FortiOS - CLI Reference
VERSION 5.4.0
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: [email protected]
December-16-15
FortiOS - CLI Reference
01-540-99686-20151216
Change Log

Date | Change Description
December 16, 2015 | New FortiOS 5.4.0 release.
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
Introduction
This document describes the FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).
How this guide is organized
This document contains the following sections:
Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.
config describes the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected].
execute describes execute commands.
get describes get commands.
tree describes the tree command.
Availability of commands and options
Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark '?' to verify the commands and options that are available.
Commands and options may not be available for the following reasons:
FortiGate model
Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.
Hardware configuration
For example, some AMC module commands are only available when an AMC module is installed.
FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.
Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.
Managing Firmware with the FortiGate BIOS
FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit's boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.
Using the BIOS, you can:
- view system information
- format the boot device
- load firmware and reboot (see Loading firmware)
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the backup firmware)
Accessing the BIOS
The BIOS menu is available only through direct connection to the FortiGate unit's Console port. During boot-up, "Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.
Navigating the menu

The main BIOS menu looks like this:

[C]: Configure TFTP parameters
[R]: Review TFTP parameters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[I]: System Information
[B]: Boot with backup firmware and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

Enter C,R,T,F,I,B,Q,or H:
Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the "Enter" line is the default value, which you can accept simply by pressing Return. For example:
Enter image download port number [WAN1]:
In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.
Loading firmware
The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.
The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.
Configuring TFTP parameters

Starting from the main BIOS menu:

[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)

[V]: Set local VLAN ID.

Choose port and whether to use DHCP

[P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:

[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:

[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP

If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps

[I]: Set local IP address.
Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.

[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:

[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the FortiGate unit is connected.

TFTP and filename

[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:

[F]: Set firmware file name.
Enter firmware file name [image.out]:

Enter [Q] to return to the main menu.

Initiating TFTP firmware transfer

Starting from the main BIOS menu:

[T]: Initiate TFTP firmware transfer.
Please connect TFTP server to Ethernet port 'WAN1'.
MAC: 00:09:0f:b5:55:28
Connect to tftp server 192.168.1.145 ...
##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:
Programming the boot device now.................................................................................................................................
Booting the backup firmware
You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.
Starting from the main BIOS menu:

[B]: Boot with backup firmware and set as default.

If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press 'Y' or 'y' to boot default image.
config
Use the config commands to change your FortiGate's configuration.
The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected].
alertemail/setting

CLI Syntax

config alertemail setting
    edit <name_str>
        set username <string>
        set mailto1 <string>
        set mailto2 <string>
        set mailto3 <string>
        set filter-mode {category | threshold}
        set email-interval <integer>
        set IPS-logs {enable | disable}
        set firewall-authentication-failure-logs {enable | disable}
        set HA-logs {enable | disable}
        set IPsec-errors-logs {enable | disable}
        set FDS-update-logs {enable | disable}
        set PPP-errors-logs {enable | disable}
        set sslvpn-authentication-errors-logs {enable | disable}
        set antivirus-logs {enable | disable}
        set webfilter-logs {enable | disable}
        set configuration-changes-logs {enable | disable}
        set violation-traffic-logs {enable | disable}
        set admin-login-logs {enable | disable}
        set FDS-license-expiring-warning {enable | disable}
        set log-disk-usage-warning {enable | disable}
        set fortiguard-log-quota-warning {enable | disable}
        set amc-interface-bypass-mode {enable | disable}
        set FIPS-CC-errors {enable | disable}
        set FDS-license-expiring-days <integer>
        set local-disk-usage <integer>
        set emergency-interval <integer>
        set alert-interval <integer>
        set critical-interval <integer>
        set error-interval <integer>
        set warning-interval <integer>
        set notification-interval <integer>
        set information-interval <integer>
        set debug-interval <integer>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
    end

Description

Configuration | Description | Default Value
username | Email from address. | (Empty)
mailto1 | Destination email address 1. | (Empty)
mailto2 | Destination email address 2. | (Empty)
mailto3 | Destination email address 3. | (Empty)
filter-mode | Filter mode. | category
email-interval | Interval between each email. | 5
IPS-logs | Enable/disable IPS logs. | disable
firewall-authentication-failure-logs | Enable/disable logging of firewall authentication failures. | disable
HA-logs | Enable/disable HA logs. | disable
IPsec-errors-logs | Enable/disable IPsec errors logs. | disable
FDS-update-logs | Enable/disable FortiGuard update logs. | disable
PPP-errors-logs | Enable/disable PPP errors logs. | disable
sslvpn-authentication-errors-logs | Enable/disable logging of SSL-VPN authentication errors. | disable
antivirus-logs | Enable/disable antivirus logs. | disable
webfilter-logs | Enable/disable web filter logging. | disable
configuration-changes-logs | Enable/disable logging of configuration changes. | disable
violation-traffic-logs | Enable/disable logging of violation traffic. | disable
admin-login-logs | Enable/disable logging of administrator logins/logouts. | disable
FDS-license-expiring-warning | Enable/disable FortiGuard license expiration warning. | disable
log-disk-usage-warning | Enable/disable logging of disk usage warning. | disable
fortiguard-log-quota-warning | Enable/disable warning of FortiCloud log quota. | disable
amc-interface-bypass-mode | Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode. | disable
FIPS-CC-errors | Enable/disable FIPS and Common Criteria errors. | disable
FDS-license-expiring-days | Number of days before FortiGuard license expiration at which to send alert email (1 - 100 days). | 15
local-disk-usage | Disk usage percentage at which to send alert email, before usage exceeds this threshold (1 - 99 percent). | 75
emergency-interval | Emergency alert interval in minutes. | 1
alert-interval | Alert alert interval in minutes. | 2
critical-interval | Critical alert interval in minutes. | 3
error-interval | Error alert interval in minutes. | 5
warning-interval | Warning alert interval in minutes. | 10
notification-interval | Notification alert interval in minutes. | 20
information-interval | Information alert interval in minutes. | 30
debug-interval | Debug alert interval in minutes. | 60
severity | Lowest severity level to log. | alert
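The table shows that every administrative event category ships disabled. The following session is an added example, not text from the Fortinet reference, of turning on the categories a security team normally wants mailed (administrator logins, configuration changes, authentication failures, HA events) while keeping the default category filter mode. The addresses and thresholds are illustrative values chosen here. Two points about the session are my reading of the device CLI rather than something this excerpt states: alertemail setting is a single global table, so no edit line is typed, and mail is relayed through the SMTP server configured under config system email-server, a branch outside this excerpt.

```fortios
config alertemail setting
    set username "fortigate-alerts@example.net"
    set mailto1 "secops@example.net"
    set mailto2 "noc@example.net"
    set filter-mode category
    set admin-login-logs enable
    set configuration-changes-logs enable
    set firewall-authentication-failure-logs enable
    set sslvpn-authentication-errors-logs enable
    set HA-logs enable
    set IPsec-errors-logs enable
    set log-disk-usage-warning enable
    set local-disk-usage 80
    set FDS-license-expiring-warning enable
    set FDS-license-expiring-days 30
    set email-interval 5
end
```

In category mode only the enabled categories generate mail, batched at email-interval minutes. Switching filter-mode to threshold instead mails every event at or above the level given by severity, using the per-level interval settings (emergency-interval through debug-interval) from the table.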
antivirus/heuristic

CLI Syntax

config antivirus heuristic
    edit <name_str>
        set mode {pass | block | disable}
    end

Description

Configuration | Description | Default Value
mode | Mode to use for heuristics. | disable
antivirus/profile

CLI Syntax

config antivirus profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set inspection-mode {proxy | flow-based}
        set ftgd-analytics {disable | suspicious | everything}
        set analytics-max-upload <integer>
        set analytics-wl-filetype <integer>
        set analytics-bl-filetype <integer>
        set analytics-db {disable | enable}
        set mobile-malware-db {disable | enable}
        config http
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config ftp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config imap
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config pop3
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config smtp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config mapi
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
            end
        config nntp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config smb
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
            end
        config nac-quar
            edit <name_str>
                set infected {none | quar-src-ip | quar-interface}
                set expiry <user>
                set log {enable | disable}
            end
        set av-virus-log {enable | disable}
        set av-block-log {enable | disable}
        set scan-mode {quick | full}
    end

Description

Configuration | Description | Default Value
name | Profile name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
inspection-mode | Inspection mode. | flow-based
ftgd-analytics | Submit suspicious or supposedly clean files to FortiSandbox. | disable
analytics-max-upload | Maximum upload size to FortiSandbox (in MB). | 10
analytics-wl-filetype | Do not submit files matching this file-pattern table to the FortiSandbox. | 0
analytics-bl-filetype | Only submit files matching this file-pattern table to the FortiSandbox. | 0
analytics-db | Use signature database from FortiSandbox to supplement the AV signature databases. | disable
mobile-malware-db | Use mobile malware signature database. | enable
http | HTTP. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable
ftp | FTP. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable
imap | IMAP. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default
pop3 | POP3. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default
smtp | SMTP. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default
mapi | MAPI. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default
nntp | NNTP. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable
smb | SMB. | Sub-table defaults: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable
nac-quar | Quarantine settings. | Sub-table defaults: infected none, expiry 5m, log disable
av-virus-log | Enable/disable logging for antivirus scanning. | enable
av-block-log | Enable/disable logging for antivirus file blocking. | enable
scan-mode | Choose between full scan mode and quick scan mode. | full
antivirus/quarantine

CLI Syntax

config antivirus quarantine
    edit <name_str>
        set agelimit <integer>
        set maxfilesize <integer>
        set quarantine-quota <integer>
        set drop-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set drop-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set lowspace {drop-new | ovrw-old}
        set destination {NULL | disk | FortiAnalyzer}
    end

Description

Configuration | Description | Default Value
agelimit | Age limit for quarantined files. | 0
maxfilesize | Maximum file size to quarantine. | 0
quarantine-quota | Quarantine quota. | 0
drop-infected | Ignore infected files from a protocol. | (Empty)
store-infected | Quarantine infected files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
drop-blocked | Drop blocked files from a protocol. | (Empty)
store-blocked | Quarantine blocked files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi
drop-heuristic | Ignore heuristically caught files from a protocol. | (Empty)
store-heuristic | Quarantine heuristically caught files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
lowspace | Action when the disk is almost full. | ovrw-old
destination | Quarantine destination: disk/FortiAnalyzer. | disk
antivirus/settings

CLI Syntax

config antivirus settings
    edit <name_str>
        set default-db {normal | extended | extreme}
        set grayware {enable | disable}
    end

Description

Configuration | Description | Default Value
default-db | Select AV database to be used for AV scanning. | extended
grayware | Enable/disable detection of grayware. | disable
application/custom

CLI Syntax

config application custom
    edit <name_str>
        set tag <string>
        set name <string>
        set id <integer>
        set comment <string>
        set signature <string>
        set category <integer>
        set protocol <user>
        set technology <user>
        set behavior <user>
        set vendor <user>
    end

Description

Configuration | Description | Default Value
tag | Signature tag. | (Empty)
name | Application name. | (Empty)
id | Application ID. | 0
comment | Comment. | (Empty)
signature | Signature text. | (Empty)
category | Application category ID. | 0
protocol | Application protocol. | (Empty)
technology | Application technology. | (Empty)
behavior | Application behavior. | (Empty)
vendor | Application vendor. | (Empty)
application/list

CLI Syntax

config application list
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set other-application-action {pass | block}
        set app-replacemsg {disable | enable}
        set other-application-log {disable | enable}
        set unknown-application-action {pass | block}
        set unknown-application-log {disable | enable}
        set p2p-black-list {skype | edonkey | bittorrent}
        set deep-app-inspection {disable | enable}
        set options {allow-dns | allow-icmp | allow-http | allow-ssl}
        config entries
            edit <name_str>
                set id <integer>
                config risk
                    edit <name_str>
                        set level <integer>
                    end
                config category
                    edit <name_str>
                        set id <integer>
                    end
                config sub-category
                    edit <name_str>
                        set id <integer>
                    end
                config application
                    edit <name_str>
                        set id <integer>
                    end
                set protocols <user>
                set vendor <user>
                set technology <user>
                set behavior <user>
                set popularity {1 | 2 | 3 | 4 | 5}
                config tags
                    edit <name_str>
                        set name <string>
                    end
                config parameters
                    edit <name_str>
                        set id <integer>
                        set value <string>
                    end
                set action {pass | block | reset}
                set log {disable | enable}
                set log-packet {disable | enable}
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {periodical | continuous}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                set session-ttl <integer>
                set shaper <string>
                set shaper-reverse <string>
                set per-ip-shaper <string>
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
            end
    end

Description

Configuration | Description | Default Value
name | List name. | (Empty)
comment | Comments. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
other-application-action | Action for other applications. | pass
app-replacemsg | Enable/disable replacement messages for blocked applications. | enable
other-application-log | Enable/disable logging of other applications. | disable
unknown-application-action | Action for unknown applications. | pass
unknown-application-log | Enable/disable logging of unknown applications. | disable
p2p-black-list | Action for p2p black list. | (Empty)
deep-app-inspection | Enable/disable deep application inspection. | disable
options | Options. | allow-dns
entries | Application list entries. | (Empty)
application/name

CLI Syntax

config application name
    edit <name_str>
        set name <string>
        set id <integer>
        set category <integer>
        set sub-category <integer>
        set popularity <integer>
        set risk <integer>
        set protocol <user>
        set technology <user>
        set behavior <user>
        set vendor <user>
        set parameter <string>
        config metadata
            edit <name_str>
                set id <integer>
                set metaid <integer>
                set valueid <integer>
            end
    end

Description

Configuration | Description | Default Value
name | Application name. | (Empty)
id | Application ID. | 0
category | Application category ID. | 0
sub-category | Application sub-category ID. | 0
popularity | Application popularity. | 0
risk | Application risk. | 0
protocol | Application protocol. | (Empty)
technology | Application technology. | (Empty)
behavior | Application behavior. | (Empty)
vendor | Application vendor. | (Empty)
parameter | Application parameter name. | (Empty)
metadata | Meta data. | (Empty)
application/rule-settings

CLI Syntax

config application rule-settings
    edit <name_str>
        set id <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end

Description

Configuration | Description | Default Value
id | Rule ID. | 0
tags | Applied object tags. | (Empty)
certificate/ca

CLI Syntax

config certificate ca
    edit <name_str>
        set name <string>
        set ca <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set trusted {enable | disable}
        set scep-url <string>
        set auto-update-days <integer>
        set auto-update-days-warning <integer>
        set source-ip <ipv4-address>
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
ca | CA certificate. | (Empty)
range | CA certificate range. | global
source | CA certificate source. | user
trusted | Enable/disable trusted CA. | enable
scep-url | URL of SCEP server. | (Empty)
auto-update-days | Days before expiry at which to auto-update (0 = disabled). | 0
auto-update-days-warning | Days before auto-update at which to send a warning (0 = disabled). | 0
source-ip | Source IP for communications to SCEP server. | 0.0.0.0
certificate/crl

CLI Syntax

config certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
crl | Certificate Revocation List. | (Empty)
range | CRL range. | global
source | CRL source. | user
update-vdom | Virtual domain for CRL update. | root
ldap-server | LDAP server. | (Empty)
ldap-username | Login name for LDAP server. | (Empty)
ldap-password | Login password for LDAP server. | (Empty)
http-url | URL of HTTP server for CRL update. | (Empty)
scep-url | URL of CA server for CRL update via SCEP. | (Empty)
scep-cert | Local certificate used for CRL update via SCEP. | Fortinet_CA_SSL
update-interval | Seconds between updates (0 = disabled). | 0
source-ip | Source IP for communications to CA (HTTP/SCEP) server. | 0.0.0.0
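update-interval defaults to 0, so an imported CRL is never refreshed and revoked certificates stay trusted until someone re-imports it by hand. The session below is an added example, not Fortinet's text, of a CRL entry that the unit re-fetches over HTTP every hour from the issuing CA's distribution point; the entry name, URL and source address are illustrative values chosen here, and the closing next is my reading of how the device CLI finishes an entry rather than something the extracted syntax above shows.

```fortios
config certificate crl
    edit "corp-issuing-ca-crl"
        set range global
        set source user
        set http-url "http://pki.example.net/crl/issuing-ca.crl"
        set update-interval 3600
        set source-ip 10.0.0.5
    next
end
```

Pinning source-ip matters when the firewall has several interfaces, because the CA's HTTP server may only accept requests from the management address. The refresh interval should be shorter than the CRL's own validity period, otherwise the cached list expires before the next download.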
certificate/local

CLI Syntax

config certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
password | Password. | (Empty)
comments | Comment. | (Empty)
private-key | Private key. | (Empty)
certificate | Certificate. | (Empty)
csr | Certificate Signing Request. | (Empty)
state | Certificate Signing Request state. | (Empty)
scep-url | URL of SCEP server. | (Empty)
range | Certificate range. | global
source | Certificate source. | user
auto-regenerate-days | Days before expiry at which to auto-regenerate (0 = disabled). | 0
auto-regenerate-days-warning | Days before auto-regeneration at which to send a warning (0 = disabled). | 0
scep-password | SCEP server challenge password for auto-regeneration. | (Empty)
ca-identifier | CA identifier of the CA server for signing via SCEP. | (Empty)
name-encoding | Name encoding for auto-regeneration. | printable
source-ip | Source IP for communications to SCEP server. | 0.0.0.0
ike-localid | IKE local ID. | (Empty)
ike-localid-type | IKE local ID type. | asn1dn
dlp/filepattern

CLI Syntax

config dlp filepattern
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set filter-type {pattern | type}
                set pattern <string>
                set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
            end
    end

Description

Configuration | Description | Default Value
id | ID. | 0
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Configure file patterns used by DLP blocking. | (Empty)
dlp/fp-doc-source

CLI Syntax

config dlp fp-doc-source
    edit <name_str>
        set name <string>
        set server-type {samba}
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set scan-on-creation {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <string>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
    end

Description

Configuration | Description | Default Value
name | DLP server. | (Empty)
server-type | DLP server type. | samba
server | Server location (can be IP or IPv6 address). | (Empty)
period | Select periodic server checking. | none
vdom | Select source on management or current VDOM. | mgmt
scan-subdirectories | Enable/disable scanning of subdirectories. | enable
scan-on-creation | Enable/disable forcing a scan of the server when the document source is created or edited. | enable
remove-deleted | Enable/disable removing chunks of files deleted from the server. | enable
keep-modified | Enable/disable retaining old chunks of modified files. | enable
username | Login username. | (Empty)
password | Login password. | (Empty)
file-path | File path on server. | (Empty)
file-pattern | File patterns to fingerprint (wildcard). | *
sensitivity | DLP fingerprint sensitivity defined for these files. | (Empty)
tod-hour | Time of day to run scans (hour part, 24 hour clock). | 1
tod-min | Time of day to run scans (minute part). | 0
weekday | Day of week to run scans. | sunday
date | Date within a month to run scans. | 1
dlp/fp-sensitivity

CLI Syntax

config dlp fp-sensitivity
    edit <name_str>
        set name <string>
    end

Description

Configuration | Description | Default Value
name | DLP sensitivity levels. | (Empty)
dlp/sensorCLI Syntax
config dlp sensor edit <name_str> set name <string> set comment <var-string> set replacemsg-group <string> config filter edit <name_str> set id <integer> set name <string> set severity {info | low | medium | high | critical} set type {file | message} set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7} set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted} set file-size <integer> set company-identifier <string> config fp-sensitivity edit <name_str> set name <string> end set match-percentage <integer> set file-type <integer> set regexp <string> set archive {disable | enable} set action {allow | log-only | block | ban | quarantine-ip | quarantine-port} set expiry <user> end set dlp-log {enable | disable} set nac-quar-log {enable | disable} set flow-based {enable | disable} set options {} set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7} set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7} end
Description
Configuration Description Default Value
name Name. (Empty)
comment Comment. (Empty)
replacemsg-group Replacement message group. (Empty)
filter Configure DLP filters. (Empty)
dlp-log Enable/disable logging for data leak prevention. enable
nac-quar-log Enable/disable logging for NAC quarantine creation. disable
flow-based Enable/disable flow-based data leak prevention. disable
options options
full-archive-proto Protocols to always content archive. (Empty)
summary-proto Protocols to always log summary. (Empty)
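A sensor assembled from the options above, added here as an illustration; it is not taken from the Fortinet reference or from a shipped configuration. The sensor name and the "Critical" sensitivity level are assumed, and the fp-sensitivity list that the reference renders as a sub-table is typed as one set line on the CLI. A sensor does nothing until a firewall policy references it, which is outside this section. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's). Object names are assumed.
config dlp fp-sensitivity
    edit "Critical"
    next
end
config dlp sensor
    edit "outbound-pii"
        set comment "Stop card numbers and fingerprinted documents leaving by mail or upload"
        config filter
            edit 1
                # Card numbers typed into a mail body or a web form
                set name "pan-in-message"
                set severity high
                set type message
                set proto smtp http-post
                set filter-by credit-card
                set action block
            next
            edit 2
                # Card numbers inside attachments and uploaded files; keep a copy for review
                set name "pan-in-file"
                set severity high
                set type file
                set proto smtp http-post ftp
                set filter-by credit-card
                set archive enable
                set action block
            next
            edit 3
                # Encrypted files cannot be content-scanned, so record them instead of
                # pretending they were checked
                set name "encrypted-attachment"
                set severity medium
                set type file
                set proto smtp http-post
                set filter-by encrypted
                set action log-only
            next
            edit 4
                # Documents fingerprinted at the "Critical" level; 80% chunk overlap is a match
                set name "fingerprinted-doc"
                set severity critical
                set type file
                set proto smtp http-post ftp
                set filter-by fingerprint
                set fp-sensitivity "Critical"
                set match-percentage 80
                set action block
            next
        end
        set dlp-log enable
        set full-archive-proto smtp
    next
end
```

Two points worth checking before deploying something like this: full-archive-proto stores complete copies of the matched SMTP content on the FortiGate, so the archive is itself a store of the data the sensor is meant to protect and needs the same access controls; and the fingerprint filter only fires for documents that the fingerprint scan (the fp-doc-source settings at the top of this section, backed by dlp settings storage) has already chunked and stored.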
dlp/settings
CLI Syntax
config dlp settings
    edit <name_str>
        set storage-device <string>
        set size <integer>
        set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
        set cache-mem-percent <integer>
        set chunk-size <integer>
    end
Description
Configuration Description Default Value
storage-device Storage name. (Empty)
size Maximum total size of files within the storage (MB). 16
db-mode Method of maintaining database size. stop-adding
cache-mem-percent Maximum percentage of available memory allocated to caching (1 - 15%). 2
chunk-size Maximum fingerprint chunk size. **Changing will flush the entire database**. 2800
dnsfilter/profile
CLI Syntax
config dnsfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config urlfilter
            edit <name_str>
                set urlfilter-table <integer>
            end
        config ftgd-dns
            edit <name_str>
                set options {error-allow | ftgd-disable}
                config filters
                    edit <name_str>
                        set id <integer>
                        set category <integer>
                        set action {block | monitor}
                        set log {enable | disable}
                    end
            end
        set log-all-url {enable | disable}
        set block-action {block | redirect}
        set redirect-portal <ipv4-address>
        set block-botnet {disable | enable}
    end
Description
Configuration Description Default Value
name Profile name. (Empty)
comment Comment. (Empty)
urlfilter URL filter settings. Details below
    Configuration Default Value
    urlfilter-table 0
ftgd-dns FortiGuard DNS Filter settings. Details below
    Configuration Default Value
    options (Empty)
    filters (Empty)
log-all-url Enable/disable log all URLs visited. disable
block-action Action to take for blocked domains. redirect
redirect-portal IP address of the SDNS portal. 0.0.0.0
block-botnet Enable/disable block of botnet C&C. disable
dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set id <integer>
                set url <string>
                set type {simple | regex | wildcard}
                set action {block | allow | monitor}
                set status {enable | disable}
            end
    end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries DNS URL filter. (Empty)
endpoint-control/client
CLI Syntax
config endpoint-control client
    edit <name_str>
        set id <integer>
        set ftcl-uid <string>
        set src-ip <ipv4-address-any>
        set src-mac <mac-address>
        set info <user>
        set ad-groups <var-string>
    end
Description
Configuration Description Default Value
id Endpoint client ID. 0
ftcl-uid Endpoint FortiClient UID. (Empty)
src-ip Endpoint client IP address. 0.0.0.0
src-mac Endpoint client MAC address. 00:00:00:00:00:00
info Endpoint client information. (Empty)
ad-groups Endpoint client AD logon groups. (Empty)
endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
    edit <name_str>
        set peer-name <string>
        set peer-ip <ipv4-address>
    end
Description
Configuration Description Default Value
peer-name Peer name. (Empty)
peer-ip Peer connecting IP. 0.0.0.0
endpoint-control/profile
CLI Syntax
config endpoint-control profile
    edit <name_str>
        set profile-name <string>
        config forticlient-winmac-settings
            edit <name_str>
                set view-profile-details {enable | disable}
                set forticlient-av {enable | disable}
                set av-realtime-protection {enable | disable}
                set scan-download-file {enable | disable}
                set sandbox-scan {enable | disable}
                set sandbox-address <string>
                set wait-sandbox-result {enable | disable}
                set use-sandbox-signature {enable | disable}
                set block-malicious-website {enable | disable}
                set block-attack-channel {enable | disable}
                set av-scheduled-scan {enable | disable}
                set av-scan-type {quick | full | custom}
                set av-scan-folder <string>
                set av-scan-schedule {daily | weekly | monthly}
                set av-scan-day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
                set av-scan-day-of-month <integer>
                set av-scan-time <user>
                config av-scan-exclusions
                    edit <name_str>
                        set id <integer>
                        set type {file | folder}
                        set name <string>
                    end
                set forticlient-application-firewall {enable | disable}
                set forticlient-application-firewall-list <string>
                set monitor-unknown-application {enable | disable}
                set install-ca-certificate {enable | disable}
                set forticlient-wf {enable | disable}
                set forticlient-wf-profile <string>
                set disable-wf-when-protected {enable | disable}
                set forticlient-vuln-scan {enable | disable}
                set forticlient-vuln-scan-schedule {daily | weekly | monthly}
                set forticlient-vuln-scan-on-registration {enable | disable}
                set forticlient-vpn-provisioning {enable | disable}
                set forticlient-advanced-vpn {enable | disable}
                set forticlient-advanced-vpn-buffer <var-string>
                config forticlient-vpn-settings
                    edit <name_str>
                        set name <string>
                        set type {ipsec | ssl}
                        set remote-gw <string>
                        set sslvpn-access-port <integer>
                        set sslvpn-require-certificate {enable | disable}
                        set auth-method {psk | certificate}
                        set preshared-key <password>
                    end
                set disable-unregister-option {enable | disable}
                set forticlient-log-upload {enable | disable}
                set forticlient-log-upload-server <string>
                set forticlient-log-ssl-upload {enable | disable}
                set forticlient-log-upload-schedule {hourly | daily}
                set forticlient-update-from-fmg {enable | disable}
                config forticlient-update-server
                    edit <name_str>
                        set name <string>
                    end
                set forticlient-update-failover-to-fdn {enable | disable}
                set forticlient-settings-lock {enable | disable}
                set forticlient-settings-lock-passwd <password>
                set auto-vpn-when-off-net {enable | disable}
                set auto-vpn-name <user>
                set client-log-when-on-net {enable | disable}
                set forticlient-ad {enable | disable}
                set fsso-ma {enable | disable}
                set fsso-ma-server <string>
                set fsso-ma-psk <password>
                set allow-personal-vpn {enable | disable}
                set disable-user-disconnect {enable | disable}
                set vpn-before-logon {enable | disable}
                set vpn-captive-portal {enable | disable}
                set forticlient-ui-options {av | wf | af | vpn | vs}
                set forticlient-advanced-cfg {enable | disable}
                set forticlient-advanced-cfg-buffer <var-string>
                config extra-buffer-entries
                    edit <name_str>
                        set id <integer>
                        set buffer <var-string>
                    end
            end
        config forticlient-android-settings
            edit <name_str>
                set forticlient-wf {enable | disable}
                set forticlient-wf-profile <string>
                set disable-wf-when-protected {enable | disable}
                set forticlient-vpn-provisioning {enable | disable}
                set forticlient-advanced-vpn {enable | disable}
                set forticlient-advanced-vpn-buffer <var-string>
                config forticlient-vpn-settings
                    edit <name_str>
                        set name <string>
                        set type {ipsec | ssl}
                        set remote-gw <string>
                        set sslvpn-access-port <integer>
                        set sslvpn-require-certificate {enable | disable}
                        set auth-method {psk | certificate}
                        set preshared-key <password>
                    end
            end
        config forticlient-ios-settings
            edit <name_str>
                set forticlient-wf {enable | disable}
                set forticlient-wf-profile <string>
                set disable-wf-when-protected {enable | disable}
                set client-vpn-provisioning {enable | disable}
                config client-vpn-settings
                    edit <name_str>
                        set name <string>
                        set type {ipsec | ssl}
                        set vpn-configuration-name <string>
                        set vpn-configuration-content <var-string>
                        set remote-gw <string>
                        set sslvpn-access-port <integer>
                        set sslvpn-require-certificate {enable | disable}
                        set auth-method {psk | certificate}
                        set preshared-key <password>
                    end
                set distribute-configuration-profile {enable | disable}
                set configuration-name <string>
                set configuration-content <var-string>
            end
        set description <var-string>
        config src-addr
            edit <name_str>
                set name <string>
            end
        config device-groups
            edit <name_str>
                set name <string>
            end
        config users
            edit <name_str>
                set name <string>
            end
        config user-groups
            edit <name_str>
                set name <string>
            end
        config on-net-addr
            edit <name_str>
                set name <string>
            end
        set replacemsg-override-group <string>
    end
Description
Configuration Description Default Value
profile-name Profile name. (Empty)
forticlient-winmac-settings FortiClient settings for Windows/Mac platform. Details below
    Configuration Default Value
    view-profile-details enable
    forticlient-av enable
    av-realtime-protection enable
    scan-download-file enable
    sandbox-scan disable
    sandbox-address (Empty)
    wait-sandbox-result disable
    use-sandbox-signature disable
    block-malicious-website disable
    block-attack-channel disable
    av-scheduled-scan disable
    av-scan-type quick
    av-scan-folder (Empty)
    av-scan-schedule daily
    av-scan-day-of-week sunday
    av-scan-day-of-month 0
    av-scan-time 00:00
    av-scan-exclusions (Empty)
    forticlient-application-firewall disable
    forticlient-application-firewall-list (Empty)
    monitor-unknown-application disable
    install-ca-certificate disable
    forticlient-wf enable
    forticlient-wf-profile default
    disable-wf-when-protected enable
    forticlient-vuln-scan disable
    forticlient-vuln-scan-schedule monthly
    forticlient-vuln-scan-on-registration enable
    forticlient-vpn-provisioning disable
    forticlient-advanced-vpn disable
    forticlient-advanced-vpn-buffer (Empty)
    forticlient-vpn-settings (Empty)
    disable-unregister-option disable
    forticlient-log-upload disable
    forticlient-log-upload-server (Empty)
    forticlient-log-ssl-upload enable
    forticlient-log-upload-schedule daily
    forticlient-update-from-fmg disable
    forticlient-update-server (Empty)
    forticlient-update-failover-to-fdn enable
    forticlient-settings-lock disable
    forticlient-settings-lock-passwd (Empty)
    auto-vpn-when-off-net disable
    auto-vpn-name (Empty)
    client-log-when-on-net disable
    forticlient-ad disable
    fsso-ma disable
    fsso-ma-server (Empty)
    fsso-ma-psk (Empty)
    allow-personal-vpn enable
    disable-user-disconnect disable
    vpn-before-logon disable
    vpn-captive-portal disable
    forticlient-ui-options av wf vpn
    forticlient-advanced-cfg disable
    forticlient-advanced-cfg-buffer (Empty)
    extra-buffer-entries (Empty)
forticlient-android-settings FortiClient settings for Android platform. Details below
    Configuration Default Value
    forticlient-wf disable
    forticlient-wf-profile (Empty)
    disable-wf-when-protected enable
    forticlient-vpn-provisioning disable
    forticlient-advanced-vpn disable
    forticlient-advanced-vpn-buffer (Empty)
    forticlient-vpn-settings (Empty)
forticlient-ios-settings FortiClient settings for iOS platform. Details below
    Configuration Default Value
    forticlient-wf disable
    forticlient-wf-profile (Empty)
    disable-wf-when-protected enable
    client-vpn-provisioning disable
    client-vpn-settings (Empty)
    distribute-configuration-profile disable
    configuration-name (Empty)
    configuration-content (Empty)
description Description. (Empty)
src-addr Source addresses. (Empty)
device-groups Device groups. (Empty)
users Users. (Empty)
user-groups User groups. (Empty)
on-net-addr Addresses for on-net detection. (Empty)
replacemsg-override-group Specify endpoint control replacement message override group. (Empty)
endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
    edit <name_str>
        set uid <string>
        set vdom <string>
        set ip <ipv4-address-any>
        set mac <mac-address>
        set status <integer>
        set flag <integer>
        set reg-fortigate <string>
    end
Description
Configuration Description Default Value
uid FortiClient UID. (Empty)
vdom Registering vdom. (Empty)
ip Endpoint IP address. 0.0.0.0
mac Endpoint MAC address. 00:00:00:00:00:00
status FortiClient registration status. 1
flag FortiClient registration flag. 0
reg-fortigate Registering FortiGate SN. (Empty)
endpoint-control/settings
CLI Syntax
config endpoint-control settings
    edit <name_str>
        set forticlient-reg-key-enforce {enable | disable}
        set forticlient-reg-key <password>
        set forticlient-reg-timeout <integer>
        set download-custom-link <string>
        set download-location {fortiguard | custom}
        set forticlient-keepalive-interval <integer>
        set forticlient-sys-update-interval <integer>
    end
Description
Configuration Description Default Value
forticlient-reg-key-enforce Enable/disable enforcement of the FortiClient registration key. While this is disabled, any FortiClient that can reach the FortiGate can register without presenting a key. disable
forticlient-reg-key FortiClient registration key. (Empty)
forticlient-reg-timeout FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited). 7
download-custom-link Customized URL for downloading FortiClient. With download-location set to custom, endpoints fetch the installer from this URL, so it must point at a host you control. (Empty)
download-location FortiClient download location. fortiguard
forticlient-keepalive-interval Interval between two KeepAlive messages from FortiClient (in seconds). 60
forticlient-sys-update-interval Interval between two system update messages from FortiClient (in minutes). 720
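The endpoint-control settings and a profile written together, as an added example of the two sections above rather than anything from the Fortinet reference. Values in angle brackets are placeholders to replace, "corp-laptops" is an assumed profile name, and "all" is the built-in address object. The reference renders forticlient-winmac-settings as a sub-table with edit, but on the CLI it is a single object (config … / set … / end), and the src-addr list is typed as one set line. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's). <angle-bracket> values are placeholders.
config endpoint-control settings
    # Require the shared key before a FortiClient may register. Unregistered
    # clients never receive the profile, including any VPN secrets it carries.
    set forticlient-reg-key-enforce enable
    set forticlient-reg-key "<registration key>"
    # Release a registration slot after 30 days without contact instead of 7
    set forticlient-reg-timeout 30
    set download-location fortiguard
    set forticlient-keepalive-interval 60
end
config endpoint-control profile
    edit "corp-laptops"
        set description "Managed Windows and Mac endpoints"
        config forticlient-winmac-settings
            set forticlient-av enable
            set av-realtime-protection enable
            set scan-download-file enable
            set block-malicious-website enable
            set block-attack-channel enable
            set av-scheduled-scan enable
            set av-scan-type full
            set av-scan-schedule weekly
            set av-scan-day-of-week sunday
            set av-scan-time 02:00
            # Push the FortiGate CA so SSL inspection does not train users to click through warnings
            set install-ca-certificate enable
            set forticlient-wf enable
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-schedule weekly
            set forticlient-vuln-scan-on-registration enable
            # Users cannot unregister, disconnect or edit settings without the lock password
            set disable-unregister-option enable
            set disable-user-disconnect enable
            set forticlient-settings-lock enable
            set forticlient-settings-lock-passwd "<lock password>"
            set allow-personal-vpn disable
            # Ship client logs hourly over TLS to the collector
            set forticlient-log-upload enable
            set forticlient-log-upload-server "<log collector address>"
            set forticlient-log-ssl-upload enable
            set forticlient-log-upload-schedule hourly
            set forticlient-ui-options av wf vpn
        end
        set src-addr "all"
    next
end
```

The registration key matters because a profile with forticlient-vpn-provisioning enabled can carry remote gateways and a preshared-key; without key enforcement, anything that speaks the FortiClient registration protocol to this FortiGate gets that material. Both the key and the settings-lock password live in the FortiGate configuration, so configuration backups need the same protection as the secrets themselves, and install-ca-certificate puts the FortiGate's CA in every endpoint's trust store, making that CA's private key the single point that protects every TLS session those endpoints open.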
extender-controller/extender
CLI Syntax
config extender-controller extender
    edit <name_str>
        set id <string>
        set admin {disable | discovered | enable}
        set ifname <string>
        set vdom <integer>
        set role {none | primary | secondary}
        set mode {standalone | redundant}
        set dial-mode {dial-on-demand | always-connect}
        set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
        set redundant-intf <string>
        set dial-status <integer>
        set conn-status <integer>
        set ext-name <string>
        set description <string>
        set quota-limit-mb <integer>
        set billing-start-day <integer>
        set at-dial-script <string>
        set modem-passwd <password>
        set initiated-update {enable | disable}
        set modem-type {cdma | gsm/lte | wimax}
        set ppp-username <string>
        set ppp-password <password>
        set ppp-auth-protocol {auto | pap | chap}
        set ppp-echo-request {enable | disable}
        set wimax-carrier <string>
        set wimax-realm <string>
        set wimax-auth-protocol {tls | ttls}
        set sim-pin <password>
        set access-point-name <string>
        set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
        set roaming {enable | disable}
        set cdma-nai <string>
        set aaa-shared-secret <password>
        set ha-shared-secret <password>
        set primary-ha <string>
        set secondary-ha <string>
        set cdma-aaa-spi <string>
        set cdma-ha-spi <string>
    end
Description
Configuration Description Default Value
id FortiExtender serial number. (Empty)
admin FortiExtender Administration (enable or disable). disable
ifname FortiExtender interface name. (Empty)
vdom VDOM 0
role FortiExtender work role (Primary, Secondary, None). none
mode FortiExtender mode. standalone
dial-mode Dial mode (dial-on-demand or always-connect). always-connect
redial Number of redials allowed based on failed attempts. none
redundant-intf Redundant interface. (Empty)
dial-status Dial status. 0
conn-status Connection status. 0
ext-name FortiExtender name. (Empty)
description Description. (Empty)
quota-limit-mb Monthly quota limit (MB). 0
billing-start-day Billing start day. 1
at-dial-script Initialization AT commands specific to the MODEM. (Empty)
modem-passwd MODEM password. (Empty)
initiated-update Allow/disallow network initiated updates to the MODEM. disable
modem-type MODEM type (CDMA, GSM/LTE or WIMAX). gsm/lte
ppp-username PPP username. (Empty)
ppp-password PPP password. (Empty)
ppp-auth-protocol PPP authentication protocol (PAP,CHAP or auto). auto
ppp-echo-request Enable/disable PPP echo request. disable
wimax-carrier WiMax carrier. (Empty)
wimax-realm WiMax realm. (Empty)
wimax-auth-protocol WiMax authentication protocol(TLS or TTLS). tls
sim-pin SIM PIN. (Empty)
access-point-name Access point name(APN). (Empty)
multi-mode MODEM mode of operation(3G,LTE,etc). auto
roaming Enable/disable MODEM roaming. disable
cdma-nai NAI for CDMA MODEMS. (Empty)
aaa-shared-secret AAA shared secret. (Empty)
ha-shared-secret HA shared secret. (Empty)
primary-ha Primary HA. (Empty)
secondary-ha Secondary HA. (Empty)
cdma-aaa-spi CDMA AAA SPI. (Empty)
cdma-ha-spi CDMA HA SPI. (Empty)
firewall.ipmacbinding/setting
CLI Syntax
config firewall.ipmacbinding setting
    edit <name_str>
        set bindthroughfw {enable | disable}
        set bindtofw {enable | disable}
        set undefinedhost {allow | block}
    end
Description
Configuration Description Default Value
bindthroughfw Enable/disable IP/MAC binding checks for traffic passing through the FortiGate. disable
bindtofw Enable/disable IP/MAC binding checks for traffic addressed to the FortiGate itself. disable
undefinedhost Allow/block traffic from hosts that have no entry in the binding table. block
firewall.ipmacbinding/table
CLI Syntax
config firewall.ipmacbinding table
    edit <name_str>
        set seq-num <integer>
        set ip <ipv4-address>
        set mac <mac-address>
        set name <string>
        set status {enable | disable}
    end
Description
Configuration Description Default Value
seq-num Entry number. 0
ip IP address. 0.0.0.0
mac MAC address. 00:00:00:00:00:00
name Name (optional, default = no name). noname
status Enable/disable IP-mac binding. disable
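A binding table and the matching setting, added here as an example of the two sections above; it is not from the Fortinet reference. Addresses, MACs and names are constructed. The reference lists the branch as firewall.ipmacbinding; on the CLI it is typed with a space, as below. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's). Addresses and MACs are constructed.
config firewall ipmacbinding table
    edit 1
        set ip 192.0.2.10
        set mac 00:11:22:33:44:55
        set name "file-server"
        set status enable
    next
    edit 2
        set ip 192.0.2.11
        set mac 00:11:22:33:44:66
        set name "print-server"
        set status enable
    next
    edit 3
        # Kept but inactive: the host is being replaced and its MAC will change.
        # Note that the table default for status is disable, so new entries do
        # nothing until it is set.
        set ip 192.0.2.12
        set mac 00:11:22:33:44:77
        set name "old-backup-host"
        set status disable
    next
end
config firewall ipmacbinding setting
    # Check the pairing both for transit traffic and for traffic to the FortiGate
    set bindthroughfw enable
    set bindtofw enable
    # Anything not in the table is dropped, so populate the table first
    set undefinedhost block
end
```

Two limits to keep in mind. The FortiGate only ever sees the MAC of the last hop, so behind a router every host shares the router's MAC and the check must be applied on interfaces that face the hosts directly (in FortiOS the check is additionally switched on per interface under config system interface, outside this section). And a host that spoofs both the IP and the MAC of a table entry passes, so this is a control against accidental or casual address hijacking, not an authentication mechanism.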
firewall.schedule/group
CLI Syntax
config firewall.schedule group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
            end
        set color <integer>
    end
Description
Configuration Description Default Value
name Schedule group name. (Empty)
member Schedule group member. (Empty)
color GUI icon color. 0
firewall.schedule/onetime
CLI Syntax
config firewall.schedule onetime
    edit <name_str>
        set name <string>
        set start <user>
        set end <user>
        set color <integer>
        set expiration-days <integer>
    end
Description
Configuration Description Default Value
name Onetime schedule name. (Empty)
start Start time and date. 00:00 2001/01/01
end End time and date. 00:00 2001/01/01
color GUI icon color. 0
expiration-days Generate event log before schedule expires (1 - 100 days, 0 = disable). 3
firewall.schedule/recurring
CLI Syntax
config firewall.schedule recurring
    edit <name_str>
        set name <string>
        set start <user>
        set end <user>
        set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
        set color <integer>
    end
Description
Configuration Description Default Value
name Recurring schedule name. (Empty)
start Start time. 00:00
end End time. 00:00
day Day(s) of the week on which the schedule applies. sunday
color GUI icon color. 0
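The three schedule types together, as an added example for the group, onetime and recurring sections above; it is not from the Fortinet reference, and the names and dates are constructed. Time and date use the HH:MM and HH:MM YYYY/MM/DD forms the default values above show. The branch is typed as firewall schedule on the CLI, and the member list that the reference renders as a sub-table is one set line. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's). Names and dates are constructed.
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
    edit "backup-window"
        # Nightly window for the backup job only
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 01:00
        set end 04:00
    next
end
config firewall schedule onetime
    edit "vendor-access-2015-12-18"
        set start 22:00 2015/12/18
        set end 04:00 2015/12/19
        # Log one day before expiry so the policy that depends on it gets cleaned up
        set expiration-days 1
    next
end
config firewall schedule group
    edit "staff-or-vendor"
        set member "business-hours" "vendor-access-2015-12-18"
    next
end
```

Schedules are evaluated against the FortiGate's own clock, so a wrong time zone or a drifting clock without NTP shifts every window. A policy whose only schedule is an expired onetime entry stays in the configuration but never matches, which is why the expiration-days log is worth routing somewhere that is read; the schedule itself should be removed along with the policy rather than left as a dormant rule.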
firewall.service/category
CLI Syntax
config firewall.service category
    edit <name_str>
        set name <string>
        set comment <var-string>
    end
Description
Configuration Description Default Value
name Service category name. (Empty)
comment Comment. (Empty)
firewall.service/custom
CLI Syntax
config firewall.service custom
    edit <name_str>
        set name <string>
        set explicit-proxy {enable | disable}
        set category <string>
        set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
        set iprange <user>
        set fqdn <string>
        set protocol-number <integer>
        set icmptype <integer>
        set icmpcode <integer>
        set tcp-portrange <user>
        set udp-portrange <user>
        set sctp-portrange <user>
        set tcp-halfclose-timer <integer>
        set tcp-halfopen-timer <integer>
        set tcp-timewait-timer <integer>
        set udp-idle-timer <integer>
        set session-ttl <integer>
        set check-reset-range {disable | strict | default}
        set comment <var-string>
        set color <integer>
        set visibility {enable | disable}
    end
Description
Configuration Description Default Value
name Custom service name. (Empty)
explicit-proxy Enable/disable explicit web proxy service. disable
category Service category. (Empty)
protocol Protocol type. TCP/UDP/SCTP
iprange Start IP-End IP. 0.0.0.0
fqdn Fully qualified domain name. (Empty)
protocol-number IP protocol number. 0
icmptype ICMP type. (Empty)
icmpcode ICMP code. (Empty)
tcp-portrange Multiple TCP port ranges. (Empty)
udp-portrange Multiple UDP port ranges. (Empty)
sctp-portrange Multiple SCTP port ranges. (Empty)
tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, 0 = default). 0
tcp-halfopen-timer TCP half open timeout (1 - 86400 sec, 0 = default). 0
tcp-timewait-timer TCP time wait timeout (1 - 300 sec, 0 = default). 0
udp-idle-timer UDP idle timeout (0 - 86400 sec, 0 = default). 0
session-ttl Session TTL (300 - 604800, 0 = default). 0
check-reset-range Enable/disable RST check. default
comment Comment. (Empty)
color GUI icon color. 0
visibility Enable/disable service visibility. enable
firewall.service/group
CLI Syntax
config firewall.service group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
            end
        set explicit-proxy {enable | disable}
        set comment <var-string>
        set color <integer>
    end
Description
Configuration Description Default Value
name Service group name. (Empty)
member Service group member. (Empty)
explicit-proxy Enable/disable explicit web proxy service group. disable
comment Comment. (Empty)
color GUI icon color. 0
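A category, three custom services and a group, added as an example for the service sections above; it is not from the Fortinet reference, and the category, service names and ports are constructed. The branch is typed as firewall service on the CLI, and the member list is one set line. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's). Names and ports are constructed.
config firewall service category
    edit "Internal Apps"
        set comment "Services exposed only between internal tiers"
    next
end
config firewall service custom
    edit "APP-TLS-ALT"
        set category "Internal Apps"
        set protocol TCP/UDP/SCTP
        # Single port plus a range; several ranges are separated by spaces
        set tcp-portrange 8443 9443-9445
        set comment "Alternate TLS ports for the app tier"
    next
    edit "PING-ECHO-REQUEST"
        # Echo request only; replies are handled by the session, so there is no
        # need for a service that admits every ICMP type
        set category "Internal Apps"
        set protocol ICMP
        set icmptype 8
        set icmpcode 0
    next
    edit "DB-LONG-SESSION"
        set category "Internal Apps"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 5432
        # The database pool keeps idle connections for hours; raise the TTL
        # for this service only instead of the global session timeout
        set session-ttl 7200
    next
end
config firewall service group
    edit "APP-TIER"
        set member "APP-TLS-ALT" "DB-LONG-SESSION"
        set comment "Web tier to app tier policies"
    next
end
```

A service is the narrowest part of a policy match, so the habit worth building is one service per exposed port set rather than reusing a broad one: a service with protocol ALL or a wide tcp-portrange admits far more than the application needs. Per-service timers such as session-ttl and udp-idle-timer let a single chatty application keep state longer without loosening the timers for everything else.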
firewall.shaper/per-ip-shaper
CLI Syntax
config firewall.shaper per-ip-shaper
    edit <name_str>
        set name <string>
        set max-bandwidth <integer>
        set bandwidth-unit {kbps | mbps | gbps}
        set max-concurrent-session <integer>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
    end
Description
Configuration Description Default Value
name Traffic shaper name. (Empty)
max-bandwidth Maximum bandwidth value (0 - 16776000). 0
bandwidth-unit Bandwidth unit (default = kbps). kbps
max-concurrent-session Maximum concurrent session (0 - 2097000). 0
diffserv-forward Forward (original) traffic DiffServ. disable
diffserv-reverse Reverse (reply) traffic DiffServ. disable
diffservcode-forward Forward (original) traffic DiffServ code point value. 000000
diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000
firewall.shaper/traffic-shaper
CLI Syntax
config firewall.shaper traffic-shaper
    edit <name_str>
        set name <string>
        set guaranteed-bandwidth <integer>
        set maximum-bandwidth <integer>
        set bandwidth-unit {kbps | mbps | gbps}
        set priority {low | medium | high}
        set per-policy {disable | enable}
        set diffserv {enable | disable}
        set diffservcode <user>
    end
Description
Configuration Description Default Value
name Traffic shaper name. (Empty)
guaranteed-bandwidth Guaranteed bandwidth value (0 - 16776000). 0
maximum-bandwidth Maximum bandwidth value (0 - 16776000). 0
bandwidth-unit Bandwidth unit (default = kbps). kbps
priority Traffic priority. high
per-policy Enable/disable use of a separate shaper for each policy. disable
diffserv Enable/disable traffic DiffServ. disable
diffservcode Traffic DiffServ code point value. 000000
firewall.ssl/setting
CLI Syntax
config firewall.ssl setting
    edit <name_str>
        set proxy-connect-timeout <integer>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-send-empty-frags {enable | disable}
        set no-matching-cipher-action {bypass | drop}
        set cert-cache-capacity <integer>
        set cert-cache-timeout <integer>
        set session-cache-capacity <integer>
        set session-cache-timeout <integer>
    end
Description
Configuration Description Default Value
proxy-connect-timeout Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec). 30
ssl-dh-bits Size of the Diffie-Hellman prime used in DHE-RSA negotiation. 768 and 1024 are accepted for legacy peers only; both are within reach of well-resourced attackers (the 2015 Logjam work covers the 1024-bit case) and should not be configured. 2048
ssl-send-empty-frags Send empty fragments to mitigate the chosen-plaintext attack on CBC IVs (SSL 3.0 and TLS 1.0 only; later TLS versions use explicit IVs and are not affected). enable
no-matching-cipher-action Bypass or drop the connection when no matching cipher was found. With bypass, the default, such sessions pass through without inspection; drop fails closed. bypass
cert-cache-capacity Maximum capacity of the host certificate cache (0 - 500). 200
cert-cache-timeout Minutes to keep certificate cache (1 - 120 min). 10
session-cache-capacity Obsolete. 500
session-cache-timeout Number of minutes to keep SSL session state. 20
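The weak and the hardened form of this setting side by side, added here as an example; it is not from the Fortinet reference. The first block shows the values a legacy-compatible deployment might carry, the second the values a current deployment should have. The branch is typed as firewall ssl setting on the CLI and is a single object, so there is no edit line. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's).
# Legacy-compatible but weak: a 1024-bit DH group and fail-open on cipher mismatch.
config firewall ssl setting
    set ssl-dh-bits 1024
    set no-matching-cipher-action bypass
end

# Hardened: 2048-bit DH (the 5.4 default), fail closed when the proxy and a peer
# share no cipher, and keep the CBC/IV mitigation on for any SSL 3.0 / TLS 1.0 peer.
config firewall ssl setting
    set ssl-dh-bits 2048
    set ssl-send-empty-frags enable
    set no-matching-cipher-action drop
    set proxy-connect-timeout 30
    # Cache up to the maximum number of re-signed host certificates for 10 minutes
    set cert-cache-capacity 500
    set cert-cache-timeout 10
    set session-cache-timeout 20
end
```

The change with visible consequences is no-matching-cipher-action. Under bypass, a client or server that offers only ciphers the proxy does not support is silently excluded from inspection, which is exactly the path an attacker controlling one endpoint would choose. Under drop those sessions fail instead, so before switching, review the SSL logs for sessions that were being bypassed and fix the endpoints rather than the setting.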
firewall/address
CLI Syntax
config firewall address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set subnet <ipv4-classnet-any>
        set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set fqdn <string>
        set country <string>
        set wildcard-fqdn <string>
        set cache-ttl <integer>
        set wildcard <ipv4-classnet-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set allow-routing {enable | disable}
    end
Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
subnet IP address and netmask. 0.0.0.0 0.0.0.0
type Type. ipmask
start-ip Start IP. 0.0.0.0
end-ip End IP. 0.0.0.0
fqdn Fully qualified domain name. (Empty)
country Country name. (Empty)
wildcard-fqdn Wildcard FQDN. (Empty)
cache-ttl Minimal TTL of individual IP addresses in FQDN cache. 0
wildcard IP address and wildcard netmask. 0.0.0.0 0.0.0.0
comment Comment. (Empty)
visibility Enable/disable address visibility. enable
associated-interface Associated interface name. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
allow-routing Enable/disable use of this address in the static route configuration. disable
firewall/address6
CLI Syntax
config firewall address6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {ipprefix | iprange}
        set ip6 <ipv6-network>
        set start-ip <ipv6-address>
        set end-ip <ipv6-address>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
    end
Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
type Type. ipprefix
ip6 IPv6 address prefix. ::/0
start-ip Start IP. ::
end-ip End IP. ::
visibility Enable/disable address visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
firewall/addrgrp
CLI Syntax
config firewall addrgrp
    edit <name_str>
        set name <string>
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set allow-routing {enable | disable}
    end
Description
Configuration Description Default Value
name Address group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
member Address group member. (Empty)
comment Comment. (Empty)
visibility Enable/disable address group visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)
allow-routing Enable/disable use of this group in the static route configuration. disable
firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set visibility {enable | disable}
        set color <integer>
        set comment <var-string>
        config member
            edit <name_str>
                set name <string>
            end
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration Description Default Value
name IPv6 address group name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
visibility Enable/disable address group6 visibility. enable
color GUI icon color. 0
comment Comment. (Empty)
member IPv6 address group member. (Empty)
tags Applied object tags. (Empty)
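Address objects of the main types and the groups that hold them, written as one added example for the four address sections above; it is not from the Fortinet reference. Networks, names and the interface "dmz" are constructed, and the member lists are typed as one set line each. Lines beginning with # are comments.

```fortios
# Added example (not Fortinet's). Networks, names and interfaces are constructed.
config firewall address
    edit "corp-lan"
        set type ipmask
        set subnet 10.10.0.0 255.255.0.0
        set comment "User VLANs"
    next
    edit "dmz-web-range"
        set type iprange
        set start-ip 192.0.2.20
        set end-ip 192.0.2.29
        # Tie the object to the interface it belongs on; the GUI then offers it only there
        set associated-interface "dmz"
    next
    edit "updates.example"
        # Resolved by the FortiGate's own DNS; cache-ttl 300 keeps each learned
        # address for at least five minutes (0 would follow the record's own TTL)
        set type fqdn
        set fqdn "updates.example"
        set cache-ttl 300
    next
    edit "mgmt-jump-host"
        set type ipmask
        set subnet 10.10.250.5 255.255.255.255
        # Hidden from GUI pickers so it is not reused by accident in unrelated policies
        set visibility disable
    next
end
config firewall addrgrp
    edit "internal-nets"
        set member "corp-lan" "dmz-web-range"
        # Required before this group can be the destination of a static route
        set allow-routing enable
    next
end
config firewall address6
    edit "corp-lan-v6"
        set type ipprefix
        set ip6 2001:db8:10::/48
    next
end
config firewall addrgrp6
    edit "internal-nets-v6"
        set member "corp-lan-v6"
    next
end
```

An fqdn address is exactly as trustworthy as the DNS answers the FortiGate receives: a policy that permits "updates.example" permits whichever addresses the configured resolver returns for it, so the resolver path deserves the same protection as the policy. cache-ttl only sets a floor on how long a learned address stays in the object; it does not pin the object to a known set of addresses.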
firewall/auth-portal
CLI Syntax
config firewall auth-portal
    edit <name_str>
        config groups
            edit <name_str>
                set name <string>
            end
        set portal-addr <string>
        set portal-addr6 <string>
        set identity-based-route <string>
    end
Description
Configuration Description Default Value
groups Group name. (Empty)
portal-addr Address (or domain name) of authentication portal. (Empty)
portal-addr6 IPv6 address (or domain name) of authentication portal. (Empty)
identity-based-route Name of identity-based routing rule. (Empty)
firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        config orig-addr
            edit <name_str>
                set name <string>
            end
        config dst-addr
            edit <name_str>
                set name <string>
            end
        config nat-ippool
            edit <name_str>
                set name <string>
            end
        set protocol <integer>
        set orig-port <integer>
        set nat-port <user>
    end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
orig-addr Original address. (Empty)
dst-addr Destination address. (Empty)
nat-ippool IP pool names for translated address. (Empty)
protocol Protocol (0 - 255). 0
orig-port Original port. 0
nat-port Translated port or port range. 0
firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
    edit <name_str>
        set id <integer>
        set src <ipv4-address>
        set dst <ipv4-address>
        set netmask <ipv4-netmask>
    end
Description
Configuration Description Default Value
id ID. 0
src Source IP. 0.0.0.0
dst Destination IP. 0.0.0.0
netmask Network mask. 255.255.255.255
firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
            end
    end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
anomaly Anomaly. (Empty)
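A worked DoS policy for a WAN-facing interface, added here as an illustration; it is not taken from the Fortinet guide. It assumes an interface named wan1 and uses the built-in all address and ALL service objects. The anomaly names tcp_syn_flood, tcp_port_scan and udp_flood are the standard FortiOS anomaly sensors; the thresholds are starting points to tune against the traffic you actually see, and the quarantine-expiry value is assumed to use the days/hours/minutes string form (verify the accepted format on your firmware with ?). The same structure applies to firewall DoS-policy6 with IPv6 address objects.

```text
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 1h
                set quarantine-log enable
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end
```

Bring each anomaly up with action pass and log enable first, watch the logs for a few days, and only then switch to block: a threshold that is too low for a busy interface blocks legitimate clients, and with quarantine attacker it also bans their source address for the whole quarantine-expiry period. Keep quarantine-log enable on any anomaly that quarantines, so the ban itself shows up in the event log and can be correlated with the traffic that triggered it.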
firewall/DoS-policy6

CLI Syntax
config firewall DoS-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
            end
    end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
anomaly Anomaly. (Empty)
firewall/explicit-proxy-address

CLI Syntax
config firewall explicit-proxy-address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
        set host <string>
        set host-regex <string>
        set path <string>
        config category
            edit <name_str>
                set id <integer>
            end
        set method {get | post | put | head | connect | trace | options | delete}
        set ua {chrome | ms | firefox | safari | other}
        set header-name <string>
        set header <string>
        set case-sensitivity {disable | enable}
        config header-group
            edit <name_str>
                set id <integer>
                set header-name <string>
                set header <string>
                set case-sensitivity {disable | enable}
            end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
    end
Description
Configuration Description Default Value
name Address name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
type Address type. url
host Host address (Empty)
host-regex Host regular expression. (Empty)
path URL path regular expression. (Empty)
category FortiGuard category ID. (Empty)
method HTTP methods. (Empty)
ua User agent. (Empty)
header-name HTTP header. (Empty)
header HTTP header regular expression. (Empty)
case-sensitivity Case sensitivity in pattern. disable
header-group HTTP header group. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
visibility Enable/disable address visibility. disable
firewall/explicit-proxy-addrgrp

CLI Syntax
config firewall explicit-proxy-addrgrp
    edit <name_str>
        set name <string>
        set type {src | dst}
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
            end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
    end
Description
Configuration Description Default Value
name Address group name. (Empty)
type Address group type. src
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
member Address group members. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
comment Comment. (Empty)
visibility Enable/disable address visibility. disable
firewall/explicit-proxy-policy

CLI Syntax
config firewall explicit-proxy-policy
    edit <name_str>
        set uuid <uuid>
        set policyid <integer>
        set proxy {web | ftp | wanopt}
        config dstintf
            edit <name_str>
                set name <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        set logtraffic {all | utm | disable}
        config srcaddr6
            edit <name_str>
                set name <string>
            end
        config dstaddr6
            edit <name_str>
                set name <string>
            end
        set identity-based {enable | disable}
        set ip-based {enable | disable}
        set active-auth-method {ntlm | basic | digest | form | none}
        set sso-auth-method {fsso | rsso | none}
        set require-tfa {enable | disable}
        set web-auth-cookie {enable | disable}
        set transaction-based {enable | disable}
        config identity-based-policy
            edit <name_str>
                set id <integer>
                set schedule <string>
                set logtraffic {all | utm | disable}
                set logtraffic-start {enable | disable}
                set scan-botnet-connections {disable | block | monitor}
                set utm-status {enable | disable}
                set profile-type {single | group}
                set profile-group <string>
                set av-profile <string>
                set webfilter-profile <string>
                set spamfilter-profile <string>
                set dlp-sensor <string>
                set ips-sensor <string>
                set application-list <string>
                set casi-profile <string>
                set icap-profile <string>
                set waf-profile <string>
                set profile-protocol-options <string>
                set ssl-ssh-profile <string>
                config groups
                    edit <name_str>
                        set name <string>
                    end
                config users
                    edit <name_str>
                        set name <string>
                    end
                set disclaimer {disable | domain | policy | user}
                set replacemsg-override-group <string>
            end
        set webproxy-forward-server <string>
        set webproxy-profile <string>
        set transparent {enable | disable}
        set webcache {enable | disable}
        set webcache-https {disable | any | enable}
        set disclaimer {disable | domain | policy | user}
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set replacemsg-override-group <string>
        set logtraffic-start {enable | disable}
        config tags
            edit <name_str>
                set name <string>
            end
        set label <string>
        set global-label <string>
        set scan-botnet-connections {disable | block | monitor}
        set comments <var-string>
    end
Description
Configuration Description Default Value
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
policyid Policy ID. 0
proxy Explicit proxy type. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. [srcaddr or srcaddr6 (web proxy only) must be set]. (Empty)
dstaddr Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set]. (Empty)
service Service name. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
action Policy action. deny
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
logtraffic Enable/disable policy log traffic. utm
srcaddr6 IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set]. (Empty)
dstaddr6 IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set]. (Empty)
identity-based Enable/disable identity-based policy. disable
ip-based Enable/disable IP-based authentication. disable
active-auth-method Active authentication method. basic
sso-auth-method SSO authentication method. none
require-tfa Enable/disable requirement of 2-factor authentication. disable
web-auth-cookie Enable/disable Web authentication cookie. disable
transaction-based Enable/disable transaction based authentication. disable
identity-based-policy Identity-based policy. (Empty)
webproxy-forward-server Web proxy forward server. (Empty)
webproxy-profile Web proxy profile. (Empty)
transparent Use IP address of client to connect to server. disable
webcache Enable/disable web cache. disable
webcache-https Enable/disable web cache for HTTPS. disable
disclaimer Web proxy disclaimer setting. disable
utm-status Enable AV/web/IPS protection profile. disable
profile-type Profile type. single
profile-group Profile group. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL/SSH profile. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
logtraffic-start Enable/disable policy log traffic start. disable
tags Applied object tags. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
comments Comment. (Empty)
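An explicit web proxy policy that authenticates users and applies web filtering, added here as an illustration rather than taken from the Fortinet guide. Assumed names: an egress interface wan1, a source address object internal-net, a user group proxy-users, and the default webfilter, protocol-options and certificate-inspection SSL/SSH profiles that ship with the firmware; webproxy is the built-in service object for explicit proxy policies. Enabling the explicit web proxy itself on the client-facing interface is configured outside this table and is not shown.

```text
config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set identity-based enable
        set active-auth-method basic
        set sso-auth-method none
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "proxy-users"
                set logtraffic all
                set utm-status enable
                set webfilter-profile "default"
                set profile-protocol-options "default"
                set ssl-ssh-profile "certificate-inspection"
            next
        end
    next
end
```

With identity-based enable, the UTM profiles that actually apply are the ones inside the matching identity-based-policy entry, not the ones at the policy level, so put the webfilter-profile there. active-auth-method basic is the easiest to test but sends the user's password base64-encoded in the Proxy-Authorization header on every request, readable by anyone on the client-to-proxy path; in production prefer ntlm, or sso-auth-method fsso with active-auth-method none, and set require-tfa enable where the user store supports it.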
firewall/identity-based-route

CLI Syntax
config firewall identity-based-route
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set gateway <ipv4-address>
                set device <string>
                config groups
                    edit <name_str>
                        set name <string>
                    end
            end
    end
Description
Configuration Description Default Value
name Name. (Empty)
comments Description/comments. (Empty)
rule Rule. (Empty)
firewall/interface-policy

CLI Syntax
config firewall interface-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
    end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable interface log traffic. utm
address-type Policy address type. ipv4
interface Interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
service Service name. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter profile. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
label Label. (Empty)
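An interface policy that runs IPS and application control on everything entering a DMZ interface, added here as an illustration; it is not from the Fortinet guide. It assumes an interface named dmz and uses the built-in all and ALL objects together with the default IPS sensor and application list that ship with the firmware.

```text
config firewall interface-policy
    edit 1
        set interface "dmz"
        set address-type ipv4
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "default"
        set application-list-status enable
        set application-list "default"
        set scan-botnet-connections monitor
    next
end
```

Interface policies are evaluated on ingress, before the firewall policy lookup, so the sensor sees traffic regardless of which firewall policy later accepts or drops it; that makes them the right place for IDS-style visibility on an interface, and a poor substitute for enforcing controls in the firewall policy itself. Each profile needs its matching -status enable, otherwise the named profile is stored but never applied, a common reason an interface policy appears to do nothing.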
firewall/interface-policy6

CLI Syntax
config firewall interface-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr6
            edit <name_str>
                set name <string>
            end
        config dstaddr6
            edit <name_str>
                set name <string>
            end
        config service6
            edit <name_str>
                set name <string>
            end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
    end
Description
Configuration Description Default Value
policyid Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable interface log traffic. utm
address-type Policy address type. ipv6
interface Interface name. (Empty)
srcaddr6 IPv6 source address name. (Empty)
dstaddr6 IPv6 destination address name. (Empty)
service6 Service name. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter profile. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
label Label. (Empty)
firewall/ip-translation

CLI Syntax
config firewall ip-translation
    edit <name_str>
        set transid <integer>
        set type {SCTP}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set map-startip <ipv4-address-any>
    end
Description
Configuration Description Default Value
transid IP translation ID. 0
type IP translation type. SCTP
startip Start IP. 0.0.0.0
endip End IP. 0.0.0.0
map-startip Mapped start IP. 0.0.0.0
firewall/ippool

CLI Syntax
config firewall ippool
    edit <name_str>
        set name <string>
        set type {overload | one-to-one | fixed-port-range | port-block-allocation}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set source-startip <ipv4-address-any>
        set source-endip <ipv4-address-any>
        set block-size <integer>
        set num-blocks-per-user <integer>
        set permit-any-host {disable | enable}
        set arp-reply {disable | enable}
        set arp-intf <string>
        set comments <var-string>
    end
Description
Configuration Description Default Value
name IP pool name. (Empty)
type IP pool type. overload
startip Start IP. 0.0.0.0
endip End IP. 0.0.0.0
source-startip Source start IP. 0.0.0.0
source-endip Source end IP. 0.0.0.0
block-size Block size. 128
num-blocks-per-user Number of blocks per user (1 - 128). 8
permit-any-host Enable/disable full cone. disable
arp-reply Enable/disable ARP reply. enable
arp-intf ARP reply interface. Any if unset. (Empty)
comments Comment. (Empty)
firewall/ippool6

CLI Syntax
config firewall ippool6
    edit <name_str>
        set name <string>
        set startip <ipv6-address>
        set endip <ipv6-address>
        set comments <var-string>
    end
Description
Configuration Description Default Value
name IPv6 pool name. (Empty)
startip Start IP. ::
endip End IP. ::
comments Comment. (Empty)
firewall/ipv6-eh-filter

CLI Syntax
config firewall ipv6-eh-filter
    edit <name_str>
        set hop-opt {enable | disable}
        set dest-opt {enable | disable}
        set hdopt-type <integer>
        set routing {enable | disable}
        set routing-type <integer>
        set fragment {enable | disable}
        set auth {enable | disable}
        set no-next {enable | disable}
    end
Description
Configuration Description Default Value
hop-opt Block packets with Hop-by-Hop Options header. disable
dest-opt Block packets with Destination Options header. disable
hdopt-type Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). (Empty)
routing Block packets with Routing header. enable
routing-type Block specific Routing header types (maximum 7 types, each between 0 and 255). 0
fragment Block packets with Fragment header. disable
auth Block packets with Authentication header. disable
no-next Block packets with No Next header. disable
firewall/ldb-monitor

CLI Syntax
config firewall ldb-monitor
    edit <name_str>
        set name <string>
        set type {ping | tcp | http | passive-sip}
        set interval <integer>
        set timeout <integer>
        set retry <integer>
        set port <integer>
        set http-get <string>
        set http-match <string>
        set http-max-redirects <integer>
    end
Description
Configuration Description Default Value
name Monitor name. (Empty)
type Monitor type. (Empty)
interval Detect interval. 10
timeout Detect request timeout. 2
retry Number of failed probes before the server is marked down. 3
port Service port. 0
http-get HTTP get URL string. (Empty)
http-match String for matching HTTP-get response. (Empty)
http-max-redirects The maximum number of HTTP redirects to be allowed. 0
firewall/local-in-policy

CLI Syntax
config firewall local-in-policy
    edit <name_str>
        set policyid <integer>
        set ha-mgmt-intf-only {enable | disable}
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
            end
        set schedule <string>
        set auto-asic-offload {enable | disable}
        set status {enable | disable}
    end
Description
Configuration Description Default Value
policyid User defined local in policy ID. 0
ha-mgmt-intf-only Enable/disable applying this local-in policy only to the dedicated HA management interface. disable
intf Source interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Local-In policy action. deny
service Service name. (Empty)
schedule Schedule name. (Empty)
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
status Enable/disable policy status. enable
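A pair of local-in policies that restrict management of the FortiGate itself on its WAN interface to a known set of hosts, added here as an illustration and not taken from the Fortinet guide. It assumes an interface named wan1 and an existing address object mgmt-hosts holding the administrator subnet; HTTPS, SSH and PING are the built-in service objects. firewall local-in-policy6 takes the same shape with IPv6 objects.

```text
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH" "PING"
        set schedule "always"
    next
end
```

Unlike the main policy table, local-in policies have no implicit deny: without policy 2, policy 1 would merely confirm what is already allowed and block nothing, so the explicit deny is the entire point of the pair. They are matched top-down, so the accept must precede the deny. Local-in policies only filter traffic addressed to the unit; they stack with, and do not replace, the per-interface administrative access list and the trusted-host restrictions on administrator accounts, so keep all three in place. Use ha-mgmt-intf-only enable for the equivalent rules on a reserved HA management interface.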
firewall/local-in-policy6

CLI Syntax
config firewall local-in-policy6
    edit <name_str>
        set policyid <integer>
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
            end
        set schedule <string>
        set status {enable | disable}
    end
Description
Configuration Description Default Value
policyid User defined local in policy ID. 0
intf Source interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Local-In policy action. deny
service Service name. (Empty)
schedule Schedule name. (Empty)
status Enable/disable policy status. enable
firewall/multicast-address

CLI Syntax
config firewall multicast-address
    edit <name_str>
        set name <string>
        set type {multicastrange | broadcastmask}
        set subnet <ipv4-classnet-any>
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration Description Default Value
name Multicast address name. (Empty)
type Multicast address type. multicastrange
subnet Broadcast address and subnet. 0.0.0.0 0.0.0.0
start-ip Start IP. 0.0.0.0
end-ip End IP. 0.0.0.0
comment Comment. (Empty)
visibility Enable/disable multicast address visibility. enable
associated-interface Associated interface name. (Empty)
color GUI icon color. 0
tags Applied object tags. (Empty)
firewall/multicast-address6

CLI Syntax
config firewall multicast-address6
    edit <name_str>
        set name <string>
        set ip6 <ipv6-network>
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration Description Default Value
name IPv6 multicast address name. (Empty)
ip6 IPv6 address prefix. ::/0
comment Comment. (Empty)
visibility Enable/disable multicast address visibility. enable
color GUI icon color. 0
tags Applied object tags. (Empty)
firewall/multicast-policy

CLI Syntax
config firewall multicast-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set snat {enable | disable}
        set snat-ip <ipv4-address>
        set dnat <ipv4-address-any>
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
    end
Description
Configuration Description Default Value
id Policy ID. 0
status Enable/disable policy status. enable
logtraffic Enable/disable policy log traffic. disable
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
snat Enable/disable NAT source address. disable
snat-ip NAT source address. 0.0.0.0
dnat NAT destination address. 0.0.0.0
action Policy action. accept
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
firewall/multicast-policy6

CLI Syntax
config firewall multicast-policy6
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
    end
Description
Configuration Description Default Value
id Policy ID. 0
status Enable/disable multicast IPv6 policy status. enable
logtraffic Enable/disable multicast IPv6 policy log traffic. disable
srcintf IPv6 source interface name. (Empty)
dstintf IPv6 destination interface name. (Empty)
srcaddr IPv6 source address name. (Empty)
dstaddr IPv6 destination address name. (Empty)
action Policy action. accept
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
firewall/policy

CLI Syntax
config firewall policy
    edit <name_str>
        set policyid <integer>
        set name <string>
        set uuid <uuid>
        config srcintf
            edit <name_str>
                set name <string>
            end
        config dstintf
            edit <name_str>
                set name <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set rtp-nat {disable | enable}
        config rtp-addr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny | ipsec | ssl-vpn}
        set send-deny-packet {disable | enable}
        set firewall-session-dirty {check-all | check-new}
        set status {enable | disable}
        set schedule <string>
        set schedule-timeout {enable | disable}
        config service
            edit <name_str>
                set name <string>
            end
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set dnsfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set voip-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set logtraffic {all | utm | disable}
        set logtraffic-start {enable | disable}
        set capture-packet {enable | disable}
        set auto-asic-offload {enable | disable}
        set wanopt {enable | disable}
        set wanopt-detection {active | passive | off}
        set wanopt-passive-opt {default | transparent | non-transparent}
        set wanopt-profile <string>
        set wanopt-peer <string>
        set webcache {enable | disable}
        set webcache-https {disable | ssl-server | any | enable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set nat {enable | disable}
        set permit-any-host {enable | disable}
        set permit-stun-host {enable | disable}
        set fixedport {enable | disable}
        set ippool {enable | disable}
        config poolname
            edit <name_str>
                set name <string>
            end
        set session-ttl <integer>
        set vlan-cos-fwd <integer>
        set vlan-cos-rev <integer>
        set inbound {enable | disable}
        set outbound {enable | disable}
        set natinbound {enable | disable}
        set natoutbound {enable | disable}
        set wccp {enable | disable}
        set ntlm {enable | disable}
        set ntlm-guest {enable | disable}
        config ntlm-enabled-browsers
            edit <name_str>
                set user-agent-string <string>
            end
        set fsso {enable | disable}
        set wsso {enable | disable}
        set rsso {enable | disable}
        set fsso-agent-for-ntlm <string>
        config groups
            edit <name_str>
                set name <string>
            end
        config users
            edit <name_str>
                set name <string>
            end
        config devices
            edit <name_str>
                set name <string>
            end
        set auth-path {enable | disable}
        set disclaimer {enable | disable}
        set vpntunnel <string>
        set natip <ipv4-classnet>
        set match-vip {enable | disable}
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        set label <string>
        set global-label <string>
        set auth-cert <string>
        set auth-redirect-addr <string>
        set redirect-url <string>
        set identity-based-route <string>
        set block-notification {enable | disable}
        config custom-log-fields
            edit <name_str>
                set field_id <string>
            end
        config tags
            edit <name_str>
                set name <string>
            end
        set replacemsg-override-group <string>
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set timeout-send-rst {enable | disable}
        set captive-portal-exempt {enable | disable}
        set ssl-mirror {enable | disable}
        config ssl-mirror-intf
            edit <name_str>
                set name <string>
            end
        set scan-botnet-connections {disable | block | monitor}
        set dsri {enable | disable}
    end
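Two firewall policies that together give a least-privilege outbound rule and a logged deny, added here as a worked example of the syntax above; this is not configuration from the Fortinet guide. Assumed names: interfaces internal and wan1, an address object internal-net, and the default antivirus, web filter, IPS and protocol-options profiles plus the certificate-inspection SSL/SSH profile that ship with the firmware; HTTP, HTTPS, DNS and ALL are the built-in service objects.

```text
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set scan-botnet-connections block
        set nat enable
    next
    edit 2
        set name "lan-deny-rest"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policies are matched top-down and the first match wins, so the accept must sit above the deny. Policy 2 is there because the implicit deny at the bottom of the policy list does not log by default; an explicit deny with logtraffic all gives the SOC a record of what internal hosts attempt to reach, which is often the first sign of a compromised host. logtraffic all on the accept policy records every session rather than only those that raise a UTM event; keep it unless log volume forces you back to utm. nat enable translates to the egress interface address; for a dedicated pool, set ippool enable and name the pool under poolname instead.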
Description
Configuration Description Default Value
policyid Policy ID. 0
name Policy name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
rtp-nat Enable/disable use of this policy for RTP NAT. disable
rtp-addr RTP NAT address name. (Empty)
action Policy action. deny
send-deny-packet Enable/disable return of deny-packet. disable
firewall-session-dirty Packet session management. check-all
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
schedule-timeout Enable/disable schedule timeout. disable
service Service name. (Empty)
utm-status Enable AV/web/IPS protection profile. disable
profile-type profile type single
profile-group profile group (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
dnsfilter-profile DNS filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
voip-profile VoIP profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
logtraffic Enable/disable policy log traffic. utm
logtraffic-start Enable/disable policy log traffic start. disable
capture-packet Enable/disable capture packets. disable
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
wanopt Enable/disable WAN optimization. disable
wanopt-detection WAN optimization auto-detection mode. active
wanopt-passive-opt WAN optimization passive mode options. This option decides which IP address is used to connect to the server. default
wanopt-profile WAN optimization profile. (Empty)
wanopt-peer WAN optimization peer. (Empty)
webcache Enable/disable web cache. disable
webcache-https Enable/disable web cache for HTTPS. disable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Reverse-direction traffic shaper. (Empty)
per-ip-shaper Per-IP shaper. (Empty)
nat Enable/disable policy NAT. disable
permit-any-host Enable/disable permit any host in. disable
permit-stun-host Enable/disable permit stun host in. disable
fixedport Enable/disable policy fixed port. disable
ippool Enable/disable policy IP pool. disable
poolname Policy IP pool names. (Empty)
session-ttl Session TTL. 0
vlan-cos-fwd VLAN forward direction user priority. 255
vlan-cos-rev VLAN reverse direction user priority. 255
inbound Enable/disable policy inbound. disable
outbound Enable/disable policy outbound. disable
natinbound Enable/disable policy NAT inbound. disable
natoutbound Enable/disable policy NAT outbound. disable
wccp Enable/disable Web Cache Coordination Protocol (WCCP). disable
ntlm Enable/disable NTLM authentication. disable
ntlm-guest Enable/disable guest user for NTLM authentication. disable
ntlm-enabled-browsers User agent strings for NTLM enabled browsers. (Empty)
fsso Enable/disable Fortinet Single Sign-On. disable
wsso Enable/disable WiFi Single Sign-On. enable
rsso Enable/disable RADIUS Single Sign-On. disable
fsso-agent-for-ntlm Specify FSSO agent for NTLM authentication. (Empty)
groups User authentication groups. (Empty)
users User name. (Empty)
devices Devices or device groups. (Empty)
auth-path Enable/disable authentication-based routing. disable
disclaimer Enable/disable user authentication disclaimer. disable
vpntunnel Policy VPN tunnel. (Empty)
natip NAT address. 0.0.0.0 0.0.0.0
match-vip Enable/disable match DNATed packet. disable
diffserv-forward Enable/disable forward (original) traffic DiffServ. disable
diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable
diffservcode-forward Forward (original) traffic DiffServ code point value. 000000
diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
auth-cert HTTPS server certificate for policy authentication. (Empty)
auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. (Empty)
redirect-url URL redirection after disclaimer/authentication. (Empty)
identity-based-route Name of identity-based routing rule. (Empty)
block-notification Enable/disable block notification. disable
custom-log-fields Log custom fields. (Empty)
tags Applied object tags. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable
captive-portal-exempt Enable/disable exemption of captive portal. disable
ssl-mirror Enable/disable SSL mirror. disable
ssl-mirror-intf Mirror interface name. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
dsri Enable/disable DSRI. disable
firewall/policy46

CLI Syntax

config firewall policy46
    edit <name_str>
        set permit-any-host {enable | disable}
        set policyid <integer>
        set uuid <uuid>
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
        end
        set logtraffic {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set fixedport {enable | disable}
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        config tags
            edit <name_str>
                set name <string>
        end
end
Description
Configuration Description Default Value
permit-any-host Enable/disable permit any host in. disable
policyid Policy ID. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Policy action. deny
status Policy status. enable
schedule Schedule name. (Empty)
service Service name. (Empty)
logtraffic Enable/disable traffic log. disable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per IP traffic shaper. (Empty)
fixedport Enable/disable policy fixed port. disable
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
tags Applied object tags. (Empty)
firewall/policy6

CLI Syntax

config firewall policy6
    edit <name_str>
        set policyid <integer>
        set name <string>
        set uuid <uuid>
        config srcintf
            edit <name_str>
                set name <string>
        end
        config dstintf
            edit <name_str>
                set name <string>
        end
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny | ipsec | ssl-vpn}
        set firewall-session-dirty {check-all | check-new}
        set status {enable | disable}
        set vlan-cos-fwd <integer>
        set vlan-cos-rev <integer>
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
        end
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set voip-profile <string>
        set icap-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set logtraffic {all | utm | disable}
        set logtraffic-start {enable | disable}
        set auto-asic-offload {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set nat {enable | disable}
        set fixedport {enable | disable}
        set ippool {enable | disable}
        config poolname
            edit <name_str>
                set name <string>
        end
        set inbound {enable | disable}
        set outbound {enable | disable}
        set natinbound {enable | disable}
        set natoutbound {enable | disable}
        set send-deny-packet {enable | disable}
        set vpntunnel <string>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        set label <string>
        set global-label <string>
        set rsso {enable | disable}
        config tags
            edit <name_str>
                set name <string>
        end
        set replacemsg-override-group <string>
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        config groups
            edit <name_str>
                set name <string>
        end
        config users
            edit <name_str>
                set name <string>
        end
        config devices
            edit <name_str>
                set name <string>
        end
        set timeout-send-rst {enable | disable}
        set ssl-mirror {enable | disable}
        config ssl-mirror-intf
            edit <name_str>
                set name <string>
        end
        set dsri {enable | disable}
end
Description
Configuration Description Default Value
policyid Policy ID. 0
name Policy name. (Empty)
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Policy action. deny
firewall-session-dirty Packet session management. check-all
status Enable/disable policy status. enable
vlan-cos-fwd VLAN forward direction user priority. 255
vlan-cos-rev VLAN reverse direction user priority. 255
schedule Schedule name. (Empty)
service Service name. (Empty)
utm-status Enable AV/web/ips protection profile. disable
profile-type profile type single
profile-group profile group (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
voip-profile VoIP profile. (Empty)
icap-profile ICAP profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
logtraffic Enable/disable policy log traffic. utm
logtraffic-start Enable/disable policy log traffic start. disable
auto-asic-offload Enable/disable policy traffic ASIC offloading. enable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Traffic shaper. (Empty)
per-ip-shaper Per-IP shaper. (Empty)
nat Enable/disable policy NAT. disable
fixedport Enable/disable policy fixed port. disable
ippool Enable/disable policy IP pool. disable
poolname Policy IP pool names. (Empty)
inbound Enable/disable policy inbound. disable
outbound Enable/disable policy outbound. disable
natinbound Enable/disable policy NAT inbound. disable
natoutbound Enable/disable policy NAT outbound. disable
send-deny-packet Enable/disable return of deny-packet. disable
vpntunnel Policy VPN tunnel. (Empty)
diffserv-forward Enable/disable forward (original) traffic DiffServ. disable
diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable
diffservcode-forward Forward (original) traffic DiffServ code point value. 000000
diffservcode-rev Reverse (reply) Traffic DiffServ code point value. 000000
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
label Label for section view. (Empty)
global-label Label for global view. (Empty)
rsso Enable/disable RADIUS Single Sign-On. disable
tags Applied object tags. (Empty)
replacemsg-override-group Specify authentication replacement message override group. (Empty)
srcaddr-negate Enable/disable negated source address match. disable
dstaddr-negate Enable/disable negated destination address match. disable
service-negate Enable/disable negated service match. disable
groups User authentication groups. (Empty)
users User name. (Empty)
devices Devices or device groups. (Empty)
timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable
ssl-mirror Enable/disable SSL mirror. disable
ssl-mirror-intf Mirror interface name. (Empty)
dsri Enable/disable DSRI. disable
firewall/policy64

CLI Syntax

config firewall policy64
    edit <name_str>
        set policyid <integer>
        set uuid <uuid>
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
        end
        set logtraffic {enable | disable}
        set permit-any-host {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set fixedport {enable | disable}
        set ippool {enable | disable}
        config poolname
            edit <name_str>
                set name <string>
        end
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        config tags
            edit <name_str>
                set name <string>
        end
end
Description
Configuration Description Default Value
policyid Policy ID. 0
uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000
srcintf Source interface name. (Empty)
dstintf Destination interface name. (Empty)
srcaddr Source address name. (Empty)
dstaddr Destination address name. (Empty)
action Policy action. deny
status Enable/disable policy status. enable
schedule Schedule name. (Empty)
service Service name. (Empty)
logtraffic Enable/disable policy log traffic. disable
permit-any-host Enable/disable permit any host in. disable
traffic-shaper Traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per-IP traffic shaper. (Empty)
fixedport Enable/disable policy fixed port. disable
ippool Enable/disable policy64 IP pool. disable
poolname Policy IP pool names. (Empty)
tcp-mss-sender TCP MSS value of sender. 0
tcp-mss-receiver TCP MSS value of receiver. 0
comments Comment. (Empty)
tags Applied object tags. (Empty)
firewall/profile-group

CLI Syntax

config firewall profile-group
    edit <name_str>
        set name <string>
        set av-profile <string>
        set webfilter-profile <string>
        set dnsfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set voip-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
end
Description
Configuration Description Default Value
name Profile group name. (Empty)
av-profile Antivirus profile. (Empty)
webfilter-profile Web filter profile. (Empty)
dnsfilter-profile DNS filter profile. (Empty)
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor DLP sensor. (Empty)
ips-sensor IPS sensor. (Empty)
application-list Application list. (Empty)
casi-profile CASI profile. (Empty)
voip-profile VoIP profile. (Empty)
icap-profile ICAP profile. (Empty)
waf-profile Web application firewall profile. (Empty)
profile-protocol-options Profile protocol options. (Empty)
ssl-ssh-profile SSL SSH Profile. (Empty)
firewall/profile-protocol-options

CLI Syntax

config firewall profile-protocol-options
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set oversize-log {disable | enable}
        set switching-protocols-log {disable | enable}
        config http
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
                set comfort-interval <integer>
                set comfort-amount <integer>
                set range-block {disable | enable}
                set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
                set fortinet-bar {enable | disable}
                set fortinet-bar-port <integer>
                set streaming-content-bypass {enable | disable}
                set switching-protocols {bypass | block}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
                set block-page-status-code <integer>
                set retry-count <integer>
        end
        config ftp
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
                set comfort-interval <integer>
                set comfort-amount <integer>
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config imap
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {fragmail | oversize | no-content-summary}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config mapi
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set options {fragmail | oversize | no-content-summary}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config pop3
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {fragmail | oversize | no-content-summary}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config smtp
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {fragmail | oversize | no-content-summary | splice}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
                set server-busy {enable | disable}
        end
        config nntp
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {oversize | no-content-summary | splice}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config dns
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
        end
        config mail-signature
            edit <name_str>
                set status {disable | enable}
                set signature <string>
        end
        set rpc-over-http {enable | disable}
end
Description
Configuration Description Default Value
name Name. (Empty)
comment Comment. (Empty)
replacemsg-group Replacement message group. (Empty)
oversize-log Enable/disable log antivirus oversize file blocking. disable
switching-protocols-log Enable/disable log HTTP/HTTPS switching protocols. disable
http HTTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
range-block disable
post-lang (Empty)
fortinet-bar disable
fortinet-bar-port 8011
streaming-content-bypass enable
switching-protocols bypass
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
block-page-status-code 200
retry-count 0
ftp FTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
imap IMAP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
mapi MAPI. Details below
Configuration Default Value
ports (Empty)
status enable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
pop3 POP3. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
smtp SMTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
server-busy disable
nntp NNTP. Details below
Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
dns DNS. Details below
Configuration Default Value
ports (Empty)
status enable
mail-signature Mail signature. Details below
Configuration Default Value
status disable
signature (Empty)
rpc-over-http Enable/disable inspection of RPC over HTTP. enable
firewall/shaping-policy

CLI Syntax

config firewall shaping-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set ip-version {4 | 6}
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        config srcaddr6
            edit <name_str>
                set name <string>
        end
        config dstaddr6
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        config users
            edit <name_str>
                set name <string>
        end
        config groups
            edit <name_str>
                set name <string>
        end
        config application
            edit <name_str>
                set id <integer>
        end
        config app-category
            edit <name_str>
                set id <integer>
        end
        config url-category
            edit <name_str>
                set id <integer>
        end
        config dstintf
            edit <name_str>
                set name <string>
        end
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
end
Description
Configuration Description Default Value
id Shaping policy ID. 0
status Enable/disable traffic shaping policy. enable
ip-version IP version. 4
srcaddr Source address. (Empty)
dstaddr Destination address. (Empty)
srcaddr6 IPv6 source address. (Empty)
dstaddr6 IPv6 destination address. (Empty)
service Service name. (Empty)
users User name. (Empty)
groups User authentication groups. (Empty)
application Application ID list. (Empty)
app-category Application category ID list. (Empty)
url-category URL category ID list. (Empty)
dstintf Destination interface list. (Empty)
traffic-shaper Forward traffic shaper. (Empty)
traffic-shaper-reverse Reverse traffic shaper. (Empty)
per-ip-shaper Per IP shaper. (Empty)
firewall/sniffer

CLI Syntax

config firewall sniffer
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set ipv6 {enable | disable}
        set non-ip {enable | disable}
        set interface <string>
        set host <string>
        set port <string>
        set protocol <string>
        set vlan <string>
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set ips-dos-status {enable | disable}
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
        end
        set scan-botnet-connections {disable | block | monitor}
        set max-packet-count <integer>
end
Description
Configuration Description Default Value
id Sniffer ID. 0
status Enable/disable sniffer status. enable
logtraffic Enable/disable sniffer log traffic. utm
ipv6 Enable/disable sniffer for IPv6 packets. disable
non-ip Enable/disable sniffer for non-IP packets. disable
interface Interface name. (Empty)
host Host list (IP or IP/mask or IP range). (Empty)
port Port list. (Empty)
protocol IP protocol list. (Empty)
vlan VLAN list. (Empty)
application-list-status Enable/disable application control. disable
application-list Application list name. (Empty)
casi-profile-status Enable/disable CASI. disable
casi-profile CASI profile name. (Empty)
ips-sensor-status Enable/disable IPS sensor. disable
ips-sensor IPS sensor name. (Empty)
dsri Enable/disable DSRI. disable
av-profile-status Enable/disable antivirus. disable
av-profile Antivirus profile. (Empty)
webfilter-profile-status Enable/disable web filter. disable
webfilter-profile Web filter profile. (Empty)
spamfilter-profile-status Enable/disable spam filter. disable
spamfilter-profile Spam filter profile. (Empty)
dlp-sensor-status Enable/disable DLP sensor. disable
dlp-sensor DLP sensor. (Empty)
ips-dos-status Enable/disable IPS DoS anomaly detection. disable
anomaly Configure anomaly. (Empty)
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
max-packet-count Maximum packet count. 4000
firewall/ssl-server

CLI Syntax

config firewall ssl-server
    edit <name_str>
        set name <string>
        set ip <ipv4-address-any>
        set port <integer>
        set ssl-mode {half | full}
        set add-header-x-forwarded-proto {enable | disable}
        set mapped-port <integer>
        set ssl-cert <string>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-algorithm {high | medium | low}
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-send-empty-frags {enable | disable}
        set url-rewrite {enable | disable}
end
Description
Configuration Description Default Value
name Server name. (Empty)
ip Server IP address. 0.0.0.0
port Server service port. 0
ssl-mode SSL/TLS mode for encryption & decryption of traffic. full
add-header-x-forwarded-proto Enable/disable add X-Forwarded-Proto header to forwarded requests. enable
mapped-port Mapped server service port. 0
ssl-cert Name of certificate for SSL connections to this server. (Empty)
ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048
ssl-algorithm Relative strength of encryption algorithms accepted in negotiation. high
ssl-client-renegotiation Allow/block client renegotiation by server. allow
ssl-min-version Lowest SSL/TLS version to negotiate. ssl-3.0
ssl-max-version Highest SSL/TLS version to negotiate. tls-1.0
ssl-send-empty-frags Enable/disable send empty fragments to avoid attack on CBC IV. enable
url-rewrite Enable/disable rewrite URL. disable
firewall/ssl-ssh-profile

CLI Syntax

config firewall ssl-ssh-profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config ssl
            edit <name_str>
                set inspect-all {disable | certificate-inspection | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config https
            edit <name_str>
                set ports <integer>
                set status {disable | certificate-inspection | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config ftps
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config imaps
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config pop3s
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config smtps
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config ssh
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set inspect-all {disable | deep-inspection | enable}
                set block {x11-filter | ssh-shell | exec | port-forward}
                set log {x11-filter | ssh-shell | exec | port-forward}
        end
        set whitelist {enable | disable}
        config ssl-exempt
            edit <name_str>
                set id <integer>
                set type {fortiguard-category | address | address6}
                set fortiguard-category <integer>
                set address <string>
                set address6 <string>
        end
        set server-cert-mode {re-sign | replace}
        set use-ssl-server {disable | enable}
        set caname <string>
        set untrusted-caname <string>
        set certname <string>
        set server-cert <string>
        config ssl-server
            edit <name_str>
                set id <integer>
                set ip <ipv4-address-any>
                set https-client-cert-request {bypass | inspect | block}
                set smtps-client-cert-request {bypass | inspect | block}
                set pop3s-client-cert-request {bypass | inspect | block}
                set imaps-client-cert-request {bypass | inspect | block}
                set ftps-client-cert-request {bypass | inspect | block}
                set ssl-other-client-cert-request {bypass | inspect | block}
        end
        set ssl-invalid-server-cert-log {disable | enable}
        set rpc-over-https {enable | disable}
end
Description
Configuration Description Default Value
name Name. (Empty)
comment Comment. (Empty)
ssl ssl Details below
Configuration Default Value
inspect-all disable
client-cert-request bypass
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
https https Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request bypass
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
ftps ftps Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request bypass
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
imaps imaps Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request inspect
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
pop3s pop3s Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request inspect
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
smtps smtps Details below
Configuration Default Value
ports (Empty)
status deep-inspection
client-cert-request inspect
unsupported-ssl bypass
allow-invalid-server-cert disable
untrusted-cert allow
ssh ssh Details below
Configuration Default Value
ports (Empty)
status deep-inspection
inspect-all disable
block (Empty)
log (Empty)
whitelist Enable/disable exempt servers by FortiGuard whitelist. disable
ssl-exempt Servers to exempt from SSL inspection. (Empty)
server-cert-mode Re-sign or replace the server's certificate. re-sign
use-ssl-server Enable/disable to use SSL server table for SSL offloading. disable
caname CA certificate used by SSL Inspection. Fortinet_CA_SSL
untrusted-caname Untrusted CA certificate used by SSL Inspection. Fortinet_CA_Untrusted
certname Certificate containing the key to use when re-signing server certificates for SSL inspection. Fortinet_SSL
server-cert Certificate used by SSL Inspection to replace server certificate. Fortinet_SSL
ssl-server SSL servers. (Empty)
ssl-invalid-server-cert-log Enable/disable SSL server certificate validation logging. disable
rpc-over-https Enable/disable inspection of RPC over HTTPS. enable
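The defaults in the ssl-server and ssl-ssh-profile tables above are the values a FortiGate applies when a setting is absent from a configuration dump (ssl-min-version ssl-3.0, ssl-client-renegotiation allow, untrusted-cert allow, ssl-invalid-server-cert-log disable). An audit of an exported configuration therefore has to fill those defaults in before judging a setting. The following script is an added example, not Fortinet's code or anything from this reference: it parses the config/edit/set/next/end structure of a dump (assumed to use next between entries and to omit edit inside single-instance sub-tables such as https), merges in the page's defaults, and reports the weak values. The sample dump is constructed for the example.

```python
"""Added example (not Fortinet's code): parse a FortiOS-style configuration
dump and flag weak 'firewall ssl-server' / 'firewall ssl-ssh-profile' settings.
Defaults below are the ones listed in the reference tables; a FortiOS dump
omits settings at their default, so the audit fills them in before judging."""
import re

# Defaults taken from the Description tables of this reference.
SSL_SERVER_DEFAULTS = {
    "ssl-min-version": "ssl-3.0",
    "ssl-max-version": "tls-1.0",
    "ssl-client-renegotiation": "allow",
    "ssl-dh-bits": "2048",
    "ssl-algorithm": "high",
}
SSL_PROTO_DEFAULTS = {"allow-invalid-server-cert": "disable", "untrusted-cert": "allow"}
SSL_PROFILE_DEFAULTS = {"ssl-invalid-server-cert-log": "disable"}
SSL_PROTOS = ("https", "ftps", "imaps", "pop3s", "smtps")


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' text into nested dicts.
    Tables and entries become dicts; 'set' values become strings.
    Quoted names keep their spaces; quotes themselves are dropped."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw.strip())]
        if not tokens or tokens[0].startswith("#"):
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif kw == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_ssl_server(name, entry):
    """Return a list of findings for one 'firewall ssl-server' entry."""
    s = {**SSL_SERVER_DEFAULTS, **entry}
    findings = []
    if s["ssl-min-version"] == "ssl-3.0":
        findings.append(f"{name}: ssl-min-version ssl-3.0 accepts SSLv3; set tls-1.0")
    if s["ssl-client-renegotiation"] == "allow":
        findings.append(f"{name}: ssl-client-renegotiation allow; set secure or deny")
    if int(s["ssl-dh-bits"]) < 2048:
        findings.append(f"{name}: ssl-dh-bits {s['ssl-dh-bits']} is below 2048")
    if s["ssl-algorithm"] != "high":
        findings.append(f"{name}: ssl-algorithm {s['ssl-algorithm']}; set high")
    return findings


def audit_ssl_ssh_profile(name, entry):
    """Return findings for one 'firewall ssl-ssh-profile' entry: inspected
    protocols that accept invalid or untrusted server certificates, and
    certificate validation failures that are not logged."""
    findings = []
    p = {**SSL_PROFILE_DEFAULTS, **entry}
    if p["ssl-invalid-server-cert-log"] == "disable":
        findings.append(f"{name}: ssl-invalid-server-cert-log disabled; enable for detection")
    for proto in SSL_PROTOS:
        sub = {**SSL_PROTO_DEFAULTS, **entry.get(proto, {})}
        if sub.get("status", "deep-inspection") == "disable":
            continue  # protocol not inspected by this profile
        if sub["allow-invalid-server-cert"] == "enable":
            findings.append(f"{name}/{proto}: allow-invalid-server-cert enable")
        if sub["untrusted-cert"] == "allow":
            findings.append(f"{name}/{proto}: untrusted-cert allow; set block")
    return findings


def audit_config(text):
    """Run both audits over a full dump; returns a sorted list of findings."""
    cfg = parse_fortios(text)
    findings = []
    for name, entry in cfg.get("firewall ssl-server", {}).items():
        findings += audit_ssl_server(name, entry)
    for name, entry in cfg.get("firewall ssl-ssh-profile", {}).items():
        findings += audit_ssl_ssh_profile(name, entry)
    return sorted(findings)


# Constructed sample dump (not from a real device): one server left at the
# reference defaults, one hardened, and one inspection profile.
SAMPLE = """
config firewall ssl-server
    edit "legacy-web"
        set ip 10.0.0.10
        set port 443
    next
    edit "hardened-web"
        set ip 10.0.0.11
        set port 443
        set ssl-min-version tls-1.0
        set ssl-client-renegotiation secure
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspect"
        config https
            set ports 443
            set status deep-inspection
            set untrusted-cert block
        end
        config smtps
            set status deep-inspection
            set allow-invalid-server-cert enable
        end
        set ssl-invalid-server-cert-log enable
    next
end
"""

if __name__ == "__main__":
    for line in audit_config(SAMPLE):
        print(line)
```

On the sample, legacy-web is reported for both of its inherited defaults, hardened-web produces nothing, and deep-inspect is reported for every inspected protocol that still accepts untrusted certificates, including ftps, imaps and pop3s, which are absent from the dump and so run at the table defaults.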
firewall/ttl-policy

CLI Syntax

config firewall ttl-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set action {accept | deny}
        set srcintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        set schedule <string>
        set ttl <user>
end
Description
Configuration Description Default Value
id ID. 0
status status enable
action Action. deny
srcintf Source interface name. (Empty)
srcaddr Source address name. (Empty)
service Service name. (Empty)
schedule Schedule name. (Empty)
ttl TTL range. (Empty)
firewall/vip

CLI Syntax

config firewall vip
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
        set dns-mapping-ttl <integer>
        set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
        config src-filter
            edit <name_str>
                set range <string>
            end
        set extip <user>
        config mappedip
            edit <name_str>
                set range <string>
            end
        set mapped-addr <string>
        set extintf <string>
        set arp-reply {disable | enable}
        set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
        set persistence {none | http-cookie | ssl-session-id}
        set nat-source-vip {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp | sctp | icmp}
        set extport <user>
        set mappedport <user>
        set gratuitous-arp-interval <integer>
        config srcintf-filter
            edit <name_str>
                set interface-name <string>
            end
        set portmapping-type {1-to-1 | m-to-n}
        config realservers
            edit <name_str>
                set id <integer>
                set ip <ipv4-address-any>
                set port <integer>
                set status {active | standby | disable}
                set weight <integer>
                set holddown-interval <integer>
                set healthcheck {disable | enable | vip}
                set http-host <string>
                set max-connections <integer>
                set monitor <string>
                set client-ip <user>
            end
        set http-cookie-domain-from-host {disable | enable}
        set http-cookie-domain <string>
        set http-cookie-path <string>
        set http-cookie-generation <integer>
        set http-cookie-age <integer>
        set http-cookie-share {disable | same-ip}
        set https-cookie-secure {disable | enable}
        set http-multiplex {enable | disable}
        set http-ip-header {enable | disable}
        set http-ip-header-name <string>
        set outlook-web-access {disable | enable}
        set weblogic-server {disable | enable}
        set websphere-server {disable | enable}
        set ssl-mode {half | full}
        set ssl-certificate <string>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-algorithm {high | medium | low | custom}
        config ssl-cipher-suites
            edit <name_str>
                set priority <integer>
                set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 |
                            TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 |
                            TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 |
                            TLS-DHE-RSA-WITH-AES-128-CBC-SHA |
                            TLS-DHE-RSA-WITH-AES-256-CBC-SHA |
                            TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 |
                            TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 |
                            TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 |
                            TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 |
                            TLS-DHE-DSS-WITH-AES-128-CBC-SHA |
                            TLS-DHE-DSS-WITH-AES-256-CBC-SHA |
                            TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 |
                            TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 |
                            TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 |
                            TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 |
                            TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA |
                            TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 |
                            TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
                            TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA |
                            TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 |
                            TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 |
                            TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA |
                            TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 |
                            TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 |
                            TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 |
                            TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 |
                            TLS-RSA-WITH-AES-128-CBC-SHA |
                            TLS-RSA-WITH-AES-256-CBC-SHA |
                            TLS-RSA-WITH-AES-128-CBC-SHA256 |
                            TLS-RSA-WITH-AES-128-GCM-SHA256 |
                            TLS-RSA-WITH-AES-256-CBC-SHA256 |
                            TLS-RSA-WITH-AES-256-GCM-SHA384 |
                            TLS-RSA-WITH-CAMELLIA-128-CBC-SHA |
                            TLS-RSA-WITH-CAMELLIA-256-CBC-SHA |
                            TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
                            TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
                            TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA |
                            TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
                            TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA |
                            TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA |
                            TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA |
                            TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
                            TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 |
                            TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
                            TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 |
                            TLS-DHE-RSA-WITH-SEED-CBC-SHA |
                            TLS-DHE-DSS-WITH-SEED-CBC-SHA |
                            TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 |
                            TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 |
                            TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 |
                            TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 |
                            TLS-RSA-WITH-SEED-CBC-SHA |
                            TLS-RSA-WITH-ARIA-128-CBC-SHA256 |
                            TLS-RSA-WITH-ARIA-256-CBC-SHA384 |
                            TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 |
                            TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 |
                            TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 |
                            TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 |
                            TLS-ECDHE-RSA-WITH-RC4-128-SHA |
                            TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA |
                            TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA |
                            TLS-RSA-WITH-3DES-EDE-CBC-SHA |
                            TLS-RSA-WITH-RC4-128-MD5 |
                            TLS-RSA-WITH-RC4-128-SHA |
                            TLS-DHE-RSA-WITH-DES-CBC-SHA |
                            TLS-DHE-DSS-WITH-DES-CBC-SHA |
                            TLS-RSA-WITH-DES-CBC-SHA}
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            end
        set ssl-pfs {require | deny | allow}
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-send-empty-frags {enable | disable}
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-client-session-state-type {disable | time | count | both}
        set ssl-client-session-state-timeout <integer>
        set ssl-client-session-state-max <integer>
        set ssl-server-session-state-type {disable | time | count | both}
        set ssl-server-session-state-timeout <integer>
        set ssl-server-session-state-max <integer>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set monitor <string>
        set max-embryonic-connections <integer>
        set color <integer>
    end
Description

Configuration | Description | Default Value
name | Virtual IP name. | (Empty)
id | Custom defined ID. | 0
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
type | VIP type: static NAT, load balance, server load balance. | static-nat
dns-mapping-ttl | DNS mapping TTL (set to zero to use TTL in DNS response, default = 0). | 0
ldb-method | Load balance method. | static
src-filter | Source IP filter (x.x.x.x/x or x.x.x.x-y.y.y.y). | (Empty)
extip | Start external IP - end external IP. | 0.0.0.0
mappedip | Mapped IP (x.x.x.x/x or x.x.x.x-y.y.y.y). | (Empty)
mapped-addr | Mapped address. | (Empty)
extintf | External interface. | (Empty)
arp-reply | Enable/disable ARP reply. | enable
server-type | Server type. | (Empty)
persistence | Persistence. | none
nat-source-vip | Enable/disable force NAT as VIP when server goes out. | disable
portforward | Enable/disable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. | 0
mappedport | Mapped service port. | 0
gratuitous-arp-interval | Interval between sending gratuitous ARPs (seconds, 0 to disable). | 0
srcintf-filter | Source interface filter. | (Empty)
portmapping-type | Port mapping type. | 1-to-1
realservers | Real servers. | (Empty)
http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. | disable
http-cookie-domain | HTTP cookie domain. | (Empty)
http-cookie-path | HTTP cookie path. | (Empty)
http-cookie-generation | Generation of HTTP cookie to be accepted. Changing it invalidates all existing cookies. | 0
http-cookie-age | Number of minutes the web browser should keep the cookie (0 = forever). | 60
http-cookie-share | Share HTTP cookies across different virtual servers. | same-ip
https-cookie-secure | Enable/disable verification that the cookie inserted into HTTPS is marked as secure. | disable
http-multiplex | Enable/disable multiplexing HTTP requests/responses over a single TCP connection. | disable
http-ip-header | Add an additional HTTP header containing the client's original IP address. | disable
http-ip-header-name | Name of HTTP header containing the client's IP address (X-Forwarded-For is used if empty). | (Empty)
outlook-web-access | Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server. | disable
weblogic-server | Enable/disable adding HTTP header indicating SSL offload for WebLogic server. | disable
websphere-server | Enable/disable adding HTTP header indicating SSL offload for WebSphere server. | disable
ssl-mode | SSL/TLS mode for encryption & decryption of traffic. | half
ssl-certificate | Name of certificate to offer in every SSL connection. | (Empty)
ssl-dh-bits | Size of Diffie-Hellman prime used in DHE-RSA negotiation. | 2048
ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation. | high
ssl-cipher-suites | SSL/TLS cipher suites ordered by priority. | (Empty)
ssl-pfs | SSL Perfect Forward Secrecy. | allow
ssl-min-version | Lowest SSL/TLS version to negotiate. | tls-1.0
ssl-max-version | Highest SSL/TLS version to negotiate. | tls-1.2
ssl-send-empty-frags | Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). | enable
ssl-client-renegotiation | Allow/block client renegotiation by server. | allow
ssl-client-session-state-type | Control client to FortiGate SSL session state preservation. | both
ssl-client-session-state-timeout | Number of minutes to keep client to FortiGate SSL session state. | 30
ssl-client-session-state-max | Maximum number of client to FortiGate SSL session states to keep. | 1000
ssl-server-session-state-type | Control FortiGate to server SSL session state preservation. | both
ssl-server-session-state-timeout | Number of minutes to keep FortiGate to server SSL session state. | 60
ssl-server-session-state-max | Maximum number of FortiGate to server SSL session states to keep. | 100
ssl-http-location-conversion | Enable/disable location conversion on HTTP response header. | disable
ssl-http-match-host | Enable/disable HTTP host matching for location conversion. | disable
monitor | Health monitors. | (Empty)
max-embryonic-connections | Maximum number of incomplete connections. | 1000
color | GUI icon color. | 0
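The defaults above leave ssl-min-version at tls-1.0, ssl-pfs at allow and ssl-client-renegotiation at allow, and the cipher list still admits RC4, DES, 3DES and MD5 suites. As an added example that is not part of this reference or Fortinet's code, the Python script below parses the firewall vip entries out of a saved configuration and flags those settings when they are weaker than TLS 1.2 with 2048-bit DH, required PFS, secure renegotiation and modern ciphers. The sample configuration, VIP names and addresses are constructed; the parser assumes the standard FortiOS dump layout in which next closes an edit and end closes a config.

```python
"""Audit TLS settings on `config firewall vip` entries in a saved FortiOS 5.4
configuration. Added example for this reference, not Fortinet code; the sample
configuration is constructed (VIP names and addresses are invented)."""

# Setting names and values are taken from the firewall/vip syntax on this page.
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]
# Substrings that mark obsolete algorithms in the page's `set cipher` list.
WEAK_CIPHER_MARKERS = ("-RC4-", "-DES-CBC-", "-3DES-", "-MD5")
# server-type values under which the FortiGate itself terminates SSL/TLS.
TLS_SERVER_TYPES = {"https", "imaps", "pop3s", "smtps", "ssl"}

SAMPLE_CONFIG = """\
config firewall vip
    edit "web-legacy"
        set extip 203.0.113.10
        set server-type https
        set ssl-dh-bits 1024
        set ssl-min-version ssl-3.0
        set ssl-pfs allow
        set ssl-client-renegotiation allow
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions tls-1.0 tls-1.1
            next
            edit 2
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                set versions tls-1.2
            next
        end
    next
    edit "web-hardened"
        set extip 203.0.113.11
        set server-type https
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.2
        set ssl-pfs require
        set ssl-client-renegotiation secure
        set ssl-algorithm high
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value, "ciphers": [...]}} for each entry
    under `config firewall vip`. A stack of open `config` tables keeps
    sub-table settings (ssl-cipher-suites) apart from VIP-level ones.
    Assumes the standard dump layout: `next` closes an edit, `end` a config."""
    vips, stack, current = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            stack.append(" ".join(tok[1:]))
        elif kw == "end":
            stack.pop()
        elif kw == "edit" and stack[-1:] == ["firewall vip"]:
            current = tok[1].strip('"')
            vips[current] = {"ciphers": []}
        elif kw == "next" and stack[-1:] == ["firewall vip"]:
            current = None
        elif kw == "set" and current is not None:
            key, values = tok[1], [v.strip('"') for v in tok[2:]]
            if stack[-1] == "ssl-cipher-suites" and key == "cipher":
                vips[current]["ciphers"].extend(values)
            elif stack[-1] == "firewall vip":
                vips[current][key] = values[0] if len(values) == 1 else values
    return vips

def audit_vip(cfg):
    """Return findings for one VIP; unset values fall back to the page's defaults."""
    if cfg.get("server-type") not in TLS_SERVER_TYPES:
        return []  # the FortiGate does not terminate TLS here; nothing to check
    findings = []
    min_v = cfg.get("ssl-min-version", "tls-1.0")
    if VERSION_ORDER.index(min_v) < VERSION_ORDER.index("tls-1.2"):
        findings.append(f"ssl-min-version {min_v}: versions below TLS 1.2 accepted")
    dh = int(cfg.get("ssl-dh-bits", "2048"))
    if dh < 2048:
        findings.append(f"ssl-dh-bits {dh}: DH prime shorter than 2048 bits")
    pfs = cfg.get("ssl-pfs", "allow")
    if pfs != "require":
        findings.append(f"ssl-pfs {pfs}: key exchange without forward secrecy permitted")
    if cfg.get("ssl-client-renegotiation", "allow") == "allow":
        findings.append("ssl-client-renegotiation allow: unrestricted client renegotiation")
    for cipher in cfg["ciphers"]:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher {cipher}: obsolete algorithm")
    return findings

def audit_config(text):
    """Map every VIP name in a configuration dump to its list of findings."""
    return {name: audit_vip(cfg) for name, cfg in parse_vips(text).items()}
```

Running audit_config over a show full-configuration dump reports five findings for web-legacy and none for web-hardened; VIPs whose server-type is http, tcp, udp or ip are skipped because the FortiGate does not terminate TLS for them.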
firewall/vip46

CLI Syntax

config firewall vip46
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        config src-filter
            edit <name_str>
                set range <string>
            end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp}
        set extport <user>
        set mappedport <user>
        set color <integer>
    end
Description

Configuration | Description | Default Value
name | VIP46 name. | (Empty)
id | Custom defined ID. | 0
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
src-filter | Source IP filter (x.x.x.x/x). | (Empty)
extip | Start-external-IP [-end-external-IP]. | 0.0.0.0
mappedip | Start-mapped-IP [-end-mapped-IP]. | ::
arp-reply | Enable ARP reply. | enable
portforward | Enable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. | 0
mappedport | Mapped service port. | 0
color | GUI icon color. | 0
firewall/vip6

CLI Syntax

config firewall vip6
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        set type {static-nat}
        config src-filter
            edit <name_str>
                set range <string>
            end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp | sctp}
        set extport <user>
        set mappedport <user>
        set color <integer>
    end
Description

Configuration | Description | Default Value
name | Virtual IP6 name. | (Empty)
id | Custom defined ID. | 0
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
type | VIP type: static NAT. | static-nat
src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty)
extip | Start external IP - end external IP. | ::
mappedip | Start mapped IP - end mapped IP. | ::
arp-reply | Enable/disable ARP reply. | enable
portforward | Enable/disable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. | 0
mappedport | Mapped service port. | 0
color | GUI icon color. | 0
firewall/vip64

CLI Syntax

config firewall vip64
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        config src-filter
            edit <name_str>
                set range <string>
            end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp}
        set extport <user>
        set mappedport <user>
        set color <integer>
    end
Description

Configuration | Description | Default Value
name | VIP64 name. | (Empty)
id | Custom defined ID. | 0
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty)
extip | Start-external-IP [-end-external-IP]. | ::
mappedip | Start-mapped-IP [-end-mapped-IP]. | 0.0.0.0
arp-reply | Enable ARP reply. | enable
portforward | Enable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. | 0
mappedport | Mapped service port. | 0
color | GUI icon color. | 0
firewall/vipgrp

CLI Syntax

config firewall vipgrp
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set interface <string>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
            end
    end
Description

Configuration | Description | Default Value
name | VIP group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
interface | Interface. | (Empty)
color | GUI icon color. | 0
comments | Comment. | (Empty)
member | VIP group member. | (Empty)
firewall/vipgrp46

CLI Syntax

config firewall vipgrp46
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
            end
    end
Description

Configuration | Description | Default Value
name | VIP46 group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. | 0
comments | Comment. | (Empty)
member | VIP46 group member. | (Empty)
firewall/vipgrp6

CLI Syntax

config firewall vipgrp6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
            end
    end
Description

Configuration | Description | Default Value
name | IPv6 VIP group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. | 0
comments | Comment. | (Empty)
member | IPv6 VIP group member. | (Empty)
firewall/vipgrp64

CLI Syntax

config firewall vipgrp64
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
            end
    end
Description

Configuration | Description | Default Value
name | VIP64 group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. | 0
comments | Comment. | (Empty)
member | VIP64 group member. | (Empty)
ftp-proxy/explicit

CLI Syntax

config ftp-proxy explicit
    edit <name_str>
        set status {enable | disable}
        set incoming-port <integer>
        set incoming-ip <ipv4-address-any>
        set outgoing-ip <ipv4-address-any>
        set sec-default-action {accept | deny}
    end
Description

Configuration | Description | Default Value
status | Enable/disable explicit FTP proxy. | disable
incoming-port | Accept incoming FTP requests on ports other than port 21. | 21
incoming-ip | Accept incoming FTP requests on this IP. An interface must have this IP address. | 0.0.0.0
outgoing-ip | Outgoing FTP requests leave from this IP. An interface must have this IP address. | (Empty)
sec-default-action | Default action to allow or deny when no ftp-proxy firewall policy exists. | deny
gui/console

CLI Syntax

config gui console
    edit <name_str>
        set preferences <user>
    end
Description

Configuration | Description | Default Value
preferences | Preferences. | "c2lkY2FyZQlGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTk5OTkJMAphZG1pbglGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTUwMAkwCg=="
icap/profile

CLI Syntax

config icap profile
    edit <name_str>
        set replacemsg-group <string>
        set name <string>
        set request {disable | enable}
        set response {disable | enable}
        set streaming-content-bypass {disable | enable}
        set request-server <string>
        set response-server <string>
        set request-failure {error | bypass}
        set response-failure {error | bypass}
        set request-path <string>
        set response-path <string>
        set methods {delete | get | head | options | post | put | trace | other}
    end
Description

Configuration | Description | Default Value
replacemsg-group | Replacement message group. | (Empty)
name | ICAP profile name. | (Empty)
request | Enable/disable control of an HTTP request passing to the ICAP server. | disable
response | Enable/disable control of an HTTP response passing to the ICAP server. | disable
streaming-content-bypass | Enable/disable control over streaming content being sent to the ICAP server or bypassed. | disable
request-server | ICAP server to use for an HTTP request. | (Empty)
response-server | ICAP server to use for an HTTP response. | (Empty)
request-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP request. | error
response-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP response. | error
request-path | Path component of the ICAP URI that identifies the HTTP request processing service. | (Empty)
response-path | Path component of the ICAP URI that identifies the HTTP response processing service. | (Empty)
methods | The allowed HTTP methods that will be sent to the ICAP server for further processing. | delete get head options post put trace other
icap/server

CLI Syntax

config icap server
    edit <name_str>
        set name <string>
        set ip-version {4 | 6}
        set ip-address <ipv4-address-any>
        set ip6-address <ipv6-address>
        set port <integer>
        set max-connections <integer>
    end
Description

Configuration | Description | Default Value
name | Server name. | (Empty)
ip-version | IP version. | 4
ip-address | IPv4 address of the ICAP server. | 0.0.0.0
ip6-address | IPv6 address of the ICAP server. | ::
port | ICAP server port. | 1344
max-connections | Maximum number of concurrent connections to the ICAP server. | 100
ips/custom

CLI Syntax

config ips custom
    edit <name_str>
        set tag <string>
        set signature <string>
        set sig-name <string>
        set rule-id <integer>
        set severity <user>
        set location <user>
        set os <user>
        set application <user>
        set protocol <user>
        set status {disable | enable}
        set log {disable | enable}
        set log-packet {disable | enable}
        set action {pass | block}
        set comment <string>
    end
Description

Configuration | Description | Default Value
tag | Signature tag. | (Empty)
signature | Signature text. | (Empty)
sig-name | Signature name. | (Empty)
rule-id | Signature ID. | 0
severity | Severity. | (Empty)
location | Vulnerable location. | (Empty)
os | Vulnerable operating systems. | (Empty)
application | Vulnerable applications. | (Empty)
protocol | Vulnerable service. | (Empty)
status | Enable/disable status. | enable
log | Enable/disable logging. | enable
log-packet | Enable/disable packet logging. | disable
action | Action. | pass
comment | Comment. | (Empty)
ips/dbinfo

CLI Syntax

config ips dbinfo
    edit <name_str>
        set version <integer>
    end
Description

Configuration | Description | Default Value
version | Internal category version. | 0
ips/decoder

CLI Syntax

config ips decoder
    edit <name_str>
        set name <string>
        config parameter
            edit <name_str>
                set name <string>
                set value <string>
            end
    end
Description

Configuration | Description | Default Value
name | Decoder name. | (Empty)
parameter | IPS group parameters. | (Empty)
ips/global

CLI Syntax

config ips global
    edit <name_str>
        set fail-open {enable | disable}
        set database {regular | extended}
        set traffic-submit {enable | disable}
        set anomaly-mode {periodical | continuous}
        set session-limit-mode {accurate | heuristic}
        set intelligent-mode {enable | disable}
        set socket-size <integer>
        set engine-count <integer>
        set algorithm {engine-pick | low | high | super}
        set sync-session-ttl {enable | disable}
        set np-accel-mode {none | basic}
        set ips-reserve-cpu {disable | enable}
        set cp-accel-mode {none | basic | advanced}
        set skype-client-public-ipaddr <var-string>
        set default-app-cat-mask <user>
        set deep-app-insp-timeout <integer>
        set deep-app-insp-db-limit <integer>
        set exclude-signatures {none | industrial}
    end
Description

Configuration | Description | Default Value
fail-open | Enable/disable IPS fail open option. | enable
database | IPS database selection. | extended
traffic-submit | Enable/disable submitting attack characteristics to FortiGuard Service. | disable
anomaly-mode | Blocking mode for rate-based anomaly. | continuous
session-limit-mode | Counter mode for session-limit anomaly. | heuristic
intelligent-mode | Enable/disable intelligent scan mode. | enable
socket-size | IPS socket buffer size. | 128
engine-count | Number of engines (0: use recommended setting). | 0
algorithm | Signature matching algorithm. | engine-pick
sync-session-ttl | Enable/disable use of kernel session TTL for IPS sessions. | disable
np-accel-mode | Network Processor acceleration mode. | basic
ips-reserve-cpu | Enable/disable IPS daemon's use of CPUs other than CPU 0. | disable
cp-accel-mode | Content Processor acceleration mode. | advanced
skype-client-public-ipaddr | Comma-separated client external IP addresses for decrypting Skype protocol. | (Empty)
default-app-cat-mask | Default enabled application category mask. | 18446744073709551615
deep-app-insp-timeout | Timeout for deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). | 0
deep-app-insp-db-limit | Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting). | 0
exclude-signatures | Excluded signatures. | industrial
ips/rule

CLI Syntax

config ips rule
    edit <name_str>
        set name <string>
        set status {disable | enable}
        set log {disable | enable}
        set log-packet {disable | enable}
        set action {pass | block}
        set group <string>
        set severity {}
        set location {}
        set os <user>
        set application <user>
        set service <user>
        set rule-id <integer>
        set rev <integer>
        set date <integer>
        config metadata
            edit <name_str>
                set id <integer>
                set metaid <integer>
                set valueid <integer>
            end
    end
Description

Configuration | Description | Default Value
name | Rule name. | (Empty)
status | Enable/disable status. | enable
log | Enable/disable logging. | enable
log-packet | Enable/disable packet logging. | disable
action | Action. | pass
group | Group. | (Empty)
severity | Severity. | (Empty)
location | Vulnerable location. | (Empty)
os | Vulnerable operating systems. | (Empty)
application | Vulnerable applications. | (Empty)
service | Vulnerable service. | (Empty)
rule-id | Rule ID. | 0
rev | Revision. | 0
date | Date. | 0
metadata | Meta data. | (Empty)
ips/rule-settings

CLI Syntax

config ips rule-settings
    edit <name_str>
        set id <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description

Configuration | Description | Default Value
id | Rule ID. | 0
tags | Applied object tags. | (Empty)
ips/sensor

CLI Syntax

config ips sensor
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set block-malicious-url {disable | enable}
        config entries
            edit <name_str>
                set id <integer>
                config rule
                    edit <name_str>
                        set id <integer>
                    end
                set location <user>
                set severity <user>
                set protocol <user>
                set os <user>
                set application <user>
                config tags
                    edit <name_str>
                        set name <string>
                    end
                set status {disable | enable | default}
                set log {disable | enable}
                set log-packet {disable | enable}
                set log-attack-context {disable | enable}
                set action {pass | block | reset | default}
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {periodical | continuous}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                config exempt-ip
                    edit <name_str>
                        set id <integer>
                        set src-ip <ipv4-classnet>
                        set dst-ip <ipv4-classnet>
                    end
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
            end
        config filter
            edit <name_str>
                set name <string>
                set location <user>
                set severity <user>
                set protocol <user>
                set os <user>
                set application <user>
                set status {disable | enable | default}
                set log {disable | enable}
                set log-packet {disable | enable}
                set action {pass | block | reset | default}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <integer>
                set quarantine-log {disable | enable}
            end
        config override
            edit <name_str>
                set rule-id <integer>
                set status {disable | enable}
                set log {disable | enable}
                set log-packet {disable | enable}
                set action {pass | block | reset}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <integer>
                set quarantine-log {disable | enable}
                config exempt-ip
                    edit <name_str>
                        set id <integer>
                        set src-ip <ipv4-classnet>
                        set dst-ip <ipv4-classnet>
                    end
            end
    end
Description

Configuration | Description | Default Value
name | Sensor name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
block-malicious-url | Enable/disable malicious URL blocking. | disable
entries | IPS sensor filter. | (Empty)
filter | IPS sensor filter. | (Empty)
override | IPS override rule. | (Empty)
ips/settings

CLI Syntax

config ips settings
    edit <name_str>
        set packet-log-history <integer>
        set packet-log-post-attack <integer>
        set packet-log-memory <integer>
        set ips-packet-quota <integer>
    end
Description

Configuration | Description | Default Value
packet-log-history | Number of packets to be recorded before alert (1 - 255). | 1
packet-log-post-attack | Number of packets to be recorded after attack (0 - 255). | 0
packet-log-memory | Maximum memory that can be used by packet log (64 - 8192 kB). | 256
ips-packet-quota | IPS packet quota. | 0
log.disk/filter

CLI Syntax

config log.disk filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set event {enable | disable}
        set system {enable | disable}
        set radius {enable | disable}
        set ipsec {enable | disable}
        set dhcp {enable | disable}
        set ppp {enable | disable}
        set admin {enable | disable}
        set ha {enable | disable}
        set auth {enable | disable}
        set pattern {enable | disable}
        set sslvpn-log-auth {enable | disable}
        set sslvpn-log-adm {enable | disable}
        set sslvpn-log-session {enable | disable}
        set vip-ssl {enable | disable}
        set ldb-monitor {enable | disable}
        set wan-opt {enable | disable}
        set wireless-activity {enable | disable}
        set cpu-memory-usage {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end
Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable logging of through traffic messages. | enable
local-traffic | Enable/disable logging of local in or out traffic messages. | enable
multicast-traffic | Enable/disable logging of multicast traffic messages. | enable
sniffer-traffic | Enable/disable logging of sniffer traffic messages. | enable
anomaly | Enable/disable logging of anomaly messages. | enable
netscan-discovery | Enable/disable logging of netscan discovery events. | enable
netscan-vulnerability | Enable/disable logging of netscan vulnerability events. | enable
voip | Enable/disable logging of VoIP messages. | enable
dlp-archive | Enable/disable DLP archive logging. | enable
gtp | Enable/disable logging of GTP messages. | enable
event | Enable/disable logging of event messages. | enable
system | Enable/disable logging of system activity messages. | enable
radius | Enable/disable logging of RADIUS messages. | enable
ipsec | Enable/disable logging of IPsec negotiation messages. | enable
dhcp | Enable/disable logging of DHCP service messages. | enable
ppp | Enable/disable logging of L2TP/PPTP/PPPoE messages. | enable
admin | Enable/disable logging of admin login/logout messages. | enable
ha | Enable/disable logging of HA activity messages. | enable
auth | Enable/disable logging of firewall authentication messages. | enable
pattern | Enable/disable logging of pattern update messages. | enable
sslvpn-log-auth | Enable/disable logging of SSL user authentication. | enable
sslvpn-log-adm | Enable/disable logging of SSL administration. | enable
sslvpn-log-session | Enable/disable logging of SSL sessions. | enable
vip-ssl | Enable/disable logging of VIP SSL messages. | enable
ldb-monitor | Enable/disable logging of VIP real server health monitoring messages. | enable
wan-opt | Enable/disable logging of WAN optimization messages. | enable
wireless-activity | Enable/disable logging of wireless activity. | enable
cpu-memory-usage | Enable/disable logging of CPU & memory usage every 5 minutes. | disable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include
log.disk/setting

CLI Syntax

config log.disk setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set max-log-file-size <integer>
        set max-policy-packet-capture-size <integer>
        set roll-schedule {daily | weekly}
        set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set roll-time <user>
        set diskfull {overwrite | nolog}
        set log-quota <integer>
        set dlp-archive-quota <integer>
        set report-quota <integer>
        set maximum-log-age <integer>
        set upload {enable | disable}
        set upload-destination {ftp-server}
        set uploadip <ipv4-address>
        set uploadport <integer>
        set source-ip <ipv4-address>
        set uploaduser <string>
        set uploadpass <password>
        set uploaddir <string>
        set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
        set uploadzip {disable | enable}
        set uploadsched {disable | enable}
        set uploadtime <integer>
        set upload-delete-files {enable | disable}
        set upload-ssl-conn {default | high | low | disable}
        set full-first-warning-threshold <integer>
        set full-second-warning-threshold <integer>
        set full-final-warning-threshold <integer>
    end
Description

Configuration | Description | Default Value
status | Enable/disable local disk log. | disable
ips-archive | Enable/disable IPS packet archive. | enable
max-log-file-size | Maximum log file size in MB before rolling. | 20
max-policy-packet-capture-size | Maximum size of policy sniffer in MB (0 = unlimited). | 10
roll-schedule | Frequency to check log file for rolling. | daily
roll-day | Days of week to roll logs. | sunday
roll-time | Time to roll logs (hh:mm). | 00:00
diskfull | Policy to apply when disk is full. | overwrite
log-quota | Disk log quota (MB). | 0
dlp-archive-quota | DLP archive quota (MB). | 0
report-quota | Report quota (MB). | 0
maximum-log-age | Delete log files older than (days). | 7
upload | Enable/disable upload of log files upon rolling. | disable
upload-destination | Server type. | ftp-server
uploadip | IP address of log uploading server. | 0.0.0.0
uploadport | Port of the log uploading server. | 21
source-ip | Source IP address of the disk log uploading. | 0.0.0.0
uploaduser | User account on the uploading server. | (Empty)
uploadpass | Password of the user account on the uploading server. | (Empty)
uploaddir | Log file uploading remote directory. | (Empty)
uploadtype | Types of log files that need to be uploaded. | traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp
uploadzip | Enable/disable compression of uploaded logs. | disable
uploadsched | Scheduled upload (disable = upload when rolling). | disable
uploadtime | Time of scheduled upload. | 0
upload-delete-files | Delete log files after uploading (default = enable). | enable
upload-ssl-conn | Enable/disable SSL communication when uploading. | default
full-first-warning-threshold | Log full first warning threshold (1 - 98, default = 75). | 75
full-second-warning-threshold | Log full second warning threshold (2 - 99, default = 90). | 90
full-final-warning-threshold | Log full final warning threshold (3 - 100, default = 95). | 95

log.fortianalyzer/filter
CLI Syntax
config log.fortianalyzer filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer/override-filter
CLI Syntax
config log.fortianalyzer override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer/override-setting
CLI Syntax
config log.fortianalyzer override-setting
    edit <name_str>
        set override {enable | disable}
        set use-management-vdom {enable | disable}
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end

Description
Configuration Description Default Value
override Enable/disable override FortiAnalyzer settings or use the global settings. disable
use-management-vdom Enable/disable use of management VDOM IP address as source IP for logs sent to FortiAnalyzer. disable
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. (Empty)
faz-type Hidden setting index of FortiAnalyzer. 4
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable

log.fortianalyzer/setting
CLI Syntax
config log.fortianalyzer setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end

Description
Configuration Description Default Value
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. FGh_Log1
faz-type Hidden setting index of FortiAnalyzer. 1
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable

log.fortianalyzer2/filter
CLI Syntax
config log.fortianalyzer2 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer2/setting
CLI Syntax
config log.fortianalyzer2 setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end

Description
Configuration Description Default Value
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. FGh_Log2
faz-type Hidden setting index of FortiAnalyzer. 2
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable

log.fortianalyzer3/filter
CLI Syntax
config log.fortianalyzer3 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer3/setting
CLI Syntax
config log.fortianalyzer3 setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
    end

Description
Configuration Description Default Value
status Enable/disable FortiAnalyzer. disable
ips-archive Enable/disable IPS packet archive. enable
server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256
enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high
conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10
monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5
monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5
mgmt-name Hidden management name of FortiAnalyzer. FGh_Log3
faz-type Hidden setting index of FortiAnalyzer. 3
source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)
__change_ip Hidden attribute. 0
upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week (month) to upload logs. (Empty)
upload-time Time to upload logs (hh:mm). 00:59
reliable Enable/disable reliable logging to FortiAnalyzer. disable

log.fortiguard/filter
CLI Syntax
config log.fortiguard filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.fortiguard/override-filter
CLI Syntax
config log.fortiguard override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
dlp-archive Enable/disable log DLP archive. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.fortiguard/override-setting
CLI Syntax
config log.fortiguard override-setting
    edit <name_str>
        set override {enable | disable}
        set status {enable | disable}
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
    end

Description
Configuration Description Default Value
override Enable/disable override FortiGuard settings or use the global settings. disable
status Enable FortiCloud. disable
upload-option Enable/disable logging to hard disk and then upload to FortiCloud. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week to roll logs. (Empty)
upload-time Time to roll logs (hh:mm). 00:00

log.fortiguard/setting
CLI Syntax
config log.fortiguard setting
    edit <name_str>
        set status {enable | disable}
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set enc-algorithm {default | high | low | disable}
        set source-ip <ipv4-address>
    end

Description
Configuration Description Default Value
status Enable FortiCloud. disable
upload-option Enable/disable logging to hard disk and then upload to FortiCloud. realtime
upload-interval Frequency to check log file for upload. daily
upload-day Days of week to roll logs. (Empty)
upload-time Time to roll logs (hh:mm). 00:00
enc-algorithm Enable/disable sending of FortiCloud log data with SSL encryption. high
source-ip Source IP address used to connect FortiCloud. 0.0.0.0

log.memory/filter
CLI Syntax
config log.memory filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set event {enable | disable}
        set system {enable | disable}
        set radius {enable | disable}
        set ipsec {enable | disable}
        set dhcp {enable | disable}
        set ppp {enable | disable}
        set admin {enable | disable}
        set ha {enable | disable}
        set auth {enable | disable}
        set pattern {enable | disable}
        set sslvpn-log-auth {enable | disable}
        set sslvpn-log-adm {enable | disable}
        set sslvpn-log-session {enable | disable}
        set vip-ssl {enable | disable}
        set ldb-monitor {enable | disable}
        set wan-opt {enable | disable}
        set wireless-activity {enable | disable}
        set cpu-memory-usage {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
event Enable/disable log event messages. enable
system Enable/disable log system activity messages. enable
radius Enable/disable log RADIUS messages. enable
ipsec Enable/disable log IPsec negotiation messages. enable
dhcp Enable/disable log DHCP service messages. enable
ppp Enable/disable log L2TP/PPTP/PPPoE messages. enable
admin Enable/disable log admin login/logout messages. enable
ha Enable/disable log HA activity messages. enable
auth Enable/disable log firewall authentication messages. enable
pattern Enable/disable log pattern update messages. enable
sslvpn-log-auth Enable/disable log SSL user authentication. enable
sslvpn-log-adm Enable/disable log SSL administration. enable
sslvpn-log-session Enable/disable log SSL session. enable
vip-ssl Enable/disable log VIP SSL messages. enable
ldb-monitor Enable/disable log VIP real server health monitoring messages. enable
wan-opt Enable/disable log WAN optimization messages. enable
wireless-activity Enable/disable log wireless activity. enable
cpu-memory-usage Enable/disable log CPU & memory usage every 5 minutes. disable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.memory/global-setting
CLI Syntax
config log.memory global-setting
    edit <name_str>
        set max-size <integer>
        set full-first-warning-threshold <integer>
        set full-second-warning-threshold <integer>
        set full-final-warning-threshold <integer>
    end

Description
Configuration Description Default Value
max-size Maximum memory buffer size for log (byte). 163840
full-first-warning-threshold Log full first warning threshold (1 - 98, default = 75). 75
full-second-warning-threshold Log full second warning threshold (2 - 99, default = 90). 90
full-final-warning-threshold Log full final warning threshold (3 - 100, default = 95). 95

log.memory/setting
CLI Syntax
config log.memory setting
    edit <name_str>
        set status {enable | disable}
        set diskfull {overwrite}
    end

Description
Configuration Description Default Value
status Enable/disable memory buffer log. enable
diskfull Action when memory is full. overwrite

log.syslogd/filter
CLI Syntax
config log.syslogd filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.syslogd/override-filter
CLI Syntax
config log.syslogd override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.syslogd/override-setting
CLI Syntax
config log.syslogd override-setting
    edit <name_str>
        set override {enable | disable}
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration Description Default Value
override Enable/disable override syslog settings. disable
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)

log.syslogd/setting
CLI Syntax
config log.syslogd setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
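The log.disk setting, log.fortianalyzer setting, log.memory global-setting and log.syslogd setting tables above document the options that decide whether exported logs are encrypted, authenticated and reliably delivered, and where the local log-full warnings fire. The script below is an added example, not part of this CLI Reference or of any Fortinet tool: it parses a configuration dump in the config / edit / set / next / end form used throughout this guide and reports settings that sit at the documented weak values (enc-algorithm disable, hmac-algorithm sha1, reliable disable, upload-ssl-conn disable) or warning thresholds outside their documented ranges. The sample configuration, the 192.0.2.x server addresses and the assumption that the three thresholds must ascend (first < second < final) are constructed for the example; the page only gives each threshold's range.

```python
"""Audit FortiOS 5.4 log-device settings against the CLI Reference values.

Added example, not Fortinet code. It reads the text that `show` prints
(config ... / edit ... / set key value / next / end) and flags settings
whose documented purpose is transport security or log integrity.
"""
from typing import Dict, List, Tuple

Settings = Dict[str, Dict[str, str]]

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
config log.disk setting
    set status enable
    set upload enable
    set upload-ssl-conn disable
    set full-first-warning-threshold 75
    set full-second-warning-threshold 90
    set full-final-warning-threshold 95
end
config log.fortianalyzer setting
    set status enable
    set server "192.0.2.10"
    set hmac-algorithm sha1
    set enc-algorithm disable
    set reliable disable
end
config log.syslogd setting
    set status enable
    set server "192.0.2.20"
    set reliable disable
    set facility local7
end
config log.memory global-setting
    set full-first-warning-threshold 90
    set full-second-warning-threshold 80
    set full-final-warning-threshold 95
end
"""

# Documented ranges and defaults: (low, high, default).
THRESHOLD_RANGES = {
    "full-first-warning-threshold": (1, 98, 75),
    "full-second-warning-threshold": (2, 99, 90),
    "full-final-warning-threshold": (3, 100, 95),
}


def parse_fortios_config(text: str) -> Settings:
    """Return {scope: {key: value}}. A scope is the text after `config`;
    table entries get an ' edit <name>' suffix. Surrounding quotes are removed."""
    scopes: Settings = {}
    stack: List[str] = []  # open config/edit scopes, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit ") and stack:
            stack.append(stack[-1] + " edit " + line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack:
            key, _, value = line[len("set "):].partition(" ")
            scopes.setdefault(stack[-1], {})[key] = value.strip().strip('"')
    return scopes


def check_thresholds(kv: Dict[str, str]) -> List[str]:
    """Range-check the three log-full thresholds; unset keys use the documented default."""
    findings: List[str] = []
    values: List[int] = []
    for key, (lo, hi, default) in THRESHOLD_RANGES.items():
        raw = kv.get(key, str(default))
        if raw.isdigit() and lo <= int(raw) <= hi:
            values.append(int(raw))
        else:
            findings.append(f"{key} {raw}: outside documented range {lo}-{hi}")
    # Assumption (not stated on the page): the warnings are only meaningful
    # when they ascend, first < second < final.
    if len(values) == 3 and not (values[0] < values[1] < values[2]):
        findings.append("warning thresholds are not in ascending order (first < second < final)")
    return findings


def audit_log_settings(settings: Settings) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs; only enabled log devices are examined."""
    findings: List[Tuple[str, str]] = []
    for scope, kv in settings.items():
        enabled = kv.get("status", "disable") == "enable"
        if scope.startswith("log.fortianalyzer") and enabled:
            if kv.get("enc-algorithm", "high") == "disable":
                findings.append((scope, "enc-algorithm disable: FortiAnalyzer log data is sent without SSL encryption"))
            if kv.get("hmac-algorithm", "sha256") == "sha1":
                findings.append((scope, "hmac-algorithm sha1: weaker than the documented sha256 default"))
            if kv.get("reliable", "disable") == "disable":
                findings.append((scope, "reliable disable: reliable logging to FortiAnalyzer is off"))
        if scope.startswith("log.syslogd") and enabled:
            if kv.get("reliable", "disable") == "disable":
                findings.append((scope, "reliable disable: RFC3195 reliable logging is off"))
        if scope == "log.disk setting" and enabled and kv.get("upload") == "enable":
            if kv.get("upload-ssl-conn", "default") == "disable":
                findings.append((scope, "upload-ssl-conn disable: rolled log files are uploaded without SSL"))
        if scope in ("log.disk setting", "log.memory global-setting"):
            findings.extend((scope, f) for f in check_thresholds(kv))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_log_settings(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{scope}] {finding}")
```

Run against the constructed sample, the audit reports six findings: the unencrypted FTP upload in log.disk setting, the three FortiAnalyzer transport settings, the syslogd reliable flag, and the out-of-order memory thresholds. Feeding it the output of the device's own show commands for these branches gives the same report for a real configuration.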

log.syslogd2/filter
CLI Syntax
config log.syslogd2 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include

log.syslogd2/setting
CLI Syntax
config log.syslogd2 setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
287
log.syslogd3/filterCLI Syntax
config log.syslogd3 filter edit <name_str> set severity {emergency | alert | critical | error | warning | notification | information | debug} set forward-traffic {enable | disable} set local-traffic {enable | disable} set multicast-traffic {enable | disable} set sniffer-traffic {enable | disable} set anomaly {enable | disable} set netscan-discovery {enable | disable} set netscan-vulnerability {enable | disable} set voip {enable | disable} set gtp {enable | disable} set filter <string> set filter-type {include | exclude} end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.syslogd3/setting

CLI Syntax

config log.syslogd3 setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end
Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
log.syslogd4/filter

CLI Syntax

config log.syslogd4 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.syslogd4/setting

CLI Syntax

config log.syslogd4 setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end
Description
Configuration Description Default Value
status Enable/disable remote syslog logging. disable
server Address of remote syslog server. (Empty)
reliable Enable/disable reliable logging (RFC3195). disable
port Server listen port. 514
csv Enable/disable CSV formatting of logs. disable
facility Remote syslog facility. local7
source-ip Source IP address of syslog. (Empty)
log.webtrends/filter

CLI Syntax

config log.webtrends filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end
Description
Configuration Description Default Value
severity Lowest severity level to log. information
forward-traffic Enable/disable log through traffic messages. enable
local-traffic Enable/disable log local in or out traffic messages. enable
multicast-traffic Enable/disable log multicast traffic messages. enable
sniffer-traffic Enable/disable log sniffer traffic messages. enable
anomaly Enable/disable log anomaly messages. enable
netscan-discovery Enable/disable log netscan discovery events. enable
netscan-vulnerability Enable/disable log netscan vulnerability events. enable
voip Enable/disable log VoIP messages. enable
gtp Enable/disable log GTP messages. enable
filter Log filter for the log device. (Empty)
filter-type Include/exclude logs that match the filter setting. include
log.webtrends/setting

CLI Syntax

config log.webtrends setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
    end
Description
Configuration Description Default Value
status Enable/disable WebTrends logging. disable
server Address of the remote WebTrends server. (Empty)
log/custom-field

CLI Syntax

config log custom-field
    edit <name_str>
        set id <string>
        set name <string>
        set value <string>
    end
Description
Configuration Description Default Value
id ID. (Empty)
name Field name. (Empty)
value Field value. (Empty)
log/eventfilter

CLI Syntax

config log eventfilter
    edit <name_str>
        set event {enable | disable}
        set system {enable | disable}
        set vpn {enable | disable}
        set user {enable | disable}
        set router {enable | disable}
        set wireless-activity {enable | disable}
        set wan-opt {enable | disable}
        set endpoint {enable | disable}
        set ha {enable | disable}
        set compliance-check {enable | disable}
    end
Description
Configuration Description Default Value
event Enable/disable log event messages. enable
system Enable/disable log system activity messages. enable
vpn Enable/disable log VPN messages. enable
user Enable/disable log user activity messages. enable
router Enable/disable log router activity. enable
wireless-activity Enable/disable log wireless activity. enable
wan-opt Enable/disable log WAN optimization messages. enable
endpoint Enable/disable log for endpoint events. enable
ha Enable/disable log for HA events. enable
compliance-check Enable/disable log for PCI DSS compliance check. enable
log/gui-display

CLI Syntax

config log gui-display
    edit <name_str>
        set resolve-hosts {enable | disable}
        set resolve-apps {enable | disable}
        set fortiview-unscanned-apps {enable | disable}
        set fortiview-local-traffic {enable | disable}
        set location {memory | disk | fortianalyzer | fortiguard}
    end
Description
Configuration Description Default Value
resolve-hosts Resolve IP addresses to hostnames on the GUI using reverse DNS lookup. enable
resolve-apps Resolve unknown applications on the GUI using remote application database. enable
fortiview-unscanned-apps Enable/disable inclusion of unscanned traffic in FortiView application charts. disable
fortiview-local-traffic Enable/disable inclusion of local-in traffic in FortiView realtime charts. disable
location GUI log location display. memory
log/setting

CLI Syntax

config log setting
    edit <name_str>
        set resolve-ip {enable | disable}
        set resolve-port {enable | disable}
        set log-user-in-upper {enable | disable}
        set fwpolicy-implicit-log {enable | disable}
        set fwpolicy6-implicit-log {enable | disable}
        set log-invalid-packet {enable | disable}
        set local-in-allow {enable | disable}
        set local-in-deny-unicast {enable | disable}
        set local-in-deny-broadcast {enable | disable}
        set local-out {enable | disable}
        set daemon-log {enable | disable}
        set neighbor-event {enable | disable}
        set brief-traffic-format {enable | disable}
        set user-anonymize {enable | disable}
        set fortiview-weekly-data {enable | disable}
    end
Description
Configuration Description Default Value
resolve-ip Add resolved domain name into traffic log if possible. disable
resolve-port Add resolved service name into traffic log if possible. enable
log-user-in-upper Enable/disable collect log with user-in-upper. disable
fwpolicy-implicit-log Enable/disable collect firewall implicit policy log. disable
fwpolicy6-implicit-log Enable/disable collect firewall implicit policy6 log. disable
log-invalid-packet Enable/disable collect invalid packet traffic log. disable
local-in-allow Enable/disable collect local-in-allow log. disable
local-in-deny-unicast Enable/disable collect local-in-deny-unicast log. disable
local-in-deny-broadcast Enable/disable collect local-in-deny-broadcast log. disable
local-out Enable/disable collect local-out log. disable
daemon-log Enable/disable collect daemon log. disable
neighbor-event Enable/disable collect neighbor event log. disable
brief-traffic-format Enable/disable use of brief format for traffic log. disable
user-anonymize Enable/disable anonymize log user name. disable
fortiview-weekly-data Enable/disable FortiView weekly data. disable
log/threat-weight

CLI Syntax

config log threat-weight
    edit <name_str>
        set status {enable | disable}
        config level
            edit <name_str>
                set low <integer>
                set medium <integer>
                set high <integer>
                set critical <integer>
            end
        set blocked-connection {disable | low | medium | high | critical}
        set failed-connection {disable | low | medium | high | critical}
        set malware-detected {disable | low | medium | high | critical}
        set url-block-detected {disable | low | medium | high | critical}
        set botnet-connection-detected {disable | low | medium | high | critical}
        config ips
            edit <name_str>
                set info-severity {disable | low | medium | high | critical}
                set low-severity {disable | low | medium | high | critical}
                set medium-severity {disable | low | medium | high | critical}
                set high-severity {disable | low | medium | high | critical}
                set critical-severity {disable | low | medium | high | critical}
            end
        config web
            edit <name_str>
                set id <integer>
                set category <integer>
                set level {disable | low | medium | high | critical}
            end
        config geolocation
            edit <name_str>
                set id <integer>
                set country <string>
                set level {disable | low | medium | high | critical}
            end
        config application
            edit <name_str>
                set id <integer>
                set category <integer>
                set level {disable | low | medium | high | critical}
            end
    end
Description
Configuration Description Default Value
status Enable/disable threat weight status. enable
level Level to score mapping. Details below
Configuration Default Value
low 5
medium 10
high 30
critical 50
blocked-connection Score level for blocked connections for threat weight. high
failed-connection Score level for failed connections for threat weight. low
malware-detected Score level for detected malware for threat weight. critical
url-block-detected Score level for URL blocking for threat weight. high
botnet-connection-detected Score level for detected botnet connection for threat weight. critical
ips IPS reputation settings. Details below
Configuration Default Value
info-severity disable
low-severity low
medium-severity medium
high-severity high
critical-severity critical
web Web-based threat weight settings. (Empty)
geolocation Geolocation-based threat weight settings. (Empty)
application Application-control based threat weight settings. (Empty)
netscan/assets

CLI Syntax

config netscan assets
    edit <name_str>
        set asset-id <integer>
        set name <string>
        set scheduled {disable | enable}
        set addr-type {ip | range}
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set auth-windows {disable | enable}
        set auth-unix {disable | enable}
        set win-username <string>
        set win-password <password>
        set unix-username <string>
        set unix-password <password>
    end
Description
Configuration Description Default Value
asset-id Asset ID. 0
name Name of this asset. (Empty)
scheduled Enable/disable include asset in scheduled vulnerability scan. disable
addr-type IP address or range. ip
start-ip IP address of asset or start of asset range. 0.0.0.0
end-ip End of asset range. 0.0.0.0
auth-windows Enable/disable authenticate on Windows hosts. disable
auth-unix Enable/disable authenticate on UNIX hosts. disable
win-username User name for Windows hosts. (Empty)
win-password Password for Windows hosts. (Empty)
unix-username User name for Unix hosts. (Empty)
unix-password Password for Unix hosts. (Empty)
netscan/settings

CLI Syntax

config netscan settings
    edit <name_str>
        set scan-mode {quick | standard | full}
        set scheduled-pause {disable | enable}
        set time <user>
        set pause-from <user>
        set pause-to <user>
        set recurrence {daily | weekly | monthly}
        set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set day-of-month <integer>
        set tcp-ports <user>
        set udp-ports <user>
        set tcp-scan {auto | enable | disable}
        set udp-scan {auto | enable | disable}
        set service-detection {auto | enable | disable}
        set os-detection {auto | enable | disable}
    end
Description
Configuration Description Default Value
scan-mode Level of vulnerability scanning to perform on ports. quick
scheduled-pause Enable/disable set time during which scanning should pause. disable
time Time of day to start the scan. 00:00
pause-from Time of day to pause scanning. 00:00
pause-to Time of day to resume scanning. 00:00
recurrence Frequency at which the scans should recur. weekly
day-of-week Day of the week on which to run the scan. sunday
day-of-month Day of the month on which to run the scan. 1
tcp-ports TCP ports scanned. (Empty)
udp-ports UDP ports scanned. (Empty)
tcp-scan Enable/disable TCP port scan. auto
udp-scan Enable/disable UDP port scan. auto
service-detection Enable/disable service detection. auto
os-detection Enable/disable OS detection. auto
report/chart

CLI Syntax

config report chart
    edit <name_str>
        set name <string>
        set policy <integer>
        set type {graph | table}
        set period {last24h | last7d}
        config drill-down-charts
            edit <name_str>
                set id <integer>
                set chart-name <string>
                set status {enable | disable}
            end
        set comments <string>
        set dataset <string>
        set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
        set favorite {no | yes}
        set graph-type {none | bar | pie | line | flow}
        set style {auto | manual}
        set dimension {2D | 3D}
        config x-series
            edit <name_str>
                set databind <string>
                set caption <string>
                set caption-font-size <integer>
                set font-size <integer>
                set label-angle {45-degree | vertical | horizontal}
                set is-category {yes | no}
                set scale-unit {minute | hour | day | month | year}
                set scale-step <integer>
                set scale-direction {decrease | increase}
                set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
                set unit <string>
            end
        config y-series
            edit <name_str>
                set databind <string>
                set caption <string>
                set caption-font-size <integer>
                set font-size <integer>
                set label-angle {45-degree | vertical | horizontal}
                set group <string>
                set unit <string>
                set extra-y {enable | disable}
                set extra-databind <string>
                set y-legend <string>
                set extra-y-legend <string>
            end
        config category-series
            edit <name_str>
                set databind <string>
                set font-size <integer>
            end
        config value-series
            edit <name_str>
                set databind <string>
            end
        set title <string>
        set title-font-size <integer>
        set background <string>
        set color-palette <string>
        set legend {enable | disable}
        set legend-font-size <integer>
        config column
            edit <name_str>
                set id <integer>
                set header-value <string>
                set detail-value <string>
                set footer-value <string>
                set detail-unit <string>
                set footer-unit <string>
                config mapping
                    edit <name_str>
                        set id <integer>
                        set op {none | greater | greater-equal | less | less-equal | equal | between}
                        set value-type {integer | string}
                        set value1 <string>
                        set value2 <string>
                        set displayname <string>
                    end
            end
    end
Description
Configuration Description Default Value
name Chart Widget Name (Empty)
policy Used by monitor policy. 0
type Chart type. graph
period Time period. last24h
drill-down-charts Drill down charts. (Empty)
comments Comment. (Empty)
dataset Bind dataset to chart. (Empty)
category Category. misc
favorite Favorite. no
graph-type Graph type. none
style Style. auto
dimension Dimension. 3D
x-series X-series of chart. Details below
Configuration Default Value
databind (Empty)
caption (Empty)
caption-font-size 0
font-size 0
label-angle 45-degree
is-category yes
scale-unit day
scale-step 1
scale-direction decrease
scale-format YYYY-MM-DD-HH-MM
unit (Empty)
y-series Y-series of chart. Details below
Configuration Default Value
databind (Empty)
caption (Empty)
caption-font-size 0
font-size 0
label-angle horizontal
group (Empty)
unit (Empty)
extra-y disable
extra-databind (Empty)
y-legend (Empty)
extra-y-legend (Empty)
category-series Category series of pie chart. Details below
Configuration Default Value
databind (Empty)
font-size 0
value-series Value series of pie chart. Details below
Configuration Default Value
databind (Empty)
title Chart title. (Empty)
title-font-size Font size of chart title. 0
background Chart background. (Empty)
color-palette Color palette (system will pick color automatically by default). (Empty)
legend Enable/Disable Legend area. enable
legend-font-size Font size of legend area. 0
column Table column definition. (Empty)
report/dataset

CLI Syntax

config report dataset
    edit <name_str>
        set name <string>
        set policy <integer>
        set query <string>
        config field
            edit <name_str>
                set id <integer>
                set type {text | integer | double}
                set name <string>
                set displayname <string>
            end
        config parameters
            edit <name_str>
                set id <integer>
                set display-name <string>
                set field <string>
                set data-type {text | integer | double | long-integer | date-time}
            end
    end
Description
Configuration Description Default Value
name Name. (Empty)
policy Used by monitor policy. 0
query SQL query statement. (Empty)
field Fields. (Empty)
parameters Parameters. (Empty)
report/layout

CLI Syntax

config report layout
    edit <name_str>
        set name <string>
        set title <string>
        set subtitle <string>
        set description <string>
        set style-theme <string>
        set options {include-table-of-content | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading | dummy-option}
        set format {html | pdf}
        set schedule-type {demand | daily | weekly}
        set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set time <user>
        set cutoff-option {run-time | custom}
        set cutoff-time <user>
        set email-send {enable | disable}
        set email-recipients <string>
        set max-pdf-report <integer>
        config page
            edit <name_str>
                set paper {a4 | letter}
                set column-break-before {heading1 | heading2 | heading3}
                set page-break-before {heading1 | heading2 | heading3}
                set options {header-on-first-page | footer-on-first-page}
                config header
                    edit <name_str>
                        set style <string>
                        config header-item
                            edit <name_str>
                                set id <integer>
                                set description <string>
                                set type {text | image}
                                set style <string>
                                set content <string>
                                set img-src <string>
                            end
                    end
                config footer
                    edit <name_str>
                        set style <string>
                        config footer-item
                            edit <name_str>
                                set id <integer>
                                set description <string>
                                set type {text | image}
                                set style <string>
                                set content <string>
                                set img-src <string>
                            end
                    end
            end
        config body-item
            edit <name_str>
                set id <integer>
                set description <string>
                set type {text | image | chart | misc}
                set style <string>
                set top-n <integer>
                set hide {enable | disable}
                config parameters
                    edit <name_str>
                        set id <integer>
                        set name <string>
                        set value <string>
                    end
                set text-component {text | heading1 | heading2 | heading3}
                set content <string>
                set img-src <string>
                set list-component {bullet | numbered}
                config list
                    edit <name_str>
                        set id <integer>
                        set content <string>
                    end
                set chart <string>
                set chart-options {include-no-data | hide-title | show-caption}
                set drill-down-items <string>
                set drill-down-types <string>
                set table-column-widths <string>
                set table-caption-style <string>
                set table-head-style <string>
                set table-odd-row-style <string>
                set table-even-row-style <string>
                set misc-component {hline | page-break | column-break | section-start}
                set column <integer>
                set title <string>
            end
    end
Description
Configuration Description Default Value
name Report layout name. (Empty)
title Report title. (Empty)
subtitle Report subtitle. (Empty)
description Description. (Empty)
style-theme Report style theme. (Empty)
options Report layout options. include-table-of-content auto-numbering-heading view-chart-as-heading
format Report format. html
schedule-type Report schedule type. daily
day Schedule days of week to generate report. sunday
time Schedule time to generate report [hh:mm]. 00:00
cutoff-option Cutoff-option is either run-time or custom. run-time
cutoff-time Custom cutoff time to generate report [hh:mm]. 00:00
email-send Enable/disable sending emails after reports are generated. disable
email-recipients Email recipients for generated reports. (Empty)
max-pdf-report Maximum number of PDF reports to keep at one time (oldest report is overwritten). 31
page Configure report page. Details below
Configuration Default Value
paper a4
column-break-before (Empty)
page-break-before (Empty)
options (Empty)
header {"style":"","header-item":[]}
footer {"style":"","footer-item":[]}
body-item Configure report body item. (Empty)
report/setting

CLI Syntax

config report setting
    edit <name_str>
        set pdf-report {enable | disable}
        set fortiview {enable | disable}
        set report-source {forward-traffic | sniffer-traffic}
        set web-browsing-threshold <integer>
    end
Description
Configuration Description Default Value
pdf-report Enable/disable PDF report. enable
fortiview Enable/disable historical FortiView. enable
report-source Report log source. forward-traffic
web-browsing-threshold Web browsing time calculation threshold (3 - 15 min). 3
report/style

CLI Syntax

config report style
    edit <name_str>
        set name <string>
        set options {font | text | color | align | size | margin | border | padding | column}
        set font-family {Verdana | Arial | Helvetica | Courier | Times}
        set font-style {normal | italic}
        set font-weight {normal | bold}
        set font-size <string>
        set line-height <string>
        set fg-color <string>
        set bg-color <string>
        set align {left | center | right | justify}
        set width <string>
        set height <string>
        set margin-top <string>
        set margin-right <string>
        set margin-bottom <string>
        set margin-left <string>
        set border-top <user>
        set border-right <user>
        set border-bottom <user>
        set border-left <user>
        set padding-top <string>
        set padding-right <string>
        set padding-bottom <string>
        set padding-left <string>
        set column-span {none | all}
        set column-gap <string>
    end
Description
Configuration Description Default Value
name Report style name. (Empty)
options Report style options. (Empty)
font-family Font family. (Empty)
font-style Font style. normal
font-weight Font weight. normal
font-size Font size. (Empty)
line-height Text line height. (Empty)
fg-color Foreground color. (Empty)
bg-color Background color. (Empty)
align Alignment. (Empty)
width Width. (Empty)
height Height. (Empty)
margin-top Margin top. (Empty)
margin-right Margin right. (Empty)
margin-bottom Margin bottom. (Empty)
margin-left Margin left. (Empty)
border-top Border top. " none "
border-right Border right. " none "
border-bottom Border bottom. " none "
border-left Border left. " none "
padding-top Padding top. (Empty)
padding-right Padding right. (Empty)
padding-bottom Padding bottom. (Empty)
padding-left Padding left. (Empty)
column-span Column span. none
column-gap Column gap. (Empty)
report/theme

CLI Syntax

config report theme
    edit <name_str>
        set name <string>
        set page-orient {portrait | landscape}
        set column-count {1 | 2 | 3}
        set default-html-style <string>
        set default-pdf-style <string>
        set page-style <string>
        set page-header-style <string>
        set page-footer-style <string>
        set report-title-style <string>
        set report-subtitle-style <string>
        set toc-title-style <string>
        set toc-heading1-style <string>
        set toc-heading2-style <string>
        set toc-heading3-style <string>
        set toc-heading4-style <string>
        set heading1-style <string>
        set heading2-style <string>
        set heading3-style <string>
        set heading4-style <string>
        set normal-text-style <string>
        set bullet-list-style <string>
        set numbered-list-style <string>
        set image-style <string>
        set hline-style <string>
        set graph-chart-style <string>
        set table-chart-style <string>
        set table-chart-caption-style <string>
        set table-chart-head-style <string>
        set table-chart-odd-row-style <string>
        set table-chart-even-row-style <string>
    end
Description
Configuration Description Default Value
name Report theme name. (Empty)
page-orient Report page orientation. portrait
column-count Report page column count. 1
default-html-style Default HTML report style. (Empty)
default-pdf-style Default PDF report style. (Empty)
page-style Report page style. (Empty)
page-header-style Report page header style. (Empty)
page-footer-style Report page footer style. (Empty)
report-title-style Report title style. (Empty)
report-subtitle-style Report subtitle style. (Empty)
toc-title-style Table of contents title style. (Empty)
toc-heading1-style Table of contents heading style. (Empty)
toc-heading2-style Table of contents heading style. (Empty)
toc-heading3-style Table of contents heading style. (Empty)
toc-heading4-style Table of contents heading style. (Empty)
heading1-style Report heading style. (Empty)
heading2-style Report heading style. (Empty)
heading3-style Report heading style. (Empty)
heading4-style Report heading style. (Empty)
normal-text-style Normal text style. (Empty)
bullet-list-style Bullet list style. (Empty)
numbered-list-style Numbered list style. (Empty)
image-style Image style. (Empty)
hline-style Horizontal line style. (Empty)
graph-chart-style Graph chart style. (Empty)
table-chart-style Table chart style. (Empty)
table-chart-caption-style Table chart caption style. (Empty)
table-chart-head-style Table chart head row style. (Empty)
table-chart-odd-row-style Table chart odd row style. (Empty)
table-chart-even-row-style Table chart even row style. (Empty)
router/access-list

CLI Syntax

config router access-list
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix <user>
                set wildcard <user>
                set exact-match {enable | disable}
                set flags <integer>
            end
    end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
router/access-list6

CLI Syntax

config router access-list6
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix6 <user>
                set exact-match {enable | disable}
                set flags <integer>
            end
    end
Description
Configuration Description Default Value
name Name. (Empty)
comments Comment. (Empty)
rule Rule. (Empty)
router/aspath-list

CLI Syntax

config router aspath-list
    edit <name_str>
        set name <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {deny | permit}
                set regexp <string>
            end
    end
Description
Configuration Description Default Value
name AS path list name. (Empty)
rule AS path list rule. (Empty)
router/auth-path

CLI Syntax

config router auth-path
    edit <name_str>
        set name <string>
        set device <string>
        set gateway <ipv4-address>
    end
Description
Configuration Description Default Value
name Name of the entry. (Empty)
device Output interface. (Empty)
gateway Gateway IP address. 0.0.0.0
router/bfd

CLI Syntax

config router bfd
    edit <name_str>
        config neighbor
            edit <name_str>
                set ip <ipv4-address>
                set interface <string>
            end
    end
Description
Configuration Description Default Value
neighbor BFD neighbor. (Empty)
router/bgp

CLI Syntax

config router bgp
    edit <name_str>
        set as <integer>
        set router-id <ipv4-address-any>
        set keepalive-timer <integer>
        set holdtime-timer <integer>
        set always-compare-med {enable | disable}
        set bestpath-as-path-ignore {enable | disable}
        set bestpath-cmp-confed-aspath {enable | disable}
        set bestpath-cmp-routerid {enable | disable}
        set bestpath-med-confed {enable | disable}
        set bestpath-med-missing-as-worst {enable | disable}
        set client-to-client-reflection {enable | disable}
        set dampening {enable | disable}
        set deterministic-med {enable | disable}
        set ebgp-multipath {enable | disable}
        set ibgp-multipath {enable | disable}
        set enforce-first-as {enable | disable}
        set fast-external-failover {enable | disable}
        set log-neighbour-changes {enable | disable}
        set network-import-check {enable | disable}
        set ignore-optional-capability {enable | disable}
        set cluster-id <ipv4-address-any>
        set confederation-identifier <integer>
        config confederation-peers
            edit <name_str>
                set peer <string>
            end
        set dampening-route-map <string>
        set dampening-reachability-half-life <integer>
        set dampening-reuse <integer>
        set dampening-suppress <integer>
        set dampening-max-suppress-time <integer>
        set dampening-unreachability-half-life <integer>
        set default-local-preference <integer>
        set scan-time <integer>
        set distance-external <integer>
        set distance-internal <integer>
        set distance-local <integer>
        set synchronization {enable | disable}
        set graceful-restart {enable | disable}
        set graceful-restart-time <integer>
        set graceful-stalepath-time <integer>
        set graceful-update-delay <integer>
        config aggregate-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set as-set {enable | disable}
                set summary-only {enable | disable}
            end
        config aggregate-address6
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-prefix>
                set as-set {enable | disable}
                set summary-only {enable | disable}
            end
        config neighbor
            edit <name_str>
                set ip <string>
                set advertisement-interval <integer>
                set allowas-in-enable {enable | disable}
                set allowas-in-enable6 {enable | disable}
                set allowas-in <integer>
                set allowas-in6 <integer>
                set attribute-unchanged {as-path | med | next-hop}
                set attribute-unchanged6 {as-path | med | next-hop}
                set activate {enable | disable}
                set activate6 {enable | disable}
                set bfd {enable | disable}
                set capability-dynamic {enable | disable}
                set capability-orf {none | receive | send | both}
                set capability-orf6 {none | receive | send | both}
                set capability-graceful-restart {enable | disable}
                set capability-graceful-restart6 {enable | disable}
                set capability-route-refresh {enable | disable}
                set capability-default-originate {enable | disable}
                set capability-default-originate6 {enable | disable}
                set dont-capability-negotiate {enable | disable}
                set ebgp-enforce-multihop {enable | disable}
                set next-hop-self {enable | disable}
                set next-hop-self6 {enable | disable}
                set override-capability {enable | disable}
                set passive {enable | disable}
                set remove-private-as {enable | disable}
                set remove-private-as6 {enable | disable}
                set route-reflector-client {enable | disable}
                set route-reflector-client6 {enable | disable}
                set route-server-client {enable | disable}
                set route-server-client6 {enable | disable}
                set shutdown {enable | disable}
                set soft-reconfiguration {enable | disable}
                set soft-reconfiguration6 {enable | disable}
                set as-override {enable | disable}
                set as-override6 {enable | disable}
                set strict-capability-match {enable | disable}
                set default-originate-routemap <string>
                set default-originate-routemap6 <string>
                set description <string>
                set distribute-list-in <string>
                set distribute-list-in6 <string>
                set distribute-list-out <string>
                set distribute-list-out6 <string>
                set ebgp-multihop-ttl <integer>
                set filter-list-in <string>
                set filter-list-in6 <string>
                set filter-list-out <string>
                set filter-list-out6 <string>
                set interface <string>
                set maximum-prefix <integer>
                set maximum-prefix6 <integer>
                set maximum-prefix-threshold <integer>
                set maximum-prefix-threshold6 <integer>
                set maximum-prefix-warning-only {enable | disable}
                set maximum-prefix-warning-only6 {enable | disable}
                set prefix-list-in <string>
                set prefix-list-in6 <string>
                set prefix-list-out <string>
                set prefix-list-out6 <string>
                set remote-as <integer>
                set retain-stale-time <integer>
                set route-map-in <string>
                set route-map-in6 <string>
                set route-map-out <string>
                set route-map-out6 <string>
                set send-community {standard | extended | both | disable}
                set send-community6 {standard | extended | both | disable}
                set keep-alive-timer <integer>
                set holdtime-timer <integer>
                set connect-timer <integer>
                set unsuppress-map <string>
                set unsuppress-map6 <string>
                set update-source <string>
                set weight <integer>
                set restart-time <integer>
                set password <password>
                config conditional-advertise
                    edit <name_str>
                        set advertise-routemap <string>
                        set condition-routemap <string>
                        set condition-type {exist | non-exist}
                    end
            end
        config neighbor-group
            edit <name_str>
                set name <string>
                set advertisement-interval <integer>
                set allowas-in-enable {enable | disable}
                set allowas-in-enable6 {enable | disable}
                set allowas-in <integer>
                set allowas-in6 <integer>
                set attribute-unchanged {as-path | med | next-hop}
                set attribute-unchanged6 {as-path | med | next-hop}
                set activate {enable | disable}
                set activate6 {enable | disable}
                set bfd {enable | disable}
                set capability-dynamic {enable | disable}
                set capability-orf {none | receive | send | both}
                set capability-orf6 {none | receive | send | both}
                set capability-graceful-restart {enable | disable}
                set capability-graceful-restart6 {enable | disable}
                set capability-route-refresh {enable | disable}
                set capability-default-originate {enable | disable}
                set capability-default-originate6 {enable | disable}
                set dont-capability-negotiate {enable | disable}
                set ebgp-enforce-multihop {enable | disable}
                set next-hop-self {enable | disable}
                set next-hop-self6 {enable | disable}
                set override-capability {enable | disable}
                set passive {enable | disable}
                set remove-private-as {enable | disable}
                set remove-private-as6 {enable | disable}
                set route-reflector-client {enable | disable}
                set route-reflector-client6 {enable | disable}
                set route-server-client {enable | disable}
                set route-server-client6 {enable | disable}
                set shutdown {enable | disable}
                set soft-reconfiguration {enable | disable}
                set soft-reconfiguration6 {enable | disable}
                set as-override {enable | disable}
                set as-override6 {enable | disable}
                set strict-capability-match {enable | disable}
                set default-originate-routemap <string>
                set default-originate-routemap6 <string>
                set description <string>
                set distribute-list-in <string>
                set distribute-list-in6 <string>
                set distribute-list-out <string>
                set distribute-list-out6 <string>
                set ebgp-multihop-ttl <integer>
                set filter-list-in <string>
                set filter-list-in6 <string>
                set filter-list-out <string>
                set filter-list-out6 <string>
                set interface <string>
                set maximum-prefix <integer>
                set maximum-prefix6 <integer>
                set maximum-prefix-threshold <integer>
                set maximum-prefix-threshold6 <integer>
                set maximum-prefix-warning-only {enable | disable}
                set maximum-prefix-warning-only6 {enable | disable}
                set prefix-list-in <string>
                set prefix-list-in6 <string>
                set prefix-list-out <string>
                set prefix-list-out6 <string>
                set remote-as <integer>
                set retain-stale-time <integer>
                set route-map-in <string>
                set route-map-in6 <string>
                set route-map-out <string>
                set route-map-out6 <string>
                set send-community {standard | extended | both | disable}
                set send-community6 {standard | extended | both | disable}
                set keep-alive-timer <integer>
                set holdtime-timer <integer>
                set connect-timer <integer>
                set unsuppress-map <string>
                set unsuppress-map6 <string>
                set update-source <string>
                set weight <integer>
                set restart-time <integer>
            end
        config neighbor-range
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set max-neighbor-num <integer>
                set neighbor-group <string>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set backdoor {enable | disable}
                set route-map <string>
            end
        config network6
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-network>
                set backdoor {enable | disable}
                set route-map <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set route-map <string>
            end
        config redistribute6
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set route-map <string>
            end
        config admin-distance
            edit <name_str>
                set id <integer>
                set neighbour-prefix <ipv4-classnet>
                set route-list <string>
                set distance <integer>
            end
    end

Description

Configuration | Description | Default Value
as | Router AS number. | 0
router-id | Router ID. | 0.0.0.0
keepalive-timer | Frequency to send keep alive requests. | 60
holdtime-timer | Number of seconds to mark peer as dead. | 180
always-compare-med | Enable/disable always compare MED. | disable
bestpath-as-path-ignore | Enable/disable ignore AS path. | disable
bestpath-cmp-confed-aspath | Enable/disable compare confederation AS path length. | disable
bestpath-cmp-routerid | Enable/disable compare router ID for identical EBGP paths. | disable
bestpath-med-confed | Enable/disable compare MED among confederation paths. | disable
bestpath-med-missing-as-worst | Enable/disable treat missing MED as least preferred. | disable
client-to-client-reflection | Enable/disable client-to-client route reflection. | enable
dampening | Enable/disable route-flap dampening. | disable
deterministic-med | Enable/disable enforce deterministic comparison of MED. | disable
ebgp-multipath | Enable/disable EBGP multi-path. | disable
ibgp-multipath | Enable/disable IBGP multi-path. | disable
enforce-first-as | Enable/disable enforce first AS for EBGP routes. | enable
fast-external-failover | Enable/disable reset peer BGP session if link goes down. | enable
log-neighbour-changes | Enable logging of BGP neighbour's changes. | enable
network-import-check | Enable/disable ensure BGP network route exists in IGP. | enable
ignore-optional-capability | Don't send unknown optional capability notification message. | enable
cluster-id | Route reflector cluster ID. | 0.0.0.0
confederation-identifier | Confederation identifier. | 0
confederation-peers | Confederation peers. | (Empty)
dampening-route-map | Criteria for dampening. | (Empty)
dampening-reachability-half-life | Reachability half-life time for penalty (min). | 15
dampening-reuse | Threshold to reuse routes. | 750
dampening-suppress | Threshold to suppress routes. | 2000
dampening-max-suppress-time | Maximum minutes a route can be suppressed. | 60
dampening-unreachability-half-life | Unreachability half-life time for penalty (min). | 15
default-local-preference | Default local preference. | 100
scan-time | Background scanner interval (sec). | 60
distance-external | Distance for routes external to the AS. | 20
distance-internal | Distance for routes internal to the AS. | 200
distance-local | Distance for routes local to the AS. | 200
synchronization | Enable/disable only advertise routes from iBGP if routes present in an IGP. | disable
graceful-restart | Enable/disable BGP graceful restart capabilities. | disable
graceful-restart-time | Time needed for neighbors to restart (sec). | 120
graceful-stalepath-time | Time to hold stale paths of restarting neighbor (sec). | 360
graceful-update-delay | Route advertisement/selection delay after restart (sec). | 120
aggregate-address | BGP aggregate address table. | (Empty)
aggregate-address6 | BGP IPv6 aggregate address table. | (Empty)
neighbor | BGP neighbor table. | (Empty)
neighbor-group | BGP neighbor group table. | (Empty)
neighbor-range | BGP neighbor range table. | (Empty)
network | BGP network table. | (Empty)
network6 | BGP IPv6 network table. | (Empty)
redistribute | BGP IPv4 redistribute table. | (Empty)
redistribute6 | BGP IPv6 redistribute table. | (Empty)
admin-distance | Administrative distance modifications. | (Empty)

router/community-list

CLI Syntax

config router community-list
    edit <name_str>
        set name <string>
        set type {standard | expanded}
        config rule
            edit <name_str>
                set id <integer>
                set action {deny | permit}
                set regexp <string>
                set match <string>
            end
    end

Description

Configuration | Description | Default Value
name | Community list name. | (Empty)
type | Community list type. | standard
rule | Community list rule. | (Empty)

router/isis

CLI Syntax

config router isis
    edit <name_str>
        set is-type {level-1-2 | level-1 | level-2-only}
        set auth-mode-l1 {password | md5}
        set auth-mode-l2 {password | md5}
        set auth-password-l1 <password>
        set auth-password-l2 <password>
        set auth-keychain-l1 <string>
        set auth-keychain-l2 <string>
        set auth-sendonly-l1 {enable | disable}
        set auth-sendonly-l2 {enable | disable}
        set ignore-lsp-errors {enable | disable}
        set lsp-gen-interval-l1 <integer>
        set lsp-gen-interval-l2 <integer>
        set lsp-refresh-interval <integer>
        set max-lsp-lifetime <integer>
        set spf-interval-exp-l1 <user>
        set spf-interval-exp-l2 <user>
        set dynamic-hostname {enable | disable}
        set adjacency-check {enable | disable}
        set overload-bit {enable | disable}
        set overload-bit-suppress {external | interlevel}
        set overload-bit-on-startup <integer>
        set default-originate {enable | disable}
        set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
        set redistribute-l1 {enable | disable}
        set redistribute-l1-list <string>
        set redistribute-l2 {enable | disable}
        set redistribute-l2-list <string>
        config isis-net
            edit <name_str>
                set id <integer>
                set net <user>
            end
        config isis-interface
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set network-type {broadcast | point-to-point}
                set circuit-type {level-1-2 | level-1 | level-2}
                set csnp-interval-l1 <integer>
                set csnp-interval-l2 <integer>
                set hello-interval-l1 <integer>
                set hello-interval-l2 <integer>
                set hello-multiplier-l1 <integer>
                set hello-multiplier-l2 <integer>
                set hello-padding {enable | disable}
                set lsp-interval <integer>
                set lsp-retransmit-interval <integer>
                set metric-l1 <integer>
                set metric-l2 <integer>
                set wide-metric-l1 <integer>
                set wide-metric-l2 <integer>
                set auth-password-l1 <password>
                set auth-password-l2 <password>
                set auth-keychain-l1 <string>
                set auth-keychain-l2 <string>
                set auth-send-only-l1 {enable | disable}
                set auth-send-only-l2 {enable | disable}
                set auth-mode-l1 {md5 | password}
                set auth-mode-l2 {md5 | password}
                set priority-l1 <integer>
                set priority-l2 <integer>
                set mesh-group {enable | disable}
                set mesh-group-id <integer>
            end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set level {level-1-2 | level-1 | level-2}
            end
        config redistribute
            edit <name_str>
                set protocol <string>
                set status {enable | disable}
                set metric <integer>
                set metric-type {external | internal}
                set level {level-1-2 | level-1 | level-2}
                set routemap <string>
            end
    end

Description

Configuration | Description | Default Value
is-type | IS type. | level-1-2
auth-mode-l1 | Level 1 authentication mode. | password
auth-mode-l2 | Level 2 authentication mode. | password
auth-password-l1 | Authentication password for level 1 PDUs. | (Empty)
auth-password-l2 | Authentication password for level 2 PDUs. | (Empty)
auth-keychain-l1 | Authentication key-chain for level 1 PDUs. | (Empty)
auth-keychain-l2 | Authentication key-chain for level 2 PDUs. | (Empty)
auth-sendonly-l1 | Enable/disable level 1 authentication send-only. | disable
auth-sendonly-l2 | Enable/disable level 2 authentication send-only. | disable
ignore-lsp-errors | Enable/disable ignoring of LSP errors with bad checksums. | disable
lsp-gen-interval-l1 | Minimum interval for level 1 LSP regenerating. | 30
lsp-gen-interval-l2 | Minimum interval for level 2 LSP regenerating. | 30
lsp-refresh-interval | LSP refresh time in seconds. | 900
max-lsp-lifetime | Maximum LSP lifetime in seconds. | 1200
spf-interval-exp-l1 | Level 1 SPF calculation delay. | 500 50000
spf-interval-exp-l2 | Level 2 SPF calculation delay. | 500 50000
dynamic-hostname | Enable/disable dynamic hostname. | disable
adjacency-check | Enable/disable adjacency check. | disable
overload-bit | Enable/disable signalling other routers not to use us in SPF. | disable
overload-bit-suppress | Suppress overload-bit for the specific prefixes. | (Empty)
overload-bit-on-startup | Overload-bit only temporarily after reboot. | 0
default-originate | Enable/disable control distribution of default information. | disable
metric-style | Use old-style (ISO 10589) or new-style packet formats. | narrow
redistribute-l1 | Enable/disable redistribute level 1 routes into level 2. | disable
redistribute-l1-list | Access-list for redistribute l1 to l2. | (Empty)
redistribute-l2 | Enable/disable redistribute level 2 routes into level 1. | disable
redistribute-l2-list | Access-list for redistribute l2 to l1. | (Empty)
isis-net | IS-IS net configuration. | (Empty)
isis-interface | IS-IS interface configuration. | (Empty)
summary-address | IS-IS summary addresses. | (Empty)
redistribute | IS-IS redistribute protocols. | (Empty)

router/key-chain

CLI Syntax

config router key-chain
    edit <name_str>
        set name <string>
        config key
            edit <name_str>
                set id <integer>
                set accept-lifetime <user>
                set send-lifetime <user>
                set key-string <string>
            end
    end

Description

Configuration | Description | Default Value
name | Key-chain name. | (Empty)
key | Key. | (Empty)

router/multicast

CLI Syntax

config router multicast
    edit <name_str>
        set route-threshold <integer>
        set route-limit <integer>
        set igmp-state-limit <integer>
        set multicast-routing {enable | disable}
        config pim-sm-global
            edit <name_str>
                set message-interval <integer>
                set join-prune-holdtime <integer>
                set accept-register-list <string>
                set bsr-candidate {enable | disable}
                set bsr-interface <string>
                set bsr-priority <integer>
                set bsr-hash <integer>
                set bsr-allow-quick-refresh {enable | disable}
                set cisco-register-checksum {enable | disable}
                set cisco-register-checksum-group <string>
                set cisco-crp-prefix {enable | disable}
                set cisco-ignore-rp-set-priority {enable | disable}
                set register-rp-reachability {enable | disable}
                set register-source {disable | interface | ip-address}
                set register-source-interface <string>
                set register-source-ip <ipv4-address>
                set register-supression <integer>
                set null-register-retries <integer>
                set rp-register-keepalive <integer>
                set spt-threshold {enable | disable}
                set spt-threshold-group <string>
                set ssm {enable | disable}
                set ssm-range <string>
                set register-rate-limit <integer>
                config rp-address
                    edit <name_str>
                        set id <integer>
                        set ip-address <ipv4-address>
                        set group <string>
                    end
            end
        config interface
            edit <name_str>
                set name <string>
                set ttl-threshold <integer>
                set pim-mode {sparse-mode | dense-mode}
                set passive {enable | disable}
                set bfd {enable | disable}
                set neighbour-filter <string>
                set hello-interval <integer>
                set hello-holdtime <integer>
                set cisco-exclude-genid {enable | disable}
                set dr-priority <integer>
                set propagation-delay <integer>
                set state-refresh-interval <integer>
                set rp-candidate {enable | disable}
                set rp-candidate-group <string>
                set rp-candidate-priority <integer>
                set rp-candidate-interval <integer>
                set multicast-flow <string>
                set static-group <string>
                config join-group
                    edit <name_str>
                        set address <ipv4-address-any>
                    end
                config igmp
                    edit <name_str>
                        set access-group <string>
                        set version {3 | 2 | 1}
                        set immediate-leave-group <string>
                        set last-member-query-interval <integer>
                        set last-member-query-count <integer>
                        set query-max-response-time <integer>
                        set query-interval <integer>
                        set query-timeout <integer>
                        set router-alert-check {enable | disable}
                    end
            end
    end

Description

Configuration | Description | Default Value
route-threshold | Generate warnings when number of multicast routes exceeds this number. | 2147483647
route-limit | Maximum number of multicast routes. | 2147483647
igmp-state-limit | Maximum IGMP memberships (system wide). | 3200
multicast-routing | Enable/disable multicast routing. | disable
pim-sm-global | PIM sparse-mode global settings. | Details below
interface | PIM interfaces. | (Empty)

pim-sm-global defaults:

Configuration | Default Value
message-interval | 60
join-prune-holdtime | 210
accept-register-list | (Empty)
bsr-candidate | disable
bsr-interface | (Empty)
bsr-priority | 0
bsr-hash | 10
bsr-allow-quick-refresh | disable
cisco-register-checksum | disable
cisco-register-checksum-group | (Empty)
cisco-crp-prefix | disable
cisco-ignore-rp-set-priority | disable
register-rp-reachability | enable
register-source | disable
register-source-interface | (Empty)
register-source-ip | 0.0.0.0
register-supression | 60
null-register-retries | 1
rp-register-keepalive | 185
spt-threshold | enable
spt-threshold-group | (Empty)
ssm | disable
ssm-range | (Empty)
register-rate-limit | 0
rp-address | (Empty)

router/multicast-flow

CLI Syntax

config router multicast-flow
    edit <name_str>
        set name <string>
        set comments <string>
        config flows
            edit <name_str>
                set id <integer>
                set group-addr <ipv4-address-any>
                set source-addr <ipv4-address-any>
            end
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
flows | Multicast-flow entries. | (Empty)

router/multicast6

CLI Syntax

config router multicast6
    edit <name_str>
        set multicast-routing {enable | disable}
        config interface
            edit <name_str>
                set name <string>
                set hello-interval <integer>
                set hello-holdtime <integer>
            end
        config pim-sm-global
            edit <name_str>
                set register-rate-limit <integer>
                config rp-address
                    edit <name_str>
                        set id <integer>
                        set ip6-address <ipv6-address>
                    end
            end
    end

Description

Configuration | Description | Default Value
multicast-routing | Enable/disable multicast routing. | disable
interface | PIM interfaces. | (Empty)
pim-sm-global | PIM sparse-mode global settings. | Details below

pim-sm-global defaults:

Configuration | Default Value
register-rate-limit | 0
rp-address | (Empty)

router/ospf

CLI Syntax

config router ospf
    edit <name_str>
        set abr-type {cisco | ibm | shortcut | standard}
        set auto-cost-ref-bandwidth <integer>
        set distance-external <integer>
        set distance-inter-area <integer>
        set distance-intra-area <integer>
        set database-overflow {enable | disable}
        set database-overflow-max-lsas <integer>
        set database-overflow-time-to-recover <integer>
        set default-information-originate {enable | always | disable}
        set default-information-metric <integer>
        set default-information-metric-type {1 | 2}
        set default-information-route-map <string>
        set default-metric <integer>
        set distance <integer>
        set rfc1583-compatible {enable | disable}
        set router-id <ipv4-address-any>
        set spf-timers <user>
        set bfd {enable | disable}
        set log-neighbour-changes {enable | disable}
        set distribute-list-in <string>
        set distribute-route-map-in <string>
        set restart-mode {none | lls | graceful-restart}
        set restart-period <integer>
        config area
            edit <name_str>
                set id <ipv4-address-any>
                set shortcut {disable | enable | default}
                set authentication {none | text | md5}
                set default-cost <integer>
                set nssa-translator-role {candidate | never | always}
                set stub-type {no-summary | summary}
                set type {regular | nssa | stub}
                set nssa-default-information-originate {enable | always | disable}
                set nssa-default-information-originate-metric <integer>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                config range
                    edit <name_str>
                        set id <integer>
                        set prefix <ipv4-classnet-any>
                        set advertise {disable | enable}
                        set substitute <ipv4-classnet-any>
                        set substitute-status {enable | disable}
                    end
                config virtual-link
                    edit <name_str>
                        set name <string>
                        set authentication {none | text | md5}
                        set authentication-key <password>
                        set md5-key <user>
                        set dead-interval <integer>
                        set hello-interval <integer>
                        set retransmit-interval <integer>
                        set transmit-delay <integer>
                        set peer <ipv4-address-any>
                    end
                config filter-list
                    edit <name_str>
                        set id <integer>
                        set list <string>
                        set direction {in | out}
                    end
            end
        config ospf-interface
            edit <name_str>
                set name <string>
                set interface <string>
                set ip <ipv4-address>
                set authentication {none | text | md5}
                set authentication-key <password>
                set md5-key <user>
                set prefix-length <integer>
                set retransmit-interval <integer>
                set transmit-delay <integer>
                set cost <integer>
                set priority <integer>
                set dead-interval <integer>
                set hello-interval <integer>
                set hello-multiplier <integer>
                set database-filter-out {enable | disable}
                set mtu <integer>
                set mtu-ignore {enable | disable}
                set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
                set bfd {global | enable | disable}
                set status {disable | enable}
                set resync-timeout <integer>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set area <ipv4-address-any>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
                set poll-interval <integer>
                set cost <integer>
                set priority <integer>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set tag <integer>
                set advertise {disable | enable}
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set access-list <string>
                set protocol {connected | static | rip}
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set metric-type {1 | 2}
                set tag <integer>
            end
    end

Description

Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
distance-external | Administrative external distance. | 110
distance-inter-area | Administrative inter-area distance. | 110
distance-intra-area | Administrative intra-area distance. | 110
database-overflow | Enable/disable database overflow. | disable
database-overflow-max-lsas | Database overflow maximum LSAs. | 10000
database-overflow-time-to-recover | Database overflow time to recover (sec). | 300
default-information-originate | Enable/disable generation of default route. | disable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. | 2
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistribute routes. | 10
distance | Distance of the route. | 110
rfc1583-compatible | Enable/disable RFC1583 compatibility. | disable
router-id | Router ID. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
bfd | Bidirectional Forwarding Detection (BFD). | disable
log-neighbour-changes | Enable logging of OSPF neighbour's changes. | enable
distribute-list-in | Filter incoming routes. | (Empty)
distribute-route-map-in | Filter incoming external routes by route-map. | (Empty)
restart-mode | OSPF restart mode (graceful or LLS). | none
restart-period | Graceful restart period. | 120
area | OSPF area configuration. | (Empty)
ospf-interface | OSPF interface configuration. | (Empty)
network | OSPF network configuration. | (Empty)
neighbor | OSPF neighbor configuration, used when OSPF runs on non-broadcast media. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
summary-address | IP address summary configuration. | (Empty)
distribute-list | Distribute list configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)

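The BGP neighbor options listed earlier (password, maximum-prefix, prefix-list-in, prefix-list-out) and the OSPF area authentication option above are the settings a reviewer checks first when auditing a FortiGate's routing configuration: an eBGP peer without a TCP MD5 password, a prefix limit and inbound/outbound filters, or an OSPF area running without authentication, is a routing-injection exposure. The following Python script is an added example and is not Fortinet's code or part of this reference. It parses a constructed config in the layout FortiOS prints for `show router bgp` / `show router ospf` (the sample uses the `next` / `end` entry terminators that show output contains, which the syntax listings in this reference abbreviate to a single `end`), then reports neighbors missing those options and areas whose authentication is unset, `none` or `text`. Treating an area with no `set authentication` line as `none` is an assumption about the FortiOS default and is labelled as such in the code.

```python
"""Audit FortiOS router configs for BGP peer and OSPF area hardening gaps.

Parses the nested 'config <table>' / 'edit <entry>' / 'set <option> <values>'
/ 'next' / 'end' layout that FortiOS prints for 'show router bgp' and
'show router ospf', then checks the options named in the reference tables.
"""
import shlex

# Constructed sample (not from a real device): one hardened eBGP neighbor and
# one bare neighbor; one MD5-authenticated OSPF area and one with no setting.
SAMPLE_CONFIG = """
config router bgp
    set as 65001
    set router-id 192.0.2.1
    config neighbor
        edit "198.51.100.2"
            set remote-as 65002
            set password PLACEHOLDER-SECRET
            set maximum-prefix 5000
            set prefix-list-in "from-peer"
            set prefix-list-out "to-peer"
            set bfd enable
        next
        edit "198.51.100.3"
            set remote-as 65003
        next
    end
end
config router ospf
    set router-id 192.0.2.1
    config area
        edit 0.0.0.0
            set authentication md5
        next
        edit 0.0.0.1
        next
    end
end
"""

# 'config neighbor' options from the reference that a hardened eBGP session
# is expected to carry: TCP MD5 password, prefix limit, and in/out filters.
BGP_REQUIRED = ("password", "maximum-prefix", "prefix-list-in", "prefix-list-out")


def parse_config(text):
    """Parse FortiOS config text into nested dicts.

    A 'config X' block becomes a dict keyed by entry name, an 'edit N' entry
    becomes a dict of options, and 'set k v...' stores the value list under k.
    'next' closes an entry and 'end' closes a table.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours the quoting FortiOS uses
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_bgp(cfg):
    """Report each BGP neighbor missing one of the BGP_REQUIRED options."""
    findings = []
    for ip, opts in cfg.get("router bgp", {}).get("neighbor", {}).items():
        for key in BGP_REQUIRED:
            if key not in opts:
                findings.append(f"bgp neighbor {ip}: missing {key}")
    return findings


def audit_ospf(cfg):
    """Report OSPF areas whose authentication is absent, 'none' or 'text'.

    An area with no 'set authentication' line is treated as 'none' (assumed
    to be the FortiOS default; the reference lists the option without one).
    """
    findings = []
    for area_id, opts in cfg.get("router ospf", {}).get("area", {}).items():
        mode = opts.get("authentication", ["none"])[0]
        if mode == "none":
            findings.append(f"ospf area {area_id}: authentication is none")
        elif mode == "text":
            findings.append(f"ospf area {area_id}: authentication is plaintext")
    return findings


def audit(text):
    """Parse the config text and return all BGP and OSPF findings."""
    cfg = parse_config(text)
    return audit_bgp(cfg) + audit_ospf(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the second neighbor four times (one line per missing option) and the unauthenticated area once. To audit a real unit, feed it the text of `show router bgp` and `show router ospf` concatenated; the same parser walks any other `config router ...` table on this page, so the required-option tuples are the only part to adapt.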
router/ospf6

CLI Syntax

config router ospf6
    edit <name_str>
        set abr-type {cisco | ibm | standard}
        set auto-cost-ref-bandwidth <integer>
        set default-information-originate {enable | always | disable}
        set log-neighbour-changes {enable | disable}
        set default-information-metric <integer>
        set default-information-metric-type {1 | 2}
        set default-information-route-map <string>
        set default-metric <integer>
        set router-id <ipv4-address-any>
        set spf-timers <user>
        config area
            edit <name_str>
                set id <ipv4-address-any>
                set default-cost <integer>
                set nssa-translator-role {candidate | never | always}
                set stub-type {no-summary | summary}
                set type {regular | nssa | stub}
                set nssa-default-information-originate {enable | disable}
                set nssa-default-information-originate-metric <integer>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                config range
                    edit <name_str>
                        set id <integer>
                        set prefix6 <ipv6-network>
                        set advertise {disable | enable}
                    end
                config virtual-link
                    edit <name_str>
                        set name <string>
                        set dead-interval <integer>
                        set hello-interval <integer>
                        set retransmit-interval <integer>
                        set transmit-delay <integer>
                        set peer <ipv4-address-any>
                    end
            end
        config ospf6-interface
            edit <name_str>
                set name <string>
                set area-id <ipv4-address-any>
                set interface <string>
                set retransmit-interval <integer>
                set transmit-delay <integer>
                set cost <integer>
                set priority <integer>
                set dead-interval <integer>
                set hello-interval <integer>
                set status {disable | enable}
                set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
                config neighbor
                    edit <name_str>
                        set ip6 <ipv6-address>
                        set poll-interval <integer>
                        set cost <integer>
                        set priority <integer>
                    end
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set metric-type {1 | 2}
            end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-network>
                set advertise {disable | enable}
                set tag <integer>
            end
    end

Description

Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
default-information-originate | Enable/disable generation of default route. | disable
log-neighbour-changes | Enable logging of OSPFv3 neighbour's changes. | enable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. | 2
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistribute routes. | 20
router-id | A.B.C.D, in IPv4 address format. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
area | OSPF6 area configuration. | (Empty)
ospf6-interface | OSPF6 interface configuration. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
summary-address | IPv6 address summary configuration. | (Empty)

router/policy

CLI Syntax

config router policy
    edit <name_str>
        set seq-num <integer>
        config input-device
            edit <name_str>
                set name <string>
            end
        config src
            edit <name_str>
                set subnet <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        set src-negate {enable | disable}
        config dst
            edit <name_str>
                set subnet <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set dst-negate {enable | disable}
        set action {deny | permit}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set start-source-port <integer>
        set end-source-port <integer>
        set gateway <ipv4-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set comments <var-string>
    end

Description

Configuration | Description | Default Value
seq-num | Sequence number. | 0
input-device | Incoming interface name. | (Empty)
src | Source IP and mask (x.x.x.x/x). | (Empty)
srcaddr | Source address name. | (Empty)
src-negate | Enable/disable negated source address match. | disable
dst | Destination IP and mask (x.x.x.x/x). | (Empty)
dstaddr | Destination address name. | (Empty)
dst-negate | Enable/disable negated destination address match. | disable
action | Action of the policy route. | permit
protocol | Protocol number. | 0
start-port | Start destination port number. | 1
end-port | End destination port number. | 65535
start-source-port | Start source port number. | 1
end-source-port | End source port number. | 65535
gateway | IP address of gateway. | 0.0.0.0
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
comments | Comment. | (Empty)

router/policy6

CLI Syntax

config router policy6
    edit <name_str>
        set seq-num <integer>
        set input-device <string>
        set src <ipv6-network>
        set dst <ipv6-network>
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set gateway <ipv6-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set comments <var-string>
    end

CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
376
Description
Configuration Description Default Value
seq-num Sequence number. 0
input-device Incoming interface name. (Empty)
src Source IPv6 prefix. ::/0
dst Destination IPv6 prefix. ::/0
protocol Protocol number. 0
start-port Start port number. 1
end-port End port number. 65535
gateway IPv6 address of gateway. ::
output-device Outgoing interface name. (Empty)
tos Terms of service bit pattern. 0x00
tos-mask Terms of service evaluated bits. 0x00
comments Comment. (Empty)
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
377
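The policy and policy6 tables list the match fields of a policy route but not how they combine. The following Python model is an added example, not code from the FortiOS CLI Reference or from Fortinet: it implements the fields above (input-device, src/dst with src-negate and dst-negate, protocol, destination and source port ranges, tos/tos-mask) for both IPv4 and IPv6 entries, and assumes, as a model of FortiOS behaviour, that entries are evaluated in ascending seq-num order with the first match deciding. The policies, interface names, gateways and packets are constructed sample data.

```python
"""Model of FortiOS policy-route matching ('config router policy' / 'policy6').

Added example, not from the FortiOS CLI Reference or from Fortinet. Assumes
first-match evaluation in ascending seq-num order; all policies, interface
names, gateways and packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PolicyRoute:
    seq_num: int
    action: str = "permit"                      # permit = use gateway/output-device, deny = no policy route
    input_device: set = field(default_factory=set)   # (Empty) = any incoming interface
    src: list = field(default_factory=list)     # ip_network objects; (Empty) = any source
    dst: list = field(default_factory=list)
    src_negate: bool = False
    dst_negate: bool = False
    protocol: int = 0                           # 0 = any IP protocol
    start_port: int = 1                         # destination port range, page defaults
    end_port: int = 65535
    start_source_port: int = 1
    end_source_port: int = 65535
    gateway: str = ""
    output_device: str = ""
    tos: int = 0x00
    tos_mask: int = 0x00                        # 0x00 = ToS byte not evaluated


def _addr_match(networks, addr, negate):
    """Empty list means the field is not evaluated; negate inverts a configured match."""
    if not networks:
        return True
    hit = any(addr in net for net in networks)  # a v4 address never falls inside a v6 net
    return not hit if negate else hit


def matches(pr, pkt):
    if pr.input_device and pkt["in_if"] not in pr.input_device:
        return False
    if not _addr_match(pr.src, ipaddress.ip_address(pkt["src"]), pr.src_negate):
        return False
    if not _addr_match(pr.dst, ipaddress.ip_address(pkt["dst"]), pr.dst_negate):
        return False
    if pr.protocol and pkt["proto"] != pr.protocol:
        return False
    if pkt["proto"] in (6, 17):                 # port ranges only apply to TCP/UDP
        if not pr.start_port <= pkt["dport"] <= pr.end_port:
            return False
        if not pr.start_source_port <= pkt["sport"] <= pr.end_source_port:
            return False
    # tos-mask selects the bits that are compared; with mask 0x00 every packet matches
    return (pkt["tos"] & pr.tos_mask) == (pr.tos & pr.tos_mask)


def route_for(policies, pkt):
    """First matching entry in seq-num order as (seq, action, gateway, output-device), or None."""
    for pr in sorted(policies, key=lambda p: p.seq_num):
        if matches(pr, pkt):
            return (pr.seq_num, pr.action, pr.gateway, pr.output_device)
    return None


net = ipaddress.ip_network
POLICIES = [
    # seq 1: HTTPS from the user LAN that is NOT bound for 10.0.0.0/8 leaves via wan2
    PolicyRoute(1, input_device={"internal"}, src=[net("10.1.0.0/16")],
                dst=[net("10.0.0.0/8")], dst_negate=True, protocol=6,
                start_port=443, end_port=443, gateway="203.0.113.1", output_device="wan2"),
    # seq 2: traffic marked DSCP EF (ToS 0xb8; mask 0xfc compares only the 6 DSCP bits) goes out wan1
    PolicyRoute(2, tos=0xb8, tos_mask=0xfc, gateway="198.51.100.254", output_device="wan1"),
    # seq 3: guest subnet is excluded from policy routing (falls back to the routing table)
    PolicyRoute(3, action="deny", src=[net("10.9.0.0/16")]),
    # seq 10: an IPv6 entry in the style of 'config router policy6'
    PolicyRoute(10, src=[net("2001:db8:1::/48")], gateway="2001:db8:ffff::1", output_device="wan1"),
]

# constructed packets: in_if, src, dst, proto, sport, dport, tos
PKT_WEB = {"in_if": "internal", "src": "10.1.2.3", "dst": "198.51.100.7", "proto": 6, "sport": 51000, "dport": 443, "tos": 0x00}
PKT_INTERNAL = {"in_if": "internal", "src": "10.1.2.3", "dst": "10.2.0.5", "proto": 6, "sport": 40000, "dport": 443, "tos": 0x00}
PKT_VOICE = {"in_if": "internal", "src": "10.5.0.1", "dst": "10.2.0.5", "proto": 17, "sport": 5060, "dport": 5060, "tos": 0xb8}
PKT_GUEST = {"in_if": "internal", "src": "10.9.1.1", "dst": "198.51.100.7", "proto": 6, "sport": 40000, "dport": 80, "tos": 0x00}
PKT_V6 = {"in_if": "internal", "src": "2001:db8:1::5", "dst": "2001:db8:2::1", "proto": 6, "sport": 50000, "dport": 80, "tos": 0x00}

if __name__ == "__main__":
    for name, pkt in [("web", PKT_WEB), ("internal", PKT_INTERNAL), ("voice", PKT_VOICE), ("guest", PKT_GUEST), ("v6", PKT_V6)]:
        print(name, route_for(POLICIES, pkt))
```

The dst-negate entry is the one to check carefully when auditing a policy-route table: with an (Empty) dst, negate has nothing to invert and the entry still matches everything, so the model treats an empty address list as "not evaluated" regardless of the negate flag.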
router/prefix-list

CLI Syntax

config router prefix-list
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
            end
    end

Description

Configuration             Description                 Default Value
name                      Name.                       (Empty)
comments                  Comment.                    (Empty)
rule                      Rule.                       (Empty)
router/prefix-list6

CLI Syntax

config router prefix-list6
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix6 <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
            end
    end

Description

Configuration             Description                 Default Value
name                      Name.                       (Empty)
comments                  Comment.                    (Empty)
rule                      Rule.                       (Empty)
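The prefix-list and prefix-list6 syntax above exposes id, action, prefix/prefix6, ge and le, and the description table only says "Rule". The following Python model is an added example, not code from the FortiOS CLI Reference or from Fortinet, showing the standard prefix-list semantics a practitioner relies on when these lists filter routes: rules are tried in ascending id order, a rule matches when the route lies inside the rule prefix and its length satisfies ge/le (exact length when neither is set), and a route matching no rule is denied. Treating ge/le = 0 as "not set" is an assumption; the reference does not give their defaults. The rules and routes are constructed.

```python
"""Model of FortiOS prefix-list rule evaluation ('config router prefix-list' / 'prefix-list6').

Added example, not from the FortiOS CLI Reference or from Fortinet. ge/le = 0
is treated as "not set" (assumption). Rules and routes below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PrefixRule:
    id: int
    action: str            # permit | deny
    prefix: str            # prefix (IPv4) or prefix6 (IPv6) in CIDR form
    ge: int = 0            # minimum prefix length; 0 = not set (assumption)
    le: int = 0            # maximum prefix length; 0 = not set (assumption)


def rule_matches(rule, route):
    rule_net = ipaddress.ip_network(rule.prefix)
    route_net = ipaddress.ip_network(route)
    if rule_net.version != route_net.version:
        return False
    if not route_net.subnet_of(rule_net):       # the route must lie inside the rule prefix
        return False
    length = route_net.prefixlen
    if not rule.ge and not rule.le:             # no ge/le: exact-length match only
        return length == rule_net.prefixlen
    if rule.ge and length < rule.ge:
        return False
    if rule.le and length > rule.le:
        return False
    return True


def evaluate(rules, route):
    """Action of the first matching rule in id order; implicit deny when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.id):
        if rule_matches(rule, route):
            return rule.action
    return "deny"


# constructed list: accept 10/8 aggregates down to /24, refuse anything more specific,
# and accept only exact /48 customer blocks from the documentation IPv6 range
RULES = [
    PrefixRule(1, "deny", "10.0.0.0/8", ge=25),
    PrefixRule(2, "permit", "10.0.0.0/8", le=24),
    PrefixRule(3, "permit", "2001:db8::/32", ge=48, le=48),
]

if __name__ == "__main__":
    for route in ["10.1.0.0/16", "10.1.2.0/25", "192.0.2.0/24", "2001:db8:1::/48", "2001:db8::/32"]:
        print(route, evaluate(RULES, route))
```

The order of rules 1 and 2 matters: swapping them would let rule 2 stop at a /24 while a /25 still falls through to rule 1, which is the same result here, but in lists where ranges overlap the first match wins and later, stricter rules never run.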
router/rip

CLI Syntax

config router rip
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        set recv-buffer-size <integer>
        config distance
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set distance <integer>
                set access-list <string>
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
            end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list <string>
                set offset <integer>
                set interface <string>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set flags <integer>
            end
        set update-timer <integer>
        set timeout-timer <integer>
        set garbage-timer <integer>
        set version {1 | 2}
        config interface
            edit <name_str>
                set name <string>
                set auth-keychain <string>
                set auth-mode {none | text | md5}
                set auth-string <password>
                set receive-version {1 | 2}
                set send-version {1 | 2}
                set send-version2-broadcast {disable | enable}
                set split-horizon-status {enable | disable}
                set split-horizon {poisoned | regular}
                set flags <integer>
            end
    end

Description

Configuration                  Description                                               Default Value
default-information-originate  Enable/disable generation of default route.               disable
default-metric                 Default metric.                                           1
max-out-metric                 Maximum metric allowed to output (0 means 'not set').     0
recv-buffer-size               Receiving buffer size.                                    655360
distance                       Distance.                                                 (Empty)
distribute-list                Distribute list.                                          (Empty)
neighbor                       Neighbor.                                                 (Empty)
network                        Network.                                                  (Empty)
offset-list                    Offset list.                                              (Empty)
passive-interface              Passive interface configuration.                          (Empty)
redistribute                   Redistribute configuration.                               (Empty)
update-timer                   Update timer.                                             30
timeout-timer                  Timeout timer.                                            180
garbage-timer                  Garbage timer.                                            120
version                        RIP version.                                              2
interface                      RIP interface configuration.                              (Empty)
router/ripng

CLI Syntax

config router ripng
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        config distance
            edit <name_str>
                set id <integer>
                set distance <integer>
                set prefix6 <ipv6-prefix>
                set access-list6 <string>
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip6 <ipv6-address>
                set interface <string>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv6-prefix>
            end
        config aggregate-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-prefix>
            end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list6 <string>
                set offset <integer>
                set interface <string>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set flags <integer>
            end
        set update-timer <integer>
        set timeout-timer <integer>
        set garbage-timer <integer>
        config interface
            edit <name_str>
                set name <string>
                set split-horizon-status {enable | disable}
                set split-horizon {poisoned | regular}
                set flags <integer>
            end
    end

Description

Configuration                  Description                                               Default Value
default-information-originate  Enable/disable generation of default route.               disable
default-metric                 Default metric.                                           1
max-out-metric                 Maximum metric allowed to output (0 means 'not set').     0
distance                       Distance.                                                 (Empty)
distribute-list                Distribute list.                                          (Empty)
neighbor                       Neighbor.                                                 (Empty)
network                        Network.                                                  (Empty)
aggregate-address              Aggregate address.                                        (Empty)
offset-list                    Offset list.                                              (Empty)
passive-interface              Passive interface configuration.                          (Empty)
redistribute                   Redistribute configuration.                               (Empty)
update-timer                   Update timer.                                             30
timeout-timer                  Timeout timer.                                            180
garbage-timer                  Garbage timer.                                            120
interface                      RIPng interface configuration.                            (Empty)
router/route-map

CLI Syntax

config router route-map
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set match-as-path <string>
                set match-community <string>
                set match-community-exact {enable | disable}
                set match-origin {none | egp | igp | incomplete}
                set match-interface <string>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
                set match-metric <integer>
                set match-route-type {1 | 2}
                set match-tag <integer>
                set set-aggregator-as <integer>
                set set-aggregator-ip <ipv4-address-any>
                set set-aspath-action {prepend | replace}
                config set-aspath
                    edit <name_str>
                        set as <string>
                    end
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <string>
                config set-community
                    edit <name_str>
                        set community <string>
                    end
                set set-community-additive {enable | disable}
                set set-dampening-reachability-half-life <integer>
                set set-dampening-reuse <integer>
                set set-dampening-suppress <integer>
                set set-dampening-max-suppress <integer>
                set set-dampening-unreachability-half-life <integer>
                config set-extcommunity-rt
                    edit <name_str>
                        set community <string>
                    end
                config set-extcommunity-soo
                    edit <name_str>
                        set community <string>
                    end
                set set-ip-nexthop <ipv4-address>
                set set-ip6-nexthop <ipv6-address>
                set set-ip6-nexthop-local <ipv6-address>
                set set-local-preference <integer>
                set set-metric <integer>
                set set-metric-type {1 | 2}
                set set-originator-id <ipv4-address-any>
                set set-origin {none | egp | igp | incomplete}
                set set-tag <integer>
                set set-weight <integer>
                set set-flags <integer>
                set match-flags <integer>
            end
    end

Description

Configuration             Description                 Default Value
name                      Name.                       (Empty)
comments                  Comment.                    (Empty)
rule                      Rule.                       (Empty)
router/setting

CLI Syntax

config router setting
    edit <name_str>
        set show-filter <string>
        set hostname <string>
    end

Description

Configuration             Description                                          Default Value
show-filter               Prefix-list as filter for showing routes.            (Empty)
hostname                  Hostname for this virtual domain router.             (Empty)
router/static

CLI Syntax

config router static
    edit <name_str>
        set seq-num <integer>
        set dst <ipv4-classnet>
        set gateway <ipv4-address>
        set distance <integer>
        set weight <integer>
        set priority <integer>
        set device <string>
        set comment <var-string>
        set blackhole {enable | disable}
        set dynamic-gateway {enable | disable}
        set virtual-wan-link {enable | disable}
        set dstaddr <string>
        set internet-service <integer>
        set internet-service-custom <string>
    end

Description

Configuration             Description                                                           Default Value
seq-num                   Entry number.                                                         0
dst                       Destination IP and mask for this route.                               0.0.0.0 0.0.0.0
gateway                   Gateway IP for this route.                                            0.0.0.0
distance                  Administrative distance (1 - 255).                                    10
weight                    Administrative weight (0 - 255).                                      0
priority                  Administrative priority (0 - 4294967295).                             0
device                    Enable/disable gateway out interface.                                 (Empty)
comment                   Comment.                                                              (Empty)
blackhole                 Enable/disable black hole.                                            disable
dynamic-gateway           Enable use of dynamic gateway retrieved from a DHCP or PPP server.    disable
virtual-wan-link          Enable/disable egress through the virtual-wan-link.                   disable
dstaddr                   Name of firewall address or address group.                            (Empty)
internet-service          Application ID in the Internet service database.                      0
internet-service-custom   Application name in the Internet service custom database.             (Empty)
router/static6

CLI Syntax

config router static6
    edit <name_str>
        set seq-num <integer>
        set dst <ipv6-network>
        set gateway <ipv6-address>
        set device <string>
        set devindex <integer>
        set distance <integer>
        set priority <integer>
        set comment <var-string>
        set blackhole {enable | disable}
    end

Description

Configuration             Description                                          Default Value
seq-num                   Sequence number.                                     0
dst                       Destination IPv6 prefix for this route.              ::/0
gateway                   Gateway IPv6 address for this route.                 ::
device                    Gateway out interface or tunnel.                     (Empty)
devindex                  Device index (0 - 4294967295).                       0
distance                  Administrative distance (1 - 255).                   10
priority                  Administrative priority (0 - 4294967295).            0
comment                   Comment.                                             (Empty)
blackhole                 Enable/disable black hole.                           disable
spamfilter/bwl

CLI Syntax

config spamfilter bwl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set type {ip | email}
                set action {reject | spam | clear}
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
                set pattern-type {wildcard | regexp}
                set email-pattern <string>
            end
    end

Description

Configuration             Description                                          Default Value
id                        ID.                                                  0
name                      Name of table.                                       (Empty)
comment                   Comment.                                             (Empty)
entries                   Anti-spam black/white list entries.                  (Empty)
spamfilter/bword

CLI Syntax

config spamfilter bword
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set pattern <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
                set where {subject | body | all}
                set language {western | simch | trach | japanese | korean | french | thai | spanish}
                set score <integer>
            end
    end

Description

Configuration             Description                                          Default Value
id                        ID.                                                  0
name                      Name of table.                                       (Empty)
comment                   Comment.                                             (Empty)
entries                   Spam filter banned word.                             (Empty)
spamfilter/dnsbl

CLI Syntax

config spamfilter dnsbl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set server <string>
                set action {reject | spam}
            end
    end

Description

Configuration             Description                                          Default Value
id                        ID.                                                  0
name                      Name of table.                                       (Empty)
comment                   Comment.                                             (Empty)
entries                   Spam filter DNSBL and ORBL server.                   (Empty)
spamfilter/fortishield

CLI Syntax

config spamfilter fortishield
    edit <name_str>
        set spam-submit-srv <string>
        set spam-submit-force {enable | disable}
        set spam-submit-txt2htm {enable | disable}
    end

Description

Configuration             Description                                                                   Default Value
spam-submit-srv           Hostname of the spam submission server.                                       www.nospammer.net
spam-submit-force         Enable/disable force insertion of a new mime entity for the submission text.  enable
spam-submit-txt2htm       Enable/disable conversion of text email to HTML email.                        enable
spamfilter/iptrust

CLI Syntax

config spamfilter iptrust
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
            end
    end

Description

Configuration             Description                                          Default Value
id                        ID.                                                  0
name                      Name of table.                                       (Empty)
comment                   Comment.                                             (Empty)
entries                   Spam filter trusted IP addresses.                    (Empty)
spamfilter/mheader

CLI Syntax

config spamfilter mheader
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set fieldname <string>
                set fieldbody <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
            end
    end

Description

Configuration             Description                                          Default Value
id                        ID.                                                  0
name                      Name of table.                                       (Empty)
comment                   Comment.                                             (Empty)
entries                   Spam filter mime header content.                     (Empty)
spamfilter/options

CLI Syntax

config spamfilter options
    edit <name_str>
        set dns-timeout <integer>
    end

Description

Configuration             Description                                          Default Value
dns-timeout               DNS query time out (1 - 30 sec).                     7
spamfilter/profile

CLI Syntax

config spamfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set flow-based {enable | disable}
        set replacemsg-group <string>
        set spam-log {enable | disable}
        set spam-filtering {enable | disable}
        set external {enable | disable}
        set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
        config imap
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
            end
        config pop3
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
            end
        config smtp
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag | discard}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
                set hdrip {enable | disable}
                set local-override {enable | disable}
            end
        config mapi
            edit <name_str>
                set log {enable | disable}
                set action {pass | discard}
            end
        config msn-hotmail
            edit <name_str>
                set log {enable | disable}
            end
        config yahoo-mail
            edit <name_str>
                set log {enable | disable}
            end
        config gmail
            edit <name_str>
                set log {enable | disable}
            end
        set spam-bword-threshold <integer>
        set spam-bword-table <integer>
        set spam-bwl-table <integer>
        set spam-mheader-table <integer>
        set spam-rbl-table <integer>
        set spam-iptrust-table <integer>
    end

Description

Configuration             Description                                          Default Value
name                      Profile name.                                        (Empty)
comment                   Comment.                                             (Empty)
flow-based                Enable/disable flow-based spam filtering.            disable
replacemsg-group          Replacement message group.                           (Empty)
spam-log                  Enable/disable spam logging for email filtering.     enable
spam-filtering            Enable/disable spam filtering.                       disable
external                  Enable/disable external Email inspection.            disable
options                   Options.                                             (Empty)
imap                      IMAP.                                                Details below
    Configuration         Default Value
    log                   disable
    action                tag
    tag-type              subject spaminfo
    tag-msg               Spam
pop3                      POP3.                                                Details below
    Configuration         Default Value
    log                   disable
    action                tag
    tag-type              subject spaminfo
    tag-msg               Spam
smtp                      SMTP.                                                Details below
    Configuration         Default Value
    log                   disable
    action                discard
    tag-type              subject spaminfo
    tag-msg               Spam
    hdrip                 disable
    local-override        disable
mapi                      MAPI.                                                Details below
    Configuration         Default Value
    log                   disable
    action                discard
msn-hotmail               MSN Hotmail.                                         Details below
    Configuration         Default Value
    log                   disable
yahoo-mail                Yahoo! Mail.                                         Details below
    Configuration         Default Value
    log                   disable
gmail                     Gmail.                                               Details below
    Configuration         Default Value
    log                   disable
spam-bword-threshold      Spam banned word threshold.                          10
spam-bword-table          Anti-spam banned word table ID.                      0
spam-bwl-table            Anti-spam black/white list table ID.                 0
spam-mheader-table        Anti-spam MIME header table ID.                      0
spam-rbl-table            Anti-spam DNSBL table ID.                            0
spam-iptrust-table        Anti-spam IP trust table ID.                         0
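The spamfilter/bword entries (pattern, pattern-type, where, score, status) and the profile's spam-bword-threshold and per-protocol action defaults above describe the pieces of banned-word filtering without showing how they combine. The following Python model is an added example, not code from the FortiOS CLI Reference or from Fortinet. It assumes that each enabled entry with action spam adds its score once when its pattern is found in the selected part(s) of the message, that a message whose total reaches the threshold (page default 10) is spam, that wildcard '*' and '?' mean any run of characters and any single character with case-insensitive matching, that tag-type subject prepends tag-msg to the subject, and it does not model entries with action clear. The banned words and messages are constructed.

```python
"""Model of FortiOS banned-word scoring ('config spamfilter bword') and the
per-protocol spam action defaults of 'config spamfilter profile'.

Added example, not from the FortiOS CLI Reference or from Fortinet; the scoring
and tagging rules are assumptions stated in the lead-in. All entries and
messages below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class BannedWord:
    id: int
    pattern: str
    score: int
    pattern_type: str = "wildcard"   # wildcard | regexp
    where: str = "all"               # subject | body | all
    action: str = "spam"             # spam | clear (clear not modelled)
    status: bool = True


def _to_regex(entry):
    if entry.pattern_type == "regexp":
        return re.compile(entry.pattern, re.IGNORECASE)
    # wildcard: escape everything, then turn '*' and '?' back into regex (assumption)
    escaped = re.escape(entry.pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE)


def bword_score(entries, subject, body):
    """Total score and the ids of the entries that hit, in id order."""
    total, hits = 0, []
    for e in sorted(entries, key=lambda x: x.id):
        if not e.status or e.action != "spam":
            continue
        parts = []
        if e.where in ("subject", "all"):
            parts.append(subject)
        if e.where in ("body", "all"):
            parts.append(body)
        rx = _to_regex(e)
        if any(rx.search(p) for p in parts):
            total += e.score
            hits.append(e.id)
    return total, hits


def classify(entries, subject, body, threshold=10):
    """(is_spam, total, hits) against spam-bword-threshold (page default 10)."""
    total, hits = bword_score(entries, subject, body)
    return total >= threshold, total, hits


# per-protocol defaults taken from the profile description table above
PROFILE_DEFAULTS = {
    "imap": {"action": "tag", "tag_type": "subject", "tag_msg": "Spam"},
    "pop3": {"action": "tag", "tag_type": "subject", "tag_msg": "Spam"},
    "smtp": {"action": "discard"},
}


def apply_profile(protocol, is_spam, subject, profile=PROFILE_DEFAULTS):
    """('pass', subject), ('tag', tagged_subject) or ('discard', None)."""
    if not is_spam:
        return ("pass", subject)
    setting = profile[protocol]
    if setting["action"] == "discard":
        return ("discard", None)
    if setting["action"] == "tag" and setting["tag_type"] == "subject":
        return ("tag", f"{setting['tag_msg']} {subject}")
    return ("pass", subject)


# constructed banned-word table
BANNED = [
    BannedWord(1, "free*money", 6, where="subject"),
    BannedWord(2, r"\bvi[a@]gra\b", 10, pattern_type="regexp"),
    BannedWord(3, "unsubscribe", 4, where="body"),
    BannedWord(4, "lottery", 8, status=False),      # disabled entry never scores
]

if __name__ == "__main__":
    verdict = classify(BANNED, "FREE MONEY inside", "click here, then unsubscribe")
    print(verdict, apply_profile("smtp", verdict[0], "FREE MONEY inside"))
```

Two points the model makes visible: a low-score entry such as "unsubscribe" is harmless on its own but tips a borderline message over the threshold, so scores should be chosen relative to the threshold rather than in isolation; and the same verdict ends differently per protocol, since the SMTP default discards while the IMAP and POP3 defaults only tag.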
system.autoupdate/push-update

CLI Syntax

config system.autoupdate push-update
    edit <name_str>
        set status {enable | disable}
        set override {enable | disable}
        set address <ipv4-address-any>
        set port <integer>
    end

Description

Configuration             Description                                          Default Value
status                    Enable/disable push updates.                         disable
override                  Enable/disable push update override server.          disable
address                   Push update override server.                         0.0.0.0
port                      Push update override port.                           9443
system.autoupdate/schedule

CLI Syntax

config system.autoupdate schedule
    edit <name_str>
        set status {enable | disable}
        set frequency {every | daily | weekly}
        set time <user>
        set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
    end

Description

Configuration             Description                                          Default Value
status                    Enable/disable scheduled updates.                    enable
frequency                 Update frequency.                                    every
time                      Update time.                                         02:60
day                       Update day.                                          Monday
system.autoupdate/tunneling

CLI Syntax

config system.autoupdate tunneling
    edit <name_str>
        set status {enable | disable}
        set address <string>
        set port <integer>
        set username <string>
        set password <password>
    end

Description

Configuration             Description                                          Default Value
status                    Enable/disable web proxy tunnelling.                 disable
address                   Web proxy IP address or FQDN.                        (Empty)
port                      Web proxy port.                                      0
username                  Web proxy username.                                  (Empty)
password                  Web proxy password.                                  (Empty)
system.dhcp/server

CLI Syntax

config system.dhcp server
    edit <name_str>
        set id <integer>
        set status {disable | enable}
        set lease-time <integer>
        set mac-acl-default-action {assign | block}
        set forticlient-on-net-status {disable | enable}
        set dns-service {local | default | specify}
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set dns-server3 <ipv4-address>
        set wifi-ac1 <ipv4-address>
        set wifi-ac2 <ipv4-address>
        set wifi-ac3 <ipv4-address>
        set ntp-service {local | default | specify}
        set ntp-server1 <ipv4-address>
        set ntp-server2 <ipv4-address>
        set ntp-server3 <ipv4-address>
        set domain <string>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set default-gateway <ipv4-address>
        set next-server <ipv4-address>
        set netmask <ipv4-netmask>
        set interface <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
        set timezone-option {disable | default | specify}
        set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
        set tftp-server <string>
        set filename <string>
        set option1 <user>
        set option2 <user>
        set option3 <user>
        set option4 <user>
        set option5 <user>
        set option6 <user>
        set server-type {regular | ipsec}
        set ip-mode {range | usrgrp}
        set conflicted-ip-timeout <integer>
        set ipsec-lease-hold <integer>
        set auto-configuration {disable | enable}
        set ddns-update {disable | enable}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-ttl <integer>
        set vci-match {disable | enable}
        config vci-string
            edit <name_str>
                set vci-string <string>
            end
        config exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
        config reserved-address
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
                set mac <mac-address>
                set action {assign | block | reserved}
                set description <var-string>
            end
    end

Description

Configuration             Description                                                                                   Default Value
id                        ID.                                                                                           0
status                    Enable/disable use this DHCP configuration.                                                   enable
lease-time                Lease time in seconds.                                                                        604800
mac-acl-default-action    MAC access control default action.                                                            assign
forticlient-on-net-status Sending FortiGate serial number as a DHCP option.                                             enable
dns-service               DNS service option.                                                                           specify
dns-server1               DNS server 1.                                                                                 0.0.0.0
dns-server2               DNS server 2.                                                                                 0.0.0.0
dns-server3               DNS server 3.                                                                                 0.0.0.0
wifi-ac1                  WiFi AC 1.                                                                                    0.0.0.0
wifi-ac2                  WiFi AC 2.                                                                                    0.0.0.0
wifi-ac3                  WiFi AC 3.                                                                                    0.0.0.0
ntp-service               NTP service option.                                                                           specify
ntp-server1               NTP server 1.                                                                                 0.0.0.0
ntp-server2               NTP server 2.                                                                                 0.0.0.0
ntp-server3               NTP server 3.                                                                                 0.0.0.0
domain                    Domain name.                                                                                  (Empty)
wins-server1              WINS server 1.                                                                                0.0.0.0
wins-server2              WINS server 2.                                                                                0.0.0.0
default-gateway           Enable/disable default gateway.                                                               0.0.0.0
next-server               Next bootstrap server.                                                                        0.0.0.0
netmask                   Netmask.                                                                                      0.0.0.0
interface                 Interface name.                                                                               (Empty)
ip-range                  DHCP IP range configuration.                                                                  (Empty)
timezone-option           Time zone settings.                                                                           disable
timezone                  Time zone.                                                                                    00
tftp-server               Hostname or IP address of the TFTP server.                                                    (Empty)
filename                  Boot file name.                                                                               (Empty)
option1                   Option 1.                                                                                     0
option2                   Option 2.                                                                                     0
option3                   Option 3.                                                                                     0
option4                   Option 4.                                                                                     0
option5                   Option 5.                                                                                     0
option6                   Option 6.                                                                                     0
server-type               Type of DHCP service to provide.                                                              regular
ip-mode                   Method used to assign client IP.                                                              range
conflicted-ip-timeout     Time conflicted IP is removed from the range (seconds).                                       1800
ipsec-lease-hold          DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry). 60
auto-configuration        Enable/disable auto configuration.                                                            enable
ddns-update               Enable/disable DDNS update for DHCP.                                                          disable
ddns-server-ip            DDNS server IP.                                                                               0.0.0.0
ddns-zone                 Zone of your domain name (ex. DDNS.com).                                                      (Empty)
ddns-auth                 DDNS authentication mode.                                                                     disable
ddns-keyname              DDNS update key name.                                                                         (Empty)
ddns-key                  DDNS update key (base 64 encoding).                                                           'ENCAuAHaUUdY1NOrENeFjxC6TXsIjntkrMvREwMTLVsKksjKKAeHgnmgOYHVJsx1EMp4FsdxXlBMGI9fs0Gob4fjHviV670NU8ypyB+szhnVal5VB5J/EQgo1R2WKM='
ddns-ttl                  TTL.                                                                                          300
vci-match                 Enable/disable VCI matching.                                                                  disable
vci-string                VCI strings.                                                                                  (Empty)
exclude-range             DHCP exclude range configuration.                                                             (Empty)
reserved-address          DHCP reserved IP address.                                                                     (Empty)
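The DHCP server table above lists ip-range, exclude-range, reserved-address (with action assign, block or reserved) and mac-acl-default-action as separate items. The following Python model is an added example, not code from the FortiOS CLI Reference or from Fortinet, showing how those pieces decide what a client MAC receives. It assumes this reading of the fields: a reserved-address entry with action reserved always gets its fixed IP, block is never served, assign may take any free address from ip-range, and a MAC with no entry is handled by mac-acl-default-action (page default assign); addresses inside exclude-range, addresses reserved for other MACs and addresses already leased are skipped. The server definition, MAC addresses and leases are constructed sample data.

```python
"""Model of DHCP address assignment under 'config system.dhcp server'.

Added example, not from the FortiOS CLI Reference or from Fortinet; the
reading of reserved-address actions and mac-acl-default-action is an
assumption stated in the lead-in. Servers, MACs and leases are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ReservedAddress:
    mac: str
    action: str                 # assign | block | reserved
    ip: str = ""                # fixed address, used only with action reserved


@dataclass
class DhcpServer:
    ip_range: list              # [(start-ip, end-ip), ...]
    exclude_range: list = field(default_factory=list)
    reserved_address: list = field(default_factory=list)
    mac_acl_default_action: str = "assign"      # page default


def _in_ranges(ip, ranges):
    return any(ipaddress.ip_address(s) <= ip <= ipaddress.ip_address(e) for s, e in ranges)


def _pool(server):
    """Every address of every ip-range, lowest first."""
    for start, end in server.ip_range:
        ip, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        while ip <= last:
            yield ip
            ip += 1


def offer(server, mac, leased):
    """('reserved', ip), ('assign', ip), ('block', None) or ('exhausted', None) for a client MAC."""
    mac = mac.lower()
    entry = next((r for r in server.reserved_address if r.mac.lower() == mac), None)
    decision = entry.action if entry else server.mac_acl_default_action
    if decision == "block":
        return ("block", None)
    if decision == "reserved":
        return ("reserved", entry.ip)
    held = {r.ip for r in server.reserved_address if r.action == "reserved"}
    for ip in _pool(server):
        s = str(ip)
        if _in_ranges(ip, server.exclude_range) or s in held or s in leased:
            continue                              # excluded, reserved for someone else, or in use
        return ("assign", s)
    return ("exhausted", None)


# constructed: open scope with a printer reservation and one banned MAC
SERVER = DhcpServer(
    ip_range=[("192.168.10.100", "192.168.10.105")],
    exclude_range=[("192.168.10.100", "192.168.10.101")],
    reserved_address=[
        ReservedAddress("00:11:22:33:44:55", "reserved", "192.168.10.104"),
        ReservedAddress("aa:bb:cc:dd:ee:ff", "block"),
    ],
)
LEASED = {"192.168.10.102"}

# constructed: locked-down scope, only listed MACs are served
LOCKED_DOWN = DhcpServer(
    ip_range=[("10.0.0.10", "10.0.0.20")],
    reserved_address=[ReservedAddress("00:aa:00:aa:00:aa", "assign")],
    mac_acl_default_action="block",
)

if __name__ == "__main__":
    for mac in ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"]:
        print(mac, offer(SERVER, mac, LEASED))
```

The second server shows the combination that turns the MAC ACL into an allow list: mac-acl-default-action block with reserved-address entries of action assign for the known devices. The default of assign serves every requester, which is the setting to revisit on segments where unknown devices should not obtain an address.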
system.dhcp6/server

CLI Syntax

config system.dhcp6 server
    edit <name_str>
        set id <integer>
        set status {disable | enable}
        set rapid-commit {disable | enable}
        set lease-time <integer>
        set dns-service {delegated | default | specify}
        set dns-server1 <ipv6-address>
        set dns-server2 <ipv6-address>
        set dns-server3 <ipv6-address>
        set domain <string>
        set subnet <ipv6-prefix>
        set interface <string>
        set option1 <user>
        set option2 <user>
        set option3 <user>
        set upstream-interface <string>
        set ip-mode {range | delegated}
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
            end
    end

Description

Configuration             Description                                                    Default Value
id                        ID.                                                            0
status                    Enable/disable use this DHCP configuration.                    enable
rapid-commit              Enable/disable allow/disallow rapid commit.                    disable
lease-time                Lease time in seconds.                                         604800
dns-service               DNS service option.                                            specify
dns-server1               DNS server 1.                                                  ::
dns-server2               DNS server 2.                                                  ::
dns-server3               DNS server 3.                                                  ::
domain                    Domain name.                                                   (Empty)
subnet                    Subnet or subnet-id if the IP mode is delegated.               ::/0
interface                 Interface name.                                                (Empty)
option1                   Option 1.                                                      0
option2                   Option 2.                                                      0
option3                   Option 3.                                                      0
upstream-interface        Interface name from where delegated information is provided.   (Empty)
ip-mode                   Method used to assign client IP.                               range
ip-range                  DHCP IP range configuration.                                   (Empty)
system.replacemsg/admin

CLI Syntax

config system.replacemsg admin
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/alertmail

CLI Syntax

config system.replacemsg alertmail
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/auth

CLI Syntax

config system.replacemsg auth
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/device-detection-portal

CLI Syntax

config system.replacemsg device-detection-portal
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none
system.replacemsg/ec

CLI Syntax

config system.replacemsg ec
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/fortiguard-wf

CLI Syntax

config system.replacemsg fortiguard-wf
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/ftp

CLI Syntax

config system.replacemsg ftp
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/http

CLI Syntax

config system.replacemsg http
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none
system.replacemsg/mail

CLI Syntax

config system.replacemsg mail
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/nac-quar

CLI Syntax

config system.replacemsg nac-quar
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/nntp

CLI Syntax

config system.replacemsg nntp
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none

system.replacemsg/spam

CLI Syntax

config system.replacemsg spam
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end

Description

Configuration             Description                 Default Value
msg-type                  Message type.               (Empty)
buffer                    Message string.             (Empty)
header                    Header flag.                none
format                    Format flag.                none
system.replacemsg/sslvpnCLI Syntax
config system.replacemsg sslvpn edit <name_str> set msg-type <string> set buffer <var-string> set header {none | http | 8bit} set format {none | text | html | wml} end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
system.replacemsg/traffic-quota

CLI Syntax

config system.replacemsg traffic-quota
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
system.replacemsg/utm

CLI Syntax

config system.replacemsg utm
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
system.replacemsg/webproxy

CLI Syntax

config system.replacemsg webproxy
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end
Description
Configuration Description Default Value
msg-type Message type. (Empty)
buffer Message string. (Empty)
header Header flag. none
format Format flag. none
system.snmp/community

CLI Syntax

config system.snmp community
    edit <name_str>
        set id <integer>
        set name <string>
        set status {enable | disable}
        config hosts
            edit <name_str>
                set id <integer>
                set source-ip <ipv4-address>
                set ip <user>
                set interface <string>
                set ha-direct {enable | disable}
                set host-type {any | query | trap}
        end
        config hosts6
            edit <name_str>
                set id <integer>
                set source-ipv6 <ipv6-address>
                set ipv6 <ipv6-prefix>
                set ha-direct {enable | disable}
                set interface <string>
                set host-type {any | query | trap}
        end
        set query-v1-status {enable | disable}
        set query-v1-port <integer>
        set query-v2c-status {enable | disable}
        set query-v2c-port <integer>
        set trap-v1-status {enable | disable}
        set trap-v1-lport <integer>
        set trap-v1-rport <integer>
        set trap-v2c-status {enable | disable}
        set trap-v2c-lport <integer>
        set trap-v2c-rport <integer>
        set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
end
Description
Configuration Description Default Value
id Community ID. 0
name Community name. (Empty)
status Enable/disable this community. enable
hosts Allow hosts configuration. (Empty)
hosts6 Allow hosts configuration for IPv6. (Empty)
query-v1-status Enable/disable SNMP v1 query. enable
query-v1-port SNMP v1 query port. 161
query-v2c-status Enable/disable SNMP v2c query. enable
query-v2c-port SNMP v2c query port. 161
trap-v1-status Enable/disable SNMP v1 trap. enable
trap-v1-lport SNMP v1 trap local port. 162
trap-v1-rport SNMP v1 trap remote port. 162
trap-v2c-status Enable/disable SNMP v2c trap. enable
trap-v2c-lport SNMP v2c trap local port. 162
trap-v2c-rport SNMP v2c trap remote port. 162
events SNMP trap events. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down
system.snmp/sysinfo

CLI Syntax

config system.snmp sysinfo
    edit <name_str>
        set status {enable | disable}
        set engine-id <string>
        set description <string>
        set contact-info <string>
        set location <string>
        set trap-high-cpu-threshold <integer>
        set trap-low-memory-threshold <integer>
        set trap-log-full-threshold <integer>
end
Description
Configuration Description Default Value
status Enable/disable SNMP. disable
engine-id Local SNMP engineID string (maximum 24 characters). (Empty)
description System description. (Empty)
contact-info Contact information. (Empty)
location System location. (Empty)
trap-high-cpu-threshold CPU usage when trap is sent. 80
trap-low-memory-threshold Memory usage when trap is sent. 80
trap-log-full-threshold Log disk usage when trap is sent. 90
system.snmp/user

CLI Syntax

config system.snmp user
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set trap-status {enable | disable}
        set trap-lport <integer>
        set trap-rport <integer>
        set queries {enable | disable}
        set query-port <integer>
        set notify-hosts <ipv4-address>
        set notify-hosts6 <ipv6-address>
        set source-ip <ipv4-address>
        set source-ipv6 <ipv6-address>
        set ha-direct {enable | disable}
        set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
        set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
        set auth-proto {md5 | sha}
        set auth-pwd <password>
        set priv-proto {aes | des | aes256 | aes256cisco}
        set priv-pwd <password>
end
Description
Configuration Description Default Value
name SNMP user name. (Empty)
status Enable/disable this user. enable
trap-status Enable/disable traps for this user. enable
trap-lport SNMPv3 trap local port. 162
trap-rport SNMPv3 trap remote port. 162
queries Enable/disable queries for this user. enable
query-port SNMPv3 query port. 161
notify-hosts Hosts to send notifications (traps) to. (Empty)
notify-hosts6 IPv6 hosts to send notifications (traps) to. (Empty)
source-ip Source IP for SNMP trap. 0.0.0.0
source-ipv6 Source IPv6 for SNMP trap. ::
ha-direct Enable/disable direct management of HA cluster members. disable
events SNMP notifications (traps) to send. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down
security-level Security level for message authentication and encryption. no-auth-no-priv
auth-proto Authentication protocol. sha
auth-pwd Password for authentication protocol. (Empty)
priv-proto Privacy (encryption) protocol. aes
priv-pwd Password for privacy (encryption) protocol. (Empty)
system/accprofile

CLI Syntax

config system accprofile
    edit <name_str>
        set name <string>
        set scope {vdom | global}
        set comments <var-string>
        set mntgrp {none | read | read-write}
        set admingrp {none | read | read-write}
        set updategrp {none | read | read-write}
        set authgrp {none | read | read-write}
        set sysgrp {none | read | read-write}
        set netgrp {none | read | read-write}
        set loggrp {none | read | read-write | custom | w | r | rw}
        set routegrp {none | read | read-write}
        set fwgrp {none | read | read-write | custom | w | r | rw}
        set vpngrp {none | read | read-write}
        set utmgrp {none | read | read-write | custom | w | r | rw}
        set wanoptgrp {none | read | read-write}
        set endpoint-control-grp {none | read | read-write}
        set wifi {none | read | read-write}
        config fwgrp-permission
            edit <name_str>
                set policy {none | read | read-write}
                set address {none | read | read-write}
                set service {none | read | read-write}
                set schedule {none | read | read-write}
                set packet-capture {none | read | read-write}
                set others {none | read | read-write}
        end
        config loggrp-permission
            edit <name_str>
                set config {none | read | read-write}
                set data-access {none | read | read-write}
                set report-access {none | read | read-write}
                set threat-weight {none | read | read-write}
        end
        config utmgrp-permission
            edit <name_str>
                set antivirus {none | read | read-write}
                set ips {none | read | read-write}
                set webfilter {none | read | read-write}
                set spamfilter {none | read | read-write}
                set data-loss-prevention {none | read | read-write}
                set application-control {none | read | read-write}
                set icap {none | read | read-write}
                set casi {none | read | read-write}
                set voip {none | read | read-write}
                set waf {none | read | read-write}
                set dnsfilter {none | read | read-write}
        end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
scope Global or single VDOM access restriction. vdom
comments Comment. (Empty)
mntgrp Maintenance. none
admingrp Administrator Users. none
updategrp FortiGuard Update. none
authgrp User & Device. none
sysgrp System Configuration. none
netgrp Network Configuration. none
loggrp Log & Report. none
routegrp Router Configuration. none
fwgrp Firewall Configuration. none
vpngrp VPN Configuration. none
utmgrp Security Profile Configuration. none
wanoptgrp WAN Opt & Cache. none
endpoint-control-grp Endpoint Security. none
wifi Wireless controller. none
fwgrp-permission Custom firewall permission. Details below
    Configuration Default Value
    policy none
    address none
    service none
    schedule none
    packet-capture none
    others none
loggrp-permission Custom Log & Report permission. Details below
    Configuration Default Value
    config none
    data-access none
    report-access none
    threat-weight none
utmgrp-permission Custom UTM permission. Details below
    Configuration Default Value
    antivirus none
    ips none
    webfilter none
    spamfilter none
    data-loss-prevention none
    application-control none
    icap none
    casi none
    voip none
    waf none
    dnsfilter none
system/admin

CLI Syntax

config system admin
    edit <name_str>
        set name <string>
        set wildcard {enable | disable}
        set remote-auth {enable | disable}
        set remote-group <string>
        set password <password-2>
        set peer-auth {enable | disable}
        set peer-group <string>
        set trusthost1 <ipv4-classnet>
        set trusthost2 <ipv4-classnet>
        set trusthost3 <ipv4-classnet>
        set trusthost4 <ipv4-classnet>
        set trusthost5 <ipv4-classnet>
        set trusthost6 <ipv4-classnet>
        set trusthost7 <ipv4-classnet>
        set trusthost8 <ipv4-classnet>
        set trusthost9 <ipv4-classnet>
        set trusthost10 <ipv4-classnet>
        set ip6-trusthost1 <ipv6-prefix>
        set ip6-trusthost2 <ipv6-prefix>
        set ip6-trusthost3 <ipv6-prefix>
        set ip6-trusthost4 <ipv6-prefix>
        set ip6-trusthost5 <ipv6-prefix>
        set ip6-trusthost6 <ipv6-prefix>
        set ip6-trusthost7 <ipv6-prefix>
        set ip6-trusthost8 <ipv6-prefix>
        set ip6-trusthost9 <ipv6-prefix>
        set ip6-trusthost10 <ipv6-prefix>
        set accprofile <string>
        set allow-remove-admin-session {enable | disable}
        set comments <var-string>
        set hidden <integer>
        config vdom
            edit <name_str>
                set name <string>
        end
        set is-admin <integer>
        set ssh-public-key1 <user>
        set ssh-public-key2 <user>
        set ssh-public-key3 <user>
        set ssh-certificate <string>
        set schedule <string>
        set accprofile-override {enable | disable}
        set radius-vdom-override {enable | disable}
        set password-expire <user>
        set force-password-change {enable | disable}
        config dashboard
            edit <name_str>
                set id <integer>
                set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid | tr-history | analytics | usb-modem}
                set name <string>
                set column <integer>
                set refresh-interval <integer>
                set time-period <integer>
                set chart-color <integer>
                set top-n <integer>
                set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
                set report-by {source | destination | application | dlp-rule | dlp-sensor | policy | protocol | web-category | web-domain | all | profile}
                set ip-version {ipboth | ipv4 | ipv6}
                set resolve-host {enable | disable}
                set resolve-service {enable | disable}
                set aggregate-hosts {enable | disable}
                set resolve-apps {enable | disable}
                set display-format {chart | table | line}
                set view-type {real-time | historical}
                set cpu-display-type {average | each}
                set interface <string>
                set dst-interface <string>
                set tr-history-period1 <integer>
                set tr-history-period2 <integer>
                set tr-history-period3 <integer>
                set vdom <string>
                set refresh {enable | disable}
                set status {close | open}
                set protocols <integer>
                set show-system-restart {enable | disable}
                set show-conserve-mode {enable | disable}
                set show-firmware-change {enable | disable}
                set show-fds-update {enable | disable}
                set show-device-update {enable | disable}
                set show-fds-quota {enable | disable}
                set show-disk-failure {enable | disable}
                set show-power-supply {enable | disable}
                set show-admin-auth {enable | disable}
                set show-fgd-alert {enable | disable}
                set show-fcc-license {enable | disable}
                set show-policy-overflow {enable | disable}
        end
        set two-factor {disable | fortitoken | email | sms}
        set fortitoken <string>
        set email-to <string>
        set sms-server {fortiguard | custom}
        set sms-custom-server <string>
        set sms-phone <string>
        set guest-auth {disable | enable}
        config guest-usergroups
            edit <name_str>
                set name <string>
        end
        set guest-lang <string>
        set history0 <password-2>
        set history1 <password-2>
        config login-time
            edit <name_str>
                set usr-name <string>
                set last-login <datetime>
                set last-failed-login <datetime>
        end
end
Description
Configuration Description Default Value
name User name. (Empty)
wildcard Enable/disable wildcard RADIUS authentication. disable
remote-auth Enable/disable remote authentication. disable
remote-group User group name used for remote auth. (Empty)
password Admin user password. ENC XXUp2ozpdysrQ
peer-auth Enable/disable peer authentication. disable
peer-group Peer group name. (Empty)
trusthost1 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost2 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost3 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost4 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost5 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost6 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost7 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost8 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost9 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
trusthost10 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0
ip6-trusthost1 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost2 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost3 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost4 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost5 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost6 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost7 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost8 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost9 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
ip6-trusthost10 Admin user IPv6 trust host IP, default ::/0 for all. ::/0
accprofile Admin user access profile. (Empty)
allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users. enable
comments Comment. (Empty)
hidden Admin user hidden attribute. 0
vdom Virtual domains. (Empty)
is-admin Is user admin. 0
ssh-public-key1 SSH public key1. (Empty)
ssh-public-key2 SSH public key2. (Empty)
ssh-public-key3 SSH public key3. (Empty)
ssh-certificate SSH certificate. (Empty)
schedule Schedule name. (Empty)
accprofile-override Enable/disable allow access profile to be overridden from remote auth server. disable
radius-vdom-override Enable/disable allow VDOM to be overridden from RADIUS. disable
password-expire Password expire time. 0000-00-00 00:00:00
force-password-change Enable/disable force password change on next login. disable
dashboard GUI custom dashboard. (Empty)
two-factor Enable/disable two-factor authentication. disable
fortitoken Two-factor recipient's FortiToken serial number. (Empty)
email-to Two-factor recipient's email address. (Empty)
sms-server Send SMS through FortiGuard or other external server. fortiguard
sms-custom-server Two-factor recipient's SMS server. (Empty)
sms-phone Two-factor recipient's mobile phone number. (Empty)
guest-auth Enable/disable guest authentication. disable
guest-usergroups Select guest user groups. (Empty)
guest-lang Guest management portal language. (Empty)
history0 history0 ENC
history1 history1 ENC
login-time Record user login time. (Empty)
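The system.snmp community, system.snmp user and system admin tables above share a property worth checking for on a live unit: the CLI `show` command prints only attributes that differ from their default, and several of the defaults listed here are permissive (query-v1-status and query-v2c-status enable, security-level no-auth-no-priv, every trusthost and ip6-trusthost at 0.0.0.0 0.0.0.0 or ::/0, two-factor disable). The script below is an added example, not Fortinet code. It parses `show`-style output for the config system snmp community, config system snmp user and config system admin branches (the dotted names in this guide, such as system.snmp, are typed as space-separated paths on the unit) and reports entries that sit at one of those defaults or use md5 or des. Absent keys are scored as the defaults from these tables. The configuration text embedded in it is constructed for the example, password lines are left out, and the reading of an unset SNMP host ip (0.0.0.0 0.0.0.0) as "any source" is an assumption.

```python
"""Added example (not Fortinet code): audit FortiOS `show` output against the SNMP and
admin branches above.  `show` omits attributes at their default, so a missing key is
scored as the default this page lists (e.g. query-v1-status enable, two-factor disable)."""
import shlex

ANY4, ANY6 = ["0.0.0.0", "0.0.0.0"], ["::/0"]  # the page's "any host" trusthost defaults

def parse_fortios(text):
    """config/edit/set/next/end text -> nested dicts; `set k v1 v2` -> {k: [v1, v2]}."""
    stack = [{}]  # stack[0] is the root once every block has been closed
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours quoted names such as "nms-v3"
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def first(node, key, default):  # single-token value, or the documented default
    return node.get(key, [default])[0]

def audit_snmp(cfg):
    out = []
    for cid, c in cfg.get("system snmp community", {}).items():
        who = f"community {cid} ({first(c, 'name', '')})"
        # All four v1/v2c switches default to enable; the community string is the only secret.
        for key in ("query-v1-status", "query-v2c-status", "trap-v1-status", "trap-v2c-status"):
            if first(c, key, "enable") == "enable":
                out.append(f"{who}: {key} enable")
        for hid, h in c.get("hosts", {}).items():
            if h.get("ip", ANY4) == ANY4:  # assumption: an unset host ip means any source
                out.append(f"{who}: host {hid} accepts any source address")
    for uid, u in cfg.get("system snmp user", {}).items():
        if first(u, "security-level", "no-auth-no-priv") != "auth-priv":
            out.append(f"user {uid}: security-level below auth-priv")
        if first(u, "auth-proto", "sha") == "md5":
            out.append(f"user {uid}: auth-proto md5")
        if first(u, "priv-proto", "aes") == "des":
            out.append(f"user {uid}: priv-proto des")
    return out

def audit_admins(cfg):
    out = []
    for name, a in cfg.get("system admin", {}).items():
        # Ten IPv4 and ten IPv6 slots all default to "any"; flag only when every slot still does.
        v4 = all(a.get(f"trusthost{i}", ANY4) == ANY4 for i in range(1, 11))
        v6 = all(a.get(f"ip6-trusthost{i}", ANY6) == ANY6 for i in range(1, 11))
        if v4 and v6:
            out.append(f"admin {name}: reachable from any source (no trusthost set)")
        if first(a, "two-factor", "disable") == "disable":
            out.append(f"admin {name}: two-factor disable")
    return out

# Constructed `show` output, not from a real device: a default-ish community, a tightened
# v2c community, an SNMPv3 user that meets the bar and one that does not, an unrestricted
# admin and a restricted one.  Password lines are left out.
SAMPLE = """\
config system snmp community
    edit 1
        set name "public"
        config hosts
            edit 1
            next
        end
    next
    edit 2
        set name "mon-v2c"
        set query-v1-status disable
        set trap-v1-status disable
        set trap-v2c-status disable
    next
end
config system snmp user
    edit "nms-v3"
        set security-level auth-priv
    next
    edit "legacy-v3"
        set security-level auth-no-priv
        set auth-proto md5
    next
end
config system admin
    edit "admin"
    next
    edit "ops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

if __name__ == "__main__":
    CFG = parse_fortios(SAMPLE)
    print(*audit_snmp(CFG), *audit_admins(CFG), sep="\n")
```

Run it as-is to audit the embedded sample, or replace SAMPLE with the output of `show system snmp community`, `show system snmp user` and `show system admin`. `show full-configuration` output works too, because a default that is printed explicitly scores the same as one that is absent. The parser ignores `unset` lines and expects every `edit` and `config` to be closed by `next` and `end`, which is what `show` emits.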
system/alarm

CLI Syntax

config system alarm
    edit <name_str>
        set status {enable | disable}
        set audible {enable | disable}
        set sequence <integer>
        config groups
            edit <name_str>
                set id <integer>
                set period <integer>
                set admin-auth-failure-threshold <integer>
                set admin-auth-lockout-threshold <integer>
                set user-auth-failure-threshold <integer>
                set user-auth-lockout-threshold <integer>
                set replay-attempt-threshold <integer>
                set self-test-failure-threshold <integer>
                set log-full-warning-threshold <integer>
                set encryption-failure-threshold <integer>
                set decryption-failure-threshold <integer>
                config fw-policy-violations
                    edit <name_str>
                        set id <integer>
                        set threshold <integer>
                        set src-ip <ipv4-address>
                        set dst-ip <ipv4-address>
                        set src-port <integer>
                        set dst-port <integer>
                end
                set fw-policy-id <integer>
                set fw-policy-id-threshold <integer>
        end
end
Description
Configuration Description Default Value
status Enable/disable alarm. disable
audible Enable/disable audible alarm. disable
sequence Sequence ID of alarms. 0
groups Alarm groups. (Empty)
system/arp-table

CLI Syntax

config system arp-table
    edit <name_str>
        set id <integer>
        set interface <string>
        set ip <ipv4-address>
        set mac <mac-address>
end
Description
Configuration Description Default Value
id Unique integer ID of the entry. 0
interface Interface name. (Empty)
ip IP address. 0.0.0.0
mac MAC address. 00:00:00:00:00:00
system/auto-install

CLI Syntax

config system auto-install
    edit <name_str>
        set auto-install-config {enable | disable}
        set auto-install-image {enable | disable}
        set default-config-file <string>
        set default-image-file <string>
end
Description
Configuration Description Default Value
auto-install-config Enable/disable automatic installation of the configuration file from a USB disk. disable
auto-install-image Enable/disable automatic installation of the firmware image from a USB disk. disable
default-config-file Default configuration file name on the USB disk. fgt_system.conf
default-image-file Default image file name on the USB disk. image.out
system/auto-script

CLI Syntax

config system auto-script
    edit <name_str>
        set name <string>
        set interval <integer>
        set repeat <integer>
        set start {manual | auto}
        set script <var-string>
end
Description
Configuration Description Default Value
name Auto script name. (Empty)
interval Repeat interval in seconds. 0
repeat Number of times to repeat this script (0 = infinite). 1
start Script starting mode. manual
script List of FortiOS CLI commands to repeat. (Empty)
system/central-management

CLI Syntax

config system central-management
    edit <name_str>
        set mode {normal | backup}
        set type {fortimanager | fortiguard | none}
        set schedule-config-restore {enable | disable}
        set schedule-script-restore {enable | disable}
        set allow-push-configuration {enable | disable}
        set allow-pushd-firmware {enable | disable}
        set allow-remote-firmware-upgrade {enable | disable}
        set allow-monitor {enable | disable}
        set serial-number <user>
        set fmg <string>
        set fmg-source-ip <ipv4-address>
        set fmg-source-ip6 <ipv6-address>
        set vdom <string>
        config server-list
            edit <name_str>
                set id <integer>
                set server-type {update | rating}
                set addr-type {ipv4 | ipv6}
                set server-address <ipv4-address>
                set server-address6 <ipv6-address>
        end
        set include-default-servers {enable | disable}
        set enc-algorithm {default | high | low}
end
Description
Configuration Description Default Value
mode Normal/backup management mode. normal
type Type of management server. none
schedule-config-restore Enable/disable scheduled configuration restore. enable
schedule-script-restore Enable/disable scheduled script restore. enable
allow-push-configuration Enable/disable push configuration. enable
allow-pushd-firmware Enable/disable push firmware. enable
allow-remote-firmware-upgrade Enable/disable remote firmware upgrade. enable
allow-monitor Enable/disable remote monitoring of device. enable
serial-number Serial number. (Empty)
fmg Address of FortiManager (IP or FQDN name). (Empty)
fmg-source-ip Source IPv4 address to use when connecting to FortiManager. 0.0.0.0
fmg-source-ip6 Source IPv6 address to use when connecting to FortiManager. ::
vdom Virtual domain name. root
server-list FortiGuard override server list. (Empty)
include-default-servers Enable/disable inclusion of public FortiGuard servers in the override server list. enable
enc-algorithm SSL encryption level (default, high or low) for the management connection. high
system/cluster-sync

CLI Syntax

config system cluster-sync
    edit <name_str>
        set sync-id <integer>
        set peervd <string>
        set peerip <ipv4-address>
        config syncvd
            edit <name_str>
                set name <string>
        end
        config session-sync-filter
            edit <name_str>
                set srcintf <string>
                set dstintf <string>
                set srcaddr <ipv4-classnet-any>
                set dstaddr <ipv4-classnet-any>
                set srcaddr6 <ipv6-network>
                set dstaddr6 <ipv6-network>
                config custom-service
                    edit <name_str>
                        set id <integer>
                        set src-port-range <user>
                        set dst-port-range <user>
                end
        end
end
Description
Configuration Description Default Value
sync-id Sync ID. 0
peervd Peer connecting VDOM. root
peerip Peer connecting IP. 0.0.0.0
syncvd VDOM of which sessions need to be synced. (Empty)
session-sync-filter Session sync filter. Details below
    Configuration Default Value
    srcintf (Empty)
    dstintf (Empty)
    srcaddr 0.0.0.0 0.0.0.0
    dstaddr 0.0.0.0 0.0.0.0
    srcaddr6 ::/0
    dstaddr6 ::/0
    custom-service (Empty)
system/console

CLI Syntax

config system console
    edit <name_str>
        set mode {batch | line}
        set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
        set output {standard | more}
        set login {enable | disable}
        set fortiexplorer {enable | disable}
end
Description
Configuration Description Default Value
mode Console mode. line
baudrate Console baud rate. 9600
output Console output mode. more
login Enable/disable serial console and FortiExplorer. enable
fortiexplorer Enable/disable access for FortiExplorer. enable
system/custom-language

CLI Syntax

config system custom-language
    edit <name_str>
        set name <string>
        set filename <string>
        set comments <var-string>
end
Description
Configuration Description Default Value
name Name. (Empty)
filename Custom language file path. (Empty)
comments Comment. (Empty)
system/ddns

CLI Syntax

config system ddns
    edit <name_str>
        set ddnsid <integer>
        set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-ttl <integer>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-domain <string>
        set ddns-username <string>
        set ddns-sn <string>
        set ddns-password <password>
        set use-public-ip {disable | enable}
        set bound-ip <ipv4-address>
        config monitor-interface
            edit <name_str>
                set interface-name <string>
        end
end
Description
Configuration Description Default Value
ddnsid DDNS ID. 0
ddns-server DDNS server. (Empty)
ddns-server-ip Generic DDNS server IP. 0.0.0.0
ddns-zone Zone of your domain name (ex. DDNS.com). (Empty)
ddns-ttl TTL. 300
ddns-auth DDNS authentication mode. disable
ddns-keyname DDNS update key name. (Empty)
ddns-key DDNS update key (base 64 encoding). 'ENCL97VaR0bKQoAAeh+O+39Q85hAnL3Fl7t4UL1eLfgKdgTSHZUCAnVYM1U9oVgGyVRfy6HlPmrFFsS9nlLExpJmd1pwYrf7jCCjr0lx5+1WNFyP50Fgz7fsLe43Lc='
ddns-domain Your domain name (ex. yourname.DDNS.com). (Empty)
ddns-username DDNS user name. (Empty)
ddns-sn DDNS Serial Number. (Empty)
ddns-password DDNS password. (Empty)
use-public-ip Enable/disable use of public IP address. disable
bound-ip Bound IP address. 0.0.0.0
monitor-interface Monitored interface. (Empty)
system/dedicated-mgmt

CLI Syntax

config system dedicated-mgmt
    edit <name_str>
        set status {enable | disable}
        set interface <string>
        set default-gateway <ipv4-address>
        set dhcp-server {enable | disable}
        set dhcp-netmask <ipv4-netmask>
        set dhcp-start-ip <ipv4-address>
        set dhcp-end-ip <ipv4-address>
end
Description
Configuration Description Default Value
status Enable/disable dedicated management. disable
interface Dedicated management interface. (Empty)
default-gateway Default gateway for dedicated management interface. 0.0.0.0
dhcp-server Enable/disable DHCP server on management interface. disable
dhcp-netmask DHCP netmask. 0.0.0.0
dhcp-start-ip DHCP start IP for dedicated management. 0.0.0.0
dhcp-end-ip DHCP end IP for dedicated management. 0.0.0.0
system/dns

CLI Syntax

config system dns
    edit <name_str>
        set primary <ipv4-address>
        set secondary <ipv4-address>
        set domain <string>
        set ip6-primary <ipv6-address>
        set ip6-secondary <ipv6-address>
        set dns-cache-limit <integer>
        set dns-cache-ttl <integer>
        set cache-notfound-responses {disable | enable}
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
primary Primary DNS IP. 0.0.0.0
secondary Secondary DNS IP. 0.0.0.0
domain Local domain name. (Empty)
ip6-primary IPv6 primary DNS IP. ::
ip6-secondary IPv6 secondary DNS IP. ::
dns-cache-limit Maximum number of entries in DNS cache. 5000
dns-cache-ttl TTL in DNS cache. 1800
cache-notfound-responses Enable/disable caching of NOTFOUND responses from the DNS server. disable
source-ip Source IP for communications to DNS server. 0.0.0.0
system/dns-database

CLI Syntax

config system dns-database
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set domain <string>
        set allow-transfer <user>
        set type {master | slave}
        set view {shadow | public}
        set ip-master <ipv4-address-any>
        set primary-name <string>
        set contact <string>
        set ttl <integer>
        set authoritative {enable | disable}
        set forwarder <user>
        set source-ip <ipv4-address>
        config dns-entry
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
                set ttl <integer>
                set preference <integer>
                set ip <ipv4-address-any>
                set ipv6 <ipv6-address>
                set hostname <string>
                set canonical-name <string>
        end
end
Description
Configuration Description Default Value
name Zone name. (Empty)
status Enable/disable DNS zone status. enable
domain Domain name. (Empty)
allow-transfer DNS zone transfer IP address list. (Empty)
type Zone type ('master' to manage entries directly, 'slave' to import entries from outside). master
view Zone view ('public' to serve public clients, 'shadow' to serve internal clients). shadow
ip-master IP address of the master DNS server from which entries of this zone are imported. 0.0.0.0
primary-name Domain name of the default DNS server for this zone. dns
contact Email address of the administrator for this zone. You can specify only the username (e.g. admin) or a full email address (e.g. [email protected]); when only a username is given, the domain of the email is this zone. hostmaster
ttl Default time-to-live value in seconds for the entries of this zone (0 - 2147483647). 86400
authoritative Enable/disable authoritative zone. enable
forwarder DNS zone forwarder IP address list. (Empty)
source-ip Source IP for forwarding to DNS server. 0.0.0.0
dns-entry DNS entry. (Empty)
system/dns-server

CLI Syntax

config system dns-server
    edit <name_str>
        set name <string>
        set mode {recursive | non-recursive | forward-only}
        set dnsfilter-profile <string>
end
Description
Configuration Description Default Value
name DNS server name. (Empty)
mode DNS server mode. recursive
dnsfilter-profile DNS filter profile. (Empty)
system/dscp-based-priority

CLI Syntax

config system dscp-based-priority
    edit <name_str>
        set id <integer>
        set ds <integer>
        set priority {low | medium | high}
end
Description
Configuration Description Default Value
id Item ID. 0
ds DSCP(DiffServ) DS value (0 - 63). 0
priority DSCP based priority level. high
system/email-server

CLI Syntax

config system email-server
    edit <name_str>
        set type {custom}
        set reply-to <string>
        set server <string>
        set port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set authenticate {enable | disable}
        set validate-server {enable | disable}
        set username <string>
        set password <password>
        set security {none | starttls | smtps}
end
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
506
Description
Configuration Description Default Value
type Use FortiGuard Message service or customserver.
custom
reply-to Reply-To email address. (Empty)
server SMTP server IP address or hostname. (Empty)
port SMTP server port. 25
source-ip SMTP server source IP. 0.0.0.0
source-ip6 SMTP server source IPv6. ::
authenticate Enable/disable authentication. disable
validate-server Enable/disable validation of server certificate. disable
username SMTP server user name for authentication. (Empty)
password SMTP server user password for authentication. (Empty)
security Connection security. none
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
507
system/fips-cc

CLI Syntax

config system fips-cc
    set status {enable | disable}
    set entropy-token {enable | disable | dynamic}
    set error-flag {error-mode | exit-ready}
    set error-cause {none | memory | disk | syslog}
    set self-test-period <integer>
    set key-generation-self-test {enable | disable}
end

Description

Configuration  Description  Default Value
status  Enable/disable FIPS-CC mode.  disable
entropy-token  Enable/disable/dynamic entropy token.  dynamic
error-flag  Hidden CC error flag.  (Empty)
error-cause  Hidden CC error cause.  none
self-test-period  Self test period.  1440
key-generation-self-test  Enable/disable self tests after key generation.  disable
system/fm

CLI Syntax

config system fm
    set status {enable | disable}
    set id <string>
    set ip <ipv4-address>
    set vdom <string>
    set auto-backup {enable | disable}
    set scheduled-config-restore {enable | disable}
    set ipsec {enable | disable}
end

Description

Configuration  Description  Default Value
status  Enable/disable FM.  disable
id  ID.  (Empty)
ip  IP address.  0.0.0.0
vdom  VDOM.  root
auto-backup  Enable/disable automatic backup.  disable
scheduled-config-restore  Enable/disable scheduled configuration restore.  disable
ipsec  Enable/disable IPsec.  disable
system/fortiguard

CLI Syntax

config system fortiguard
    set port {53 | 8888 | 80}
    set service-account-id <string>
    set load-balance-servers <integer>
    set antispam-force-off {enable | disable}
    set antispam-cache {enable | disable}
    set antispam-cache-ttl <integer>
    set antispam-cache-mpercent <integer>
    set antispam-license <integer>
    set antispam-expiration <integer>
    set antispam-timeout <integer>
    set avquery-force-off {}
    set avquery-cache {}
    set avquery-cache-ttl <integer>
    set avquery-cache-mpercent <integer>
    set avquery-license <integer>
    set avquery-timeout <integer>
    set webfilter-force-off {enable | disable}
    set webfilter-cache {enable | disable}
    set webfilter-cache-ttl <integer>
    set webfilter-license <integer>
    set webfilter-expiration <integer>
    set webfilter-timeout <integer>
    set sdns-server-ip <user>
    set sdns-server-port <integer>
    set source-ip <ipv4-address>
    set source-ip6 <ipv6-address>
    set ddns-server-ip <ipv4-address>
    set ddns-server-port <integer>
end

Description

Configuration  Description  Default Value
port  Port used to communicate with the FortiGuard servers.  53
service-account-id  Service account ID.  (Empty)
load-balance-servers  Number of servers to alternate between as first FortiGuard option.  1
antispam-force-off  Enable/disable forcibly disabling the service.  disable
antispam-cache  Enable/disable FortiGuard antispam cache.  enable
antispam-cache-ttl  Time-to-live for cache entries in seconds (300 - 86400).  1800
antispam-cache-mpercent  Maximum percent of memory the cache is allowed to use (1 - 15%).  2
antispam-license  License type.  4294967295
antispam-expiration  License expiration.  0
antispam-timeout  Query time out (1 - 30 seconds).  7
avquery-force-off  Enable/disable forcibly disabling the service.
avquery-cache  Enable/disable FortiGuard antivirus query cache.
avquery-cache-ttl  Time-to-live for cache entries in seconds.
avquery-cache-mpercent  Maximum percent of memory the cache is allowed to use.
avquery-license  License type.
avquery-timeout  Query time out.
webfilter-force-off  Enable/disable forcibly disabling the service.  disable
webfilter-cache  Enable/disable FortiGuard webfilter cache.  enable
webfilter-cache-ttl  Time-to-live for cache entries in seconds (300 - 86400).  3600
webfilter-license  License type.  4294967295
webfilter-expiration  License expiration.  0
webfilter-timeout  Query time out (1 - 30 seconds).  15
sdns-server-ip  IP address of the FortiDNS server.  (Empty)
sdns-server-port  Port used to communicate with the FortiDNS servers.  53
source-ip  Source IPv4 address used to communicate with the FortiGuard service.  0.0.0.0
source-ip6  Source IPv6 address used to communicate with the FortiGuard service.  ::
ddns-server-ip  IP address of the FortiDDNS server.  0.0.0.0
ddns-server-port  Port used to communicate with the FortiDDNS servers.  443
system/fortimanager

CLI Syntax

config system fortimanager
    set ip <ipv4-address-any>
    set vdom <string>
    set ipsec {enable | disable}
    set central-management {enable | disable}
    set central-mgmt-auto-backup {enable | disable}
    set central-mgmt-schedule-config-restore {enable | disable}
    set central-mgmt-schedule-script-restore {enable | disable}
end

Description

Configuration  Description  Default Value
ip  IP address.  0.0.0.0
vdom  Virtual domain name.  root
ipsec  Enable/disable FortiManager IPsec tunnel.  disable
central-management  Enable/disable FortiManager central management.  disable
central-mgmt-auto-backup  Enable/disable central management auto backup.  disable
central-mgmt-schedule-config-restore  Enable/disable central management scheduled config restore.  disable
central-mgmt-schedule-script-restore  Enable/disable central management scheduled script restore.  disable
system/fortisandbox

CLI Syntax

config system fortisandbox
    set status {enable | disable}
    set server <ipv4-address-any>
    set source-ip <ipv4-address>
    set enc-algorithm {default | high | low | disable}
    set email <string>
end

Description

Configuration  Description  Default Value
status  Enable/disable FortiSandbox.  disable
server  Server IP.  0.0.0.0
source-ip  Source IP for communications to FortiSandbox.  0.0.0.0
enc-algorithm  SSL encryption strength for data sent to FortiSandbox (default, high or low), or disable to send it unencrypted.  default
email  Notifier email address.  (Empty)
system/fsso-polling

CLI Syntax

config system fsso-polling
    set status {enable | disable}
    set listening-port <integer>
    set authentication {enable | disable}
    set auth-password <password>
end

Description

Configuration  Description  Default Value
status  Enable/disable FSSO polling mode.  enable
listening-port  Listening port to accept clients.  8000
authentication  Enable/disable FSSO agent authentication.  disable
auth-password  Password to connect to the FSSO agent.  (Empty)
system/geoip-override

CLI Syntax

config system geoip-override
    edit <name_str>
        set name <string>
        set description <string>
        set country-id <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
    end

Description

Configuration  Description  Default Value
name  Location name.  (Empty)
description  Description.  (Empty)
country-id  Country ID.  (Empty)
ip-range  IP range.  (Empty)
system/global

CLI Syntax

config system global
    set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
    set gui-ipv6 {enable | disable}
    set gui-certificates {enable | disable}
    set gui-custom-language {enable | disable}
    set gui-wireless-opensecurity {enable | disable}
    set gui-display-hostname {enable | disable}
    set gui-lines-per-page <integer>
    set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
    set admin-https-banned-cipher {rc4 | low}
    set admintimeout <integer>
    set admin-console-timeout <integer>
    set admin-concurrent {enable | disable}
    set admin-lockout-threshold <integer>
    set admin-lockout-duration <integer>
    set refresh <integer>
    set interval <integer>
    set failtime <integer>
    set daily-restart {enable | disable}
    set restart-time <user>
    set radius-port <integer>
    set admin-login-max <integer>
    set remoteauthtimeout <integer>
    set ldapconntimeout <integer>
    set batch-cmdb {enable | disable}
    set max-dlpstat-memory <integer>
    set dst {enable | disable}
    set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
    set ntpserver <string>
    set ntpsync {enable | disable}
    set syncinterval <integer>
    set traffic-priority {tos | dscp}
    set traffic-priority-level {low | medium | high}
    set anti-replay {disable | loose | strict}
    set send-pmtu-icmp {enable | disable}
    set honor-df {enable | disable}
    set split-port <user>
    set revision-image-auto-backup {enable | disable}
    set revision-backup-on-logout {enable | disable}
    set management-vdom <string>
    set hostname <string>
    set strong-crypto {enable | disable}
    set ssh-cbc-cipher {enable | disable}
    set ssh-hmac-md5 {enable | disable}
    set snat-route-change {enable | disable}
    set cli-audit-log {enable | disable}
    set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
    set fds-statistics {enable | disable}
    set fds-statistics-period <integer>
    set multicast-forward {enable | disable}
    set mc-ttl-notchange {enable | disable}
    set asymroute {enable | disable}
    set tcp-option {enable | disable}
    set phase1-rekey {enable | disable}
    set lldp-transmission {enable | disable}
    set explicit-proxy-auth-timeout <integer>
    set sys-perf-log-interval <integer>
    set check-protocol-header {loose | strict}
    set vip-arp-range {unlimited | restricted}
    set optimize {antivirus | session-setup | throughput}
    set reset-sessionless-tcp {enable | disable}
    set allow-traffic-redirect {enable | disable}
    set strict-dirty-session-check {enable | disable}
    set tcp-halfclose-timer <integer>
    set tcp-halfopen-timer <integer>
    set tcp-timewait-timer <integer>
    set udp-idle-timer <integer>
    set block-session-timer <integer>
    set ip-src-port-range <user>
    set pre-login-banner {enable | disable}
    set post-login-banner {disable | enable}
    set tftp {enable | disable}
    set av-failopen {pass | idledrop | off | one-shot}
    set av-failopen-session {enable | disable}
    set check-reset-range {strict | disable}
    set vdom-admin {enable | disable}
    set admin-port <integer>
    set admin-sport <integer>
    set admin-https-redirect {enable | disable}
    set admin-ssh-password {enable | disable}
    set admin-ssh-port <integer>
    set admin-ssh-grace-time <integer>
    set admin-ssh-v1 {enable | disable}
    set admin-telnet-port <integer>
    set admin-maintainer {enable | disable}
    set admin-server-cert <string>
    set user-server-cert <string>
    set admin-https-pki-required {enable | disable}
    set wifi-certificate <string>
    set wifi-ca-certificate <string>
    set auth-http-port <integer>
    set auth-https-port <integer>
    set auth-keepalive {enable | disable}
    set policy-auth-concurrent <integer>
    set auth-cert <string>
    set clt-cert-req {enable | disable}
    set endpoint-control-portal-port <integer>
    set endpoint-control-fds-access {enable | disable}
    set tp-mc-skip-policy {enable | disable}
    set cfg-save {automatic | manual | revert}
    set cfg-revert-timeout <integer>
    set reboot-upon-config-restore {enable | disable}
    set admin-scp {enable | disable}
    set registration-notification {enable | disable}
    set service-expire-notification {enable | disable}
    set wireless-controller {enable | disable}
    set wireless-controller-port <integer>
    set fortiextender-data-port <integer>
    set fortiextender {enable | disable}
    set switch-controller {disable | enable}
    set switch-controller-reserved-network <ipv4-classnet>
    set proxy-worker-count <integer>
    set scanunit-count <integer>
    set ssl-worker-count <integer>
    set proxy-kxp-hardware-acceleration {disable | enable}
    set proxy-cipher-hardware-acceleration {disable | enable}
    set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
    set ipsec-hmac-offload {enable | disable}
    set ipv6-accept-dad <integer>
    set csr-ca-attribute {enable | disable}
    set wimax-4g-usb {enable | disable}
    set cert-chain-max <integer>
    set sslvpn-max-worker-count <integer>
    set sslvpn-kxp-hardware-acceleration {enable | disable}
    set sslvpn-cipher-hardware-acceleration {enable | disable}
    set sslvpn-plugin-version-check {enable | disable}
    set two-factor-email-expiry <integer>
    set two-factor-sms-expiry <integer>
    set two-factor-ftm-expiry <integer>
    set per-user-bwl {enable | disable}
    set virtual-server-count <integer>
    set virtual-server-hardware-acceleration {disable | enable}
    set wad-worker-count <integer>
    set login-timestamp {enable | disable}
    set miglogd-children <integer>
    set special-file-23-support {disable | enable}
    set log-uuid {disable | policy-only | extended}
    set arp-max-entry <integer>
    set ips-affinity <string>
    set av-affinity <string>
    set miglog-affinity <string>
    set ndp-max-entry <integer>
    set br-fdb-max-entry <integer>
    set ipsec-asic-offload {enable | disable}
    set device-idle-timeout <integer>
    set compliance-check {enable | disable}
    set compliance-check-time <time>
    set gui-device-latitude <string>
    set gui-device-longitude <string>
    set private-data-encryption {disable | enable}
    set auto-auth-extension-device {enable | disable}
    set gui-theme {green | red | blue | melongene}
end
Description

Configuration  Description  Default Value
language  GUI display language.  english
gui-ipv6  Enable/disable IPv6 settings in GUI.  disable
gui-certificates  Enable/disable certificates configuration in GUI.  enable
gui-custom-language  Enable/disable custom languages in GUI.  disable
gui-wireless-opensecurity  Enable/disable wireless open security option in GUI.  disable
gui-display-hostname  Enable/disable display of hostname on GUI login page.  disable
gui-lines-per-page  Number of lines to display per page for web administration.  50
admin-https-ssl-versions  Allowed SSL/TLS versions for web administration.  tlsv1-1 tlsv1-2
admin-https-banned-cipher  Banned ciphers for web administration.  rc4 low
admintimeout  Idle time-out for firewall administration (minutes).  5
admin-console-timeout  Idle time-out for console.  0
admin-concurrent  Enable/disable admin concurrent login.  enable
admin-lockout-threshold  Lockout threshold (failed logins) for firewall administration.  3
admin-lockout-duration  Lockout duration (sec) for firewall administration.  60
refresh  Statistics refresh interval in GUI.  0
interval  Dead gateway detection interval.  5
failtime  Fail-time for server lost.  5
daily-restart  Enable/disable firewall daily reboot.  disable
restart-time  Daily restart time (hh:mm).  00:00
radius-port  RADIUS service port number.  1812
admin-login-max  Maximum number of admin users logged in at one time (1 - 100).  100
remoteauthtimeout  Remote authentication (RADIUS/LDAP) time-out (sec).  5
ldapconntimeout  LDAP connection time-out (0 - 4294967295 milliseconds).  500
batch-cmdb  Enable/disable batch mode to execute in CMDB server.  enable
max-dlpstat-memory  Maximum DLP stat memory (0 - 4294967295).
dst  Enable/disable daylight saving time.  enable
timezone  Time zone.  00
ntpserver  IP address/hostname of NTP server.  (Empty)
ntpsync  Enable/disable synchronization with NTP server.  disable
syncinterval  NTP synchronization interval.  0
traffic-priority  Traffic priority type.  tos
traffic-priority-level  Default TOS/DSCP priority level.  medium
anti-replay  Anti-replay control.  strict
send-pmtu-icmp  Enable/disable sending of PMTU ICMP destination unreachable packet.  enable
honor-df  Enable/disable honoring the Don't-Fragment flag.  enable
split-port  Split port(s) to multiple 10Gbps ports.  none
revision-image-auto-backup  Enable/disable automatic revision backup when upgrading the firmware image.  disable
revision-backup-on-logout  Enable/disable automatic revision config backup on logout.  disable
management-vdom  Management virtual domain name.  root
hostname  Firewall hostname.  (Empty)
strong-crypto  Enable/disable strong crypto for HTTPS/SSH access.  enable
ssh-cbc-cipher  Enable/disable CBC ciphers for SSH access.  enable
ssh-hmac-md5  Enable/disable HMAC-MD5 for SSH access.  enable
snat-route-change  Enable/disable SNAT route change.  disable
cli-audit-log  Enable/disable CLI audit log.  disable
dh-params  Minimum size of the Diffie-Hellman prime for HTTPS/SSH.  2048
fds-statistics  Enable/disable FortiGuard statistics.  enable
fds-statistics-period  FortiGuard statistics update period (1 - 1440 min, default = 60 min).  60
multicast-forward  Enable/disable multicast forwarding.  enable
mc-ttl-notchange  Enable/disable no modification of multicast TTL.  disable
asymroute  Enable/disable asymmetric routing.  disable
tcp-option  Enable/disable TCP option.  enable
phase1-rekey  Enable/disable phase1 rekey.  enable
lldp-transmission  Enable/disable Link Layer Discovery Protocol (LLDP) transmission.  disable
explicit-proxy-auth-timeout  Authentication timeout (sec) for idle sessions in the explicit web proxy.  300
sys-perf-log-interval  Interval of performance statistics logging.  5
check-protocol-header  Level of protocol header checking.  loose
vip-arp-range  Control ARP behavior for VIP ranges.  restricted
optimize  Firmware optimization option.  antivirus
reset-sessionless-tcp  Enable/disable sending a RST for TCP packets that match no existing session.  disable
allow-traffic-redirect  Enable/disable forwarding of traffic whose ingress and egress interface are the same without a policy check.  enable
strict-dirty-session-check  Enable/disable strict dirty-session check.  enable
tcp-halfclose-timer  TCP half close timeout (1 - 86400 sec, default = 120).  120
tcp-halfopen-timer  TCP half open timeout (1 - 86400 sec, default = 10).  10
tcp-timewait-timer  TCP time wait timeout (0 - 300 sec, default = 1).  1
udp-idle-timer  UDP idle timeout (1 - 86400 sec, default = 180).  180
block-session-timer  Block-session timeout (1 - 300 sec, default = 30 sec).  30
ip-src-port-range  IP source port range for firewall originated traffic.  1024-25000
pre-login-banner  Enable/disable pre-login banner.  disable
post-login-banner  Enable/disable post-login banner.  disable
tftp  Enable/disable TFTP.  enable
av-failopen  AV fail open option.  pass
av-failopen-session  Enable/disable AV fail open session option.  disable
check-reset-range  Enable (strict) or disable dropping of RST packets that are out of window.  disable
vdom-admin  Enable/disable multiple VDOMs mode.  disable
admin-port  Admin access HTTP port (1 - 65535).  80
admin-sport  Admin access HTTPS port (1 - 65535).  443
admin-https-redirect  Enable/disable redirection of HTTP admin traffic to HTTPS.  enable
admin-ssh-password  Enable/disable password authentication for SSH admin access.  enable
admin-ssh-port  Admin access SSH port (1 - 65535).  22
admin-ssh-grace-time  Admin access login grace time (10 - 3600 sec).  120
admin-ssh-v1  Enable/disable SSH v1 compatibility.  disable
admin-telnet-port  Admin access TELNET port (1 - 65535).  23
admin-maintainer  Enable/disable login of the maintainer user (console password-recovery login after a reboot).  enable
admin-server-cert  Admin HTTPS server certificate.  Fortinet_Factory
user-server-cert  User HTTPS server certificate.  Fortinet_Factory
admin-https-pki-required  Enable/disable requiring the HTTPS login page when PKI is enabled.  disable
wifi-certificate  WiFi certificate for WPA.  Fortinet_Wifi
wifi-ca-certificate  WiFi CA certificate for WPA.  PositiveSSL_CA
auth-http-port  Authentication HTTP port (1 - 65535).  1000
auth-https-port  Authentication HTTPS port (1 - 65535).  1003
auth-keepalive  Enable/disable use of keep alive to extend authentication.  disable
policy-auth-concurrent  Number of concurrent users allowed to pass firewall authentication.  0
auth-cert  HTTPS server certificate for policy authentication.  Fortinet_Factory
clt-cert-req  Enable/disable requiring a client certificate for GUI login.  disable
endpoint-control-portal-port  Endpoint control portal port (1 - 65535).  8009
endpoint-control-fds-access  Enable/disable access to FortiGuard servers for non-compliant endpoints.  enable
tp-mc-skip-policy  Enable/disable skipping the policy check and allowing multicast through.  disable
cfg-save  Configuration file save mode for changes made using the CLI.  automatic
cfg-revert-timeout  Time-out for reverting to the last saved configuration.  600
reboot-upon-config-restore  Enable/disable reboot of the system upon restoring a configuration.  enable
admin-scp  Enable/disable system configuration download by SCP.  disable
registration-notification  Enable/disable license registration notification.  enable
service-expire-notification  Enable/disable service expiration notification.  enable
wireless-controller  Enable/disable wireless controller.  enable
wireless-controller-port  Local wireless controller port (1024 - 49150).  5246
fortiextender-data-port  FortiExtender controller data port (1024 - 49150).  25246
fortiextender  Enable/disable FortiExtender controller.  disable
switch-controller  Enable/disable switch controller feature.  disable
switch-controller-reserved-network  Reserved network for switch-controller.  169.254.254.0 255.255.254.0
proxy-worker-count  Proxy worker count.  16
scanunit-count  Scanunit count.  39
ssl-worker-count  SSL worker count (0 - 4294967295).
proxy-kxp-hardware-acceleration  Enable/disable use of the content processor for SSL key exchange (KXP) in proxy inspection.  enable
proxy-cipher-hardware-acceleration  Enable/disable use of the content processor to encrypt or decrypt proxied traffic.  enable
fgd-alert-subscription  FortiGuard alert subscription.  (Empty)
ipsec-hmac-offload  Enable/disable offloading HMAC to hardware for IPsec VPN.  enable
ipv6-accept-dad  Enable/disable acceptance of IPv6 DAD (Duplicate Address Detection). 0: disable DAD; 1: enable DAD (default); 2: enable DAD, and disable IPv6 operation if a MAC-based duplicate link-local address has been found.  1
csr-ca-attribute  Enable/disable CSR CA attribute.  enable
wimax-4g-usb  Enable/disable WiMAX USB device.  disable
cert-chain-max  Maximum depth for certificate chain.  8
sslvpn-max-worker-count  Maximum number of worker processes for SSL-VPN.  39
sslvpn-kxp-hardware-acceleration  Enable/disable KXP SSL-VPN hardware acceleration.  disable
sslvpn-cipher-hardware-acceleration  Enable/disable SSL-VPN cipher hardware acceleration.  disable
sslvpn-plugin-version-check  Enable/disable SSL-VPN automatic checking of browser plug-in version.  enable
two-factor-email-expiry  Expiration time for email token (30 - 300 sec, default = 60 sec).  60
two-factor-sms-expiry  Expiration time for SMS token (30 - 300 sec, default = 60 sec).  60
two-factor-ftm-expiry  Expiration time for FortiToken Mobile provisioning (1 - 168 hr, default = 72 hr).  72
per-user-bwl  Enable/disable per-user black/white list filter.  disable
virtual-server-count  Number of concurrent virtual server workers.  20
virtual-server-hardware-acceleration  Enable/disable use of the content processor to encrypt or decrypt virtual server traffic.  enable
wad-worker-count  Number of concurrent WAD workers.  20
login-timestamp  Enable/disable login time recording.  disable
miglogd-children  Number of miglog children.  0
special-file-23-support  Enable/disable support for special file 23.  disable
log-uuid  Universally Unique Identifier (UUID) log option.  policy-only
arp-max-entry  Maximum number of ARP table entries (set to 131,072 or higher).  131072
ips-affinity  Affinity setting for IPS (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx; allowed CPUs must be fewer than the total number of IPS engine daemons).  0
av-affinity  Affinity setting for AV scanning (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx).  0
miglog-affinity  Affinity setting for logging (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx).  0
ndp-max-entry  Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, the kernel holds 65,536 entries).  0
br-fdb-max-entry  Maximum number of bridge forwarding database entries (set to 8192 or higher).  8192
ipsec-asic-offload  Enable/disable ASIC offload for IPsec VPN.  enable
device-idle-timeout  Device idle timeout (30 - 31536000 sec, default = 300 sec).  300
compliance-check  Enable/disable global PCI DSS compliance check.  enable
compliance-check-time  PCI DSS compliance check time.  00:00:00
gui-device-latitude  Physical device latitude coordinate.  (Empty)
gui-device-longitude  Physical device longitude coordinate.  (Empty)
private-data-encryption  Enable/disable private data encryption using an AES 128-bit key.  disable
auto-auth-extension-device  Enable/disable automatic authorization of dedicated Fortinet extension devices globally.  enable
gui-theme  Color scheme to use for the administration GUI.  green
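The options above decide how exposed the management plane is, and several ship with permissive defaults: TLS 1.1 is accepted for the admin GUI, CBC ciphers and HMAC-MD5 are allowed for SSH, TFTP and the maintainer login are on, the CLI audit log is off, the mail relay's certificate is not validated (system email-server), and the FSSO agent is not authenticated (system fsso-polling). The following configuration is an added example, not part of the Fortinet reference; it uses only options documented in this section. The interface names (wan1, internal), the certificate name mgmt-cert, the relay smtp.example.net, the account names and the password strings are placeholders, and the lines starting with # are explanatory comments.

```fortios
config system global
    # Admin GUI TLS: TLS 1.2 only (default tlsv1-1 tlsv1-2), weak ciphers stay banned.
    set admin-https-ssl-versions tlsv1-2
    set admin-https-banned-cipher rc4 low
    set strong-crypto enable
    set dh-params 2048
    set admin-https-redirect enable
    set admin-server-cert "mgmt-cert"
    # SSH: CBC ciphers and HMAC-MD5 are enabled by default; SSHv1 stays off.
    set ssh-cbc-cipher disable
    set ssh-hmac-md5 disable
    set admin-ssh-v1 disable
    set admin-ssh-grace-time 60
    # Lockout and idle limits: defaults are 3 attempts, 60 sec lockout, 5 min idle.
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admintimeout 5
    # Audit trail and banners, all disabled by default.
    set cli-audit-log enable
    set login-timestamp enable
    set pre-login-banner enable
    set post-login-banner enable
    # Services enabled by default that a production unit rarely needs.
    set tftp disable
    set admin-maintainer disable
end
config system dns-server
    # Recursion only toward the inside; the Internet-facing listener serves local zones only.
    edit "wan1"
        set mode non-recursive
    next
    edit "internal"
        set mode recursive
    next
end
config system email-server
    # Alert mail over STARTTLS with the relay certificate checked (validate-server defaults to disable).
    set type custom
    set server "smtp.example.net"
    set port 587
    set security starttls
    set validate-server enable
    set authenticate enable
    set username "fortigate-alerts"
    set password "replace-with-secret"
    set reply-to "fortigate-alerts@example.net"
end
config system fsso-polling
    # Require the agent to authenticate (default disable).
    set status enable
    set listening-port 8000
    set authentication enable
    set auth-password "replace-with-secret"
end
```

Two of these lines have operational consequences worth deciding deliberately. Disabling admin-maintainer removes the console password-recovery path, so an escrowed administrator credential must exist before it is applied. A non-recursive listener on the WAN interface answers only the zones defined in system dns-database; if nothing on the outside needs DNS from the unit, omit the wan1 entry entirely rather than hardening it. Once SSH keys are installed for the administrator accounts (configured under system admin, outside this section), admin-ssh-password can be disabled as well.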
system/gre-tunnel

CLI Syntax

config system gre-tunnel
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set sequence-number-transmission {disable | enable}
        set sequence-number-reception {disable | enable}
        set checksum-transmission {disable | enable}
        set checksum-reception {disable | enable}
        set key-outbound <integer>
        set key-inbound <integer>
        set auto-asic-offload {enable | disable}
        set keepalive-interval <integer>
        set keepalive-failtimes <integer>
    end

Description

Configuration  Description  Default Value
name  Tunnel name.  (Empty)
interface  Interface name.  (Empty)
remote-gw  IP address of the remote gateway.  0.0.0.0
local-gw  IP address of the local gateway.  0.0.0.0
sequence-number-transmission  Enable/disable inclusion of a sequence number in transmitted GRE packets.  disable
sequence-number-reception  Enable/disable validation of the sequence number in received GRE packets.  disable
checksum-transmission  Enable/disable inclusion of a checksum in transmitted GRE packets.  disable
checksum-reception  Enable/disable validation of the checksum in received GRE packets.  disable
key-outbound  Include this key in transmitted GRE packets (0 - 4294967295).  0
key-inbound  Require received GRE packets to contain this key (0 - 4294967295).  0
auto-asic-offload  Enable/disable tunnel ASIC offloading.  enable
keepalive-interval  Keepalive message interval (0 - 32767, 0 = disabled).  0
keepalive-failtimes  Number of consecutive unreturned keepalive messages before the GRE connection is considered down (1 - 255).  10
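GRE itself provides no confidentiality or integrity: the key is a 32-bit value carried in clear text, so key-inbound rejects stray or misrouted traffic but does not authenticate a peer, and the checksum detects corruption, not tampering. The following configuration is an added example, not part of the Fortinet reference, that turns on every receive-side check this section documents together with keepalives, so that a dead or misconfigured peer is detected rather than silently black-holing traffic. The tunnel name, the interface wan1 and the addresses 198.51.100.10 and 203.0.113.20 are placeholders; the lines starting with # are explanatory comments.

```fortios
config system gre-tunnel
    edit "gre-to-branch"
        set interface "wan1"
        set local-gw 198.51.100.10
        set remote-gw 203.0.113.20
        # Key must match the peer's key-outbound/key-inbound; it is a filter, not a credential.
        set key-outbound 1501
        set key-inbound 1501
        # Validate what is received and send what the peer validates.
        set sequence-number-transmission enable
        set sequence-number-reception enable
        set checksum-transmission enable
        set checksum-reception enable
        # Declare the tunnel down after three unanswered keepalives (default: keepalives off).
        set keepalive-interval 10
        set keepalive-failtimes 3
    next
end
```

The peer must mirror this entry with the gateways swapped and transmission enabled for whatever this side validates; a peer that validates sequence numbers while the other side does not transmit them will discard the traffic. For authentication and confidentiality, carry the GRE tunnel inside an IPsec tunnel (configured under vpn ipsec, outside this section) and bind firewall policies to the GRE tunnel interface so that only the intended hosts and services pass through it.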
system/ha

CLI Syntax

config system ha
    set group-id <integer>
    set group-name <string>
    set mode {standalone | a-a | a-p}
    set password <password>
    set key <password>
    set hbdev <user>
    set session-sync-dev <user>
    set route-ttl <integer>
    set route-wait <integer>
    set route-hold <integer>
    set load-balance-all {enable | disable}
    set sync-config {enable | disable}
    set encryption {enable | disable}
    set authentication {enable | disable}
    set hb-interval <integer>
    set hb-lost-threshold <integer>
    set helo-holddown <integer>
    set gratuitous-arps {enable | disable}
    set arps <integer>
    set arps-interval <integer>
    set session-pickup {enable | disable}
    set session-pickup-connectionless {enable | disable}
    set session-pickup-expectation {enable | disable}
    set session-pickup-nat {enable | disable}
    set session-pickup-delay {enable | disable}
    set session-sync-daemon-number <integer>
    set link-failed-signal {enable | disable}
    set uninterruptible-upgrade {enable | disable}
    set standalone-mgmt-vdom {enable | disable}
    set ha-mgmt-status {enable | disable}
    set ha-mgmt-interface <string>
    set ha-mgmt-interface-gateway <ipv4-address>
    set ha-mgmt-interface-gateway6 <ipv6-address>
    set ha-eth-type <string>
    set hc-eth-type <string>
    set l2ep-eth-type <string>
    set ha-uptime-diff-margin <integer>
    set standalone-config-sync {enable | disable}
    set vcluster2 {enable | disable}
    set vcluster-id <integer>
    set override {enable | disable}
    set priority <integer>
    set override-wait-time <integer>
    set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
    set weight <user>
    set cpu-threshold <user>
    set memory-threshold <user>
    set http-proxy-threshold <user>
    set ftp-proxy-threshold <user>
    set imap-proxy-threshold <user>
    set nntp-proxy-threshold <user>
    set pop3-proxy-threshold <user>
    set smtp-proxy-threshold <user>
    set monitor <user>
    set pingserver-monitor-interface <user>
    set pingserver-failover-threshold <integer>
    set pingserver-slave-force-reset {enable | disable}
    set pingserver-flip-timeout <integer>
    set vdom <user>
    config secondary-vcluster
        set vcluster-id <integer>
        set override {enable | disable}
        set priority <integer>
        set override-wait-time <integer>
        set monitor <user>
        set pingserver-monitor-interface <user>
        set pingserver-failover-threshold <integer>
        set pingserver-slave-force-reset {enable | disable}
        set vdom <user>
    end
    set ha-direct {enable | disable}
end
Description
Configuration Description Default Value
group-id Group ID (0 - 255). 0
group-name Group name. (Empty)
mode Mode. standalone
password password (Empty)
key key (Empty)
hbdev Heartbeat interfaces. "mgmt1" 50
session-sync-dev Session sync interfaces. (Empty)
route-ttl HA route TTL on master (5 - 3600 sec). 10
route-wait Route update wait time (0 - 3600 sec). 0
route-hold Wait time between route updates (0 - 3600 sec). 10
load-balance-all Enable/disable load balance. disable
sync-config Enable/disable configuration synchronization. enable
encryption Enable/disable HA message encryption. disable
authentication Enable/disable HA message authentication. disable
hb-interval Configure heartbeat interval (1 - 20 (100*ms)). 2
hb-lost-threshold Lost heartbeat threshold (1 - 60). 6
helo-holddown Configure hello state hold-down time (5 - 300sec).
20
gratuitous-arps Enable/disable gratuitous ARPs. enable
arps Configure number of gratuitous ARPs (1 - 60). 5
arps-interval Configure gratuitous ARPs interval (1 - 20 sec). 8
session-pickup Enable/disable session pickup. disable
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
539
session-pickup-connectionless
Enable/disable pickup non-TCP sessions. disable
session-pickup-expectation
Enable/disable pickup expectation sessions. disable
session-pickup-nat Enable/disable pickup of NATed sessions. disable
session-pickup-delay Enable/disable delay session sync by 30seconds.
disable
session-sync-daemon-number
Session sync daemon process number. 1
link-failed-signal Enable/disable link failed signal. disable
uninterruptible-upgrade Enable/disable uninterruptible HA upgrade. enable
standalone-mgmt-vdom Enable/disable standalone management VDOM. disable
ha-mgmt-status Enable/disable HA management interface reservation. disable
ha-mgmt-interface Reserved interface of HA management. (Empty)
ha-mgmt-interface-gateway Gateway for reserved interface of HA management. 0.0.0.0
ha-mgmt-interface-gateway6 IPv6 gateway for reserved interface of HA management. ::
ha-eth-type HA Ethernet type (4-digit hex). 8890
hc-eth-type HC Ethernet type (4-digit hex). 8891
l2ep-eth-type L2EP Ethernet type (4-digit hex). 8893
ha-uptime-diff-margin HA uptime difference margin (sec). 300
standalone-config-sync Enable/disable standalone config sync. disable
vcluster2 Enable/disable secondary virtual cluster. disable
vcluster-id Cluster ID. 0
override Enable/disable master HA unit overriding. disable
priority Priority value (0 - 255). 128
override-wait-time Override wait time (0 - 3600 sec). 0
schedule Schedule. round-robin
weight Weight for weight-round-robin schedule. 40
cpu-threshold CPU threshold weight. 5 0 0
memory-threshold Memory threshold weight. 5 0 0
http-proxy-threshold HTTP proxy threshold. 5 0 0
ftp-proxy-threshold FTP proxy threshold. 5 0 0
imap-proxy-threshold IMAP proxy threshold. 5 0 0
nntp-proxy-threshold NNTP proxy threshold. 5 0 0
pop3-proxy-threshold POP3 proxy threshold. 5 0 0
smtp-proxy-threshold SMTP proxy threshold. 5 0 0
monitor Interfaces to monitor. (Empty)
pingserver-monitor-interface Monitor interfaces that have a PING server enabled. (Empty)
pingserver-failover-threshold Threshold at which HA failover occurs upon PING server failure (0 - 50). 0
pingserver-slave-force-reset Enable/disable force reset of slave after PING server failure. enable
pingserver-flip-timeout Minutes to wait before HA failover flip-flop. 60
vdom VDOM members. (Empty)
secondary-vcluster Secondary virtual cluster. Details below
Configuration Default Value
vcluster-id 1
override enable
priority 128
override-wait-time 0
monitor (Empty)
pingserver-monitor-interface (Empty)
pingserver-failover-threshold 0
pingserver-slave-force-reset enable
vdom (Empty)
ha-direct Enable/disable sending of messages (logs, SNMP, RADIUS) directly from the ha-mgmt interface. disable
system/ha-monitor
CLI Syntax
config system ha-monitor
    edit <name_str>
        set monitor-vlan {enable | disable}
        set vlan-hb-interval <integer>
        set vlan-hb-lost-threshold <integer>
end
Description
Configuration Description Default Value
monitor-vlan Enable/disable monitor VLAN interfaces. disable
vlan-hb-interval Configure heartbeat interval (seconds). 5
vlan-hb-lost-threshold VLAN lost heartbeat threshold (1 - 60). 3
system/interface
CLI Syntax
config system interface
    edit <name_str>
        set name <string>
        set vdom <string>
        set cli-conn-status <integer>
        set mode {static | dhcp | pppoe}
        set distance <integer>
        set priority <integer>
        set dhcp-relay-service {disable | enable}
        set dhcp-relay-ip <user>
        set dhcp-relay-type {regular | ipsec}
        set ip <ipv4-classnet-host>
        set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
        set gwdetect {enable | disable}
        set ping-serv-status <integer>
        set detectserver <user>
        set detectprotocol {ping | tcp-echo | udp-echo}
        set ha-priority <integer>
        set fail-detect {enable | disable}
        set fail-detect-option {detectserver | link-down}
        set fail-alert-method {link-failed-signal | link-down}
        set fail-action-on-extender {soft-restart | hard-restart | reboot}
        config fail-alert-interfaces
            edit <name_str>
                set name <string>
        end
        set dhcp-client-identifier <string>
        set ipunnumbered <ipv4-address>
        set username <string>
        set pppoe-unnumbered-negotiate {enable | disable}
        set password <password>
        set idle-timeout <integer>
        set detected-peer-mtu <integer>
        set disc-retry-timeout <integer>
        set padt-retry-timeout <integer>
        set service-name <string>
        set ac-name <string>
        set lcp-echo-interval <integer>
        set lcp-max-echo-fails <integer>
        set defaultgw {enable | disable}
        set dns-server-override {enable | disable}
        set auth-type {auto | pap | chap | mschapv1 | mschapv2}
        set pptp-client {enable | disable}
        set pptp-user <string>
        set pptp-password <password>
        set pptp-server-ip <ipv4-address>
        set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
        set pptp-timeout <integer>
        set arpforward {enable | disable}
        set ndiscforward {enable | disable}
        set broadcast-forward {enable | disable}
        set bfd {global | enable | disable}
        set bfd-desired-min-tx <integer>
        set bfd-detect-mult <integer>
        set bfd-required-min-rx <integer>
        set l2forward {enable | disable}
        set icmp-redirect {enable | disable}
        set vlanforward {enable | disable}
        set stpforward {enable | disable}
        set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
        set ips-sniffer-mode {enable | disable}
        set ident-accept {enable | disable}
        set ipmac {enable | disable}
        set subst {enable | disable}
        set macaddr <mac-address>
        set substitute-dst-mac <mac-address>
        set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
        set status {up | down}
        set netbios-forward {disable | enable}
        set wins-ip <ipv4-address>
        set type {physical | vlan | aggregate | redundant | fortilink | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
        set dedicated-to {none | management}
        set trust-ip-1 <ipv4-classnet-any>
        set trust-ip-2 <ipv4-classnet-any>
        set trust-ip-3 <ipv4-classnet-any>
        set trust-ip6-1 <ipv6-prefix>
        set trust-ip6-2 <ipv6-prefix>
        set trust-ip6-3 <ipv6-prefix>
        set mtu-override {enable | disable}
        set mtu <integer>
        set wccp {enable | disable}
        set nst {enable | disable}
        set netflow-sampler {disable | tx | rx | both}
        set sflow-sampler {enable | disable}
        set drop-overlapped-fragment {enable | disable}
        set drop-fragment {enable | disable}
        set scan-botnet-connections {disable | block | monitor}
        set sample-rate <integer>
        set polling-interval <integer>
        set sample-direction {tx | rx | both}
        set explicit-web-proxy {enable | disable}
        set explicit-ftp-proxy {enable | disable}
        set tcp-mss <integer>
        set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
        set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
        set inbandwidth <integer>
        set outbandwidth <integer>
        set spillover-threshold <integer>
        set ingress-spillover-threshold <integer>
        set weight <integer>
        set interface <string>
        set external {enable | disable}
        set vlanid <integer>
        set forward-domain <integer>
        set remote-ip <ipv4-address-any>
        config member
            edit <name_str>
                set interface-name <string>
        end
        set lacp-mode {static | passive | active}
        set lacp-ha-slave {enable | disable}
        set lacp-speed {slow | fast}
        set min-links <integer>
        set min-links-down {operational | administrative}
        set algorithm {L2 | L3 | L4}
        set link-up-delay <integer>
        set priority-override {enable | disable}
        set aggregate <string>
        set redundant-interface <string>
        set fortilink <string>
        set managed-device <string>
        set devindex <integer>
        set vindex <integer>
        set switch <string>
        set description <var-string>
        set alias <string>
        set security-mode {none | captive-portal | 802.1X}
        set security-mac-auth-bypass {enable | disable}
        set security-external-web <string>
        set replacemsg-override-group <string>
        set security-redirect-url <string>
        set security-exempt-list <string>
        config security-groups
            edit <name_str>
                set name <string>
        end
        set device-identification {enable | disable}
        set device-user-identification {enable | disable}
        set device-identification-active-scan {enable | disable}
        set device-access-list <string>
        set device-netscan {disable | enable}
        set lldp-transmission {enable | disable | vdom}
        set listen-forticlient-connection {enable | disable}
        set broadcast-forticlient-discovery {enable | disable}
        set endpoint-compliance {enable | disable}
        set estimated-upstream-bandwidth <integer>
        set estimated-downstream-bandwidth <integer>
        set vrrp-virtual-mac {enable | disable}
        config vrrp
            edit <name_str>
                set vrid <integer>
                set vrgrp <integer>
                set vrip <ipv4-address-any>
                set priority <integer>
                set adv-interval <integer>
                set start-time <integer>
                set preempt {enable | disable}
                set vrdst <ipv4-address-any>
                set status {enable | disable}
        end
        set role {lan | wan | dmz | undefined}
        set snmp-index <integer>
        set secondary-IP {enable | disable}
        config secondaryip
            edit <name_str>
                set id <integer>
                set ip <ipv4-classnet-host>
                set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
                set gwdetect {enable | disable}
                set ping-serv-status <integer>
                set detectserver <user>
                set detectprotocol {ping | tcp-echo | udp-echo}
                set ha-priority <integer>
        end
        set auto-auth-extension-device {enable | disable}
        set ap-discover {enable | disable}
        config ipv6
            edit <name_str>
                set ip6-mode {static | dhcp | pppoe | delegated}
                set ip6-dns-server-override {enable | disable}
                set ip6-address <ipv6-prefix>
                config ip6-extra-addr
                    edit <name_str>
                        set prefix <ipv6-prefix>
                end
                set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
                set ip6-send-adv {enable | disable}
                set ip6-manage-flag {enable | disable}
                set ip6-other-flag {enable | disable}
                set ip6-max-interval <integer>
                set ip6-min-interval <integer>
                set ip6-link-mtu <integer>
                set ip6-reachable-time <integer>
                set ip6-retrans-time <integer>
                set ip6-default-life <integer>
                set ip6-hop-limit <integer>
                set autoconf {enable | disable}
                set ip6-upstream-interface <string>
                set ip6-subnet <ipv6-prefix>
                config ip6-prefix-list
                    edit <name_str>
                        set prefix <ipv6-network>
                        set autonomous-flag {enable | disable}
                        set onlink-flag {enable | disable}
                        set valid-life-time <integer>
                        set preferred-life-time <integer>
                end
                config ip6-delegated-prefix-list
                    edit <name_str>
                        set prefix-id <integer>
                        set upstream-interface <string>
                        set autonomous-flag {enable | disable}
                        set onlink-flag {enable | disable}
                        set subnet <ipv6-network>
                end
                set dhcp6-relay-service {disable | enable}
                set dhcp6-relay-type {regular}
                set dhcp6-relay-ip <user>
                set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
                set dhcp6-prefix-delegation {enable | disable}
        end
end
Description
Configuration Description Default Value
name Name. (Empty)
vdom Virtual domain name. (Empty)
cli-conn-status CLI connection status. 0
mode Addressing mode (static, DHCP, PPPoE). static
distance Distance of learned routes. 5
priority Priority of learned routes. 0
dhcp-relay-service Enable/disable use DHCP relay service. disable
dhcp-relay-ip DHCP relay IP address. (Empty)
dhcp-relay-type DHCP relay type. regular
ip IP address of interface. 0.0.0.0 0.0.0.0
allowaccess Allow management access to the interface. (Empty)
gwdetect Enable/disable detect gateway alive for first. disable
ping-serv-status PING server status. 0
detectserver Gateway's ping server for this IP. (Empty)
detectprotocol Protocols used to detect the server. ping
ha-priority HA election priority for the PING server. 1
fail-detect Enable/disable interface failed option status. disable
fail-detect-option Interface fail detect option. link-down
fail-alert-method Interface fail alert. link-down
fail-action-on-extender Action on extender when the interface fails. soft-restart
fail-alert-interfaces Physical interfaces that will be alerted. (Empty)
dhcp-client-identifier DHCP client identifier. (Empty)
ipunnumbered PPPoE unnumbered IP. 0.0.0.0
username User name. (Empty)
pppoe-unnumbered-negotiate Enable/disable PPPoE unnumbered negotiation. enable
password Password. (Empty)
idle-timeout PPPoE auto disconnect after idle timeout seconds. 0
detected-peer-mtu MTU of detected peer (0 - 4294967295). 0
disc-retry-timeout PPPoE discovery init timeout value in sec. 1
padt-retry-timeout PPPoE terminate timeout value in sec. 1
service-name PPPoE service name. (Empty)
ac-name PPPoE AC name. (Empty)
lcp-echo-interval PPPoE LCP echo interval (sec). 5
lcp-max-echo-fails Maximum missed LCP echo messages before disconnect. 3
defaultgw Enable/disable default gateway. enable
dns-server-override Enable/disable use of DNS acquired by DHCP or PPPoE. enable
auth-type PPP authentication type to use. auto
pptp-client Enable/disable PPTP client. disable
pptp-user PPTP user name. (Empty)
pptp-password PPTP password. (Empty)
pptp-server-ip PPTP server IP address. 0.0.0.0
pptp-auth-type PPTP authentication type. auto
pptp-timeout Idle timer in minutes (0 for disabled). 0
arpforward Enable/disable ARP forwarding. enable
ndiscforward Enable/disable NDISC forwarding. enable
broadcast-forward Enable/disable broadcast forwarding. disable
bfd Bidirectional Forwarding Detection (BFD). global
bfd-desired-min-tx BFD desired minimal transmit interval. 250
bfd-detect-mult BFD detection multiplier. 3
bfd-required-min-rx BFD required minimal receive interval. 250
l2forward Enable/disable l2 forwarding. disable
icmp-redirect Enable/disable ICMP redirect. enable
vlanforward Enable/disable VLAN forwarding. disable
stpforward Enable/disable STP forwarding. disable
stpforward-mode Configure STP forwarding mode. rpl-all-ext-id
ips-sniffer-mode Enable/disable IPS sniffer mode. disable
ident-accept Enable/disable accept ident protocol. disable
ipmac Enable/disable IP/MAC binding status. disable
subst Enable/disable substitute MAC. disable
macaddr MAC address. 00:00:00:00:00:00
substitute-dst-mac Substitute destination MAC address. 00:00:00:00:00:00
speed Speed auto
status Interface status. up
netbios-forward Enable/disable NETBIOS forwarding. disable
wins-ip WINS server IP. 0.0.0.0
type Interface type. vlan
dedicated-to Configure interface for single purpose. none
trust-ip-1 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). 0.0.0.0 0.0.0.0
trust-ip-2 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). 0.0.0.0 0.0.0.0
trust-ip-3 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). 0.0.0.0 0.0.0.0
trust-ip6-1 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0
trust-ip6-2 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0
trust-ip6-3 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0
mtu-override Enable/disable use custom MTU. disable
mtu Maximum transportation unit. 1500
wccp Enable/disable WCCP protocol on this interface. disable
nst Enable/disable NST protocol on this interface. disable
netflow-sampler NetFlow measurement status. disable
sflow-sampler Enable/disable sFlow protocol. disable
drop-overlapped-fragment Enable/disable dropping overlapped fragment packets. disable
drop-fragment Enable/disable dropping fragment packets. disable
scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable
sample-rate sFlow sampler sample rate. 2000
polling-interval sFlow sampler counter polling interval. 20
sample-direction sFlow sample direction. both
explicit-web-proxy Enable/disable explicit Web proxy. disable
explicit-ftp-proxy Enable/disable explicit FTP proxy. disable
tcp-mss Maximum sending TCP packet size. 0
mediatype Select SFP media interface type. serdes-sfp
fp-anomaly Pass or drop different types of anomalies using Fastpath. (Empty)
inbandwidth Bandwidth limit for incoming traffic (0 - 16776000 kbps). 0
outbandwidth Bandwidth limit for outgoing traffic (0 - 16776000 kbps). 0
spillover-threshold Egress Spillover threshold (0 - 16776000 kbps). 0
ingress-spillover-threshold Ingress Spillover threshold (0 - 16776000 kbps). 0
weight Default weight for static routes (if route has no weight configured). 0
interface Interface name. (Empty)
external Enable/disable identifying interface as connected to external side. disable
vlanid VLAN ID. 0
forward-domain TP mode forward domain. 0
remote-ip Remote IP address of tunnel. 0.0.0.0
member Physical interfaces that belong to the aggregate/redundant interface. (Empty)
lacp-mode LACP mode. active
lacp-ha-slave LACP HA slave. enable
lacp-speed LACP speed. slow
min-links Minimum number of aggregated ports that must be up. 1
min-links-down Action to take when there are fewer than min-links active members. operational
algorithm Frame distribution algorithm. L4
link-up-delay Number of milliseconds to wait before considering a link is up. 50
priority-override Enable/disable fail back to higher priority port once recovered. enable
aggregate Aggregate interface. (Empty)
redundant-interface Redundant interface. (Empty)
fortilink FortiLink interface. (Empty)
managed-device FortiLink interface managed device. (Empty)
devindex Device Index. 0
vindex Switch control interface VLAN ID. 0
switch Contained in switch. (Empty)
description Description. (Empty)
alias Alias. (Empty)
security-mode Security mode. none
security-mac-auth-bypass Enable/disable MAC authentication bypass. disable
security-external-web URL of external authentication web server. (Empty)
replacemsg-override-group Specify replacement message override group. (Empty)
security-redirect-url URL redirection after disclaimer/authentication. (Empty)
security-exempt-list Name of security-exempt-list. (Empty)
security-groups Group name. (Empty)
device-identification Enable/disable passive gathering of identity information about source hosts on this interface. disable
device-user-identification Enable/disable passive gathering of user identity information about source hosts on this interface. enable
device-identification-active-scan Enable/disable active gathering of identity information about source hosts on this interface. enable
device-access-list Device access list. (Empty)
device-netscan Enable/disable inclusion of devices detected on this interface in network vulnerability scans. disable
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. vdom
listen-forticlient-connection Enable/disable listening for FortiClient connections. disable
broadcast-forticlient-discovery Enable/disable broadcasting FortiClient discovery messages. disable
endpoint-compliance Enable/disable endpoint compliance enforcement. disable
estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. 0
estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. 0
vrrp-virtual-mac Enable/disable use of virtual MAC for VRRP. disable
vrrp VRRP configuration. (Empty)
role Interface role. undefined
snmp-index Permanent SNMP Index of the interface. 0
secondary-IP Enable/disable secondary IP. disable
secondaryip Second IP address of interface. (Empty)
auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. disable
ap-discover Enable/disable automatic registration of unknown FortiAP devices. enable
ipv6 IPv6 of interface. Details below
Configuration Default Value
ip6-mode static
ip6-dns-server-override enable
ip6-address ::/0
ip6-extra-addr (Empty)
ip6-allowaccess (Empty)
ip6-send-adv disable
ip6-manage-flag disable
ip6-other-flag disable
ip6-max-interval 600
ip6-min-interval 198
ip6-link-mtu 0
ip6-reachable-time 0
ip6-retrans-time 0
ip6-default-life 1800
ip6-hop-limit 0
autoconf disable
ip6-upstream-interface (Empty)
ip6-subnet ::/0
ip6-prefix-list (Empty)
ip6-delegated-prefix-list (Empty)
dhcp6-relay-service disable
dhcp6-relay-type regular
dhcp6-relay-ip (Empty)
dhcp6-client-options dns
dhcp6-prefix-delegation disable
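Two of the tables above carry settings that decide who can reach or impersonate the management plane: in system/ha, encryption and authentication of HA messages both default to disable; in system/interface, allowaccess lists the protocols accepted on an interface and trust-ip-1 to trust-ip-3 restrict a dedicated management port (0.0.0.0 0.0.0.0 meaning all hosts, per the table). The following is an added example, not Fortinet code, that parses a FortiOS configuration dump written in the config / edit / set / next / end form and reports when those options are left permissive, serving both the system/ha and the system/interface tables. The two configuration texts, the interface names and the ENC-PLACEHOLDER password value are constructed for the example.

```python
"""Audit a FortiOS configuration dump for weak HA and management-interface settings.

Added example, not Fortinet code. The configuration texts below are constructed;
the option names and defaults are the ones listed in the `system ha` and
`system interface` tables. ENC-PLACEHOLDER stands in for a real encrypted value.
"""
import shlex

# Constructed: a cluster left at the table defaults (encryption and authentication
# disabled, no cluster password) and an interface accepting cleartext management.
WEAK_CONFIG = """\
config system ha
    set group-id 7
    set group-name "edge-cluster"
    set mode a-p
    set hbdev "port3" 50
    set encryption disable
    set authentication disable
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "mgmt1"
        set dedicated-to management
        set trust-ip-1 0.0.0.0 0.0.0.0
        set allowaccess https ssh
    next
end
"""

# Constructed: the same cluster with the settings the audit expects.
HARDENED_CONFIG = """\
config system ha
    set group-id 7
    set group-name "edge-cluster"
    set mode a-p
    set password ENC ENC-PLACEHOLDER
    set hbdev "port3" 50
    set encryption enable
    set authentication enable
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "mgmt1"
        set dedicated-to management
        set trust-ip-1 198.51.100.0 255.255.255.0
        set allowaccess https ssh
    next
end
"""

CLEARTEXT_MGMT = {"http", "telnet"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]  # trust-ip default from the table: all hosts


def parse_config(text):
    """Flatten config/edit/set/next/end nesting into {path: {option: [values]}}.

    Paths look like "system ha" or "system interface/port1"; a nested table such as
    secondary-vcluster becomes "system ha/secondary-vcluster". Both `next` and a bare
    `end` close the current level, so the page's `edit ... end` form also parses.
    """
    tables, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "edit":
            stack.append(args[0])
        elif cmd in ("next", "end"):
            stack.pop()
        elif cmd == "set":
            tables.setdefault("/".join(stack), {})[args[0]] = args[1:]
    return tables


def audit(tables):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ha = tables.get("system ha", {})
    if ha.get("mode", ["standalone"])[0] != "standalone":  # checks only matter in a cluster
        if ha.get("encryption", ["disable"])[0] != "enable":
            findings.append("system ha: encryption disabled, heartbeat and sync traffic sent in clear")
        if ha.get("authentication", ["disable"])[0] != "enable":
            findings.append("system ha: authentication disabled, heartbeat messages unauthenticated")
        if not ha.get("password"):
            findings.append("system ha: no cluster password configured")
    for path, options in tables.items():
        if not path.startswith("system interface/") or path.count("/") != 1:
            continue  # skip nested tables such as secondaryip or ipv6
        name = path.split("/", 1)[1]
        cleartext = CLEARTEXT_MGMT & set(options.get("allowaccess", []))
        if cleartext:
            findings.append(f"interface {name}: cleartext management allowed: {' '.join(sorted(cleartext))}")
        if options.get("dedicated-to", ["none"])[0] == "management":
            trusted = [options.get(f"trust-ip-{i}", ANY_HOST) for i in (1, 2, 3)]
            if all(t == ANY_HOST for t in trusted):
                findings.append(f"interface {name}: dedicated management port with no trust-ip restriction")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_config(text)) or ["no findings"])
```

The parser keys options by their full path, so the same check can be extended to a secondary-vcluster block or to ip6-allowaccess under a nested ipv6 table without changing the parsing; the audit only looks at top-level interface entries because those are where allowaccess and dedicated-to live in the table above.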
system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
name IPIP Tunnel name. (Empty)
interface Interface name. (Empty)
remote-gw IP address of the remote gateway. 0.0.0.0
local-gw IP address of the local gateway. 0.0.0.0
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
    edit <name_str>
        set address <ipv4-address>
        set status {enable | disable}
end
Description
Configuration Description Default Value
address DNS server IP address. 0.0.0.0
status Enable/disable this server for queries. enable
system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
    edit <name_str>
        set id <integer>
        set interface <string>
        set ipv6 <ipv6-address>
        set mac <mac-address>
end
Description
Configuration Description Default Value
id Unique integer ID of the entry. 0
interface Interface name. (Empty)
ipv6 IPv6 address. ::
mac MAC address. 00:00:00:00:00:00
system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
    edit <name_str>
        set name <string>
        set source <ipv6-address>
        set destination <ipv6-address>
        set interface <string>
        set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
source Local IPv6 address of tunnel. ::
destination Remote IPv6 address of tunnel. ::
interface Interface name. (Empty)
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
system/link-monitor
CLI Syntax
config system link-monitor
    edit <name_str>
        set name <string>
        set srcintf <string>
        config server
            edit <name_str>
                set address <string>
        end
        set protocol {ping | tcp-echo | udp-echo | http | twamp}
        set port <integer>
        set gateway-ip <ipv4-address-any>
        set source-ip <ipv4-address-any>
        set http-get <string>
        set http-match <string>
        set interval <integer>
        set timeout <integer>
        set failtime <integer>
        set recoverytime <integer>
        set security-mode {none | authentication}
        set password <password>
        set packet-size <integer>
        set ha-priority <integer>
        set update-cascade-interface {enable | disable}
        set update-static-route {enable | disable}
        set status {enable | disable}
end
Description
Configuration Description Default Value
name Link monitor name. (Empty)
srcintf Interface where the monitor traffic is sent. (Empty)
server Server address(es). (Empty)
protocol Protocols used to detect the server. ping
port Port number to poll. 80
gateway-ip Gateway IP used to PING the server. 0.0.0.0
source-ip Source IP used in packet to the server. 0.0.0.0
http-get HTTP GET URL string. /
http-match Response value from detected server in http-get. (Empty)
interval Detection interval. 5
timeout Detect request timeout. 1
failtime Number of retry attempts before bringing server down. 5
recoverytime Number of retry attempts before bringing server up. 5
security-mode TWAMP controller security mode. none
password TWAMP controller password in authentication mode. (Empty)
packet-size Packet size of a TWAMP test session. 64
ha-priority HA election priority (1 - 50). 1
update-cascade-interface Enable/disable update cascade interface. enable
update-static-route Enable/disable update static route. enable
status Enable/disable Link monitor administrative status. enable
system/mac-address-table
CLI Syntax
config system mac-address-table
    edit <name_str>
        set mac <mac-address>
        set interface <string>
        set reply-substitute <mac-address>
end
Description
Configuration Description Default Value
mac MAC address. 00:00:00:00:00:00
interface Interface name. (Empty)
reply-substitute New MAC for reply traffic. 00:00:00:00:00:00
system/management-tunnel
CLI Syntax
config system management-tunnel
    edit <name_str>
        set status {enable | disable}
        set allow-config-restore {enable | disable}
        set allow-push-configuration {enable | disable}
        set allow-push-firmware {enable | disable}
        set allow-collect-statistics {enable | disable}
        set authorized-manager-only {enable | disable}
        set serial-number <user>
end
Description
Configuration Description Default Value
status Enable/disable FGFM tunnel. enable
allow-config-restore Enable/disable allow config restore. enable
allow-push-configuration Enable/disable push configuration. enable
allow-push-firmware Enable/disable push firmware. enable
allow-collect-statistics Enable/disable collection of run time statistics. enable
authorized-manager-only Enable/disable restricting the tunnel to the authorized manager only. enable
serial-number Serial number. (Empty)
system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
    edit <name_str>
        set name <string>
        set status {disable | enable}
        set roaming-interface <string>
        set home-agent <ipv4-address>
        set home-address <ipv4-address>
        set renew-interval <integer>
        set lifetime <integer>
        set reg-interval <integer>
        set reg-retry <integer>
        set n-mhae-spi <integer>
        set n-mhae-key-type {ascii | base64}
        set n-mhae-key <user>
        set hash-algorithm {hmac-md5}
        set tunnel-mode {gre}
        config network
            edit <name_str>
                set id <integer>
                set interface <string>
                set prefix <ipv4-classnet>
        end
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
status Enable/disable this mobile tunnel. enable
roaming-interface Roaming interface name. (Empty)
home-agent IP address of the NEMO HA. 0.0.0.0
home-address Home IP address. 0.0.0.0
renew-interval Time before lifetime expiration to send NEMO HA re-registration. 60
lifetime NEMO HA registration request lifetime. 65535
reg-interval NEMO HA registration interval. 5
reg-retry NEMO HA registration maximal retries. 3
n-mhae-spi NEMO authentication spi. 256
n-mhae-key-type NEMO authentication key type. ascii
n-mhae-key NEMO authentication key. 'ENCAQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='
hash-algorithm Hash Algorithm. hmac-md5
tunnel-mode NEMO tunnel mode. gre
network NEMO network configuration. (Empty)
system/nat64
CLI Syntax
config system nat64
    edit <name_str>
        set status {enable | disable}
        set nat64-prefix <ipv6-prefix>
        set always-synthesize-aaaa-record {enable | disable}
        set generate-ipv6-fragment-header {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable NAT64. disable
nat64-prefix NAT64 prefix must be ::/96. 64:ff9b::/96
always-synthesize-aaaa-record Enable/disable AAAA record synthesis. enable
generate-ipv6-fragment-header Enable/disable IPv6 fragment header generation. disable
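With always-synthesize-aaaa-record enabled, an IPv6-only client asking for a name that has only an A record receives an AAAA answer formed by embedding the IPv4 address into nat64-prefix, which the table says must be a /96. The following is an added example, not FortiOS code, that performs that /96 embedding and its reverse (RFC 6052 places the IPv4 address in the low 32 bits), so an analyst reading DNS or flow logs can tell a synthesized address from a native one. It uses the table's default prefix; the IPv4 and IPv6 addresses are documentation ranges chosen for the example.

```python
"""Embed and extract IPv4 addresses in a /96 NAT64 prefix.

Added example, not FortiOS code. The default prefix is the table's default;
the prefix-length check mirrors the table's "must be ::/96" note.
"""
import ipaddress

DEFAULT_NAT64_PREFIX = "64:ff9b::/96"


def nat64_network(prefix=DEFAULT_NAT64_PREFIX):
    """Parse the configured prefix and enforce the /96 requirement."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError(f"NAT64 prefix must be a /96, got /{net.prefixlen}")
    return net


def synthesize_aaaa(ipv4, prefix=DEFAULT_NAT64_PREFIX):
    """The AAAA answer synthesized for an IPv4-only name: prefix || IPv4 (low 32 bits)."""
    net = nat64_network(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


def extract_ipv4(ipv6, prefix=DEFAULT_NAT64_PREFIX):
    """Reverse mapping: the IPv4 destination the gateway translates a synthesized address to."""
    net = nat64_network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def is_synthesized(ipv6, prefix=DEFAULT_NAT64_PREFIX):
    """True when an address falls inside the NAT64 prefix, i.e. it was synthesized, not native."""
    return ipaddress.IPv6Address(ipv6) in nat64_network(prefix)


if __name__ == "__main__":
    aaaa = synthesize_aaaa("192.0.2.33")          # constructed IPv4 destination
    print(aaaa, extract_ipv4(aaaa), is_synthesized("2001:db8::1"))
```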
system/netflow
CLI Syntax
config system netflow
    edit <name_str>
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
        set active-flow-timeout <integer>
        set inactive-flow-timeout <integer>
        set template-tx-timeout <integer>
        set template-tx-counter <integer>
end
Description
Configuration Description Default Value
collector-ip Collector IP. 0.0.0.0
collector-port NetFlow collector port. 2055
source-ip Source IP for NetFlow agent. 0.0.0.0
active-flow-timeout Timeout to report active flows (min). 30
inactive-flow-timeout Timeout for periodic report of finished flows (sec). 15
template-tx-timeout Timeout for periodic template flowset transmission (min). 30
template-tx-counter Counter of flowset records before resending a template flowset record. 20
system/network-visibility
CLI Syntax
config system network-visibility
    edit <name_str>
        set destination-visibility {disable | enable}
        set source-location {disable | enable}
        set destination-hostname-visibility {disable | enable}
        set hostname-ttl <integer>
        set hostname-limit <integer>
        set destination-location {disable | enable}
end
Description
Configuration Description Default Value
destination-visibility Enable/disable logging of destination visibility. enable
source-location Enable/disable logging of source geographical location visibility. enable
destination-hostname-visibility Enable/disable logging of destination hostname visibility. enable
hostname-ttl TTL of hostname table entries. 86400
hostname-limit Limit of hostname table entries. 5000
destination-location Enable/disable logging of destination geographical location visibility. enable
system/ntp
CLI Syntax
config system ntp
    edit <name_str>
        set ntpsync {enable | disable}
        set type {fortiguard | custom}
        set syncinterval <integer>
        config ntpserver
            edit <name_str>
                set id <integer>
                set server <string>
                set ntpv3 {enable | disable}
                set authentication {enable | disable}
                set key <password>
                set key-id <integer>
        end
        set source-ip <ipv4-address>
        set server-mode {enable | disable}
        config interface
            edit <name_str>
                set interface-name <string>
        end
end
Description
Configuration Description Default Value
ntpsync Enable/disable synchronization with NTP Server. disable
type FortiGuard or custom NTP Server. fortiguard
syncinterval NTP synchronization interval. 1
ntpserver NTP Server. (Empty)
source-ip Source IP for communications to NTP server. 0.0.0.0
server-mode Enable/disable NTP Server Mode. disable
interface List of interfaces with NTP server mode enabled. (Empty)
system/object-tag
CLI Syntax
config system object-tag
    edit <name_str>
        set name <string>
end
Description
Configuration Description Default Value
name Tag name. (Empty)
system/password-policy
CLI Syntax
config system password-policy
    edit <name_str>
        set status {enable | disable}
        set apply-to {admin-password | ipsec-preshared-key}
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set change-4-characters {enable | disable}
        set expire-status {enable | disable}
        set expire-day <integer>
        set reuse-password {enable | disable}
end
Description
Configuration Description Default Value
status Enable/disable password policy. disable
apply-to Apply password policy to. admin-password
minimum-length Minimum password length. 8
min-lower-case-letter Minimum number of lowercase characters in password. 0
min-upper-case-letter Minimum number of uppercase characters in password. 0
min-non-alphanumeric Minimum number of non-alphanumeric characters in password. 0
min-number Minimum number of numeric characters in password. 0
change-4-characters Enable/disable changing at least 4 characters for new password. disable
expire-status Enable/disable password expiration. disable
expire-day Number of days after which admin users' password will expire. 90
reuse-password Enable/disable reuse of password. enable
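An added example, written by the editor and not part of the document, that contrasts the defaults in the table above (policy disabled, 8-character minimum, no character-class requirements, password reuse allowed) with a hardened policy for administrator accounts. The specific thresholds are the editor's choices, not values the document prescribes; the command is entered as typed at the FortiOS prompt.

```fortios
# Hardened administrator password policy (added example; thresholds are the editor's choices).
# Page defaults: status disable, minimum-length 8, all min-* counts 0,
# change-4-characters disable, expire-status disable, reuse-password enable.
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set change-4-characters enable
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end
```

With status left at its default of disable, none of the other options take effect, so enabling the policy is the first check when auditing a unit; reuse-password disable and change-4-characters enable together stop an expired password from being rotated back to itself.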
system/probe-response

CLI Syntax

config system probe-response
    edit <name_str>
        set port <integer>
        set http-probe-value <string>
        set ttl-mode {reinit | decrease | retain}
        set mode {none | http-probe | twamp}
        set security-mode {none | authentication}
        set password <password>
        set timeout <integer>
end
Description
Configuration Description Default Value
port Port number on which to respond. 8008
http-probe-value Value to respond to the monitoring server. OK
ttl-mode Mode for TWAMP packet TTL modification. retain
mode SLA response mode. none
security-mode TWAMP responder security mode. none
password TWAMP responder password in authentication mode. (Empty)
timeout An inactivity timer for a TWAMP test session. 300
system/proxy-arp

CLI Syntax

config system proxy-arp
    edit <name_str>
        set id <integer>
        set interface <string>
        set ip <ipv4-address>
        set end-ip <ipv4-address>
end
Description
Configuration Description Default Value
id Unique integer ID of the entry. 0
interface Interface acting as proxy-ARP. (Empty)
ip IP address or start IP to be proxied. 0.0.0.0
end-ip End IP of IP range to be proxied. 0.0.0.0
system/replacemsg-group

CLI Syntax

config system replacemsg-group
    edit <name_str>
        set name <string>
        set comment <var-string>
        set group-type {default | utm | auth | ec}
        config mail
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config http
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config webproxy
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config ftp
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config nntp
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config fortiguard-wf
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config spam
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config alertmail
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config admin
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config auth
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config sslvpn
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config ec
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config device-detection-portal
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config nac-quar
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config traffic-quota
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config utm
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config custom-message
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
end
Description
Configuration Description Default Value
name Group name. (Empty)
comment Comment. (Empty)
group-type Group type. default
mail Replacement message table entries. (Empty)
http Replacement message table entries. (Empty)
webproxy Replacement message table entries. (Empty)
ftp Replacement message table entries. (Empty)
nntp Replacement message table entries. (Empty)
fortiguard-wf Replacement message table entries. (Empty)
spam Replacement message table entries. (Empty)
alertmail Replacement message table entries. (Empty)
admin Replacement message table entries. (Empty)
auth Replacement message table entries. (Empty)
sslvpn Replacement message table entries. (Empty)
ec Replacement message table entries. (Empty)
device-detection-portal Replacement message table entries. (Empty)
nac-quar Replacement message table entries. (Empty)
traffic-quota Replacement message table entries. (Empty)
utm Replacement message table entries. (Empty)
custom-message Replacement message table entries. (Empty)
system/replacemsg-image

CLI Syntax

config system replacemsg-image
    edit <name_str>
        set name <string>
        set image-type {gif | jpg | tiff | png}
        set image-base64 <var-string>
end
Description
Configuration Description Default Value
name Image name. (Empty)
image-type Image type. (Empty)
image-base64 Image data. (null)
system/resource-limits

CLI Syntax

config system resource-limits
    edit <name_str>
        set session <integer>
        set ipsec-phase1 <integer>
        set ipsec-phase2 <integer>
        set dialup-tunnel <integer>
        set firewall-policy <integer>
        set firewall-address <integer>
        set firewall-addrgrp <integer>
        set custom-service <integer>
        set service-group <integer>
        set onetime-schedule <integer>
        set recurring-schedule <integer>
        set user <integer>
        set user-group <integer>
        set sslvpn <integer>
        set proxy <integer>
        set log-disk-quota <integer>
end
Description
Configuration Description Default Value
session Maximum number of sessions. 0
ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. 0
ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. 0
dialup-tunnel Maximum number of dial-up tunnels. 0
firewall-policy Maximum number of firewall policies. 0
firewall-address Maximum number of firewall addresses. 0
firewall-addrgrp Maximum number of firewall address groups. 0
custom-service Maximum number of firewall custom services. 0
service-group Maximum number of firewall service groups. 0
onetime-schedule Maximum number of firewall one-time schedules. 0
recurring-schedule Maximum number of firewall recurring schedules. 0
user Maximum number of local users. 0
user-group Maximum number of user groups. 0
sslvpn Maximum number of SSL-VPN. 0
proxy Maximum number of concurrent explicit proxy users. 0
log-disk-quota Log disk quota in MB. 0
system/session-helper

CLI Syntax

config system session-helper
    edit <name_str>
        set id <integer>
        set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
        set protocol <integer>
        set port <integer>
end
Description
Configuration Description Default Value
id Session helper ID. 0
name Helper name. (Empty)
protocol Protocol number. 0
port Protocol port. 0
system/session-ttl

CLI Syntax

config system session-ttl
    edit <name_str>
        set default <user>
        config port
            edit <name_str>
                set id <integer>
                set protocol <integer>
                set start-port <integer>
                set end-port <integer>
                set timeout <user>
        end
end
Description
Configuration Description Default Value
default Default timeout. 3600
port Session TTL port. (Empty)
system/settings

CLI Syntax

config system settings
    edit <name_str>
        set comments <var-string>
        set opmode {nat | transparent}
        set inspection-mode {proxy | flow}
        set http-external-dest {fortiweb | forticache}
        set firewall-session-dirty {check-all | check-new | check-policy-option}
        set manageip <user>
        set gateway <ipv4-address>
        set ip <ipv4-classnet-host>
        set manageip6 <ipv6-prefix>
        set gateway6 <ipv6-address>
        set ip6 <ipv6-prefix>
        set device <string>
        set bfd {enable | disable}
        set bfd-desired-min-tx <integer>
        set bfd-required-min-rx <integer>
        set bfd-detect-mult <integer>
        set bfd-dont-enforce-src-port {enable | disable}
        set utf8-spam-tagging {enable | disable}
        set wccp-cache-engine {enable | disable}
        set vpn-stats-log {ipsec | pptp | l2tp | ssl}
        set vpn-stats-period <integer>
        set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
        set mac-ttl <integer>
        set fw-session-hairpin {enable | disable}
        set snat-hairpin-traffic {enable | disable}
        set dhcp-proxy {enable | disable}
        set dhcp-server-ip <user>
        set dhcp6-server-ip <user>
        set central-nat {enable | disable}
        config gui-default-policy-columns
            edit <name_str>
                set name <string>
        end
        set lldp-transmission {enable | disable | global}
        set asymroute {enable | disable}
        set asymroute-icmp {enable | disable}
        set tcp-session-without-syn {enable | disable}
        set ses-denied-traffic {enable | disable}
        set strict-src-check {enable | disable}
        set asymroute6 {enable | disable}
        set asymroute6-icmp {enable | disable}
        set sip-helper {enable | disable}
        set sip-nat-trace {enable | disable}
        set status {enable | disable}
        set sip-tcp-port <integer>
        set sip-udp-port <integer>
        set sip-ssl-port <integer>
        set sccp-port <integer>
        set multicast-forward {enable | disable}
        set multicast-ttl-notchange {enable | disable}
        set multicast-skip-policy {enable | disable}
        set allow-subnet-overlap {enable | disable}
        set deny-tcp-with-icmp {enable | disable}
        set ecmp-max-paths <integer>
        set discovered-device-timeout <integer>
        set email-portal-check-dns {disable | enable}
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
        set gui-icap {enable | disable}
        set gui-nat46-64 {enable | disable}
        set gui-implicit-policy {enable | disable}
        set gui-dns-database {enable | disable}
        set gui-load-balance {enable | disable}
        set gui-multicast-policy {enable | disable}
        set gui-dos-policy {enable | disable}
        set gui-object-colors {enable | disable}
        set gui-replacement-message-groups {enable | disable}
        set gui-voip-profile {enable | disable}
        set gui-ap-profile {enable | disable}
        set gui-dynamic-profile-display {enable | disable}
        set gui-ipsec-manual-key {enable | disable}
        set gui-local-in-policy {enable | disable}
        set gui-local-reports {enable | disable}
        set gui-wanopt-cache {enable | disable}
        set gui-explicit-proxy {enable | disable}
        set gui-dynamic-routing {enable | disable}
        set gui-dlp {enable | disable}
        set gui-sslvpn-personal-bookmarks {enable | disable}
        set gui-sslvpn-realms {enable | disable}
        set gui-policy-based-ipsec {enable | disable}
        set gui-threat-weight {enable | disable}
        set gui-multiple-utm-profiles {enable | disable}
        set gui-spamfilter {enable | disable}
        set gui-application-control {enable | disable}
        set gui-casi {enable | disable}
        set gui-ips {enable | disable}
        set gui-endpoint-control {enable | disable}
        set gui-dhcp-advanced {enable | disable}
        set gui-vpn {enable | disable}
        set gui-wireless-controller {enable | disable}
        set gui-switch-controller {enable | disable}
        set gui-fortiap-split-tunneling {enable | disable}
        set gui-webfilter-advanced {enable | disable}
        set gui-traffic-shaping {enable | disable}
        set gui-wan-load-balancing {enable | disable}
        set gui-antivirus {enable | disable}
        set gui-webfilter {enable | disable}
        set gui-dnsfilter {enable | disable}
        set gui-waf-profile {enable | disable}
        set gui-fortiextender-controller {enable | disable}
        set gui-advanced-policy {enable | disable}
        set gui-allow-unnamed-policy {enable | disable}
        set gui-email-collection {enable | disable}
        set gui-domain-ip-reputation {enable | disable}
        set compliance-check {enable | disable}
        set ike-session-resume {enable | disable}
        set ike-quick-crash-detect {enable | disable}
end
Description

Configuration Description Default Value
comments VDOM comments. (Empty)
opmode Firewall operation mode. nat
inspection-mode Inspection mode. proxy
http-external-dest HTTP service external inspection destination. fortiweb
firewall-session-dirty Packet session management. check-all
manageip IP address and netmask. (Empty)
gateway Default gateway IP address. 0.0.0.0
ip IP address and netmask. 0.0.0.0 0.0.0.0
manageip6 Management IPv6 address prefix for transparent mode. ::/0
gateway6 Default gateway IPv6 address. ::
ip6 IPv6 address prefix for NAT mode. ::/0
device Interface. (Empty)
bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. disable
bfd-desired-min-tx BFD desired minimal transmit interval. 250
bfd-required-min-rx BFD required minimal receive interval. 250
bfd-detect-mult BFD detection multiplier. 3
bfd-dont-enforce-src-port Enable/disable verifying the source port of BFD packets. disable
utf8-spam-tagging Convert spam tags to UTF-8 for better non-ASCII character support. enable
wccp-cache-engine Enable/disable WCCP cache engine. disable
vpn-stats-log Enable/disable periodic VPN log statistics. ipsec pptp l2tp ssl
vpn-stats-period Period to send VPN log statistics (sec). 600
v4-ecmp-mode IPv4 ECMP mode. source-ip-based
mac-ttl Bridge MAC address expiration time (sec). 300
fw-session-hairpin Check every cross. disable
snat-hairpin-traffic Enable/disable SNAT hairpin traffic. enable
dhcp-proxy Enable/disable DHCP Proxy. disable
dhcp-server-ip DHCP Server IP address. (Empty)
dhcp6-server-ip DHCPv6 server IP address. (Empty)
central-nat Enable/disable central NAT. disable
gui-default-policy-columns Default columns to display for firewall policy list on GUI. (Empty)
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. global
asymroute Enable/disable asymmetric route. disable
asymroute-icmp Enable/disable asymmetric ICMP route. disable
tcp-session-without-syn Enable/disable creation of TCP session without SYN flag. disable
ses-denied-traffic Enable/disable insertion of denied traffic into session table. disable
strict-src-check Enable/disable strict source verification. disable
asymroute6 Enable/disable asymmetric IPv6 route. disable
asymroute6-icmp Enable/disable asymmetric ICMPv6 route. disable
sip-helper Enable/disable helper to add dynamic SIP firewall allow rule. enable
sip-nat-trace Enable/disable adding original IP if NATed. enable
status Enable/disable this VDOM. enable
sip-tcp-port TCP port the SIP proxy will monitor for SIP traffic. 5060
sip-udp-port UDP port the SIP proxy will monitor for SIP traffic. 5060
sip-ssl-port TCP SSL port the SIP proxy will monitor for SIP traffic. 5061
sccp-port TCP port the SCCP proxy will monitor for SCCP traffic. 2000
multicast-forward Enable/disable multicast forwarding. enable
multicast-ttl-notchange Enable/disable modification of multicast TTL. disable
multicast-skip-policy Enable/disable skipping the policy check and allowing multicast through. disable
allow-subnet-overlap Enable/disable allowing one interface subnet to overlap with other interfaces. disable
deny-tcp-with-icmp Enable/disable deny TCP with ICMP. disable
ecmp-max-paths Maximum number of ECMP next-hops. 10
discovered-device-timeout Discard discovered devices after N days of inactivity. 28
email-portal-check-dns Enable/disable DNS to validate domain names used in the email address collection captive portal. enable
default-voip-alg-mode Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy). proxy-based
gui-icap Enable/disable ICAP settings in GUI. disable
gui-nat46-64 Enable/disable NAT46 and NAT64 settings in GUI. disable
gui-implicit-policy Enable/disable implicit firewall policies in GUI. enable
gui-dns-database Enable/disable DNS database in GUI. disable
gui-load-balance Enable/disable load balance in GUI. disable
gui-multicast-policy Enable/disable multicast firewall policies in GUI. disable
gui-dos-policy Enable/disable DoS policy display in GUI. enable
gui-object-colors Enable/disable object colors in GUI. enable
gui-replacement-message-groups Enable/disable replacement message groups in GUI. disable
gui-voip-profile Enable/disable VoIP profiles in GUI. disable
gui-ap-profile Enable/disable AP profiles in GUI. enable
gui-dynamic-profile-display Enable/disable dynamic profiles in GUI. disable
gui-ipsec-manual-key Enable/disable IPsec manual key configuration in GUI. disable
gui-local-in-policy Enable/disable Local-In policies in GUI. disable
gui-local-reports Enable/disable local reports in the GUI. disable
gui-wanopt-cache Enable/disable WAN Opt & Cache configuration in GUI. disable
gui-explicit-proxy Enable/disable explicit proxy configuration in GUI. disable
gui-dynamic-routing Enable/disable dynamic routing menus in GUI. enable
gui-dlp Enable/disable DLP settings in GUI. disable
gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management in GUI. disable
gui-sslvpn-realms Enable/disable SSL-VPN custom login pages in GUI. disable
gui-policy-based-ipsec Enable/disable policy-based IPsec VPN. disable
gui-threat-weight Enable/disable threat weight feature in GUI. enable
gui-multiple-utm-profiles Enable/disable multiple UTM profiles in GUI. enable
gui-spamfilter Enable/disable spamfilter profiles in GUI. disable
gui-application-control Enable/disable application control profiles in GUI. enable
gui-casi Enable/disable CASI profiles in GUI. enable
gui-ips Enable/disable IPS sensors in GUI. enable
gui-endpoint-control Enable/disable endpoint control in GUI. enable
gui-dhcp-advanced Enable/disable advanced DHCP configuration in GUI. enable
gui-vpn Enable/disable VPN tunnels in GUI. enable
gui-wireless-controller Enable/disable wireless controller in GUI. enable
gui-switch-controller Enable/disable switch controller in GUI. enable
gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling in GUI. disable
gui-webfilter-advanced Enable/disable advanced web filter configuration in GUI. disable
gui-traffic-shaping Enable/disable traffic shaping in GUI. enable
gui-wan-load-balancing Enable/disable WAN link load balancing in GUI. enable
gui-antivirus Enable/disable AntiVirus profile display in GUI. enable
gui-webfilter Enable/disable WebFilter profile display in GUI. enable
gui-dnsfilter Enable/disable DNS Filter profile display in GUI. enable
gui-waf-profile Enable/disable Web Application Firewall profile display in GUI. disable
gui-fortiextender-controller Enable/disable FortiExtender controller in GUI. disable
gui-advanced-policy Enable/disable advanced policy configuration in GUI. disable
gui-allow-unnamed-policy Enable/disable relaxation of the requirement for a policy to have a name when created in GUI. disable
gui-email-collection Enable/disable email collection feature. disable
gui-domain-ip-reputation Enable/disable Domain and IP Reputation feature. disable
compliance-check Enable/disable PCI DSS compliance check. disable
ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723). disable
ike-quick-crash-detect Enable/disable IKEv2 quick crash detection (RFC 6290). disable
system/sflow

CLI Syntax

config system sflow
    edit <name_str>
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
collector-ip Collector IP. 0.0.0.0
collector-port sFlow collector port. 6343
source-ip Source IP for sFlow agent. 0.0.0.0
system/sit-tunnel

CLI Syntax

config system sit-tunnel
    edit <name_str>
        set name <string>
        set source <ipv4-address>
        set destination <ipv4-address>
        set ip6 <ipv6-prefix>
        set interface <string>
        set auto-asic-offload {enable | disable}
end
Description
Configuration Description Default Value
name Tunnel name. (Empty)
source Source IP address of tunnel. 0.0.0.0
destination Destination IP address of tunnel. 0.0.0.0
ip6 IPv6 address of tunnel. ::/0
interface Interface name. (Empty)
auto-asic-offload Enable/disable tunnel ASIC offloading. enable
system/sms-server

CLI Syntax

config system sms-server
    edit <name_str>
        set name <string>
        set mail-server <string>
end
Description
Configuration Description Default Value
name Name of SMS server. (Empty)
mail-server Email-to-SMS server domain name. (Empty)
system/storage

CLI Syntax

config system storage
    edit <name_str>
        set name <string>
        set partition <string>
        set media-type <string>
        set device <string>
        set size <integer>
end
Description
Configuration Description Default Value
name Storage name. default_n
partition Label of underlying partition. <unknown>
media-type Media of underlying disk. ?
device Partition device. ?
size Partition size. 0
system/switch-interface

CLI Syntax

config system switch-interface
    edit <name_str>
        set name <string>
        set vdom <string>
        set span-dest-port <string>
        config span-source-port
            edit <name_str>
                set interface-name <string>
        end
        config member
            edit <name_str>
                set interface-name <string>
        end
        set type {switch | hub}
        set intra-switch-policy {implicit | explicit}
        set span {disable | enable}
        set span-direction {rx | tx | both}
end
Description
Configuration Description Default Value
name Interface name. (Empty)
vdom VDOM. (Empty)
span-dest-port Span destination port. (Empty)
span-source-port Span source ports. (Empty)
member Interfaces that compose the virtual switch. (Empty)
type Type. switch
intra-switch-policy Enable/disable policies between the members of the switch interface. implicit
span Enable/disable span port. disable
span-direction SPAN direction. both
system/tos-based-priority

CLI Syntax

config system tos-based-priority
    edit <name_str>
        set id <integer>
        set tos <integer>
        set priority {low | medium | high}
end
Description
Configuration Description Default Value
id Item ID. 0
tos IP ToS value (0 - 15). 0
priority ToS based priority level. high
system/vdom

CLI Syntax

config system vdom
    edit <name_str>
        set name <string>
        set vcluster-id <integer>
        set temporary <integer>
end
Description
Configuration Description Default Value
name VDOM name. (Empty)
vcluster-id Virtual cluster ID (0 - 4294967295). 0
temporary Temporary. 0
system/vdom-dns

CLI Syntax

config system vdom-dns
    edit <name_str>
        set vdom-dns {enable | disable}
        set primary <ipv4-address>
        set secondary <ipv4-address>
        set ip6-primary <ipv6-address>
        set ip6-secondary <ipv6-address>
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
vdom-dns Enable/disable DNS per VDOM. disable
primary VDOM primary DNS IP. 0.0.0.0
secondary VDOM secondary DNS IP. 0.0.0.0
ip6-primary VDOM IPv6 primary DNS IP. ::
ip6-secondary VDOM IPv6 Secondary DNS IP. ::
source-ip Source IP for communications to DNS server. 0.0.0.0
system/vdom-link

CLI Syntax

config system vdom-link
    edit <name_str>
        set name <string>
        set vcluster {vcluster1 | vcluster2}
        set type {ppp | ethernet}
end
Description
Configuration Description Default Value
name VDOM link name. (Empty)
vcluster Virtual cluster. vcluster1
type Type. ppp
system/vdom-netflow

CLI Syntax

config system vdom-netflow
    edit <name_str>
        set vdom-netflow {enable | disable}
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
vdom-netflow Enable/disable NetFlow per VDOM. disable
collector-ip Collector IP. 0.0.0.0
collector-port NetFlow collector port. 2055
source-ip Source IP for NetFlow agent. 0.0.0.0
system/vdom-property

CLI Syntax

config system vdom-property
    edit <name_str>
        set name <string>
        set description <string>
        set snmp-index <integer>
        set session <user>
        set ipsec-phase1 <user>
        set ipsec-phase2 <user>
        set dialup-tunnel <user>
        set firewall-policy <user>
        set firewall-address <user>
        set firewall-addrgrp <user>
        set custom-service <user>
        set service-group <user>
        set onetime-schedule <user>
        set recurring-schedule <user>
        set user <user>
        set user-group <user>
        set sslvpn <user>
        set proxy <user>
        set log-disk-quota <user>
end
Description
Configuration Description Default Value
name VDOM name. (Empty)
description Description. (Empty)
snmp-index Permanent SNMP Index of the virtual domain. 0
session Maximum number (guaranteed number) of sessions. 0 0
ipsec-phase1 Maximum number (guaranteed number) of VPN IPsec phase1 tunnels. 0 0
ipsec-phase2 Maximum number (guaranteed number) of VPN IPsec phase2 tunnels. 0 0
dialup-tunnel Maximum number (guaranteed number) of dial-up tunnels. 0 0
firewall-policy Maximum number (guaranteed number) of firewall policies. 0 0
firewall-address Maximum number (guaranteed number) of firewall addresses. 0 0
firewall-addrgrp Maximum number (guaranteed number) of firewall address groups. 0 0
custom-service Maximum number (guaranteed number) of firewall custom services. 0 0
service-group Maximum number (guaranteed number) of firewall service groups. 0 0
onetime-schedule Maximum number (guaranteed number) of firewall one-time schedules. 0 0
recurring-schedule Maximum number (guaranteed number) of firewall recurring schedules. 0 0
user Maximum number (guaranteed number) of local users. 0 0
user-group Maximum number (guaranteed number) of user groups. 0 0
sslvpn Maximum number (guaranteed number) of SSL-VPN. 0 0
proxy Maximum number (guaranteed number) of concurrent proxy users. 0 0
log-disk-quota Log disk quota in MB. 0 0
system/vdom-radius-server

CLI Syntax

config system vdom-radius-server
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set radius-server-vdom <string>
end
Description
Configuration Description Default Value
name Name of virtual domain for server settings. (Empty)
status Enable or disable the entry. disable
radius-server-vdom Virtual domain of the dynamic profile RADIUS server to use for dynamic profile traffic in the current VDOM. (Empty)
system/vdom-sflow

CLI Syntax

config system vdom-sflow
    edit <name_str>
        set vdom-sflow {enable | disable}
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
vdom-sflow Enable/disable sFlow per VDOM. disable
collector-ip Collector IP. 0.0.0.0
collector-port sFlow collector port. 6343
source-ip Source IP for sFlow agent. 0.0.0.0
system/virtual-wan-link

CLI Syntax

config system virtual-wan-link
    edit <name_str>
        set status {disable | enable}
        set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
        set fail-detect {enable | disable}
        config fail-alert-interfaces
            edit <name_str>
                set name <string>
        end
        config members
            edit <name_str>
                set seq-num <integer>
                set interface <string>
                set gateway <ipv4-address>
                set weight <integer>
                set priority <integer>
                set spillover-threshold <integer>
                set ingress-spillover-threshold <integer>
                set volume-ratio <integer>
                set status {disable | enable}
        end
        config health-check
            edit <name_str>
                set name <string>
                set server <string>
                set protocol {ping | tcp-echo | udp-echo | http | twamp}
                set port <integer>
                set security-mode {none | authentication}
                set password <password>
                set packet-size <integer>
                set http-get <string>
                set http-match <string>
                set interval <integer>
                set timeout <integer>
                set failtime <integer>
                set recoverytime <integer>
                set update-cascade-interface {enable | disable}
                set update-static-route {enable | disable}
                set threshold-warning-packetloss <integer>
                set threshold-alert-packetloss <integer>
                set threshold-warning-latency <integer>
                set threshold-alert-latency <integer>
                set threshold-warning-jitter <integer>
                set threshold-alert-jitter <integer>
        end
        config service
            edit <name_str>
                set name <string>
                set mode {auto | manual | priority}
                set quality-link <integer>
                set member <integer>
                set tos <user>
                set tos-mask <user>
                set protocol <integer>
                set start-port <integer>
                set end-port <integer>
                config dst
                    edit <name_str>
                        set name <string>
                end
                config src
                    edit <name_str>
                        set name <string>
                end
                config users
                    edit <name_str>
                        set name <string>
                end
                config groups
                    edit <name_str>
                        set name <string>
                end
                set internet-service {enable | disable}
                config internet-service-custom
                    edit <name_str>
                        set name <string>
                end
                config internet-service-id
                    edit <name_str>
                        set id <integer>
                end
                set health-check <string>
                set link-cost-factor {latency | jitter | packet-loss}
                config priority-members
                    edit <name_str>
                        set seq-num <integer>
                end
        end
end
Description
Configuration Description Default Value
status Enable/disable using the virtual-wan-link settings. disable
load-balance-mode Load balance mode among virtual WAN link members. source-ip-based
fail-detect Enable/disable fail detection. disable
fail-alert-interfaces Physical interfaces that will be alerted. (Empty)
members Members belonging to the virtual-wan-link. (Empty)
health-check Health check. (Empty)
service Service to be distributed. (Empty)
system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set interface-name <string>
        end
        set wildcard-vlan {enable | disable}
    end
Description
Configuration Description Default Value
name virtual-wire-pair name. (Empty)
member Interfaces belonging to the port pair. (Empty)
wildcard-vlan Enable/disable wildcard VLAN. disable
system/wccp
CLI Syntax
config system wccp
    edit <name_str>
        set service-id <string>
        set router-id <ipv4-address>
        set cache-id <ipv4-address>
        set group-address <ipv4-address-multicast>
        set server-list <user>
        set router-list <user>
        set ports-defined {source | destination}
        set ports <user>
        set authentication {enable | disable}
        set password <password>
        set forward-method {GRE | L2 | any}
        set cache-engine-method {GRE | L2}
        set service-type {auto | standard | dynamic}
        set primary-hash {src-ip | dst-ip | src-port | dst-port}
        set priority <integer>
        set protocol <integer>
        set assignment-weight <integer>
        set assignment-bucket-format {wccp-v2 | cisco-implementation}
        set return-method {GRE | L2 | any}
        set assignment-method {HASH | MASK | any}
    end
Description
Configuration Description Default Value
service-id Service ID. (Empty)
router-id IP address which is known by all web cache servers. 0.0.0.0
cache-id IP address which is known by all routers. 0.0.0.0
group-address IP multicast address. 0.0.0.0
server-list Addresses of potential cache servers. (Empty)
router-list Addresses of potential routers. (Empty)
ports-defined Match method. (Empty)
ports Service ports. (Empty)
authentication Enable/disable MD5 authentication. disable
password Password of MD5 authentication. (Empty)
forward-method Method traffic is forwarded to cache servers. GRE
cache-engine-method Method traffic is forwarded to the router or returned to the cache engine. GRE
service-type Service type auto/standard/dynamic. auto
primary-hash Hash method. dst-ip
priority Service priority. 0
protocol Service protocol. 0
assignment-weight Cache server hash weight. 0
assignment-bucket-format Hash table bucket format. cisco-implementation
return-method Method traffic is returned back to firewall. GRE
assignment-method Assignment method preference. HASH
system/zone
CLI Syntax
config system zone
    edit <name_str>
        set name <string>
        set intrazone {allow | deny}
        config interface
            edit <name_str>
                set interface-name <string>
        end
    end
Description
Configuration Description Default Value
name Zone name. (Empty)
intrazone Intra-zone traffic. deny
interface Interfaces belonging to the zone. (Empty)
user/adgrp
CLI Syntax
config user adgrp
    edit <name_str>
        set name <string>
        set server-name <string>
        set polling-id <integer>
    end
Description
Configuration Description Default Value
name Name. (Empty)
server-name FSSO agent name. (Empty)
polling-id FSSO polling ID. 0
user/device
CLI Syntax
config user device
    edit <name_str>
        set alias <string>
        set mac <mac-address>
        set user <string>
        set master-device <string>
        set comment <var-string>
        set avatar <var-string>
        set type {ipad | iphone | gaming-console | blackberry-phone | blackberry-playbook | linux-pc | mac | windows-pc | android-phone | android-tablet | media-streaming | windows-phone | windows-tablet | fortinet-device | ip-phone | router-nat-device | printer | other-network-device}
    end
Description
Configuration Description Default Value
alias Device alias. (Empty)
mac Device MAC address(es). 00:00:00:00:00:00
user User name. (Empty)
master-device Master device (optional). (Empty)
comment Comment. (Empty)
avatar Image file for avatar (maximum 4K base64 encoded). (Empty)
type Device type. other-network-device
user/device-access-list
CLI Syntax
config user device-access-list
    edit <name_str>
        set name <string>
        set default-action {accept | deny}
        config device-list
            edit <name_str>
                set id <integer>
                set device <string>
                set action {accept | deny}
        end
    end
Description
Configuration Description Default Value
name Device access list name. (Empty)
default-action Allow or block unknown devices. accept
device-list Device list. (Empty)
user/device-category
CLI Syntax
config user device-category
    edit <name_str>
        set name <string>
        set desc <var-string>
        set comment <var-string>
    end
Description
Configuration Description Default Value
name Device category name. (Empty)
desc Device category description. (Empty)
comment Comment. (Empty)
user/device-group
CLI Syntax
config user device-group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
        end
        set comment <var-string>
    end
Description
Configuration Description Default Value
name Device group name. (Empty)
member Device group member. (Empty)
comment Comment. (Empty)
user/fortitoken
CLI Syntax
config user fortitoken
    edit <name_str>
        set serial-number <string>
        set status {active | lock}
        set seed <string>
        set comments <var-string>
        set license <string>
        set activation-code <string>
        set activation-expire <integer>
    end
Description
Configuration Description Default Value
serial-number Serial number. (Empty)
status Status. active
seed Token seed. (Empty)
comments Comment. (Empty)
license Mobile token license. (Empty)
activation-code Mobile token user activation-code. (Empty)
activation-expire Mobile token user activation-code expire time. 0
user/fsso
CLI Syntax
config user fsso
    edit <name_str>
        set name <string>
        set server <string>
        set port <integer>
        set password <password>
        set server2 <string>
        set port2 <integer>
        set password2 <password>
        set server3 <string>
        set port3 <integer>
        set password3 <password>
        set server4 <string>
        set port4 <integer>
        set password4 <password>
        set server5 <string>
        set port5 <integer>
        set password5 <password>
        set ldap-server <string>
        set source-ip <ipv4-address>
    end
Description
Configuration Description Default Value
name Name. (Empty)
server Address of the 1st FSSO agent. (Empty)
port Port of the 1st FSSO agent. 8000
password Password of the 1st FSSO agent. (Empty)
server2 Address of the 2nd FSSO agent. (Empty)
port2 Port of the 2nd FSSO agent. 8000
password2 Password of the 2nd FSSO agent. (Empty)
server3 Address of the 3rd FSSO agent. (Empty)
port3 Port of the 3rd FSSO agent. 8000
password3 Password of the 3rd FSSO agent. (Empty)
server4 Address of the 4th FSSO agent. (Empty)
port4 Port of the 4th FSSO agent. 8000
password4 Password of the 4th FSSO agent. (Empty)
server5 Address of the 5th FSSO agent. (Empty)
port5 Port of the 5th FSSO agent. 8000
password5 Password of the 5th FSSO agent. (Empty)
ldap-server LDAP server to get group information. (Empty)
source-ip Source IP for communications to FSSO agent. 0.0.0.0
user/fsso-polling
CLI Syntax
config user fsso-polling
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set server <string>
        set default-domain <string>
        set port <integer>
        set user <string>
        set password <password>
        set ldap-server <string>
        set logon-history <integer>
        set polling-frequency <integer>
        config adgrp
            edit <name_str>
                set name <string>
        end
    end
Description
Configuration Description Default Value
id Active Directory server ID. 0
status Enable/disable polling of this Active Directory server. enable
server Active Directory server name/IP address. (Empty)
default-domain Default domain in this server. (Empty)
port Port of the Active Directory server. 0
user Active Directory server user account. (Empty)
password Password to connect to Active Directory server. (Empty)
ldap-server LDAP Server NAME for group name and users. (Empty)
logon-history Hours to keep as an active logon (0 means keep forever). 8
polling-frequency Polling frequency (1 - 30 s). 10
adgrp LDAP Group Info. (Empty)
user/group
CLI Syntax
config user group
    edit <name_str>
        set name <string>
        set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
        set authtimeout <integer>
        set auth-concurrent-override {enable | disable}
        set auth-concurrent-value <integer>
        set http-digest-realm <string>
        set sso-attribute-value <string>
        config member
            edit <name_str>
                set name <string>
        end
        config match
            edit <name_str>
                set id <integer>
                set server-name <string>
                set group-name <string>
        end
        set user-id {email | auto-generate | specify}
        set password {auto-generate | specify | disable}
        set user-name {disable | enable}
        set sponsor {optional | mandatory | disabled}
        set company {optional | mandatory | disabled}
        set email {disable | enable}
        set mobile-phone {disable | enable}
        set sms-server {fortiguard | custom}
        set sms-custom-server <string>
        set expire-type {immediately | first-successful-login}
        set expire <integer>
        set max-accounts <integer>
        set multiple-guest-add {disable | enable}
        config guest
            edit <name_str>
                set user-id <string>
                set name <string>
                set group <string>
                set password <password>
                set mobile-phone <string>
                set sponsor <string>
                set company <string>
                set email <string>
                set expiration <user>
                set comment <var-string>
        end
    end
Description
Configuration Description Default Value
name Group name. (Empty)
group-type Type of user group. firewall
authtimeout Authentication timeout. 0
auth-concurrent-override Enable/disable concurrent authentication override. disable
auth-concurrent-value Maximum number of concurrent authenticated connections per user (0 - 100). 0
http-digest-realm Realm attribute for MD5-digest authentication. (Empty)
sso-attribute-value Single Sign On Attribute Value. (Empty)
member Group members. (Empty)
match Group matches. (Empty)
user-id User ID. email
password Password. auto-generate
user-name Enable/disable user name. disable
sponsor Sponsor. optional
company Company. optional
email Enable/disable email address. enable
mobile-phone Enable/disable mobile phone. disable
sms-server Send SMS through FortiGuard or other external server. fortiguard
sms-custom-server SMS server. (Empty)
expire-type Point at which expiration count down begins. immediately
expire Expiration (1 - 31536000 sec). 14400
max-accounts Maximum number of guest accounts that can be created for this group (0 = unlimited). 0
multiple-guest-add Enable/disable addition of multiple guests. disable
guest Guest User. (Empty)
user/ldap
CLI Syntax
config user ldap
    edit <name_str>
        set name <string>
        set server <string>
        set secondary-server <string>
        set tertiary-server <string>
        set source-ip <ipv4-address>
        set cnid <string>
        set dn <string>
        set type {simple | anonymous | regular}
        set username <string>
        set password <password>
        set group-member-check {user-attr | group-object}
        set group-object-filter <string>
        set secure {disable | starttls | ldaps}
        set ca-cert <string>
        set port <integer>
        set password-expiry-warning {enable | disable}
        set password-renewal {enable | disable}
        set member-attr <string>
        set search-type {nested}
    end
Description
Configuration Description Default Value
name LDAP server entry name. (Empty)
server {<name_str|ip_str>} LDAP server CN domain name or IP. (Empty)
secondary-server {<name_str|ip_str>} secondary LDAP server CN domain name or IP. (Empty)
tertiary-server {<name_str|ip_str>} tertiary LDAP server CN domain name or IP. (Empty)
source-ip Source IP for communications to LDAP server. 0.0.0.0
cnid Common Name Identifier (default = "cn"). cn
dn Distinguished Name. (Empty)
type Type of LDAP binding. simple
username Username (full DN) for initial binding. (Empty)
password Password for initial binding. (Empty)
group-member-check Group-member checking options. user-attr
group-object-filter Filter used for group searching. (&(objectcategory=group)(member=*))
secure SSL connection. disable
ca-cert CA certificate name. (Empty)
port Port number of the LDAP server (default = 389). 389
password-expiry-warning Enable/disable password expiry warnings. disable
password-renewal Enable/disable online password renewal. disable
member-attr Name of attribute from which to get group membership. memberOf
search-type Search type. (Empty)
user/local
CLI Syntax
config user local
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set type {password | radius | tacacs+ | ldap}
        set passwd <password>
        set ldap-server <string>
        set radius-server <string>
        set tacacs+-server <string>
        set two-factor {disable | fortitoken | email | sms}
        set fortitoken <string>
        set email-to <string>
        set sms-server {fortiguard | custom}
        set sms-custom-server <string>
        set sms-phone <string>
        set passwd-policy <string>
        set passwd-time <user>
        set authtimeout <integer>
        set workstation <string>
        set auth-concurrent-override {enable | disable}
        set auth-concurrent-value <integer>
    end
Description
Configuration Description Default Value
name User name. (Empty)
status Enable/disable user. enable
type Authentication type. (Empty)
passwd User password. (Empty)
ldap-server LDAP server name. (Empty)
radius-server RADIUS server name. (Empty)
tacacs+-server TACACS+ server name. (Empty)
two-factor Enable/disable two-factor authentication. disable
fortitoken Two-factor recipient's FortiToken serial number. (Empty)
email-to Two-factor recipient's email address. (Empty)
sms-server Send SMS through FortiGuard or other external server. fortiguard
sms-custom-server Two-factor recipient's SMS server. (Empty)
sms-phone Two-factor recipient's mobile phone number. (Empty)
passwd-policy Password policy. (Empty)
passwd-time Password last update time. 0000-00-00 00:00:00
authtimeout Authentication timeout. 0
workstation Name of remote user workstation. (Empty)
auth-concurrent-override Enable/disable concurrent authentication override. disable
auth-concurrent-value Maximum number of concurrent authenticated connections per user. 0
user/password-policy
CLI Syntax
config user password-policy
    edit <name_str>
        set name <string>
        set expire-days <integer>
        set warn-days <integer>
    end
Description
Configuration Description Default Value
name Password policy name. (Empty)
expire-days Number of days before the password expires. 180
warn-days Number of days to warn before the password expires. 15
user/peer
CLI Syntax
config user peer
    edit <name_str>
        set name <string>
        set mandatory-ca-verify {enable | disable}
        set ca <string>
        set subject <string>
        set cn <string>
        set cn-type {string | email | FQDN | ipv4 | ipv6}
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set ldap-mode {password | principal-name}
        set ocsp-override-server <string>
        set two-factor {enable | disable}
        set passwd <password>
    end
Description
Configuration Description Default Value
name Peer name. (Empty)
mandatory-ca-verify Enable/disable mandatory CA verify. disable
ca Peer certificate CA (CA name in local). (Empty)
subject Peer certificate name constraints. (Empty)
cn Peer certificate common name. (Empty)
cn-type Peer certificate common name type. string
ldap-server LDAP server for access rights check. (Empty)
ldap-username Username for LDAP server bind. (Empty)
ldap-password Password for LDAP server bind. (Empty)
ldap-mode Peer LDAP mode. password
ocsp-override-server OCSP server. (Empty)
two-factor Enable/disable 2-factor authentication (certificate + password). disable
passwd User password. (Empty)
user/peergrp
CLI Syntax
config user peergrp
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
        end
    end
Description
Configuration Description Default Value
name Peer group name. (Empty)
member Peer group members. (Empty)
user/pop3
CLI Syntax
config user pop3
    edit <name_str>
        set name <string>
        set server <string>
        set port <integer>
        set secure {none | starttls | pop3s}
    end
Description
Configuration Description Default Value
name POP3 server entry name. (Empty)
server {<name_str|ip_str>} server domain name or IP. (Empty)
port POP3 service port number. 0
secure SSL connection. starttls
user/radius
CLI Syntax
config user radius
    edit <name_str>
        set name <string>
        set server <string>
        set secret <password>
        set secondary-server <string>
        set secondary-secret <password>
        set tertiary-server <string>
        set tertiary-secret <password>
        set timeout <integer>
        set all-usergroup {disable | enable}
        set use-management-vdom {enable | disable}
        set nas-ip <ipv4-address>
        set acct-interim-interval <integer>
        set radius-coa {enable | disable}
        set radius-port <integer>
        set h3c-compatibility {enable | disable}
        set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
        set source-ip <ipv4-address>
        set username-case-sensitive {enable | disable}
        set password-renewal {enable | disable}
        set rsso {enable | disable}
        set rsso-radius-server-port <integer>
        set rsso-radius-response {enable | disable}
        set rsso-validate-request-secret {enable | disable}
        set rsso-secret <password>
        set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
        set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
        set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
        set sso-attribute-key <string>
        set sso-attribute-value-override {enable | disable}
        set rsso-context-timeout <integer>
        set rsso-log-period <integer>
        set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}
        set rsso-flush-ip-session {enable | disable}
        config accounting-server
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set server <string>
                set secret <password>
                set port <integer>
                set source-ip <ipv4-address>
        end
    end
Description
Configuration Description Default Value
name RADIUS server entry name. (Empty)
server {<name_str|ip_str>} primary server CN domain name or IP. (Empty)
secret Secret key to access the primary server. (Empty)
secondary-server {<name_str|ip_str>} secondary RADIUS CN domain name or IP. (Empty)
secondary-secret Secret key to access the secondary server. (Empty)
tertiary-server {<name_str|ip_str>} tertiary RADIUS CN domain name or IP. (Empty)
tertiary-secret Secret key to access the tertiary server. (Empty)
timeout Authentication time-out. 5
all-usergroup Enable/disable automatically including this RADIUS server in all user groups. disable
use-management-vdom Enable/disable using management VDOM to send requests. disable
nas-ip NAS IP address and called station ID. 0.0.0.0
acct-interim-interval Number of seconds between each accounting interim update message (600 - 86400 sec). 0
radius-coa Enable/Disable RADIUS CoA. disable
radius-port RADIUS service port number. 0
h3c-compatibility Enable/disable H3C compatibility. disable
auth-type Authentication Protocol. auto
source-ip Source IP for communications to RADIUS server. 0.0.0.0
username-case-sensitive Enable/disable case-sensitive username matching. disable
password-renewal Enable/disable password renewal. disable
rsso Enable/disable RADIUS based single sign on feature. disable
rsso-radius-server-port UDP port to listen on for RADIUS accounting packets. 1813
rsso-radius-response Enable/disable sending RADIUS response packets. disable
rsso-validate-request-secret Enable/disable validating RADIUS request shared secret. disable
rsso-secret RADIUS shared secret for responses / validating requests. (Empty)
rsso-endpoint-attribute RADIUS Attribute used to hold End Point name. Calling-Station-Id
rsso-endpoint-block-attribute RADIUS Attribute used to hold endpoint to block. (Empty)
sso-attribute RADIUS Attribute used to match the single sign on group value. Class
sso-attribute-key Key prefix for single-sign-on group value in the sso-attribute. (Empty)
sso-attribute-value-override Enable/disable override old attribute value with new value for the same endpoint. enable
rsso-context-timeout Timeout value for RADIUS server database entries (0 = infinite). 28800
rsso-log-period Minimum time period to use for event logs. 0
rsso-log-flags Events to log. protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
rsso-flush-ip-session Enable/disable flush user IP sessions on RADIUS accounting stop. disable
accounting-server Additional accounting servers. (Empty)
user/security-exempt-list
CLI Syntax
config user security-exempt-list
    edit <name_str>
        set name <string>
        set description <string>
        config rule
            edit <name_str>
                set id <integer>
                config srcaddr
                    edit <name_str>
                        set name <string>
                end
                config devices
                    edit <name_str>
                        set name <string>
                end
                config dstaddr
                    edit <name_str>
                        set name <string>
                end
                config service
                    edit <name_str>
                        set name <string>
                end
        end
    end
Description
Configuration Description Default Value
name Name of the exempt list. (Empty)
description Description. (Empty)
rule Exempt rules. (Empty)
user/setting
CLI Syntax
config user setting
    edit <name_str>
        set auth-type {http | https | ftp | telnet}
        set auth-cert <string>
        set auth-ca-cert <string>
        set auth-secure-http {enable | disable}
        set auth-http-basic {enable | disable}
        set auth-multi-group {enable | disable}
        set auth-timeout <integer>
        set auth-timeout-type {idle-timeout | hard-timeout | new-session}
        set auth-portal-timeout <integer>
        set radius-ses-timeout-act {hard-timeout | ignore-timeout}
        set auth-blackout-time <integer>
        set auth-invalid-max <integer>
        set auth-lockout-threshold <integer>
        set auth-lockout-duration <integer>
        config auth-ports
            edit <name_str>
                set id <integer>
                set type {http | https | ftp | telnet}
                set port <integer>
        end
    end
Description
Configuration Description Default Value
auth-type Allowed firewall policy authentication methods. http https ftp telnet
auth-cert HTTPS server certificate for policy authentication. (Empty)
auth-ca-cert HTTPS CA certificate for policy authentication. (Empty)
auth-secure-http Enable/disable use of HTTPS for HTTP authentication. disable
auth-http-basic Enable/disable use of HTTP BASIC for HTTP authentication. disable
auth-multi-group Enable/disable retrieval of groups to which a user belongs. enable
auth-timeout Firewall user authentication time-out. 5
auth-timeout-type Authenticated policy expiration behavior. idle-timeout
auth-portal-timeout Firewall captive portal authentication time-out (1 - 30 min, default - 3). 3
radius-ses-timeout-act RADIUS session timeout behavior. hard-timeout
auth-blackout-time Authentication blackout time (0 - 3600 s). 0
auth-invalid-max Number of invalid auth tries allowed before blackout. 5
auth-lockout-threshold Maximum number of failed login attempts before lockout (1 - 10). 3
auth-lockout-duration Lockout period in seconds after too many login failures. 0
auth-ports Authentication port table. (Empty)
user/tacacs+
CLI Syntax
config user tacacs+
    edit <name_str>
        set name <string>
        set server <string>
        set secondary-server <string>
        set tertiary-server <string>
        set port <integer>
        set key <password>
        set secondary-key <password>
        set tertiary-key <password>
        set authen-type {mschap | chap | pap | ascii | auto}
        set authorization {enable | disable}
        set source-ip <ipv4-address>
    end
Description
Configuration Description Default Value
name TACACS+ server entry name. (Empty)
server {<name_str|ip_str>} server CN domain name or IP. (Empty)
secondary-server {<name_str|ip_str>} secondary server CN domain name or IP. (Empty)
tertiary-server {<name_str|ip_str>} tertiary server CN domain name or IP. (Empty)
port Port number of the TACACS+ server. 49
key Key to access the server. (Empty)
secondary-key Key to access the secondary server. (Empty)
tertiary-key Key to access the tertiary server. (Empty)
authen-type Authentication type to use. auto
authorization Enable/disable TACACS+ authorization. disable
source-ip source IP for communications to TACACS+server.
0.0.0.0
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
690
voip/profileCLI Syntax
config voip profile edit <name_str> set name <string> set comment <var-string> config sip edit <name_str> set status {disable | enable} set rtp {disable | enable} set open-register-pinhole {disable | enable} set open-contact-pinhole {disable | enable} set strict-register {disable | enable} set register-rate <integer> set invite-rate <integer> set max-dialogs <integer> set max-line-length <integer> set block-long-lines {disable | enable} set block-unknown {disable | enable} set call-keepalive <integer> set block-ack {disable | enable} set block-bye {disable | enable} set block-cancel {disable | enable} set block-info {disable | enable} set block-invite {disable | enable} set block-message {disable | enable} set block-notify {disable | enable} set block-options {disable | enable} set block-prack {disable | enable} set block-publish {disable | enable} set block-refer {disable | enable} set block-register {disable | enable} set block-subscribe {disable | enable} set block-update {disable | enable} set register-contact-trace {disable | enable} set open-via-pinhole {disable | enable} set open-record-route-pinhole {disable | enable} set rfc2543-branch {disable | enable} set log-violations {disable | enable} set log-call-summary {disable | enable} set nat-trace {disable | enable} set subscribe-rate <integer> set message-rate <integer> set notify-rate <integer> set refer-rate <integer> set update-rate <integer> set options-rate <integer> set ack-rate <integer> set prack-rate <integer>
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
691
                set info-rate <integer>
                set publish-rate <integer>
                set bye-rate <integer>
                set cancel-rate <integer>
                set preserve-override {disable | enable}
                set no-sdp-fixup {disable | enable}
                set contact-fixup {disable | enable}
                set max-idle-dialogs <integer>
                set block-geo-red-options {disable | enable}
                set hosted-nat-traversal {disable | enable}
                set hnt-restrict-source-ip {disable | enable}
                set max-body-length <integer>
                set unknown-header {discard | pass | respond}
                set malformed-request-line {discard | pass | respond}
                set malformed-header-via {discard | pass | respond}
                set malformed-header-from {discard | pass | respond}
                set malformed-header-to {discard | pass | respond}
                set malformed-header-call-id {discard | pass | respond}
                set malformed-header-cseq {discard | pass | respond}
                set malformed-header-rack {discard | pass | respond}
                set malformed-header-rseq {discard | pass | respond}
                set malformed-header-contact {discard | pass | respond}
                set malformed-header-record-route {discard | pass | respond}
                set malformed-header-route {discard | pass | respond}
                set malformed-header-expires {discard | pass | respond}
                set malformed-header-content-type {discard | pass | respond}
                set malformed-header-content-length {discard | pass | respond}
                set malformed-header-max-forwards {discard | pass | respond}
                set malformed-header-allow {discard | pass | respond}
                set malformed-header-p-asserted-identity {discard | pass | respond}
                set malformed-header-sdp-v {discard | pass | respond}
                set malformed-header-sdp-o {discard | pass | respond}
                set malformed-header-sdp-s {discard | pass | respond}
                set malformed-header-sdp-i {discard | pass | respond}
                set malformed-header-sdp-c {discard | pass | respond}
                set malformed-header-sdp-b {discard | pass | respond}
                set malformed-header-sdp-z {discard | pass | respond}
                set malformed-header-sdp-k {discard | pass | respond}
                set malformed-header-sdp-a {discard | pass | respond}
                set malformed-header-sdp-t {discard | pass | respond}
                set malformed-header-sdp-r {discard | pass | respond}
                set malformed-header-sdp-m {discard | pass | respond}
                set provisional-invite-expiry-time <integer>
                set ips-rtp {disable | enable}
                set ssl-mode {off | full}
                set ssl-send-empty-frags {enable | disable}
                set ssl-client-renegotiation {allow | deny | secure}
                set ssl-algorithm {high | medium | low}
                set ssl-pfs {require | deny | allow}
                set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
                set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
                set ssl-client-certificate <string>
                set ssl-server-certificate <string>
                set ssl-auth-client <string>
                set ssl-auth-server <string>
        end
        config sccp
            edit <name_str>
                set status {disable | enable}
                set block-mcast {disable | enable}
                set verify-header {disable | enable}
                set log-call-summary {disable | enable}
                set log-violations {disable | enable}
                set max-calls <integer>
        end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
comment Comment. (Empty)
sip SIP. Details below
Configuration Default Value
status enable
rtp enable
open-register-pinhole enable
open-contact-pinhole enable
strict-register disable
register-rate 0
invite-rate 0
max-dialogs 0
max-line-length 998
block-long-lines enable
block-unknown enable
call-keepalive 0
block-ack disable
block-bye disable
block-cancel disable
block-info disable
block-invite disable
block-message disable
block-notify disable
block-options disable
block-prack disable
block-publish disable
block-refer disable
block-register disable
block-subscribe disable
block-update disable
register-contact-trace disable
open-via-pinhole disable
open-record-route-pinhole enable
rfc2543-branch disable
log-violations disable
log-call-summary enable
nat-trace enable
subscribe-rate 0
message-rate 0
notify-rate 0
refer-rate 0
update-rate 0
options-rate 0
ack-rate 0
prack-rate 0
info-rate 0
publish-rate 0
bye-rate 0
cancel-rate 0
preserve-override disable
no-sdp-fixup disable
contact-fixup enable
max-idle-dialogs 0
block-geo-red-options disable
hosted-nat-traversal disable
hnt-restrict-source-ip disable
max-body-length 0
unknown-header pass
malformed-request-line pass
malformed-header-via pass
malformed-header-from pass
malformed-header-to pass
malformed-header-call-id pass
malformed-header-cseq pass
malformed-header-rack pass
malformed-header-rseq pass
malformed-header-contact pass
malformed-header-record-route pass
malformed-header-route pass
malformed-header-expires pass
malformed-header-content-type pass
malformed-header-content-length pass
malformed-header-max-forwards pass
malformed-header-allow pass
malformed-header-p-asserted-identity pass
malformed-header-sdp-v pass
malformed-header-sdp-o pass
malformed-header-sdp-s pass
malformed-header-sdp-i pass
malformed-header-sdp-c pass
malformed-header-sdp-b pass
malformed-header-sdp-z pass
malformed-header-sdp-k pass
malformed-header-sdp-a pass
malformed-header-sdp-t pass
malformed-header-sdp-r pass
malformed-header-sdp-m pass
provisional-invite-expiry-time 210
ips-rtp enable
ssl-mode off
ssl-send-empty-frags enable
ssl-client-renegotiation allow
ssl-algorithm high
ssl-pfs allow
ssl-min-version tls-1.0
ssl-max-version tls-1.2
ssl-client-certificate (Empty)
ssl-server-certificate (Empty)
ssl-auth-client (Empty)
ssl-auth-server (Empty)
sccp SCCP. Details below
Configuration Default Value
status enable
block-mcast disable
verify-header disable
log-call-summary disable
log-violations disable
max-calls 0
vpn.certificate/ca
CLI Syntax
config vpn.certificate ca
    edit <name_str>
        set name <string>
        set ca <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set trusted {enable | disable}
        set scep-url <string>
        set auto-update-days <integer>
        set auto-update-days-warning <integer>
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
name Name. (Empty)
ca CA certificate. (Empty)
range CA certificate range. vdom
source CA certificate source. user
trusted Enable/disable trusted CA. enable
scep-url URL of SCEP server. (Empty)
auto-update-days Days to auto-update before expired, 0=disabled. 0
auto-update-days-warning Days to send update before auto-update (0=disabled). 0
source-ip Source IP for communications to SCEP server. 0.0.0.0
vpn.certificate/crl
CLI Syntax
config vpn.certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
name Name. (Empty)
crl Certificate Revocation List. (Empty)
range CRL range. vdom
source CRL source. user
update-vdom Virtual domain for CRL update. root
ldap-server LDAP server. (Empty)
ldap-username Login name for LDAP server. (Empty)
ldap-password Login password for LDAP server. (Empty)
http-url URL of HTTP server for CRL update. (Empty)
scep-url URL of CA server for CRL update via SCEP. (Empty)
scep-cert Local certificate used for CRL update via SCEP. Fortinet_CA_SSL
update-interval Seconds between updates, 0=disabled. 0
source-ip Source IP for communications to CA (HTTP/SCEP) server. 0.0.0.0
vpn.certificate/local
CLI Syntax
config vpn.certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end
Description
Configuration Description Default Value
name Name. (Empty)
password Password. (Empty)
comments Comment. (Empty)
private-key Private key. (Empty)
certificate Certificate. (Empty)
csr Certificate Signing Request. (Empty)
state Certificate Signing Request State. (Empty)
scep-url URL of SCEP server. (Empty)
range Certificate range. vdom
source Certificate source. user
auto-regenerate-days Days to auto-regenerate before expired, 0=disabled. 0
auto-regenerate-days-warning Days to send warning before auto-regeneration, 0=disabled. 0
scep-password SCEP server challenge password for auto-regeneration. (Empty)
ca-identifier CA identifier of the CA server for signing via SCEP. (Empty)
name-encoding Name encoding for auto-regeneration. printable
source-ip Source IP for communications to SCEP server. 0.0.0.0
ike-localid IKE local ID. (Empty)
ike-localid-type IKE local ID type. asn1dn
vpn.certificate/ocsp-server
CLI Syntax
config vpn.certificate ocsp-server
    edit <name_str>
        set name <string>
        set url <string>
        set cert <string>
        set secondary-url <string>
        set secondary-cert <string>
        set unavail-action {revoke | ignore}
        set source-ip <ipv4-address>
end
Description
Configuration Description Default Value
name OCSP server entry name. (Empty)
url URL to OCSP server. (Empty)
cert OCSP server certificate. (Empty)
secondary-url URL to secondary OCSP server. (Empty)
secondary-cert Secondary OCSP server certificate. (Empty)
unavail-action Action when server is unavailable. revoke
source-ip Source IP for communications to OCSP server. 0.0.0.0
vpn.certificate/remote
CLI Syntax
config vpn.certificate remote
    edit <name_str>
        set name <string>
        set remote <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
end
Description
Configuration Description Default Value
name Name. (Empty)
remote Remote certificate. (Empty)
range Remote certificate range. vdom
source Remote certificate source. user
vpn.certificate/setting
CLI Syntax
config vpn.certificate setting
    edit <name_str>
        set ocsp-status {enable | disable}
        set ocsp-default-server <string>
        set check-ca-cert {enable | disable}
        set strict-crl-check {enable | disable}
        set strict-ocsp-check {enable | disable}
end
Description
Configuration Description Default Value
ocsp-status OCSP status. disable
ocsp-default-server Default OCSP server. (Empty)
check-ca-cert Enable/disable check CA certificate. enable
strict-crl-check Enable/disable check CRL in strict mode. disable
strict-ocsp-check Enable/disable check OCSP in strict mode. disable
vpn.ipsec/concentrator
CLI Syntax
config vpn.ipsec concentrator
    edit <name_str>
        set name <string>
        set src-check {disable | enable}
        config member
            edit <name_str>
                set name <string>
        end
end
Description
Configuration Description Default Value
name Concentrator name. (Empty)
src-check Enable/disable use of source selector when choosing appropriate tunnel. disable
member Concentrator members. (Empty)
vpn.ipsec/forticlient
CLI Syntax
config vpn.ipsec forticlient
    edit <name_str>
        set realm <string>
        set usergroupname <string>
        set phase2name <string>
        set status {enable | disable}
end
Description
Configuration Description Default Value
realm FortiClient realm name. (Empty)
usergroupname User group name. (Empty)
phase2name Tunnel (phase2) name. (Empty)
status Enable/disable realm status. enable
vpn.ipsec/manualkey
CLI Syntax
config vpn.ipsec manualkey
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
        set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set authkey <user>
        set enckey <user>
        set localspi <user>
        set remotespi <user>
        set npu-offload {enable | disable}
end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
interface Interface name. (Empty)
remote-gw Peer gateway. 0.0.0.0
local-gw Local gateway. 0.0.0.0
authentication Authentication algorithm. null
encryption Encryption algorithm. null
authkey Authentication key. -
enckey Encryption key. -
localspi Local SPI. 0x100
remotespi Remote SPI. 0x100
npu-offload Enable/disable offloading NPU. enable
vpn.ipsec/manualkey-interface
CLI Syntax
config vpn.ipsec manualkey-interface
    edit <name_str>
        set name <string>
        set interface <string>
        set ip-version {4 | 6}
        set addr-type {4 | 6}
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set local-gw <ipv4-address-any>
        set local-gw6 <ipv6-address>
        set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
        set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set auth-key <user>
        set enc-key <user>
        set local-spi <user>
        set remote-spi <user>
        set npu-offload {enable | disable}
end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
interface Interface name. (Empty)
ip-version IP version to use for VPN interface. 4
addr-type IP version to use for IP packets. 4
remote-gw Remote IPv4 address of VPN gateway. 0.0.0.0
remote-gw6 Remote IPv6 address of VPN gateway. ::
local-gw Local IPv4 address of VPN gateway. 0.0.0.0
local-gw6 Local IPv6 address of VPN gateway. ::
auth-alg Authentication algorithm. null
enc-alg Encryption algorithm. null
auth-key Authentication key. -
enc-key Encryption key. -
local-spi Local SPI. 0x100
remote-spi Remote SPI. 0x100
npu-offload Enable/disable offloading NPU. enable
vpn.ipsec/phase1
CLI Syntax
config vpn.ipsec phase1
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ike-version {1 | 2}
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
        end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set autoconfig {disable | client | gateway}
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set mode-cfg-ip-version {4 | 6}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
        end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
        end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end
Description
Configuration Description Default Value
name IPsec remote gateway name. (Empty)
type Remote gateway type (static, dialup, or DDNS). static
interface Local outgoing interface. (Empty)
ike-version IKE protocol version (IKEv1 or IKEv2). 1
remote-gw Remote VPN gateway. 0.0.0.0
local-gw Local VPN gateway. 0.0.0.0
remotegw-ddns Domain name of remote gateway (e.g. name.DDNS.com). (Empty)
keylife Phase1 keylife. 86400
certificate Certificate name for signature. (Empty)
authmethod Authentication method. psk
mode Mode. main
peertype Peer type. any
peerid Peer ID. (Empty)
usrgrp User group. (Empty)
peer Accept this peer certificate. (Empty)
peergrp Accept this peer certificate group. (Empty)
autoconfig Auto-configuration type.
mode-cfg Enable/disable configuration method. disable
assign-ip Enable/disable assignment of IP to IPsec interface via configuration method. enable
mode-cfg-ip-version IP addressing to use for configuration method. 4
assign-ip-from Method by which the IP address will be assigned. range
ipv4-start-ip Start of IPv4 range. 0.0.0.0
ipv4-end-ip End of IPv4 range. 0.0.0.0
ipv4-netmask IPv4 Netmask. 255.255.255.255
dns-mode DNS server mode. manual
ipv4-dns-server1 IPv4 DNS server 1. 0.0.0.0
ipv4-dns-server2 IPv4 DNS server 2. 0.0.0.0
ipv4-dns-server3 IPv4 DNS server 3. 0.0.0.0
ipv4-wins-server1 WINS server 1. 0.0.0.0
ipv4-wins-server2 WINS server 2. 0.0.0.0
ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)
ipv4-split-include IPv4 split-include subnets. (Empty)
split-include-service Split-include services. (Empty)
ipv6-start-ip Start of IPv6 range. ::
ipv6-end-ip End of IPv6 range. ::
ipv6-prefix IPv6 prefix. 128
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-dns-server3 IPv6 DNS server 3. ::
ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)
ipv6-split-include IPv6 split-include subnets. (Empty)
unity-support Enable/disable support for Cisco UNITY Configuration Method extensions. enable
domain Instruct unity clients about the default DNS domain. (Empty)
banner Message that unity client should display after connecting. (Empty)
include-local-lan Enable/disable allow local LAN access on unity clients. disable
save-password Enable/disable saving XAuth username and password on VPN clients. disable
client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable
client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable
backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)
proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route Enable/disable control addition of a route to peer destination selector. disable
exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable
add-gw-route Enable/disable automatically add a route to the remote gateway. disable
psksecret Pre-shared secret for PSK authentication. (Empty)
keepalive NAT-T keep alive interval. 10
distance Distance for routes added by IKE (1 - 255). 15
priority Priority for routes added by IKE (0 - 4294967295). 0
localid Local ID. (Empty)
localid-type Local ID type. auto
auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable
negotiate-timeout IKE SA negotiation timeout in seconds. 30
fragmentation Enable/disable fragment IKE message on re-transmission. enable
dpd Dead Peer Detection mode. on-demand
dpd-retrycount Number of DPD retry attempts. 3
dpd-retryinterval DPD retry interval. 20
forticlient-enforcement Enable/disable FortiClient enforcement. disable
comments Comment. (Empty)
npu-offload Enable/disable offloading NPU. enable
send-cert-chain Enable/disable sending certificate chain. enable
dhgrp DH group. 14 5
suite-b Use Suite-B. disable
eap Enable/disable IKEv2 EAP authentication. disable
eap-identity IKEv2 EAP peer identity type. use-id-payload
acct-verify Enable/disable verification of RADIUS accounting record. disable
wizard-type GUI VPN Wizard Type. custom
xauthtype XAuth type. disable
reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable
authusr XAuth user name. (Empty)
authpasswd XAuth password (max 35 characters). (Empty)
authusrgrp Authentication user group. (Empty)
mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable
idle-timeout Enable/disable IPsec tunnel idle timeout. disable
idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15
ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable
nattraversal Enable/disable NAT traversal. enable
esn Extended sequence number (ESN) negotiation. disable
vpn.ipsec/phase1-interface
CLI Syntax
config vpn.ipsec phase1-interface
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ip-version {4 | 6}
        set ike-version {1 | 2}
        set local-gw <ipv4-address>
        set local-gw6 <ipv6-address>
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
        end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set default-gw <ipv4-address>
        set default-gw-priority <integer>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set monitor <string>
        set monitor-hold-down-type {immediate | delay | time}
        set monitor-hold-down-delay <integer>
        set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set monitor-hold-down-time <user>
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set mode-cfg-ip-version {4 | 6}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
        end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
        end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set auto-discovery-sender {enable | disable}
        set auto-discovery-receiver {enable | disable}
        set auto-discovery-forwarder {enable | disable}
        set auto-discovery-psk {enable | disable}
        set encapsulation {none | gre | vxlan}
        set encapsulation-address {ike | ipv4 | ipv6}
        set encap-local-gw4 <ipv4-address>
        set encap-local-gw6 <ipv6-address>
        set encap-remote-gw4 <ipv4-address>
        set encap-remote-gw6 <ipv6-address>
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end
Description
Configuration Description Default Value
name IPsec remote gateway name. (Empty)
type Remote gateway type (static, dialup, or DDNS). static
interface Local outgoing interface. (Empty)
ip-version IP version to use for VPN interface. 4
ike-version IKE protocol version (IKEv1 or IKEv2). 1
local-gw Local IPv4 address of VPN. 0.0.0.0
local-gw6 Local IPv6 address of VPN. ::
remote-gw Remote IPv4 address of VPN gateway. 0.0.0.0
remote-gw6 Remote IPv6 address of VPN. ::
remotegw-ddns Domain name of remote gateway (e.g. name.DDNS.com). (Empty)
keylife Phase1 keylife. 86400
certificate Certificate name for signature. (Empty)
authmethod Authentication method. psk
mode Mode. main
peertype Peer type. any
peerid Peer ID. (Empty)
default-gw IPv4 address of default route gateway to use for traffic exiting the interface. 0.0.0.0
default-gw-priority Priority for default gateway route. 0
usrgrp User group. (Empty)
peer Accept this peer certificate. (Empty)
peergrp Accept this peer certificate group. (Empty)
monitor IPsec interface to backup. (Empty)
monitor-hold-down-type Control recovery time when primary re-establishes. immediate
monitor-hold-down-delay Number of seconds to wait before recovery once primary re-establishes. 0
monitor-hold-down-weekday Day of the week to recover once primary re-establishes. sunday
monitor-hold-down-time Time of day to recover once primary re-establishes. 00:00
mode-cfg Enable/disable configuration method. disable
assign-ip Enable/disable assignment of IP to IPsec interface via configuration method. enable
mode-cfg-ip-version IP addressing to use for configuration method. 4
assign-ip-from Method by which the IP address will be assigned. range
ipv4-start-ip Start of IPv4 range. 0.0.0.0
ipv4-end-ip End of IPv4 range. 0.0.0.0
ipv4-netmask IPv4 Netmask. 255.255.255.255
dns-mode DNS server mode. manual
ipv4-dns-server1 IPv4 DNS server 1. 0.0.0.0
ipv4-dns-server2 IPv4 DNS server 2. 0.0.0.0
ipv4-dns-server3 IPv4 DNS server 3. 0.0.0.0
ipv4-wins-server1 WINS server 1. 0.0.0.0
ipv4-wins-server2 WINS server 2. 0.0.0.0
ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)
ipv4-split-include IPv4 split-include subnets. (Empty)
split-include-service Split-include services. (Empty)
ipv6-start-ip Start of IPv6 range. ::
ipv6-end-ip End of IPv6 range. ::
ipv6-prefix IPv6 prefix. 128
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-dns-server3 IPv6 DNS server 3. ::
ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)
ipv6-split-include IPv6 split-include subnets. (Empty)
unity-support Enable/disable support for Cisco UNITY Configuration Method extensions. enable
domain Instruct unity clients about the default DNS domain. (Empty)
banner Message that unity client should display after connecting. (Empty)
include-local-lan Enable/disable allow local LAN access on unity clients. disable
save-password Enable/disable saving XAuth username and password on VPN clients. disable
client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable
client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable
backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)
proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route Enable/disable control addition of a route to peer destination selector. enable
exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable
add-gw-route Enable/disable automatically add a route to the remote gateway. disable
psksecret Pre-shared secret for PSK authentication. (Empty)
keepalive NAT-T keep alive interval. 10
distance Distance for routes added by IKE (1 - 255). 15
priority Priority for routes added by IKE (0 - 4294967295). 0
localid Local ID. (Empty)
localid-type Local ID type. auto
auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable
negotiate-timeout IKE SA negotiation timeout in seconds. 30
fragmentation Enable/disable fragment IKE message on re-transmission. enable
dpd Dead Peer Detection mode. on-demand
dpd-retrycount Number of DPD retry attempts. 3
dpd-retryinterval DPD retry interval. 20
forticlient-enforcement Enable/disable FortiClient enforcement. disable
comments Comment. (Empty)
npu-offload Enable/disable offloading NPU. enable
send-cert-chain Enable/disable sending certificate chain. enable
dhgrp DH group. 14 5
suite-b Use Suite-B. disable
eap Enable/disable IKEv2 EAP authentication. disable
eap-identity IKEv2 EAP peer identity type. use-id-payload
acct-verify Enable/disable verification of RADIUS accounting record. disable
wizard-type GUI VPN Wizard Type. custom
xauthtype XAuth type. disable
reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable
authusr XAuth user name. (Empty)
authpasswd XAuth password (max 35 characters). (Empty)
authusrgrp Authentication user group. (Empty)
mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable
idle-timeout Enable/disable IPsec tunnel idle timeout. disable
idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15
ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable
auto-discovery-sender Enable/disable sending auto-discovery short-cut messages. disable
auto-discovery-receiver Enable/disable accepting auto-discovery short-cut messages. disable
auto-discovery-forwarder Enable/disable forwarding auto-discovery short-cut messages. disable
auto-discovery-psk Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. disable
encapsulation Enable/disable GRE/VXLAN encapsulation. none
encapsulation-address Source for GRE/VXLAN tunnel address. ike
encap-local-gw4 Local IPv4 address of GRE/VXLAN tunnel. 0.0.0.0
encap-local-gw6 Local IPv6 address of GRE/VXLAN tunnel. ::
encap-remote-gw4 Remote IPv4 address of GRE/VXLAN tunnel. 0.0.0.0
encap-remote-gw6 Remote IPv6 address of GRE/VXLAN tunnel. ::
nattraversal Enable/disable NAT traversal. enable
esn Extended sequence number (ESN) negotiation. disable
vpn.ipsec/phase2

CLI Syntax

config vpn.ipsec phase2
    edit <name_str>
        set name <string>
        set phase1name <string>
        set dhcp-ipsec {enable | disable}
        set use-natip {enable | disable}
        set selector-match {exact | subset | auto}
        set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 |
            des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
            3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
            aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm |
            aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
            aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm |
            aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
            aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
            aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
            seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set pfs {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set replay {enable | disable}
        set keepalive {enable | disable}
        set auto-negotiate {enable | disable}
        set add-route {phase1 | enable | disable}
        set keylifeseconds <integer>
        set keylifekbs <integer>
        set keylife-type {seconds | kbs | both}
        set single-source {enable | disable}
        set route-overlap {use-old | use-new | allow}
        set encapsulation {tunnel-mode | transport-mode}
        set l2tp {enable | disable}
        set comments <var-string>
        set protocol <integer>
        set src-name <string>
        set src-name6 <string>
        set src-addr-type {subnet | range | ip | name}
        set src-start-ip <ipv4-address-any>
        set src-start-ip6 <ipv6-address>
        set src-end-ip <ipv4-address-any>
        set src-end-ip6 <ipv6-address>
        set src-subnet <ipv4-classnet-any>
        set src-subnet6 <ipv6-prefix>
        set src-port <integer>
        set dst-name <string>
        set dst-name6 <string>
        set dst-addr-type {subnet | range | ip | name}
        set dst-start-ip <ipv4-address-any>
        set dst-start-ip6 <ipv6-address>
        set dst-end-ip <ipv4-address-any>
        set dst-end-ip6 <ipv6-address>
        set dst-subnet <ipv4-classnet-any>
        set dst-subnet6 <ipv6-prefix>
        set dst-port <integer>
    end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
phase1name IKE phase1 name. (Empty)
dhcp-ipsec Enable/disable DHCP-IPsec. disable
use-natip Enable/disable source NAT selector fix-up. enable
selector-match Match type to use when comparing selectors. auto
proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs Enable/disable PFS feature. enable
dhgrp Phase2 DH group. 14 5
replay Enable/disable replay detection. enable
keepalive Enable/disable keep alive. disable
auto-negotiate Enable/disable IPsec SA auto-negotiation. disable
add-route Enable/disable automatic route addition. phase1
keylifeseconds Phase2 keylife in time. 43200
keylifekbs Phase2 keylife in traffic (KB). 5120
keylife-type Keylife type. seconds
single-source Enable/disable single source IP restriction. disable
route-overlap Action for overlapping routes. use-new
encapsulation ESP encapsulation mode. tunnel-mode
l2tp Enable/disable L2TP over IPsec. disable
comments Comment. (Empty)
protocol Quick mode protocol selector (1 - 255 or 0 for all). 0
src-name Local proxy ID name. (Empty)
src-name6 Local proxy ID name. (Empty)
src-addr-type Local proxy ID type. subnet
src-start-ip Local proxy ID start. 0.0.0.0
src-start-ip6 Local proxy ID IPv6 start. ::
src-end-ip Local proxy ID end. 0.0.0.0
src-end-ip6 Local proxy ID IPv6 end. ::
src-subnet Local proxy ID subnet. 0.0.0.0 0.0.0.0
src-subnet6 Local proxy ID IPv6 subnet. ::/0
src-port Quick mode source port (1 - 65535 or 0 for all). 0
dst-name Remote proxy ID name. (Empty)
dst-name6 Remote proxy ID name. (Empty)
dst-addr-type Remote proxy ID type. subnet
dst-start-ip Remote proxy ID IPv4 start. 0.0.0.0
dst-start-ip6 Remote proxy ID IPv6 start. ::
dst-end-ip Remote proxy ID IPv4 end. 0.0.0.0
dst-end-ip6 Remote proxy ID IPv6 end. ::
dst-subnet Remote proxy ID IPv4 subnet. 0.0.0.0 0.0.0.0
dst-subnet6 Remote proxy ID IPv6 subnet. ::/0
dst-port Quick mode destination port (1 - 65535 or 0 for all). 0
vpn.ipsec/phase2-interface

CLI Syntax

config vpn.ipsec phase2-interface
    edit <name_str>
        set name <string>
        set phase1name <string>
        set dhcp-ipsec {enable | disable}
        set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 |
            des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
            3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
            aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm |
            aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
            aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm |
            aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
            aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
            aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
            seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set pfs {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set replay {enable | disable}
        set keepalive {enable | disable}
        set auto-negotiate {enable | disable}
        set add-route {phase1 | enable | disable}
        set auto-discovery-sender {phase1 | enable | disable}
        set auto-discovery-forwarder {phase1 | enable | disable}
        set keylifeseconds <integer>
        set keylifekbs <integer>
        set keylife-type {seconds | kbs | both}
        set single-source {enable | disable}
        set route-overlap {use-old | use-new | allow}
        set encapsulation {tunnel-mode | transport-mode}
        set l2tp {enable | disable}
        set comments <var-string>
        set protocol <integer>
        set src-name <string>
        set src-name6 <string>
        set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
        set src-start-ip <ipv4-address-any>
        set src-start-ip6 <ipv6-address>
        set src-end-ip <ipv4-address-any>
        set src-end-ip6 <ipv6-address>
        set src-subnet <ipv4-classnet-any>
        set src-subnet6 <ipv6-prefix>
        set src-port <integer>
        set dst-name <string>
        set dst-name6 <string>
        set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
        set dst-start-ip <ipv4-address-any>
        set dst-start-ip6 <ipv6-address>
        set dst-end-ip <ipv4-address-any>
        set dst-end-ip6 <ipv6-address>
        set dst-subnet <ipv4-classnet-any>
        set dst-subnet6 <ipv6-prefix>
        set dst-port <integer>
    end
Description
Configuration Description Default Value
name IPsec tunnel name. (Empty)
phase1name IKE phase1 name. (Empty)
dhcp-ipsec Enable/disable DHCP-IPsec. disable
proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs Enable/disable PFS feature. enable
dhgrp Phase2 DH group. 14 5
replay Enable/disable replay detection. enable
keepalive Enable/disable keep alive. disable
auto-negotiate Enable/disable IPsec SA auto-negotiation. disable
add-route Enable/disable automatic route addition. phase1
auto-discovery-sender Enable/disable sending short-cut messages. phase1
auto-discovery-forwarder Enable/disable forwarding short-cut messages. phase1
keylifeseconds Phase2 keylife in time. 43200
keylifekbs Phase2 keylife in traffic (KB). 5120
keylife-type Keylife type. seconds
single-source Enable/disable single source IP restriction. disable
route-overlap Action for overlapping routes. use-new
encapsulation ESP encapsulation mode. tunnel-mode
l2tp Enable/disable L2TP over IPsec. disable
comments Comment. (Empty)
protocol Quick mode protocol selector (1 - 255 or 0 for all). 0
src-name Local proxy ID name. (Empty)
src-name6 Local proxy ID name. (Empty)
src-addr-type Local proxy ID type. subnet
src-start-ip Local proxy ID start. 0.0.0.0
src-start-ip6 Local proxy ID IPv6 start. ::
src-end-ip Local proxy ID end. 0.0.0.0
src-end-ip6 Local proxy ID IPv6 end. ::
src-subnet Local proxy ID subnet. 0.0.0.0 0.0.0.0
src-subnet6 Local proxy ID IPv6 subnet. ::/0
src-port Quick mode source port (1 - 65535 or 0 for all). 0
dst-name Remote proxy ID name. (Empty)
dst-name6 Remote proxy ID name. (Empty)
dst-addr-type Remote proxy ID type. subnet
dst-start-ip Remote proxy ID IPv4 start. 0.0.0.0
dst-start-ip6 Remote proxy ID IPv6 start. ::
dst-end-ip Remote proxy ID IPv4 end. 0.0.0.0
dst-end-ip6 Remote proxy ID IPv6 end. ::
dst-subnet Remote proxy ID IPv4 subnet. 0.0.0.0 0.0.0.0
dst-subnet6 Remote proxy ID IPv6 subnet. ::/0
dst-port Quick mode destination port (1 - 65535 or 0 for all). 0
vpn.ssl.web/host-check-software

CLI Syntax

config vpn.ssl.web host-check-software
    edit <name_str>
        set name <string>
        set type {av | fw}
        set version <string>
        set guid <user>
        config check-item-list
            edit <name_str>
                set id <integer>
                set action {require | deny}
                set type {file | registry | process}
                set target <string>
                set version <string>
                config md5s
                    edit <name_str>
                        set id <string>
                    end
            end
    end
Description
Configuration Description Default Value
name Name. (Empty)
type Type. av
version Version. (Empty)
guid Globally unique ID. "00000000-0000-0000-0000-000000000000"
check-item-list Check item list. (Empty)
vpn.ssl.web/portal

CLI Syntax

config vpn.ssl.web portal
    edit <name_str>
        set name <string>
        set tunnel-mode {enable | disable}
        set ip-mode {range | user-group}
        set auto-connect {enable | disable}
        set keep-alive {enable | disable}
        set save-password {enable | disable}
        config ip-pools
            edit <name_str>
                set name <string>
            end
        set exclusive-routing {enable | disable}
        set service-restriction {enable | disable}
        set split-tunneling {enable | disable}
        config split-tunneling-routing-address
            edit <name_str>
                set name <string>
            end
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set ipv6-tunnel-mode {enable | disable}
        config ipv6-pools
            edit <name_str>
                set name <string>
            end
        set ipv6-exclusive-routing {enable | disable}
        set ipv6-service-restriction {enable | disable}
        set ipv6-split-tunneling {enable | disable}
        config ipv6-split-tunneling-routing-address
            edit <name_str>
                set name <string>
            end
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-wins-server1 <ipv6-address>
        set ipv6-wins-server2 <ipv6-address>
        set web-mode {enable | disable}
        set display-bookmark {enable | disable}
        set user-bookmark {enable | disable}
        set user-group-bookmark {enable | disable}
        config bookmark-group
            edit <name_str>
                set name <string>
                config bookmarks
                    edit <name_str>
                        set name <string>
                        set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
                        set url <var-string>
                        set host <var-string>
                        set folder <var-string>
                        set additional-params <var-string>
                        set listening-port <integer>
                        set remote-port <integer>
                        set show-status-window {enable | disable}
                        set description <var-string>
                        set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
                        set port <integer>
                        set logon-user <var-string>
                        set logon-password <password>
                        set sso {disable | static | auto}
                        config form-data
                            edit <name_str>
                                set name <string>
                                set value <var-string>
                            end
                        set sso-credential {sslvpn-login | alternative}
                        set sso-username <var-string>
                        set sso-password <password>
                    end
            end
        set display-connection-tools {enable | disable}
        set display-history {enable | disable}
        set display-status {enable | disable}
        set heading <string>
        set redir-url <var-string>
        set theme {blue | green | red | melongene}
        set custom-lang <string>
        set host-check {none | av | fw | av-fw | custom}
        set host-check-interval <integer>
        config host-check-policy
            edit <name_str>
                set name <string>
            end
        set limit-user-logins {enable | disable}
        set mac-addr-check {enable | disable}
        set mac-addr-action {allow | deny}
        config mac-addr-check-rule
            edit <name_str>
                set name <string>
                set mac-addr-mask <integer>
                config mac-addr-list
                    edit <name_str>
                        set addr <mac-address>
                    end
            end
        set os-check {enable | disable}
        config os-check-list
            edit <name_str>
                set name <string>
                set action {deny | allow | check-up-to-date}
                set tolerance <integer>
                set latest-patch-level <user>
            end
        set virtual-desktop {enable | disable}
        set virtual-desktop-app-list <string>
        set virtual-desktop-clipboard-share {enable | disable}
        set virtual-desktop-desktop-switch {enable | disable}
        set virtual-desktop-logout-when-browser-close {enable | disable}
        set virtual-desktop-network-share-access {enable | disable}
        set virtual-desktop-printing {enable | disable}
        set virtual-desktop-removable-media-access {enable | disable}
        set skip-check-for-unsupported-os {enable | disable}
        set skip-check-for-unsupported-browser {enable | disable}
    end
Description
Configuration Description Default Value
name Portal name. (Empty)
tunnel-mode Enable/disable SSL VPN tunnel mode. disable
ip-mode IP mode is range or by user group. range
auto-connect Enable/disable automatic connect by the client when the system is up. disable
keep-alive Enable/disable automatic re-connect by client. disable
save-password Enable/disable save of user password by client. disable
ip-pools Tunnel IP pools. (Empty)
exclusive-routing Enable/disable all traffic go through tunnel only. disable
service-restriction Enable/disable tunnel service restriction. disable
split-tunneling Enable/disable split tunneling. enable
split-tunneling-routing-address Split tunnelling address range for client routing. (Empty)
dns-server1 DNS server 1. 0.0.0.0
dns-server2 DNS server 2. 0.0.0.0
wins-server1 WINS server 1. 0.0.0.0
wins-server2 WINS server 2. 0.0.0.0
ipv6-tunnel-mode Enable/disable SSL VPN IPV6 tunnel mode. disable
ipv6-pools Tunnel IP pools. (Empty)
ipv6-exclusive-routing Enable/disable all IPv6 traffic going through the tunnel only. disable
ipv6-service-restriction Enable/disable IPv6 tunnel service restriction. disable
ipv6-split-tunneling Enable/disable IPv6 split tunneling. enable
ipv6-split-tunneling-routing-address IPv6 split tunnelling address range for client routing. (Empty)
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-wins-server1 IPv6 WINS server 1. ::
ipv6-wins-server2 IPv6 WINS server 2. ::
web-mode Enable/disable SSL VPN web mode. disable
display-bookmark Enable/disable displaying of bookmark widget. enable
user-bookmark Enable/disable user defined bookmark. enable
user-group-bookmark Enable/disable user group defined bookmark. enable
bookmark-group Portal bookmark group. (Empty)
display-connection-tools Enable/disable displaying of connection tools widget. enable
display-history Enable/disable displaying of user login history widget. enable
display-status Enable/disable display of status widget. enable
heading Portal heading message. SSL-VPN Portal
redir-url Client login redirect URL. (Empty)
theme Color scheme for the portal. blue
custom-lang Custom portal language. (Empty)
host-check Configure host check settings. none
host-check-interval Periodic host check interval. 0
host-check-policy Host check policy. (Empty)
limit-user-logins Enable/disable allowing users to have only one active SSL VPN connection at a time. disable
mac-addr-check Client MAC address check. disable
mac-addr-action Client MAC address action. allow
mac-addr-check-rule Client MAC address check rule. (Empty)
os-check Enable/disable SSL VPN OS check. disable
os-check-list SSL VPN OS checks. (Empty)
virtual-desktop Enable/disable SSL VPN virtual desktop. disable
virtual-desktop-app-list Virtual desktop application list. (Empty)
virtual-desktop-clipboard-share Enable/disable sharing of clipboard in virtual desktop. disable
virtual-desktop-desktop-switch Enable/disable switch to virtual desktop. enable
virtual-desktop-logout-when-browser-close Enable/disable logout when the browser is closed in virtual desktop. disable
virtual-desktop-network-share-access Enable/disable network share access in virtual desktop. disable
virtual-desktop-printing Enable/disable printing in virtual desktop. disable
virtual-desktop-removable-media-access Enable/disable access to removable media in virtual desktop. disable
skip-check-for-unsupported-os Skip check for unsupported OS. enable
skip-check-for-unsupported-browser Skip check for unsupported browsers. enable
vpn.ssl.web/realm

CLI Syntax

config vpn.ssl.web realm
    edit <name_str>
        set url-path <string>
        set max-concurrent-user <integer>
        set login-page <var-string>
        set virtual-host <var-string>
    end
Description
Configuration Description Default Value
url-path URL path to access SSL-VPN login page. (Empty)
max-concurrent-user Maximum concurrent users (0 - 65535, 0 for unlimited). 0
login-page Replacement HTML for SSL-VPN login page. (Empty)
virtual-host Virtual host name for realm. (Empty)
vpn.ssl.web/user-bookmark

CLI Syntax

config vpn.ssl.web user-bookmark
    edit <name_str>
        set name <string>
        set custom-lang <string>
        config bookmarks
            edit <name_str>
                set name <string>
                set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
                set url <var-string>
                set host <var-string>
                set folder <var-string>
                set additional-params <var-string>
                set listening-port <integer>
                set remote-port <integer>
                set show-status-window {enable | disable}
                set description <var-string>
                set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
                set port <integer>
                set logon-user <var-string>
                set logon-password <password>
                set sso {disable | static | auto}
                config form-data
                    edit <name_str>
                        set name <string>
                        set value <var-string>
                    end
                set sso-credential {sslvpn-login | alternative}
                set sso-username <var-string>
                set sso-password <password>
            end
    end
Description
Configuration Description Default Value
name User and group name. (Empty)
custom-lang Personal language. (Empty)
bookmarks Bookmark table. (Empty)
vpn.ssl.web/virtual-desktop-app-list

CLI Syntax

config vpn.ssl.web virtual-desktop-app-list
    edit <name_str>
        set name <string>
        set action {allow | block}
        config apps
            edit <name_str>
                set name <string>
                config md5s
                    edit <name_str>
                        set id <string>
                    end
            end
    end
Description
Configuration Description Default Value
name Application list name. (Empty)
action Action. allow
apps Applications. (Empty)
vpn.ssl/settings

CLI Syntax

config vpn.ssl settings
    edit <name_str>
        set reqclientcert {enable | disable}
        set sslv2 {enable | disable}
        set sslv3 {enable | disable}
        set tlsv1-0 {enable | disable}
        set tlsv1-1 {enable | disable}
        set tlsv1-2 {enable | disable}
        set ssl-big-buffer {enable | disable}
        set ssl-insert-empty-fragment {enable | disable}
        set https-redirect {enable | disable}
        set ssl-client-renegotiation {disable | enable}
        set force-two-factor-auth {enable | disable}
        set unsafe-legacy-renegotiation {enable | disable}
        set servercert <string>
        set algorithm {default | high | low}
        set idle-timeout <integer>
        set auth-timeout <integer>
        config tunnel-ip-pools
            edit <name_str>
                set name <string>
            end
        config tunnel-ipv6-pools
            edit <name_str>
                set name <string>
            end
        set dns-suffix <var-string>
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-wins-server1 <ipv6-address>
        set ipv6-wins-server2 <ipv6-address>
        set route-source-interface {enable | disable}
        set url-obscuration {enable | disable}
        set http-compression {enable | disable}
        set http-only-cookie {enable | disable}
        set deflate-compression-level <integer>
        set deflate-min-data-size <integer>
        set port <integer>
        set port-precedence {enable | disable}
        set auto-tunnel-static-route {enable | disable}
        set header-x-forwarded-for {pass | add | remove}
        config source-interface
            edit <name_str>
                set name <string>
            end
        config source-address
            edit <name_str>
                set name <string>
            end
        set source-address-negate {enable | disable}
        config source-address6
            edit <name_str>
                set name <string>
            end
        set source-address6-negate {enable | disable}
        set default-portal <string>
        config authentication-rule
            edit <name_str>
                set id <integer>
                config source-interface
                    edit <name_str>
                        set name <string>
                    end
                config source-address
                    edit <name_str>
                        set name <string>
                    end
                set source-address-negate {enable | disable}
                config source-address6
                    edit <name_str>
                        set name <string>
                    end
                set source-address6-negate {enable | disable}
                config users
                    edit <name_str>
                        set name <string>
                    end
                config groups
                    edit <name_str>
                        set name <string>
                    end
                set portal <string>
                set realm <string>
                set client-cert {enable | disable}
                set cipher {any | high | medium}
                set auth {any | local | radius | tacacs+ | ldap}
            end
        set dtls-tunnel {enable | disable}
        set check-referer {enable | disable}
    end
Description
Configuration Description Default Value
reqclientcert Enable/disable require client certificate. disable
sslv2 Enable/disable SSLv2. disable
sslv3 Enable/disable SSLv3. disable
tlsv1-0 Enable/disable TLSv1.0. disable
tlsv1-1 Enable/disable TLSv1.1. enable
tlsv1-2 Enable/disable TLSv1.2. enable
ssl-big-buffer Enable/disable big SSLv3 buffer. disable
ssl-insert-empty-fragment Enable/disable insertion of empty fragment. enable
https-redirect Enable/disable redirect of port 80 to the SSL-VPN port. disable
ssl-client-renegotiation Allow/block client renegotiation by server. disable
force-two-factor-auth Enable/disable force two-factor authentication. disable
unsafe-legacy-renegotiation Enable/disable unsafe legacy re-negotiation. disable
servercert Server certificate. Fortinet_Factory
algorithm Allow algorithms. high
idle-timeout SSL VPN disconnects if idle for specified time. 300
auth-timeout Forced re-authentication after timeout. 28800
tunnel-ip-pools Tunnel IP pools. (Empty)
tunnel-ipv6-pools Tunnel IPv6 pools. (Empty)
dns-suffix DNS suffix. (Empty)
dns-server1 DNS server 1. 0.0.0.0
dns-server2 DNS server 2. 0.0.0.0
wins-server1 WINS server 1. 0.0.0.0
wins-server2 WINS server 2. 0.0.0.0
ipv6-dns-server1 IPv6 DNS server 1. ::
ipv6-dns-server2 IPv6 DNS server 2. ::
ipv6-wins-server1 IPv6 WINS server 1. ::
ipv6-wins-server2 IPv6 WINS server 2. ::
route-source-interface Enable/disable bind client side outgoing interface. disable
url-obscuration Enable/disable URL obscuration. disable
http-compression Enable/disable support HTTP compression. disable
http-only-cookie Enable/disable support HTTP only cookie. enable
deflate-compression-level Compression level (0~9). 6
deflate-min-data-size Minimum size to start compression (200 - 65535). 300
port SSL VPN access HTTPS port (1 - 65535). 10443
port-precedence Enable/disable SSL VPN port precedence over the admin GUI HTTPS port. enable
auto-tunnel-static-route Enable/disable auto-creation of a static route for tunnel IP addresses. enable
header-x-forwarded-for Action for the HTTP X-Forwarded-For header on forwarded requests. add
source-interface SSL VPN source interface of incoming traffic. (Empty)
source-address Source address of incoming traffic. (Empty)
source-address-negate Enable/disable negated source address match. disable
source-address6 IPv6 source address of incoming traffic. (Empty)
source-address6-negate Enable/disable negated source IPv6 address match. disable
default-portal Default SSL VPN portal. (Empty)
authentication-rule Authentication rule for SSL VPN. (Empty)
dtls-tunnel Enable/disable DTLS tunnel. enable
check-referer Enable/disable verification of the Referer field in the HTTP request header. disable
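The phase1/phase2 proposal lists above let you select null, DES, 3DES and MD5 transforms and DH groups 1, 2 and 5, and the SSL VPN settings can still enable SSLv2, SSLv3, TLS 1.0 and unsafe legacy renegotiation. The following is an added example, not code from this reference or from Fortinet: a small Python auditor that parses the `config / edit / set / next / end` text a FortiGate writes in a configuration backup and reports such settings for the phase1-interface, phase2-interface and `vpn ssl settings` tables. The sample backup is constructed for the example; a backup omits options left at their default, so the auditor applies the defaults documented in the tables above (dhgrp `14 5`, pfs `enable`) when an option is absent. Which transforms and groups count as weak is the author's choice, not something the reference states.

```python
"""Audit a FortiOS configuration backup for weak IPsec and SSL VPN settings.

Added example, not code from the FortiOS CLI Reference. It parses the
'config / edit / set / next / end' text that a FortiGate writes in a backup
and checks the phase1-interface, phase2-interface and 'vpn ssl settings'
options documented above. Absent options are taken at their documented
defaults (dhgrp "14 5", pfs enable).
"""
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample backup, not from a real device; weak values on purpose.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-a"
        set proposal aes128-sha256 3des-sha1
        set dhgrp 14 2
    next
end
config vpn ipsec phase2-interface
    edit "branch-a"
        set phase1name "branch-a"
        set proposal des-md5 aes128-sha1
        set pfs disable
    next
    edit "branch-b"
        set phase1name "branch-b"
        set proposal aes256gcm
        set dhgrp 14
    next
end
config vpn ssl settings
    set sslv3 enable
    set tlsv1-0 enable
    set unsafe-legacy-renegotiation enable
    set reqclientcert disable
    set force-two-factor-auth disable
end
"""
Entries = Dict[Tuple[str, str], Dict[str, List[str]]]


def parse_fortios(text: str) -> Entries:
    """Map (config path, entry name) -> {option: [values]}; a table-less
    block such as 'vpn ssl settings' is keyed with entry name ""."""
    entries: Entries = {}
    path: List[str] = []   # config path per nesting level
    names: List[str] = []  # current edit name per nesting level
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # strips the quotes from "branch-a"
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            path.append(" ".join(tokens[1:]))
            names.append("")
        elif kw == "edit":
            names[-1] = tokens[1] if len(tokens) > 1 else ""
        elif kw == "next":
            names[-1] = ""
        elif kw == "end":
            path.pop()
            names.pop()
        elif kw == "set" and len(tokens) >= 2:
            entries.setdefault((" ".join(path), names[-1]), {})[tokens[1]] = tokens[2:]
    return entries


WEAK_ALG = re.compile(r"(^|-)(null|des|3des|md5)(-|$)")  # selectable, but broken
WEAK_DH = {"1", "2", "5"}
IKE_PATHS = {"vpn ipsec phase1", "vpn ipsec phase1-interface",
             "vpn ipsec phase2", "vpn ipsec phase2-interface"}


def audit(entries: Entries) -> List[str]:
    """One finding per weak setting, in configuration order."""
    findings: List[str] = []
    for (path, name), opts in entries.items():
        where = f"{path} {name}".strip()
        if path in IKE_PATHS:
            for prop in opts.get("proposal", []):
                if WEAK_ALG.search(prop):
                    findings.append(f"{where}: weak proposal {prop}")
            weak = WEAK_DH & set(opts.get("dhgrp", ["14", "5"]))  # documented default
            if weak:
                findings.append(f"{where}: weak DH group(s) {' '.join(sorted(weak))}")
            if path.startswith("vpn ipsec phase2") and opts.get("pfs", ["enable"]) == ["disable"]:
                findings.append(f"{where}: PFS disabled")
        elif path == "vpn ssl settings":
            for opt in ("sslv2", "sslv3", "tlsv1-0",
                        "ssl-client-renegotiation", "unsafe-legacy-renegotiation"):
                if opts.get(opt) == ["enable"]:
                    findings.append(f"{where}: {opt} enabled")
            if (opts.get("reqclientcert", ["disable"]) == ["disable"]
                    and opts.get("force-two-factor-auth", ["disable"]) == ["disable"]):
                findings.append(f"{where}: password-only login (no client cert, no two-factor)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a real backup by reading the file into `parse_fortios`. Note that the phase2 `branch-a` entry is flagged for DH group 5 even though it sets no `dhgrp` at all: the documented default is `14 5`, and a backup does not record it, so an auditor that only looks at explicit lines misses it.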
vpn/l2tp

CLI Syntax

config vpn l2tp
    edit <name_str>
        set eip <ipv4-address>
        set sip <ipv4-address>
        set status {enable | disable}
        set usrgrp <string>
    end
Description
Configuration Description Default Value
eip End IP. 0.0.0.0
sip Start IP. 0.0.0.0
status Enable/disable FortiGate as a L2TP gateway. disable
usrgrp User group. (Empty)
vpn/pptp

CLI Syntax

config vpn pptp
    edit <name_str>
        set status {enable | disable}
        set ip-mode {range | usrgrp}
        set eip <ipv4-address>
        set sip <ipv4-address>
        set local-ip <ipv4-address>
        set usrgrp <string>
    end
Description
Configuration Description Default Value
status Enable/disable FortiGate as a PPTP gateway. disable
ip-mode IP assignment mode for PPTP client. range
eip End IP. 0.0.0.0
sip Start IP. 0.0.0.0
local-ip Local IP to be used for peer's remote IP. 0.0.0.0
usrgrp User group. (Empty)
waf/main-class

CLI Syntax

config waf main-class
    edit <name_str>
        set name <string>
        set id <integer>
    end
Description
Configuration Description Default Value
name Main signature class name. (Empty)
id Main signature class ID. 0
waf/profile

CLI Syntax

config waf profile
    edit <name_str>
        set name <string>
        set external {disable | enable}
        config signature
            edit <name_str>
                config main-class
                    edit <name_str>
                        set id <integer>
                        set status {enable | disable}
                        set action {allow | block | erase}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config disabled-sub-class
                    edit <name_str>
                        set id <integer>
                    end
                config disabled-signature
                    edit <name_str>
                        set id <integer>
                    end
                set credit-card-detection-threshold <integer>
                config custom-signature
                    edit <name_str>
                        set name <string>
                        set status {enable | disable}
                        set action {allow | block | erase}
                        set log {enable | disable}
                        set severity {high | medium | low}
                        set direction {request | response}
                        set case-sensitivity {disable | enable}
                        set pattern <string>
                        set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
                    end
            end
        config constraint
            edit <name_str>
                config header-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config content-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config param-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config line-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config url-param-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config version
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config method
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config hostname
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config malformed
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-cookie
                    edit <name_str>
                        set status {enable | disable}
                        set max-cookie <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-header-line
                    edit <name_str>
                        set status {enable | disable}
                        set max-header-line <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-url-param
                    edit <name_str>
                        set status {enable | disable}
                        set max-url-param <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-range-segment
                    edit <name_str>
                        set status {enable | disable}
                        set max-range-segment <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config exception
                    edit <name_str>
                        set id <integer>
                        set pattern <string>
                        set regex {enable | disable}
                        set address <string>
                        set header-length {enable | disable}
                        set content-length {enable | disable}
                        set param-length {enable | disable}
                        set line-length {enable | disable}
                        set url-param-length {enable | disable}
                        set version {enable | disable}
                        set method {enable | disable}
                        set hostname {enable | disable}
                        set malformed {enable | disable}
                        set max-cookie {enable | disable}
                        set max-header-line {enable | disable}
                        set max-url-param {enable | disable}
                        set max-range-segment {enable | disable}
                    end
            end
        config method
            edit <name_str>
                set status {enable | disable}
                set log {enable | disable}
                set severity {high | medium | low}
                set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
                config method-policy
                    edit <name_str>
                        set id <integer>
                        set pattern <string>
                        set regex {enable | disable}
                        set address <string>
                        set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
                    end
            end
        config address-list
            edit <name_str>
                set status {enable | disable}
                set blocked-log {enable | disable}
                set severity {high | medium | low}
                config trusted-address
                    edit <name_str>
                        set name <string>
                    end
                config blocked-address
                    edit <name_str>
                        set name <string>
                    end
            end
        config url-access
            edit <name_str>
                set id <integer>
                set address <string>
                set action {bypass | permit | block}
                set log {enable | disable}
                set severity {high | medium | low}
                config access-pattern
                    edit <name_str>
                        set id <integer>
                        set srcaddr <string>
                        set pattern <string>
                        set regex {enable | disable}
                        set negate {enable | disable}
                    end
            end
        set comment <var-string>
    end
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
771
Description
Configuration Description Default Value
name WAF Profile name. (Empty)
external Disable/Enable external HTTP Inspection. disable
signature WAF signatures. Details below
Configuration Default Value
main-class (Empty)
disabled-sub-class (Empty)
disabled-signature (Empty)
credit-card-detection-threshold 3
custom-signature (Empty)
constraint WAF HTTP protocol restrictions. Details below
Configuration Default Value
header-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
content-length {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}
param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
line-length {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}
url-param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
version {"status":"disable","action":"allow","log":"disable","severity":"medium"}
method {"status":"disable","action":"allow","log":"disable","severity":"medium"}
hostname {"status":"disable","action":"allow","log":"disable","severity":"medium"}
malformed {"status":"disable","action":"allow","log":"disable","severity":"medium"}
max-cookie {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}
max-header-line {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}
max-url-param {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}
max-range-segment {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}
exception (Empty)
method Method restriction. Details below
Configuration Default Value
status disable
log disable
severity medium
default-allowed-methods (Empty)
method-policy (Empty)
address-list Black address list and white address list. Details below
Configuration Default Value
status disable
blocked-log disable
severity medium
trusted-address (Empty)
blocked-address (Empty)
url-access URL access list (Empty)
comment Comment. (Empty)
waf/signature
CLI Syntax
config waf signature
    edit <name_str>
        set desc <string>
        set id <integer>
end
Description
Configuration Description Default Value
desc Signature description. (Empty)
id Signature ID. 0
waf/sub-class
CLI Syntax
config waf sub-class
    edit <name_str>
        set name <string>
        set id <integer>
end
Description
Configuration Description Default Value
name Signature subclass name. (Empty)
id Signature subclass ID. 0
wanopt/auth-group
CLI Syntax
config wanopt auth-group
    edit <name_str>
        set name <string>
        set auth-method {cert | psk}
        set psk <password>
        set cert <string>
        set peer-accept {any | defined | one}
        set peer <string>
end
Description
Configuration Description Default Value
name Auth-group name. (Empty)
auth-method Group authentication method. cert
psk Pre-shared secret for PSK authentication. (Empty)
cert Name of certificate to identify this host. (Empty)
peer-accept Peer acceptance method. any
peer Peer host ID. (Empty)
wanopt/peer
CLI Syntax
config wanopt peer
    edit <name_str>
        set peer-host-id <string>
        set ip <ipv4-address-any>
end
Description
Configuration Description Default Value
peer-host-id Peer host ID. (Empty)
ip Peer IP address. 0.0.0.0
wanopt/profile
CLI Syntax
config wanopt profile
    edit <name_str>
        set name <string>
        set transparent {enable | disable}
        set comments <var-string>
        set auth-group <string>
        config http
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set prefer-chunking {dynamic | fix}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
                set ssl {enable | disable}
                set ssl-port <integer>
                set unknown-http-version {reject | tunnel | best-effort}
                set tunnel-non-http {enable | disable}
        end
        config cifs
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set prefer-chunking {dynamic | fix}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
        end
        config mapi
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
        end
        config ftp
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set prefer-chunking {dynamic | fix}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
        end
        config tcp
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set byte-caching-opt {mem-only | mem-disk}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <user>
                set ssl {enable | disable}
                set ssl-port <integer>
        end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
transparent Enable/disable transparent mode. enable
comments Comment. (Empty)
auth-group Peer authentication group. (Empty)
http HTTP protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 80
ssl disable
ssl-port 443
unknown-http-version tunnel
tunnel-non-http disable
cifs CIFS protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 445
mapi MAPI protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
tunnel-sharing private
log-traffic enable
port 135
ftp FTP protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 21
tcp TCP protocol settings. Details below
Configuration Default Value
status disable
secure-tunnel disable
byte-caching disable
byte-caching-opt mem-only
tunnel-sharing private
log-traffic enable
port 1-65535
ssl disable
ssl-port 443 990 995 465 993
wanopt/settings
CLI Syntax
config wanopt settings
    edit <name_str>
        set host-id <string>
        set tunnel-ssl-algorithm {high | medium | low}
        set auto-detect-algorithm {simple | diff-req-resp}
end
Description
Configuration Description Default Value
host-id Host identity. default-id
tunnel-ssl-algorithm Relative strength of encryption algorithms accepted in tunnel negotiation. high
auto-detect-algorithm Auto detection algorithms used in tunnel negotiation. simple
wanopt/storage
CLI Syntax
config wanopt storage
    edit <name_str>
        set name <string>
        set size <integer>
        set webcache-storage-percentage <integer>
        set webcache-storage-size <user>
        set wan-optimization-cache-storage-size <user>
end
Description
Configuration Description Default Value
name Storage name. (Empty)
size Maximum total size of files within the storage (MB). 1024
webcache-storage-percentage Percentage of storage available for Web cache. The rest is used for WAN optimization. 50
webcache-storage-size Web cache storage size. (Empty)
wan-optimization-cache-storage-size WAN optimization cache storage size. (Empty)
wanopt/webcache
CLI Syntax
config wanopt webcache
    edit <name_str>
        set max-object-size <integer>
        set neg-resp-time <integer>
        set fresh-factor <integer>
        set max-ttl <integer>
        set min-ttl <integer>
        set default-ttl <integer>
        set ignore-ims {enable | disable}
        set ignore-conditional {enable | disable}
        set ignore-pnc {enable | disable}
        set ignore-ie-reload {enable | disable}
        set cache-expired {enable | disable}
        set cache-cookie {enable | disable}
        set reval-pnc {enable | disable}
        set always-revalidate {enable | disable}
        set cache-by-default {enable | disable}
        set host-validate {enable | disable}
        set external {enable | disable}
end
Description
Configuration Description Default Value
max-object-size Maximum cacheable object size in kB, the maximum is 2147483 (2GB). 512000
neg-resp-time Duration of negative responses cache. 0
fresh-factor Fresh factor percentage (1 - 100 percent). 100
max-ttl Maximum TTL in minutes (default = 7200 (5 days); maximum = 5256000 (100 years)). 7200
min-ttl Minimum TTL in minutes (default = 5; maximum = 5256000 (100 years)). 5
default-ttl Default TTL in minutes (default = 1440 (1 day); maximum = 5256000 (100 years)). 1440
ignore-ims Enable/disable ignore if-modified-since. disable
ignore-conditional Enable/disable ignore HTTP 1.1 conditionals. disable
ignore-pnc Enable/disable ignore pragma-no-cache. disable
ignore-ie-reload Enable/disable ignore IE reload. enable
cache-expired Enable/disable cache expired objects. disable
cache-cookie Enable/disable caching of HTTP response with Set-Cookie header. disable
reval-pnc Enable/disable re-validation of pragma-no-cache. disable
always-revalidate Enable/disable re-validation of requested cached object with content server before serving it to client. disable
cache-by-default Enable/disable caching of content lacking explicit caching policy from server. disable
host-validate Enable/disable validating "Host:" with original server IP. disable
external Enable/disable external cache. disable
web-proxy/debug-url
CLI Syntax
config web-proxy debug-url
    edit <name_str>
        set name <string>
        set url-pattern <string>
        set status {enable | disable}
        set exact {enable | disable}
end
Description
Configuration Description Default Value
name Debug URL name. (Empty)
url-pattern URL exemption pattern. (Empty)
status Enable/disable this URL exemption. enable
exact Enable/disable match exact path. enable
web-proxy/explicit
CLI Syntax
config web-proxy explicit
    edit <name_str>
        set status {enable | disable}
        set ftp-over-http {enable | disable}
        set socks {enable | disable}
        set http-incoming-port <integer>
        set https-incoming-port <integer>
        set ftp-incoming-port <integer>
        set socks-incoming-port <integer>
        set incoming-ip <ipv4-address-any>
        set outgoing-ip <ipv4-address-any>
        set ipv6-status {enable | disable}
        set incoming-ip6 <ipv6-address>
        set outgoing-ip6 <ipv6-address>
        set strict-guest {enable | disable}
        set pref-dns-result {ipv4 | ipv6}
        set unknown-http-version {reject | best-effort}
        set realm <string>
        set sec-default-action {accept | deny}
        set https-replacement-message {enable | disable}
        set message-upon-server-error {enable | disable}
        set pac-file-server-status {enable | disable}
        set pac-file-server-port <integer>
        set pac-file-name <string>
        set pac-file-data <user>
        set pac-file-url <user>
        set ssl-algorithm {high | medium | low}
end
Description
Configuration Description Default Value
status Enable/disable explicit Web proxy. disable
ftp-over-http Enable/disable FTP-over-HTTP. disable
socks Enable/disable SOCKS proxy. disable
http-incoming-port Accept incoming HTTP requests on ports other than port 80. 8080
https-incoming-port Accept incoming HTTPS requests on this port. 0
ftp-incoming-port Accept incoming FTP-over-HTTP requests on this port. 0
socks-incoming-port Accept incoming SOCKS proxy requests on this port. 0
incoming-ip Accept incoming HTTP requests from this IP. An interface must have this IP address. 0.0.0.0
outgoing-ip Outgoing HTTP requests will leave from this IP. An interface must have this IP address. (Empty)
ipv6-status Enable/disable IPv6 destination in policy. disable
incoming-ip6 Accept incoming HTTP requests from this IP. An interface must have this IP address. ::
outgoing-ip6 Outgoing HTTP requests will leave from this IP. An interface must have this IP address. (Empty)
strict-guest Enable/disable strict guest user check in explicit proxy. disable
pref-dns-result IPv4 or IPv6 DNS result preference. ipv4
unknown-http-version Unknown HTTP version handling. reject
realm Authentication realm. default
sec-default-action Default action to allow or deny when no web-proxy firewall policy exists. deny
https-replacement-message Default action to enable or disable return of a replacement message for HTTPS requests. enable
message-upon-server-error Enable/disable return of replacement message upon server error detection. enable
pac-file-server-status Enable/disable PAC file server. disable
pac-file-server-port PAC file server listening port. 0
pac-file-name PAC file name. proxy.pac
pac-file-data PAC file contents. (Empty)
pac-file-url PAC file access URL. (Empty)
ssl-algorithm Relative strength of encryption algorithms accepted in HTTPS deep-scan. high
web-proxy/forward-server
CLI Syntax
config web-proxy forward-server
    edit <name_str>
        set name <string>
        set ip <ipv4-address-any>
        set fqdn <string>
        set addr-type {ip | fqdn}
        set port <integer>
        set healthcheck {disable | enable}
        set monitor <string>
        set server-down-option {block | pass}
        set comment <string>
end
Description
Configuration Description Default Value
name Server name. (Empty)
ip Forward server IP. 0.0.0.0
fqdn Forward server FQDN. (Empty)
addr-type Address type. ip
port Forward server port. 3128
healthcheck Enable/disable forward server health checking. disable
monitor Forward health checking URL. http://www.google.com
server-down-option Action when forward server is down. block
comment Comment. (Empty)
web-proxy/forward-server-group
CLI Syntax
config web-proxy forward-server-group
    edit <name_str>
        set name <string>
        set affinity {enable | disable}
        set ldb-method {weighted | least-session}
        set group-down-option {block | pass}
        config server-list
            edit <name_str>
                set name <string>
                set weight <integer>
        end
end
Description
Configuration Description Default Value
name Forward server group name. (Empty)
affinity Enable/disable affinity. enable
ldb-method Load balance method. weighted
group-down-option Action when group is down. block
server-list Forward server list. (Empty)
web-proxy/global
CLI Syntax
config web-proxy global
    edit <name_str>
        set proxy-fqdn <string>
        set max-request-length <integer>
        set max-message-length <integer>
        set strict-web-check {enable | disable}
        set forward-proxy-auth {enable | disable}
        set tunnel-non-http {enable | disable}
        set unknown-http-version {reject | tunnel | best-effort}
        set forward-server-affinity-timeout <integer>
        set max-waf-body-cache-length <integer>
        set webproxy-profile <string>
end
Description
Configuration Description Default Value
proxy-fqdn Proxy FQDN. default.fqdn
max-request-length Maximum length of HTTP request line (1kB units (1024 Bytes)). 4
max-message-length Maximum length of HTTP message not including body (1kB units (1024 Bytes)). 32
strict-web-check Enable/disable strict web check. disable
forward-proxy-auth Enable/disable forward proxy authentication. disable
tunnel-non-http Enable/disable non-HTTP tunnel. enable
unknown-http-version Unknown HTTP version handling. best-effort
forward-server-affinity-timeout Timeout of the forward server affinity (6 - 60 min, default = 30 min). 30
max-waf-body-cache-length Maximum length of HTTP message (1kB units (1024 Bytes)) processed by Web Application Firewall. 100
webproxy-profile Web proxy profile used when no policy matches. (Empty)
web-proxy/profile
CLI Syntax
config web-proxy profile
    edit <name_str>
        set name <string>
        set header-client-ip {pass | add | remove}
        set header-via-request {pass | add | remove}
        set header-via-response {pass | add | remove}
        set header-x-forwarded-for {pass | add | remove}
        set header-front-end-https {pass | add | remove}
        config headers
            edit <name_str>
                set id <integer>
                set name <string>
                set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
                set content <string>
        end
end
Description
Configuration Description Default Value
name Profile name. (Empty)
header-client-ip Action for the HTTP client-IP header in forwarded requests. pass
header-via-request Action for the HTTP via header in forwarded requests. pass
header-via-response Action for the HTTP via header in forwarded responses. pass
header-x-forwarded-for Action for the HTTP x-forwarded-for header in forwarded requests. pass
header-front-end-https Action for the HTTP front-end-HTTPS header in forwarded requests. pass
headers Configure headers of HTTP forwarded requests. (Empty)
web-proxy/url-match
CLI Syntax
config web-proxy url-match
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set url-pattern <string>
        set forward-server <string>
        set cache-exemption {enable | disable}
        set comment <var-string>
end
Description
Configuration Description Default Value
name Configure URL name. (Empty)
status Enable/disable per URL pattern web proxy forwarding and cache exemptions. enable
url-pattern URL pattern. (Empty)
forward-server Forward server name. (Empty)
cache-exemption Enable/disable cache exemption for this URL pattern. disable
comment Comment. (Empty)
webfilter/content
CLI Syntax
config webfilter content
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set name <string>
                set pattern-type {wildcard | regexp}
                set status {enable | disable}
                set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
                set score <integer>
                set action {block | exempt}
        end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Configure web filter banned word. (Empty)
webfilter/content-header
CLI Syntax
config webfilter content-header
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set pattern <string>
                set action {block | allow | exempt}
                set category <user>
        end
end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
entries Configure content types used by web filter. (Empty)
webfilter/cookie-ovrd
CLI Syntax
config webfilter cookie-ovrd
    edit <name_str>
        set auth-epoch <integer>
        set redir-host <string>
        set redir-port <integer>
        set cookie-name <string>
end
Description
Configuration Description Default Value
auth-epoch Current authentication epoch - changing this value will invalidate all currently issued override cookies. 0
redir-host Domain name or IP of host that will be used to validate override authentication cookies. (Empty)
redir-port TCP port that will be used on "redir-host" to validate override authentication cookies. 20080
cookie-name Name to use for override authentication cookies. wfovrdZnkHSb2CESh
webfilter/fortiguard
CLI Syntax
config webfilter fortiguard
    edit <name_str>
        set cache-mode {ttl | db-ver}
        set cache-prefix-match {enable | disable}
        set cache-mem-percent <integer>
        set ovrd-auth-port-http <integer>
        set ovrd-auth-port-https <integer>
        set ovrd-auth-port-warning <integer>
        set ovrd-auth-https {enable | disable}
        set warn-auth-https {enable | disable}
        set close-ports {enable | disable}
        set request-packet-size-limit <integer>
        set ovrd-auth-port <integer>
end
Description
Configuration Description Default Value
cache-mode Cache entry expiration mode. ttl
cache-prefix-match Enable/disable prefix matching in the cache. enable
cache-mem-percent Maximum percentage of available memory allocated to caching (1 - 15%). 2
ovrd-auth-port-http Port to use for FortiGuard Web Filter HTTP override authentication. 8008
ovrd-auth-port-https Port to use for FortiGuard Web Filter HTTPS override authentication. 8010
ovrd-auth-port-warning Port to use for FortiGuard Web Filter Warning override authentication. 8020
ovrd-auth-https Enable/disable use of HTTPS for override authentication. enable
warn-auth-https Enable/disable use of HTTPS for warning and authentication. enable
close-ports Close ports used for HTTP/HTTPS override authentication and disable user overrides. disable
request-packet-size-limit Limit size of URL request packets sent to FortiGuard server (0 for default). 0
ovrd-auth-port Port to use for FortiGuard Web Filter override authentication. 8008
webfilter/ftgd-local-cat
CLI Syntax
config webfilter ftgd-local-cat
    edit <name_str>
        set id <integer>
        set desc <string>
end
Description
Configuration Description Default Value
id Local category ID. 0
desc Local category description. (Empty)
webfilter/ftgd-local-rating
CLI Syntax
config webfilter ftgd-local-rating
    edit <name_str>
        set url <string>
        set status {enable | disable}
        set rating <user>
end
Description
Configuration Description Default Value
url URL to rate locally. (Empty)
status Enable/disable local rating. enable
rating Local rating.
webfilter/ftgd-warning
CLI Syntax
config webfilter ftgd-warning
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set expires <user>
        set rating <integer>
end
Description
Configuration Description Default Value
id Specify the override rule ID. 0
status Enable/disable override rule. disable
scope Specify the scope of the override rule. user
ip Specify the IP address for which the override applies. 0.0.0.0
user Specify the username for which the override applies. (Empty)
user-group Specify the user group for which the override applies. (Empty)
old-profile Specify the web-filter profile for which the override applies. (Empty)
expires Specify when the override expires. 1969/12/31 16:00:00
rating Ratings associated with the overridden filter. 0
webfilter/ips-urlfilter-cache-setting
CLI Syntax
config webfilter ips-urlfilter-cache-setting
    edit <name_str>
        set dns-retry-interval <integer>
        set extended-ttl <integer>
end
Description
Configuration Description Default Value
dns-retry-interval Retry interval. Refresh DNS faster than TTL to capture multiple IPs for hosts. 0 means use DNS server's TTL only. 0
extended-ttl Extend time to live beyond that reported by DNS. 0 means use DNS server's TTL. 0
webfilter/ips-urlfilter-setting
CLI Syntax
config webfilter ips-urlfilter-setting
    edit <name_str>
        set device <string>
        set distance <integer>
        set gateway <ipv4-address>
end
Description
Configuration Description Default Value
device Enable/disable gateway out interface. (Empty)
distance Administrative distance (1 - 255). 1
gateway Gateway IP for this route. 0.0.0.0
webfilter/override
CLI Syntax
config webfilter override
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set new-profile <string>
        set ip6 <ipv6-address>
        set expires <user>
        set initiator <string>
end
Description
Configuration Description Default Value
id Specify the override rule ID. 0
status Enable/disable override rule. disable
scope Specify the scope of the override rule. user
ip Specify the IP address for which the override applies. 0.0.0.0
user Specify the username for which the override applies. (Empty)
user-group Specify the user group for which the override applies. (Empty)
old-profile Specify the web-filter profile for which the override applies. (Empty)
new-profile Specify the new web-filter profile to apply as the override. (Empty)
ip6 Specify the IPv6 address for which the override applies. ::
expires Specify when the override expires. 1969/12/31 16:00:00
initiator Initiating user of override (not settable). (Empty)
webfilter/override-user
CLI Syntax
config webfilter override-user
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set new-profile <string>
        set ip6 <ipv6-address>
        set expires <user>
        set initiator <string>
end
Description
Configuration Description Default Value
id Specify the override rule ID. 0
status Enable/disable override rule. disable
scope Specify the scope of the override rule. user
ip Specify the IP address for which the override applies. 0.0.0.0
user Specify the username for which the override applies. (Empty)
user-group Specify the user group for which the override applies. (Empty)
old-profile Specify the web-filter profile for which the override applies. (Empty)
new-profile Specify the new web-filter profile to apply as the override. (Empty)
ip6 Specify the IPv6 address for which the override applies. ::
expires Specify when the override expires. 1969/12/31 16:00:00
initiator Initiating user of override (not settable). (Empty)
webfilter/profileCLI Syntax
config webfilter profile edit <name_str> set name <string> set comment <var-string> set replacemsg-group <string> set inspection-mode {proxy | flow-based | dns} set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-url-scan | per-user-bwl} set https-replacemsg {enable | disable} set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override} set post-action {normal | comfort | block} config override edit <name_str> set ovrd-cookie {allow | deny} set ovrd-scope {user | user-group | ip | browser | ask} set profile-type {list | radius} set ovrd-dur-mode {constant | ask} set ovrd-dur <user> set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port} config ovrd-user-group edit <name_str> set name <string> end config profile edit <name_str> set name <string> end end config web edit <name_str> set bword-threshold <integer> set bword-table <integer> set urlfilter-table <integer> set content-header-list <integer> set blacklist {enable | disable}
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
830
set whitelist {exempt-av | exempt-webcontent | exempt-activex-java-cookie | exempt-dlp | exempt-rangeblock | extended-log-others} set safe-search {url | header} set youtube-edu-filter-id <string> set log-search {enable | disable} config keyword-match edit <name_str> set pattern <string> end end config ftgd-wf edit <name_str> set options {error-allow | http-err-detail | rate-image-urls | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable} set category-override <user> set exempt-quota <user> set ovrd <user> config filters edit <name_str> set id <integer> set category <integer> set action {block | authenticate | monitor | warning} set warn-duration <user> config auth-usr-grp edit <name_str> set name <string> end set log {enable | disable} set override-replacemsg <string> set warning-prompt {per-domain | per-category} set warning-duration-type {session | timeout} end config quota edit <name_str> set id <integer> set category <user> set type {time | traffic} set unit {B | KB | MB | GB} set value <integer> set duration <user> set override-replacemsg <string> end set max-quota-timeout <integer> set rate-image-urls {disable | enable} set rate-javascript-urls {disable | enable} set rate-css-urls {disable | enable} set rate-crl-urls {disable | enable} end set wisp {enable | disable} set log-all-url {enable | disable} set web-content-log {enable | disable} set web-filter-activex-log {enable | disable} set web-filter-command-block-log {enable | disable}
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
831
set web-filter-command-block-log {enable | disable} set web-filter-cookie-log {enable | disable} set web-filter-applet-log {enable | disable} set web-filter-jscript-log {enable | disable} set web-filter-js-log {enable | disable} set web-filter-vbs-log {enable | disable} set web-filter-unknown-log {enable | disable} set web-filter-referer-log {enable | disable} set web-filter-cookie-removal-log {enable | disable} set web-url-log {enable | disable} set web-invalid-domain-log {enable | disable} set web-ftgd-err-log {enable | disable} set web-ftgd-quota-usage {enable | disable} end
Description
Configuration Description Default Value
name Profile name. (Empty)
comment Comment. (Empty)
replacemsg-group Replacement message group. (Empty)
inspection-mode Web filtering inspection mode. proxy
options Options. (Empty)
https-replacemsg Enable replacement message display for non-deep SSL inspection. enable
ovrd-perm Override permit option. (Empty)
post-action Action for HTTP POST requests. normal
override Web Filter override settings. Details below
Configuration Default Value
ovrd-cookie deny
ovrd-scope user
profile-type list
ovrd-dur-mode constant
ovrd-dur 15m
profile-attribute Login-LAT-Service
ovrd-user-group (Empty)
profile (Empty)
web Web settings. Details below
Configuration Default Value
bword-threshold 10
bword-table 0
urlfilter-table 0
content-header-list 0
blacklist disable
whitelist (Empty)
safe-search (Empty)
youtube-edu-filter-id (Empty)
log-search disable
keyword-match (Empty)
ftgd-wf FortiGuard Web Filter settings. Details below
Configuration Default Value
options ftgd-disable
category-override
exempt-quota 17
ovrd
filters (Empty)
quota (Empty)
max-quota-timeout 300
rate-image-urls enable
rate-javascript-urls enable
rate-css-urls enable
rate-crl-urls enable
wisp Enable/disable web proxy WISP. disable
log-all-url Enable/disable log all URLs visited. disable
web-content-log Enable/disable logging for web filter content blocking. enable
web-filter-activex-log Enable/disable logging for web script filtering on ActiveX. enable
web-filter-command-block-log Enable/disable logging for web filtering on command blocking. enable
web-filter-cookie-log Enable/disable logging for web script filtering on cookies. enable
web-filter-applet-log Enable/disable logging for web script filtering on Java applets. enable
web-filter-jscript-log Enable/disable logging for web script filtering on JScripts. enable
web-filter-js-log Enable/disable logging for web script filtering on Java scripts. enable
web-filter-vbs-log Enable/disable logging for web script filtering on VB scripts. enable
web-filter-unknown-log Enable/disable logging for web script filtering on unknown scripts. enable
web-filter-referer-log Enable/disable logging of web filter referrer block. enable
web-filter-cookie-removal-log Enable/disable logging of web filter cookie block. enable
web-url-log Enable/disable logging for URL filtering. enable
web-invalid-domain-log Enable/disable logging for web filtering of invalid domain name. enable
web-ftgd-err-log Enable/disable logging for FortiGuard Web Filter rating errors. enable
web-ftgd-quota-usage Enable/disable logging for FortiGuard Web Filter quota usage each day. enable
webfilter/search-engine
CLI Syntax
config webfilter search-engine
    edit <name_str>
        set name <string>
        set hostname <string>
        set url <string>
        set query <string>
        set safesearch {disable | url | header}
        set charset {utf-8 | gb2312}
        set safesearch-str <string>
    end
Description
Configuration Description Default Value
name Search engine name. (Empty)
hostname Hostname regular expression. (Empty)
url URL regular expression. (Empty)
query Query string (must end with an equals character). (Empty)
safesearch Safe search enable. disable
charset Search engine charset. utf-8
safesearch-str Safe search parameter. (Empty)
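A worked entry for a hypothetical in-house search engine, added here as an example; it is not part of the reference and not a Fortinet-supplied entry. The host, the search path and the safe-search parameter are assumptions chosen for illustration. It shows the three things the table above leaves implicit: hostname and url are regular expressions, query names the search-term parameter and must end with "=", and safesearch-str is the text the FortiGate appends to the query when safesearch is set to url.

```text
config webfilter search-engine
    # Hypothetical engine; host, path and parameter names are assumed.
    edit "intranet-search"
        # hostname and url are regular expressions. Backslashes are
        # doubled inside the quoted string, as in the built-in entries.
        set hostname "^search\\.example\\.com$"
        set url "^/search\\?"
        # The search-term parameter; the value must end with "=".
        set query "q="
        # Enforce safe search by rewriting the request URL...
        set safesearch url
        # ...appending this (assumed) parameter to the query string.
        set safesearch-str "&safe=strict"
        set charset utf-8
    next
end
```

The rewrite only happens for traffic that passes through a web filter profile whose config web sub-table has safe-search set to url (see the profile table above); the search-engine entry on its own changes nothing.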
webfilter/urlfilter
CLI Syntax
config webfilter urlfilter
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        set one-arm-ips-urlfilter {enable | disable}
        set ip-addr-block {enable | disable}
        config entries
            edit <name_str>
                set id <integer>
                set url <string>
                set type {simple | regex | wildcard}
                set action {exempt | block | allow | monitor}
                set status {enable | disable}
                set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
                set web-proxy-profile <string>
                set referrer-host <string>
            end
    end
Description
Configuration Description Default Value
id ID. 0
name Name of table. (Empty)
comment Comment. (Empty)
one-arm-ips-urlfilter Enable/disable DNS resolver for one-arm IPS URL filter operation. disable
ip-addr-block Enable/disable block URLs when hostname appears as an IP address. disable
entries Web filter/URL filter. (Empty)
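A worked URL filter table together with the web filter profile that applies it, added as an example for the urlfilter command here and for the webfilter profile command described above; it is not configuration from the reference or from Fortinet. The table ID, the profile and table names, the hosts and paths are illustrative. The FortiGuard category IDs 26 (Malicious Websites) and 61 (Phishing) are the numbers as I know them; verify them against the category list on your own unit before relying on them. The profile clears the ftgd-disable default shown in the ftgd-wf table above so that FortiGuard rating is actually active, and deliberately does not set error-allow, so a rating failure blocks instead of failing open.

```text
config webfilter urlfilter
    edit 1
        set name "corp-urlfilter"
        # Block requests whose host is written as a literal IP address,
        # a common way around hostname-based rules.
        set ip-addr-block enable
        config entries
            # Entries are checked in ID order and the first match applies,
            # so the narrow exemption sits above the broad rules.
            edit 1
                set url "intranet.example.com"
                set type simple
                # exempt skips only the listed inspection for this host.
                # Avoid "exempt all": it also switches off AV and DLP
                # for every request that matches.
                set action exempt
                set exempt web-content
                set status enable
            next
            edit 2
                set url "*.badhost.example.net"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                # Regex entry: block .exe downloads under this path on any host.
                set url "/downloads/.*\\.exe$"
                set type regex
                set action block
                set status enable
            next
            edit 4
                set url "*.example.org"
                set type wildcard
                # monitor lets the request through and logs it.
                set action monitor
                set status enable
            next
        end
    next
end
config webfilter profile
    edit "corp-web"
        set inspection-mode proxy
        config web
            # Reference the table above by its ID.
            set urlfilter-table 1
            set safe-search url header
            set log-search enable
        end
        config ftgd-wf
            # Clear the ftgd-disable default so FortiGuard rating runs.
            # error-allow is left out: a rating error blocks, not allows.
            unset options
            config filters
                # 26 = Malicious Websites, 61 = Phishing (verify IDs on your unit)
                edit 1
                    set category 26
                    set action block
                    set log enable
                next
                edit 2
                    set category 61
                    set action block
                    set log enable
                next
            end
        end
        # Log every URL, not only blocked ones, so an investigation has
        # the full browsing trail and FortiGuard lookup failures are visible.
        set log-all-url enable
        set web-url-log enable
        set web-ftgd-err-log enable
    next
end
```

The profile still has to be referenced from a firewall policy before any of this takes effect; that policy binding is outside the webfilter branch documented here.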
wireless-controller/ap-status
CLI Syntax
config wireless-controller ap-status
    edit <name_str>
        set id <integer>
        set bssid <mac-address>
        set ssid <string>
        set status {rogue | accepted | suppressed}
    end
Description
Configuration Description Default Value
id AP ID. 0
bssid AP's BSSID. 00:00:00:00:00:00
ssid AP's SSID. (Empty)
status AP status. rogue
wireless-controller/global
CLI Syntax
config wireless-controller global
    edit <name_str>
        set name <string>
        set location <string>
        set max-retransmit <integer>
        set data-ethernet-II {enable | disable}
        set mesh-eth-type <integer>
        set discovery-mc-addr <ipv4-address-multicast>
        set max-clients <integer>
        set rogue-scan-mac-adjacency <integer>
        set ap-log-server {enable | disable}
        set ap-log-server-ip <ipv4-address>
        set ap-log-server-port <integer>
    end
Description
Configuration Description Default Value
name Name. (Empty)
location Location. (Empty)
max-retransmit Maximum # of retransmissions for tunnel packet. 3
data-ethernet-II Enable/disable ethernet frame type with 802.3 data tunnel mode. disable
mesh-eth-type Ethernet type for wireless backhaul tunnel packet. 8755
discovery-mc-addr Discovery multicast address. 224.0.1.140
max-clients Maximum number of stations supported by the AC. 0
rogue-scan-mac-adjacency Range of numerical difference between AP's Ethernet MAC and AP's BSSID, given the identical OUI (default = 7). 7
ap-log-server Enable/disable AP log server. disable
ap-log-server-ip AP log server IP address. 0.0.0.0
ap-log-server-port AP log server port. 0
wireless-controller/setting
CLI Syntax
config wireless-controller setting
    edit <name_str>
        set account-id <string>
        set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
    end
Description
Configuration Description Default Value
account-id FortiCloud customer account ID. (Empty)
country Country. US
wireless-controller/timers
CLI Syntax
config wireless-controller timers
    edit <name_str>
        set echo-interval <integer>
        set discovery-interval <integer>
        set client-idle-timeout <integer>
        set rogue-ap-log <integer>
        set fake-ap-log <integer>
        set darrp-optimize <integer>
        set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        config darrp-time
            edit <name_str>
                set time <string>
            end
        set sta-stats-interval <integer>
        set vap-stats-interval <integer>
        set radio-stats-interval <integer>
        set sta-capability-interval <integer>
        set sta-locate-timer <integer>
    end
Description
Configuration Description Default Value
echo-interval Interval before WTP sends Echo Request after joining AC (1 - 255, default = 30 sec). 30
discovery-interval Interval between Discovery Request (2 - 180 sec, default = 5 sec). 5
client-idle-timeout Wireless station idle timeout (0 = no client-idle check, 20 - 3600 sec, default = 300 sec). 300
rogue-ap-log Rogue AP periodic log reporting interval (default = 0 min). 0
fake-ap-log Fake AP periodic log reporting interval (default = 1 min). 1
darrp-optimize DARRP optimization interval (default = 1800 sec). 1800
darrp-day Weekday on which DARRP optimization is executed. (Empty)
darrp-time Time at which DARRP optimization is executed (up to 8 time points). (Empty)
sta-stats-interval WTP interval for which station statistics are sent (1 - 255, default = 1 sec). 1
vap-stats-interval WTP interval for which VAP statistics are sent (1 - 255, default = 15 sec). 15
radio-stats-interval WTP interval for which radio statistics are sent (1 - 255, default = 15 sec). 15
sta-capability-interval WTP interval for which station capability information is sent (1 - 255, default = 30 sec). 30
sta-locate-timer Interval at which the WTP flushes the station presence (default = 1800 sec). 1800
wireless-controller/vap
CLI Syntax
config wireless-controller vap
    edit <name_str>
        set name <string>
        set vdom <string>
        set fast-roaming {enable | disable}
        set external-fast-roaming {enable | disable}
        set mesh-backhaul {enable | disable}
        set max-clients <integer>
        set max-clients-ap <integer>
        set ssid <string>
        set broadcast-ssid {enable | disable}
        set security-obsolete-option {enable | disable}
        set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
        set pmf {disable | enable | optional}
        set pmf-assoc-comeback-timeout <integer>
        set pmf-sa-query-retry-timeout <integer>
        set okc {disable | enable}
        set tkip-counter-measure {enable | disable}
        set external-web <string>
        set radius-mac-auth {enable | disable}
        set radius-mac-auth-server <string>
        set auth {psk | radius | usergroup}
        set encrypt {TKIP | AES | TKIP-AES}
        set keyindex <integer>
        set key <password>
        set passphrase <password>
        set radius-server <string>
        set acct-interim-interval <integer>
        config usergroup
            edit <name_str>
                set name <string>
            end
        set portal-message-override-group <string>
        config portal-message-overrides
            edit <name_str>
                set auth-disclaimer-page <string>
                set auth-reject-page <string>
                set auth-login-page <string>
                set auth-login-failed-page <string>
            end
        set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
        config selected-usergroups
            edit <name_str>
                set name <string>
            end
        set security-exempt-list <string>
        set security-redirect-url <string>
        set intra-vap-privacy {enable | disable}
        set schedule <string>
        set local-standalone {enable | disable}
        set local-standalone-nat {enable | disable}
        set ip <ipv4-classnet-host>
        set local-bridging {enable | disable}
        set split-tunneling {enable | disable}
        set local-authentication {enable | disable}
        set local-switching {enable | disable}
        set vlanid <integer>
        set vlan-auto {enable | disable}
        set dynamic-vlan {enable | disable}
        set alias <string>
        set multicast-rate {0 | 6000 | 12000 | 24000}
        set multicast-enhance {enable | disable}
        set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
        set me-disable-thresh <integer>
        set probe-resp-suppression {enable | disable}
        set probe-resp-threshold <string>
        set vlan-pooling {wtp-group | round-robin | hash | disable}
        config vlan-pool
            edit <name_str>
                set id <integer>
                set wtp-group <string>
            end
        set ptk-rekey {enable | disable}
        set ptk-rekey-intv <integer>
        set gtk-rekey {enable | disable}
        set gtk-rekey-intv <integer>
        set eap-reauth {enable | disable}
        set eap-reauth-intv <integer>
        set rates-11a {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
        set rates-11bg {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
        set rates-11n-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/2 | mcs9/2 | mcs10/2 | mcs11/2 | mcs12/2 | mcs13/2 | mcs14/2 | mcs15/2}
        set rates-11n-ss34 {mcs16/3 | mcs17/3 | mcs18/3 | mcs19/3 | mcs20/3 | mcs21/3 | mcs22/3 | mcs23/3 | mcs24/4 | mcs25/4 | mcs26/4 | mcs27/4 | mcs28/4 | mcs29/4 | mcs30/4 | mcs31/4}
        set rates-11ac-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/1 | mcs9/1 | mcs0/2 | mcs1/2 | mcs2/2 | mcs3/2 | mcs4/2 | mcs5/2 | mcs6/2 | mcs7/2 | mcs8/2 | mcs9/2}
        set rates-11ac-ss34 {mcs0/3 | mcs1/3 | mcs2/3 | mcs3/3 | mcs4/3 | mcs5/3 | mcs6/3 | mcs7/3 | mcs8/3 | mcs9/3 | mcs0/4 | mcs1/4 | mcs2/4 | mcs3/4 | mcs4/4 | mcs5/4 | mcs6/4 | mcs7/4 | mcs8/4 | mcs9/4}
        set mac-filter {enable | disable}
        set mac-filter-policy-other {allow | deny}
        config mac-filter-list
            edit <name_str>
                set id <integer>
                set mac <mac-address>
                set mac-filter-policy {allow | deny}
            end
    end
Description
Configuration Description Default Value
name Virtual AP name. (Empty)
vdom Owning VDOM. (Empty)
fast-roaming Enable/disable fast roaming. enable
external-fast-roaming Enable/disable fast roaming with external non-managed AP. disable
mesh-backhaul Enable/disable mesh backhaul. disable
max-clients Maximum number of STAs supported by the VAP. 0
max-clients-ap Maximum number of STAs supported by the VAP (per AP radio). 0
ssid IEEE 802.11 Service Set Identifier. fortinet
broadcast-ssid Enable/disable SSID broadcast in the beacon. enable
security-obsolete-option Enable/disable obsolete security options. disable
security Wireless access security of SSID. wpa2-only-personal
pmf Protected Management Frames (PMF) support. disable
pmf-assoc-comeback-timeout Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec). 1
pmf-sa-query-retry-timeout Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 in 100s of msec). 2
okc Enable/disable Opportunistic Key Caching (OKC). enable
tkip-counter-measure Enable/disable TKIP counter measure. enable
external-web URL of external authentication web server. (Empty)
radius-mac-auth Enable/disable RADIUS-based MAC authentication. disable
radius-mac-auth-server RADIUS-based MAC authentication server. (Empty)
auth Authentication protocol. psk
encrypt Data encryption. AES
keyindex WEP key index (1 - 4). 1
key WEP Key. (Empty)
passphrase Pre-shared key for WPA. (Empty)
radius-server WiFi RADIUS server. (Empty)
acct-interim-interval WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0). 0
usergroup Selected user group. (Empty)
portal-message-override-group Specify captive portal replacement message override group. (Empty)
portal-message-overrides Individual message overrides. Details below
Configuration Default Value
auth-disclaimer-page (Empty)
auth-reject-page (Empty)
auth-login-page (Empty)
auth-login-failed-page (Empty)
portal-type Captive portal type. auth
selected-usergroups Selected user group. (Empty)
security-exempt-list Security exempt list name. (Empty)
security-redirect-url URL redirection after disclaimer/authentication. (Empty)
intra-vap-privacy Enable/disable intra-SSID privacy. disable
schedule VAP schedule name. (Empty)
local-standalone Enable/disable AP local standalone. disable
local-standalone-nat Enable/disable AP local standalone NAT mode. disable
ip IP address and subnet mask for the local standalone NAT subnet. 0.0.0.0 0.0.0.0
local-bridging Enable/disable FortiAP local VAP-to-Ethernet bridge. disable
split-tunneling Enable/disable split tunneling. disable
local-authentication Enable/disable AP local authentication. disable
local-switching Enable/disable FortiAP local VAP traffic switching. enable
vlanid Optional VLAN ID. 0
vlan-auto Enable/disable automatic management of SSID VLAN interface. disable
dynamic-vlan Enable/disable dynamic VLAN assignment. disable
alias Alias. (Empty)
multicast-rate Multicast rate (kbps). 0
multicast-enhance Enable/disable multicast enhancement. disable
broadcast-suppression Suppress broadcast frames from WiFi clients. dhcp-up arp-known
me-disable-thresh Threshold of number of multicast clients to disable multicast enhancement. 32
probe-resp-suppression Enable/disable probe response suppression. disable
probe-resp-threshold Threshold at which FortiAP responds to probe requests (signal level must be no lower than this value). -80
vlan-pooling Enable/disable VLAN pooling. disable
vlan-pool VLAN pool. (Empty)
ptk-rekey Enable/disable PTK rekey for WPA-Enterprise security. disable
ptk-rekey-intv PTK rekey interval (1800 - 864000 sec, default = 86400). 86400
gtk-rekey Enable/disable GTK rekey for WPA security. disable
gtk-rekey-intv GTK rekey interval (1800 - 864000 sec, default = 86400). 86400
eap-reauth Enable/disable EAP re-authentication for WPA-Enterprise security. disable
eap-reauth-intv EAP re-authentication interval (1800 - 864000 sec, default = 86400). 86400
rates-11a Configure allowed data rates for 802.11a. (Empty)
rates-11bg Configure allowed data rates for 802.11b/g. (Empty)
rates-11n-ss12 Configure allowed data rates for 802.11n with 1 or 2 spatial streams. (Empty)
rates-11n-ss34 Configure allowed data rates for 802.11n with 3 or 4 spatial streams. (Empty)
rates-11ac-ss12 Configure allowed data rates for 802.11ac with 1 or 2 spatial streams. (Empty)
rates-11ac-ss34 Configure allowed data rates for 802.11ac with 3 or 4 spatial streams. (Empty)
mac-filter Enable/disable MAC filter status. disable
mac-filter-policy-other Deny or allow STAs whose MAC addresses are not in the filter list. allow
mac-filter-list MAC filter list. (Empty)
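Two SSIDs side by side, added as an example and not taken from the reference or from a Fortinet sample configuration: the first carries the settings a configuration review should flag, the second is the corrected form built from the options in the table above. The SSID names and the passphrase are placeholders, and "corp-radius" is assumed to be an existing entry under config user radius; the dynamic-vlan line assumes that server returns VLAN attributes.

```text
config wireless-controller vap
    edit "legacy-wifi"
        set ssid "LEGACY"
        # wpa-personal still admits WPA1 clients, TKIP is the RC4-based
        # cipher of that era, and one shared passphrase covers every device.
        set security wpa-personal
        set encrypt TKIP
        set auth psk
        set passphrase "weakpassphrase"
        # Without PMF, forged deauthentication frames knock clients off.
        set pmf disable
        # Clients on this SSID can reach each other directly.
        set intra-vap-privacy disable
    next
    edit "corp-wifi"
        set ssid "CORP"
        # WPA2 only, per-user 802.1X credentials via RADIUS, AES (CCMP) only.
        set security wpa2-only-enterprise
        set encrypt AES
        set auth radius
        set radius-server "corp-radius"
        # Protected Management Frames required. "optional" is the setting
        # for a migration period while clients without 802.11w remain.
        set pmf enable
        # OKC keeps roaming fast without weakening the key exchange.
        set okc enable
        # Periodic PTK/GTK rekey and EAP re-authentication (seconds).
        set ptk-rekey enable
        set ptk-rekey-intv 86400
        set gtk-rekey enable
        set gtk-rekey-intv 86400
        set eap-reauth enable
        set eap-reauth-intv 86400
        # Stations on this SSID cannot talk to each other over the air.
        set intra-vap-privacy enable
        # Keep the defaults (dhcp-up, arp-known) and also drop DHCP
        # starvation and ARP poisoning traffic coming from clients.
        set broadcast-suppression dhcp-up arp-known dhcp-starvation arp-poison
        # Take the VLAN from the RADIUS reply so roles land on separate
        # segments (assumes the server returns VLAN attributes).
        set dynamic-vlan enable
    next
end
```

The mac-filter options that close the table above are not an access control: a station's MAC address is sent in the clear in every frame and is trivially cloned, so the filter list is at best a convenience on top of real authentication, never a replacement for it.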
wireless-controller/vap-group
CLI Syntax
config wireless-controller vap-group
    edit <name_str>
        set name <string>
        set comment <var-string>
        config vaps
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration Description Default Value
name Group name. (Empty)
comment Comment. (Empty)
vaps Selected list of SSIDs to be included in the group. (Empty)
wireless-controller/wids-profile
CLI Syntax
config wireless-controller wids-profile
    edit <name_str>
        set name <string>
        set comment <string>
        set ap-scan {disable | enable}
        set ap-bgscan-period <integer>
        set ap-bgscan-intv <integer>
        set ap-bgscan-duration <integer>
        set ap-bgscan-idle <integer>
        set ap-bgscan-report-intv <integer>
        set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set ap-bgscan-disable-start <user>
        set ap-bgscan-disable-end <user>
        set ap-fgscan-report-intv <integer>
        set ap-scan-passive {enable | disable}
        set rogue-scan {enable | disable}
        set ap-auto-suppress {enable | disable}
        set wireless-bridge {enable | disable}
        set deauth-broadcast {enable | disable}
        set null-ssid-probe-resp {enable | disable}
        set long-duration-attack {enable | disable}
        set long-duration-thresh <integer>
        set invalid-mac-oui {enable | disable}
        set weak-wep-iv {enable | disable}
        set auth-frame-flood {enable | disable}
        set auth-flood-time <integer>
        set auth-flood-thresh <integer>
        set assoc-frame-flood {enable | disable}
        set assoc-flood-time <integer>
        set assoc-flood-thresh <integer>
        set spoofed-deauth {enable | disable}
        set asleap-attack {enable | disable}
        set eapol-start-flood {enable | disable}
        set eapol-start-thresh <integer>
        set eapol-start-intv <integer>
        set eapol-logoff-flood {enable | disable}
        set eapol-logoff-thresh <integer>
        set eapol-logoff-intv <integer>
        set eapol-succ-flood {enable | disable}
        set eapol-succ-thresh <integer>
        set eapol-succ-intv <integer>
        set eapol-fail-flood {enable | disable}
        set eapol-fail-thresh <integer>
        set eapol-fail-intv <integer>
        set eapol-pre-succ-flood {enable | disable}
        set eapol-pre-succ-thresh <integer>
        set eapol-pre-succ-intv <integer>
        set eapol-pre-fail-flood {enable | disable}
        set eapol-pre-fail-thresh <integer>
        set eapol-pre-fail-intv <integer>
        set deauth-unknown-src-thresh <integer>
    end
Description
Configuration Description Default Value
name WIDS profile name. (Empty)
comment Comment. (Empty)
ap-scan Enable/disable AP scan. disable
ap-bgscan-period Interval between two rounds of scanning (60 - 3600 sec). 600
ap-bgscan-intv Interval between two scanning channels (1 - 600 sec). 1
ap-bgscan-duration Listening time on a scanning channel (10 - 1000 msec). 20
ap-bgscan-idle Channel idle time before scanning channel (0 - 1000 msec). 0
ap-bgscan-report-intv Interval between two background scan reports (15 - 600 sec). 30
ap-bgscan-disable-day Weekday on which background scan is disabled. (Empty)
ap-bgscan-disable-start Start time at which background scan is disabled. 00:00
ap-bgscan-disable-end End time at which background scan is disabled. 00:00
ap-fgscan-report-intv Interval between two foreground scan reports (15 - 600 sec). 15
ap-scan-passive Enable/disable passive scan on all channels. disable
rogue-scan Enable/disable rogue AP on-wire scan. disable
ap-auto-suppress Enable/disable on-wire rogue AP auto-suppress. disable
wireless-bridge Enable/disable wireless bridge detection. disable
deauth-broadcast Enable/disable broadcasting de-authentication detection. disable
null-ssid-probe-resp Enable/disable null SSID probe response detection. disable
long-duration-attack Enable/disable long duration attack detection based on user configured threshold. disable
long-duration-thresh Threshold value (usec) for long duration attack detection. 8200
invalid-mac-oui Enable/disable invalid MAC OUI detection. disable
weak-wep-iv Enable/disable weak WEP IV (Initialization Vector) detection. disable
auth-frame-flood Enable/disable authentication frame flooding detection. disable
auth-flood-time Number of seconds after which an STA is considered not connected. 10
auth-flood-thresh The threshold value for authentication flooding. 30
assoc-frame-flood Enable/disable association frame flooding detection. disable
assoc-flood-time Number of seconds after which an STA is considered not connected. 10
assoc-flood-thresh The threshold value for association flooding. 30
spoofed-deauth Enable/disable spoofed de-authentication detection. disable
asleap-attack Enable/disable asleap attack detection. disable
eapol-start-flood Enable/disable EAPOL-Start flooding (to AP) detection. disable
eapol-start-thresh The threshold value for EAPOL-Start flooding in specified interval. 10
eapol-start-intv The detection interval for EAPOL-Start flooding in sec. 1
eapol-logoff-flood Enable/disable EAPOL-Logoff flooding (to AP) detection. disable
eapol-logoff-thresh The threshold value for EAPOL-Logoff flooding in specified interval. 10
eapol-logoff-intv The detection interval for EAPOL-Logoff flooding in sec. 1
eapol-succ-flood Enable/disable EAPOL-Success flooding (to AP) detection. disable
eapol-succ-thresh The threshold value for EAPOL-Success flooding in specified interval. 10
eapol-succ-intv The detection interval for EAPOL-Success flooding in sec. 1
eapol-fail-flood Enable/disable EAPOL-Failure flooding (to AP) detection. disable
eapol-fail-thresh The threshold value for EAPOL-Failure flooding in specified interval. 10
eapol-fail-intv The detection interval for EAPOL-Failure flooding in sec. 1
eapol-pre-succ-flood Enable/disable premature EAPOL-Success flooding (to STA) detection. disable
eapol-pre-succ-thresh The threshold value for premature EAPOL-Success flooding in specified interval. 10
eapol-pre-succ-intv The detection interval for premature EAPOL-Success flooding in sec. 1
eapol-pre-fail-flood Enable/disable premature EAPOL-Failure flooding (to STA) detection. disable
eapol-pre-fail-thresh The threshold value for premature EAPOL-Failure flooding in specified interval. 10
eapol-pre-fail-intv The detection interval for premature EAPOL-Failure flooding in sec. 1
deauth-unknown-src-thresh Threshold value per second to deauth unknown src for DoS attack (0: no limit). 10
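A WIDS profile that turns on every detector in the table above, together with the timers entries that control how often rogue and fake AP reports are logged and an ap-status entry that marks a triaged neighbour as accepted (the timers and ap-status commands are described earlier in this chapter). This is an added example, not configuration from the reference; the profile name, the thresholds that differ from the defaults, the neighbour's BSSID and its SSID are placeholders. Every detector ships disabled, so a profile has to enable each one explicitly.

```text
config wireless-controller wids-profile
    edit "wids-strict"
        # Background scanning lets the radio see off-channel activity:
        # a round every 10 min, 20 ms dwell per channel, a report every 30 s.
        set ap-scan enable
        set ap-bgscan-period 600
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-report-intv 30
        # On-wire rogue detection. Auto-suppress stays off: suppression is
        # an active countermeasure against the rogue and its clients, so
        # enable it only where you are permitted to transmit against them.
        set rogue-scan enable
        set ap-auto-suppress disable
        # Deauthentication, probe and bridge anomalies.
        set deauth-broadcast enable
        set spoofed-deauth enable
        set null-ssid-probe-resp enable
        set wireless-bridge enable
        set invalid-mac-oui enable
        set weak-wep-iv enable
        set long-duration-attack enable
        set long-duration-thresh 8200
        set asleap-attack enable
        # Management-frame floods: more than 30 auth or assoc frames from
        # one STA inside a 10 s window.
        set auth-frame-flood enable
        set auth-flood-time 10
        set auth-flood-thresh 30
        set assoc-frame-flood enable
        set assoc-flood-time 10
        set assoc-flood-thresh 30
        # EAPOL floods: each detector pairs a frame count with an interval.
        # EAPOL-Start is tightened to 20 frames per 2 s; the rest keep the
        # default 10 frames per 1 s.
        set eapol-start-flood enable
        set eapol-start-thresh 20
        set eapol-start-intv 2
        set eapol-logoff-flood enable
        set eapol-succ-flood enable
        set eapol-fail-flood enable
        set eapol-pre-succ-flood enable
        set eapol-pre-fail-flood enable
        # Cap the deauth frames per second sent to unknown sources so the
        # AP cannot be driven into amplifying a DoS (0 would mean no limit).
        set deauth-unknown-src-thresh 10
    next
end
# Rogue AP reports are logged every 10 minutes instead of never (default 0).
config wireless-controller timers
    set rogue-ap-log 10
    set fake-ap-log 1
end
# A neighbouring AP that was investigated and found legitimate: mark it
# accepted so it stops being reported as rogue. BSSID is a placeholder.
config wireless-controller ap-status
    edit 1
        set bssid 00:11:22:33:44:55
        set ssid "Neighbour-Office"
        set status accepted
    next
end
```

The profile does nothing until it is attached to a radio with set wids-profile under config radio-1 or config radio-2 of a wtp-profile (see the wtp-profile syntax later in this chapter).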
wireless-controller/wtp
CLI Syntax
config wireless-controller wtp
    edit <name_str>
        set wtp-id <string>
        set index <integer>
        set admin {discovered | disable | enable}
        set name <string>
        set location <string>
        set wtp-mode {normal | remote}
        set wtp-profile <string>
        set override-led-state {enable | disable}
        set led-state {enable | disable}
        set override-wan-port-mode {enable | disable}
        set wan-port-mode {wan-lan | wan-only}
        set override-ip-fragment {enable | disable}
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink <integer>
        set tun-mtu-downlink <integer>
        set override-split-tunnel {enable | disable}
        set split-tunneling-acl-local-ap-subnet {enable | disable}
        config split-tunneling-acl
            edit <name_str>
                set id <integer>
                set dest-ip <ipv4-classnet>
            end
        set override-lan {enable | disable}
        config lan
            edit <name_str>
                set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port-ssid <string>
                set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port1-ssid <string>
                set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port2-ssid <string>
                set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port3-ssid <string>
                set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port4-ssid <string>
                set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port5-ssid <string>
                set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port6-ssid <string>
                set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port7-ssid <string>
                set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port8-ssid <string>
            end
        set override-allowaccess {enable | disable}
        set allowaccess {telnet | http}
        set override-login-passwd-change {enable | disable}
        set login-passwd-change {yes | default | no}
        set login-passwd <password>
        config radio-1
            edit <name_str>
                set radio-id <integer>
                set override-band {enable | disable}
                set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
                set override-analysis {enable | disable}
                set spectrum-analysis {enable | disable}
                set override-txpower {enable | disable}
                set auto-power-level {enable | disable}
                set auto-power-high <integer>
                set auto-power-low <integer>
                set power-level <integer>
                set override-vaps {enable | disable}
                set vap-all {enable | disable}
                config vaps
                    edit <name_str>
                        set name <string>
                    end
                set override-channel {enable | disable}
                config channel
                    edit <name_str>
                        set chan <string>
                    end
            end
        config radio-2
            edit <name_str>
                set radio-id <integer>
                set override-band {enable | disable}
                set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
                set override-analysis {enable | disable}
                set spectrum-analysis {enable | disable}
                set override-txpower {enable | disable}
                set auto-power-level {enable | disable}
                set auto-power-high <integer>
                set auto-power-low <integer>
                set power-level <integer>
                set override-vaps {enable | disable}
                set vap-all {enable | disable}
                config vaps
                    edit <name_str>
                        set name <string>
                    end
                set override-channel {enable | disable}
                config channel
                    edit <name_str>
                        set chan <string>
                    end
            end
        set image-download {enable | disable}
        set mesh-bridge-enable {default | enable | disable}
        set coordinate-enable {enable | disable}
        set coordinate-x <string>
        set coordinate-y <string>
    end
Description
Configuration Description Default Value
wtp-id WTP ID. (Empty)
index Index (0 - 4294967295). 0
admin Admin status. enable
name WTP name. (Empty)
location WTP location. (Empty)
wtp-mode WTP mode. normal
wtp-profile WTP profile name. (Empty)
override-led-state Enable/disable override of LED state. disable
led-state Enable/disable use of LEDs on WTP. enable
override-wan-port-mode Enable/disable override of wan-port-mode. disable
wan-port-mode Enable/disable use of WAN port as LAN port. wan-only
override-ip-fragment Enable/disable override of IP fragment prevention. disable
ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunnelled control and data packets. tcp-mss-adjust
tun-mtu-uplink Uplink tunnel MTU. 0
tun-mtu-downlink Downlink tunnel MTU. 0
override-split-tunnel Enable/disable override of split tunneling. disable
split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable
split-tunneling-acl Split tunneling ACL filter list. (Empty)
override-lan Enable/disable override of WTP LAN port. disable
lan WTP LAN port mapping. Details below
Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)
override-allowaccess Enable/disable override of management access to managed AP. disable
allowaccess Allow management access to managed AP. (Empty)
override-login-passwd-change Enable/disable override of login password of managed AP. disable
login-passwd-change Configuration options for login password of managed AP. no
login-passwd Login password of managed AP. (Empty)
radio-1 Radio 1. Details below
Configuration Default Value
radio-id 0
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)
radio-2 Radio 2. Details below
Configuration Default Value
radio-id 1
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)
image-download Enable/disable WTP image download. enable
mesh-bridge-enable Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP. default
coordinate-enable Enable/disable WTP coordinates. disable
coordinate-x X axis coordinate. 0
coordinate-y Y axis coordinate. 0
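One managed FortiAP with the per-AP overrides that matter for security, preceded by the wtp-profile it inherits from (the wtp-profile command is described in the section that follows). This is an added example, not configuration from the reference or from Fortinet. The AP serial number, the profile name, the SSID name, the WIDS profile name and both passwords are placeholders. The profile closes telnet/HTTP management on the AP, replaces the factory login password and encrypts the CAPWAP data channel; the wtp entry authorizes the AP, gives it its own password and restricts each radio to one SSID.

```text
config wireless-controller wtp-profile
    edit "hardened-ap"
        # Encrypt the CAPWAP data channel between AP and controller; the
        # default clear-text leaves tunnelled client traffic readable on the wire.
        set dtls-policy dtls-enabled
        # No telnet or HTTP management on the AP itself (empty = no access).
        unset allowaccess
        # Replace the AP's factory login password.
        set login-passwd-change yes
        set login-passwd "replace-with-a-strong-password"
        # Attach a WIDS profile to both radios (assumed profile name).
        config radio-1
            set wids-profile "wids-strict"
        end
        config radio-2
            set wids-profile "wids-strict"
        end
    next
end
config wireless-controller wtp
    # The entry name is the AP's serial number (wtp-id); placeholder here.
    edit "FP221C0000000000"
        # A discovered AP is only managed once its admin status is enable.
        set admin enable
        set name "floor2-ap1"
        set location "Floor 2, east wing"
        set wtp-profile "hardened-ap"
        # Keep the profile's closed management access. Set
        # override-allowaccess enable plus "set allowaccess telnet" only
        # for a troubleshooting window on one AP, and revert afterwards.
        set override-allowaccess disable
        # Give this AP a login password distinct from the profile's.
        set override-login-passwd-change enable
        set login-passwd-change yes
        set login-passwd "another-strong-password"
        # Serve only the named SSID from each radio instead of every VAP.
        config radio-1
            set override-vaps enable
            set vap-all disable
            set vaps "corp-wifi"
        end
        config radio-2
            set override-vaps enable
            set vap-all disable
            set vaps "corp-wifi"
        end
    next
end
```

The reference renders vaps as a sub-table (config vaps / edit name); on the CLI itself the same setting is entered as a space-separated list of SSID names with set vaps, which is the form used above.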
wireless-controller/wtp-profile
CLI Syntax
config wireless-controller wtp-profile
  edit <name_str>
    set name <string>
    set comment <var-string>
    config platform
      edit <name_str>
        set type {FWF | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C | 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321C | S323C | S311C | S313C}
    end
    set wan-port-mode {wan-lan | wan-only}
    config lan
      edit <name_str>
        set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port-ssid <string>
        set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port1-ssid <string>
        set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port2-ssid <string>
        set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port3-ssid <string>
        set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port4-ssid <string>
        set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port5-ssid <string>
        set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port6-ssid <string>
        set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port7-ssid <string>
        set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
        set port8-ssid <string>
    end
    set led-state {enable | disable}
    set dtls-policy {clear-text | dtls-enabled}
    set dtls-in-kernel {enable | disable}
    set max-clients <integer>
    set handoff-rssi <integer>
    set handoff-sta-thresh <integer>
    set handoff-roaming {enable | disable}
    config deny-mac-list
      edit <name_str>
        set id <integer>
        set mac <mac-address>
    end
    set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
    set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
    set tun-mtu-uplink <integer>
    set tun-mtu-downlink <integer>
    set split-tunneling-acl-local-ap-subnet {enable | disable}
    config split-tunneling-acl
      edit <name_str>
        set id <integer>
        set dest-ip <ipv4-classnet>
    end
    set allowaccess {telnet | http}
    set login-passwd-change {yes | default | no}
    set login-passwd <password>
    set lldp {enable | disable}
    config radio-1
      edit <name_str>
        set radio-id <integer>
        set mode {disabled | ap | monitor | sniffer}
        set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
        set protection-mode {rtscts | ctsonly | disable}
        set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
        set amsdu {enable | disable}
        set coexistence {enable | disable}
        set short-guard-interval {enable | disable}
        set channel-bonding {80MHz | 40MHz | 20MHz}
        set auto-power-level {enable | disable}
        set auto-power-high <integer>
        set auto-power-low <integer>
        set power-level <integer>
        set dtim <integer>
        set beacon-interval <integer>
        set rts-threshold <integer>
        set frag-threshold <integer>
        set ap-sniffer-bufsize <integer>
        set ap-sniffer-chan <integer>
        set ap-sniffer-addr <mac-address>
        set ap-sniffer-mgmt-beacon {enable | disable}
        set ap-sniffer-mgmt-probe {enable | disable}
        set ap-sniffer-mgmt-other {enable | disable}
        set ap-sniffer-ctl {enable | disable}
        set ap-sniffer-data {enable | disable}
        set spectrum-analysis {enable | disable}
        set wids-profile <string>
        set darrp {enable | disable}
        set max-clients <integer>
        set max-distance <integer>
        set frequency-handoff {enable | disable}
        set ap-handoff {enable | disable}
        set vap-all {enable | disable}
        config vaps
          edit <name_str>
            set name <string>
        end
        config channel
          edit <name_str>
            set chan <string>
        end
    end
    config radio-2
      edit <name_str>
        set radio-id <integer>
        set mode {disabled | ap | monitor | sniffer}
        set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
        set protection-mode {rtscts | ctsonly | disable}
        set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
        set amsdu {enable | disable}
        set coexistence {enable | disable}
        set short-guard-interval {enable | disable}
        set channel-bonding {80MHz | 40MHz | 20MHz}
        set auto-power-level {enable | disable}
        set auto-power-high <integer>
        set auto-power-low <integer>
        set power-level <integer>
        set dtim <integer>
        set beacon-interval <integer>
        set rts-threshold <integer>
        set frag-threshold <integer>
        set ap-sniffer-bufsize <integer>
        set ap-sniffer-chan <integer>
        set ap-sniffer-addr <mac-address>
        set ap-sniffer-mgmt-beacon {enable | disable}
        set ap-sniffer-mgmt-probe {enable | disable}
        set ap-sniffer-mgmt-other {enable | disable}
        set ap-sniffer-ctl {enable | disable}
        set ap-sniffer-data {enable | disable}
        set spectrum-analysis {enable | disable}
        set wids-profile <string>
        set darrp {enable | disable}
        set max-clients <integer>
        set max-distance <integer>
        set frequency-handoff {enable | disable}
        set ap-handoff {enable | disable}
        set vap-all {enable | disable}
        config vaps
          edit <name_str>
            set name <string>
        end
        config channel
          edit <name_str>
            set chan <string>
        end
    end
    config lbs
      edit <name_str>
        set ekahau-blink-mode {enable | disable}
        set ekahau-tag <mac-address>
        set erc-server-ip <ipv4-address-any>
        set erc-server-port <integer>
        set aeroscout {enable | disable}
        set aeroscout-server-ip <ipv4-address-any>
        set aeroscout-server-port <integer>
        set aeroscout-mu-factor <integer>
        set aeroscout-mu-timeout <integer>
        set fortipresence {enable | disable}
        set fortipresence-server <ipv4-address-any>
        set fortipresence-port <integer>
        set fortipresence-secret <password>
        set fortipresence-project <string>
        set fortipresence-frequency <integer>
        set fortipresence-rogue {enable | disable}
        set fortipresence-unassoc {enable | disable}
        set station-locate {enable | disable}
    end
  end
Description
Each configuration setting, its description and its default value:
name
    WTP profile name. Default: (Empty)
comment
    Comment. Default: (Empty)
platform
    WTP platform. Details below.
    type: 220B
wan-port-mode
    Enable/disable use of WAN port as LAN port. Default: wan-only
lan
    WTP LAN port mapping. Details below.
    port-mode: offline
    port-ssid: (Empty)
    port1-mode: offline
    port1-ssid: (Empty)
    port2-mode: offline
    port2-ssid: (Empty)
    port3-mode: offline
    port3-ssid: (Empty)
    port4-mode: offline
    port4-ssid: (Empty)
    port5-mode: offline
    port5-ssid: (Empty)
    port6-mode: offline
    port6-ssid: (Empty)
    port7-mode: offline
    port7-ssid: (Empty)
    port8-mode: offline
    port8-ssid: (Empty)
led-state
    Enable/disable use of LEDs on WTP. Default: enable
dtls-policy
    WTP data channel DTLS policy. Default: clear-text
dtls-in-kernel
    Enable/disable data channel DTLS in kernel. Default: disable
max-clients
    Maximum number of STAs supported by the WTP. Default: 0
handoff-rssi
    Minimum RSSI value for handoff. Default: 25
handoff-sta-thresh
    Threshold value for AP handoff. Default: 30
handoff-roaming
    Enable/disable handoff when a client is roaming. Default: enable
deny-mac-list
    Deny MAC filter list. Default: (Empty)
ap-country
    AP country code. Default: NA
ip-fragment-preventing
    Prevent IP fragmentation for CAPWAP tunneled control and data packets. Default: tcp-mss-adjust
tun-mtu-uplink
    Uplink tunnel MTU. Default: 0
tun-mtu-downlink
    Downlink tunnel MTU. Default: 0
split-tunneling-acl-local-ap-subnet
    Enable/disable split tunneling ACL local AP subnet. Default: disable
split-tunneling-acl
    Split tunneling ACL filter list. Default: (Empty)
allowaccess
    Allow management access to managed AP. Default: (Empty)
login-passwd-change
    Configuration options for login password of managed AP. Default: no
login-passwd
    Login password of managed AP. Default: (Empty)
lldp
    Enable/disable LLDP. Default: disable
radio-1
    Radio 1. Details below.
    radio-id: 0
    mode: ap
    band: (Empty)
    protection-mode: disable
    powersave-optimize: (Empty)
    amsdu: enable
    coexistence: enable
    short-guard-interval: disable
    channel-bonding: 20MHz
    auto-power-level: disable
    auto-power-high: 17
    auto-power-low: 10
    power-level: 100
    dtim: 1
    beacon-interval: 100
    rts-threshold: 2346
    frag-threshold: 2346
    ap-sniffer-bufsize: 16
    ap-sniffer-chan: 36
    ap-sniffer-addr: 00:00:00:00:00:00
    ap-sniffer-mgmt-beacon: enable
    ap-sniffer-mgmt-probe: enable
    ap-sniffer-mgmt-other: enable
    ap-sniffer-ctl: enable
    ap-sniffer-data: enable
    spectrum-analysis: disable
    wids-profile: (Empty)
    darrp: disable
    max-clients: 0
    max-distance: 0
    frequency-handoff: disable
    ap-handoff: disable
    vap-all: enable
    vaps: (Empty)
    channel: (Empty)
radio-2
    Radio 2. Details below.
    radio-id: 1
    mode: ap
    band: (Empty)
    protection-mode: disable
    powersave-optimize: (Empty)
    amsdu: enable
    coexistence: enable
    short-guard-interval: disable
    channel-bonding: 20MHz
    auto-power-level: disable
    auto-power-high: 17
    auto-power-low: 10
    power-level: 100
    dtim: 1
    beacon-interval: 100
    rts-threshold: 2346
    frag-threshold: 2346
    ap-sniffer-bufsize: 16
    ap-sniffer-chan: 6
    ap-sniffer-addr: 00:00:00:00:00:00
    ap-sniffer-mgmt-beacon: enable
    ap-sniffer-mgmt-probe: enable
    ap-sniffer-mgmt-other: enable
    ap-sniffer-ctl: enable
    ap-sniffer-data: enable
    spectrum-analysis: disable
    wids-profile: (Empty)
    darrp: disable
    max-clients: 0
    max-distance: 0
    frequency-handoff: disable
    ap-handoff: disable
    vap-all: enable
    vaps: (Empty)
    channel: (Empty)
lbs
    Location based service. Details below.
    ekahau-blink-mode: disable
    ekahau-tag: 01:18:8e:00:00:00
    erc-server-ip: 0.0.0.0
    erc-server-port: 8569
    aeroscout: disable
    aeroscout-server-ip: 0.0.0.0
    aeroscout-server-port: 0
    aeroscout-mu-factor: 20
    aeroscout-mu-timeout: 5
    fortipresence: disable
    fortipresence-server: 0.0.0.0
    fortipresence-port: 3000
    fortipresence-secret: fortinet
    fortipresence-project: fortipresence
    fortipresence-frequency: 30
    fortipresence-rogue: disable
    fortipresence-unassoc: disable
    station-locate: disable
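The defaults above leave the CAPWAP data channel in the clear (dtls-policy clear-text) and leave the managed-AP login password unchanged (login-passwd-change no), and allowaccess can open telnet or http to the APs. The following is an added example, not code from the FortiOS reference or from Fortinet: it parses wtp-profile text in the CLI syntax shown above and reports those settings. The profile names and the SAMPLE_CONFIG text are constructed for the example.

```python
"""Audit 'config wireless-controller wtp-profile' text for weak management settings.

Added example, not from the FortiOS reference: it parses profile text in the
CLI syntax shown above and flags settings whose values (or documented defaults)
leave the CAPWAP data channel or AP management in the clear.
"""
import shlex
from typing import Dict, List

# Documented defaults from the description table; an unset key means the default applies.
DEFAULTS = {
    "dtls-policy": "clear-text",
    "dtls-in-kernel": "disable",
    "allowaccess": "",
    "login-passwd-change": "no",
}

# Constructed sample config (not captured from a real device). The first profile keeps
# the documented defaults and adds cleartext management access; the second is hardened.
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "branch-aps"
        set comment "Branch office APs"
        set allowaccess telnet http
        set login-passwd-change no
        config radio-1
            set mode ap
            set band 802.11n
        end
    next
    edit "hardened-aps"
        set dtls-policy dtls-enabled
        set dtls-in-kernel enable
        set login-passwd-change yes
        set login-passwd PLACEHOLDER-PASSWORD
    next
end
"""


def parse_wtp_profiles(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {profile_name: {setting: values}} for each profile's own 'set' lines.

    Nested 'config ... end' blocks (platform, lan, radio-1, lbs, ...) are skipped so a
    'set mode ap' inside radio-1 is never mistaken for a profile-level setting.
    """
    profiles: Dict[str, Dict[str, List[str]]] = {}
    current = None      # name of the profile being edited, if any
    depth = 0           # nesting depth of sub-tables inside that profile
    in_table = False    # inside 'config wireless-controller wtp-profile'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)   # honours quoted names and comments
        cmd = tokens[0]
        if not in_table:
            if cmd == "config" and tokens[1:3] == ["wireless-controller", "wtp-profile"]:
                in_table = True
            continue
        if current is None:
            if cmd == "edit":
                current, depth = tokens[1], 0
                profiles.setdefault(current, {})
            elif cmd == "end":
                in_table = False
            continue
        if cmd == "config":
            depth += 1
        elif cmd == "end":
            depth -= 1
        elif cmd == "next" and depth == 0:
            current = None
        elif cmd == "set" and depth == 0:
            profiles[current][tokens[1]] = tokens[2:]
    return profiles


def audit_profile(settings: Dict[str, List[str]]) -> List[str]:
    """Return findings for one profile, applying the documented default for unset keys."""
    def effective(key: str) -> str:
        return " ".join(settings.get(key, [DEFAULTS[key]]))

    findings = []
    if effective("dtls-policy") == "clear-text":
        findings.append("dtls-policy clear-text: CAPWAP data channel is not protected by DTLS")
    for proto in ("telnet", "http"):
        if proto in effective("allowaccess").split():
            findings.append(f"allowaccess {proto}: cleartext management protocol enabled on managed APs")
    if effective("login-passwd-change") == "no":
        findings.append("login-passwd-change no: profile does not set the managed AP login password")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every wtp-profile in the given config text."""
    return {name: audit_profile(s) for name, s in parse_wtp_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The same parser works on the output of a full configuration backup, since the wtp-profile table appears there in this syntax.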
execute
The execute commands perform immediate operations on the FortiGate unit, including:
- Maintenance operations, such as back up and restore the system configuration, reset the configuration to factory settings, update antivirus and attack definitions, view and delete log messages, set the date and time.
- Network operations, such as view and clear DHCP leases, clear arp table entries, use ping or traceroute to diagnose network problems.
- Generate certificate requests and install certificates for VPN authentication.
backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis and Management Service. For more information, see "fortiguard" on page 1 or "central-management" on page 1.
When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup config usb-mode [<backup_password_str>]
execute backup config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config-with-forticlient-info usb [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup full-config usb-mode <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp <filename_str> <server_ipv4>
execute backup {disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute backup {disk | memory} alllogs tftp <server_ipv4>
execute backup {disk | memory} alllogs usb
execute backup {disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
Variables and their descriptions:
config flash <comment>
    Back up the system configuration to the flash disk. Optionally, include a comment.
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to an FTP server. Optionally, you can specify a password to protect the saved data.
config management-station <comment_str>
    Back up the system configuration to a configured management station. If you are adding a comment, do not add spaces, underscore characters (_), quotation marks (" ") or any other punctuation marks. The comment you enter displays in both the portal website and FortiGate web-based manager (System > Maintenance > Revision).
config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.
config usb <filename_str> [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.
config usb-mode [<backup_password_str>]
    Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.
config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the system configuration to a file on an FTP server. Optionally, you can specify a password to protect the saved data.
config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.
config-with-forticlient-info usb [<backup_password_str>]
    Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.
config-with-forticlient-info usb-mode [<backup_password_str>]
    Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.
full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
    Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.
full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.
full-config usb <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk. You can optionally specify a password to protect the saved data.
full-config usb-mode <filename_str> [<backup_password_str>]
    Back up the full system configuration to a file on a USB disk (Global admin only). You can optionally specify a password to protect the saved data.
ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
    Back up IPS user-defined signatures to a file on an FTP server.
ipsuserdefsig tftp <filename_str> <server_ipv4>
    Back up IPS user-defined signatures to a file on a TFTP server.
{disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Back up either all memory or all hard disk log files for this VDOM to an FTP server. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>
{disk | memory} alllogs tftp <server_ipv4>
    Back up either all memory or all hard disk log files for this VDOM to a TFTP server. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>
{disk | memory} alllogs usb
    Back up either all memory or all hard disk log files for this VDOM to a USB disk. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>
{disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to an FTP server. The disk option is available on FortiGate models that log to a hard disk.
{disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to a TFTP server. The disk option is available on FortiGate models that log to a hard disk.
{disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
    Back up the specified type of log file from either hard disk or memory to a USB disk. The disk option is available on FortiGate models that log to a hard disk.
Example
This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
batch
Execute a series of CLI commands. execute batch commands are controlled by the Maintenance (mntgrp) access control group.
Syntax
execute batch [<cmd_cue>]
where <cmd_cue> is one of:
end— exit session and run the batch commands
lastlog— read the result of the last batch commands
start— start batch mode
status— batch mode status reporting if batch mode is running or stopped
Example
To start batch mode:
execute batch start
Enter batch mode...
To enter commands to run in batch mode:
config system global
set refresh 5
end
To execute the batch commands:
execute batch end
Exit and run batch commands...
bypass-mode
Use this command to manually switch a FortiGate-600C or FortiGate-1000C into bypass mode. This is available in transparent mode only. If manually switched to bypass mode, the unit remains in bypass mode until bypass mode is disabled.
Syntax
execute bypass-mode {enable | disable}
carrier-license
Use this command to enter a FortiOS Carrier license key if you have installed a FortiOS Carrier build on a FortiGate unit and need to enter a license key to enable FortiOS Carrier functionality.
Contact Fortinet Support for more information about this command.
Syntax
execute carrier-license <license_key>
<license_key>
    Enter the FortiOS Carrier license key supplied by Fortinet.
central-mgmt
Update Central Management Service account information. Also used to receive configuration file updates from an attached FortiManager unit.
Syntax
execute central-mgmt set-mgmt-id <management_id>
execute central-mgmt register-device <fmg-serial-number> <fmg-register-password> <fgt-user-name> <fgt-password>
execute central-mgmt unregister-device <fmg-serial-number>
set-mgmt-id is used to change or initially set the management ID, or your account number for Central Management Services. This account ID must be set for the service to be enabled.
register-device registers the FortiGate unit with a specific FortiManager unit specified by serial number. You must also specify the administrator name and password that the FortiManager unit uses to log on to the FortiGate unit.
unregister-device removes the FortiGate unit from the specified FortiManager unit's device list.
update is used to update your Central Management Service contract with your new management account ID. This command is to be used if there are any changes to your management service account.
Example
If you are registering with the Central Management Service for the first time, and your account number is 123456, you would enter the following:
execute central-mgmt set-mgmt-id 123456
cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or revert. This command has no effect if the mode is automatic, the default. The set cfg-save command in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiGate unit restarts.
In the default configuration change mode, automatic, CLI commands become part of the saved unit configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are saved automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. You set the timeout in system global using the set cfg-revert-timeout command.
Syntax
execute cfg reload
Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.
cfg save
Use this command to save configuration changes when the configuration change mode is manual or revert. If the mode is automatic, the default, all changes are added to the saved configuration as you make them and this command has no effect. The set cfg-save command in system global sets the configuration change mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. To change the timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout command.
Syntax
execute cfg save
Example
This is sample output from the command:
# execute cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration mode and no changes have been made:
# execute cfg save
no config to be saved.
clear system arp table
Clear all the entries in the arp table.
Syntax
execute clear system arp table
cli check-template-status
Reports the status of the secure copy protocol (SCP) script template.
Syntax
execute cli check-template-status
cli status-msg-only
Enable or disable displaying standardized CLI error output messages. If executed, this command stops other debug messages from displaying in the current CLI session. This command is used for compatibility with FortiManager.
Syntax
execute cli status-msg-only [enable | disable]
status-msg-only [enable | disable]
    Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output. Default: enable
client-reputation
Use these commands to retrieve or remove client reputation information.
Syntax
To erase all client reputation data
execute client-reputation erase
To retrieve client reputation host count
execute client-reputation host-count <rows>
To retrieve client reputation host details
execute client-reputation host detail <host>
To retrieve client reputation host summary
execute client-reputation host summary <host>
To purge old data
execute client-reputation purge
To view the top n records
execute client-reputation <n | all>
date
Get or set the system date.
Syntax
execute date [<date_str>]
date_str has the form yyyy-mm-dd, where
yyyy is the year and can be 2001 to 2037
mm is the month and can be 01 to 12
dd is the day of the month and can be 01 to 31
If you do not specify a date, the command returns the current system date. Shortened values, such as '06' instead of '2006' for the year or '1' instead of '01' for month or day, are not valid.
Example
This example sets the date to 17 September 2004:
execute date 2004-09-17
disk
Use this command to list and format hard disks installed in FortiGate units or individual partitions on these hard disks.
Syntax
execute disk format <partition1_ref_int> [...<partitionn_ref_int>]
execute disk list
execute disk scan <ref_int>
format
    Format the referenced disk partitions or disks. Separate reference numbers with spaces. If you enter a partition reference number the disk partition is formatted. If you enter a disk reference number the entire disk and all of its partitions are formatted.
list
    List the disks and partitions and the reference number for each one.
scan
    Scan a disk or partition and repair errors.
<ref_int>
    Disk (device) or partition reference number.
The execute disk format command formats the specified partitions or disks and then reboots the system if a reboot is required.
In most cases you need to format the entire disk only if there is a problem with the partition. Formatting the partition removes all data from the partition. Formatting the disk removes all data from the entire disk and creates a single partition on the disk.
Examples
Use the following command to list the disks and partitions.
execute disk list
Disk Internal(boot) ref: 14.9GB type: SSD [ATA SanDisk SSD U100] dev: /dev/sda
partition ref: 3 14.4GB, 14.4GB free mounted: Y label: 7464A257123E07BB dev: /dev/sda3
In this example, there is only one partition and its reference number is 3.
Enter the following command to format the partition.
execute disk format 3
After a confirmation message the FortiGate unit formats the partition and restarts. This can take a few minutes.
disk raid
Use this command to view information about and change the raid settings on FortiGate units that support RAID.
Syntax
execute disk raid disable
execute disk raid enable {Raid-0 | Raid-1 | Raid-5}
execute disk raid rebuild
execute disk raid status
disable
    Disable RAID for the FortiGate unit.
enable {Raid-0 | Raid-1 | Raid-5}
    Change the RAID level on the FortiGate unit.
rebuild
    Rebuild RAID on the FortiGate unit at the same RAID level. You can only execute this command if a RAID error has been detected. Changing the RAID level takes a while and deletes all data on the disk array.
status
    Display information about the RAID disk array in the FortiGate unit.
Examples
Use the following command to display information about the RAID disk array in a FortiGate-82C.
execute disk raid status
RAID Level: Raid-1
RAID Status: OK
RAID Size: 1000GB
Disk 1: OK Used 1000GB
Disk 2: OK Used 1000GB
Disk 3: OK Used 1000GB
Disk 4: Unavailable Not-Used 0GB
disk scan
Use this command to run a disk check operation.
Syntax
execute disk scan <ref_int>
where <ref_int> is the partition "ref:" number for the disk, shown by execute disk list.
The operation requires the FortiGate unit to reboot. The command responds:
Example
# execute disk scan 3
scan requested for: 3/Internal (device=/dev/sda3)
This action requires the unit to reboot.
Do you want to continue? (y/n)
dhcp lease-clear
Clear all DHCP address leases.
Syntax
For IPv4:
execute dhcp lease-clear
For IPv6:
execute dhcp6 lease-clear
dhcp lease-list
Display DHCP leases on a given interface
Syntax
For IPv4:
execute dhcp lease-list [interface_name]
For IPv6:
execute dhcp6 lease-list [interface_name]
If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list includesall leases issued by DHCP servers on the FortiGate unit.
If there are no DHCP leases in use on the FortiGate unit, an error will be returned.
disconnect-admin-session
Disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in administratorsby using the following command:
execute disconnect-admin-session ?
The list of logged-in administrators looks like this:
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
Example
This example shows how to disconnect the logged-in administrator admin2 from the above list.
execute disconnect-admin-session 1
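Because the index, not the user name, is what execute disconnect-admin-session takes, an operator reviewing a longer list has to map names and source addresses to indexes by hand. The following is an added example, not code from the FortiOS reference or from Fortinet: it parses the listing format shown above, returns the indexes for a user, and flags sessions whose source address is outside an allowed management network. The SAMPLE_LISTING text and its third row (a session from 203.0.113.9) are constructed for the example.

```python
"""Parse the logged-in administrator listing and pick sessions to disconnect.

Added example, not from the FortiOS reference: it reads the table that
'execute disconnect-admin-session ?' prints (INDEX USERNAME TYPE FROM TIME)
and reports the index for a user, plus any session whose source address lies
outside an allowed management subnet.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class AdminSession(NamedTuple):
    index: int
    username: str
    session_type: str   # WEB or CLI
    source: str         # FROM column as printed, e.g. "ssh(172.20.120.54)"
    login_time: str


# Constructed sample listing in the format shown above; the third row is an
# invented session from a non-management address.
SAMPLE_LISTING = """\
Connected:
INDEX USERNAME TYPE FROM TIME
0 admin WEB 172.20.120.51 Mon Aug 14 12:57:23 2006
1 admin2 CLI ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
2 admin CLI ssh(203.0.113.9) Mon Aug 14 13:02:10 2006
"""

# A data row: index, three whitespace-free columns, then the time (which contains spaces).
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_sessions(listing: str) -> List[AdminSession]:
    """Turn the listing into AdminSession records; header lines do not match ROW_RE."""
    sessions = []
    for line in listing.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            idx, user, stype, src, when = m.groups()
            sessions.append(AdminSession(int(idx), user, stype, src, when))
    return sessions


def source_ip(session: AdminSession) -> Optional[ipaddress.IPv4Address]:
    """Extract the IPv4 address from the FROM column (bare, or wrapped as ssh(...))."""
    m = IPV4_RE.search(session.source)
    return ipaddress.IPv4Address(m.group(0)) if m else None


def indexes_for_user(listing: str, username: str) -> List[int]:
    """All session indexes belonging to one administrator account."""
    return [s.index for s in parse_sessions(listing) if s.username == username]


def disconnect_commands(listing: str, username: str) -> List[str]:
    """The 'execute disconnect-admin-session <index>' commands for one user's sessions."""
    return [f"execute disconnect-admin-session {i}" for i in indexes_for_user(listing, username)]


def sessions_outside(listing: str, allowed_cidrs: List[str]) -> List[AdminSession]:
    """Sessions whose source is not inside any allowed management network."""
    nets = [ipaddress.IPv4Network(c) for c in allowed_cidrs]
    flagged = []
    for s in parse_sessions(listing):
        ip = source_ip(s)
        if ip is None or not any(ip in n for n in nets):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    print(disconnect_commands(SAMPLE_LISTING, "admin2"))
    for s in sessions_outside(SAMPLE_LISTING, ["172.20.120.0/24"]):
        print(f"index {s.index}: {s.username} from {s.source} is outside the management network")
```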
enter
Use this command to go from global commands to a specific virtual domain (VDOM).
Only available when virtual domains are enabled and you are in config global.
After you enter the VDOM, the prompt will not change from "(global)". However you will be in the VDOM with all the commands that are normally available in VDOMs.
Syntax
execute enter <vdom>
Use “?” to see a list of available VDOMs.
erase-disk
Use this command to reformat the boot device or an attached hard disk. Optionally, this command can restore the image from a TFTP server after erasing.
Syntax
execute erase-disk <disk_name>
The <disk_name> for the boot device is boot.
factoryreset
Reset the FortiGate configuration to factory default settings.
Syntax
execute factoryreset [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.
Apart from the keepvmlicense option, this procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.
factoryreset2
Reset the FortiGate configuration to factory default settings except VDOM and interface settings.
Syntax
execute factoryreset2 [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.
formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.
Syntax
execute formatlogdisk
In addition to deleting logs, this operation will erase all other data on the disk, including system configuration, quarantine files, and databases for antivirus and IPS.
forticarrier-license
Use this command to perform a FortiCarrier license upgrade.
Syntax
execute forticarrier-license <activation-code>
forticlient
Use these commands to manage FortiClient licensing.
Syntax
To view FortiClient license information
execute forticlient info
To show current FortiClient count
execute forticlient list <connection_type>
where <connection_type> is one of:
0 - IPsec
1 - SSLVPN
2 - NAC (Endpoint Security)
3 - WAN optimization
4 - Test
To upgrade FortiClient licenses
execute forticlient upgrade <license_key_str>
FortiClient-NAC
Use the following command to load a FortiClient license onto a FortiGate unit.
Syntax
execute FortiClient-NAC update-registration-license <code>
where <code> is the FortiClient registration license key/activation code.
fortiguard-log
Use this to manage FortiGuard Analysis and Management Service (FortiCloud) operation.
Syntax
To create a FortiCloud account
execute fortiguard-log create-account
To perform FortiCloud certification
execute fortiguard-log certification
To retrieve the FortiCloud agreement
execute fortiguard-log agreement
To test connection to a FortiCloud account
execute fortiguard-log try <account-id> <password>
To join FortiCloud
execute fortiguard-log join
To log in to a FortiCloud account
execute fortiguard-log login <account-id> <password>
To update the FortiGuard Analysis and Management Service contract
execute fortiguard-log update
fortitoken
Use these commands to activate and synchronize a FortiToken device. FortiToken devices are used in two-factor authentication of administrator and user account logons. The device generates a random six-digit code that you enter during the logon process along with user name and password.
Before they can be used to authenticate account logins, FortiToken devices must be activated with the FortiGuard service. When successfully activated, the status of the FortiToken device will change from New to Active.
Synchronization is sometimes needed due to the internal clock drift of the FortiToken device. It is not unusual for new FortiToken units to require synchronization before being put into service. Synchronization is accomplished by entering two sequential codes provided by the FortiToken.
Syntax
To activate one or more FortiToken devices
execute fortitoken activate <serial_number> [serial_number2 ... serial_numbern]
To import FortiToken OTP seeds
execute fortitoken import <seeds_file> <seeds_file_preshared_key>
To synchronize a FortiToken device
execute fortitoken sync <serial_number> <code> <next code>
To import a set of FortiToken serial numbers
execute fortitoken import-sn-file <ftk-sn>
FortiCare returns a set of 200 serial numbers that are in the same serial number range as the specified FortiToken device.
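As an added illustration of the synchronization mechanism described above (example code written for this page, not Fortinet code, and not a description of how FortiOS implements it internally): a minimal OATH HOTP/TOTP implementation in Python with a resync routine that takes two sequential codes and searches a bounded window for the token's clock offset, which is the problem execute fortitoken sync solves. It assumes an HMAC-SHA1 six-digit token with a 60-second time step and uses the RFC 4226 test seed as a constructed secret; the drift window size is also an assumption.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not taken from the FortiOS reference):
# an OATH-style TOTP token, HMAC-SHA1, 6 digits, 60-second time step.
TIME_STEP = 60
DIGITS = 6
MAX_DRIFT_STEPS = 50  # how far (in steps) a drifted token clock may be from the server


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, offset_steps: int = 0) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter, shifted by a known drift offset."""
    return hotp(secret, unix_time // TIME_STEP + offset_steps)


def resync(secret: bytes, code: str, next_code: str, server_time: int):
    """Find the token's clock offset (in steps) from two sequential codes.

    Returns the offset, or None if no consecutive counter pair inside the
    drift window reproduces both codes. Requiring two consecutive codes makes
    an accidental match across the window vanishingly unlikely.
    """
    base = server_time // TIME_STEP
    for delta in range(-MAX_DRIFT_STEPS, MAX_DRIFT_STEPS + 1):
        if hotp(secret, base + delta) == code and hotp(secret, base + delta + 1) == next_code:
            return delta
    return None


def verify(secret: bytes, code: str, unix_time: int, offset_steps: int, window: int = 1) -> bool:
    """Accept a code from the current step or +/- window steps, after applying the stored offset."""
    counter = unix_time // TIME_STEP + offset_steps
    return any(hotp(secret, counter + w) == code for w in range(-window, window + 1))


# Constructed demo data: the RFC 4226 test secret and a fixed server time.
DEMO_SECRET = b"12345678901234567890"
DEMO_SERVER_TIME = 1_700_000_000


def demo() -> dict:
    """Simulate a token whose clock is 7 steps ahead: rejected before sync, accepted after."""
    token_drift = 7
    token_counter = DEMO_SERVER_TIME // TIME_STEP + token_drift
    first, second = hotp(DEMO_SECRET, token_counter), hotp(DEMO_SECRET, token_counter + 1)
    before = verify(DEMO_SECRET, first, DEMO_SERVER_TIME, 0)   # drift exceeds the +/-1 window
    offset = resync(DEMO_SECRET, first, second, DEMO_SERVER_TIME)
    after = verify(DEMO_SECRET, first, DEMO_SERVER_TIME, offset)
    return {"offset": offset, "accepted_before_sync": before, "accepted_after_sync": after}


if __name__ == "__main__":
    print(demo())
```

The design point is that resync learns a per-token offset without widening the normal acceptance window: verify() keeps its narrow tolerance, and only a matching pair of consecutive codes, inside a bounded window, can move the stored offset.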
fortitoken-mobile
Use these commands to activate and synchronize a FortiToken Mobile card. FortiToken Mobile cards are used in two-factor authentication of administrator and user account logons. The FortiGate unit sends a random six-digit code to the mobile device by email or SMS that the user enters during the logon process along with user name and password.
Syntax
To import the FortiToken Mobile card serial number
execute fortitoken-mobile import <activation_code>
To poll a FortiToken Mobile token state
execute fortitoken-mobile poll
To provision a FortiToken Mobile token
execute fortitoken-mobile provision <token_serial_number>
fsso refresh
Use this command to manually refresh user group information from Directory Service servers connected to the FortiGate unit using the Fortinet Single Sign On (FSSO) agent.
Syntax
execute fsso refresh
ha disconnect
Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial number of the unit to be disconnected. You must also specify an interface name and assign an IP address and netmask to this interface of the disconnected unit. You can disconnect any unit from the cluster, even the primary unit. After the unit is disconnected the cluster responds as if the disconnected unit has failed. The cluster may renegotiate and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to 0.0.0.0. The interface specified in the command is set to the IP address and netmask that you specify in the command. In addition, all management access to this interface is enabled. Once the FortiGate unit is disconnected you can use SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.
Syntax
execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4> <address_ipv4mask>
Variable  Description
cluster-member-serial_str
    The serial number of the cluster unit to be disconnected.
interface_str
    The name of the interface to configure. The command configures the IP address and netmask for this interface and also enables all management access for this interface.
Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0
ha ignore-hardware-revision
Use this command to set ignore-hardware-revision status.
Syntax
To view ignore-hardware-revision status
execute ha ignore-hardware-revision status
To set ignore-hardware-revision status
execute ha ignore-hardware-revision {enable | disable}
ha manage
Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a subordinate unit. However, if you have logged into a subordinate unit CLI, you can use this command to log into the primary unit CLI, or the CLI of another subordinate unit.
You can use CLI commands to manage the cluster unit that you have logged into. If you make changes to the configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to all cluster units.
Syntax
execute ha manage <cluster-index>
Variable  Description
cluster-index
    The cluster index is assigned by the FortiGate Clustering Protocol according to cluster unit serial number. The cluster unit with the highest serial number has a cluster index of 0. The cluster unit with the second highest serial number has a cluster index of 1 and so on.
    Enter ? to list the cluster indexes of the cluster units that you can log into. The list does not show the unit that you are already logged into.
Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example you have already logged into the primary unit. The primary unit has serial number FGT3082103000056. The subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.
execute ha manage ?
<id> please input slave cluster index.
<0> Subsidary unit FGT3012803021709
<1> Subsidary unit FGT3082103021989
Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The CLI prompt changes to the host name of this unit. To return to the primary unit, type exit.
From the subordinate unit you can also use the execute ha manage command to log into the primary unit or into another subordinate unit. Enter the following command:
execute ha manage ?
<id> please input slave cluster index.
<1> Subsidary unit FGT3082103021989
<2> Subsidary unit FGT3082103000056
Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other subordinate unit. The CLI prompt changes to the host name of this unit.
ha synchronize
Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress.
Syntax
execute ha synchronize {start | stop}
Variable  Description
start
    Start synchronizing the cluster configuration.
stop
    Stop the cluster from completing synchronizing its configuration.
interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.
Syntax
execute interface dhcpclient-renew <port>
Example
This is the output for renewing the DHCP client on port1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1
interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.
Syntax
execute interface pppoe-reconnect <port>
log backup
Use this command to back up all logs, index files, and report databases. The files are compressed and combined into a TAR archive.
Syntax
execute log backup <file name>
where <file name> is the name of the backup file to create.
log client-reputation-report
Use these commands to control client-reputation log actions.
Syntax
To accept a host so that it has its own baselines
execute log client-reputation-report accept <policy-id> <host>
To clear all auto-profile data
execute log client-reputation-report clear
To ignore a host, removing it from the abnormal list
execute log client-reputation-report ignore <policy-id> <host>
To refresh the data of one option result
execute log client-reputation-report refresh <policy-id> <option> <action>
<option> is one of bandwidth, session, failconn, geo, or app
<action> is one of data, baseline, or data_baseline (both data and baseline)
To get baseline/average information of one option
execute log client-reputation-report result baseline <policy-id> <option>
<option> is one of bandwidth, session, or failconn
To get hourly data of a host visiting a country or using an application
execute log client-reputation-report result details {hourly | total} <policy-id> <option> <name> <host>
<option> is geo or app
<name> is the name of the country or application
To list abnormal hosts of one or all options
execute log client-reputation-report result list <policy-id> <option>
<option> is geo, app, or all
To list periodical data of one host of one option
execute log client-reputation-report result period <policy-id> <option> <host> <periods>
<option> is one of bandwidth, session, failconn, geo, or app
<periods> is number of periods to list
To list the top 10 abnormal hosts of one option
execute log client-reputation-report result top10 <policy-id> <option>
<option> is one of bandwidth, session, failconn, geo, or app
To run reports immediately
execute log client-reputation-report run <policy-id>
log convert-oldlogs
Use this command to convert old compact logs to the new format. This command is available only if you have upgraded from an earlier version of FortiOS and have old compact logs on your system.
Syntax
execute log convert-oldlogs
log delete-all
Use this command to clear all log entries for this VDOM in memory and current log files on hard disk. If your FortiGate unit has no hard disk, only log entries in system memory will be cleared. You will be prompted to confirm the command.
Syntax
execute log delete-all
log delete-oldlogs
Use this command to delete old compact logs. This command is available only if you have upgraded from an earlier version of FortiOS and have old compact logs on your system.
Syntax
execute log delete-oldlogs
log detail
Display UTM-related log entries for traffic log entries in this VDOM.
Syntax
execute log detail <category> <utm-ref>
where <category> is one of:
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-spam
9: utm-dlp
10: utm-app-ctrl
You can obtain <utm-ref> from the execute log display output.
log display
Use this command to display log messages for this VDOM that you have selected with the execute log filter command.
Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the commands
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the command
execute log filter reset
log downgrade-log
Use this command to downgrade existing logs to v5.0 format prior to a firmware downgrade to FortiOS v5.0.
Syntax
execute log downgrade-log
log filter
Use this command to select log messages in this VDOM for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to view.
Syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter dump
execute log filter field <name> <value> [<value2>,...<valuen>] [not]
execute log filter ha-member <unitsn_str>
execute log filter reset [all | field]
execute log filter rolled_number <number>
execute log filter sortby <field> [max-sort-lines]
execute log filter start-line <line_number>
execute log filter view-lines <count>
Variable  Description  Default
category <category_name>
    Enter the type of log you want to select. To see a list of available categories, enter
    execute log filter category
    Default: event
device {disk | memory}
    Device where the logs are stored.
    Default: disk
dump
    Display current filter settings.
    No default.
field <name> <value> [<value2>,...<valuen>] [not]
    Enter execute log filter field to view the list of field names.
    Press Enter after <name> to view information about value parameters for that field.
    not inverts the field value condition.
    No default.
ha-member <unitsn_str>
    Select logs from the specified HA cluster member. Enter the serial number of the unit.
reset [all | field]
    Execute this command to reset all filter settings. You can use the field option to reset only filter field settings.
    No default.
rolled_number <number>
    Select logs from rolled log file. 0 selects current log file.
    Default: 0
sortby <field> [max-sort-lines]
    Sort logs by specified field.
    No default.
start-line <line_number>
    Select logs starting at specified line number.
    Default: 1
view-lines <count>
    Set lines per view. Range: 5 to 1000
    Default: 10
log fortianalyzer test-connectivity
Use this command to test the connection to the FortiAnalyzer unit. This command is available only when FortiAnalyzer is configured.
Syntax
execute log fortianalyzer test-connectivity
Example
When FortiAnalyzer is connected, the output looks like this:
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
When FortiAnalyzer is not connected, the output is: Connect Error
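Added example (not from the reference and not Fortinet code): a Python parser for the two output shapes above, written for a monitoring job that runs the command over an SSH session and alerts when the FortiAnalyzer link degrades, because a FortiGate that cannot reach its FortiAnalyzer stops shipping logs without any other visible symptom. The sample outputs are constructed from the example above; the 90% disk-quota threshold and the set of channels that must read "Tx & Rx" are assumptions.

```python
import re

# Constructed sample outputs, modelled on the reference's example (not captured from a device).
SAMPLE_CONNECTED = """\
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""
SAMPLE_NOT_CONNECTED = "Connect Error\n"

# Assumptions: every one of these channels should be bidirectional, and a nearly
# full per-device quota on the FortiAnalyzer is worth an alert before logs are dropped.
CHANNELS = ("Log", "Report", "Content Archive", "Quarantine")
DISK_WARN_PCT = 90.0


def parse_faz_status(output: str) -> dict:
    """Turn 'execute log fortianalyzer test-connectivity' output into a health verdict.

    Returns a dict with 'connected', the parsed 'fields', 'disk_used_pct' and a
    list of human-readable 'issues' (empty when everything looks healthy).
    """
    text = output.strip()
    if not text or text == "Connect Error":
        return {"connected": False, "fields": {}, "disk_used_pct": None,
                "issues": ["FortiAnalyzer unreachable: Connect Error"]}

    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # skip any line that is not a 'Key: value' pair
            fields[key.strip()] = value.strip()

    issues = []
    if fields.get("Registration") != "registered":
        issues.append("device is not registered with FortiAnalyzer")
    if fields.get("Connection") != "allow":
        issues.append("FortiAnalyzer is not allowing this device's connection")

    used_pct = None
    m = re.fullmatch(r"(\d+)/(\d+)\s*MB", fields.get("Disk Space (Used/Allocated)", ""))
    if m and int(m.group(2)) > 0:
        used_pct = 100.0 * int(m.group(1)) / int(m.group(2))
        if used_pct >= DISK_WARN_PCT:
            issues.append(f"log quota {used_pct:.1f}% used")

    for chan in CHANNELS:
        if fields.get(chan) != "Tx & Rx":
            issues.append(f"{chan} channel is not Tx & Rx (got {fields.get(chan)!r})")

    return {"connected": True, "fields": fields, "disk_used_pct": used_pct, "issues": issues}


if __name__ == "__main__":
    for sample in (SAMPLE_CONNECTED, SAMPLE_NOT_CONNECTED):
        print(parse_faz_status(sample))
```

A one-directional channel (for example "Log: Tx" only) is reported as an issue rather than treated as healthy, since the reference shows "Tx & Rx" as the normal state for each channel.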
log list
You can view the list of current and rolled log files for this VDOM on the console. The list shows the file name, size and timestamp.
Syntax
execute log list <category>
To see a list of available categories, enter
execute log list
Example
The output looks like this:
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
At the end of the list, the total number of files in the category is displayed. For example:
501 event log file(s) found.
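Added example (not from the reference): a Python parser for execute log list output, usable as a log-retention check. It totals the listed file sizes, counts rolled files, finds the oldest file on disk (which bounds how far back local logs reach), and compares the number of listed entries with the trailing count line. The sample output is constructed from the example above, so the count line deliberately reports more files than are listed.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the reference's example output (not captured from a device).
SAMPLE_LOG_LIST = """\
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
501 event log file(s) found.
"""

# name, size in bytes, weekday (ignored), then "<Month> <day> <HH:MM:SS> <year>"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+\w{3}\s+"
    r"(?P<ts>\w+ \d{1,2} \d\d:\d\d:\d\d \d{4})$"
)
COUNT_RE = re.compile(r"^(?P<count>\d+) .* log file\(s\) found\.$")
ROLLED_RE = re.compile(r"\.\d+$")  # rolled files carry a numeric suffix: elog.1, elog.2, ...


def parse_log_list(output: str) -> dict:
    """Summarize the file inventory printed by 'execute log list <category>'."""
    files = []
    reported = None
    for raw in output.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            files.append({
                "name": m["name"],
                "size": int(m["size"]),
                "time": datetime.strptime(m["ts"], "%B %d %H:%M:%S %Y"),
            })
            continue
        c = COUNT_RE.match(line)
        if c:
            reported = int(c["count"])

    oldest = min(files, key=lambda f: f["time"]) if files else None
    return {
        "files": files,
        "total_bytes": sum(f["size"] for f in files),
        "rolled_count": sum(1 for f in files if ROLLED_RE.search(f["name"])),
        "oldest": oldest["name"] if oldest else None,
        "oldest_time": oldest["time"] if oldest else None,
        "listed_count": len(files),
        "reported_count": reported,
    }


if __name__ == "__main__":
    summary = parse_log_list(SAMPLE_LOG_LIST)
    print(f"{summary['listed_count']} listed of {summary['reported_count']} reported, "
          f"{summary['total_bytes']} bytes, oldest {summary['oldest']} at {summary['oldest_time']}")
```

When listed_count and reported_count differ, the listing was truncated and the totals only cover the files shown; a retention check should treat that as incomplete data rather than as a small log set.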
log rebuild-sqldb
Use this command to rebuild the SQL database from log files.
If run in the VDOM context, only this VDOM’s SQL database is rebuilt. If run in the global context, the SQL database is rebuilt for all VDOMs.
If SQL logging is disabled, this command is unavailable.
Syntax
execute log rebuild-sqldb
log recreate-sqldb
Use this command to recreate SQL log database.
If SQL logging is disabled, this command is unavailable.
Syntax
execute log recreate-sqldb
log-report reset
Use this command to delete all logs, archives and user configured report templates.
Syntax
execute log-report reset
log restore
Use this command to restore all logs, index files, and report databases from a backup file created with the "log backup" on page 27 command.
This command will wipe out all existing logs and the report database for the VDOM. It is only available for debug firmware builds.
It is recommended to kill reportd and miglogd prior to running this command.
kill -3 1
killall miglogd
killall reportd
Syntax
execute log restore <file name>
where <file name> is the name of the backup file to use.
log roll
Use this command to roll all log files.
Syntax
execute log roll
log shift-time
Use this command in conjunction with the "log backup" on page 27 and "log restore" on page 33 commands. You can load a log set generated previously to do demos or testing without needing to regenerate data.
Syntax
execute log shift-time <number of hours>
log upload-progress
Use this command to display the progress of the latest log upload.
Syntax
execute log upload-progress
modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a connection or it has made the maximum configured number of redial attempts.
This command can be used if the modem is in Standalone mode.
Syntax
execute modem dial
modem hangup
Hang up the modem.
This command can be used if the modem is in Standalone mode.
Syntax
execute modem hangup
modem trigger
This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its current state. If for some reason the modem should be connected but isn't, then it will trigger a redial. If the modem should not be connected but is, this command will cause the modem to disconnect.
Syntax
execute modem trigger
mrouter clear
Clear multicast routes, RP-sets, IGMP membership records or routing statistics.
Syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>
Clear multicast routes:
execute mrouter clear <route-type> {<group-address> {<source-address>}}
Clear PIM-SM RP-sets learned from the bootstrap router (BSR):
execute mrouter clear sparse-mode-bsr
Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}
Variable  Description
<interface-name>
    Enter the name of the interface on which you want to clear IGMP memberships.
<group-address>
    Optionally enter a group address to limit the command to a particular group.
<route-type>
    Enter one of:
    dense-routes - clear only PIM dense routes
    multicast-routes - clear all types of multicast routes
    sparse-routes - clear only sparse routes
<source-address>
    Optionally, enter a source address to limit the command to a particular source address. You must also specify group-address.
netscan
Use this command to start and stop the network vulnerability scanner and perform related functions.
Syntax
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop
Variable  Description
import
    Import hosts discovered on the last asset discovery scan.
list
    List the hosts discovered on the last asset discovery scan.
start scan
    Start the configured vulnerability scan.
status
    Display the status of the current network vulnerability scan.
stop
    Stop the current network vulnerability scan.
pbx
Use this command to view active channels and to delete, list or upload music files to play while a caller is on hold.
Syntax
execute pbx active-call <list>
execute pbx extension <list>
execute pbx ftgd-voice-pkg {sip-trunk}
execute pbx music-on-hold {delete | list | upload}
execute pbx prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload tftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload usb <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx restore-default-prompts
execute pbx sip-trunk list
Variables  Description
active-call <list>
    Enter to display a list of the active calls being processed by the FortiGate Voice unit.
extension <list>
    Enter to display the status of all extensions with SIP phones that have connected to the FortiGate Voice unit.
ftgd-voice-pkg {sip-trunk}
    Enter to retrieve FortiGuard voice package sip trunk information.
music-on-hold {delete | list | upload}
    Enter to either delete, list or upload music on hold files. You can upload music on hold files using FTP, TFTP, or from a USB drive plugged into the FortiGate Voice unit.
prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new pbx voice prompt files using FTP. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename, FTP server address (domain name or IPv4 address) and, if required, the username and password for the server.
prompt upload tftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new pbx voice prompt files using TFTP. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename and TFTP server IP address.
prompt upload usb <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
    Upload new pbx voice prompt files from a USB drive plugged into the FortiGate Voice unit. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename.
restore-default-prompts
    Restore default English voicemail and other PBX system prompts. Use this command if you have changed the default prompts and want to restore the default settings.
sip-trunk list
    Enter to display the status of all SIP trunks that have been added to the FortiGate Voice configuration.
Example command output
Enter the following command to view active calls:
execute pbx active-call
Call-From   Call-To   Duration
6016        6006      00:00:46
Enter the following command to display the status of all extensions:
execute pbx extension list
Extension   Host           Dialplan
6052        Unregister     company-default
6051        Unregister     company-default
6050        Unregister     company-default
6022        Unregister     company-default
6021/6021   172.30.63.34   company-default
6020        Unregister     company-default
Enter the following command to display the status of all SIP trunks:
execute pbx sip-trunk list
Name         Host           Username   Account-Type   State
Provider_1   192.169.20.1   +5555555   Static         N/A
ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another network device.
Syntax
execute ping {<address_ipv4> | <host-name_str>}
<host-name_str> should be an IP address, or a fully qualified domain name.
Example
This example shows how to ping a host with the IP address 172.20.120.16.
#execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
ping-options, ping6-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate unit and another network device.
Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Variable  Description  Default
data-size <bytes>
    Specify the datagram size in bytes.
    Default: 56
df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.
    Default: no
pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data_size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.
    No default.
repeat-count <repeats>
    Specify how many times to repeat ping.
    Default: 5
source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface.
    Default: auto
timeout <seconds>
    Specify, in seconds, how long to wait until ping times out.
    Default: 2
tos <service_type>
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted.
    lowdelay = minimize delay
    throughput = maximize throughput
    reliability = maximize reliability
    lowcost = minimize cost
    Default: 0
ttl <hops>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.
    Default: 64
validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no
view-settings
    Display the current ping-option settings.
    No default.
Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.
execute ping-options source 192.168.10.23
ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6 capable network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
policy-packet-capture delete-all
Use this command to delete captured packets.
Syntax
execute policy-packet-capture delete-all
You will be asked to confirm that you want to delete the packets.
reboot
Restart the FortiGate unit.
Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the web-based manager ensures that proper shutdown procedures are followed to prevent any loss of configuration.
Syntax
execute reboot <comment “comment_string”>
<comment “comment_string”> allows you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word, it must be enclosed in quotes.
Example
This example shows the reboot command with a message included.
execute reboot comment “December monthly maintenance”
report
Use these commands to manage reports.
Syntax
To flash report caches:
execute report flash-cache
To recreate the report database:
execute report recreate-db
To generate a report:
execute report run [<layout_name>["start-time" "end-time"]]
The start and end times have the format yyyy-mm-dd hh:mm:ss
report-config reset
Use this command to reset report templates to the factory default. Logs are not deleted.
If SQL logging is disabled, this command is unavailable.
Syntax
execute report-config reset
restore
Use this command to:
- restore the configuration from a file
- change the FortiGate firmware
- change the FortiGate backup firmware
- restore an IPS custom signature file
When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Syntax
execute restore av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal | template | script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore config usb-mode [<backup_password_str>]
execute restore forticlient tftp <filename_str> <server_ipv4>
execute restore image flash <revision>
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore src-vis <src-vis-pkgfile>
execute restore vcm {ftp | tftp} <filename_str> <server_ipv4>
execute restore vmlicense {ftp | tftp} <filename_str> <server_ipv4>
Variable Description
av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]>[<username_str><password_str>]
Download the antivirus database file from an FTP server to theFortiGate unit.
av tftp <filename_str> <server_ipv4[:port_int]>
Download the antivirus database file from a TFTP server to theFortiGate unit.
config flash<revision>
Restore the specified revision of the system configuration fromthe flash disk.
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
911
execute restore
Variable Description
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords.
If the backup file was created with a password, you must specify the password.
config management-station {normal | template | script} <rev_int>
Restore the system configuration from the central management server. The new configuration replaces the existing configuration, including administrator accounts and passwords.
rev_int is the revision number of the saved configuration to restore. Enter 0 for the most recent revision.
config tftp <filename_str> <server_ipv4> [<backup_password_str>]
Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords.
If the backup file was created with a password, you must specify the password.
config usb <filename_str> [<backup_password_str>]
Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords.
If the backup file was created with a password, you must specify the password.
config usb-mode [<backup_password_str>]
Restore the system configuration from a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. When the USB drive is removed, the FortiGate unit needs to reboot and revert to the unit's existing configuration.
If the backup file was created with a password, you must specify the password.
forticlient tftp <filename_str> <server_ipv4>
Download the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format: FortiClientSetup_versionmajor.versionminor.build.exe. For example, FortiClientSetup.4.0.377.exe.
image flash <revision>
Restore the specified firmware image from the flash disk.
image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
Download a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
This command is not available in multiple VDOM mode.
image management-station <version_int>
Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.
image tftp <filename_str> <server_ipv4>
Download a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
This command is not available in multiple VDOM mode.
image usb <filename_str>
Download a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
Download the IPS database file from an FTP server to the FortiGate unit.
ips tftp <filename_str> <server_ipv4>
Download the IPS database file from a TFTP server to the FortiGate unit.
ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
Restore the IPS custom signature file from an FTP server. The file will overwrite the existing IPS custom signature file.
ipsuserdefsig tftp <filename_str> <server_ipv4>
Restore an IPS custom signature file from a TFTP server. The file will overwrite the existing IPS custom signature file.
secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
Download a firmware image from an FTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.
secondary-image tftp <filename_str> <server_ipv4>
Download a firmware image from a TFTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.
secondary-image usb <filename_str>
Download a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. Available on models that support backup firmware images.
src-vis <src-vis-pkgfile>
Download the source visibility signature package.
vcm {ftp | tftp} <filename_str> <server_ipv4>
Restore the VCM engine/plugin from an FTP or TFTP server.
vmlicense {ftp | tftp} <filename_str> <server_ipv4>
Restore the VM license (VM version of the product only).
Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
revision
Use these commands to manage configuration and firmware image files on the local disk.
Syntax
To delete a configuration file
execute revision delete config <revision>
To delete a firmware image file
execute revision delete image <revision>
To list the configuration files
execute revision list config
To list the firmware image files
execute revision list image
router clear bfd session
Use this command to clear a Bidirectional Forwarding Detection (BFD) session.
Syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>
Variable Description
<src_ip> Select the source IP address of the session.
<dst_ip> Select the destination IP address of the session.
<interface> Select the interface for the session.
router clear bgp
Use this command to clear BGP peer connections.
Syntax
execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]
Variable Description
all Clear all BGP peer connections.
as <as_number> Clear BGP peer connections by AS number.
dampening {ip_address | ip/netmask}
Clear route flap dampening information for peer or network.
external {in prefix-filter}
Clear all external peers.
ip <ip_address> Clear BGP peer connections by IP address.
peer-group Clear all members of a BGP peer-group.
[in | out] Optionally limit clear operation to inbound only or outbound only.
flap-statistics {ip_address | ip/netmask}
Clear flap statistics for peer or network.
soft Do a soft reset that changes the configuration but does not disturb existing sessions.
router clear ospf process
Use this command to clear and restart the OSPF router.
Syntax
IPv4:
execute router clear ospf process
IPv6:
execute router clear ospf6 process
router restart
Use this command to restart the routing software.
Syntax
execute router restart
send-fds-statistics
Use this command to send an FDS statistics report now, without waiting for the FDS statistics report interval to expire.
Syntax
execute send-fds-statistics
set system session filter
Use these commands to define the session filter for get system session commands.
Syntax
To clear the filter settings
execute set system session filter clear {all|dport|dst|duration|expire|policy|proto|sport|src|vd}
To specify destination port
execute set system session filter dport <port_range>
To specify destination IP address
execute set system session filter dst <ip_range>
To specify duration
execute set system session filter duration <duration_range>
To specify expiry
execute set system session filter expire <expire_range>
To list the filter settings
execute set system session filter list
To invert a filter setting
execute set system session filter negate {dport|dst|duration|expire|policy|proto|sport|src|vd}
To specify firewall policy ID
execute set system session filter policy <policy_range>
To specify protocol
execute set system session filter proto <protocol_range>
To specify source port
execute set system session filter sport <port_range>
To specify source IP address
execute set system session filter src <ip_range>
To specify virtual domain
execute set system session filter vd <vdom_index>
Variable Description
<duration_range> The start and end times, separated by a space.
<expire_range> The start and end times, separated by a space.
<ip_range> The start and end IP addresses, separated by a space.
<policy_range> The start and end policy numbers, separated by a space.
<port_range> The start and end port numbers, separated by a space.
<protocol_range> The start and end protocol numbers, separated by a space.
<vdom_index> The VDOM index number. -1 means all VDOMs.
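The filter commands above are normally typed one at a time, and an incident responder who wants to inspect, for example, every session to a particular destination port except those from a known host range has to get the ranges, the negate flags and the VDOM index right by hand. The following Python helper is an added example and is not FortiOS code or part of this reference: it builds the full command sequence from a mapping of filter keys to (start, end) ranges, validates each range before anything is sent to the unit, and always begins with a clear so the result does not depend on a filter left behind by an earlier session. The numeric bounds (ports 0-65535, protocol numbers 0-255) are assumptions for illustration; the reference only says each range is a start and an end separated by a space.

```python
"""Build a validated sequence of 'execute set system session filter' commands.

Added example, not FortiOS code. The filter keys and their argument kinds
follow the syntax listed above; the numeric bounds are assumptions.
"""
import ipaddress

# Filter keys documented for the command, with the kind of range each takes.
RANGE_KINDS = {
    "dport": "port", "sport": "port",
    "dst": "ip", "src": "ip",
    "duration": "seconds", "expire": "seconds",
    "policy": "policy", "proto": "protocol",
}

# Assumed bounds (not stated on the page): TCP/UDP ports 0-65535,
# IP protocol numbers 0-255, policy IDs and seconds non-negative.
NUMERIC_BOUNDS = {
    "port": (0, 65535),
    "protocol": (0, 255),
    "policy": (0, 2**32 - 1),
    "seconds": (0, 2**32 - 1),
}


def _check_numeric_range(kind, start, end):
    """Return 'start end' after checking both values are in bounds and ordered."""
    lo, hi = NUMERIC_BOUNDS[kind]
    for v in (start, end):
        if not isinstance(v, int) or not lo <= v <= hi:
            raise ValueError(f"{kind} value {v!r} outside {lo}-{hi}")
    if start > end:
        raise ValueError(f"{kind} range start {start} exceeds end {end}")
    return f"{start} {end}"


def _check_ip_range(start, end):
    """Return 'start end' after checking both are IPv4 addresses in order."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if a > b:
        raise ValueError(f"IP range start {a} exceeds end {b}")
    return f"{a} {b}"


def build_session_filter_commands(filters, negate=(), vdom=None):
    """Return the CLI lines that install a session filter.

    filters: mapping of filter key -> (start, end) tuple.
    negate:  keys whose match should be inverted (the 'negate' subcommand).
    vdom:    VDOM index, or -1 for all VDOMs; None leaves the vd filter unset.
    The first line clears any previous filter, the last lists the result.
    """
    prefix = "execute set system session filter"
    lines = [f"{prefix} clear all"]
    for key, (start, end) in filters.items():
        if key not in RANGE_KINDS:
            raise ValueError(f"unknown session filter key {key!r}")
        kind = RANGE_KINDS[key]
        if kind == "ip":
            arg = _check_ip_range(start, end)
        else:
            arg = _check_numeric_range(kind, start, end)
        lines.append(f"{prefix} {key} {arg}")
    if vdom is not None:
        if not isinstance(vdom, int) or vdom < -1:
            raise ValueError("vdom index must be -1 (all VDOMs) or a non-negative integer")
        lines.append(f"{prefix} vd {vdom}")
    for key in negate:
        if key not in RANGE_KINDS and key != "vd":
            raise ValueError(f"cannot negate unknown key {key!r}")
        lines.append(f"{prefix} negate {key}")
    lines.append(f"{prefix} list")
    return lines


if __name__ == "__main__":
    # Constructed example: all TCP sessions to port 445 in every VDOM,
    # excluding those from the 10.0.5.10-10.0.5.20 range.
    for line in build_session_filter_commands(
            {"dport": (445, 445), "proto": (6, 6), "src": ("10.0.5.10", "10.0.5.20")},
            negate=["src"], vdom=-1):
        print(line)
```

The generated lines are plain text meant to be pasted into the CLI, followed by the get system session commands the filter applies to; rejecting an out-of-range or reversed range locally avoids a filter that silently matches nothing on the unit.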
set-next-reboot
Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot. Available on models that can store two firmware images. By default, the FortiGate unit loads the firmware from the primary partition.
VDOM administrators do not have permission to run this command. It must be executed by a super administrator.
Syntax
execute set-next-reboot {primary | secondary}
sfp-mode-sgmii
Change the SFP mode for an NP2 card to SGMII. By default, when an AMC card is inserted the SFP mode is set to SERDES mode.
If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.
In these situations, the sfpmode-sgmii command will change the SFP mode from SERDES to SGMII for the interface specified.
Syntax
execute sfpmode-sgmii <interface>
<interface> is the NP2 interface where you are changing the SFP mode.
shutdown
Shut down the FortiGate unit now. You will be prompted to confirm this command.
Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the web-based manager ensures proper shutdown procedures are followed to prevent any loss of configuration.
Syntax
execute shutdown [comment <comment_string>]
comment is optional but you can use it to add a message that will appear in the event log message that records the shutdown. The comment message does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotes.
Example
This example shows the shutdown command with a message included.
execute shutdown comment "emergency facility shutdown"
An event log message similar to the following is recorded:
2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'
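The event log line above records who shut the unit down, over which channel, from which address and with what comment, which is exactly what a monitoring pipeline should alert on when a shutdown originates from somewhere other than the management network. The following Python script is an added example and is not part of the FortiOS reference: it parses lines with the layout shown above into fields and returns the shutdown or reboot events whose source address is outside a list of management networks. The first sample line is the one from this reference; the second line and the management network are constructed for illustration.

```python
"""Parse FortiGate shutdown/reboot event log lines and flag unexpected sources.

Added example, not FortiOS code. The line layout is taken from the sample
log message above; the second sample line and the management network used
in the demonstration are constructed.
"""
import ipaddress
import re

# date time level user id channel(src) action message...
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>\w+) (?P<user>\S+) (?P<id>\d+) "
    r"(?P<channel>\w+)\((?P<src>[0-9.]+)\) (?P<action>\w+) (?P<message>.*)$"
)
REASON_RE = re.compile(r"The reason is '(?P<reason>.*)'\s*$")


def parse_event(line):
    """Return a dict of the fields in one shutdown/reboot event line,
    or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["id"] = int(event["id"])
    r = REASON_RE.search(event["message"])
    event["reason"] = r.group("reason") if r else None
    return event


def unexpected_power_events(lines, management_nets, actions=("shutdown", "reboot")):
    """Return parsed events whose action is a shutdown or reboot and whose
    source address is not inside any of the given management networks."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in actions:
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in n for n in nets):
            flagged.append(ev)
    return flagged


# Sample log lines: the first is the one from the reference above,
# the second is constructed to show an out-of-network source.
SAMPLE_LOG = [
    "2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown "
    "User admin shutdown the device from ssh(172.20.120.11). "
    "The reason is 'emergency facility shutdown'",
    "2009-09-08 23:41:07 critical admin 41987 ssh(203.0.113.77) shutdown "
    "User admin shutdown the device from ssh(203.0.113.77). "
    "The reason is 'maintenance'",
]

if __name__ == "__main__":
    for ev in unexpected_power_events(SAMPLE_LOG, ["172.20.120.0/24"]):
        print(f"{ev['date']} {ev['time']} {ev['action']} by {ev['user']} "
              f"from {ev['src']}: {ev['reason']}")
```

Because the comment string is free text chosen by whoever ran the command, it is kept as a separate field rather than matched against, and the source address is the part of the line worth alerting on.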
ssh
Use this command to establish an ssh session with another system.
Syntax
execute ssh <destination> [<port>]
<destination> - the destination in the form user@ip or user@host.
[<port>] - optional TCP port number
Example
execute ssh [email protected]
To end an ssh session, type exit:
FGT-6028030112 # exit
Connection to 172.20.120.122 closed.
FGT-8002805000 #
sync-session
Use this command to force a session synchronization.
Syntax
execute sync-session
system custom-language import
Use this command to import a custom language file from a TFTP server.
The web-based manager provides a downloadable template file. Go to System > Config > Advanced.
Syntax
execute system custom-language import <lang_name> <file_name> <tftp_server_ip>
<lang_name> - the language name
<file_name> - the language file name
<tftp_server_ip> - the TFTP server IP address
system fortisandbox test-connectivity
Use this command to query FortiSandbox connection status.
Syntax
execute fortisandbox test-connectivity
tac report
Use this command to create a debug report to send to Fortinet Support. Normally you would only use this command if requested to by Fortinet Support.
Syntax
execute tac report
telnet
Use telnet client. You can use this tool to test network connectivity.
Syntax
execute telnet <telnet_ipv4>
<telnet_ipv4> is the address to connect with.
Type exit to close the telnet session.
time
Get or set the system time.
Syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
hh is the hour and can be 00 to 23
mm is the minutes and can be 00 to 59
ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
You are allowed to shorten numbers to only one digit when setting the time. For example both 01:01:01 and 1:1:1 are allowed.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
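The rules above (hour 00-23, minutes and seconds 00-59, one or two digits per field) are simple but easy to get wrong in a script that sets the clock on many units, and a rejected value leaves the unit with its old time. The following Python helper is an added example and is not part of the FortiOS reference: it validates a time_str against those rules, normalizes it to the two-digit form, and builds the execute time line, with no argument meaning a query of the current time as the reference states.

```python
"""Validate and normalize the hh:mm:ss argument of 'execute time'.

Added example, not FortiOS code. It applies the rules in the reference:
hour 00-23, minute 00-59, second 00-59, each field written with one or
two digits (1:1:1 and 01:01:01 are both accepted).
"""
import re

TIME_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})$")
FIELD_NAMES = ("hour", "minute", "second")
FIELD_MAX = (23, 59, 59)


def normalize_time_str(time_str):
    """Return the canonical two-digit 'hh:mm:ss' for a valid input.

    Raises ValueError for anything that is not three colon-separated
    one- or two-digit fields within the documented ranges.
    """
    m = TIME_RE.match(time_str.strip())
    if not m:
        raise ValueError(f"{time_str!r} is not in hh:mm:ss form")
    fields = tuple(int(f) for f in m.groups())
    for name, value, limit in zip(FIELD_NAMES, fields, FIELD_MAX):
        if value > limit:
            raise ValueError(f"{name} {value} exceeds {limit}")
    return "{:02d}:{:02d}:{:02d}".format(*fields)


def time_command(time_str=None):
    """Build the CLI line: no argument queries the clock, an argument sets it."""
    if time_str is None:
        return "execute time"
    return f"execute time {normalize_time_str(time_str)}"


if __name__ == "__main__":
    print(time_command())            # query the current system time
    print(time_command("1:1:1"))     # single-digit fields are normalized
    print(time_command("15:31:03"))  # the reference's own example
```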
traceroute
Test the connection between the FortiGate unit and another network device, and display information about the network hops between the device and the FortiGate unit.
Syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with http://docs.forticare.com. In this example the traceroute command times out after the first hop, indicating a possible problem.
# execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
If your FortiGate unit is not connected to a working DNS server, you will not be able to connect to remote host-named locations with traceroute.
tracert6
Test the connection between the FortiGate unit and another network device using the IPv6 protocol, and display information about the network hops between the device and the FortiGate unit.
Syntax
tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl] [-s src_addr] [-q nprobes] [-w waittime] [-z sendwait] host [paddatalen]
-F Set Don’t Fragment bit.
-d Enable debugging.
-n Do not resolve numeric address to domain name.
-f <first_ttl> Set the initial time-to-live used in the first outgoing probe packet.
-i <interface> Select interface to use for tracert.
-m <max_ttl> Set the max time-to-live (max number of hops) used in outgoing probe packets.
-s <src_addr> Set the source IP address to use in outgoing probe packets.
-q <nprobes> Set the number of probes per hop.
-w <waittime> Set the time in seconds to wait for a response to a probe. Default is 5.
-z <sendwait> Set the time in milliseconds to pause between probes.
host Enter the IP address or FQDN to probe.
<paddatalen> Set the packet size to use when probing.
update-av
Use this command to manually initiate the virus definitions and engines update. To update both virus and attack definitions, use the execute update-now command.
Syntax
execute update-av
update-geo-ip
Use this command to obtain an update to the IP geography database from FortiGuard.
Syntax
execute update-geo-ip
update-ips
Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine update. To update both virus and attack definitions, use the execute update-now command.
Syntax
execute update-ips
update-list
Use this command to download an updated FortiGuard server list.
Syntax
execute update-list
update-now
Use this command to manually initiate both virus and attack definitions and engine updates. To initiate only virus or attack definitions, use the execute update-av or execute update-ips command respectively.
Syntax
execute update-now
update-src-vis
Use this command to trigger an FDS update of the source visibility signature package.
Syntax
execute update-src-vis
upd-vd-license
Use this command to enter a Virtual Domain (VDOM) license key.
If you have a FortiGate unit that supports VDOM licenses, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum of 10 VDOMs.
Available on FortiGate models that can be licensed for more than 10 VDOMs.
Syntax
execute upd-vd-license <license_key>
Variable Description
<license_key> The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.
upload
Use this command to upload system configurations and firmware images to the flash disk from FTP, TFTP, or USB sources.
Syntax
To upload configuration files:
execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>
execute upload config usb <filename_str> <comment>
To upload firmware image files:
execute upload image ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload image tftp <filename_str> <comment> <server_ipv4>
execute upload image usb <filename_str> <comment>
To upload report image files:
execute upload report-img ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute upload report-img tftp <filename_str> <server_ipv4>
Variable Description
<comment> Comment string.
<filename_str> Filename to upload.
<server_fqdn[:port_int]>
Server fully qualified domain name and optional port.
<server_ipv4[:port_int]>
Server IP address and optional port number.
<username_str> Username required on server.
<password_str> Password required on server.
<backup_password_str>
Password for backup file.
usb-device
Use these commands to manage FortiExplorer IOS devices.
Syntax
List connected FortiExplorer IOS devices
execute usb-device list
Disconnect FortiExplorer IOS devices
execute usb-device disconnect
usb-disk
Use these commands to manage your USB disks.
Syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>
Variable Description
delete <filename> Delete the named file from the USB disk.
format Format the USB disk.
list List the files on the USB disk.
rename <old_name> <new_name>
Rename a file on the USB disk.
vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>
Variable Description
import Import the CA certificate from a TFTP server to the FortiGate unit.
export Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>
Enter the name of the CA certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
auto Retrieve a CA certificate from a SCEP server.
tftp Import the CA certificate to the FortiGate unit from a file on a TFTP server (local administrator PC).
<ca_server_url> Enter the URL of the CA certificate server.
<ca_identifier_str> CA identifier on CA certificate server (optional).
Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a TFTP server with the address 192.168.21.54.
execute vpn certificate ca import tftp trust_ca 192.168.21.54
vpn certificate crl
Use this command to get a CRL via LDAP, HTTP, or SCEP protocol, depending on the auto-update configuration.
In order to use the command execute vpn certificate crl, the authentication servers must already be configured.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate crl import auto <crl-name>
Variable Description
import Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiGate unit.
<crl-name> Enter the name of the CRL.
auto Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP authentication server.
vpn certificate local export
Use this command to export a local certificate from the FortiGate unit to a TFTP server.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Variable Description
exportExport or copy the local certificate from the FortiGate unit to afile on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>
Enter the name of the local certificate.
To view a list of the local certificates, you can enter:
execute vpn certificate local export tftp ?
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
Example
Use the following command to export the local certificate request generated in the vpn certificate local generate example from the FortiGate unit to a TFTP server. The example uses the file name testcert for the downloaded file and the TFTP server address 192.168.21.54.
execute vpn certificate local export tftp branch_cert testcert 192.168.21.54
vpn certificate local generate
Use this command to generate a local certificate.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential.
When you receive the signed certificate from the CA, use the execute vpn certificate local import command to install it on the FortiGate unit.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca
To generate the default server key used by SSL Inspection
execute vpn certificate local generate default-ssl-serv-key
To generate an elliptical curve certificate request
execute vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]
To generate an RSA certificate request
execute vpn certificate local generate rsa <certificate-name_str> <key-length> <subject_str> [<optional_information>]
Variable Description
<certificate-name_str>
Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
<elliptic-curve-name>
Enter the elliptic curve name: secp256r1, secp384r1, or secp521r1.
<key-length> Enter 1024, 1536 or 2048 for the size in bits of the encryption key.
<subject_str>
Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.
An IP address or domain name is preferred. If this is impossible(such as with a dialup client), use an e-mail address.
If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit's IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.
[<optional_information>]
Enter optional_information as required to further identify the certificate. See the Optional information variables table below for the list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.
Optional information variables
Variable Description
<country_code_str>
Enter the two-character country code. Enter execute vpn certificate local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.
<state_name_str> Enter the name of the state or province where the FortiGate unit is located.
<city_name_str> Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.
<organization-name_str>
Enter the name of the organization that is requesting the certificate for the FortiGate unit.
<organization-unit_name_str>
Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.
<email_address_str> Enter a contact e-mail address for the FortiGate unit.
<ca_server_url> Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.
<challenge_password>
Enter the challenge password for the SCEP certificate server.
Example
Use the following command to generate a local RSA certificate request with the name branch_cert, the domain name www.example.com and a key size of 1536.
execute vpn certificate local generate rsa branch_cert 1536 www.example.com
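The generate command has several constraints spread across the tables above: the certificate name character set, the permitted RSA key lengths and elliptic curve names, and the rule that optional identity variables must be given in the documented order with every earlier variable present. The following Python helper is an added example and is not FortiOS code or part of this reference: it assembles the command line for either an RSA or an EC request and rejects input that would violate one of those constraints before the command reaches the unit, where the interactive prompt would otherwise have to be walked by hand. Using null to skip the country code comes from the country_code_str description above; the quoting of values that contain spaces is an assumption, as the reference does not show a multi-word subject or organization name.

```python
"""Build a validated 'execute vpn certificate local generate' command.

Added example, not FortiOS code. Constraints are taken from the variable
tables above; quoting of multi-word values is an assumption.
"""
import re

NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")       # documented name character set
RSA_KEY_LENGTHS = (1024, 1536, 2048)             # documented <key-length> values
EC_CURVES = ("secp256r1", "secp384r1", "secp521r1")  # documented curve names

# Optional information variables in the order the reference requires them.
OPTIONAL_ORDER = (
    "country_code", "state_name", "city_name", "organization_name",
    "organization_unit_name", "email_address", "ca_server_url",
    "challenge_password",
)


def _quote(value):
    """Quote a value containing whitespace so the CLI reads it as one argument."""
    return f'"{value}"' if re.search(r"\s", value) else value


def _optional_args(optional):
    """Return the optional variables in documented order.

    Raises ValueError if a variable is given without all of the variables
    that precede it in the table (the reference requires them in order).
    """
    unknown = set(optional) - set(OPTIONAL_ORDER)
    if unknown:
        raise ValueError(f"unknown optional variables: {sorted(unknown)}")
    args = []
    for index, key in enumerate(OPTIONAL_ORDER):
        if key not in optional:
            continue
        if len(args) != index:
            missing = OPTIONAL_ORDER[len(args):index]
            raise ValueError(f"{key} requires {list(missing)} to be given first")
        args.append(_quote(str(optional[key])))
    return args


def generate_command(name, subject, key_length=None, curve=None, **optional):
    """Return the CLI line for an RSA (key_length) or EC (curve) request.

    name:     certificate name, letters, digits, '-' and '_' only.
    subject:  host IP, FQDN or e-mail address identifying the unit.
    optional: country_code, state_name, ... in the documented order;
              pass country_code="null" to skip the country as the page allows.
    """
    if not NAME_RE.match(name):
        raise ValueError("certificate name may contain only 0-9, A-Z, a-z, '-' and '_'")
    if (key_length is None) == (curve is None):
        raise ValueError("give exactly one of key_length (RSA) or curve (EC)")
    if key_length is not None:
        if key_length not in RSA_KEY_LENGTHS:
            raise ValueError(f"RSA key length must be one of {RSA_KEY_LENGTHS}")
        algo = f"rsa {name} {key_length}"
    else:
        if curve not in EC_CURVES:
            raise ValueError(f"curve must be one of {EC_CURVES}")
        algo = f"ec {name} {curve}"
    parts = ["execute vpn certificate local generate", algo, _quote(subject)]
    parts.extend(_optional_args(optional))
    return " ".join(parts)


if __name__ == "__main__":
    # The reference's own example, rebuilt through the validator.
    print(generate_command("branch_cert", "www.example.com", key_length=1536))
    # Constructed: an EC request with the first four optional variables.
    print(generate_command("edge-fw", "vpn.example.com", curve="secp384r1",
                           country_code="US", state_name="California",
                           city_name="Sunnyvale", organization_name="Example Corp"))
```

The ordering check is the part worth keeping even if the rest is adapted: the reference states that to enter any optional variable all earlier ones must be entered, so a script that supplies only organization_name would be silently prompting for a country code instead.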
vpn certificate local import
Use this command to import a local certificate to the FortiGate unit from a TFTP server.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.
Syntax
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
Variable Description
<certificate-name_str>
Enter the name of the local certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
Example
Use the following command to import the signed local certificate named branch_cert to the FortiGate unit from a TFTP server with the address 192.168.21.54.
execute vpn certificate local import tftp branch_cert 192.168.21.54
vpn certificate remote
Use this command to import a remote certificate from a TFTP server, or export a remote certificate from the FortiGate unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.
Syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Field/variable Description
import Import the remote certificate from the TFTP server to the FortiGate unit.
export Export or copy the remote certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>
Enter the name of the public certificate.
<file-name_str> Enter the file name on the TFTP server.
<tftp_ip> Enter the TFTP server address.
tftp Import/export the remote certificate via a TFTP server.
vpn ipsec tunnel down
Use this command to shut down an IPsec VPN tunnel.
Syntax
execute vpn ipsec tunnel down <phase2> [<phase1> <phase2_serial>]
where:
<phase2> is the phase 2 name
<phase1> is the phase 1 name
<phase2_serial> is the phase 2 serial number
<phase1> is required on a dial-up tunnel.
vpn ipsec tunnel up
Use this command to activate an IPsec VPN tunnel.
Syntax
execute vpn ipsec tunnel up <phase2> [<phase1> <phase2_serial>]
where:
<phase2> is the phase 2 name
<phase1> is the phase 1 name
<phase2_serial> is the phase 2 serial number
This command cannot activate a dial-up tunnel.
vpn sslvpn del-all
Use this command to delete all SSL VPN connections in this VDOM.
Syntax
execute vpn sslvpn del-all
vpn sslvpn del-tunnel
Use this command to delete an SSL tunnel connection.
Syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.
vpn sslvpn del-web
Use this command to delete an active SSL VPN web connection.
Syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there is more than one active connection.
vpn sslvpn list
Use this command to list current SSL VPN tunnel connections.
Syntax
execute vpn sslvpn list {web | tunnel}
webfilter quota-reset
Use this command to reset user quota.
Syntax
execute webfilter quota-reset <wf-profile> <user_ip4addr>
execute webfilter quota-reset <wf-profile> <user_name>
wireless-controller delete-wtp-image
Use this command to delete all firmware images for WLAN Termination Points (WTPs), also known as physical access points.
Syntax
execute wireless-controller delete-wtp-image
wireless-controller list-wtp-image
Use this command to list all firmware images for WLAN Termination Points (WTPs), also known as WiFi physical access points.
Syntax
execute wireless-controller list-wtp-image
Example output
WTP Images on AC:
ImageName ImageSize(B) ImageInfo ImageMTime
FAP22A-IMG.wtp 3711132 FAP22A-v4.0-build212 Mon Jun 6 12:26:41 2011
wireless-controller reset-wtp
Use this command to reset a physical access point (WTP).
If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install it. Use the command execute wireless-controller upload-wtp-image to upload FortiAP firmware to the FortiGate unit.
Syntax
execute wireless-controller reset-wtp {<serialNumber_str> | all}
where <serialNumber_str> is the FortiWiFi unit serial number.
Use the all option to reset all APs.
wireless-controller restart-acd
Use this command to restart the wireless-controller daemon.
Syntax
execute wireless-controller restart-acd
wireless-controller restart-wtpd
Use this command to restart the wireless access point daemon.
Syntax
execute wireless-controller restart-wtpd
wireless-controller upload-wtp-image
Use this command to upload a FortiWiFi firmware image to the FortiGate unit. Wireless APs controlled by this wireless controller can download the image as needed. Use the execute wireless-controller reset-wtp command to trigger FortiAP units to update their firmware.
Syntax
FTP:
execute wireless-controller upload-wtp-image ftp <filename_str> <server_ipv4[:port_int]> [<username_str> <password_str>]
TFTP:
execute wireless-controller upload-wtp-image tftp <filename_str> <server_ipv4>
get
The get commands retrieve information about the operation and performance of your FortiGate unit.
endpoint-control app-detect
Use this command to retrieve information about predefined application detection signatures for Endpoint NAC.
Syntax
get endpoint-control app-detect predefined-category status
get endpoint-control app-detect predefined-group status
get endpoint-control app-detect predefined-signature status
get endpoint-control app-detect predefined-vendor status
Example output (partial)
get endpoint-control app-detect predefined-category status
FG200A2907500558 # get endpoint-control app-detect predefined-category status
name: "Anti-Malware Software"
id: 1
group: 1

name: "Authentication and Authorization"
id: 2
group: 1

name: "Encryption, PKI"
id: 3
group: 1

name: "Firewalls"
id: 4
group: 1

get endpoint-control app-detect predefined-group status
FG200A2907500558 # get endpoint-control app-detect predefined-group status
name: "Security"
id: 1

name: "Multimedia"
id: 2

name: "Communication"
id: 3

name: "Critical Functions"
id: 4
get endpoint-control app-detect predefined-signature status
FG200A2907500558 # get endpoint-control app-detect predefined-signature status
name: "Apache HTTP Server"
id: 256
category: 26
vendor: 149

name: "RealPlayer (32-bit)"
id: 1
category: 10
vendor: 68

name: "VisualSVN Server"
id: 257
category: 26
vendor: 162

name: "QQ2009"
id: 2
category: 14
vendor: 78

get endpoint-control app-detect predefined-vendor status
FG200A2907500558 # get endpoint-control app-detect predefined-vendor status
name: "Access Remote PC (www.access-remote-pc.com)"
id: 3

name: "ACD Systems, Ltd."
id: 4

name: "Adobe Systems Incorporated"
id: 5

name: "Alen Soft"
id: 6
extender modem-status
Use this command to display detailed FortiExtender modem status information.
Syntax
get extender modem-status <serno>
where <serno> is the FortiExtender serial number.
Example output
physical_port: Internal
manufacture: Sierra Wireless, Incorporated
product: AirCard 313U
model: AirCard 313U
revision: SWI9200X_03.05.10.02AP R4684 CARMD-EN-10527 2012/02/25 11:58:38
imsi: 310410707582825
pin_status: READY
service: N/A
signal_strength: 73
RSSI: -68 dBm
connection_status: connected
Profile 1: broadband
Profile 2: broadband
Profile 13: wap.cingular
Profile 15: broadband
NAI: w.tp
Profile: 0 Disabled
home_addr: 127.219.10.128
primary_ha: 127.218.246.40
secondary_ha: 119.75.69.176
aaa_spi: 0
ha_spi: 4
esn_imei: 012615000227604
activation_status: Activated
roaming_status: N/A
usim_status: N/A
oma_dm_version: N/A
plmn: N/A
band: B17
signal_rsrq: N/A
signal_rsrp: N/A
lte_sinr: N/A
lte_rssi: N/A
lte_rs_throughput: N/A
lte_ts_throughput: N/A
lte_physical_cellid: N/A
modem_type:
drc_cdma_evdo: N/A
current_snr: N/A
wireless_operator:
operating_mode: N/A
wireless_signal: 73
usb_wan_mac: 16:78:f7:db:01:07
extender sys-info
Use this command to display detailed FortiExtender system information.
Syntax
get extender sys-info
firewall dnstranslation
Use this command to display the firewall DNS translation table.
Syntax
get firewall dnstranslation
firewall iprope appctrl
Use this command to list all application control signatures added to an application control list and display a summary of the application control configuration.
Syntax
get firewall iprope appctrl {list | status}
Example output
In this example, the FortiGate unit includes one application control list that blocks the FTP application.
get firewall iprope appctrl list
app-list=app_list_1/2000 other-action=Pass
app-id=15896 list-id=2000 action=Block
get firewall iprope appctrl status
appctrl table 3 list 1 app 1 shaper 0
firewall iprope list
Use this command to list all of the FortiGate unit iprope firewall policies. Optionally include a group number in hexadecimal format to display a single policy. Policies are listed in FortiOS format.
Syntax
get firewall iprope list [<group_number_hex>]
Example output
get firewall iprope list 0010000c
policy flag (8000000): pol_stats
flag2 (20): ep_block
shapers: / per_ip=
imflag:
sockport: 1011 action: redirect index: 0
schedule()
group=0010000c av=00000000 au=00000000 host=0 split=00000000
chk_client_info=0x0 app_list=0 misc=0 grp_info=0 seq=0 hash=0
npu_sensor_id=0
tunnel=
zone(1): 0 -> zone(1): 0
source(0):
dest(0):
source wildcard(0):
destination wildcard(0):
service(1):
[6:0x8:1011/(0,65535)->(80,80)]
nat(0):
mms: 0 0
firewall proute, proute6
Use these commands to list policy routes.
Syntax
For IPv4 policy routes:
get firewall proute
For IPv6 policy routes:
get firewall proute6
Example output
get firewall proute
list route policy info(vf=root):
iff=5 src=1.1.1.0/255.255.255.0 tos=0x00 tos_mask=0x00 dst=0.0.0.0/0.0.0.0 protocol=80 port=1:65535
oif=3 gwy=1.2.3.4
firewall service custom
Use this command to view the list of custom services. If you do not specify a <service_name> the command lists all of the pre-defined services.
Syntax
get firewall service custom
This lists the services.
To view details about all services
config firewall service custom
show full-configuration
To view details about a specific service
This example lists the configuration for the ALL_TCP service:
config firewall service custom
edit ALL_TCP
show full-configuration
Example output
This is a partial output.
get firewall service custom
== [ ALL ]
name: ALL
== [ ALL_TCP ]
name: ALL_TCP
== [ ALL_UDP ]
name: ALL_UDP
== [ ALL_ICMP ]
name: ALL_ICMP
== [ ALL_ICMP6 ]
name: ALL_ICMP6
== [ GRE ]
name: GRE
== [ AH ]
name: AH
== [ ESP ]
name: ESP
== [ AOL ]
name: AOL
== [ BGP ]
name: BGP
== [ DHCP ]
name: DHCP
== [ DNS ]
name: DNS
== [ FINGER ]
name: FINGER
firewall shaper
Use this command to retrieve information about traffic shapers.
Syntax
To get information about per-ip traffic shapers
get firewall shaper per-ip
To get information about shared traffic shapers
get firewall shaper traffic-shaper
grep
In many cases the get and show (and diagnose) commands may produce a large amount of output. If you are looking for specific information in a large get or show command output you can use the grep command to filter the output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.
Information about how to use grep and regular expressions is available from the Internet. For example, see http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.
Syntax
{get | show | diagnose} | grep <regular_expression>
Example output
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the session list line number in the output:
get system session list | grep -n tcp
19:tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469 -
27:tcp 3599 10.31.101.10:2061 - 10.31.101.100:22 -
38:tcp 3594 10.31.101.10:4780 172.20.120.122:49700 172.20.120.100:445 -
43:tcp 3582 10.31.101.10:4398 172.20.120.122:49574 24.200.188.171:48726 -
Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or lower case):
show system replacemsg http | grep -i url
set buffer "<HTML><BODY>The page you requested has been blocked because it contains a banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
config system replacemsg http "url-block"
set buffer "<HTML><BODY>The URL you requested has been blocked. URL = %%URL%%</BODY></HTML>"
config system replacemsg http "urlfilter-err"
.
.
.
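The FortiOS grep filter runs on the unit itself, but the same filtering, and the parsing of what it prints, can be done offline on a captured session list when reviewing who is talking to what. The following Python is an added example, not code from this reference or from Fortinet: it emulates `grep -n` (and `-i`) over a constructed session-list capture in the column order the `grep -n tcp` output above shows (protocol, expiry, source, source NAT, destination, destination NAT), turns the matching rows into records, and then picks out sessions to a given destination port and sessions that carry no source NAT. The sample rows, the `Session` class and the helper names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed session-list capture in the column order shown by the page's
# `get system session list | grep -n tcp` output: proto, expire, source,
# source-NAT, destination, destination-NAT. Made up for this example.
SAMPLE_SESSION_LIST = """\
udp 170 10.31.101.10:50010 - 10.31.101.1:53 -
tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469 -
tcp 3599 10.31.101.10:2061 - 10.31.101.100:22 -
udp 40 10.31.101.10:123 - 10.31.101.1:123 -
tcp 3594 10.31.101.10:4780 172.20.120.122:49700 172.20.120.100:445 -
"""


def grep_n(text: str, pattern: str, ignore_case: bool = False) -> List[str]:
    """Emulate `grep -n` (and `-i`): matching lines prefixed with "<lineno>:"."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [f"{n}:{line}" for n, line in enumerate(text.splitlines(), start=1)
            if rx.search(line)]


@dataclass
class Session:
    line_no: int            # line number taken from the grep -n prefix
    proto: str
    expire: int             # seconds until the session times out
    src: str                # "ip:port"
    src_nat: Optional[str]  # None when FortiOS prints "-" (no translation)
    dst: str
    dst_nat: Optional[str]

    @property
    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1])


# One grep -n row: "<lineno>:<proto> <expire> <src> <snat> <dst> <dnat>"
_ROW = re.compile(
    r"^(?P<n>\d+):(?P<proto>[a-z]+)\s+(?P<expire>\d+)\s+(?P<src>\S+)\s+"
    r"(?P<snat>\S+)\s+(?P<dst>\S+)\s+(?P<dnat>\S+)$"
)


def _nat(field: str) -> Optional[str]:
    return None if field == "-" else field


def parse_grep_n_sessions(lines: List[str]) -> List[Session]:
    """Turn grep -n session rows into Session records; other matches are skipped."""
    out: List[Session] = []
    for line in lines:
        m = _ROW.match(line.strip())
        if m is None:
            continue  # grep matched a non-session line; do not guess at it
        out.append(Session(int(m["n"]), m["proto"], int(m["expire"]), m["src"],
                           _nat(m["snat"]), m["dst"], _nat(m["dnat"])))
    return out


def tcp_sessions(text: str = SAMPLE_SESSION_LIST) -> List[Session]:
    """Offline equivalent of `get system session list | grep -n tcp`, parsed."""
    return parse_grep_n_sessions(grep_n(text, "tcp"))


def sessions_to_port(sessions: List[Session], port: int) -> List[Session]:
    return [s for s in sessions if s.dst_port == port]


def sessions_without_snat(sessions: List[Session]) -> List[Session]:
    """Sessions leaving with their original source address (no source NAT)."""
    return [s for s in sessions if s.src_nat is None]


if __name__ == "__main__":
    sessions = tcp_sessions()
    for s in sessions_to_port(sessions, 445):
        print(f"line {s.line_no}: {s.src} -> {s.dst} via {s.src_nat}")
```

Rows that grep matches but that are not session rows (the pattern `tcp` can also hit other output) are dropped by the row regex rather than half-parsed, which is the behaviour you want before feeding the result to any alerting logic.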
gui console status
Display information about the CLI console.
Syntax
get gui console status
Example
The output looks like this:
Preferences:
 User: admin
 Colour scheme (RGB): text=FFFFFF, background=000000
 Font: style=monospace, size=10pt
 History buffer=50 lines, external input=disabled
gui topology status
Display information about the topology viewer database. The topology viewer is available only if the Topology widget has been added to a customized web-based manager menu layout.
Syntax
get gui topology status
Example output
Preferences:
 Canvas dimensions (pixels): width=780, height=800
 Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
 Background image: type=none, placement: x=0, y=0
 Line style: thickness=2
 Custom background image file: none
Topology element database:
 __FortiGate__: x=260, y=340
 Office: x=22, y=105
 ISPnet: x=222, y=129
 __Text__: x=77, y=112: "Ottawa"
 __Text__: x=276, y=139: "Internet"
hardware cpu
Use this command to display detailed information about all of the CPUs in your FortiGate unit.
Syntax
get hardware cpu
Example output
get hardware npu legacy list
No npu ports are found
620_ha_1 # get hardware cpu
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26
hardware memory
Use this command to display information about FortiGate unit memory use including the total, used, and free memory.
Syntax
get hardware memory
Example output
get hardware memory
total: used: free: shared: buffers: cached: shm:
Mem: 3703943168 348913664 3355029504 0 192512 139943936 137314304
Swap: 0 0 0
MemTotal: 3617132 kB
MemFree: 3276396 kB
MemShared: 0 kB
Buffers: 188 kB
Cached: 136664 kB
SwapCached: 0 kB
Active: 22172 kB
Inactive: 114740 kB
HighTotal: 1703936 kB
HighFree: 1443712 kB
LowTotal: 1913196 kB
LowFree: 1832684 kB
SwapTotal: 0 kB
SwapFree: 0 kB
hardware nic
Use this command to display hardware and status information about each FortiGate interface. The hardware information includes details such as the driver name and version and chip revision. Status information includes transmitted and received packets, and different types of errors.
Syntax
get hardware nic <interface_name>
Variable Description
<interface_name> A FortiGate interface name such as port1, wan1, internal, etc.
Example output
get hardware nic port9
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.
Link down
Speed N/A
Duplex N/A
State up
Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0
Current_HWaddr 00:09:0f:77:09:68
Permanent_HWaddr 00:09:0f:77:09:68
Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 0
Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
hardware npu
Use this command to display information about the network processor unit (NPU) hardware installed in a FortiGate unit. The NPUs can be built-in or on an installed AMC module.
Syntax
get hardware npu legacy {list | session <device_name_str> | setting <device_name_str>}
get hardware npu np1 {list | status}
get hardware npu np2 {list | performance <device_id_int> | status <device_id_int>}
get hardware npu np4 {list | status <device_id_int>}
get hardware npu sp {list | status}
Example output
get hardware npu np1 list
ID Interface
0 port9 port10
get hardware npu np1 status
ISCP1A 10ee:0702
RX SW Done 0 MTP 0x00000000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Total Number of Interfaces: 2
Number of Interface In-Use: 2
Interface[0] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
Interface[1] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
NAT Information:
head = 0x00000001 tail = 00000001
ISCP1A Performance [Top]:
Nr_int : 0x00000000 INTwoInd : 0x00000000 RXwoDone : 0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHY0Int : 0x00000000 PHY1INT : 0x00000000
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT : 0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS : 0x00000000
TOTUP : 0x00000000 RSVD MEMU : 0x00000010
MSG Performance:
QLEN: 0x00001000(QW) HEAD: 0x00000000
Performance:
TOTMSG: 0x00000000 BADMSG: 0x00000000 TOUTMSG: 0x00000000 QUERY: 0x00000000
NULLTK: 0x00000000
NAT Performance: BYPASS (Enable) BLOCK (Disable)
IRQ : 00000001 QFTL : 00000000 DELF : 00000000 FFTL : 00000000
OVTH : 00000001 QRYF : 00000000 INSF : 00000000 INVC : 00000000
ALLO : 00000000 FREE : 00000000 ALLOF : 00000000 BPENTR: 00000000 BKENTR: 00000000
PBPENTR: 00000000 PBKENTR: 00000000 NOOP : 00000000 THROT : 00000000(0x002625a0)
SWITOT : 00000000 SWDTOT : 00000000 ITDB : 00000000 OTDB : 00000000
SPISES : 00000000 FLUSH : 00000000
APS (Disabled) information:
MODE: BOTH UDPTH 255 ICMPTH 255 APSFLAGS: 0x00000000
IPSEC Offload Status: 0x58077dcb
get hardware npu np2 list
ID PORTS
-- -----
0 amc-sw1/1
0 amc-sw1/2
0 amc-sw1/3
0 amc-sw1/4
ID PORTS
-- -----
1 amc-dw2/1
ID PORTS
-- -----
2 amc-dw2/2
get hardware npu np2 status 0
NP2 Status
ISCP2 f7750000 (Neighbor 00000000) 1a29:0703 256MB Base f8aad000 DBG 0x00000000
RX SW Done 0 MTP 0x0
desc_alloc = f7216000
desc_size = 0x2000 count = 0x100
nxt_to_u = 0x0 nxt_to_f = 0x0
Total Interfaces: 4 Total Ports: 4
Number of Interface In-Use: 4
Interface f7750100 netdev 81b1e000 0 Name amc-sw1-1
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750694, 00000000, 00000000, 00000000
Port f7750694 Id 0 Status Down ictr 4
desc = 8128c000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750100
Interface f7750264 netdev 81b2cc00 1 Name amc-sw1-2
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750748, 00000000, 00000000, 00000000
Port f7750748 Id 1 Status Down ictr 0
desc = 81287000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750264
Interface f77503c8 netdev 81b2c800 2 Name amc-sw1-3
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77507fc, 00000000, 00000000, 00000000
Port f77507fc Id 2 Status Down ictr 0
desc = 81286000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f77503c8
Interface f775052c netdev 81b2c400 3 Name amc-sw1-4
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77508b0, 00000000, 00000000, 00000000
Port f77508b0 Id 3 Status Down ictr 0
desc = 81281000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f775052c
NAT Information:
cmdq_qw = 0x2000 cmdq = 82160000
head = 0x1 tail = 0x1
APS (Enabled) information:
Session Install when TMM TSE OOE: Disable
Session Install when TMM TAE OOE: Disable
IPS anomaly check policy: Follow config
MSG Base = 82150000 QL = 0x1000 H = 0x0
hardware status
Report information about the FortiGate unit hardware including FortiASIC version, CPU type, amount of memory, flash drive size, hard disk size (if present), USB flash size (if present), network card chipset, and WiFi chipset (FortiWifi models). This information can be useful for troubleshooting, providing information about your FortiGate unit to Fortinet Support, or confirming the features that your FortiGate model supports.
Syntax
get hardware status
Example output
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)
ips decoder status
Displays all the port settings of all the IPS decoders.
Syntax
get ips decoder status
Example output
# get ips decoder status
decoder-name: "back_orifice"

decoder-name: "dns_decoder"
port_list: 53

decoder-name: "ftp_decoder"
port_list: 21

decoder-name: "http_decoder"

decoder-name: "im_decoder"

decoder-name: "imap_decoder"
port_list: 143
Ports are shown only for decoders with configurable port settings.
ips rule status
Displays current configuration information about IPS rules.
Syntax
get ips rule status
Example output
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All

rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
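Output in this blank-line separated `key: value` layout (`get ips rule status` here, and `get ips decoder status` above in the same form) is easy to audit offline once it has been captured from the console. The following Python is an added example, not code from this reference or from Fortinet: it parses a constructed capture of the two rules shown above into one dictionary per record and lists the rules that are disabled at or above a given severity rank, using the numeric prefix FortiOS puts on `severity` values (`3.high`). The function names are assumptions made for the example.

```python
from typing import Dict, List

# Constructed sample in the layout of `get ips rule status`: blank-line
# separated records of "key: value" lines. Captured text made up for the
# example (it copies the two rules shown on the page), not a live device.
SAMPLE_IPS_RULE_STATUS = """\
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All

rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'key: value' output into one dict per record.

    Works for any FortiOS output in this layout (ips rule status, ips decoder
    status, endpoint-control app-detect ...). The '# get ...' command echo and
    lines without a colon are skipped rather than guessed at.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        # Quoted values ("IP.Land") are stored without their quotes.
        current[key.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def severity_rank(severity: str) -> int:
    """FortiOS prefixes the severity with its rank: '3.high' -> 3."""
    head = severity.split(".", 1)[0]
    return int(head) if head.isdigit() else 0


def disabled_rules_at_or_above(records: List[Dict[str, str]],
                               min_rank: int) -> List[str]:
    """Names of rules with status 'disable' whose severity rank is >= min_rank."""
    return [
        r["rule-name"]
        for r in records
        if r.get("status") == "disable"
        and severity_rank(r.get("severity", "")) >= min_rank
    ]


if __name__ == "__main__":
    rules = parse_records(SAMPLE_IPS_RULE_STATUS)
    for name in disabled_rules_at_or_above(rules, 3):
        print("disabled high-severity rule:", name)
```

The same `parse_records` call on a `get ips decoder status` capture yields records keyed by `decoder-name` and, where present, `port_list`, so one parser covers both outputs.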
ips session
Displays current IPS session status.
Syntax
get ips session
Example output
get ips session
SYSTEM:
memory capacity 279969792
memory used 5861008
recent pps\bps 0\0K
session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\0
ICMP: in-use\active\total 0\0\0
ipsec tunnel
List the current IPSec VPN tunnels and their status.
Syntax
To view details of all IPsec tunnels:
get ipsec tunnel details
To list IPsec tunnels by name:
get ipsec tunnel name
To view a summary of IPsec tunnel information:
get ipsec tunnel summary
ips view-map
Use this command to view the policies examined by IPS. This is mainly used for debugging. If there is no ips view-map, it means IPS is not used or enabled.
Syntax
get ips view-map <id>
Example output
id : 1
id-policy-id : 0
policy-id : 2
vdom-id : 0
which : firewall
Variable Description
id IPS policy ID
id-policy-id Identity-based policy ID (0 means none)
policy-id Policy ID
vdom-id VDOM, identified by ID number
which Type of policy id: firewall, firewall6, sniffer, sniffer6, interface, interface6
mgmt-data status
Use this command to display information additional to that provided by get system status or get hardware status.
Syntax
get mgmt-data status
Sample output
FG100D3G12801361 # get mgmt-data status
Model name: FortiGate-100D
CPU: 4
RAM: 1977 MB
is_ssd_available: 0
is_logdisk_mounted: 1
is_support_log_on_boot_device: 1
is_rev_support_wanopt: 1
netscan settings
Use this command to display tcp and udp ports that are scanned by the current scan mode.
Syntax
get netscan settings
Example output
scan-mode : full
tcp-ports : 1-65535
udp-ports : 1-65535
pbx branch-office
Use this command to list the configured branch offices.
Syntax
get pbx branch-office
Example output
== [ Branch 15 ]
name: Branch 15
== [ Branch 12 ]
name: Branch 12
pbx dialplan
Use this command to list the configured dial plans.
Syntax
get pbx dialplan
Example output
== [ company-default ]
name: company-default
== [ inbound ]
name: inbound
pbx did
Use this command to list the configured direct inward dial (DID) numbers.
Syntax
get pbx did
Example output
== [ Operator ]
name: Operator
== [ Emergency ]
name: Emergency
pbx extension
Use this command to list the configured extensions.
Syntax
get pbx extension
Example output
== [ 6555 ]
extension: 6555
== [ 6777 ]
extension: 6777
== [ 6111 ]
extension: 6111
pbx ftgd-voice-pkg
Use this command to display the current FortiGate Voice service package status.
Syntax
get pbx ftgd-voice-pkg status
Example output
Status: Activated
Total 1 Packages:
Package Type: B, Credit Left: 50.00, Credit Used: 0.00, Expiration Date: 2011-01-01 12:00:00
Total 1 Dids:
12345678901
Total 1 Efaxs:
12345678902
Total 0 Tollfrees:
pbx global
Use this command to display the current global pbx settings.
Syntax
get pbx global
Example output
block-blacklist : enable
country-area : USA
country-code : 1
efax-check-interval : 5
extension-pattern : 6XXX
fax-admin-email : [email protected] : service.fortivoice.com
local-area-code : 408
max-voicemail : 60
outgoing-prefix : 9
ring-timeout : 20
rtp-hold-timeout : 0
rtp-timeout : 60
voicemail-extension : *97
pbx ringgrp
Use this command to display the currently configured ring groups.
Syntax
get pbx ringgrp
Example output
== [ 6001 ]
name: 6001
== [ 6002 ]
name: 6002
pbx sip-trunk
Use this command to display the currently configured SIP trunks.
Syntax
get pbx sip-trunk
Example output
== [ __FtgdVoice_1 ]
name: __FtgdVoice_1
pbx voice-menu
Use this command to display the current voice menu and recorder extension configuration.
Syntax
get pbx voice-menu
Example output
comment : general
password : *
press-0:
type : ring-group
ring-group : 6001
press-1:
type : voicemail
press-2:
type : directory
press-3:
type : none
press-4:
type : none
press-5:
type : none
press-6:
type : none
press-7:
type : none
press-8:
type : none
press-9:
type : none
recorder-exten : *30
router info bfd neighbor
Use this command to list state information about the neighbors in the bi-directional forwarding table.
Syntax
get router info bfd neighbour
router info bgp
Use this command to display information about the BGP configuration.
Syntax
get router info bgp <keyword>
<keyword> Description
cidr-only Show all BGP routes having non-natural network masks.
community Show all BGP routes having their COMMUNITY attribute set.
community-info Show general information about the configured BGP communities, including the routes in each community and their associated network addresses.
community-list Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters} Display information about dampening:
Type dampened-paths to show all paths that have been suppressed due to flapping.
Type flap-statistics to show flap statistics related to BGP routes.
Type parameters to show the current dampening settings.
filter-list Show all routes matching configured AS-path lists.
inconsistent-as Show all routes associated with inconsistent autonomous systems of origin.
memory Show the BGP memory table.
neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes] Show information about connections to TCP and BGP neighbors.
network [<address_ipv4mask>] Show general information about the configured BGP networks, including their network addresses and associated prefixes.
network-longer-prefixes <address_ipv4mask> Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.
paths Show general information about BGP AS paths, including their associated network addresses.
prefix-list <name> Show all routes matching configured prefix list <name>.
quote-regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.
regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).
route-map Show all routes matching configured route maps.
scan Show information about next-hop route scanning, including the scan interval setting.
summary Show information about BGP neighbor status.
Example output
get router info bgp memory
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
----------------------------------- ------------- ---------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
----------------------------------- ------------- ---------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B
router info isis
Use this command to display information about the FortiGate ISIS.
Syntax
get router info isis interface
get router info isis neighbor
get router info isis is-neighbor
get router info isis database
get router info isis route
get router info isis topology
router info kernel
Use this command to display the FortiGate kernel routing table. The kernel routing table displays information about all of the routes in the kernel.
Syntax
get router info kernel [<routing_type_int>]
router info multicast
Use this command to display information about a Protocol Independent Multicasting (PIM) configuration. Multicast routing is supported in the root virtual domain only.
Syntax
get router info multicast <keywords>
igmp
Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:
Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
Type groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP information for the multicast group(s) associated with the specified interface or multicast group address.
Type interface [<interface-name>] to show IGMP information for all multicast groups associated with the specified interface.
pim dense-mode
Show information related to dense mode operation according to one of these qualifiers:
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
Type neighbor-detail to show detailed information about PIM neighbors.
Type next-hop to show information about next-hop PIM routers.
Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
pim sparse-mode
Show information related to sparse mode operation according to one of these qualifiers:
Type bsr-info to show Boot Strap Router (BSR) information.
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
Type neighbor-detail to show detailed information about PIM neighbors.
Type next-hop to show information about next-hop PIM routers.
Type rp-mapping to show Rendezvous Point (RP) information.
Type table [<group-address>] [<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table [<group-address>] [<source-address>] Show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.
table-count [<group-address>] [<source-address>] Show statistics related to the specified multicast group address and/or multicast source address.
router info ospf
Use this command to display information about the FortiGate OSPF configuration and/or the Link-State Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination.
Syntax
get router info ospf <keyword>
<keyword> Description
border-routers Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
database <qualifier>
    Show information from the OSPF routing database according to one of these qualifiers.
    Some qualifiers require a target that can be one of the following values:
        Type adv_router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP address.
        Type self-originate <address_ipv4> to limit the information to LSAs originating from the FortiGate unit.
    adv-router <address_ipv4>
        Type adv-router <address_ipv4> to show OSPF Advertising Router link states for the router at the given IP address.
    asbr-summary <target>
        Type asbr-summary to show information about ASBR summary LSAs.
    brief
        Type brief to show the number and type of LSAs associated with each OSPF area.
    external <target>
        Type external to show information about external LSAs.
    max-age
        Type max-age to show all LSAs in the MaxAge list.
    network <target>
        Type network to show information about network LSAs.
    nssa-external <target>
        Type nssa-external to show information about not-so-stubby external LSAs.
    opaque-area <address_ipv4>
        Type opaque-area <address_ipv4> to show information about opaque Type 10 (area-local) LSAs (see RFC 2370).
    opaque-as <address_ipv4>
        Type opaque-as <address_ipv4> to show information about opaque Type 11 LSAs (see RFC 2370), which are flooded throughout the AS.
    opaque-link <address_ipv4>
        Type opaque-link <address_ipv4> to show information about opaque Type 9 (link-local) LSAs (see RFC 2370).
    router <target>
        Type router to show information about router LSAs.
    self-originate
        Type self-originate to show self-originated LSAs.
    summary <target>
        Type summary to show information about summary LSAs.
interface [<interface_name>]
    Show the status of one or all FortiGate interfaces and whether OSPF is enabled on those interfaces.
neighbor [all | <neighbor_id> | detail | detail all | interface <address_ipv4>]
    Show general information about OSPF neighbors, excluding down-status neighbors:
        Type all to show information about all neighbors, including down-status neighbors.
        Type <neighbor_id> to show detailed information about the specified neighbor only.
        Type detail to show detailed information about all neighbors, excluding down-status neighbors.
        Type detail all to show detailed information about all neighbors, including down-status neighbors.
        Type interface <address_ipv4> to show neighbor information based on the FortiGate interface IP address that was used to establish the neighbor relationship.
route               Show the OSPF routing table.
status              Show general information about the OSPF routing processes.
virtual-links       Show information about OSPF virtual links.
router info protocols
Use this command to show the current states of active routing protocols. Inactive protocols are not displayed.
Syntax
    get router info protocols
Example output
    Routing Protocol is "rip"
      Sending updates every 30 seconds with +/-50%
      Timeout after 180 seconds, garbage collect after 120 seconds
      Outgoing update filter list for all interface is not set
      Incoming update filter list for all interface is not set
      Default redistribution metric is 1
      Redistributing:
      Default version control: send version 2, receive version 2
        Interface  Send  Recv  Key-chain
      Routing for Networks:
      Routing Information Sources:
        Gateway  Distance  Last Update  Bad Packets  Bad Routes
      Distance: (default is 120)
    Routing Protocol is "ospf 0"
      Invalid after 0 seconds, hold down 0, flushed after 0
      Outgoing update filter list for all interfaces is
      Incoming update filter list for all interfaces is
      Redistributing:
      Routing for Networks:
      Routing Information Sources:
        Gateway  Distance  Last Update
      Distance: (default is 110)
        Address  Mask  Distance  List
    Routing Protocol is "bgp 5"
      IGP synchronization is disabled
      Automatic route summarization is disabled
      Default local-preference applied to incoming route is 100
      Redistributing:
      Neighbor(s):
        Address  AddressFamily  FiltIn  FiltOut  DistIn  DistOut  RouteMapIn  RouteMapOut  Weight
        192.168.20.10  unicast
router info rip
Use this command to display information about the RIP configuration.
Syntax
    get router info rip <keyword>
<keyword> Description
database Show the entries in the RIP routing database.
interface [<interface_name>]
    Show the status of the specified FortiGate unit interface <interface_name> and whether RIP is enabled.
    If interface is used alone it lists all the FortiGate unit interfaces and whether RIP is enabled on each.
router info routing-table
Use this command to display the routes in the routing table.
Syntax
    get router info routing-table <keyword>
<keyword> Description
all Show all entries in the routing table.
bgp Show the BGP routes in the routing table.
connected Show the connected routes in the routing table.
database Show the routing information database.
details [<address_ipv4mask>]
    Show detailed information about a route in the routing table, including the next-hop routers, metrics, outgoing interfaces, and protocol-specific information.
ospf Show the OSPF routes in the routing table.
rip Show the RIP routes in the routing table.
static Show the static routes in the routing table.
router info vrrp
Use this command to display information about the VRRP configuration.
Syntax
    get router info vrrp
Example output
    Interface: port1, primary IP address: 9.1.1.2
      VRID: 1
        vrip: 9.1.1.254, priority: 100, state: BACKUP
        adv_interval: 1, preempt: 1, start_time: 3
        vrdst: 0.0.0.0
router info6 bgp
Use this command to display information about the BGP IPv6 configuration.
Syntax
    get router info6 bgp <keyword>
<keyword> Description
community Show all BGP routes having their COMMUNITY attribute set.
community-list Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters}
    Display information about dampening:
        Type dampened-paths to show all paths that have been suppressed due to flapping.
        Type flap-statistics to show flap statistics related to BGP routes.
        Type parameters to show the current dampening settings.
filter-list         Show all routes matching configured AS-path lists.
inconsistent-as     Show all routes associated with inconsistent autonomous systems of origin.
neighbors [<address_ipv6mask>]
    Show information about connections to TCP and BGP neighbors.
network [<address_ipv6mask>]
    Show general information about the configured BGP networks, including their network addresses and associated prefixes.
network-longer-prefixes <address_ipv6mask>
    Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.
paths               Show general information about BGP AS paths, including their associated network addresses.
prefix-list <name>  Show all routes matching configured prefix list <name>.
quote-regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.
regexp <regexp_str>
    Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).
route-map Show all routes matching configured route maps.
summary Show information about BGP neighbor status.
router info6 interface
Use this command to display information about IPv6 interfaces.
Syntax
    get router info6 interface <interface_name>
Example output
The command returns the status of the interface and the assigned IPv6 addresses.
    dmz2 [administratively down/down]
        2001:db8:85a3:8d3:1319:8a2e:370:7348
        fe80::209:fff:fe04:4cfd
router info6 kernel
Use this command to display the FortiGate kernel routing table. The kernel routing table displays information about all of the routes in the kernel.
Syntax
    get router info6 kernel
router info6 ospf
Use this command to display information about the OSPF IPv6 configuration.
Syntax
    get router info6 ospf
router info6 protocols
Use this command to display information about the configuration of all IPv6 dynamic routing protocols.
Syntax
    get router info6 protocols
router info6 rip
Use this command to display information about the RIPng configuration.
Syntax
    get router info6 rip
router info6 routing-table
Use this command to display the routes in the IPv6 routing table.
Syntax
    get router info6 routing-table <item>
where <item> is one of the following:
Variable Description
<ipv6_ip> Destination IPv6 address or prefix.
bgp Show BGP routing table entries.
connected Show connected routing table entries.
database Show routing information base.
ospf Show OSPF routing table entries.
rip Show RIP routing table entries.
static Show static routing table entries.
system admin list
View a list of all the current administration sessions.
Syntax
    get system admin list
Example output
    # get system admin list
    username  local  device                    remote                started
    admin     sshv2  port1:172.20.120.148:22   172.20.120.16:4167    2006-08-09 12:24:20
    admin     https  port1:172.20.120.148:443  172.20.120.161:56365  2006-08-09 12:24:20
    admin     https  port1:172.20.120.148:443  172.20.120.16:4214    2006-08-09 12:25:29
Variable Description
username Name of the admin account for this session
local The protocol this session used to connect to the FortiGate unit.
device      The interface, IP address, and port used by this session to connect to the FortiGate unit.
remote      The IP address and port used by the originating computer to connect to the FortiGate unit.
started The time the current session started.
system admin status
View the status of the currently logged in admin and their session.
Syntax
    get system admin status
Example
The output looks like this:
    # get system admin status
    username: admin
    login local: sshv2
    login device: port1:172.20.120.148:22
    login remote: 172.20.120.16:4167
    login vdom: root
    login started: 2006-08-09 12:24:20
    current time: 2006-08-09 12:32:12
Variable Description
username Name of the admin account currently logged in.
login local The protocol used to start the current session.
login device    The login information from the FortiGate unit including interface, IP address, and port number.
login remote    The computer the user is logging in from including the IP address and port number.
login vdom      The virtual domain the admin is currently logged into.
login started The time the current session started.
current time    The current time of day on the FortiGate unit.
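Both outputs above split cleanly into fields, which makes them usable as input to a management-access check. The following Python is an added example, not part of the Fortinet documentation or of any Fortinet tool: it parses text in the format of get system admin list and get system admin status and reports admin sessions whose remote address lies outside an assumed management network (172.20.120.0/24, chosen to match the sample addresses on this page). The sample outputs are constructed in the page's format; the third session, from 203.0.113.45, is made up so that the check produces a hit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the format of "get system admin list"; the 203.0.113.45
# session is made up to show a session from outside the management range.
ADMIN_LIST_OUTPUT = """\
# get system admin list
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 203.0.113.45:4214 2006-08-09 12:25:29
"""

# Constructed sample in the format of "get system admin status".
ADMIN_STATUS_OUTPUT = """\
# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12
"""


@dataclass(frozen=True)
class AdminSession:
    username: str
    local: str      # protocol used for the session (sshv2, https, ...)
    device: str     # FortiGate side: interface:ip:port
    remote: str     # originating computer: ip:port
    started: str    # session start time as printed by the unit

    @property
    def remote_ip(self):
        # Split the port off from the right so the address part stays intact.
        return ipaddress.ip_address(self.remote.rsplit(":", 1)[0])


def parse_admin_list(text: str) -> list[AdminSession]:
    """Parse the rows of 'get system admin list' into AdminSession records."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        # The prompt line and the column header have five fields; rows have six.
        if len(parts) != 6 or parts[0] == "username":
            continue
        username, local, device, remote, date, time = parts
        sessions.append(AdminSession(username, local, device, remote, f"{date} {time}"))
    return sessions


def parse_admin_status(text: str) -> dict[str, str]:
    """Parse the 'field: value' lines of 'get system admin status' into a dict."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        # Split on the first colon only: values such as port1:172.20.120.148:22
        # contain colons of their own.
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def sessions_outside(sessions, allowed_cidrs):
    """Return sessions whose remote address is not inside any allowed network."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    return [s for s in sessions if not any(s.remote_ip in net for net in nets)]


if __name__ == "__main__":
    mgmt_networks = ["172.20.120.0/24"]   # assumed management network
    for s in sessions_outside(parse_admin_list(ADMIN_LIST_OUTPUT), mgmt_networks):
        print(f"admin session from outside the management range: {s.username} "
              f"via {s.local} from {s.remote} since {s.started}")
    me = parse_admin_status(ADMIN_STATUS_OUTPUT)
    print(f"current session: {me['username']} from {me['login remote']} in vdom {me['login vdom']}")
```

The same parser works on output collected over SSH from a real unit, provided the column layout matches the example shown above; a session that falls outside the expected range is the kind of event worth raising an alert on rather than just printing.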
system arp
View the ARP table entries on the FortiGate unit.
This command is not available in multiple VDOM mode.
Syntax
    get system arp
Example output
    # get system arp
    Address         Age(min)  Hardware Addr      Interface
    172.20.120.16   0         00:0d:87:5c:ab:65  internal
    172.20.120.138  0         00:08:9b:09:bb:01  internal
system auto-update
Use this command to display information about the status of FortiGuard updates on the FortiGate unit.
Syntax
    get system auto-update status
    get system auto-update versions
Example output
    get system auto-update status
    FDN availability: available at Thu Apr 1 08:22:58 2010
    Push update: disable
    Scheduled update: enable
      Update daily: 8:22
    Virus definitions update: enable
    IPS definitions update: enable
    Server override: disable
    Push address override: disable
    Web proxy tunneling: disable
system central-management
View information about the Central Management System configuration.
Syntax
    get system central-management
Example
The output looks like this:
    FG600B3908600705 # get system central-management
    status                  : enable
    type                    : fortimanager
    auto-backup             : disable
    schedule-config-restore : enable
    schedule-script-restore : enable
    allow-push-configuration: enable
    allow-pushd-firmware    : enable
    allow-remote-firmware-upgrade: enable
    allow-monitor           : enable
    fmg                     : 172.20.120.161
    vdom                    : root
    authorized-manager-only : enable
    serial-number           : "FMG-3K2404400063"
system checksum
View the checksums for global, root, and all configurations. These checksums are used by HA to compare the configurations of each cluster unit.
Syntax
    get system checksum status
Example output
    # get system checksum status
    global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
    root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
    all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
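The comparison HA performs with these values can also be done by hand when a cluster reports a member out of sync. The following Python is an added example, not Fortinet code: it parses get system checksum status output collected from several cluster members and reports, per member, which scope (global, a VDOM such as root, or all) differs from the primary. The primary's values are those printed above; the second member's root and all lines and the unit names FGT-A and FGT-B are constructed for the example.

```python
import re

# Constructed sample outputs in the format of "get system checksum status".
# PRIMARY_OUTPUT copies the values shown on this page; SECONDARY_OUTPUT has
# hand-altered root and all lines to simulate an out-of-sync member.
PRIMARY_OUTPUT = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
"""

SECONDARY_OUTPUT = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
all: 0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
"""

# One checksum line: a scope name, a colon, then space-separated hex bytes.
# The prompt line starts with '#' and therefore never matches.
CHECKSUM_RE = re.compile(r"^\s*([\w-]+):\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_checksums(text: str) -> dict[str, bytes]:
    """Map each scope (global, each VDOM name, all) to its checksum bytes."""
    result = {}
    for line in text.splitlines():
        m = CHECKSUM_RE.match(line)
        if m:
            result[m.group(1)] = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    return result


def differing_scopes(a: dict[str, bytes], b: dict[str, bytes]) -> list[str]:
    """Scopes whose checksum differs between two units, or exists on only one."""
    return sorted(scope for scope in a.keys() | b.keys() if a.get(scope) != b.get(scope))


def out_of_sync_members(primary_text: str, members: dict[str, str]) -> dict[str, list[str]]:
    """Compare every member's output against the primary; list only mismatches."""
    primary = parse_checksums(primary_text)
    report = {}
    for name, text in members.items():
        diff = differing_scopes(primary, parse_checksums(text))
        if diff:
            report[name] = diff
    return report


if __name__ == "__main__":
    # Unit names are constructed placeholders, not values from the page.
    members = {"FGT-A": PRIMARY_OUTPUT, "FGT-B": SECONDARY_OUTPUT}
    for unit, scopes in out_of_sync_members(PRIMARY_OUTPUT, members).items():
        print(f"{unit}: configuration differs in {', '.join(scopes)}")
```

Reporting the scope rather than a bare mismatch flag tells you where to look: a difference confined to one VDOM points at that VDOM's configuration, while a global difference points at settings shared by the whole unit.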
system cmdb status
View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.
Syntax
    get system cmdb status
Example output
    # get system cmdb status
    version: 1
    owner id: 18
    update index: 6070
    config checksum: 12879299049430971535
    last request pid: 68
    last request type: 29
    last request: 78
Variable Description
version Version of the cmdb software.
owner id Process ID of the cmdbsvr daemon.
update index    The update index shows how many changes have been made in cmdb.
config checksum The config file version used by FortiManager.
last request pid The last process to access the cmdb.
last request type Type of the last attempted access of cmdb.
last request The number of the last attempted access of cmdb.
system fortianalyzer-connectivity
Display connection and remote disk usage information about a connected FortiAnalyzer unit.
Syntax
    get system fortianalyzer-connectivity status
Example output
    # get system fortianalyzer-connectivity status
    Status: connected
    Disk Usage: 0%
system fortiguard-log-service status
Command returns information about the status of the FortiGuard Log & Analysis Service including license and disk information.
Syntax
    get system fortiguard-log-service status
Example output
    # get system fortiguard-log-service status
    FortiGuard Log & Analysis Service
    Expire on: 20071231
    Total disk quota: 1111 MB
    Max daily volume: 111 MB
    Current disk quota usage: n/a
system fortiguard-service status
COMMAND REPLACED. Command returns information about the status of the FortiGuard service including the name, version, last update, method used for the last update and when the update expires. This information is shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.
Syntax
    get system fortiguard-service status
Example output
    NAME                VERSION  LAST UPDATE          METHOD  EXPIRE
    AV Engine           2.002    2006-01-26 19:45:00  manual  2006-06-12 08:00:00
    Virus Definitions   6.513    2006-06-02 22:01:00  manual  2006-06-12 08:00:00
    Attack Definitions  2.299    2006-06-09 19:19:00  manual  2006-06-12 08:00:00
    IPS Attack Engine   1.015    2006-05-09 23:29:00  manual  2006-06-12 08:00:00
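Stale or expired signatures are a common finding in audits, and this table is the place to check for them. The following Python is an added example and is not part of the Fortinet documentation: it parses rows in the format shown above (the NAME column contains spaces, so rows are matched on the version number and the two timestamps instead of being split on whitespace) and lists components whose EXPIRE time has passed, or whose LAST UPDATE is older than a chosen number of days, relative to a clock time you supply. The rows are the ones printed above; the evaluation times and the seven-day threshold are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rows copied from the "get system fortiguard-service status" example on this page.
STATUS_OUTPUT = """\
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine 2.002 2006-01-26 19:45:00 manual 2006-06-12 08:00:00
Virus Definitions 6.513 2006-06-02 22:01:00 manual 2006-06-12 08:00:00
Attack Definitions 2.299 2006-06-09 19:19:00 manual 2006-06-12 08:00:00
IPS Attack Engine 1.015 2006-05-09 23:29:00 manual 2006-06-12 08:00:00
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# NAME may contain spaces, so the row is anchored on VERSION (a decimal number)
# and on the two timestamps rather than split on whitespace. The header line
# has no version number and so never matches.
ROW_RE = re.compile(
    rf"^(?P<name>.+?)\s+(?P<version>\d+\.\d+)\s+(?P<updated>{TS})\s+"
    rf"(?P<method>\S+)\s+(?P<expire>{TS})\s*$"
)
FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class ServiceStatus:
    name: str
    version: str
    last_update: datetime
    method: str
    expire: datetime


def at(timestamp: str) -> datetime:
    """Parse a timestamp in the unit's own format (used for the 'now' argument)."""
    return datetime.strptime(timestamp, FMT)


def parse_service_status(text: str) -> list[ServiceStatus]:
    """Parse the status table into one ServiceStatus per component."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(ServiceStatus(m["name"], m["version"], at(m["updated"]),
                                  m["method"], at(m["expire"])))
    return rows


def expired(rows: list[ServiceStatus], now: datetime) -> list[str]:
    """Names of components whose EXPIRE time is at or before 'now'."""
    return sorted(r.name for r in rows if r.expire <= now)


def stale(rows: list[ServiceStatus], now: datetime, max_age_days: int) -> list[str]:
    """Names of components not updated within max_age_days before 'now'."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(r.name for r in rows if r.last_update < cutoff)


if __name__ == "__main__":
    rows = parse_service_status(STATUS_OUTPUT)
    now = at("2006-06-10 12:00:00")   # assumed clock time for the example
    print("expired:", expired(rows, now))
    print("older than 7 days:", stale(rows, now, 7))
```

In practice the clock time comes from the unit itself (get system status reports it), so that a unit with a wrong clock does not hide an expired subscription; the staleness threshold depends on how often each component is expected to update.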
system ha-nonsync-csum
FortiManager uses this command to obtain a system checksum.
Syntax
    get system ha-nonsync-csum
system ha status
Use this command to display information about an HA cluster. The command displays general HA configuration settings. The command also displays information about how the cluster unit that you have logged into is operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status command displays information about the primary unit first, and also displays the HA state of the primary unit (the primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate unit), the get system ha status command displays information about this subordinate unit first, and also displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster and standby for an active-passive cluster.
For a virtual cluster configuration, the get system ha status command displays information about how the cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2, the output of the get system ha status command shows virtual cluster 1 in the work state and virtual cluster 2 in the standby state. The get system ha status command also displays additional information about virtual cluster 1 and virtual cluster 2.
Syntax
    get system ha status
The command display includes the following fields. For more information see the examples that follow.
Variable Description
Model The FortiGate model number.
Mode The HA mode of the cluster: a-a or a-p.
Group The group ID of the cluster.
Debug The debug status of the cluster.
ses_pickup The status of session pickup: enable or disable.
load_balance
    The status of the load-balance-all field: enable or disable. Displayed for active-active clusters only.
schedule
    The active-active load balancing schedule. Displayed for active-active clusters only.
Master
Slave
    Master displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit.
    Slave displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or backup) unit or units.
    The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.
    If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.
number of vcluster
    The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled the cluster has two virtual clusters.
vcluster 1
    The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster 1 displays information for the cluster. If virtual domains are enabled, vcluster 1 displays information for virtual cluster 1.
    The HA heartbeat IP address is 10.0.0.1 if you are logged into the primary unit of virtual cluster 1 and 10.0.0.2 if you are logged into a subordinate unit of virtual cluster 1.
    vcluster 1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list.
    If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.
    If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you have logged into.
    If virtual domains are enabled and you connect to the virtual cluster 1 primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the virtual cluster 1 primary unit.
    If virtual domains are enabled and you connect to the virtual cluster 1 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
    In a cluster consisting of two cluster units operating without virtual domains enabled, all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.
vcluster 2
    vcluster 2 only appears if virtual domains are enabled. vcluster 2 displays the HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if you are logged into a subordinate unit of virtual cluster 2.
    vcluster 2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged into is at the top of the list.
    If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster unit in virtual cluster 2 is work. The display lists the cluster units starting with the virtual cluster 2 primary unit.
    If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 2 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.
system info admin status
Use this command to display administrators that are logged into the FortiGate unit.
Syntax
    get system info admin status
Example
This shows sample output.
    Index  User name  Login type  From
    0      admin      CLI         ssh(172.20.120.16)
    1      admin      WEB         172.20.120.16
Variable Description
Index The order the administrators logged in.
User name The name of the user account logged in.
Login type Which interface was used to log in.
From The IP address this user logged in from.
Related topics
"system info admin ssh" on page 106
system info admin ssh
Use this command to display information about the SSH configuration on the FortiGate unit such as:
the SSH port number
the interfaces with SSH enabled
the hostkey DSA fingerprint
the hostkey RSA fingerprint
Syntax
    get system info admin ssh
Example output
    # get system info admin ssh
    SSH v2 is enabled on port 22
    SSH is enabled on the following 1 interfaces:
      internal
    SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
    SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
system interface physical
Use this command to list information about the unit’s physical network interfaces.
Syntax
    get system interface physical
The output looks like this:
    # get system interface physical
    == [onboard]
    ==[dmz1]
        mode: static
        ip: 0.0.0.0 0.0.0.0
        status: down
        speed: n/a
    ==[dmz2]
        mode: static
        ip: 0.0.0.0 0.0.0.0
        status: down
        speed: n/a
    ==[internal]
        mode: static
        ip: 172.20.120.146 255.255.255.0
        status: up
        speed: 100
    ==[wan1]
        mode: pppoe
        ip: 0.0.0.0 0.0.0.0
        status: down
        speed: n/a
    ==[wan2]
        mode: static
        ip: 0.0.0.0 0.0.0.0
        status: down
        speed: n/a
    ==[modem]
        mode: static
        ip: 0.0.0.0 0.0.0.0
        status: down
        speed: n/a
system mgmt-csum
FortiManager uses this command to obtain checksum information from FortiGate units.
Syntax
    get system mgmt-csum {global | vdom | all}
where
global retrieves global object checksums
vdom retrieves VDOM object checksums
all retrieves all object checksums.
system performance firewall
Use this command to display packet distribution and traffic statistics information for the FortiGate firewall.
Syntax
    get system performance firewall packet-distribution
    get system performance firewall statistics
Variable             Description
packet-distribution
    Display a list of packet size ranges and the number of packets of each size accepted by the firewall since the system restarted. You can use this information to learn about the packet size distribution on your network.
    Note: these counts do not include packets offloaded to the NPU.
statistics
    Display a list of traffic types (browsing, email, DNS etc.) and the number of packets and number of payload bytes accepted by the firewall for each type since the FortiGate unit was restarted.
Example output
    get system performance firewall packet-distribution
    getting packet distribution statistics...
    0 bytes - 63 bytes: 655283 packets
    64 bytes - 127 bytes: 1678278 packets
    128 bytes - 255 bytes: 58823 packets
    256 bytes - 383 bytes: 70432 packets
    384 bytes - 511 bytes: 1610 packets
    512 bytes - 767 bytes: 3238 packets
    768 bytes - 1023 bytes: 7293 packets
    1024 bytes - 1279 bytes: 18865 packets
    1280 bytes - 1500 bytes: 58193 packets
    > 1500 bytes: 0 packets

    get system performance firewall statistics
    getting traffic statistics...
    Browsing: 623738 packets, 484357448 bytes
    DNS: 5129187383836672 packets, 182703613804544 bytes
    E-Mail: 23053606 packets, 2 bytes
    FTP: 0 packets, 0 bytes
    Gaming: 0 packets, 0 bytes
    IM: 0 packets, 0 bytes
    Newsgroups: 0 packets, 0 bytes
    P2P: 0 packets, 0 bytes
    Streaming: 0 packets, 0 bytes
    TFTP: 654722117362778112 packets, 674223966126080 bytes
    VoIP: 16834455 packets, 10 bytes
    Generic TCP: 266287972352 packets, 8521215115264 bytes
    Generic UDP: 0 packets, 0 bytes
    Generic ICMP: 0 packets, 0 bytes
    Generic IP: 0 packets, 0 bytes
system performance status
Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, virus, IPS attacks,and system up time.
Syntax
    get system performance status
Variable                Description
CPU states
    The percentages of CPU cycles used by user, system, nice and idle categories of processes. These categories are:
        user - CPU usage of normal user-space processes
        system - CPU usage of the kernel
        nice - CPU usage of user-space processes having other-than-normal running priority
        idle - Idle CPU cycles
    Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.
Memory states
    The percentage of memory used.
Average network usage
    The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.
Average sessions
    The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.
Virus caught
    The number of viruses the FortiGate unit has caught in the last 1 minute.
IPS attacks blocked
    The number of IPS attacks that have been blocked in the last 1 minute.
Uptime
    How long since the FortiGate unit was restarted.
Example output
    # get system performance status
    CPU states: 0% user 0% system 0% nice 100% idle
    Memory states: 18% used
    Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
    Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30 minutes
    Virus caught: 0 total in 1 minute
    IPS attacks blocked: 0 total in 1 minute
    Uptime: 9 days, 22 hours, 0 minutes
system performance top
Use this command to display the list of processes running on the FortiGate unit (similar to the Linux top command).
You can use the following commands when get system performance top is running:
• Press Q or Ctrl+C to quit.
• Press P to sort the processes by the amount of CPU that the processes are using.
• Press M to sort the processes by the amount of memory that the processes are using.
Syntax
    get system performance top [<delay_int> [<max_lines_int>]]
Variable           Description
<delay_int>        The delay, in seconds, between updates of the process list. The default is 5 seconds.
<max_lines_int>    The maximum number of processes displayed in the output. The default is 20 lines.
system session list
Command returns a list of all the sessions active on the FortiGate unit, or on the current virtual domain if virtual domain mode is enabled.
Syntax
    get system session list
Example output
    PROTO  EXPIRE  SOURCE              SOURCE-NAT  DESTINATION         DESTINATION-NAT
    tcp    0       127.0.0.1:1083      -           127.0.0.1:514       -
    tcp    0       127.0.0.1:1085      -           127.0.0.1:514       -
    tcp    10      127.0.0.1:1087      -           127.0.0.1:514       -
    tcp    20      127.0.0.1:1089      -           127.0.0.1:514       -
    tcp    30      127.0.0.1:1091      -           127.0.0.1:514       -
    tcp    40      127.0.0.1:1093      -           127.0.0.1:514       -
    tcp    60      127.0.0.1:1097      -           127.0.0.1:514       -
    tcp    70      127.0.0.1:1099      -           127.0.0.1:514       -
    tcp    80      127.0.0.1:1101      -           127.0.0.1:514       -
    tcp    90      127.0.0.1:1103      -           127.0.0.1:514       -
    tcp    100     127.0.0.1:1105      -           127.0.0.1:514       -
    tcp    110     127.0.0.1:1107      -           127.0.0.1:514       -
    tcp    103     172.20.120.16:3548  -           172.20.120.133:22   -
    tcp    3600    172.20.120.16:3550  -           172.20.120.133:22   -
    udp    175     127.0.0.1:1026      -           127.0.0.1:53        -
    tcp    5       127.0.0.1:1084      -           127.0.0.1:514       -
    tcp    5       127.0.0.1:1086      -           127.0.0.1:514       -
    tcp    15      127.0.0.1:1088      -           127.0.0.1:514       -
    tcp    25      127.0.0.1:1090      -           127.0.0.1:514       -
    tcp    45      127.0.0.1:1094      -           127.0.0.1:514       -
    tcp    59      127.0.0.1:1098      -           127.0.0.1:514       -
    tcp    69      127.0.0.1:1100      -           127.0.0.1:514       -
    tcp    79      127.0.0.1:1102      -           127.0.0.1:514       -
    tcp    99      127.0.0.1:1106      -           127.0.0.1:514       -
    tcp    109     127.0.0.1:1108      -           127.0.0.1:514       -
    tcp    119     127.0.0.1:1110      -           127.0.0.1:514       -
PROTO The transfer protocol of the session.
EXPIRE How long before this session will terminate.
SOURCE The source IP address and port number.
SOURCE-NAT The source of the NAT. ‘-’ indicates there is no NAT.
DESTINATION The destination IP address and port number.
DESTINATION-NAT The destination of the NAT. ‘-’ indicates there is no NAT.
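The session list is the quickest view of what is actually passing through a unit, and the column table above is enough to parse it. The following Python is an added example, not part of the Fortinet documentation: it turns rows in the format of get system session list into records (a '-' in either NAT column becomes None, as the table describes), counts sessions per protocol and destination port, separates the unit's own loopback sessions (127.0.0.1 to the local syslog and DNS ports in the sample) from sessions that cross an interface, and picks out any session that is NATed. The sample rows are the ones printed above; the loopback classification is the example's own assumption about what those rows represent.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Rows copied from the "get system session list" example on this page.
SESSION_LIST_OUTPUT = """\
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 127.0.0.1:1083 - 127.0.0.1:514 -
tcp 0 127.0.0.1:1085 - 127.0.0.1:514 -
tcp 10 127.0.0.1:1087 - 127.0.0.1:514 -
tcp 20 127.0.0.1:1089 - 127.0.0.1:514 -
tcp 30 127.0.0.1:1091 - 127.0.0.1:514 -
tcp 40 127.0.0.1:1093 - 127.0.0.1:514 -
tcp 60 127.0.0.1:1097 - 127.0.0.1:514 -
tcp 70 127.0.0.1:1099 - 127.0.0.1:514 -
tcp 80 127.0.0.1:1101 - 127.0.0.1:514 -
tcp 90 127.0.0.1:1103 - 127.0.0.1:514 -
tcp 100 127.0.0.1:1105 - 127.0.0.1:514 -
tcp 110 127.0.0.1:1107 - 127.0.0.1:514 -
tcp 103 172.20.120.16:3548 - 172.20.120.133:22 -
tcp 3600 172.20.120.16:3550 - 172.20.120.133:22 -
udp 175 127.0.0.1:1026 - 127.0.0.1:53 -
tcp 5 127.0.0.1:1084 - 127.0.0.1:514 -
tcp 5 127.0.0.1:1086 - 127.0.0.1:514 -
tcp 15 127.0.0.1:1088 - 127.0.0.1:514 -
tcp 25 127.0.0.1:1090 - 127.0.0.1:514 -
tcp 45 127.0.0.1:1094 - 127.0.0.1:514 -
tcp 59 127.0.0.1:1098 - 127.0.0.1:514 -
tcp 69 127.0.0.1:1100 - 127.0.0.1:514 -
tcp 79 127.0.0.1:1102 - 127.0.0.1:514 -
tcp 99 127.0.0.1:1106 - 127.0.0.1:514 -
tcp 109 127.0.0.1:1108 - 127.0.0.1:514 -
tcp 119 127.0.0.1:1110 - 127.0.0.1:514 -
"""


@dataclass(frozen=True)
class Session:
    proto: str
    expire: int                   # seconds until the session is removed
    source: str                   # ip:port
    source_nat: Optional[str]     # None when the column shows '-'
    destination: str              # ip:port
    destination_nat: Optional[str]

    @property
    def dst_port(self) -> int:
        return int(self.destination.rsplit(":", 1)[1])

    @property
    def is_loopback(self) -> bool:
        """Both ends on 127.0.0.0/8: the unit talking to its own daemons."""
        return self.source.startswith("127.") and self.destination.startswith("127.")


def _nat(field: str) -> Optional[str]:
    # The table above documents '-' as "no NAT".
    return None if field == "-" else field


def parse_session_list(text: str) -> list[Session]:
    """Parse the rows of 'get system session list' into Session records."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "PROTO":
            continue  # column header, prompt or blank line
        proto, expire, src, snat, dst, dnat = parts
        sessions.append(Session(proto, int(expire), src, _nat(snat), dst, _nat(dnat)))
    return sessions


def sessions_by_service(sessions: list[Session]) -> Counter:
    """Count sessions per (protocol, destination port)."""
    return Counter((s.proto, s.dst_port) for s in sessions)


def external_sessions(sessions: list[Session]) -> list[Session]:
    """Sessions that cross an interface rather than staying on loopback."""
    return [s for s in sessions if not s.is_loopback]


def natted_sessions(sessions: list[Session]) -> list[Session]:
    """Sessions with source or destination NAT applied."""
    return [s for s in sessions if s.source_nat is not None or s.destination_nat is not None]


if __name__ == "__main__":
    sessions = parse_session_list(SESSION_LIST_OUTPUT)
    for (proto, port), n in sorted(sessions_by_service(sessions).items()):
        print(f"{proto}/{port}: {n} session(s)")
    for s in external_sessions(sessions):
        print(f"external: {s.proto} {s.source} -> {s.destination}, expires in {s.expire}s")
```

On a busy unit the per-service counts are the useful summary; the external list is what you compare against the policies you expect to see in use.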
system session status
Use this command to display the number of active sessions on the FortiGate unit, or, if virtual domain mode is enabled, the number of active sessions on the current VDOM. In both situations the output refers to 'the current VDOM'.
Syntax
    get system session status
Example output
    The total number of sessions for the current VDOM: 3100
system session-helper-info list
Use this command to list the FortiGate session helpers and the protocol and port number configured for each one.
Syntax
    get system session-helper-info list
Example output
    list builtin help module:
    mgcp
    dcerpc
    rsh
    pmap
    dns-tcp
    dns-udp
    rtsp
    pptp
    sip
    mms
    tns
    h245
    h323
    ras
    tftp
    ftp
    list session help:
    help=pmap, protocol=17 port=111
    help=rtsp, protocol=6 port=8554
    help=rtsp, protocol=6 port=554
    help=pptp, protocol=6 port=1723
    help=rtsp, protocol=6 port=7070
    help=sip, protocol=17 port=5060
    help=pmap, protocol=6 port=111
    help=rsh, protocol=6 port=512
    help=dns-udp, protocol=17 port=53
    help=tftp, protocol=17 port=69
    help=tns, protocol=6 port=1521
    help=mgcp, protocol=17 port=2727
    help=dcerpc, protocol=17 port=135
    help=rsh, protocol=6 port=514
    help=ras, protocol=17 port=1719
    help=ftp, protocol=6 port=21
    help=mgcp, protocol=17 port=2427
    help=dcerpc, protocol=6 port=135
    help=mms, protocol=6 port=1863
    help=h323, protocol=6 port=1720
system session-info
Use this command to display session information.
Syntax
    get system session-info expectation
    get system session-info full-stat
    get system session-info list
    get system session-info statistics
    get system session-info ttl
Variable        Description
expectation     Display expectation sessions.
full-stat
    Display detailed information about the FortiGate session table including a session table and expect session table summary, firewall error statistics, and other information.
list
    Display detailed information about all current FortiGate sessions. For each session the command displays the protocol number, traffic shaping information, policy information, state information, statistics and other information.
CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.
981
get system source-ip
Variable Description
statisticsDisplay the same information as the full-stat commandexcept for the session table and expect session table summary.
ttlDisplay the current setting of the config system session-ttl command including the overall session timeout as well asthe timeouts for specific protocols.
Example output
get system session-info statistics
misc info: session_count=15 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/32752
removeable=14
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=227 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
system source-ip
Use this command to list defined source-IPs.
Syntax
get system source-ip
Example output
# get sys source-ip status
The following services force their communication to use a specific source IP address:
service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101
system startup-error-log
Use this command to display information about system startup errors. This command only displays information if an error occurs when the FortiGate unit starts up.
Syntax
get system startup-error-log
system status
Use this command to display system status information including:
FortiGate firmware version, build number and branch point
virus and attack definitions version
FortiGate unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs and VDOM status
current HA status
system time
the revision of the WiFi chip in a FortiWiFi unit
Syntax
get system status
Example output
Version: Fortigate-620B v4.0,build0271,100330 (MR2)
Virus-DB: 11.00643(2010-03-31 17:49)
Extended DB: 11.00643(2010-03-31 17:50)
Extreme DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00778(2010-03-31 12:55)
FortiClient application signature package: 1.167(2010-04-01 10:11)
Serial-Number: FG600B3908600705
BIOS version: 04000006
Log hard disk: Available
Hostname: 620_ha_1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 271
Release Version Information: MR2
System time: Thu Apr 1 15:27:29 2010
test
Use this command to display information about FortiGate applications and perform operations on FortiGate applications. You can specify an application name and a test level. Enter ? to display the list of applications. The test level performs various functions depending on the application but can include displaying memory usage, dropping connections and restarting the application.
The test levels are different for different applications. In some cases, when you enter the command and include an application name but no test level (or an invalid test level), the command output includes a list of valid test levels.
Syntax
get test <application_name_str> <test_level_int>
Example output
get test http
Proxy Worker 0 - http
[0:H] HTTP Proxy Test Usage
[0:H]
[0:H] 2: Drop all connections
[0:H] 22: Drop max idle connections
[0:H] 222: Drop all idle connections
[0:H] 4: Display connection stat
[0:H] 44: Display info per connection
[0:H] 444: Display connections per state
[0:H] 4444: Display per-VDOM statistics
[0:H] 44444: Display information about idle connections
[0:H] 55: Display tcp info per connection

get test http 4
HTTP Common
Current Connections 0/8032

HTTP Stat
Bytes sent 0 (kb)
Bytes received 0 (kb)
Error Count (alloc) 0
Error Count (accept) 0
Error Count (bind) 0
Error Count (connect) 0
Error Count (socket) 0
Error Count (read) 0
Error Count (write) 0
Error Count (retry) 0
Error Count (poll) 0
Error Count (scan reset) 0
Error Count (urlfilter wait) 0
Last Error 0
Web responses clean 0
Web responses scan errors 0
Web responses detected 0
Web responses infected with worms 0
Web responses infected with viruses 0
Web responses infected with susp 0
Web responses file blocked 0
Web responses file exempt 0
Web responses bannedword detected 0
Web requests oversize pass 0
Web requests oversize block 0
URL requests exempt 0
URL requests blocked 0
URL requests passed 0
URL requests submit error 0
URL requests rating error 0
URL requests rating block 0
URL requests rating allow 0
URL requests infected with worms 0
Web requests detected 0
Web requests file blocked 0
Web requests file exempt 0
POST requests clean 0
POST requests scan errors 0
POST requests infected with viruses 0
POST requests infected with susp 0
POST requests file blocked 0
POST requests bannedword detected 0
POST requests oversize pass 0
POST requests oversize block 0
Web request backlog drop 0
Web response backlog drop 0

HTTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0
urlfilter=0/0/0 uf_lookupf=0
scan=0 clt=0 srv=0
user adgrp
Use this command to list Directory Service user groups.
Syntax
get user adgrp [<dsgroupname>]
If you do not specify a group name, the command returns information for all Directory Service groups. For example:
== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1
If you specify a Directory Service group name, the command returns information for only that group. For example:
name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Directory Service server when you configured it in the user fsae command.
vpn ike gateway
Use this command to display information about FortiGate IPsec VPN IKE gateways.
Syntax
get vpn ike gateway [<gateway_name_str>]
vpn ipsec tunnel details
Use this command to display information about IPsec tunnels.
Syntax
get vpn ipsec tunnel details
vpn ipsec tunnel name
Use this command to display information about a specified IPsec VPN tunnel.
Syntax
get vpn ipsec tunnel name <tunnel_name_str>
vpn ipsec stats crypto
Use this command to display information about the FortiGate hardware and software crypto configuration.
Syntax
get vpn ipsec stats crypto
Example output
get vpn ipsec stats crypto

IPsec crypto devices in use:

CP6 (encrypted/decrypted): null: 0 0 des: 0 0 3des: 0 0 aes: 0 0
CP6 (generated/validated): null: 0 0 md5: 0 0 sha1: 0 0 sha256: 0 0

SOFTWARE (encrypted/decrypted): null: 0 0 des: 0 0 3des: 0 0 aes: 0 0
SOFTWARE (generated/validated): null: 0 0 md5: 0 0 sha1: 0 0 sha256: 0 0
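The per-algorithm counters above show which ciphers and hashes are actually carrying IPsec traffic, on the CP6 and in software, which is the quickest way to confirm that a phase 2 proposal still allows a legacy algorithm. The parser and check below are an added example, not part of the reference; the sample output and its non-zero counters are constructed, and the set of algorithms flagged as legacy is this example's own choice.

```python
import re

# Constructed sample in the layout of `get vpn ipsec stats crypto` shown above;
# the counters are made up so that the legacy-algorithm check has something to report.
SAMPLE_OUTPUT = """\
IPsec crypto devices in use:

CP6 (encrypted/decrypted): null: 0 0 des: 0 0 3des: 120 118 aes: 9000 8950
CP6 (generated/validated): null: 0 0 md5: 0 0 sha1: 120 118 sha256: 9000 8950

SOFTWARE (encrypted/decrypted): null: 0 0 des: 3 3 3des: 0 0 aes: 0 0
SOFTWARE (generated/validated): null: 0 0 md5: 3 3 sha1: 0 0 sha256: 0 0
"""

# "<device> (<op-a>/<op-b>): <algo>: <count-a> <count-b> ..."
_HEADER_RE = re.compile(r"^(?P<device>\S+)\s+\((?P<ops>[^)]+)\):\s*(?P<rest>.*)$")
_PAIR_RE = re.compile(r"(?P<algo>[a-z0-9]+):\s+(?P<a>\d+)\s+(?P<b>\d+)")


def parse_crypto_stats(text):
    """Return {(device, ops): {algo: (count_a, count_b)}}.

    ops is the bracketed pair, e.g. 'encrypted/decrypted', and count_a/count_b
    follow that order. Title and blank lines do not match the header layout
    and are skipped.
    """
    stats = {}
    for line in text.splitlines():
        m = _HEADER_RE.match(line.strip())
        if m is None:
            continue
        algos = {p.group("algo"): (int(p.group("a")), int(p.group("b")))
                 for p in _PAIR_RE.finditer(m.group("rest"))}
        stats[(m.group("device"), m.group("ops"))] = algos
    return stats


# Algorithms this example treats as legacy for a current IPsec deployment
# (null gives no confidentiality or integrity at all; the rest are deprecated).
LEGACY = {"null", "des", "3des", "md5", "sha1"}


def legacy_algorithms_in_use(stats):
    """List (device, ops, algo, total) for each legacy algorithm with a non-zero counter."""
    found = []
    for (device, ops), algos in sorted(stats.items()):
        for algo, (a, b) in algos.items():
            if algo in LEGACY and a + b > 0:
                found.append((device, ops, algo, a + b))
    return found


if __name__ == "__main__":
    for row in legacy_algorithms_in_use(parse_crypto_stats(SAMPLE_OUTPUT)):
        print("%s %s: %s handled %d packets" % row)
```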
vpn ipsec stats tunnel
Use this command to view information about IPsec tunnels.
Syntax
get vpn ipsec stats tunnel
Example output
#get vpn ipsec stats tunnel
tunnels
total: 0
static/ddns: 0
dynamic: 0
manual: 0
errors: 0
selectors
total: 0
up: 0
vpn ssl monitor
Use this command to display information about logged in SSL VPN users and current SSL VPN sessions.
Syntax
get vpn ssl monitor
Example output
vpn status l2tp
Use this command to display information about L2TP tunnels.
Syntax
get vpn status l2tp
vpn status pptp
Use this command to display information about PPTP tunnels.
Syntax
get vpn status pptp
vpn status ssl
Use this command to display SSL VPN tunnels and to verify that the FortiGate unit includes the CP6 or greater FortiASIC device that supports SSL acceleration.
Syntax
get vpn status ssl hw-acceleration-status
get vpn status ssl list

Variable Description
hw-acceleration-status Display whether or not the FortiGate unit contains a FortiASIC device that supports SSL acceleration.
list Display information about all configured SSL VPN tunnels.
webfilter ftgd-statistics
Use this command to display FortiGuard Web Filtering rating cache and daemon statistics.
Syntax
get webfilter ftgd-statistics
Example output
get webfilter ftgd-statistics

Rating Statistics:
=====================
DNS failures : 0
DNS lookups : 0
Data send failures : 0
Data read failures : 0
Wrong package type : 0
Hash table miss : 0
Unknown server : 0
Incorrect CRC : 0
Proxy request failures : 0
Request timeout : 0
Total requests : 0
Requests to FortiGuard servers : 0
Server errored responses : 0
Relayed rating : 0
Invalid profile : 0

Allowed : 0
Blocked : 0
Logged : 0
Errors : 0

Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0

Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0

Requests : 0
Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0

No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0

Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%
Exact nodes : 0%

Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%
webfilter status
Use this command to display FortiGate Web Filtering rating information.
Syntax
get webfilter status [<refresh-rate_int>]
wireless-controller client-info
Use this command to get information about WiFi clients.
Syntax
get wireless-controller client-info <vfid> <interface> <client_ip>
The output looks like this:
# get wireless-controller client-info 0 test-local 192.168.2.100
count=1
status: sta_mac=10:fe:ed:26:aa:e0 ap_sn=FP320C3X14006184, ap_name=FP320C3X14006184, chan=6, radio_type=11N
wireless-controller rf-analysis
Use this command to show information about RF conditions at the access point.
Syntax
get wireless-controller rf-analysis [<wtp_id>]
Example output
# get wireless-controller rf-analysis
<wtp-id> wtp id

FWF60C3G11004319 (global) # get wireless-controller rf-analysis
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
channel rssi-total rf-score overlap-ap interfere-ap
1 418 1 24 26
2 109 5 0 34
3 85 7 1 34
4 64 9 0 35
5 101 6 1 35
6 307 1 8 11
7 82 7 0 16
8 69 8 1 15
9 42 10 0 15
10 53 10 0 14
11 182 1 5 6
12 43 10 0 6
13 20 10 0 5
14 8 10 0 5
Controller: FWF60C3G11004319-0
channel rssi_total
1 418
2 109
3 85
4 64
5 101
6 307
7 82
8 69
9 42
10 53
11 182
12 43
13 20
14 8
wireless-controller scan
Use this command to view the list of access points detected by wireless scanning.
Syntax
get wireless-controller scan
Example output
CMW SSID BSSID CHAN RATE S:N INT CAPS ACT LIVE AGE WIRED
UNN 00:0e:8f:24:18:6d 64 54M 16:0 100 Es N 62576 1668 ?
UNN ftiguest 00:15:55:23:d8:62 157 130M 6:0 100 EPs N 98570 2554 ?
wireless-controller status
Use this command to view the numbers of wtp sessions and clients.
Syntax
get wireless-controller status
Example output
# get wireless-controller status
Wireless Controller :
wtp-session-count: 1
client-count : 1/0
wireless-controller vap-status
Use this command to view information about your SSIDs.
Syntax
get wireless-controller vap-status
Example output
# get wireless-controller vap-status
WLAN: mesh.root
name : mesh.root
vdom : root
ssid : fortinet.mesh.root
status : up
mesh backhaul : yes
ip : 0.0.0.0
mac : 00:ff:0a:57:95:ca
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : 10.10.80.1
mac : 00:ff:45:e1:55:81
station info : 1/0
wireless-controller wlchanlistlic
Use this command to display a list of the channels allowed in your region, including
the maximum permitted power for each channel
the channels permitted for each wireless type (802.11n, for example)
The list is in XML format.
Syntax
get wireless-controller wlchanlistlic
Sample output
country name: UNITED STATES2, country code:841, iso name:US
channels on 802.11A band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11B band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11G band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band with channel bonding plus:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band with channel bonding minus:
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 5GHz band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 5GHz band with channel bonding all:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
wireless-controller wtp-status
Syntax
get wireless-controller wtp-status
Example output
# get wireless-controller wtp-status
WTP: FAP22B3U11005354 0-192.168.3.110:5246
wtp-id : FAP22B3U11005354
region-code :
name :
mesh-uplink : mesh
mesh-downlink : disabled
mesh-hop-count : 1
parent-wtp-id :
software-version :
local-ipv4-addr : 0.0.0.0
board-mac : 00:00:00:00:00:00
join-time : Mon Apr 2 10:23:32 2012
connection-state : Disconnected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Monitor
Radio 2 : Ap
country-name : NA
country-code : N/A
client-count : 0
base-bssid : 00:00:00:00:00:00
max-vaps : 7
oper-chan : 0
Radio 3 : Not Exist
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
wtp-id : FWF60C-WIFI0
region-code : ALL
name :
mesh-uplink : ethernet
mesh-downlink : enabled
mesh-hop-count : 0
parent-wtp-id :
software-version : FWF60C-v5.0-build041
local-ipv4-addr : 127.0.0.1
board-mac : 00:09:0f:fe:cc:56
join-time : Mon Apr 2 10:23:35 2012
connection-state : Connected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Ap
country-name : US
country-code : N/A
client-count : 1
base-bssid : 00:0e:8e:3b:63:99
max-vaps : 7
oper-chan : 1
Radio 2 : Not Exist
Radio 3 : Not Exist
tree
The tree command displays FortiOS config CLI commands in a tree structure called the configuration tree. Each configuration command forms a branch of the tree.
Syntax
tree [branch] [sub-branch]
If you enter the tree command from the top of the configuration tree, the command displays the complete configuration tree. Commands are displayed in the order that they are processed when the FortiGate unit starts up. For example, the following output shows the first 10 lines of tree command output:
tree
-- -- system -- [vdom] --*name (12)
+- vcluster-id (0,0)
|- <global> -- language
|- gui-ipv6
|- gui-voip-profile
|- gui-lines-per-page (20,1000)
|- admintimeout (0,0)
|- admin-concurrent
|- admin-lockout-threshold (0,0)
|- admin-lockout-duration (1,2147483647)
|- refresh (0,2147483647)
|- interval (0,0)
|- failtime (0,0)
|- daily-restart
|- restart-time
...
You can include a branch name with the tree command to view the commands in that branch:
tree user
-- user -- [radius] --*name (36)
            |- server (64)
            |- secret
            |- secondary-server (64)
            |- secondary-secret
            ...
        |- [tacacs+] --*name (36)
            |- server (64)
            |- secondary-server (64)
            |- tertiary-server (64)
            ...
        |- [ldap] --*name (36)
            |- server (64)
            |- secondary-server (64)
            |- tertiary-server (64)
            |- port (1,65535)
            ...
You can include a branch and sub branch name with the tree command to view the commands in that sub branch:
tree user local
-- [local] --*name (36)
|- status
|- type
|- passwd
|- ldap-server (36)
|- radius-server (36)
+- tacacs+-server (36)
...
If you enter the tree command from inside the configuration tree, the command displays the tree for the current command:
config user ldap
tree
-- [ldap] --*name (36)
|- server (64)
|- cnid (21)
|- dn (512)
|- port (1,65535)
|- type
...
The tree command output includes information about field limits. These apply in both the CLI and the web-based manager. For a numeric field, the two numbers in parentheses show the lower and upper limits. For example, (0,32) indicates that values from 0 to 32 inclusive are accepted. For string values, the number in parentheses is one more than the maximum number of characters permitted.
In the following example, the FQDN can contain up to 255 characters.
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
+- [tags] --*name (64)
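The limit rules above (a single number is one more than the permitted string length; a pair is an inclusive numeric range) are easy to get wrong in tooling that generates or validates FortiGate configuration before pushing it, and the off-by-one on string fields is the usual mistake. The parser and validator below are an added example, not part of the reference; the tree excerpt they read is constructed in the layout shown above.

```python
import re
from collections import namedtuple

# Constructed excerpt in the layout of the `tree` output shown above (not a capture).
SAMPLE_TREE = """\
-- [address] --*name (64)
|- subnet
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- color (0,32)
+- [tags] --*name (64)
...
"""

# kind is "string" (max_len set), "range" (lo/hi set) or None when no limit is shown.
FieldLimit = namedtuple("FieldLimit", "name kind max_len lo hi")

_CONNECTOR_RE = re.compile(r"^[|+-]+\s*")        # leading '|-', '+-' or '--'
_BRANCH_RE = re.compile(r"^\[[^\]]+\]\s+--\*")    # '[address] --*' before a table's key field
_FIELD_RE = re.compile(r"^(?P<name>[A-Za-z0-9_+-]+)(?:\s+\((?P<limits>[^)]*)\))?$")


def parse_field_limits(text):
    """Turn tree output into FieldLimit records using the documented limit rules."""
    fields = []
    for raw in text.splitlines():
        line = _BRANCH_RE.sub("", _CONNECTOR_RE.sub("", raw.strip()))
        m = _FIELD_RE.match(line)
        if m is None:            # '...' continuation markers and anything unrecognised
            continue
        name, limits = m.group("name"), m.group("limits")
        if limits is None:
            fields.append(FieldLimit(name, None, None, None, None))
        elif "," in limits:
            lo, hi = (int(x) for x in limits.split(","))
            fields.append(FieldLimit(name, "range", None, lo, hi))
        else:
            # string field: the number shown is one more than the permitted length
            fields.append(FieldLimit(name, "string", int(limits) - 1, None, None))
    return fields


def check_value(limit, value):
    """Return (accepted, reason) for a candidate value against one FieldLimit."""
    if limit.kind == "string":
        return len(value) <= limit.max_len, "%d chars, max %d" % (len(value), limit.max_len)
    if limit.kind == "range":
        try:
            n = int(value)
        except ValueError:
            return False, "not an integer"
        return limit.lo <= n <= limit.hi, "%d against [%d,%d]" % (n, limit.lo, limit.hi)
    return True, "no limit shown in tree output"


if __name__ == "__main__":
    for f in parse_field_limits(SAMPLE_TREE):
        print(f)
    fqdn = next(f for f in parse_field_limits(SAMPLE_TREE) if f.name == "fqdn")
    print(check_value(fqdn, "a" * 255), check_value(fqdn, "a" * 256))
```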
Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.