FortiOS - CLI Reference VERSION 5.4.0



December-16-15

FortiOS - CLI Reference

01-540-99686-20151216


Change Log

| Date | Change Description |
| --- | --- |
| December 16, 2015 | New FortiOS 5.4.0 release. |


Introduction

This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).

How this guide is organized

This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.

config describes the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected].

execute describes execute commands.

get describes get commands.

tree describes the tree command.

Availability of commands and options

Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands and options that are available.

Commands and options may not be available for the following reasons:

FortiGate model

Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.

Hardware configuration

For example, some AMC module commands are only available when an AMC module is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.

Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.


Managing Firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit’s boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

Using the BIOS, you can:

  • view system information
  • format the boot device
  • load firmware and reboot (see )
  • reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see )

Accessing the BIOS

The BIOS menu is available only through direct connection to the FortiGate unit’s Console port. During boot-up, “Press any key” appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.

Navigating the menu

The main BIOS menu looks like this:

[C]: Configure TFTP parameters
[R]: Review TFTP paramters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[Q]: Quit menu and continue to boot
[I]: System Information
[B]: Boot with backup firmare and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

Enter C,R,T,F,I,B,Q,or H:

Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the “Enter” line is the default value which you can enter simply by pressing Return. For example,

Enter image download port number [WAN1]:

In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware

The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.


The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.

Configuring TFTP parameters

Starting from the main BIOS menu

[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)

[V]: Set local VLAN ID.

Choose port and whether to use DHCP

[P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:

[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:

[D]: Set DHCP mode.

Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP

If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps

[I]: Set local IP address.

Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.

[S]: Set local subnet mask.

Enter local subnet mask [255.255.252.0]:

[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the FortiGate unit is connected.

TFTP and filename

[T]: Set remote TFTP server IP address.

Enter remote TFTP server IP address [192.168.1.145]:

[F]: Set firmware file name.

Enter firmware file name [image.out]:

Enter [Q] to return to the main menu.

Initiating TFTP firmware transfer

Starting from the main BIOS menu

[T]: Initiate TFTP firmware transfer.


Please connect TFTP server to Ethernet port 'WAN1'.

MAC: 00:09:0f:b5:55:28

Connect to tftp server 192.168.1.145 ...

##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:

Programming the boot device now.................................................................................................................................

Booting the backup firmware

You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

Starting from the main BIOS menu

[B]: Boot with backup firmware and set as default.

If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press ‘Y’ or ‘y’ to boot default image.


config

Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected]


alertemail/setting

CLI Syntax

    config alertemail setting
        edit <name_str>
            set username <string>
            set mailto1 <string>
            set mailto2 <string>
            set mailto3 <string>
            set filter-mode {category | threshold}
            set email-interval <integer>
            set IPS-logs {enable | disable}
            set firewall-authentication-failure-logs {enable | disable}
            set HA-logs {enable | disable}
            set IPsec-errors-logs {enable | disable}
            set FDS-update-logs {enable | disable}
            set PPP-errors-logs {enable | disable}
            set sslvpn-authentication-errors-logs {enable | disable}
            set antivirus-logs {enable | disable}
            set webfilter-logs {enable | disable}
            set configuration-changes-logs {enable | disable}
            set violation-traffic-logs {enable | disable}
            set admin-login-logs {enable | disable}
            set FDS-license-expiring-warning {enable | disable}
            set log-disk-usage-warning {enable | disable}
            set fortiguard-log-quota-warning {enable | disable}
            set amc-interface-bypass-mode {enable | disable}
            set FIPS-CC-errors {enable | disable}
            set FDS-license-expiring-days <integer>
            set local-disk-usage <integer>
            set emergency-interval <integer>
            set alert-interval <integer>
            set critical-interval <integer>
            set error-interval <integer>
            set warning-interval <integer>
            set notification-interval <integer>
            set information-interval <integer>
            set debug-interval <integer>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| username | Email from address. | (Empty) |
| mailto1 | Destination email address 1. | (Empty) |
| mailto2 | Destination email address 2. | (Empty) |
| mailto3 | Destination email address 3. | (Empty) |
| filter-mode | Filter mode. | category |
| email-interval | Interval between each email. | 5 |
| IPS-logs | Enable/disable IPS Logs. | disable |
| firewall-authentication-failure-logs | Enable/disable logging of firewall authentication failures. | disable |
| HA-logs | Enable/disable HA Logs. | disable |
| IPsec-errors-logs | Enable/disable IPsec errors logs. | disable |
| FDS-update-logs | Enable/disable FortiGuard update logs. | disable |
| PPP-errors-logs | Enable/disable PPP errors logs. | disable |
| sslvpn-authentication-errors-logs | Enable/disable logging of SSL-VPN authentication error. | disable |
| antivirus-logs | Enable/disable antivirus logs. | disable |
| webfilter-logs | Enable/disable web filter logging. | disable |
| configuration-changes-logs | Enable/disable logging of configuration changes. | disable |
| violation-traffic-logs | Enable/disable logging of violation traffic. | disable |
| admin-login-logs | Enable/disable logging of administrator login/logouts. | disable |
| FDS-license-expiring-warning | Enable/disable FortiGuard license expiration warning. | disable |
| log-disk-usage-warning | Enable/disable logging of disk usage warning. | disable |
| fortiguard-log-quota-warning | Enable/disable warning of FortiCloud log quota. | disable |
| amc-interface-bypass-mode | Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode. | disable |
| FIPS-CC-errors | Enable/disable FIPS and Common Criteria errors. | disable |
| FDS-license-expiring-days | Number of days to send alert email prior to FortiGuard license expiration (1 - 100 days). | 15 |
| local-disk-usage | Percentage at which to send alert email prior to disk usage exceeding this threshold (1 - 99 percent). | 75 |
| emergency-interval | Emergency alert interval in minutes. | 1 |
| alert-interval | Alert alert interval in minutes. | 2 |
| critical-interval | Critical alert interval in minutes. | 3 |
| error-interval | Error alert interval in minutes. | 5 |
| warning-interval | Warning alert interval in minutes. | 10 |
| notification-interval | Notification alert interval in minutes. | 20 |
| information-interval | Information alert interval in minutes. | 30 |
| debug-interval | Debug alert interval in minutes. | 60 |
| severity | Lowest severity level to log. | alert |


antivirus/heuristic

CLI Syntax

    config antivirus heuristic
        edit <name_str>
            set mode {pass | block | disable}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| mode | Mode to use for heuristics. | disable |


antivirus/profile

CLI Syntax

    config antivirus profile
        edit <name_str>
            set name <string>
            set comment <var-string>
            set replacemsg-group <string>
            set inspection-mode {proxy | flow-based}
            set ftgd-analytics {disable | suspicious | everything}
            set analytics-max-upload <integer>
            set analytics-wl-filetype <integer>
            set analytics-bl-filetype <integer>
            set analytics-db {disable | enable}
            set mobile-malware-db {disable | enable}
            config http
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
            end
            config ftp
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
            end
            config imap
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
            end
            config pop3
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
            end
            config smtp
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
            end
            config mapi
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
            end
            config nntp
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
            end
            config smb
                edit <name_str>
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
            end
            config nac-quar
                edit <name_str>
                    set infected {none | quar-src-ip | quar-interface}
                    set expiry <user>
                    set log {enable | disable}
            end
            set av-virus-log {enable | disable}
            set av-block-log {enable | disable}
            set scan-mode {quick | full}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Profile name. | (Empty) |
| comment | Comment. | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| inspection-mode | Inspection mode. | flow-based |
| ftgd-analytics | Submit suspicious or supposedly clean files to FortiSandbox. | disable |
| analytics-max-upload | Maximum upload size to FortiSandbox (in MB). | 10 |
| analytics-wl-filetype | Do not submit files matching this file-pattern table to the FortiSandbox. | 0 |
| analytics-bl-filetype | Only submit files matching this file-pattern table to the FortiSandbox. | 0 |
| analytics-db | Use signature database from FortiSandbox to supplement the AV signature databases. | disable |
| mobile-malware-db | Use mobile malware signature database. | enable |
| http | HTTP. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable |
| ftp | FTP. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable |
| imap | IMAP. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default |
| pop3 | POP3. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default |
| smtp | SMTP. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default |
| mapi | MAPI. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable, executables default |
| nntp | NNTP. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable |
| smb | SMB. | Details: options (Empty), archive-block (Empty), archive-log (Empty), emulator enable |
| nac-quar | Quarantine settings. | Details: infected none, expiry 5m, log disable |
| av-virus-log | Enable/disable logging for antivirus scanning. | enable |
| av-block-log | Enable/disable logging for antivirus file blocking. | enable |
| scan-mode | Choose between full scan mode and quick scan mode. | full |


antivirus/quarantine

CLI Syntax

    config antivirus quarantine
        edit <name_str>
            set agelimit <integer>
            set maxfilesize <integer>
            set quarantine-quota <integer>
            set drop-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set store-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set drop-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set store-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set lowspace {drop-new | ovrw-old}
            set destination {NULL | disk | FortiAnalyzer}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| agelimit | Age limit for quarantined files. | 0 |
| maxfilesize | Maximum file size to quarantine. | 0 |
| quarantine-quota | Quarantine quota. | 0 |
| drop-infected | Ignore infected files from a protocol. | (Empty) |
| store-infected | Quarantine infected files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi |
| drop-blocked | Drop blocked files from a protocol. | (Empty) |
| store-blocked | Quarantine blocked files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi |
| drop-heuristic | Ignore heuristically caught files from a protocol. | (Empty) |
| store-heuristic | Quarantine heuristically caught files from a protocol. | imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi |
| lowspace | Action when the disk is almost full. | ovrw-old |
| destination | Quarantine destination: disk/FortiAnalyzer. | disk |


antivirus/settings

CLI Syntax

    config antivirus settings
        edit <name_str>
            set default-db {normal | extended | extreme}
            set grayware {enable | disable}
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| default-db | Select AV database to be used for AV scanning. | extended |
| grayware | Enable/disable detection of grayware. | disable |
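
The default values in the alertemail and antivirus tables above can be checked against a configuration backup. The following Python audit is an added example, not part of the Fortinet reference: it parses a constructed configuration excerpt and reports settings whose effective value (configured, or the table default when the line is absent) leaves detection or logging off. It assumes that a backup omits settings left at their defaults and writes single-object branches such as antivirus settings without an edit line; the sample configuration, the choice of settings to flag, and the names parse_config and audit are this example's own.

```python
import shlex

# branch -> setting -> (default from the reference tables, value flagged as weak).
# Which settings to flag is this example's choice, not Fortinet guidance.
RULES = {
    "antivirus settings": {"grayware": ("disable", "disable")},
    "antivirus heuristic": {"mode": ("disable", "disable")},
    "alertemail setting": {
        "antivirus-logs": ("disable", "disable"),
        "admin-login-logs": ("disable", "disable"),
        "configuration-changes-logs": ("disable", "disable"),
        "sslvpn-authentication-errors-logs": ("disable", "disable"),
        "firewall-authentication-failure-logs": ("disable", "disable"),
    },
    "antivirus profile": {
        "av-virus-log": ("enable", "disable"),
        "av-block-log": ("enable", "disable"),
    },
}
# Branches whose entries are created with "edit" (assumption of this example).
TABLE_BRANCHES = {"antivirus profile"}

# Constructed sample backup excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
config antivirus settings
    set default-db extended
    set grayware enable
end
config alertemail setting
    set username "fgt@example.test"
    set mailto1 "soc@example.test"
    set admin-login-logs enable
    set configuration-changes-logs enable
end
config antivirus profile
    edit "default"
        set inspection-mode proxy
        config http
            set options scan avmonitor
        end
    next
    edit "guest-wifi"
        set av-virus-log disable
    next
end
"""


def parse_config(text):
    """Return {context tuple: {setting: value}} for nested config/edit blocks."""
    settings = {}
    stack = []  # frames of ("config", branch) or ("edit", entry name)
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quote: part of a multi-line quoted value
        if not tokens:
            continue
        word = tokens[0]
        if word == "config" and len(tokens) > 1:
            stack.append(("config", " ".join(tokens[1:])))
            settings.setdefault(tuple(name for _, name in stack), {})
        elif word == "edit" and len(tokens) > 1:
            stack.append(("edit", tokens[1]))
            settings.setdefault(tuple(name for _, name in stack), {})
        elif word == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif word == "end":
            # Close the innermost config block, and any edit left open inside it.
            while stack:
                if stack.pop()[0] == "config":
                    break
        elif word == "set" and len(tokens) > 2 and stack:
            context = tuple(name for _, name in stack)
            settings[context][tokens[1]] = " ".join(tokens[2:])
    return settings


def audit(text):
    """Return (context, setting, effective value, origin) for each weak setting."""
    parsed = parse_config(text)
    findings = []
    for branch, rules in RULES.items():
        if branch in TABLE_BRANCHES:
            contexts = [c for c in parsed if len(c) == 2 and c[0] == branch]
        else:
            contexts = [(branch,)]  # a missing branch means every default applies
        for context in contexts:
            configured = parsed.get(context, {})
            for setting, (default, weak) in rules.items():
                value = configured.get(setting, default)
                if value == weak:
                    origin = "configured" if setting in configured else "default"
                    findings.append((" / ".join(context), setting, value, origin))
    return findings


if __name__ == "__main__":
    for context, setting, value, origin in audit(SAMPLE_CONFIG):
        print(f"{context}: {setting} = {value} ({origin})")
```
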


application/custom

CLI Syntax

    config application custom
        edit <name_str>
            set tag <string>
            set name <string>
            set id <integer>
            set comment <string>
            set signature <string>
            set category <integer>
            set protocol <user>
            set technology <user>
            set behavior <user>
            set vendor <user>
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| tag | Signature tag. | (Empty) |
| name | Application name. | (Empty) |
| id | Application ID. | 0 |
| comment | Comment. | (Empty) |
| signature | Signature text. | (Empty) |
| category | Application category ID. | 0 |
| protocol | Application protocol. | (Empty) |
| technology | Application technology. | (Empty) |
| behavior | Application behavior. | (Empty) |
| vendor | Application vendor. | (Empty) |


application/list

CLI Syntax

    config application list
        edit <name_str>
            set name <string>
            set comment <var-string>
            set replacemsg-group <string>
            set other-application-action {pass | block}
            set app-replacemsg {disable | enable}
            set other-application-log {disable | enable}
            set unknown-application-action {pass | block}
            set unknown-application-log {disable | enable}
            set p2p-black-list {skype | edonkey | bittorrent}
            set deep-app-inspection {disable | enable}
            set options {allow-dns | allow-icmp | allow-http | allow-ssl}
            config entries
                edit <name_str>
                    set id <integer>
                    config risk
                        edit <name_str>
                            set level <integer>
                    end
                    config category
                        edit <name_str>
                            set id <integer>
                    end
                    config sub-category
                        edit <name_str>
                            set id <integer>
                    end
                    config application
                        edit <name_str>
                            set id <integer>
                    end
                    set protocols <user>
                    set vendor <user>
                    set technology <user>
                    set behavior <user>
                    set popularity {1 | 2 | 3 | 4 | 5}
                    config tags
                        edit <name_str>
                            set name <string>
                    end
                    config parameters
                        edit <name_str>
                            set id <integer>
                            set value <string>
                    end
                    set action {pass | block | reset}
                    set log {disable | enable}
                    set log-packet {disable | enable}
                    set rate-count <integer>
                    set rate-duration <integer>
                    set rate-mode {periodical | continuous}
                    set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                    set session-ttl <integer>
                    set shaper <string>
                    set shaper-reverse <string>
                    set per-ip-shaper <string>
                    set quarantine {none | attacker | both | interface}
                    set quarantine-expiry <user>
                    set quarantine-log {disable | enable}
            end
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | List name. | (Empty) |
| comment | comments | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| other-application-action | Action for other applications. | pass |
| app-replacemsg | Enable/disable replacement messages for blocked applications. | enable |
| other-application-log | Enable/disable logging of other applications. | disable |
| unknown-application-action | Action for unknown applications. | pass |
| unknown-application-log | Enable/disable logging of unknown applications. | disable |
| p2p-black-list | Action for p2p black list. | (Empty) |
| deep-app-inspection | Enable/disable deep application inspection. | disable |
| options | Options. | allow-dns |
| entries | Application list entries. | (Empty) |


application/name

CLI Syntax

    config application name
        edit <name_str>
            set name <string>
            set id <integer>
            set category <integer>
            set sub-category <integer>
            set popularity <integer>
            set risk <integer>
            set protocol <user>
            set technology <user>
            set behavior <user>
            set vendor <user>
            set parameter <string>
            config metadata
                edit <name_str>
                    set id <integer>
                    set metaid <integer>
                    set valueid <integer>
            end
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Application name. | (Empty) |
| id | Application ID. | 0 |
| category | Application category ID. | 0 |
| sub-category | Application sub-category ID. | 0 |
| popularity | Application popularity. | 0 |
| risk | Application risk. | 0 |
| protocol | Application protocol. | (Empty) |
| technology | Application technology. | (Empty) |
| behavior | Application behavior. | (Empty) |
| vendor | Application vendor. | (Empty) |
| parameter | Application parameter name. | (Empty) |
| metadata | Meta data. | (Empty) |


application/rule-settings

CLI Syntax

    config application rule-settings
        edit <name_str>
            set id <integer>
            config tags
                edit <name_str>
                    set name <string>
            end
    end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Rule ID. | 0 |
| tags | Applied object tags. | (Empty) |


certificate/caCLI Syntax

config certificate ca edit <name_str> set name <string> set ca <user> set range {global | vdom} set source {factory | user | bundle | fortiguard} set trusted {enable | disable} set scep-url <string> set auto-update-days <integer> set auto-update-days-warning <integer> set source-ip <ipv4-address> end

Description

Configuration Description Default Value

name Name. (Empty)

ca CA certificate. (Empty)

range CA certificate range. global

source CA certificate source. user

trusted Enable/disable trusted CA. enable

scep-url URL of SCEP server. (Empty)

auto-update-days Days to auto-update before expired, 0=disabled. 0

auto-update-days-warning Days to send update before auto-update (0=disabled). 0

source-ip Source IP for communications to SCEP server. 0.0.0.0

certificate/crl

CLI Syntax

config certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

name Name. (Empty)

crl Certificate Revocation List. (Empty)

range CRL range. global

source CRL source. user

update-vdom Virtual domain for CRL update. root

ldap-server LDAP server. (Empty)

ldap-username Login name for LDAP server. (Empty)

ldap-password Login password for LDAP server. (Empty)

http-url URL of HTTP server for CRL update. (Empty)

scep-url URL of CA server for CRL update via SCEP. (Empty)

scep-cert Local certificate used for CRL update via SCEP. Fortinet_CA_SSL

update-interval Seconds between updates, 0=disabled. 0

source-ip Source IP for communications to CA (HTTP/SCEP) server. 0.0.0.0

certificate/local

CLI Syntax

config certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end

Description

Configuration Description Default Value

name Name. (Empty)

password Password. (Empty)

comments Comment. (Empty)

private-key Private key. (Empty)

certificate Certificate. (Empty)

csr Certificate Signing Request. (Empty)

state Certificate Signing Request State. (Empty)

scep-url URL of SCEP server. (Empty)

range Certificate range. global

source Certificate source. user

auto-regenerate-days Days to auto-regenerate before expired, 0=disabled. 0

auto-regenerate-days-warning Days to send warning before auto-regeneration, 0=disabled. 0

scep-password SCEP server challenge password for auto-regeneration. (Empty)

ca-identifier CA identifier of the CA server for signing via SCEP. (Empty)

name-encoding Name encoding for auto-regeneration. printable

source-ip Source IP for communications to SCEP server. 0.0.0.0

ike-localid IKE local ID. (Empty)

ike-localid-type IKE local ID type. asn1dn

dlp/filepattern

CLI Syntax

config dlp filepattern
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set filter-type {pattern | type}
                set pattern <string>
                set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
        end
end

Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Configure file patterns used by DLP blocking. (Empty)

dlp/fp-doc-source

CLI Syntax

config dlp fp-doc-source
    edit <name_str>
        set name <string>
        set server-type {samba}
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set scan-on-creation {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <string>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
end

Description

Configuration Description Default Value

name DLP Server. (Empty)

server-type DLP Server. samba

server Server location (can be IP or IPv6 address). (Empty)

period Select periodic server checking. none

vdom Select source on management or current VDOM. mgmt

scan-subdirectories Enable/disable scanning of subdirectories. enable

scan-on-creation Enable/disable force scan of server to happen when document source is created or edited. enable

remove-deleted Enable/disable removing chunks of files deleted from the server. enable

keep-modified Enable/disable retaining old chunks of modified files. enable

username Login username. (Empty)

password Login password. (Empty)

file-path File path on server. (Empty)

file-pattern File patterns to fingerprint (wildcard). *

sensitivity DLP fingerprint sensitivity defined for these files. (Empty)

tod-hour Time of day to run scans (hour part, 24 hour clock). 1

tod-min Time of day to run scans (min). 0

weekday Day of week to run scans. sunday

date Date within a month to run scans. 1

dlp/fp-sensitivity

CLI Syntax

config dlp fp-sensitivity
    edit <name_str>
        set name <string>
end

Description

Configuration Description Default Value

name DLP Sensitivity Levels. (Empty)

dlp/sensor

CLI Syntax

config dlp sensor
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        config filter
            edit <name_str>
                set id <integer>
                set name <string>
                set severity {info | low | medium | high | critical}
                set type {file | message}
                set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
                set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
                set file-size <integer>
                set company-identifier <string>
                config fp-sensitivity
                    edit <name_str>
                        set name <string>
                end
                set match-percentage <integer>
                set file-type <integer>
                set regexp <string>
                set archive {disable | enable}
                set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
                set expiry <user>
        end
        set dlp-log {enable | disable}
        set nac-quar-log {enable | disable}
        set flow-based {enable | disable}
        set options {}
        set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
        set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
end

Description

Configuration Description Default Value

name Name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

filter Configure DLP filters. (Empty)

dlp-log Enable/disable logging for data leak prevention. enable

nac-quar-log Enable/disable logging for NAC quarantine creation. disable

flow-based Enable/disable flow-based data leak prevention. disable

options options

full-archive-proto Protocols to always content archive. (Empty)

summary-proto Protocols to always log summary. (Empty)

dlp/settings

CLI Syntax

config dlp settings
    edit <name_str>
        set storage-device <string>
        set size <integer>
        set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
        set cache-mem-percent <integer>
        set chunk-size <integer>
end

Description

Configuration Description Default Value

storage-device Storage name. (Empty)

size Maximum total size of files within the storage (MB). 16

db-mode Method of maintaining database size. stop-adding

cache-mem-percent Maximum percentage of available memory allocated to caching (1 - 15%). 2

chunk-size Maximum fingerprint chunk size. **Changing will flush the entire database**. 2800

dnsfilter/profile

CLI Syntax

config dnsfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config urlfilter
            edit <name_str>
                set urlfilter-table <integer>
        end
        config ftgd-dns
            edit <name_str>
                set options {error-allow | ftgd-disable}
                config filters
                    edit <name_str>
                        set id <integer>
                        set category <integer>
                        set action {block | monitor}
                        set log {enable | disable}
                end
        end
        set log-all-url {enable | disable}
        set block-action {block | redirect}
        set redirect-portal <ipv4-address>
        set block-botnet {disable | enable}
end

Description

Configuration Description Default Value

name Profile name. (Empty)

comment Comment. (Empty)

urlfilter URL filter settings. Details below

    Configuration Default Value
    urlfilter-table 0

ftgd-dns FortiGuard DNS Filter settings. Details below

    Configuration Default Value
    options (Empty)
    filters (Empty)

log-all-url Enable/disable log all URLs visited. disable

block-action Action to take for blocked domains. redirect

redirect-portal IP address of the SDNS portal. 0.0.0.0

block-botnet Enable/disable block of botnet C&C. disable

dnsfilter/urlfilter

CLI Syntax

config dnsfilter urlfilter
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set id <integer>
                set url <string>
                set type {simple | regex | wildcard}
                set action {block | allow | monitor}
                set status {enable | disable}
        end
end

Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries DNS URL filter. (Empty)

endpoint-control/client

CLI Syntax

config endpoint-control client
    edit <name_str>
        set id <integer>
        set ftcl-uid <string>
        set src-ip <ipv4-address-any>
        set src-mac <mac-address>
        set info <user>
        set ad-groups <var-string>
end

Description

Configuration Description Default Value

id Endpoint client ID. 0

ftcl-uid Endpoint FortiClient UID. (Empty)

src-ip Endpoint client IP address. 0.0.0.0

src-mac Endpoint client MAC address. 00:00:00:00:00:00

info Endpoint client information. (Empty)

ad-groups Endpoint client AD logon groups. (Empty)

endpoint-control/forticlient-registration-sync

CLI Syntax

config endpoint-control forticlient-registration-sync
    edit <name_str>
        set peer-name <string>
        set peer-ip <ipv4-address>
end

Description

Configuration Description Default Value

peer-name Peer name. (Empty)

peer-ip Peer connecting IP. 0.0.0.0

endpoint-control/profile

CLI Syntax

config endpoint-control profile
    edit <name_str>
        set profile-name <string>
        config forticlient-winmac-settings
            edit <name_str>
                set view-profile-details {enable | disable}
                set forticlient-av {enable | disable}
                set av-realtime-protection {enable | disable}
                set scan-download-file {enable | disable}
                set sandbox-scan {enable | disable}
                set sandbox-address <string>
                set wait-sandbox-result {enable | disable}
                set use-sandbox-signature {enable | disable}
                set block-malicious-website {enable | disable}
                set block-attack-channel {enable | disable}
                set av-scheduled-scan {enable | disable}
                set av-scan-type {quick | full | custom}
                set av-scan-folder <string>
                set av-scan-schedule {daily | weekly | monthly}
                set av-scan-day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
                set av-scan-day-of-month <integer>
                set av-scan-time <user>
                config av-scan-exclusions
                    edit <name_str>
                        set id <integer>
                        set type {file | folder}
                        set name <string>
                end
                set forticlient-application-firewall {enable | disable}
                set forticlient-application-firewall-list <string>
                set monitor-unknown-application {enable | disable}
                set install-ca-certificate {enable | disable}
                set forticlient-wf {enable | disable}
                set forticlient-wf-profile <string>
                set disable-wf-when-protected {enable | disable}
                set forticlient-vuln-scan {enable | disable}
                set forticlient-vuln-scan-schedule {daily | weekly | monthly}
                set forticlient-vuln-scan-on-registration {enable | disable}
                set forticlient-vpn-provisioning {enable | disable}
                set forticlient-advanced-vpn {enable | disable}
                set forticlient-advanced-vpn-buffer <var-string>
                config forticlient-vpn-settings
                    edit <name_str>
                        set name <string>
                        set type {ipsec | ssl}
                        set remote-gw <string>
                        set sslvpn-access-port <integer>
                        set sslvpn-require-certificate {enable | disable}
                        set auth-method {psk | certificate}
                        set preshared-key <password>
                end
                set disable-unregister-option {enable | disable}
                set forticlient-log-upload {enable | disable}
                set forticlient-log-upload-server <string>
                set forticlient-log-ssl-upload {enable | disable}
                set forticlient-log-upload-schedule {hourly | daily}
                set forticlient-update-from-fmg {enable | disable}
                config forticlient-update-server
                    edit <name_str>
                        set name <string>
                end
                set forticlient-update-failover-to-fdn {enable | disable}
                set forticlient-settings-lock {enable | disable}
                set forticlient-settings-lock-passwd <password>
                set auto-vpn-when-off-net {enable | disable}
                set auto-vpn-name <user>
                set client-log-when-on-net {enable | disable}
                set forticlient-ad {enable | disable}
                set fsso-ma {enable | disable}
                set fsso-ma-server <string>
                set fsso-ma-psk <password>
                set allow-personal-vpn {enable | disable}
                set disable-user-disconnect {enable | disable}
                set vpn-before-logon {enable | disable}
                set vpn-captive-portal {enable | disable}
                set forticlient-ui-options {av | wf | af | vpn | vs}
                set forticlient-advanced-cfg {enable | disable}
                set forticlient-advanced-cfg-buffer <var-string>
                config extra-buffer-entries
                    edit <name_str>
                        set id <integer>
                        set buffer <var-string>
                end
        end
        config forticlient-android-settings
            edit <name_str>
                set forticlient-wf {enable | disable}
                set forticlient-wf-profile <string>
                set disable-wf-when-protected {enable | disable}
                set forticlient-vpn-provisioning {enable | disable}
                set forticlient-advanced-vpn {enable | disable}
                set forticlient-advanced-vpn-buffer <var-string>
                config forticlient-vpn-settings
                    edit <name_str>
                        set name <string>
                        set type {ipsec | ssl}
                        set remote-gw <string>
                        set sslvpn-access-port <integer>
                        set sslvpn-require-certificate {enable | disable}
                        set auth-method {psk | certificate}
                        set preshared-key <password>
                end
        end
        config forticlient-ios-settings
            edit <name_str>
                set forticlient-wf {enable | disable}
                set forticlient-wf-profile <string>
                set disable-wf-when-protected {enable | disable}
                set client-vpn-provisioning {enable | disable}
                config client-vpn-settings
                    edit <name_str>
                        set name <string>
                        set type {ipsec | ssl}
                        set vpn-configuration-name <string>
                        set vpn-configuration-content <var-string>
                        set remote-gw <string>
                        set sslvpn-access-port <integer>
                        set sslvpn-require-certificate {enable | disable}
                        set auth-method {psk | certificate}
                        set preshared-key <password>
                end
                set distribute-configuration-profile {enable | disable}
                set configuration-name <string>
                set configuration-content <var-string>
        end
        set description <var-string>
        config src-addr
            edit <name_str>
                set name <string>
        end
        config device-groups
            edit <name_str>
                set name <string>
        end
        config users
            edit <name_str>
                set name <string>
        end
        config user-groups
            edit <name_str>
                set name <string>
        end
        config on-net-addr
            edit <name_str>
                set name <string>
        end
        set replacemsg-override-group <string>
end

Description

Configuration Description Default Value

profile-name Profile name. (Empty)

forticlient-winmac-settings FortiClient settings for Windows/Mac platform. Details below

    Configuration Default Value
    view-profile-details enable
    forticlient-av enable
    av-realtime-protection enable
    scan-download-file enable
    sandbox-scan disable
    sandbox-address (Empty)
    wait-sandbox-result disable
    use-sandbox-signature disable
    block-malicious-website disable
    block-attack-channel disable
    av-scheduled-scan disable
    av-scan-type quick
    av-scan-folder (Empty)
    av-scan-schedule daily
    av-scan-day-of-week sunday
    av-scan-day-of-month 0
    av-scan-time 00:00
    av-scan-exclusions (Empty)
    forticlient-application-firewall disable
    forticlient-application-firewall-list (Empty)
    monitor-unknown-application disable
    install-ca-certificate disable
    forticlient-wf enable
    forticlient-wf-profile default
    disable-wf-when-protected enable
    forticlient-vuln-scan disable
    forticlient-vuln-scan-schedule monthly
    forticlient-vuln-scan-on-registration enable
    forticlient-vpn-provisioning disable
    forticlient-advanced-vpn disable
    forticlient-advanced-vpn-buffer (Empty)
    forticlient-vpn-settings (Empty)
    disable-unregister-option disable
    forticlient-log-upload disable
    forticlient-log-upload-server (Empty)
    forticlient-log-ssl-upload enable
    forticlient-log-upload-schedule daily
    forticlient-update-from-fmg disable
    forticlient-update-server (Empty)
    forticlient-update-failover-to-fdn enable
    forticlient-settings-lock disable
    forticlient-settings-lock-passwd (Empty)
    auto-vpn-when-off-net disable
    auto-vpn-name (Empty)
    client-log-when-on-net disable
    forticlient-ad disable
    fsso-ma disable
    fsso-ma-server (Empty)
    fsso-ma-psk (Empty)
    allow-personal-vpn enable
    disable-user-disconnect disable
    vpn-before-logon disable
    vpn-captive-portal disable
    forticlient-ui-options av wf vpn
    forticlient-advanced-cfg disable
    forticlient-advanced-cfg-buffer (Empty)
    extra-buffer-entries (Empty)

forticlient-android-settings FortiClient settings for Android platform. Details below

    Configuration Default Value
    forticlient-wf disable
    forticlient-wf-profile (Empty)
    disable-wf-when-protected enable
    forticlient-vpn-provisioning disable
    forticlient-advanced-vpn disable
    forticlient-advanced-vpn-buffer (Empty)
    forticlient-vpn-settings (Empty)

forticlient-ios-settings FortiClient settings for iOS platform. Details below

    Configuration Default Value
    forticlient-wf disable
    forticlient-wf-profile (Empty)
    disable-wf-when-protected enable
    client-vpn-provisioning disable
    client-vpn-settings (Empty)
    distribute-configuration-profile disable
    configuration-name (Empty)
    configuration-content (Empty)

description Description. (Empty)

src-addr Source addresses. (Empty)

device-groups Device groups. (Empty)

users Users. (Empty)

user-groups User groups. (Empty)

on-net-addr Addresses for on-net detection. (Empty)

replacemsg-override-group Specify endpoint control replacement message override group. (Empty)

endpoint-control/registered-forticlient

CLI Syntax

config endpoint-control registered-forticlient
    edit <name_str>
        set uid <string>
        set vdom <string>
        set ip <ipv4-address-any>
        set mac <mac-address>
        set status <integer>
        set flag <integer>
        set reg-fortigate <string>
end

Description

Configuration Description Default Value

uid FortiClient UID. (Empty)

vdom Registering vdom. (Empty)

ip Endpoint IP address. 0.0.0.0

mac Endpoint MAC address. 00:00:00:00:00:00

status FortiClient registration status. 1

flag FortiClient registration flag. 0

reg-fortigate Registering FortiGate SN. (Empty)

endpoint-control/settings

CLI Syntax

config endpoint-control settings
    edit <name_str>
        set forticlient-reg-key-enforce {enable | disable}
        set forticlient-reg-key <password>
        set forticlient-reg-timeout <integer>
        set download-custom-link <string>
        set download-location {fortiguard | custom}
        set forticlient-keepalive-interval <integer>
        set forticlient-sys-update-interval <integer>
end

Description

Configuration Description Default Value

forticlient-reg-key-enforce Enable/disable enforcement of FortiClient registration key. disable

forticlient-reg-key FortiClient registration key. (Empty)

forticlient-reg-timeout FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited). 7

download-custom-link Customized URL for downloading FortiClient. (Empty)

download-location FortiClient download location. fortiguard

forticlient-keepalive-interval Interval between two KeepAlive messages from FortiClient (in seconds). 60

forticlient-sys-update-interval Interval between two system update messages from FortiClient (in minutes). 720

extender-controller/extender

CLI Syntax

config extender-controller extender
    edit <name_str>
        set id <string>
        set admin {disable | discovered | enable}
        set ifname <string>
        set vdom <integer>
        set role {none | primary | secondary}
        set mode {standalone | redundant}
        set dial-mode {dial-on-demand | always-connect}
        set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
        set redundant-intf <string>
        set dial-status <integer>
        set conn-status <integer>
        set ext-name <string>
        set description <string>
        set quota-limit-mb <integer>
        set billing-start-day <integer>
        set at-dial-script <string>
        set modem-passwd <password>
        set initiated-update {enable | disable}
        set modem-type {cdma | gsm/lte | wimax}
        set ppp-username <string>
        set ppp-password <password>
        set ppp-auth-protocol {auto | pap | chap}
        set ppp-echo-request {enable | disable}
        set wimax-carrier <string>
        set wimax-realm <string>
        set wimax-auth-protocol {tls | ttls}
        set sim-pin <password>
        set access-point-name <string>
        set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
        set roaming {enable | disable}
        set cdma-nai <string>
        set aaa-shared-secret <password>
        set ha-shared-secret <password>
        set primary-ha <string>
        set secondary-ha <string>
        set cdma-aaa-spi <string>
        set cdma-ha-spi <string>
end

Description

Configuration Description Default Value

id FortiExtender serial number. (Empty)

admin FortiExtender Administration (enable or disable). disable

ifname FortiExtender interface name. (Empty)

vdom VDOM 0

role FortiExtender work role (Primary, Secondary, None). none

mode FortiExtender mode. standalone

dial-mode Dial mode (dial-on-demand or always-connect). always-connect

redial Number of redials allowed based on failed attempts. none

redundant-intf Redundant interface. (Empty)

dial-status Dial status. 0

conn-status Connection status. 0

ext-name FortiExtender name. (Empty)

description Description. (Empty)

quota-limit-mb Monthly quota limit (MB). 0

billing-start-day Billing start day. 1

at-dial-script Initialization AT commands specific to the MODEM. (Empty)

modem-passwd MODEM password. (Empty)

initiated-update Allow/disallow network initiated updates to the MODEM. disable

modem-type MODEM type (CDMA, GSM/LTE or WIMAX). gsm/lte

ppp-username PPP username. (Empty)

ppp-password PPP password. (Empty)

ppp-auth-protocol PPP authentication protocol (PAP, CHAP or auto). auto

ppp-echo-request Enable/disable PPP echo request. disable

wimax-carrier WiMax carrier. (Empty)

wimax-realm WiMax realm. (Empty)

wimax-auth-protocol WiMax authentication protocol (TLS or TTLS). tls

sim-pin SIM PIN. (Empty)

access-point-name Access point name (APN). (Empty)

multi-mode MODEM mode of operation (3G, LTE, etc). auto

roaming Enable/disable MODEM roaming. disable

cdma-nai NAI for CDMA MODEMS. (Empty)

aaa-shared-secret AAA shared secret. (Empty)

ha-shared-secret HA shared secret. (Empty)

primary-ha Primary HA. (Empty)

secondary-ha Secondary HA. (Empty)

cdma-aaa-spi CDMA AAA SPI. (Empty)

cdma-ha-spi CDMA HA SPI. (Empty)

firewall.ipmacbinding/setting

CLI Syntax

config firewall.ipmacbinding setting
    edit <name_str>
        set bindthroughfw {enable | disable}
        set bindtofw {enable | disable}
        set undefinedhost {allow | block}
end

Description

Configuration Description Default Value

bindthroughfw Enable/disable going through firewall. disable

bindtofw Enable/disable going to firewall. disable

undefinedhost Allow/block traffic for undefined hosts. block

firewall.ipmacbinding/table

CLI Syntax

config firewall.ipmacbinding table
    edit <name_str>
        set seq-num <integer>
        set ip <ipv4-address>
        set mac <mac-address>
        set name <string>
        set status {enable | disable}
end

Description

Configuration Description Default Value

seq-num Entry number. 0

ip IP address. 0.0.0.0

mac MAC address. 00:00:00:00:00:00

name Name (optional, default = no name). noname

status Enable/disable IP-mac binding. disable

firewall.schedule/group

CLI Syntax

config firewall.schedule group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
        end
        set color <integer>
end

Description

Configuration Description Default Value

name Schedule group name. (Empty)

member Schedule group member. (Empty)

color GUI icon color. 0

firewall.schedule/onetime

CLI Syntax

config firewall.schedule onetime
    edit <name_str>
        set name <string>
        set start <user>
        set end <user>
        set color <integer>
        set expiration-days <integer>
end

Description

Configuration Description Default Value

name Onetime schedule name. (Empty)

start Start time and date. 00:00 2001/01/01

end End time and date. 00:00 2001/01/01

color GUI icon color. 0

expiration-days Generate event log before schedule expires (1-100 days, 0 = disable). 3

firewall.schedule/recurring

CLI Syntax

config firewall.schedule recurring
    edit <name_str>
        set name <string>
        set start <user>
        set end <user>
        set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
        set color <integer>
end

Description

Configuration Description Default Value

name Recurring schedule name. (Empty)

start Start time. 00:00

end End time. 00:00

day weekday sunday

color GUI icon color. 0

firewall.service/category

CLI Syntax

config firewall.service category
    edit <name_str>
        set name <string>
        set comment <var-string>
end

Description

Configuration Description Default Value

name Service category name. (Empty)

comment Comment. (Empty)

firewall.service/custom

CLI Syntax

config firewall.service custom
    edit <name_str>
        set name <string>
        set explicit-proxy {enable | disable}
        set category <string>
        set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
        set iprange <user>
        set fqdn <string>
        set protocol-number <integer>
        set icmptype <integer>
        set icmpcode <integer>
        set tcp-portrange <user>
        set udp-portrange <user>
        set sctp-portrange <user>
        set tcp-halfclose-timer <integer>
        set tcp-halfopen-timer <integer>
        set tcp-timewait-timer <integer>
        set udp-idle-timer <integer>
        set session-ttl <integer>
        set check-reset-range {disable | strict | default}
        set comment <var-string>
        set color <integer>
        set visibility {enable | disable}
end

Description

Configuration Description Default Value

name Custom service name. (Empty)

explicit-proxy Enable/disable explicit web proxy service. disable

category Service category. (Empty)

protocol Protocol type. TCP/UDP/SCTP

iprange Start IP-End IP. 0.0.0.0

fqdn Fully qualified domain name. (Empty)

protocol-number IP protocol number. 0

icmptype ICMP type. (Empty)

icmpcode ICMP code. (Empty)

tcp-portrange Multiple TCP port ranges. (Empty)

udp-portrange Multiple UDP port ranges. (Empty)

sctp-portrange Multiple SCTP port ranges. (Empty)

tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, 0 = default). 0

tcp-halfopen-timer TCP half close timeout (1 - 86400 sec, 0 = default). 0

tcp-timewait-timer TCP half close timeout (1 - 300 sec, 0 = default). 0

udp-idle-timer TCP half close timeout (0 - 86400 sec, 0 = default). 0

session-ttl Session TTL (300 - 604800, 0 = default). 0

check-reset-range Enable/disable RST check. default

comment Comment. (Empty)

color GUI icon color. 0

visibility Enable/disable service visibility. enable

firewall.service/group

CLI Syntax

config firewall.service group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
        end
        set explicit-proxy {enable | disable}
        set comment <var-string>
        set color <integer>
end

Description

Configuration Description Default Value

name Address group name. (Empty)

member Address group member. (Empty)

explicit-proxy Enable/disable explicit web proxy service group. disable

comment Comment. (Empty)

color GUI icon color. 0

firewall.shaper/per-ip-shaper

CLI Syntax

config firewall.shaper per-ip-shaper
    edit <name_str>
        set name <string>
        set max-bandwidth <integer>
        set bandwidth-unit {kbps | mbps | gbps}
        set max-concurrent-session <integer>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
end

Description

Configuration Description Default Value

name Traffic shaper name. (Empty)

max-bandwidth Maximum bandwidth value (0 - 16776000). 0

bandwidth-unit Bandwidth unit (default = kbps). kbps

max-concurrent-session Maximum concurrent session (0 - 2097000). 0

diffserv-forward Forward (original) traffic DiffServ. disable

diffserv-reverse Reverse (reply) traffic DiffServ. disable

diffservcode-forward Forward (original) traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000

firewall.shaper/traffic-shaper

CLI Syntax

config firewall.shaper traffic-shaper
    edit <name_str>
        set name <string>
        set guaranteed-bandwidth <integer>
        set maximum-bandwidth <integer>
        set bandwidth-unit {kbps | mbps | gbps}
        set priority {low | medium | high}
        set per-policy {disable | enable}
        set diffserv {enable | disable}
        set diffservcode <user>
end

Description

Configuration Description Default Value

name Traffic shaper name. (Empty)

guaranteed-bandwidth Guaranteed bandwidth value (0 - 16776000). 0

maximum-bandwidth Maximum bandwidth value (0 - 16776000). 0

bandwidth-unit Bandwidth unit (default = kbps). kbps

priority Traffic priority. high

per-policy Enable/disable use a separate shaper for each policy. disable

diffserv Enable/disable traffic DiffServ. disable

diffservcode Traffic DiffServ code point value. 000000

firewall.ssl/setting

CLI Syntax

config firewall.ssl setting
    edit <name_str>
        set proxy-connect-timeout <integer>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-send-empty-frags {enable | disable}
        set no-matching-cipher-action {bypass | drop}
        set cert-cache-capacity <integer>
        set cert-cache-timeout <integer>
        set session-cache-capacity <integer>
        set session-cache-timeout <integer>
end

Description

Configuration Description Default Value

proxy-connect-timeout Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec). 30

ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048

ssl-send-empty-frags Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). enable

no-matching-cipher-action Bypass or drop the connection when no matching cipher was found. bypass

cert-cache-capacity Maximum capacity of the host certificate cache (0 - 500). 200

cert-cache-timeout Minutes to keep certificate cache (1 - 120 min). 10

session-cache-capacity Obsolete. 500

session-cache-timeout Number of minutes to keep SSL session state. 20

firewall/address

CLI Syntax

config firewall address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set subnet <ipv4-classnet-any>
        set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set fqdn <string>
        set country <string>
        set wildcard-fqdn <string>
        set cache-ttl <integer>
        set wildcard <ipv4-classnet-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
        set allow-routing {enable | disable}
end

Description

Configuration Description Default Value

name Address name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

subnet IP address and netmask. 0.0.0.0 0.0.0.0

type Type. ipmask

start-ip Start IP. 0.0.0.0

end-ip End IP. 0.0.0.0

fqdn Fully qualified domain name. (Empty)

country Country name. (Empty)

wildcard-fqdn Wildcard FQDN. (Empty)

cache-ttl Minimal TTL of individual IP addresses in FQDN cache. 0

wildcard IP address and wildcard netmask. 0.0.0.0 0.0.0.0

comment Comment. (Empty)

visibility Enable/disable address visibility. enable

associated-interface Associated interface name. (Empty)

color GUI icon color. 0

tags Applied object tags. (Empty)

allow-routing Enable/disable use of this address in the static route configuration. disable

firewall/address6

CLI Syntax

config firewall address6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {ipprefix | iprange}
        set ip6 <ipv6-network>
        set start-ip <ipv6-address>
        set end-ip <ipv6-address>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
        set comment <var-string>
end

Description

Configuration Description Default Value

name Address name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

type Type. ipprefix

ip6 IPv6 address prefix. ::/0

start-ip Start IP. ::

end-ip End IP. ::

visibility Enable/disable address visibility. enable

color GUI icon color. 0

tags Applied object tags. (Empty)

comment Comment. (Empty)

firewall/addrgrp

CLI Syntax

config firewall addrgrp
    edit <name_str>
        set name <string>
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
        end
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
        set allow-routing {enable | disable}
end

Description

Configuration Description Default Value

name Address group name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

member Address group member. (Empty)

comment Comment. (Empty)

visibility Enable/disable address group visibility. enable

color GUI icon color. 0

tags Applied object tags. (Empty)

allow-routing Enable/disable use of this group in the static route configuration. disable

firewall/addrgrp6

CLI Syntax

config firewall addrgrp6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set visibility {enable | disable}
        set color <integer>
        set comment <var-string>
        config member
            edit <name_str>
                set name <string>
        end
        config tags
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

name IPv6 address group name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

visibility Enable/disable address group6 visibility. enable

color GUI icon color. 0

comment Comment. (Empty)

member IPv6 address group member. (Empty)

tags Applied object tags. (Empty)

firewall/auth-portal

CLI Syntax

config firewall auth-portal
    edit <name_str>
        config groups
            edit <name_str>
                set name <string>
        end
        set portal-addr <string>
        set portal-addr6 <string>
        set identity-based-route <string>
end

Description

Configuration Description Default Value

groups Group name. (Empty)

portal-addr Address (or domain name) of authentication portal. (Empty)

portal-addr6 IPv6 address (or domain name) of authentication portal. (Empty)

identity-based-route Name of identity-based routing rule. (Empty)

firewall/central-snat-map

CLI Syntax

config firewall central-snat-map
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        config orig-addr
            edit <name_str>
                set name <string>
        end
        config dst-addr
            edit <name_str>
                set name <string>
        end
        config nat-ippool
            edit <name_str>
                set name <string>
        end
        set protocol <integer>
        set orig-port <integer>
        set nat-port <user>
end

Description

Configuration Description Default Value

policyid Policy ID. 0

status Enable/disable policy status. enable

orig-addr Original address. (Empty)

dst-addr Destination address. (Empty)

nat-ippool IP pool names for translated address. (Empty)

protocol Protocol (0 - 255). 0

orig-port Original port. 0

nat-port Translated port or port range. 0

firewall/dnstranslation

CLI Syntax

config firewall dnstranslation
    edit <name_str>
        set id <integer>
        set src <ipv4-address>
        set dst <ipv4-address>
        set netmask <ipv4-netmask>
end

Description

Configuration Description Default Value

id ID. 0

src Source IP. 0.0.0.0

dst Destination IP. 0.0.0.0

netmask Network mask. 255.255.255.255

firewall/DoS-policy

CLI Syntax

config firewall DoS-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
        end
end

Description

Configuration Description Default Value

policyid Policy ID. 0

status Enable/disable policy status. enable

interface Interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

service Service name. (Empty)

anomaly Anomaly. (Empty)

firewall/DoS-policy6

CLI Syntax

config firewall DoS-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
        end
end

Description

Configuration Description Default Value

policyid Policy ID. 0

status Enable/disable policy status. enable

interface Interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

service Service name. (Empty)

anomaly Anomaly. (Empty)

firewall/explicit-proxy-address

CLI Syntax

config firewall explicit-proxy-address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
        set host <string>
        set host-regex <string>
        set path <string>
        config category
            edit <name_str>
                set id <integer>
        end
        set method {get | post | put | head | connect | trace | options | delete}
        set ua {chrome | ms | firefox | safari | other}
        set header-name <string>
        set header <string>
        set case-sensitivity {disable | enable}
        config header-group
            edit <name_str>
                set id <integer>
                set header-name <string>
                set header <string>
                set case-sensitivity {disable | enable}
        end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
        set comment <var-string>
        set visibility {enable | disable}
end

Description

Configuration Description Default Value

name Address name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

type Address type. url

host Host address (Empty)

host-regex Host regular expression. (Empty)

path URL path regular expression. (Empty)

category FortiGuard category ID. (Empty)

method HTTP methods. (Empty)

ua User agent. (Empty)

header-name HTTP header. (Empty)

header HTTP header regular expression. (Empty)

case-sensitivity Case sensitivity in pattern. disable

header-group HTTP header group. (Empty)

color GUI icon color. 0

tags Applied object tags. (Empty)

comment Comment. (Empty)

visibility Enable/disable address visibility. disable

firewall/explicit-proxy-addrgrp

CLI Syntax

config firewall explicit-proxy-addrgrp
    edit <name_str>
        set name <string>
        set type {src | dst}
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
        end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
        set comment <var-string>
        set visibility {enable | disable}
end

Description

Configuration Description Default Value

name Address group name. (Empty)

type Address group type. src

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

member Address group members. (Empty)

color GUI icon color. 0

tags Applied object tags. (Empty)

comment Comment. (Empty)

visibility Enable/disable address visibility. disable

firewall/explicit-proxy-policy

CLI Syntax

config firewall explicit-proxy-policy
    edit <name_str>
        set uuid <uuid>
        set policyid <integer>
        set proxy {web | ftp | wanopt}
        config dstintf
            edit <name_str>
                set name <string>
        end
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        set logtraffic {all | utm | disable}
        config srcaddr6
            edit <name_str>
                set name <string>
        end
        config dstaddr6
            edit <name_str>
                set name <string>
        end
        set identity-based {enable | disable}
        set ip-based {enable | disable}
        set active-auth-method {ntlm | basic | digest | form | none}
        set sso-auth-method {fsso | rsso | none}
        set require-tfa {enable | disable}
        set web-auth-cookie {enable | disable}
        set transaction-based {enable | disable}
        config identity-based-policy
            edit <name_str>
                set id <integer>
                set schedule <string>
                set logtraffic {all | utm | disable}
                set logtraffic-start {enable | disable}
                set scan-botnet-connections {disable | block | monitor}
                set utm-status {enable | disable}
                set profile-type {single | group}
                set profile-group <string>
                set av-profile <string>
                set webfilter-profile <string>
                set spamfilter-profile <string>
                set dlp-sensor <string>
                set ips-sensor <string>
                set application-list <string>
                set casi-profile <string>
                set icap-profile <string>
                set waf-profile <string>
                set profile-protocol-options <string>
                set ssl-ssh-profile <string>
                config groups
                    edit <name_str>
                        set name <string>
                end
                config users
                    edit <name_str>
                        set name <string>
                end
                set disclaimer {disable | domain | policy | user}
                set replacemsg-override-group <string>
        end
        set webproxy-forward-server <string>
        set webproxy-profile <string>
        set transparent {enable | disable}
        set webcache {enable | disable}
        set webcache-https {disable | any | enable}
        set disclaimer {disable | domain | policy | user}
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set replacemsg-override-group <string>
        set logtraffic-start {enable | disable}
        config tags
            edit <name_str>
                set name <string>
                set name <string>
        end
        set label <string>
        set global-label <string>
        set scan-botnet-connections {disable | block | monitor}
        set comments <var-string>
end

Description

Configuration Description Default Value

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

policyid Policy ID. 0

proxy Explicit proxy type. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. [srcaddr or srcaddr6 (web proxy only) must be set]. (Empty)

dstaddr Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set]. (Empty)

service Service name. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

action Policy action. deny

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

logtraffic Enable/disable policy log traffic. utm

srcaddr6 IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set]. (Empty)

dstaddr6 IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set]. (Empty)

identity-based Enable/disable identity-based policy. disable

ip-based Enable/disable IP-based authentication. disable

active-auth-method Active authentication method. basic

sso-auth-method SSO authentication method. none

require-tfa Enable/disable requirement of 2-factor authentication. disable

web-auth-cookie Enable/disable Web authentication cookie. disable

transaction-based Enable/disable transaction based authentication. disable

identity-based-policy Identity-based policy. (Empty)

webproxy-forward-server Web proxy forward server. (Empty)

webproxy-profile Web proxy profile. (Empty)

transparent Use IP address of client to connect to server. disable

webcache Enable/disable web cache. disable

webcache-https Enable/disable web cache for HTTPS. disable

disclaimer Web proxy disclaimer setting. disable

utm-status Enable AV/web/IPS protection profile. disable

profile-type profile type single

profile-group profile group (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

replacemsg-override-group Specify authentication replacement message override group. (Empty)

logtraffic-start Enable/disable policy log traffic start. disable

tags Applied object tags. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

comments Comment. (Empty)

firewall/identity-based-route

CLI Syntax

config firewall identity-based-route
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set gateway <ipv4-address>
                set device <string>
                config groups
                    edit <name_str>
                        set name <string>
                end
        end
end

Description

Configuration Description Default Value

name Name. (Empty)

comments Description/comments. (Empty)

rule Rule. (Empty)

firewall/interface-policy

CLI Syntax

config firewall interface-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
end

Description

Configuration Description Default Value

policyid Policy ID. 0

status Enable/disable policy status. enable

logtraffic Enable/disable interface log traffic. utm

address-type Policy address type. ipv4

interface Interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

service Service name. (Empty)

application-list-status Enable/disable application control. disable

application-list Application list name. (Empty)

casi-profile-status Enable/disable CASI. disable

casi-profile CASI profile name. (Empty)

ips-sensor-status Enable/disable IPS sensor. disable

ips-sensor IPS sensor name. (Empty)

dsri Enable/disable DSRI. disable

av-profile-status Enable/disable antivirus. disable

av-profile Antivirus profile. (Empty)

webfilter-profile-status Enable/disable web filter profile. disable

webfilter-profile Web filter profile. (Empty)

spamfilter-profile-status Enable/disable spam filter. disable

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor-status Enable/disable DLP sensor. disable

dlp-sensor DLP sensor. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

label Label. (Empty)

firewall/interface-policy6

CLI Syntax

config firewall interface-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr6
            edit <name_str>
                set name <string>
        end
        config dstaddr6
            edit <name_str>
                set name <string>
        end
        config service6
            edit <name_str>
                set name <string>
        end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
end

Description

Configuration Description Default Value

policyid Policy ID. 0

status Enable/disable policy status. enable

logtraffic Enable/disable interface log traffic. utm

address-type Policy address type. ipv6

interface Interface name. (Empty)

srcaddr6 IPv6 source address name. (Empty)

dstaddr6 IPv6 destination address name. (Empty)

service6 Service name. (Empty)

application-list-status Enable/disable application control. disable

application-list Application list name. (Empty)

casi-profile-status Enable/disable CASI. disable

casi-profile CASI profile name. (Empty)

ips-sensor-status Enable/disable IPS sensor. disable

ips-sensor IPS sensor name. (Empty)

dsri Enable/disable DSRI. disable

av-profile-status Enable/disable antivirus. disable

av-profile Antivirus profile. (Empty)

webfilter-profile-status Enable/disable web filter profile. disable

webfilter-profile Web filter profile. (Empty)

spamfilter-profile-status Enable/disable spam filter. disable

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor-status Enable/disable DLP sensor. disable

dlp-sensor DLP sensor. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

label Label. (Empty)

firewall/ip-translation

CLI Syntax

config firewall ip-translation
    edit <name_str>
        set transid <integer>
        set type {SCTP}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set map-startip <ipv4-address-any>
end

Description

Configuration Description Default Value

transid IP translation ID. 0

type IP translation type. SCTP

startip Start IP. 0.0.0.0

endip End IP. 0.0.0.0

map-startip Mapped start IP. 0.0.0.0

firewall/ippool

CLI Syntax

config firewall ippool
    edit <name_str>
        set name <string>
        set type {overload | one-to-one | fixed-port-range | port-block-allocation}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set source-startip <ipv4-address-any>
        set source-endip <ipv4-address-any>
        set block-size <integer>
        set num-blocks-per-user <integer>
        set permit-any-host {disable | enable}
        set arp-reply {disable | enable}
        set arp-intf <string>
        set comments <var-string>
end

Description

Configuration Description Default Value

name IP pool name. (Empty)

type IP pool type. overload

startip Start IP. 0.0.0.0

endip End IP. 0.0.0.0

source-startip Source start IP. 0.0.0.0

source-endip Source end IP. 0.0.0.0

block-size Block size. 128

num-blocks-per-user Number of blocks per user (1 - 128). 8

permit-any-host Enable/disable full cone. disable

arp-reply Enable/disable ARP reply. enable

arp-intf ARP reply interface. Any if unset. (Empty)

comments Comment. (Empty)

firewall/ippool6

CLI Syntax

config firewall ippool6
    edit <name_str>
        set name <string>
        set startip <ipv6-address>
        set endip <ipv6-address>
        set comments <var-string>
end

Description

Configuration Description Default Value

name IPv6 pool name. (Empty)

startip Start IP. ::

endip End IP. ::

comments Comment. (Empty)

firewall/ipv6-eh-filter

CLI Syntax

config firewall ipv6-eh-filter
    edit <name_str>
        set hop-opt {enable | disable}
        set dest-opt {enable | disable}
        set hdopt-type <integer>
        set routing {enable | disable}
        set routing-type <integer>
        set fragment {enable | disable}
        set auth {enable | disable}
        set no-next {enable | disable}
end

Description

Configuration Description Default Value

hop-opt Block packets with Hop-by-Hop Options header. disable

dest-opt Block packets with Destination Options header. disable

hdopt-type Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). (Empty)

routing Block packets with Routing header. enable

routing-type Block specific Routing header types (maximum 7 types, each between 0 and 255). 0

fragment Block packets with Fragment header. disable

auth Block packets with Authentication header. disable

no-next Block packets with No Next header. disable

firewall/ldb-monitor

CLI Syntax

config firewall ldb-monitor
    edit <name_str>
        set name <string>
        set type {ping | tcp | http | passive-sip}
        set interval <integer>
        set timeout <integer>
        set retry <integer>
        set port <integer>
        set http-get <string>
        set http-match <string>
        set http-max-redirects <integer>
end

Description

Configuration Description Default Value

name Monitor name. (Empty)

type Monitor type. (Empty)

interval Detect interval. 10

timeout Detect request timeout. 2

retry Number of detect tries before bring server down. 3

port Service port. 0

http-get HTTP get URL string. (Empty)

http-match String for matching HTTP-get response. (Empty)

http-max-redirects The maximum number of HTTP redirects to be allowed. 0

firewall/local-in-policy

CLI Syntax

config firewall local-in-policy
    edit <name_str>
        set policyid <integer>
        set ha-mgmt-intf-only {enable | disable}
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
        end
        set schedule <string>
        set auto-asic-offload {enable | disable}
        set status {enable | disable}
end

Description

Configuration Description Default Value

policyid User defined local in policy ID. 0

ha-mgmt-intf-only Enable/disable dedication of HA management interface only for local-in policy. disable

intf Source interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Local-In policy action. deny

service Service name. (Empty)

schedule Schedule name. (Empty)

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

status Enable/disable policy status. enable

firewall/local-in-policy6

CLI Syntax

config firewall local-in-policy6
    edit <name_str>
        set policyid <integer>
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
        end
        set schedule <string>
        set status {enable | disable}
end

Description

Configuration Description Default Value

policyid User defined local in policy ID. 0

intf Source interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Local-In policy action. deny

service Service name. (Empty)

schedule Schedule name. (Empty)

status Enable/disable policy status. enable

firewall/multicast-address

CLI Syntax

config firewall multicast-address
    edit <name_str>
        set name <string>
        set type {multicastrange | broadcastmask}
        set subnet <ipv4-classnet-any>
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

name Multicast address name. (Empty)

type type multicastrange

subnet Broadcast address and subnet. 0.0.0.0 0.0.0.0

start-ip Start IP. 0.0.0.0

end-ip End IP. 0.0.0.0

comment Comment. (Empty)

visibility Enable/disable multicast address visibility. enable

associated-interface Associated interface name. (Empty)

color GUI icon color. 0

tags Applied object tags. (Empty)

firewall/multicast-address6

CLI Syntax

config firewall multicast-address6
    edit <name_str>
        set name <string>
        set ip6 <ipv6-network>
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

name IPv6 multicast address name. (Empty)

ip6 IPv6 address prefix. ::/0

comment Comment. (Empty)

visibility Enable/disable multicast address visibility. enable

color GUI icon color. 0

tags Applied object tags. (Empty)

firewall/multicast-policy

CLI Syntax

config firewall multicast-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set snat {enable | disable}
        set snat-ip <ipv4-address>
        set dnat <ipv4-address-any>
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
end

Description

Configuration Description Default Value

id Policy ID. 0

status Enable/disable policy status. enable

logtraffic Enable/disable policy log traffic. disable

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

snat Enable/disable NAT source address. disable

snat-ip NAT source address. 0.0.0.0

dnat NAT destination address. 0.0.0.0

action Policy action. accept

protocol Protocol number. 0

start-port Start port number. 1

end-port End port number. 65535

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

firewall/multicast-policy6

CLI Syntax

config firewall multicast-policy6
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
end

Description

Configuration Description Default Value

id Policy ID. 0

status Enable/disable multicast IPv6 policy status. enable

logtraffic Enable/disable multicast IPv6 policy log traffic. disable

srcintf IPv6 source interface name. (Empty)

dstintf IPv6 destination interface name. (Empty)

srcaddr IPv6 source address name. (Empty)

dstaddr IPv6 destination address name. (Empty)

action Policy action. accept

protocol Protocol number. 0

start-port Start port number. 1

end-port End port number. 65535

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

firewall/policy

CLI Syntax

config firewall policy
    edit <name_str>
        set policyid <integer>
        set name <string>
        set uuid <uuid>
        config srcintf
            edit <name_str>
                set name <string>
        end
        config dstintf
            edit <name_str>
                set name <string>
        end
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set rtp-nat {disable | enable}
        config rtp-addr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny | ipsec | ssl-vpn}
        set send-deny-packet {disable | enable}
        set firewall-session-dirty {check-all | check-new}
        set status {enable | disable}
        set schedule <string>
        set schedule-timeout {enable | disable}
        config service
            edit <name_str>
                set name <string>
        end
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set dnsfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set voip-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set logtraffic {all | utm | disable}
        set logtraffic-start {enable | disable}
        set capture-packet {enable | disable}
        set auto-asic-offload {enable | disable}
        set wanopt {enable | disable}
        set wanopt-detection {active | passive | off}
        set wanopt-passive-opt {default | transparent | non-transparent}
        set wanopt-profile <string>
        set wanopt-peer <string>
        set webcache {enable | disable}
        set webcache-https {disable | ssl-server | any | enable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set nat {enable | disable}
        set permit-any-host {enable | disable}
        set permit-stun-host {enable | disable}
        set fixedport {enable | disable}
        set ippool {enable | disable}
        config poolname
            edit <name_str>
                set name <string>
        end
        set session-ttl <integer>
        set vlan-cos-fwd <integer>
        set vlan-cos-rev <integer>
        set inbound {enable | disable}
        set outbound {enable | disable}
        set natinbound {enable | disable}
        set natoutbound {enable | disable}
        set wccp {enable | disable}
        set ntlm {enable | disable}
        set ntlm-guest {enable | disable}
        config ntlm-enabled-browsers
            edit <name_str>
                set user-agent-string <string>
        end
        set fsso {enable | disable}
        set wsso {enable | disable}
        set rsso {enable | disable}
        set fsso-agent-for-ntlm <string>
        config groups
            edit <name_str>
                set name <string>
        end
        config users
            edit <name_str>
                set name <string>
        end
        config devices
            edit <name_str>
                set name <string>
        end
        set auth-path {enable | disable}
        set disclaimer {enable | disable}
        set vpntunnel <string>
        set natip <ipv4-classnet>
        set match-vip {enable | disable}
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        set label <string>
        set global-label <string>
        set auth-cert <string>
        set auth-redirect-addr <string>
        set redirect-url <string>
        set identity-based-route <string>
        set block-notification {enable | disable}
        config custom-log-fields
            edit <name_str>
                set field_id <string>
        end
        config tags
            edit <name_str>
                set name <string>
        end
        set replacemsg-override-group <string>
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set timeout-send-rst {enable | disable}
        set captive-portal-exempt {enable | disable}
        set ssl-mirror {enable | disable}
        config ssl-mirror-intf
            edit <name_str>
                set name <string>
        end
        set scan-botnet-connections {disable | block | monitor}
        set dsri {enable | disable}
end

Description

Configuration Description Default Value

policyid Policy ID. 0

name Policy name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

rtp-nat Enable/disable use of this policy for RTP NAT. disable

rtp-addr RTP NAT address name. (Empty)

action Policy action. deny

send-deny-packet Enable/disable return of deny-packet. disable

firewall-session-dirty Packet session management. check-all

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

schedule-timeout Enable/disable schedule timeout. disable

service Service name. (Empty)

utm-status Enable AV/web/IPS protection profile. disable

profile-type profile type single

profile-group profile group (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

dnsfilter-profile DNS filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

logtraffic Enable/disable policy log traffic. utm

logtraffic-start Enable/disable policy log traffic start. disable

capture-packet Enable/disable capture packets. disable

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

wanopt Enable/disable WAN optimization. disable

wanopt-detection WAN optimization auto-detection mode. active

wanopt-passive-opt WAN optimization passive mode options. This option decides what IP address will be used to connect server. default

wanopt-profile WAN optimization profile. (Empty)

wanopt-peer WAN optimization peer. (Empty)

webcache Enable/disable web cache. disable

webcache-https Enable/disable web cache for HTTPS. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Traffic shaper. (Empty)

per-ip-shaper Per-IP shaper. (Empty)

nat Enable/disable policy NAT. disable

permit-any-host Enable/disable permit any host in. disable

permit-stun-host Enable/disable permit stun host in. disable

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy IP pool. disable

poolname Policy IP pool names. (Empty)

session-ttl Session TTL. 0

vlan-cos-fwd VLAN forward direction user priority. 255

vlan-cos-rev VLAN reverse direction user priority. 255

inbound Enable/disable policy inbound. disable

outbound Enable/disable policy outbound. disable

natinbound Enable/disable policy NAT inbound. disable

natoutbound Enable/disable policy NAT outbound. disable

wccp Enable/disable Web Cache Coordination Protocol (WCCP). disable

ntlm Enable/disable NTLM authentication. disable

ntlm-guest Enable/disable guest user for NTLM authentication. disable

ntlm-enabled-browsers User agent strings for NTLM enabled browsers. (Empty)

fsso Enable/disable Fortinet Single Sign-On. disable

wsso Enable/disable WiFi Single Sign-On. enable

rsso Enable/disable RADIUS Single Sign-On. disable

fsso-agent-for-ntlm Specify FSSO agent for NTLM authentication. (Empty)

groups User authentication groups. (Empty)


users User name. (Empty)

devices Devices or device groups. (Empty)

auth-path Enable/disable authentication-based routing. disable

disclaimer Enable/disable user authentication disclaimer. disable

vpntunnel Policy VPN tunnel. (Empty)

natip NAT address. 0.0.0.0 0.0.0.0

match-vip Enable/disable match DNATed packet. disable

diffserv-forward Enable/disable forward (original) traffic DiffServ. disable

diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable

diffservcode-forward Forward (original) traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

auth-cert HTTPS server certificate for policy authentication. (Empty)

auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. (Empty)

redirect-url URL redirection after disclaimer/authentication. (Empty)

identity-based-route Name of identity-based routing rule. (Empty)

block-notification Enable/disable block notification. disable

custom-log-fields Log custom fields. (Empty)

tags Applied object tags. (Empty)


replacemsg-override-group Specify authentication replacement message override group. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable

captive-portal-exempt Enable/disable exemption of captive portal. disable

ssl-mirror Enable/disable SSL mirror. disable

ssl-mirror-intf Mirror interface name. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

dsri Enable/disable DSRI. disable


firewall/policy46

CLI Syntax

config firewall policy46
    edit <name_str>
        set permit-any-host {enable | disable}
        set policyid <integer>
        set uuid <uuid>
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
        end
        set logtraffic {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set fixedport {enable | disable}
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        config tags
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

permit-any-host Enable/disable permit any host in. disable

policyid Policy ID. 0

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

status Policy status. enable

schedule Schedule name. (Empty)

service Service name. (Empty)

logtraffic Enable/disable traffic log. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per IP traffic shaper. (Empty)

fixedport Enable/disable policy fixed port. disable

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

tags Applied object tags. (Empty)


firewall/policy6

CLI Syntax

config firewall policy6
    edit <name_str>
        set policyid <integer>
        set name <string>
        set uuid <uuid>
        config srcintf
            edit <name_str>
                set name <string>
        end
        config dstintf
            edit <name_str>
                set name <string>
        end
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny | ipsec | ssl-vpn}
        set firewall-session-dirty {check-all | check-new}
        set status {enable | disable}
        set vlan-cos-fwd <integer>
        set vlan-cos-rev <integer>
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
        end
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set voip-profile <string>
        set icap-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
        set logtraffic {all | utm | disable}
        set logtraffic-start {enable | disable}
        set auto-asic-offload {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set nat {enable | disable}
        set fixedport {enable | disable}
        set ippool {enable | disable}
        config poolname
            edit <name_str>
                set name <string>
        end
        set inbound {enable | disable}
        set outbound {enable | disable}
        set natinbound {enable | disable}
        set natoutbound {enable | disable}
        set send-deny-packet {enable | disable}
        set vpntunnel <string>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        set label <string>
        set global-label <string>
        set rsso {enable | disable}
        config tags
            edit <name_str>
                set name <string>
        end
        set replacemsg-override-group <string>
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        config groups
            edit <name_str>
                set name <string>
        end
        config users
            edit <name_str>
                set name <string>
        end
        config devices
            edit <name_str>
                set name <string>
        end
        set timeout-send-rst {enable | disable}
        set ssl-mirror {enable | disable}
        config ssl-mirror-intf
            edit <name_str>
                set name <string>
        end
        set dsri {enable | disable}
end

Description

Configuration Description Default Value

policyid Policy ID. 0

name Policy name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

firewall-session-dirty Packet session management. check-all

status Enable/disable policy status. enable

vlan-cos-fwd VLAN forward direction user priority. 255

vlan-cos-rev VLAN reverse direction user priority. 255

schedule Schedule name. (Empty)

service Service name. (Empty)

utm-status Enable AV/web/ips protection profile. disable

profile-type profile type single

profile-group profile group (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)


application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

logtraffic Enable/disable policy log traffic. utm

logtraffic-start Enable/disable policy log traffic start. disable

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Traffic shaper. (Empty)

per-ip-shaper Per-IP shaper. (Empty)

nat Enable/disable policy NAT. disable

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy IP pool. disable

poolname Policy IP pool names. (Empty)

inbound Enable/disable policy inbound. disable

outbound Enable/disable policy outbound. disable

natinbound Enable/disable policy NAT inbound. disable

natoutbound Enable/disable policy NAT outbound. disable

send-deny-packet Enable/disable return of deny-packet. disable

vpntunnel Policy VPN tunnel. (Empty)

diffserv-forward Enable/disable forward (original) traffic DiffServ. disable

diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable


diffservcode-forward Forward (original) Traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) Traffic DiffServ code point value. 000000

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

rsso Enable/disable RADIUS Single Sign-On. disable

tags Applied object tags. (Empty)

replacemsg-override-group Specify authentication replacement message override group. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

groups User authentication groups. (Empty)

users User name. (Empty)

devices Devices or device groups. (Empty)

timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable

ssl-mirror Enable/disable SSL mirror. disable

ssl-mirror-intf Mirror interface name. (Empty)

dsri Enable/disable DSRI. disable


firewall/policy64

CLI Syntax

config firewall policy64
    edit <name_str>
        set policyid <integer>
        set uuid <uuid>
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
        end
        set logtraffic {enable | disable}
        set permit-any-host {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set fixedport {enable | disable}
        set ippool {enable | disable}
        config poolname
            edit <name_str>
                set name <string>
        end
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        config tags
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

policyid Policy ID. 0

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

service Service name. (Empty)

logtraffic Enable/disable policy log traffic. disable

permit-any-host Enable/disable permit any host in. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per-IP traffic shaper. (Empty)

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy64 IP pool. disable

poolname Policy IP pool names. (Empty)

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

tags Applied object tags. (Empty)


firewall/profile-group

CLI Syntax

config firewall profile-group
    edit <name_str>
        set name <string>
        set av-profile <string>
        set webfilter-profile <string>
        set dnsfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>
        set casi-profile <string>
        set voip-profile <string>
        set icap-profile <string>
        set waf-profile <string>
        set profile-protocol-options <string>
        set ssl-ssh-profile <string>
end

Description

Configuration Description Default Value

name Profile group name. (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

dnsfilter-profile DNS filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)


firewall/profile-protocol-options

CLI Syntax

config firewall profile-protocol-options
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set oversize-log {disable | enable}
        set switching-protocols-log {disable | enable}
        config http
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
                set comfort-interval <integer>
                set comfort-amount <integer>
                set range-block {disable | enable}
                set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
                set fortinet-bar {enable | disable}
                set fortinet-bar-port <integer>
                set streaming-content-bypass {enable | disable}
                set switching-protocols {bypass | block}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
                set block-page-status-code <integer>
                set retry-count <integer>
        end
        config ftp
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
                set comfort-interval <integer>
                set comfort-amount <integer>
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config imap
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {fragmail | oversize | no-content-summary}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config mapi
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set options {fragmail | oversize | no-content-summary}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config pop3
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {fragmail | oversize | no-content-summary}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config smtp
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {fragmail | oversize | no-content-summary | splice}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
                set server-busy {enable | disable}
        end
        config nntp
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
                set inspect-all {enable | disable}
                set options {oversize | no-content-summary | splice}
                set oversize-limit <integer>
                set uncompressed-oversize-limit <integer>
                set uncompressed-nest-limit <integer>
                set scan-bzip2 {enable | disable}
        end
        config dns
            edit <name_str>
                set ports <integer>
                set status {enable | disable}
        end
        config mail-signature
            edit <name_str>
                set status {disable | enable}
                set signature <string>
        end
        set rpc-over-http {enable | disable}
end

Description

Configuration Description Default Value

name Name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

oversize-log Enable/disable log antivirus oversize file blocking. disable

switching-protocols-log Enable/disable log HTTP/HTTPS switching protocols. disable

http HTTP. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    inspect-all disable
    options (Empty)
    comfort-interval 10
    comfort-amount 1
    range-block disable
    post-lang (Empty)
    fortinet-bar disable
    fortinet-bar-port 8011
    streaming-content-bypass enable
    switching-protocols bypass
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable
    block-page-status-code 200
    retry-count 0

ftp FTP. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    inspect-all disable
    options (Empty)
    comfort-interval 10
    comfort-amount 1
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable

imap IMAP. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    inspect-all disable
    options (Empty)
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable

mapi MAPI. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    options (Empty)
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable

pop3 POP3. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    inspect-all disable
    options (Empty)
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable

smtp SMTP. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    inspect-all disable
    options (Empty)
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable
    server-busy disable

nntp NNTP. Details below

    Configuration Default Value
    ports (Empty)
    status enable
    inspect-all disable
    options (Empty)
    oversize-limit 10
    uncompressed-oversize-limit 10
    uncompressed-nest-limit 12
    scan-bzip2 enable

dns DNS. Details below

    Configuration Default Value
    ports (Empty)
    status enable

mail-signature Mail signature. Details below

    Configuration Default Value
    status disable
    signature (Empty)

rpc-over-http Enable/disable inspection of RPC over HTTP. enable


firewall/shaping-policy

CLI Syntax

config firewall shaping-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set ip-version {4 | 6}
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        config srcaddr6
            edit <name_str>
                set name <string>
        end
        config dstaddr6
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        config users
            edit <name_str>
                set name <string>
        end
        config groups
            edit <name_str>
                set name <string>
        end
        config application
            edit <name_str>
                set id <integer>
        end
        config app-category
            edit <name_str>
                set id <integer>
        end
        config url-category
            edit <name_str>
                set id <integer>
        end
        config dstintf
            edit <name_str>
                set name <string>
        end
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
end

Description

Configuration Description Default Value

id Shaping policy ID. 0

status Enable/disable traffic shaping policy. enable

ip-version IP version. 4

srcaddr Source address. (Empty)

dstaddr Destination address. (Empty)

srcaddr6 IPv6 source address. (Empty)

dstaddr6 IPv6 destination address. (Empty)

service Service name. (Empty)

users User name. (Empty)

groups User authentication groups. (Empty)

application Application ID list. (Empty)

app-category Application category ID list. (Empty)

url-category URL category ID list. (Empty)

dstintf Destination interface list. (Empty)

traffic-shaper Forward traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per IP shaper. (Empty)


firewall/sniffer

CLI Syntax

config firewall sniffer
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set ipv6 {enable | disable}
        set non-ip {enable | disable}
        set interface <string>
        set host <string>
        set port <string>
        set protocol <string>
        set vlan <string>
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set ips-dos-status {enable | disable}
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
        end
        set scan-botnet-connections {disable | block | monitor}
        set max-packet-count <integer>
end

Description

Configuration Description Default Value

id Sniffer ID. 0

status Enable/disable sniffer status. enable

logtraffic Enable/disable sniffer log traffic. utm

ipv6 Enable/disable sniffer for IPv6 packets. disable

non-ip Enable/disable sniffer for non-IP packets. disable

interface Interface name. (Empty)

host Host list (IP or IP/mask or IP range). (Empty)

port Port list. (Empty)

protocol IP protocol list. (Empty)

vlan VLAN list. (Empty)

application-list-status Enable/disable application control. disable

application-list Application list name. (Empty)

casi-profile-status Enable/disable CASI. disable

casi-profile CASI profile name. (Empty)

ips-sensor-status Enable/disable IPS sensor. disable

ips-sensor IPS sensor name. (Empty)

dsri Enable/disable DSRI. disable

av-profile-status Enable/disable antivirus. disable

av-profile Antivirus profile. (Empty)

webfilter-profile-status Enable/disable web filter. disable

webfilter-profile Web filter profile. (Empty)

spamfilter-profile-status Enable/disable spam filter. disable


spamfilter-profile Spam filter profile. (Empty)

dlp-sensor-status Enable/disable DLP sensor. disable

dlp-sensor DLP sensor. (Empty)

ips-dos-status Enable/disable IPS DoS anomaly detection. disable

anomaly Configure anomaly. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

max-packet-count Maximum packet count. 4000


firewall/ssl-server

CLI Syntax

config firewall ssl-server
    edit <name_str>
        set name <string>
        set ip <ipv4-address-any>
        set port <integer>
        set ssl-mode {half | full}
        set add-header-x-forwarded-proto {enable | disable}
        set mapped-port <integer>
        set ssl-cert <string>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-algorithm {high | medium | low}
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-send-empty-frags {enable | disable}
        set url-rewrite {enable | disable}
end

Description

Configuration Description Default Value

name Server name. (Empty)

ip Server IP address. 0.0.0.0

port Server service port. 0

ssl-mode SSL/TLS mode for encryption & decryption of traffic. full

add-header-x-forwarded-proto Enable/disable add X-Forwarded-Proto header to forwarded requests. enable

mapped-port Mapped server service port. 0

ssl-cert Name of certificate for SSL connections to this server. (Empty)

ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048

ssl-algorithm Relative strength of encryption algorithms accepted in negotiation. high

ssl-client-renegotiation Allow/block client renegotiation by server. allow

ssl-min-version Lowest SSL/TLS version to negotiate. ssl-3.0

ssl-max-version Highest SSL/TLS version to negotiate. tls-1.0

ssl-send-empty-frags Enable/disable send empty fragments to avoid attack on CBC IV. enable

url-rewrite Enable/disable rewrite URL. disable


firewall/ssl-ssh-profile

CLI Syntax

config firewall ssl-ssh-profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config ssl
            edit <name_str>
                set inspect-all {disable | certificate-inspection | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config https
            edit <name_str>
                set ports <integer>
                set status {disable | certificate-inspection | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config ftps
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config imaps
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config pop3s
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config smtps
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set client-cert-request {bypass | inspect | block}
                set unsupported-ssl {bypass | inspect | block}
                set allow-invalid-server-cert {enable | disable}
                set untrusted-cert {allow | block | ignore}
        end
        config ssh
            edit <name_str>
                set ports <integer>
                set status {disable | deep-inspection | enable}
                set inspect-all {disable | deep-inspection | enable}
                set block {x11-filter | ssh-shell | exec | port-forward}
                set log {x11-filter | ssh-shell | exec | port-forward}
        end
        set whitelist {enable | disable}
        config ssl-exempt
            edit <name_str>
                set id <integer>
                set type {fortiguard-category | address | address6}
                set fortiguard-category <integer>
                set address <string>
                set address6 <string>
        end
        set server-cert-mode {re-sign | replace}
        set use-ssl-server {disable | enable}
        set caname <string>
        set untrusted-caname <string>
        set certname <string>
        set server-cert <string>
        config ssl-server
            edit <name_str>
                set id <integer>
                set ip <ipv4-address-any>
                set https-client-cert-request {bypass | inspect | block}
                set smtps-client-cert-request {bypass | inspect | block}
                set pop3s-client-cert-request {bypass | inspect | block}
                set imaps-client-cert-request {bypass | inspect | block}
                set ftps-client-cert-request {bypass | inspect | block}
                set ssl-other-client-cert-request {bypass | inspect | block}
        end
        set ssl-invalid-server-cert-log {disable | enable}
        set rpc-over-https {enable | disable}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| comment | Comment. | (Empty) |
| ssl | ssl | Details below |
| https | https | Details below |
| ftps | ftps | Details below |
| imaps | imaps | Details below |
| pop3s | pop3s | Details below |
| smtps | smtps | Details below |
| ssh | ssh | Details below |
| whitelist | Enable/disable exempt servers by FortiGuard whitelist. | disable |
| ssl-exempt | Servers to exempt from SSL inspection. | (Empty) |
| server-cert-mode | Re-sign or replace the server's certificate. | re-sign |
| use-ssl-server | Enable/disable to use SSL server table for SSL offloading. | disable |
| caname | CA certificate used by SSL Inspection. | Fortinet_CA_SSL |
| untrusted-caname | Untrusted CA certificate used by SSL Inspection. | Fortinet_CA_Untrusted |
| certname | Certificate containing the key to use when re-signing server certificates for SSL inspection. | Fortinet_SSL |
| server-cert | Certificate used by SSL Inspection to replace server certificate. | Fortinet_SSL |
| ssl-server | SSL servers. | (Empty) |
| ssl-invalid-server-cert-log | Enable/disable SSL server certificate validation logging. | disable |
| rpc-over-https | Enable/disable inspection of RPC over HTTPS. | enable |

| Block | Configuration | Default Value |
| --- | --- | --- |
| ssl | inspect-all | disable |
| ssl | client-cert-request | bypass |
| ssl | unsupported-ssl | bypass |
| ssl | allow-invalid-server-cert | disable |
| ssl | untrusted-cert | allow |
| https | ports | (Empty) |
| https | status | deep-inspection |
| https | client-cert-request | bypass |
| https | unsupported-ssl | bypass |
| https | allow-invalid-server-cert | disable |
| https | untrusted-cert | allow |
| ftps | ports | (Empty) |
| ftps | status | deep-inspection |
| ftps | client-cert-request | bypass |
| ftps | unsupported-ssl | bypass |
| ftps | allow-invalid-server-cert | disable |
| ftps | untrusted-cert | allow |
| imaps | ports | (Empty) |
| imaps | status | deep-inspection |
| imaps | client-cert-request | inspect |
| imaps | unsupported-ssl | bypass |
| imaps | allow-invalid-server-cert | disable |
| imaps | untrusted-cert | allow |
| pop3s | ports | (Empty) |
| pop3s | status | deep-inspection |
| pop3s | client-cert-request | inspect |
| pop3s | unsupported-ssl | bypass |
| pop3s | allow-invalid-server-cert | disable |
| pop3s | untrusted-cert | allow |
| smtps | ports | (Empty) |
| smtps | status | deep-inspection |
| smtps | client-cert-request | inspect |
| smtps | unsupported-ssl | bypass |
| smtps | allow-invalid-server-cert | disable |
| smtps | untrusted-cert | allow |
| ssh | ports | (Empty) |
| ssh | status | deep-inspection |
| ssh | inspect-all | disable |
| ssh | block | (Empty) |
| ssh | log | (Empty) |


firewall/ttl-policy

CLI Syntax

config firewall ttl-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set action {accept | deny}
        set srcintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
        end
        config service
            edit <name_str>
                set name <string>
        end
        set schedule <string>
        set ttl <user>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | ID. | 0 |
| status | status | enable |
| action | Action. | deny |
| srcintf | Source interface name. | (Empty) |
| srcaddr | Source address name. | (Empty) |
| service | Service name. | (Empty) |
| schedule | Schedule name. | (Empty) |
| ttl | TTL range. | (Empty) |


firewall/vip

CLI Syntax

config firewall vip
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
        set dns-mapping-ttl <integer>
        set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        config mappedip
            edit <name_str>
                set range <string>
        end
        set mapped-addr <string>
        set extintf <string>
        set arp-reply {disable | enable}
        set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
        set persistence {none | http-cookie | ssl-session-id}
        set nat-source-vip {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp | sctp | icmp}
        set extport <user>
        set mappedport <user>
        set gratuitous-arp-interval <integer>
        config srcintf-filter
            edit <name_str>
                set interface-name <string>
        end
        set portmapping-type {1-to-1 | m-to-n}
        config realservers
            edit <name_str>
                set id <integer>
                set ip <ipv4-address-any>
                set port <integer>
                set status {active | standby | disable}
                set weight <integer>
                set holddown-interval <integer>
                set healthcheck {disable | enable | vip}
                set http-host <string>
                set max-connections <integer>
                set monitor <string>
                set client-ip <user>
        end
        set http-cookie-domain-from-host {disable | enable}
        set http-cookie-domain <string>
        set http-cookie-path <string>
        set http-cookie-generation <integer>
        set http-cookie-age <integer>
        set http-cookie-share {disable | same-ip}
        set https-cookie-secure {disable | enable}
        set http-multiplex {enable | disable}
        set http-ip-header {enable | disable}
        set http-ip-header-name <string>
        set outlook-web-access {disable | enable}
        set weblogic-server {disable | enable}
        set websphere-server {disable | enable}
        set ssl-mode {half | full}
        set ssl-certificate <string>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-algorithm {high | medium | low | custom}
        config ssl-cipher-suites
            edit <name_str>
                set priority <integer>
                set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 |
                    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-AES-128-CBC-SHA |
                    TLS-DHE-RSA-WITH-AES-256-CBC-SHA | TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 |
                    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 |
                    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-DHE-DSS-WITH-AES-128-CBC-SHA |
                    TLS-DHE-DSS-WITH-AES-256-CBC-SHA | TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 |
                    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 |
                    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA |
                    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 |
                    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 |
                    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA |
                    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 |
                    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 |
                    TLS-RSA-WITH-AES-128-CBC-SHA | TLS-RSA-WITH-AES-256-CBC-SHA |
                    TLS-RSA-WITH-AES-128-CBC-SHA256 | TLS-RSA-WITH-AES-128-GCM-SHA256 |
                    TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 |
                    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA |
                    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
                    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
                    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA |
                    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
                    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
                    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-SEED-CBC-SHA |
                    TLS-DHE-DSS-WITH-SEED-CBC-SHA | TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 |
                    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 |
                    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 | TLS-RSA-WITH-SEED-CBC-SHA |
                    TLS-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-RSA-WITH-ARIA-256-CBC-SHA384 |
                    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 |
                    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 |
                    TLS-ECDHE-RSA-WITH-RC4-128-SHA | TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA |
                    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA |
                    TLS-RSA-WITH-RC4-128-MD5 | TLS-RSA-WITH-RC4-128-SHA |
                    TLS-DHE-RSA-WITH-DES-CBC-SHA | TLS-DHE-DSS-WITH-DES-CBC-SHA |
                    TLS-RSA-WITH-DES-CBC-SHA}
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        end
        set ssl-pfs {require | deny | allow}
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-send-empty-frags {enable | disable}
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-client-session-state-type {disable | time | count | both}
        set ssl-client-session-state-timeout <integer>
        set ssl-client-session-state-max <integer>
        set ssl-server-session-state-type {disable | time | count | both}
        set ssl-server-session-state-timeout <integer>
        set ssl-server-session-state-max <integer>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set monitor <string>
        set max-embryonic-connections <integer>
        set color <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Virtual IP name. | (Empty) |
| id | Custom defined ID. | 0 |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| comment | Comment. | (Empty) |
| type | VIP type: static NAT, load balance, server load balance. | static-nat |
| dns-mapping-ttl | DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0). | 0 |
| ldb-method | Load balance method. | static |
| src-filter | Source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y). | (Empty) |
| extip | Start external IP - end external IP. | 0.0.0.0 |
| mappedip | Mapped IP (x.x.x.x/x x.x.x.x-y.y.y.y). | (Empty) |
| mapped-addr | Mapped address. | (Empty) |
| extintf | External interface. | (Empty) |
| arp-reply | Enable/disable ARP reply. | enable |
| server-type | Server type. | (Empty) |
| persistence | Persistence. | none |
| nat-source-vip | Enable/disable force NAT as VIP when server goes out. | disable |
| portforward | Enable/disable port forward. | disable |
| protocol | Mapped port protocol. | tcp |
| extport | External service port. | 0 |
| mappedport | Mapped service port. | 0 |
| gratuitous-arp-interval | Interval between sending gratuitous ARPs (seconds, 0 to disable). | 0 |
| srcintf-filter | Source interface filter. | (Empty) |
| portmapping-type | Port mapping type. | 1-to-1 |
| realservers | Real servers. | (Empty) |
| http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. | disable |
| http-cookie-domain | HTTP cookie domain. | (Empty) |
| http-cookie-path | HTTP cookie path. | (Empty) |
| http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | 0 |
| http-cookie-age | Number of minutes the web browser should keep cookie (0 = forever). | 60 |
| http-cookie-share | Share HTTP cookies across different virtual servers. | same-ip |
| https-cookie-secure | Enable/disable verification of cookie inserted into HTTPS is marked as secure. | disable |
| http-multiplex | Enable/disable multiplex HTTP requests/responses over a single TCP connection. | disable |
| http-ip-header | Add additional HTTP header containing client's original IP address. | disable |
| http-ip-header-name | Name of HTTP header containing client's IP address (X-Forwarded-For is used if empty). | (Empty) |
| outlook-web-access | Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server. | disable |
| weblogic-server | Enable/disable adding HTTP header indicating SSL offload for WebLogic server. | disable |
| websphere-server | Enable/disable adding HTTP header indicating SSL offload for WebSphere server. | disable |
| ssl-mode | SSL/TLS mode for encryption & decryption of traffic. | half |
| ssl-certificate | Name of Certificate to offer in every SSL connection. | (Empty) |
| ssl-dh-bits | Size of Diffie-Hellman prime used in DHE-RSA negotiation. | 2048 |
| ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation. | high |
| ssl-cipher-suites | SSL/TLS cipher suites ordered by priority. | (Empty) |
| ssl-pfs | SSL Perfect Forward Secrecy. | allow |
| ssl-min-version | Lowest SSL/TLS version to negotiate. | tls-1.0 |
| ssl-max-version | Highest SSL/TLS version to negotiate. | tls-1.2 |
| ssl-send-empty-frags | Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). | enable |
| ssl-client-renegotiation | Allow/block client renegotiation by server. | allow |
| ssl-client-session-state-type | Control Client to FortiGate SSL session state preservation. | both |
| ssl-client-session-state-timeout | Number of minutes to keep client to FortiGate SSL session state. | 30 |
| ssl-client-session-state-max | Maximum number of client to FortiGate SSL session states to keep. | 1000 |
| ssl-server-session-state-type | Control FortiGate to server SSL session state preservation. | both |
| ssl-server-session-state-timeout | Number of minutes to keep FortiGate to Server SSL session state. | 60 |
| ssl-server-session-state-max | Maximum number of FortiGate to Server SSL session states to keep. | 100 |
| ssl-http-location-conversion | Enable/disable location conversion on HTTP response header. | disable |
| ssl-http-match-host | Enable/disable HTTP host matching for location conversion. | disable |
| monitor | Health monitors. | (Empty) |
| max-embryonic-connections | Maximum number of incomplete connections. | 1000 |
| color | GUI icon color. | 0 |
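An added example, not part of the Fortinet reference: a Python audit that reads `config firewall ssl-server` and `config firewall vip` blocks and applies the defaults from the two description tables to any setting the configuration leaves out, so an ssl-server entry that never mentions ssl-min-version is still reported as negotiating ssl-3.0. The sample configuration, the weak-setting policy, and the assumptions that the text lists only explicitly set values and that only server-load-balance VIPs with a TLS server-type use the ssl-* settings are this example's own.

```python
import shlex

# Defaults copied from the firewall/ssl-server and firewall/vip description
# tables (FortiOS 5.4.0). Assumption: a setting missing from the config text
# was never changed and therefore takes these values.
DEFAULTS = {
    "firewall ssl-server": {
        "ssl-min-version": "ssl-3.0",
        "ssl-dh-bits": "2048",
        "ssl-algorithm": "high",
    },
    "firewall vip": {
        "ssl-min-version": "tls-1.0",
        "ssl-dh-bits": "2048",
        "ssl-algorithm": "high",
    },
}

# Assumed review policy for this example (not a Fortinet recommendation).
# "custom" for ssl-algorithm is not judged here: it needs the cipher list read.
WEAK = {
    "ssl-min-version": lambda v: v == "ssl-3.0",
    "ssl-dh-bits": lambda v: int(v) < 2048,
    "ssl-algorithm": lambda v: v in ("low", "medium"),
}

# Assumption: a VIP terminates TLS only as a server-load-balance virtual
# server with one of these server-type values.
TLS_SERVER_TYPES = {"https", "imaps", "pop3s", "smtps", "ssl"}

# Constructed sample configuration (documentation address ranges).
SAMPLE_CONFIG = '''
config firewall ssl-server
    edit "legacy-portal"
        set ip 192.0.2.10
        set port 443
        set ssl-cert "portal-cert"
    next
    edit "patched-portal"
        set ip 192.0.2.11
        set port 443
        set ssl-min-version tls-1.0
    next
end
config firewall vip
    edit "nat-only"
        set extip 198.51.100.5
        set extintf "wan1"
        set mappedip "10.0.0.5"
    next
    edit "shop-https"
        set type server-load-balance
        set server-type https
        set extip 198.51.100.6
        set extintf "wan1"
        set extport 443
        set ssl-certificate "shop-cert"
        set ssl-dh-bits 1024
        set ssl-algorithm medium
        config realservers
            edit 1
                set ip 10.0.0.6
                set port 80
            next
        end
    next
end
'''


def parse_tables(text):
    """Return {table: {entry: {setting: value}}} for top-level tables only."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)
        except ValueError:
            continue  # multi-line quoted values are skipped
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "end":
            if stack:
                stack.pop()
            if not stack:
                entry = None
        elif len(stack) == 1:  # ignore edit/set/next inside nested blocks
            if cmd == "edit" and args:
                entry = tables.setdefault(stack[0], {}).setdefault(args[0], {})
            elif cmd == "next":
                entry = None
            elif cmd == "set" and entry is not None and args:
                entry[args[0]] = " ".join(args[1:])
    return tables


def terminates_tls(table, cfg):
    if table != "firewall vip":
        return True
    return (cfg.get("type", "static-nat") == "server-load-balance"
            and cfg.get("server-type") in TLS_SERVER_TYPES)


def audit(text):
    """Return (table, entry, setting, effective value, origin) per finding."""
    findings = []
    for table, entries in parse_tables(text).items():
        for name, cfg in entries.items():
            if table not in DEFAULTS or not terminates_tls(table, cfg):
                continue
            for setting, default in DEFAULTS[table].items():
                value = cfg.get(setting, default)
                if WEAK[setting](value):
                    origin = "explicit" if setting in cfg else "default"
                    findings.append((table, name, setting, value, origin))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Findings marked "default" are the ones a plain text search of the configuration misses, because the weak value never appears in the file.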


firewall/vip46

CLI Syntax

config firewall vip46
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp}
        set extport <user>
        set mappedport <user>
        set color <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | VIP46 name. | (Empty) |
| id | Custom defined id. | 0 |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| comment | Comment. | (Empty) |
| src-filter | Source IP filter (x.x.x.x/x). | (Empty) |
| extip | Start-external-IP [-end-external-IP]. | 0.0.0.0 |
| mappedip | Start-mapped-IP [-end mapped-IP]. | :: |
| arp-reply | Enable ARP reply. | enable |
| portforward | Enable port forward. | disable |
| protocol | Mapped port protocol. | tcp |
| extport | External service port. | 0 |
| mappedport | Mapped service port. | 0 |
| color | GUI icon color. | 0 |


firewall/vip6

CLI Syntax

config firewall vip6
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        set type {static-nat}
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp | sctp}
        set extport <user>
        set mappedport <user>
        set color <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Virtual ip6 name. | (Empty) |
| id | Custom defined ID. | 0 |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| comment | Comment. | (Empty) |
| type | VIP type: static NAT. | static-nat |
| src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty) |
| extip | Start external IP - end external IP. | :: |
| mappedip | Start mapped IP - end mapped IP. | :: |
| arp-reply | Enable/disable ARP reply. | enable |
| portforward | Enable/disable port forward. | disable |
| protocol | Mapped port protocol. | tcp |
| extport | External service port. | 0 |
| mappedport | Mapped service port. | 0 |
| color | GUI icon color. | 0 |


firewall/vip64

CLI Syntax

config firewall vip64
    edit <name_str>
        set name <string>
        set id <integer>
        set uuid <uuid>
        set comment <var-string>
        config src-filter
            edit <name_str>
                set range <string>
        end
        set extip <user>
        set mappedip <user>
        set arp-reply {disable | enable}
        set portforward {disable | enable}
        set protocol {tcp | udp}
        set extport <user>
        set mappedport <user>
        set color <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | VIP64 name. | (Empty) |
| id | Custom defined id. | 0 |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| comment | Comment. | (Empty) |
| src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty) |
| extip | Start-external-IP [-End-external-IP]. | :: |
| mappedip | Start-mapped-IP [-End-mapped-IP]. | 0.0.0.0 |
| arp-reply | Enable ARP reply. | enable |
| portforward | Enable port forward. | disable |
| protocol | Mapped port protocol. | tcp |
| extport | External service port. | 0 |
| mappedport | Mapped service port. | 0 |
| color | GUI icon color. | 0 |


firewall/vipgrp

CLI Syntax

config firewall vipgrp
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set interface <string>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | VIP group name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| interface | interface | (Empty) |
| color | GUI icon color. | 0 |
| comments | Comment. | (Empty) |
| member | VIP group member. | (Empty) |


firewall/vipgrp46

CLI Syntax

config firewall vipgrp46
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | VIP46 group name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| color | GUI icon color. | 0 |
| comments | Comment. | (Empty) |
| member | VIP46 group member. | (Empty) |


firewall/vipgrp6

CLI Syntax

config firewall vipgrp6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | IPv6 VIP group name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| color | GUI icon color. | 0 |
| comments | Comment. | (Empty) |
| member | VIP group6 member. | (Empty) |


firewall/vipgrp64

CLI Syntax

config firewall vipgrp64
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set color <integer>
        set comments <var-string>
        config member
            edit <name_str>
                set name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | VIP64 group name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| color | GUI icon color. | 0 |
| comments | Comment. | (Empty) |
| member | VIP64 group member. | (Empty) |


ftp-proxy/explicit

CLI Syntax

config ftp-proxy explicit
    edit <name_str>
        set status {enable | disable}
        set incoming-port <integer>
        set incoming-ip <ipv4-address-any>
        set outgoing-ip <ipv4-address-any>
        set sec-default-action {accept | deny}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable explicit ftp proxy. | disable |
| incoming-port | Accept incoming FTP requests on ports other than port 21. | 21 |
| incoming-ip | accept incoming ftp requests from this ip. An interface must have this IP address. | 0.0.0.0 |
| outgoing-ip | outgoing FTP requests will leave this ip. An interface must have this IP address. | (Empty) |
| sec-default-action | Default action to allow or deny when no ftp-proxy firewall policy exists. | deny |


gui/console

CLI Syntax

config gui console
    edit <name_str>
        set preferences <user>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| preferences | Preferences. | "c2lkY2FyZQlGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTk5OTkJMAphZG1pbglGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTUwMAkwCg==" |


icap/profile

CLI Syntax

config icap profile
    edit <name_str>
        set replacemsg-group <string>
        set name <string>
        set request {disable | enable}
        set response {disable | enable}
        set streaming-content-bypass {disable | enable}
        set request-server <string>
        set response-server <string>
        set request-failure {error | bypass}
        set response-failure {error | bypass}
        set request-path <string>
        set response-path <string>
        set methods {delete | get | head | options | post | put | trace | other}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| replacemsg-group | Replacement message group. | (Empty) |
| name | ICAP profile name. | (Empty) |
| request | Enable/disable control of an HTTP request passing tolerance to ICAP server. | disable |
| response | Enable/disable control of an HTTP response passing to ICAP server. | disable |
| streaming-content-bypass | Enable/disable control over streaming content being sent to ICAP server or bypassed. | disable |
| request-server | ICAP server to use for an HTTP request. | (Empty) |
| response-server | ICAP server to use for an HTTP response. | (Empty) |
| request-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP request. | error |
| response-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP response. | error |
| request-path | Path component of the ICAP URI that identifies the HTTP request processing service. | (Empty) |
| response-path | Path component of the ICAP URI that identifies the HTTP response processing service. | (Empty) |
| methods | The allowed HTTP methods that will be sent to ICAP server for further processing. | delete get head options post put trace other |


icap/server

CLI Syntax

config icap server
    edit <name_str>
        set name <string>
        set ip-version {4 | 6}
        set ip-address <ipv4-address-any>
        set ip6-address <ipv6-address>
        set port <integer>
        set max-connections <integer>
end

Description

Configuration Description Default Value

name Server name. (Empty)

ip-version IP version. 4

ip-address IPv4 address of the ICAP server. 0.0.0.0

ip6-address IPv6 address of the ICAP server. ::

port ICAP server port. 1344

max-connections Maximum number of concurrent connections to ICAP server. 100

ips/custom

CLI Syntax

config ips custom
    edit <name_str>
        set tag <string>
        set signature <string>
        set sig-name <string>
        set rule-id <integer>
        set severity <user>
        set location <user>
        set os <user>
        set application <user>
        set protocol <user>
        set status {disable | enable}
        set log {disable | enable}
        set log-packet {disable | enable}
        set action {pass | block}
        set comment <string>
end

Description

Configuration Description Default Value

tag Signature tag. (Empty)

signature Signature text. (Empty)

sig-name Signature name. (Empty)

rule-id Signature ID. 0

severity Severity. (Empty)

location Vulnerable location. (Empty)

os Vulnerable operating systems. (Empty)

application Vulnerable applications. (Empty)

protocol Vulnerable service. (Empty)

status Enable/disable status. enable

log Enable/disable logging. enable

log-packet Enable/disable packet logging. disable

action Action. pass

comment Comment. (Empty)

ips/dbinfo

CLI Syntax

config ips dbinfo
    edit <name_str>
        set version <integer>
end

Description

Configuration Description Default Value

version Internal category version. 0

ips/decoder

CLI Syntax

config ips decoder
    edit <name_str>
        set name <string>
        config parameter
            edit <name_str>
                set name <string>
                set value <string>
        end
end

Description

Configuration Description Default Value

name Decoder name. (Empty)

parameter IPS group parameters. (Empty)

ips/global

CLI Syntax

config ips global
    edit <name_str>
        set fail-open {enable | disable}
        set database {regular | extended}
        set traffic-submit {enable | disable}
        set anomaly-mode {periodical | continuous}
        set session-limit-mode {accurate | heuristic}
        set intelligent-mode {enable | disable}
        set socket-size <integer>
        set engine-count <integer>
        set algorithm {engine-pick | low | high | super}
        set sync-session-ttl {enable | disable}
        set np-accel-mode {none | basic}
        set ips-reserve-cpu {disable | enable}
        set cp-accel-mode {none | basic | advanced}
        set skype-client-public-ipaddr <var-string>
        set default-app-cat-mask <user>
        set deep-app-insp-timeout <integer>
        set deep-app-insp-db-limit <integer>
        set exclude-signatures {none | industrial}
end

Description

Configuration Description Default Value

fail-open Enable/disable IPS fail open option. enable

database IPS database selection. extended

traffic-submit Enable/disable submit attack characteristics to FortiGuard Service. disable

anomaly-mode Blocking mode for rate-based anomaly. continuous

session-limit-mode Counter mode for session-limit anomaly. heuristic

intelligent-mode Enable/disable intelligent scan mode. enable

socket-size IPS socket buffer size. 128

engine-count Number of engines (0: use recommended setting). 0

algorithm Signature matching algorithm. engine-pick

sync-session-ttl Enable/disable use of kernel session TTL for IPS sessions. disable

np-accel-mode Network Processor acceleration mode. basic

ips-reserve-cpu Enable/disable IPS daemon's use of CPUs other than CPU 0. disable

cp-accel-mode Content Processor acceleration mode. advanced

skype-client-public-ipaddr Comma-separated client external IP address for decrypting Skype protocol. (Empty)

default-app-cat-mask Default enabled application category mask. 18446744073709551615

deep-app-insp-timeout Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). 0

deep-app-insp-db-limit Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting). 0

exclude-signatures Excluded signatures. industrial

ips/rule

CLI Syntax

config ips rule
    edit <name_str>
        set name <string>
        set status {disable | enable}
        set log {disable | enable}
        set log-packet {disable | enable}
        set action {pass | block}
        set group <string>
        set severity {}
        set location {}
        set os <user>
        set application <user>
        set service <user>
        set rule-id <integer>
        set rev <integer>
        set date <integer>
        config metadata
            edit <name_str>
                set id <integer>
                set metaid <integer>
                set valueid <integer>
        end
end

Description

Configuration Description Default Value

name Rule name. (Empty)

status Enable/disable status. enable

log Enable/disable logging. enable

log-packet Enable/disable packet logging. disable

action Action. pass

group Group. (Empty)

severity Severity. (Empty)

location Vulnerable location. (Empty)

os Vulnerable operating systems. (Empty)

application Vulnerable applications. (Empty)

service Vulnerable service. (Empty)

rule-id Rule ID. 0

rev Revision. 0

date Date. 0

metadata Meta data. (Empty)

ips/rule-settings

CLI Syntax

config ips rule-settings
    edit <name_str>
        set id <integer>
        config tags
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

id Rule ID. 0

tags Applied object tags. (Empty)

ips/sensor

CLI Syntax

config ips sensor
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set block-malicious-url {disable | enable}
        config entries
            edit <name_str>
                set id <integer>
                config rule
                    edit <name_str>
                        set id <integer>
                end
                set location <user>
                set severity <user>
                set protocol <user>
                set os <user>
                set application <user>
                config tags
                    edit <name_str>
                        set name <string>
                end
                set status {disable | enable | default}
                set log {disable | enable}
                set log-packet {disable | enable}
                set log-attack-context {disable | enable}
                set action {pass | block | reset | default}
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {periodical | continuous}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                config exempt-ip
                    edit <name_str>
                        set id <integer>
                        set src-ip <ipv4-classnet>
                        set dst-ip <ipv4-classnet>
                end
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
        end
        config filter
            edit <name_str>
                set name <string>
                set location <user>
                set severity <user>
                set protocol <user>
                set os <user>
                set application <user>
                set status {disable | enable | default}
                set log {disable | enable}
                set log-packet {disable | enable}
                set action {pass | block | reset | default}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <integer>
                set quarantine-log {disable | enable}
        end
        config override
            edit <name_str>
                set rule-id <integer>
                set status {disable | enable}
                set log {disable | enable}
                set log-packet {disable | enable}
                set action {pass | block | reset}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <integer>
                set quarantine-log {disable | enable}
                config exempt-ip
                    edit <name_str>
                        set id <integer>
                        set src-ip <ipv4-classnet>
                        set dst-ip <ipv4-classnet>
                end
        end
end

Description

Configuration Description Default Value

name Sensor name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

block-malicious-url Enable/disable malicious URL blocking. disable

entries IPS sensor filter. (Empty)

filter IPS sensor filter. (Empty)

override IPS override rule. (Empty)

ips/settings

CLI Syntax

config ips settings
    edit <name_str>
        set packet-log-history <integer>
        set packet-log-post-attack <integer>
        set packet-log-memory <integer>
        set ips-packet-quota <integer>
end

Description

Configuration Description Default Value

packet-log-history Number of packets to be recorded before alert (1 - 255). 1

packet-log-post-attack Number of packets to be recorded after attack (0 - 255). 0

packet-log-memory Maximum memory that can be used by packet log (64 - 8192 kB). 256

ips-packet-quota IPS packet quota. 0

log.disk/filter

CLI Syntax

config log.disk filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set event {enable | disable}
        set system {enable | disable}
        set radius {enable | disable}
        set ipsec {enable | disable}
        set dhcp {enable | disable}
        set ppp {enable | disable}
        set admin {enable | disable}
        set ha {enable | disable}
        set auth {enable | disable}
        set pattern {enable | disable}
        set sslvpn-log-auth {enable | disable}
        set sslvpn-log-adm {enable | disable}
        set sslvpn-log-session {enable | disable}
        set vip-ssl {enable | disable}
        set ldb-monitor {enable | disable}
        set wan-opt {enable | disable}
        set wireless-activity {enable | disable}
        set cpu-memory-usage {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
end

Description

Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

dlp-archive Enable/disable log DLP archive. enable

gtp Enable/disable log GTP messages. enable

event Enable/disable log event messages. enable

system Enable/disable log system activity messages. enable

radius Enable/disable log RADIUS messages. enable

ipsec Enable/disable log IPsec negotiation messages. enable

dhcp Enable/disable log DHCP service messages. enable

ppp Enable/disable log L2TP/PPTP/PPPoE messages. enable

admin Enable/disable log admin login/logout messages. enable

ha Enable/disable log HA activity messages. enable

auth Enable/disable log firewall authentication messages. enable

pattern Enable/disable log pattern update messages. enable

sslvpn-log-auth Enable/disable log SSL user authentication. enable

sslvpn-log-adm Enable/disable log SSL administration. enable

sslvpn-log-session Enable/disable log SSL session. enable

vip-ssl Enable/disable log VIP SSL messages. enable

ldb-monitor Enable/disable log VIP real server health monitoring messages. enable

wan-opt Enable/disable log WAN optimization messages. enable

wireless-activity Enable/disable log wireless activity. enable

cpu-memory-usage Enable/disable log CPU & memory usage every 5 minutes. disable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.disk/setting

CLI Syntax

config log.disk setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set max-log-file-size <integer>
        set max-policy-packet-capture-size <integer>
        set roll-schedule {daily | weekly}
        set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set roll-time <user>
        set diskfull {overwrite | nolog}
        set log-quota <integer>
        set dlp-archive-quota <integer>
        set report-quota <integer>
        set maximum-log-age <integer>
        set upload {enable | disable}
        set upload-destination {ftp-server}
        set uploadip <ipv4-address>
        set uploadport <integer>
        set source-ip <ipv4-address>
        set uploaduser <string>
        set uploadpass <password>
        set uploaddir <string>
        set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
        set uploadzip {disable | enable}
        set uploadsched {disable | enable}
        set uploadtime <integer>
        set upload-delete-files {enable | disable}
        set upload-ssl-conn {default | high | low | disable}
        set full-first-warning-threshold <integer>
        set full-second-warning-threshold <integer>
        set full-final-warning-threshold <integer>
end

Description

Configuration Description Default Value

status Enable/disable local disk log. disable

ips-archive Enable/disable IPS packet archive. enable

max-log-file-size Maximum log file size in MB before rolling. 20

max-policy-packet-capture-size Maximum size of policy sniffer in MB (0 = unlimited). 10

roll-schedule Frequency to check log file for rolling. daily

roll-day Days of week to roll logs. sunday

roll-time Time to roll logs (hh:mm). 00:00

diskfull Policy to apply when disk is full. overwrite

log-quota Disk log quota (MB). 0

dlp-archive-quota DLP archive quota (MB). 0

report-quota Report quota (MB). 0

maximum-log-age Delete log files older than (days). 7

upload Enable/disable upload of log files upon rolling. disable

upload-destination Server type. ftp-server

uploadip IP address of log uploading server. 0.0.0.0

uploadport Port of the log uploading server. 21

source-ip Source IP address of the disk log uploading. 0.0.0.0

uploaduser User account in the uploading server. (Empty)

uploadpass Password of the user account in the uploading server. (Empty)

uploaddir Log file uploading remote directory. (Empty)

uploadtype Types of log files that need to be uploaded. traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp

uploadzip Enable/disable compression of uploaded logs. disable

uploadsched Scheduled upload (disable = upload when rolling). disable

uploadtime Time of scheduled upload. 0

upload-delete-files Delete log files after uploading (default=enable). enable

upload-ssl-conn Enable/disable SSL communication when uploading. default

full-first-warning-threshold Log full first warning threshold (1 - 98, default = 75). 75

full-second-warning-threshold Log full second warning threshold (2 - 99, default = 90). 90

full-final-warning-threshold Log full final warning threshold (3 - 100, default = 95). 95

log.fortianalyzer/filter

CLI Syntax

config log.fortianalyzer filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
end

Description

Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

dlp-archive Enable/disable log DLP archive. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer/override-filter

CLI Syntax

config log.fortianalyzer override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
end

Description

Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

dlp-archive Enable/disable log DLP archive. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer/override-setting

CLI Syntax

config log.fortianalyzer override-setting
    edit <name_str>
        set override {enable | disable}
        set use-management-vdom {enable | disable}
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
end

Description

Configuration Description Default Value

override Enable/disable override FortiAnalyzer settings or use the global settings. disable

use-management-vdom Enable/disable use of management VDOM IP address as source IP for logs sent to FortiAnalyzer. disable

status Enable/disable FortiAnalyzer. disable

ips-archive Enable/disable IPS packet archive. enable

server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)

hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256

enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high

conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10

monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5

monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5

mgmt-name Hidden management name of FortiAnalyzer. (Empty)

faz-type Hidden setting index of FortiAnalyzer. 4

source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)

__change_ip Hidden attribute. 0

upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime

upload-interval Frequency to check log file for upload. daily

upload-day Days of week (month) to upload logs. (Empty)

upload-time Time to upload logs (hh:mm). 00:59

reliable Enable/disable reliable logging to FortiAnalyzer. disable

log.fortianalyzer/setting

CLI Syntax

config log.fortianalyzer setting
    edit <name_str>
        set status {enable | disable}
        set ips-archive {enable | disable}
        set server <string>
        set hmac-algorithm {sha256 | sha1}
        set enc-algorithm {default | high | low | disable}
        set conn-timeout <integer>
        set monitor-keepalive-period <integer>
        set monitor-failure-retry-period <integer>
        set mgmt-name <string>
        set faz-type <integer>
        set source-ip <string>
        set __change_ip <integer>
        set upload-option {store-and-upload | realtime}
        set upload-interval {daily | weekly | monthly}
        set upload-day <user>
        set upload-time <user>
        set reliable {enable | disable}
end

Description

Configuration Description Default Value

status Enable/disable FortiAnalyzer. disable

ips-archive Enable/disable IPS packet archive. enable

server IPv4 or IPv6 address of the remote FortiAnalyzer. (Empty)

hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. sha256

enc-algorithm Enable/disable sending of FortiAnalyzer log data with SSL encryption. high

conn-timeout FortiAnalyzer connection time-out in seconds (for status and log buffer). 10

monitor-keepalive-period Time between OFTP keepalives in seconds (for status and log buffer). 5

monitor-failure-retry-period Time between FortiAnalyzer connection retries in seconds (for status and log buffer). 5

mgmt-name Hidden management name of FortiAnalyzer. FGh_Log1

faz-type Hidden setting index of FortiAnalyzer. 1

source-ip Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. (Empty)

__change_ip Hidden attribute. 0

upload-option Enable/disable logging to hard disk and then upload to FortiAnalyzer. realtime

upload-interval Frequency to check log file for upload. daily

upload-day Days of week (month) to upload logs. (Empty)

upload-time Time to upload logs (hh:mm). 00:59

reliable Enable/disable reliable logging to FortiAnalyzer. disable
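
Added example (not part of the Fortinet reference): a small auditor for the ips/global, icap/profile, log.disk/setting and log.fortianalyzer/setting options listed above, which evaluates options missing from the config at the defaults given in these tables. The sample config, the function names and the choice of which values to flag are assumptions of this example.

```python
# Defaults copied from the "Default Value" columns of this reference. FortiOS "show"
# output normally omits options left at their default, so a missing option is
# evaluated at the default listed here.
DEFAULTS = {
    "ips global": {"fail-open": "enable"},
    "icap profile": {"request": "disable", "response": "disable",
                     "request-failure": "error", "response-failure": "error"},
    "log.disk setting": {"upload": "disable", "upload-ssl-conn": "default"},
    "log.fortianalyzer setting": {"status": "disable", "enc-algorithm": "high",
                                  "hmac-algorithm": "sha256"},
}
# Sections that apply even when the config text never mentions them.
SINGLETONS = ("ips global", "log.disk setting", "log.fortianalyzer setting")

# (section, precondition, option, flagged values, reason). Which values are flagged
# is this example's own policy (an assumption), not a Fortinet recommendation.
RULES = [
    ("ips global", None, "fail-open", {"enable"},
     "IPS fails open: traffic it cannot inspect is still forwarded"),
    ("icap profile", ("request", "enable"), "request-failure", {"bypass"},
     "HTTP requests skip ICAP processing when the server is unreachable"),
    ("icap profile", ("response", "enable"), "response-failure", {"bypass"},
     "HTTP responses skip ICAP processing when the server is unreachable"),
    ("log.disk setting", ("upload", "enable"), "upload-ssl-conn", {"disable", "low"},
     "rolled logs are uploaded to the FTP server without strong SSL"),
    ("log.fortianalyzer setting", ("status", "enable"), "enc-algorithm",
     {"disable", "low"}, "log data is sent to FortiAnalyzer without strong SSL"),
    ("log.fortianalyzer setting", ("status", "enable"), "hmac-algorithm", {"sha1"},
     "HMAC lowered from the sha256 default to sha1"),
]

# Constructed sample input (not taken from a real device).
SAMPLE_CONFIG = """\
config log.fortianalyzer setting
    set status enable
    set enc-algorithm disable
    set hmac-algorithm sha1
end
config log.disk setting
    set upload enable
    set upload-ssl-conn disable
end
config icap profile
    edit "web-scan"
        set request enable
        set request-failure bypass
    next
    edit "strict"
        set response enable
    next
end
"""


def parse_config(text):
    """Return {path_tuple: {option: value}} for config/edit/set/next/end text."""
    sections, stack = {}, []  # stack entries: ("config" | "edit", name)
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        if word == "config":
            stack.append(("config", rest))
        elif word == "edit":
            stack.append(("edit", rest.strip('"')))
        elif word == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif word == "end":
            # Close an edit left open (this reference omits "next"), then its config.
            while stack and stack.pop()[0] != "config":
                pass
        elif word == "set" and stack:
            option, _, value = rest.partition(" ")
            path = tuple(name for _, name in stack)
            sections.setdefault(path, {})[option] = value.strip().strip('"')
    return sections


def audit(text):
    """Return sorted (path, option, effective value, origin, reason) findings."""
    sections = parse_config(text)
    for name in SINGLETONS:
        if not any(path[0] == name for path in sections):
            sections[(name,)] = {}  # absent section: every option is at its default
    findings = []
    for path, options in sections.items():
        if len(path) > 2 or path[0] not in DEFAULTS:
            continue  # nested sub-tables and sections without rules
        effective = {**DEFAULTS[path[0]], **options}
        for section, precondition, option, flagged, reason in RULES:
            if section != path[0]:
                continue
            if precondition and effective.get(precondition[0]) != precondition[1]:
                continue  # feature is off, so the option has no effect
            if effective[option] in flagged:
                origin = "configured" if option in options else "default"
                findings.append(("/".join(path), option, effective[option], origin, reason))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) returns five findings, one of which is the ips global fail-open default that the sample never sets explicitly.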

log.fortianalyzer2/filter

CLI Syntax

config log.fortianalyzer2 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {enable | disable}
        set netscan-vulnerability {enable | disable}
        set voip {enable | disable}
        set dlp-archive {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
end

Description

Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

dlp-archive Enable/disable log DLP archive. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.fortianalyzer2/setting

CLI Syntax

    config log.fortianalyzer2 setting
        edit <name_str>
            set status {enable | disable}
            set ips-archive {enable | disable}
            set server <string>
            set hmac-algorithm {sha256 | sha1}
            set enc-algorithm {default | high | low | disable}
            set conn-timeout <integer>
            set monitor-keepalive-period <integer>
            set monitor-failure-retry-period <integer>
            set mgmt-name <string>
            set faz-type <integer>
            set source-ip <string>
            set __change_ip <integer>
            set upload-option {store-and-upload | realtime}
            set upload-interval {daily | weekly | monthly}
            set upload-day <user>
            set upload-time <user>
            set reliable {enable | disable}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable FortiAnalyzer. | disable |
| ips-archive | Enable/disable IPS packet archive. | enable |
| server | IPv4 or IPv6 address of the remote FortiAnalyzer. | (Empty) |
| hmac-algorithm | FortiAnalyzer IPsec tunnel HMAC algorithm. | sha256 |
| enc-algorithm | Enable/disable sending of FortiAnalyzer log data with SSL encryption. | high |
| conn-timeout | FortiAnalyzer connection time-out in seconds (for status and log buffer). | 10 |
| monitor-keepalive-period | Time between OFTP keepalives in seconds (for status and log buffer). | 5 |
| monitor-failure-retry-period | Time between FortiAnalyzer connection retries in seconds (for status and log buffer). | 5 |
| mgmt-name | Hidden management name of FortiAnalyzer. | FGh_Log2 |
| faz-type | Hidden setting index of FortiAnalyzer. | 2 |
| source-ip | Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. | (Empty) |
| __change_ip | Hidden attribute. | 0 |
| upload-option | Enable/disable logging to hard disk and then upload to FortiAnalyzer. | realtime |
| upload-interval | Frequency to check log file for upload. | daily |
| upload-day | Days of week (month) to upload logs. | (Empty) |
| upload-time | Time to upload logs (hh:mm). | 00:59 |
| reliable | Enable/disable reliable logging to FortiAnalyzer. | disable |


log.fortianalyzer3/filter

CLI Syntax

    config log.fortianalyzer3 filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.fortianalyzer3/setting

CLI Syntax

    config log.fortianalyzer3 setting
        edit <name_str>
            set status {enable | disable}
            set ips-archive {enable | disable}
            set server <string>
            set hmac-algorithm {sha256 | sha1}
            set enc-algorithm {default | high | low | disable}
            set conn-timeout <integer>
            set monitor-keepalive-period <integer>
            set monitor-failure-retry-period <integer>
            set mgmt-name <string>
            set faz-type <integer>
            set source-ip <string>
            set __change_ip <integer>
            set upload-option {store-and-upload | realtime}
            set upload-interval {daily | weekly | monthly}
            set upload-day <user>
            set upload-time <user>
            set reliable {enable | disable}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable FortiAnalyzer. | disable |
| ips-archive | Enable/disable IPS packet archive. | enable |
| server | IPv4 or IPv6 address of the remote FortiAnalyzer. | (Empty) |
| hmac-algorithm | FortiAnalyzer IPsec tunnel HMAC algorithm. | sha256 |
| enc-algorithm | Enable/disable sending of FortiAnalyzer log data with SSL encryption. | high |
| conn-timeout | FortiAnalyzer connection time-out in seconds (for status and log buffer). | 10 |
| monitor-keepalive-period | Time between OFTP keepalives in seconds (for status and log buffer). | 5 |
| monitor-failure-retry-period | Time between FortiAnalyzer connection retries in seconds (for status and log buffer). | 5 |
| mgmt-name | Hidden management name of FortiAnalyzer. | FGh_Log3 |
| faz-type | Hidden setting index of FortiAnalyzer. | 3 |
| source-ip | Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. | (Empty) |
| __change_ip | Hidden attribute. | 0 |
| upload-option | Enable/disable logging to hard disk and then upload to FortiAnalyzer. | realtime |
| upload-interval | Frequency to check log file for upload. | daily |
| upload-day | Days of week (month) to upload logs. | (Empty) |
| upload-time | Time to upload logs (hh:mm). | 00:59 |
| reliable | Enable/disable reliable logging to FortiAnalyzer. | disable |


log.fortiguard/filter

CLI Syntax

    config log.fortiguard filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set dlp-archive {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| dlp-archive | Enable/disable log DLP archive. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.fortiguard/override-filter

CLI Syntax

    config log.fortiguard override-filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set dlp-archive {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| dlp-archive | Enable/disable log DLP archive. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.fortiguard/override-setting

CLI Syntax

    config log.fortiguard override-setting
        edit <name_str>
            set override {enable | disable}
            set status {enable | disable}
            set upload-option {store-and-upload | realtime}
            set upload-interval {daily | weekly | monthly}
            set upload-day <user>
            set upload-time <user>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| override | Enable/disable override FortiGuard settings or use the global settings. | disable |
| status | Enable FortiCloud. | disable |
| upload-option | Enable/disable logging to hard disk and then upload to FortiCloud. | realtime |
| upload-interval | Frequency to check log file for upload. | daily |
| upload-day | Days of week to roll logs. | (Empty) |
| upload-time | Time to roll logs (hh:mm). | 00:00 |


log.fortiguard/setting

CLI Syntax

    config log.fortiguard setting
        edit <name_str>
            set status {enable | disable}
            set upload-option {store-and-upload | realtime}
            set upload-interval {daily | weekly | monthly}
            set upload-day <user>
            set upload-time <user>
            set enc-algorithm {default | high | low | disable}
            set source-ip <ipv4-address>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable FortiCloud. | disable |
| upload-option | Enable/disable logging to hard disk and then upload to FortiCloud. | realtime |
| upload-interval | Frequency to check log file for upload. | daily |
| upload-day | Days of week to roll logs. | (Empty) |
| upload-time | Time to roll logs (hh:mm). | 00:00 |
| enc-algorithm | Enable/disable sending of FortiCloud log data with SSL encryption. | high |
| source-ip | Source IP address used to connect FortiCloud. | 0.0.0.0 |


log.memory/filter

CLI Syntax

    config log.memory filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set gtp {enable | disable}
            set event {enable | disable}
            set system {enable | disable}
            set radius {enable | disable}
            set ipsec {enable | disable}
            set dhcp {enable | disable}
            set ppp {enable | disable}
            set admin {enable | disable}
            set ha {enable | disable}
            set auth {enable | disable}
            set pattern {enable | disable}
            set sslvpn-log-auth {enable | disable}
            set sslvpn-log-adm {enable | disable}
            set sslvpn-log-session {enable | disable}
            set vip-ssl {enable | disable}
            set ldb-monitor {enable | disable}
            set wan-opt {enable | disable}
            set wireless-activity {enable | disable}
            set cpu-memory-usage {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| event | Enable/disable log event messages. | enable |
| system | Enable/disable log system activity messages. | enable |
| radius | Enable/disable log RADIUS messages. | enable |
| ipsec | Enable/disable log IPsec negotiation messages. | enable |
| dhcp | Enable/disable log DHCP service messages. | enable |
| ppp | Enable/disable log L2TP/PPTP/PPPoE messages. | enable |
| admin | Enable/disable log admin login/logout messages. | enable |
| ha | Enable/disable log HA activity messages. | enable |
| auth | Enable/disable log firewall authentication messages. | enable |
| pattern | Enable/disable log pattern update messages. | enable |
| sslvpn-log-auth | Enable/disable log SSL user authentication. | enable |
| sslvpn-log-adm | Enable/disable log SSL administration. | enable |
| sslvpn-log-session | Enable/disable log SSL session. | enable |
| vip-ssl | Enable/disable log VIP SSL messages. | enable |
| ldb-monitor | Enable/disable log VIP real server health monitoring messages. | enable |
| wan-opt | Enable/disable log WAN optimization messages. | enable |
| wireless-activity | Enable/disable log wireless activity. | enable |
| cpu-memory-usage | Enable/disable log CPU & memory usage every 5 minutes. | disable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.memory/global-setting

CLI Syntax

    config log.memory global-setting
        edit <name_str>
            set max-size <integer>
            set full-first-warning-threshold <integer>
            set full-second-warning-threshold <integer>
            set full-final-warning-threshold <integer>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| max-size | Maximum memory buffer size for log (byte). | 163840 |
| full-first-warning-threshold | Log full first warning threshold (1 - 98, default = 75). | 75 |
| full-second-warning-threshold | Log full second warning threshold (2 - 99, default = 90). | 90 |
| full-final-warning-threshold | Log full final warning threshold (3 - 100, default = 95). | 95 |


log.memory/setting

CLI Syntax

    config log.memory setting
        edit <name_str>
            set status {enable | disable}
            set diskfull {overwrite}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable memory buffer log. | enable |
| diskfull | Action when memory is full. | overwrite |


log.syslogd/filter

CLI Syntax

    config log.syslogd filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.syslogd/override-filter

CLI Syntax

    config log.syslogd override-filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.syslogd/override-setting

CLI Syntax

    config log.syslogd override-setting
        edit <name_str>
            set override {enable | disable}
            set status {enable | disable}
            set server <string>
            set reliable {enable | disable}
            set port <integer>
            set csv {enable | disable}
            set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
            set source-ip <string>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| override | Enable/disable override syslog settings. | disable |
| status | Enable/disable remote syslog logging. | disable |
| server | Address of remote syslog server. | (Empty) |
| reliable | Enable/disable reliable logging (RFC3195). | disable |
| port | Server listen port. | 514 |
| csv | Enable/disable CSV formatting of logs. | disable |
| facility | Remote syslog facility. | local7 |
| source-ip | Source IP address of syslog. | (Empty) |


log.syslogd/setting

CLI Syntax

    config log.syslogd setting
        edit <name_str>
            set status {enable | disable}
            set server <string>
            set reliable {enable | disable}
            set port <integer>
            set csv {enable | disable}
            set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
            set source-ip <string>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable remote syslog logging. | disable |
| server | Address of remote syslog server. | (Empty) |
| reliable | Enable/disable reliable logging (RFC3195). | disable |
| port | Server listen port. | 514 |
| csv | Enable/disable CSV formatting of logs. | disable |
| facility | Remote syslog facility. | local7 |
| source-ip | Source IP address of syslog. | (Empty) |


log.syslogd2/filter

CLI Syntax

    config log.syslogd2 filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.syslogd2/setting

CLI Syntax

    config log.syslogd2 setting
        edit <name_str>
            set status {enable | disable}
            set server <string>
            set reliable {enable | disable}
            set port <integer>
            set csv {enable | disable}
            set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
            set source-ip <string>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable remote syslog logging. | disable |
| server | Address of remote syslog server. | (Empty) |
| reliable | Enable/disable reliable logging (RFC3195). | disable |
| port | Server listen port. | 514 |
| csv | Enable/disable CSV formatting of logs. | disable |
| facility | Remote syslog facility. | local7 |
| source-ip | Source IP address of syslog. | (Empty) |


log.syslogd3/filter

CLI Syntax

    config log.syslogd3 filter
        edit <name_str>
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
            set forward-traffic {enable | disable}
            set local-traffic {enable | disable}
            set multicast-traffic {enable | disable}
            set sniffer-traffic {enable | disable}
            set anomaly {enable | disable}
            set netscan-discovery {enable | disable}
            set netscan-vulnerability {enable | disable}
            set voip {enable | disable}
            set gtp {enable | disable}
            set filter <string>
            set filter-type {include | exclude}
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| severity | Lowest severity level to log. | information |
| forward-traffic | Enable/disable log through traffic messages. | enable |
| local-traffic | Enable/disable log local in or out traffic messages. | enable |
| multicast-traffic | Enable/disable log multicast traffic messages. | enable |
| sniffer-traffic | Enable/disable log sniffer traffic messages. | enable |
| anomaly | Enable/disable log anomaly messages. | enable |
| netscan-discovery | Enable/disable log netscan discovery events. | enable |
| netscan-vulnerability | Enable/disable log netscan vulnerability events. | enable |
| voip | Enable/disable log VoIP messages. | enable |
| gtp | Enable/disable log GTP messages. | enable |
| filter | Log filter for the log device. | (Empty) |
| filter-type | Include/exclude logs that match the filter setting. | include |


log.syslogd3/setting

CLI Syntax

    config log.syslogd3 setting
        edit <name_str>
            set status {enable | disable}
            set server <string>
            set reliable {enable | disable}
            set port <integer>
            set csv {enable | disable}
            set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
            set source-ip <string>
    end


Description

| Configuration | Description | Default Value |
|---|---|---|
| status | Enable/disable remote syslog logging. | disable |
| server | Address of remote syslog server. | (Empty) |
| reliable | Enable/disable reliable logging (RFC3195). | disable |
| port | Server listen port. | 514 |
| csv | Enable/disable CSV formatting of logs. | disable |
| facility | Remote syslog facility. | local7 |
| source-ip | Source IP address of syslog. | (Empty) |


log.syslogd4/filter

CLI Syntax

config log.syslogd4 filter
    edit <name_str>
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description

Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.syslogd4/setting

CLI Syntax

config log.syslogd4 setting
    edit <name_str>
    set status {enable | disable}
    set server <string>
    set reliable {enable | disable}
    set port <integer>
    set csv {enable | disable}
    set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
    set source-ip <string>
end

Description

Configuration Description Default Value

status Enable/disable remote syslog logging. disable

server Address of remote syslog server. (Empty)

reliable Enable/disable reliable logging (RFC3195). disable

port Server listen port. 514

csv Enable/disable CSV formatting of logs. disable

facility Remote syslog facility. local7

source-ip Source IP address of syslog. (Empty)

log.webtrends/filter

CLI Syntax

config log.webtrends filter
    edit <name_str>
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description

Configuration Description Default Value

severity Lowest severity level to log. information

forward-traffic Enable/disable log through traffic messages. enable

local-traffic Enable/disable log local in or out traffic messages. enable

multicast-traffic Enable/disable log multicast traffic messages. enable

sniffer-traffic Enable/disable log sniffer traffic messages. enable

anomaly Enable/disable log anomaly messages. enable

netscan-discovery Enable/disable log netscan discovery events. enable

netscan-vulnerability Enable/disable log netscan vulnerability events. enable

voip Enable/disable log VoIP messages. enable

gtp Enable/disable log GTP messages. enable

filter Log filter for the log device. (Empty)

filter-type Include/exclude logs that match the filter setting. include

log.webtrends/setting

CLI Syntax

config log.webtrends setting
    edit <name_str>
    set status {enable | disable}
    set server <string>
end

Description

Configuration Description Default Value

status Enable/disable WebTrends logging. disable

server Address of the remote WebTrends. (Empty)

log/custom-field

CLI Syntax

config log custom-field
    edit <name_str>
    set id <string>
    set name <string>
    set value <string>
end

Description

Configuration Description Default Value

id ID. (Empty)

name Field name. (Empty)

value Field value. (Empty)

log/eventfilter

CLI Syntax

config log eventfilter
    edit <name_str>
    set event {enable | disable}
    set system {enable | disable}
    set vpn {enable | disable}
    set user {enable | disable}
    set router {enable | disable}
    set wireless-activity {enable | disable}
    set wan-opt {enable | disable}
    set endpoint {enable | disable}
    set ha {enable | disable}
    set compliance-check {enable | disable}
end

Description

Configuration Description Default Value

event Enable/disable log event messages. enable

system Enable/disable log system activity messages. enable

vpn Enable/disable log VPN messages. enable

user Enable/disable log user activity messages. enable

router Enable/disable log router activity. enable

wireless-activity Enable/disable log wireless activity. enable

wan-opt Enable/disable log WAN optimization messages. enable

endpoint Enable/disable log for endpoint events. enable

ha Enable/disable log for ha events. enable

compliance-check Enable/disable log for PCI DSS compliance check. enable

log/gui-display

CLI Syntax

config log gui-display
    edit <name_str>
    set resolve-hosts {enable | disable}
    set resolve-apps {enable | disable}
    set fortiview-unscanned-apps {enable | disable}
    set fortiview-local-traffic {enable | disable}
    set location {memory | disk | fortianalyzer | fortiguard}
end

Description

Configuration Description Default Value

resolve-hosts Resolve IP addresses to hostnames on the GUI using reverse DNS lookup. enable

resolve-apps Resolve unknown applications on the GUI using remote application database. enable

fortiview-unscanned-apps Enable/disable inclusion of unscanned traffic in FortiView application charts. disable

fortiview-local-traffic Enable/disable inclusion of local-in traffic in FortiView realtime charts. disable

location GUI log location display. memory

log/setting

CLI Syntax

config log setting
    edit <name_str>
    set resolve-ip {enable | disable}
    set resolve-port {enable | disable}
    set log-user-in-upper {enable | disable}
    set fwpolicy-implicit-log {enable | disable}
    set fwpolicy6-implicit-log {enable | disable}
    set log-invalid-packet {enable | disable}
    set local-in-allow {enable | disable}
    set local-in-deny-unicast {enable | disable}
    set local-in-deny-broadcast {enable | disable}
    set local-out {enable | disable}
    set daemon-log {enable | disable}
    set neighbor-event {enable | disable}
    set brief-traffic-format {enable | disable}
    set user-anonymize {enable | disable}
    set fortiview-weekly-data {enable | disable}
end

Description

Configuration Description Default Value

resolve-ip Add resolved domain name into traffic log if possible. disable

resolve-port Add resolved service name into traffic log if possible. enable

log-user-in-upper Enable/disable collect log with user-in-upper. disable

fwpolicy-implicit-log Enable/disable collect firewall implicit policy log. disable

fwpolicy6-implicit-log Enable/disable collect firewall implicit policy6 log. disable

log-invalid-packet Enable/disable collect invalid packet traffic log. disable

local-in-allow Enable/disable collect local-in-allow log. disable

local-in-deny-unicast Enable/disable collect local-in-deny-unicast log. disable

local-in-deny-broadcast Enable/disable collect local-in-deny-broadcast log. disable

local-out Enable/disable collect local-out log. disable

daemon-log Enable/disable collect daemon log. disable

neighbor-event Enable/disable collect neighbor event log. disable

brief-traffic-format Enable/disable use of brief format for traffic log. disable

user-anonymize Enable/disable anonymize log user name. disable

fortiview-weekly-data Enable/disable FortiView weekly data. disable

log/threat-weight

CLI Syntax

config log threat-weight
    edit <name_str>
    set status {enable | disable}
    config level
        edit <name_str>
        set low <integer>
        set medium <integer>
        set high <integer>
        set critical <integer>
    end
    set blocked-connection {disable | low | medium | high | critical}
    set failed-connection {disable | low | medium | high | critical}
    set malware-detected {disable | low | medium | high | critical}
    set url-block-detected {disable | low | medium | high | critical}
    set botnet-connection-detected {disable | low | medium | high | critical}
    config ips
        edit <name_str>
        set info-severity {disable | low | medium | high | critical}
        set low-severity {disable | low | medium | high | critical}
        set medium-severity {disable | low | medium | high | critical}
        set high-severity {disable | low | medium | high | critical}
        set critical-severity {disable | low | medium | high | critical}
    end
    config web
        edit <name_str>
        set id <integer>
        set category <integer>
        set level {disable | low | medium | high | critical}
    end
    config geolocation
        edit <name_str>
        set id <integer>
        set country <string>
        set level {disable | low | medium | high | critical}
    end
    config application
        edit <name_str>
        set id <integer>
        set category <integer>
        set level {disable | low | medium | high | critical}
    end
end

Description

Configuration Description Default Value

status Enable/disable threat weight status. enable

level Level to score mapping. Details below

Configuration Default Value

low 5

medium 10

high 30

critical 50

blocked-connection Score level for blocked connections for threat weight. high

failed-connection Score level for failed connections for threat weight. low

malware-detected Score level for detected malware for threat weight. critical

url-block-detected Score level for URL blocking for threat weight. high

botnet-connection-detected Score level for detected botnet connection for threat weight. critical

ips IPS reputation settings. Details below

Configuration Default Value

info-severity disable

low-severity low

medium-severity medium

high-severity high

critical-severity critical

web Web-based threat weight settings. (Empty)

geolocation Geolocation-based threat weight settings. (Empty)

application Application-control based threat weight settings. (Empty)

netscan/assets

CLI Syntax

config netscan assets
    edit <name_str>
    set asset-id <integer>
    set name <string>
    set scheduled {disable | enable}
    set addr-type {ip | range}
    set start-ip <ipv4-address-any>
    set end-ip <ipv4-address-any>
    set auth-windows {disable | enable}
    set auth-unix {disable | enable}
    set win-username <string>
    set win-password <password>
    set unix-username <string>
    set unix-password <password>
end

Description

Configuration Description Default Value

asset-id Asset ID. 0

name Name of this asset. (Empty)

scheduled Enable/disable include asset in scheduled vulnerability scan. disable

addr-type IP address or range. ip

start-ip IP address of asset or start of asset range. 0.0.0.0

end-ip End of asset range. 0.0.0.0

auth-windows Enable/disable authenticate on Windows hosts. disable

auth-unix Enable/disable authenticate on UNIX hosts. disable

win-username User name for Windows hosts. (Empty)

win-password Password for Windows hosts. (Empty)

unix-username User name for Unix hosts. (Empty)

unix-password Password for Unix hosts. (Empty)

netscan/settings

CLI Syntax

config netscan settings
    edit <name_str>
    set scan-mode {quick | standard | full}
    set scheduled-pause {disable | enable}
    set time <user>
    set pause-from <user>
    set pause-to <user>
    set recurrence {daily | weekly | monthly}
    set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    set day-of-month <integer>
    set tcp-ports <user>
    set udp-ports <user>
    set tcp-scan {auto | enable | disable}
    set udp-scan {auto | enable | disable}
    set service-detection {auto | enable | disable}
    set os-detection {auto | enable | disable}
end

Description

Configuration Description Default Value

scan-mode Level of vulnerability scanning to perform on ports. quick

scheduled-pause Enable/disable set time during which scanning should pause. disable

time Time of day to start the scan. 00:00

pause-from Time of day to pause scanning. 00:00

pause-to Time of day to resume scanning. 00:00

recurrence Frequency at which the scans should recur. weekly

day-of-week Day of the week on which to run the scan. sunday

day-of-month Day of the month on which to run the scan. 1

tcp-ports TCP ports scanned. (Empty)

udp-ports UDP ports scanned. (Empty)

tcp-scan Enable/disable TCP port scan. auto

udp-scan Enable/disable UDP port scan. auto

service-detection Enable/disable service detection. auto

os-detection Enable/disable OS detection. auto

report/chart

CLI Syntax

config report chart
    edit <name_str>
    set name <string>
    set policy <integer>
    set type {graph | table}
    set period {last24h | last7d}
    config drill-down-charts
        edit <name_str>
        set id <integer>
        set chart-name <string>
        set status {enable | disable}
    end
    set comments <string>
    set dataset <string>
    set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
    set favorite {no | yes}
    set graph-type {none | bar | pie | line | flow}
    set style {auto | manual}
    set dimension {2D | 3D}
    config x-series
        edit <name_str>
        set databind <string>
        set caption <string>
        set caption-font-size <integer>
        set font-size <integer>
        set label-angle {45-degree | vertical | horizontal}
        set is-category {yes | no}
        set scale-unit {minute | hour | day | month | year}
        set scale-step <integer>
        set scale-direction {decrease | increase}
        set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
        set unit <string>
    end
    config y-series
        edit <name_str>
        set databind <string>
        set caption <string>
        set caption-font-size <integer>
        set font-size <integer>
        set label-angle {45-degree | vertical | horizontal}
        set group <string>
        set unit <string>
        set extra-y {enable | disable}
        set extra-databind <string>
        set y-legend <string>
        set extra-y-legend <string>
    end
    config category-series
        edit <name_str>
        set databind <string>
        set font-size <integer>
    end
    config value-series
        edit <name_str>
        set databind <string>
    end
    set title <string>
    set title-font-size <integer>
    set background <string>
    set color-palette <string>
    set legend {enable | disable}
    set legend-font-size <integer>
    config column
        edit <name_str>
        set id <integer>
        set header-value <string>
        set detail-value <string>
        set footer-value <string>
        set detail-unit <string>
        set footer-unit <string>
        config mapping
            edit <name_str>
            set id <integer>
            set op {none | greater | greater-equal | less | less-equal | equal | between}
            set value-type {integer | string}
            set value1 <string>
            set value2 <string>
            set displayname <string>
        end
    end
end

Description

Configuration Description Default Value

name Chart Widget Name (Empty)

policy Used by monitor policy. 0

type Chart type. graph

period Time period. last24h

drill-down-charts Drill down charts. (Empty)

comments Comment. (Empty)

dataset Bind dataset to chart. (Empty)

category Category. misc

favorite Favorite. no

graph-type Graph type. none

style Style. auto

dimension Dimension. 3D

x-series X-series of chart. Details below

Configuration Default Value

databind (Empty)

caption (Empty)

caption-font-size 0

font-size 0

label-angle 45-degree

is-category yes

scale-unit day

scale-step 1

scale-direction decrease

scale-format YYYY-MM-DD-HH-MM

unit (Empty)

y-series Y-series of chart. Details below

Configuration Default Value

databind (Empty)

caption (Empty)

caption-font-size 0

font-size 0

label-angle horizontal

group (Empty)

unit (Empty)

extra-y disable

extra-databind (Empty)

y-legend (Empty)

extra-y-legend (Empty)

category-series Category series of pie chart. Details below

Configuration Default Value

databind (Empty)

font-size 0

value-series Value series of pie chart. Details below

Configuration Default Value

databind (Empty)

title Chart title. (Empty)

title-font-size Font size of chart title. 0

background Chart background. (Empty)

color-palette Color palette (system will pick color automatically by default). (Empty)

legend Enable/Disable Legend area. enable

legend-font-size Font size of legend area. 0

column Table column definition. (Empty)

report/dataset

CLI Syntax

config report dataset
    edit <name_str>
    set name <string>
    set policy <integer>
    set query <string>
    config field
        edit <name_str>
        set id <integer>
        set type {text | integer | double}
        set name <string>
        set displayname <string>
    end
    config parameters
        edit <name_str>
        set id <integer>
        set display-name <string>
        set field <string>
        set data-type {text | integer | double | long-integer | date-time}
    end
end

Description

Configuration Description Default Value

name Name. (Empty)

policy Used by monitor policy. 0

query SQL query statement. (Empty)

field Fields. (Empty)

parameters Parameters. (Empty)

report/layout

CLI Syntax

config report layout
    edit <name_str>
    set name <string>
    set title <string>
    set subtitle <string>
    set description <string>
    set style-theme <string>
    set options {include-table-of-content | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading | dummy-option}
    set format {html | pdf}
    set schedule-type {demand | daily | weekly}
    set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    set time <user>
    set cutoff-option {run-time | custom}
    set cutoff-time <user>
    set email-send {enable | disable}
    set email-recipients <string>
    set max-pdf-report <integer>
    config page
        edit <name_str>
        set paper {a4 | letter}
        set column-break-before {heading1 | heading2 | heading3}
        set page-break-before {heading1 | heading2 | heading3}
        set options {header-on-first-page | footer-on-first-page}
        config header
            edit <name_str>
            set style <string>
            config header-item
                edit <name_str>
                set id <integer>
                set description <string>
                set type {text | image}
                set style <string>
                set content <string>
                set img-src <string>
            end
        end
        config footer
            edit <name_str>
            set style <string>
            config footer-item
                edit <name_str>
                set id <integer>
                set description <string>
                set type {text | image}
                set style <string>
                set content <string>
                set img-src <string>
            end
        end
    end
    config body-item
        edit <name_str>
        set id <integer>
        set description <string>
        set type {text | image | chart | misc}
        set style <string>
        set top-n <integer>
        set hide {enable | disable}
        config parameters
            edit <name_str>
            set id <integer>
            set name <string>
            set value <string>
        end
        set text-component {text | heading1 | heading2 | heading3}
        set content <string>
        set img-src <string>
        set list-component {bullet | numbered}
        config list
            edit <name_str>
            set id <integer>
            set content <string>
        end
        set chart <string>
        set chart-options {include-no-data | hide-title | show-caption}
        set drill-down-items <string>
        set drill-down-types <string>
        set table-column-widths <string>
        set table-caption-style <string>
        set table-head-style <string>
        set table-odd-row-style <string>
        set table-even-row-style <string>
        set misc-component {hline | page-break | column-break | section-start}
        set column <integer>
        set title <string>
    end
end

Description

Configuration Description Default Value

name Report layout name. (Empty)

title Report title. (Empty)

subtitle Report subtitle. (Empty)

description Description. (Empty)

style-theme Report style theme. (Empty)

options Report layout options. include-table-of-content auto-numbering-heading view-chart-as-heading

format Report format. html

schedule-type Report schedule type. daily

day Schedule days of week to generate report. sunday

time Schedule time to generate report [hh:mm]. 00:00

cutoff-option Cutoff-option is either run-time or custom. run-time

cutoff-time Custom cutoff time to generate report [hh:mm]. 00:00

email-send Enable/disable sending emails after reports are generated. disable

email-recipients Email recipients for generated reports. (Empty)

max-pdf-report Maximum number of PDF reports to keep at one time (oldest report is overwritten). 31

page Configure report page. Details below

Configuration Default Value

paper a4

column-break-before (Empty)

page-break-before (Empty)

options (Empty)

header {"style":"","header-item":[]}

footer {"style":"","footer-item":[]}

body-item Configure report body item. (Empty)

report/setting

CLI Syntax

config report setting
    edit <name_str>
    set pdf-report {enable | disable}
    set fortiview {enable | disable}
    set report-source {forward-traffic | sniffer-traffic}
    set web-browsing-threshold <integer>
end

Description

Configuration Description Default Value

pdf-report Enable/disable PDF report. enable

fortiview Enable/disable historical FortiView. enable

report-source Report log source. forward-traffic

web-browsing-threshold Web browsing time calculation threshold (3 - 15 min). 3

report/style

CLI Syntax

config report style
    edit <name_str>
    set name <string>
    set options {font | text | color | align | size | margin | border | padding | column}
    set font-family {Verdana | Arial | Helvetica | Courier | Times}
    set font-style {normal | italic}
    set font-weight {normal | bold}
    set font-size <string>
    set line-height <string>
    set fg-color <string>
    set bg-color <string>
    set align {left | center | right | justify}
    set width <string>
    set height <string>
    set margin-top <string>
    set margin-right <string>
    set margin-bottom <string>
    set margin-left <string>
    set border-top <user>
    set border-right <user>
    set border-bottom <user>
    set border-left <user>
    set padding-top <string>
    set padding-right <string>
    set padding-bottom <string>
    set padding-left <string>
    set column-span {none | all}
    set column-gap <string>
end

Description

Configuration Description Default Value

name Report style name. (Empty)

options Report style options. (Empty)

font-family Font family. (Empty)

font-style Font style. normal

font-weight Font weight. normal

font-size Font size. (Empty)

line-height Text line height. (Empty)

fg-color Foreground color. (Empty)

bg-color Background color. (Empty)

align Alignment. (Empty)

width Width. (Empty)

height Height. (Empty)

margin-top Margin top. (Empty)

margin-right Margin right. (Empty)

margin-bottom Margin bottom. (Empty)

margin-left Margin left. (Empty)

border-top Border top. " none "

border-right Border right. " none "

border-bottom Border bottom. " none "

border-left Border left. " none "

padding-top Padding top. (Empty)

padding-right Padding right. (Empty)

padding-bottom Padding bottom. (Empty)

padding-left Padding left. (Empty)

column-span Column span. none

column-gap Column gap. (Empty)

report/theme

CLI Syntax

config report theme
    edit <name_str>
    set name <string>
    set page-orient {portrait | landscape}
    set column-count {1 | 2 | 3}
    set default-html-style <string>
    set default-pdf-style <string>
    set page-style <string>
    set page-header-style <string>
    set page-footer-style <string>
    set report-title-style <string>
    set report-subtitle-style <string>
    set toc-title-style <string>
    set toc-heading1-style <string>
    set toc-heading2-style <string>
    set toc-heading3-style <string>
    set toc-heading4-style <string>
    set heading1-style <string>
    set heading2-style <string>
    set heading3-style <string>
    set heading4-style <string>
    set normal-text-style <string>
    set bullet-list-style <string>
    set numbered-list-style <string>
    set image-style <string>
    set hline-style <string>
    set graph-chart-style <string>
    set table-chart-style <string>
    set table-chart-caption-style <string>
    set table-chart-head-style <string>
    set table-chart-odd-row-style <string>
    set table-chart-even-row-style <string>
end

Description

Configuration Description Default Value

name Report theme name. (Empty)

page-orient Report page orientation. portrait

column-count Report page column count. 1

default-html-style Default HTML report style. (Empty)

default-pdf-style Default PDF report style. (Empty)

page-style Report page style. (Empty)

page-header-style Report page header style. (Empty)

page-footer-style Report page footer style. (Empty)

report-title-style Report title style. (Empty)

report-subtitle-style Report subtitle style. (Empty)

toc-title-style Table of contents title style. (Empty)

toc-heading1-style Table of contents heading style. (Empty)

toc-heading2-style Table of contents heading style. (Empty)

toc-heading3-style Table of contents heading style. (Empty)

toc-heading4-style Table of contents heading style. (Empty)

heading1-style Report heading style. (Empty)

heading2-style Report heading style. (Empty)

heading3-style Report heading style. (Empty)

heading4-style Report heading style. (Empty)

normal-text-style Normal text style. (Empty)

bullet-list-style Bullet list style. (Empty)

numbered-list-style Numbered list style. (Empty)

image-style Image style. (Empty)

hline-style Horizontal line style. (Empty)

graph-chart-style Graph chart style. (Empty)

table-chart-style Table chart style. (Empty)

table-chart-caption-style Table chart caption style. (Empty)

table-chart-head-style Table chart head row style. (Empty)

table-chart-odd-row-style Table chart odd row style. (Empty)

table-chart-even-row-style Table chart even row style. (Empty)

router/access-list

CLI Syntax

config router access-list
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix <user>
                set wildcard <user>
                set exact-match {enable | disable}
                set flags <integer>
        end
end

Description

Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)

router/access-list6

CLI Syntax

config router access-list6
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix6 <user>
                set exact-match {enable | disable}
                set flags <integer>
        end
end

Description

Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)

router/aspath-list

CLI Syntax

config router aspath-list
    edit <name_str>
        set name <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {deny | permit}
                set regexp <string>
        end
end

Description

Configuration Description Default Value

name AS path list name. (Empty)

rule AS path list rule. (Empty)

router/auth-path

CLI Syntax

config router auth-path
    edit <name_str>
        set name <string>
        set device <string>
        set gateway <ipv4-address>
end

Description

Configuration Description Default Value

name Name of the entry. (Empty)

device Output interface. (Empty)

gateway Gateway IP address. 0.0.0.0

router/bfd

CLI Syntax

config router bfd
    edit <name_str>
        config neighbor
            edit <name_str>
                set ip <ipv4-address>
                set interface <string>
        end
end

Description

Configuration Description Default Value

neighbor neighbor (Empty)

router/bgp

CLI Syntax

config router bgp
    edit <name_str>
        set as <integer>
        set router-id <ipv4-address-any>
        set keepalive-timer <integer>
        set holdtime-timer <integer>
        set always-compare-med {enable | disable}
        set bestpath-as-path-ignore {enable | disable}
        set bestpath-cmp-confed-aspath {enable | disable}
        set bestpath-cmp-routerid {enable | disable}
        set bestpath-med-confed {enable | disable}
        set bestpath-med-missing-as-worst {enable | disable}
        set client-to-client-reflection {enable | disable}
        set dampening {enable | disable}
        set deterministic-med {enable | disable}
        set ebgp-multipath {enable | disable}
        set ibgp-multipath {enable | disable}
        set enforce-first-as {enable | disable}
        set fast-external-failover {enable | disable}
        set log-neighbour-changes {enable | disable}
        set network-import-check {enable | disable}
        set ignore-optional-capability {enable | disable}
        set cluster-id <ipv4-address-any>
        set confederation-identifier <integer>
        config confederation-peers
            edit <name_str>
                set peer <string>
        end
        set dampening-route-map <string>
        set dampening-reachability-half-life <integer>
        set dampening-reuse <integer>
        set dampening-suppress <integer>
        set dampening-max-suppress-time <integer>
        set dampening-unreachability-half-life <integer>
        set default-local-preference <integer>
        set scan-time <integer>
        set distance-external <integer>
        set distance-internal <integer>
        set distance-local <integer>
        set synchronization {enable | disable}
        set graceful-restart {enable | disable}
        set graceful-restart-time <integer>
        set graceful-stalepath-time <integer>
        set graceful-update-delay <integer>
        config aggregate-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set as-set {enable | disable}
                set summary-only {enable | disable}
        end
        config aggregate-address6
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-prefix>
                set as-set {enable | disable}
                set summary-only {enable | disable}
        end
        config neighbor
            edit <name_str>
                set ip <string>
                set advertisement-interval <integer>
                set allowas-in-enable {enable | disable}
                set allowas-in-enable6 {enable | disable}
                set allowas-in <integer>
                set allowas-in6 <integer>
                set attribute-unchanged {as-path | med | next-hop}
                set attribute-unchanged6 {as-path | med | next-hop}
                set activate {enable | disable}
                set activate6 {enable | disable}
                set bfd {enable | disable}
                set capability-dynamic {enable | disable}
                set capability-orf {none | receive | send | both}
                set capability-orf6 {none | receive | send | both}
                set capability-graceful-restart {enable | disable}
                set capability-graceful-restart6 {enable | disable}
                set capability-route-refresh {enable | disable}
                set capability-default-originate {enable | disable}
                set capability-default-originate6 {enable | disable}
                set dont-capability-negotiate {enable | disable}
                set ebgp-enforce-multihop {enable | disable}
                set next-hop-self {enable | disable}
                set next-hop-self6 {enable | disable}
                set override-capability {enable | disable}
                set passive {enable | disable}
                set remove-private-as {enable | disable}
                set remove-private-as6 {enable | disable}
                set route-reflector-client {enable | disable}
                set route-reflector-client6 {enable | disable}
                set route-server-client {enable | disable}
                set route-server-client6 {enable | disable}
                set shutdown {enable | disable}
                set soft-reconfiguration {enable | disable}
                set soft-reconfiguration6 {enable | disable}
                set as-override {enable | disable}
                set as-override6 {enable | disable}
                set strict-capability-match {enable | disable}
                set default-originate-routemap <string>
                set default-originate-routemap6 <string>
                set description <string>
                set distribute-list-in <string>
                set distribute-list-in6 <string>
                set distribute-list-out <string>
                set distribute-list-out6 <string>
                set ebgp-multihop-ttl <integer>
                set filter-list-in <string>
                set filter-list-in6 <string>
                set filter-list-out <string>
                set filter-list-out6 <string>
                set interface <string>
                set maximum-prefix <integer>
                set maximum-prefix6 <integer>
                set maximum-prefix-threshold <integer>
                set maximum-prefix-threshold6 <integer>
                set maximum-prefix-warning-only {enable | disable}
                set maximum-prefix-warning-only6 {enable | disable}
                set prefix-list-in <string>
                set prefix-list-in6 <string>
                set prefix-list-out <string>
                set prefix-list-out6 <string>
                set remote-as <integer>
                set retain-stale-time <integer>
                set route-map-in <string>
                set route-map-in6 <string>
                set route-map-out <string>
                set route-map-out6 <string>
                set send-community {standard | extended | both | disable}
                set send-community6 {standard | extended | both | disable}
                set keep-alive-timer <integer>
                set holdtime-timer <integer>
                set connect-timer <integer>
                set unsuppress-map <string>
                set unsuppress-map6 <string>
                set update-source <string>
                set weight <integer>
                set restart-time <integer>
                set password <password>
                config conditional-advertise
                    edit <name_str>
                        set advertise-routemap <string>
                        set condition-routemap <string>
                        set condition-type {exist | non-exist}
                end
        end
        config neighbor-group
            edit <name_str>
                set name <string>
                set advertisement-interval <integer>
                set allowas-in-enable {enable | disable}
                set allowas-in-enable6 {enable | disable}
                set allowas-in <integer>
                set allowas-in6 <integer>
                set attribute-unchanged {as-path | med | next-hop}
                set attribute-unchanged6 {as-path | med | next-hop}
                set activate {enable | disable}
                set activate6 {enable | disable}
                set bfd {enable | disable}
                set capability-dynamic {enable | disable}
                set capability-orf {none | receive | send | both}
                set capability-orf6 {none | receive | send | both}
                set capability-graceful-restart {enable | disable}
                set capability-graceful-restart6 {enable | disable}
                set capability-route-refresh {enable | disable}
                set capability-default-originate {enable | disable}
                set capability-default-originate6 {enable | disable}
                set dont-capability-negotiate {enable | disable}
                set ebgp-enforce-multihop {enable | disable}
                set next-hop-self {enable | disable}
                set next-hop-self6 {enable | disable}
                set override-capability {enable | disable}
                set passive {enable | disable}
                set remove-private-as {enable | disable}
                set remove-private-as6 {enable | disable}
                set route-reflector-client {enable | disable}
                set route-reflector-client6 {enable | disable}
                set route-server-client {enable | disable}
                set route-server-client6 {enable | disable}
                set shutdown {enable | disable}
                set soft-reconfiguration {enable | disable}
                set soft-reconfiguration6 {enable | disable}
                set as-override {enable | disable}
                set as-override6 {enable | disable}
                set strict-capability-match {enable | disable}
                set default-originate-routemap <string>
                set default-originate-routemap6 <string>
                set description <string>
                set distribute-list-in <string>
                set distribute-list-in6 <string>
                set distribute-list-out <string>
                set distribute-list-out6 <string>
                set ebgp-multihop-ttl <integer>
                set filter-list-in <string>
                set filter-list-in6 <string>
                set filter-list-out <string>
                set filter-list-out6 <string>
                set interface <string>
                set maximum-prefix <integer>
                set maximum-prefix6 <integer>
                set maximum-prefix-threshold <integer>
                set maximum-prefix-threshold6 <integer>
                set maximum-prefix-warning-only {enable | disable}
                set maximum-prefix-warning-only6 {enable | disable}
                set prefix-list-in <string>
                set prefix-list-in6 <string>
                set prefix-list-out <string>
                set prefix-list-out6 <string>
                set remote-as <integer>
                set retain-stale-time <integer>
                set route-map-in <string>
                set route-map-in6 <string>
                set route-map-out <string>
                set route-map-out6 <string>
                set send-community {standard | extended | both | disable}
                set send-community6 {standard | extended | both | disable}
                set keep-alive-timer <integer>
                set holdtime-timer <integer>
                set connect-timer <integer>
                set unsuppress-map <string>
                set unsuppress-map6 <string>
                set update-source <string>
                set weight <integer>
                set restart-time <integer>
        end
        config neighbor-range
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set max-neighbor-num <integer>
                set neighbor-group <string>
        end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set backdoor {enable | disable}
                set route-map <string>
        end
        config network6
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-network>
                set backdoor {enable | disable}
                set route-map <string>
        end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set route-map <string>
        end
        config redistribute6
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set route-map <string>
        end
        config admin-distance
            edit <name_str>
                set id <integer>
                set neighbour-prefix <ipv4-classnet>
                set route-list <string>
                set distance <integer>
        end
end

Description

Configuration Description Default Value

as Router AS number. 0

router-id Router ID. 0.0.0.0

keepalive-timer Frequency to send keep alive requests. 60

holdtime-timer Number of seconds to mark peer as dead. 180

always-compare-med Enable/disable always compare MED. disable

bestpath-as-path-ignore Enable/disable ignore AS path. disable

bestpath-cmp-confed-aspath Enable/disable compare federation AS path length. disable

bestpath-cmp-routerid Enable/disable compare router ID for identical EBGP paths. disable

bestpath-med-confed Enable/disable compare MED among confederation paths. disable

bestpath-med-missing-as-worst Enable/disable treat missing MED as least preferred. disable

client-to-client-reflection Enable/disable client-to-client route reflection. enable

dampening Enable/disable route-flap dampening. disable

deterministic-med Enable/disable enforce deterministic comparison of MED. disable

ebgp-multipath Enable/disable EBGP multi-path. disable

ibgp-multipath Enable/disable IBGP multi-path. disable

enforce-first-as Enable/disable enforce first AS for EBGP routes. enable

fast-external-failover Enable/disable reset peer BGP session if link goes down. enable

log-neighbour-changes Enable logging of BGP neighbour's changes. enable

network-import-check Enable/disable ensure BGP network route exists in IGP. enable

ignore-optional-capability Don't send unknown optional capability notification message. enable

cluster-id Route reflector cluster ID. 0.0.0.0

confederation-identifier Confederation identifier. 0

confederation-peers Confederation peers. (Empty)

dampening-route-map Criteria for dampening. (Empty)

dampening-reachability-half-life Reachability half-life time for penalty (min). 15

dampening-reuse Threshold to reuse routes. 750

dampening-suppress Threshold to suppress routes. 2000

dampening-max-suppress-time Maximum minutes a route can be suppressed. 60

dampening-unreachability-half-life Unreachability half-life time for penalty (min). 15

default-local-preference Default local preference. 100

scan-time Background scanner interval (sec). 60

distance-external Distance for routes external to the AS. 20

distance-internal Distance for routes internal to the AS. 200

distance-local Distance for routes local to the AS. 200

synchronization Enable/disable only advertise routes from iBGP if routes present in an IGP. disable

graceful-restart Enable/disable BGP graceful restart capabilities. disable

graceful-restart-time Time needed for neighbors to restart (sec). 120

graceful-stalepath-time Time to hold stale paths of restarting neighbor (sec). 360

graceful-update-delay Route advertisement/selection delay after restart (sec). 120

aggregate-address BGP aggregate address table. (Empty)

aggregate-address6 BGP IPv6 aggregate address table. (Empty)

neighbor BGP neighbor table. (Empty)

neighbor-group BGP neighbor group table. (Empty)

neighbor-range BGP neighbor range table. (Empty)

network BGP network table. (Empty)

network6 BGP IPv6 network table. (Empty)

redistribute BGP IPv4 redistribute table. (Empty)

redistribute6 BGP IPv6 redistribute table. (Empty)

admin-distance Administrative distance modifications. (Empty)

router/community-list

CLI Syntax

config router community-list
    edit <name_str>
        set name <string>
        set type {standard | expanded}
        config rule
            edit <name_str>
                set id <integer>
                set action {deny | permit}
                set regexp <string>
                set match <string>
        end
end

Description

Configuration Description Default Value

name Community list name. (Empty)

type Community list type. standard

rule Community list rule. (Empty)

router/isis

CLI Syntax

config router isis
    edit <name_str>
        set is-type {level-1-2 | level-1 | level-2-only}
        set auth-mode-l1 {password | md5}
        set auth-mode-l2 {password | md5}
        set auth-password-l1 <password>
        set auth-password-l2 <password>
        set auth-keychain-l1 <string>
        set auth-keychain-l2 <string>
        set auth-sendonly-l1 {enable | disable}
        set auth-sendonly-l2 {enable | disable}
        set ignore-lsp-errors {enable | disable}
        set lsp-gen-interval-l1 <integer>
        set lsp-gen-interval-l2 <integer>
        set lsp-refresh-interval <integer>
        set max-lsp-lifetime <integer>
        set spf-interval-exp-l1 <user>
        set spf-interval-exp-l2 <user>
        set dynamic-hostname {enable | disable}
        set adjacency-check {enable | disable}
        set overload-bit {enable | disable}
        set overload-bit-suppress {external | interlevel}
        set overload-bit-on-startup <integer>
        set default-originate {enable | disable}
        set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
        set redistribute-l1 {enable | disable}
        set redistribute-l1-list <string>
        set redistribute-l2 {enable | disable}
        set redistribute-l2-list <string>
        config isis-net
            edit <name_str>
                set id <integer>
                set net <user>
        end
        config isis-interface
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set network-type {broadcast | point-to-point}
                set circuit-type {level-1-2 | level-1 | level-2}
                set csnp-interval-l1 <integer>
                set csnp-interval-l2 <integer>
                set hello-interval-l1 <integer>
                set hello-interval-l2 <integer>
                set hello-multiplier-l1 <integer>
                set hello-multiplier-l2 <integer>
                set hello-padding {enable | disable}
                set lsp-interval <integer>
                set lsp-retransmit-interval <integer>
                set metric-l1 <integer>
                set metric-l2 <integer>
                set wide-metric-l1 <integer>
                set wide-metric-l2 <integer>
                set auth-password-l1 <password>
                set auth-password-l2 <password>
                set auth-keychain-l1 <string>
                set auth-keychain-l2 <string>
                set auth-send-only-l1 {enable | disable}
                set auth-send-only-l2 {enable | disable}
                set auth-mode-l1 {md5 | password}
                set auth-mode-l2 {md5 | password}
                set priority-l1 <integer>
                set priority-l2 <integer>
                set mesh-group {enable | disable}
                set mesh-group-id <integer>
        end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set level {level-1-2 | level-1 | level-2}
        end
        config redistribute
            edit <name_str>
                set protocol <string>
                set status {enable | disable}
                set metric <integer>
                set metric-type {external | internal}
                set level {level-1-2 | level-1 | level-2}
                set routemap <string>
        end
end

Description

Configuration Description Default Value

is-type IS type. level-1-2

auth-mode-l1 Level 1 authentication mode. password

auth-mode-l2 Level 2 authentication mode. password

auth-password-l1 Authentication password for level 1 PDUs. (Empty)

auth-password-l2 Authentication password for level 2 PDUs. (Empty)

auth-keychain-l1 Authentication key-chain for level 1 PDUs. (Empty)

auth-keychain-l2 Authentication key-chain for level 2 PDUs. (Empty)

auth-sendonly-l1 Enable/disable level 1 authentication send-only. disable

auth-sendonly-l2 Enable/disable level 2 authentication send-only. disable

ignore-lsp-errors Enable/disable ignoring of LSP errors with bad checksums. disable

lsp-gen-interval-l1 Minimum interval for level 1 LSP regenerating. 30

lsp-gen-interval-l2 Minimum interval for level 2 LSP regenerating. 30

lsp-refresh-interval LSP refresh time in seconds. 900

max-lsp-lifetime Maximum LSP lifetime in seconds. 1200

spf-interval-exp-l1 Level 1 SPF calculation delay. 500 50000

spf-interval-exp-l2 Level 2 SPF calculation delay. 500 50000

dynamic-hostname Enable/disable dynamic hostname. disable

adjacency-check Enable/disable adjacency check. disable

overload-bit Enable/disable signal other routers not to use us in SPF. disable

overload-bit-suppress Suppress overload-bit for the specific prefixes. (Empty)

overload-bit-on-startup Overload-bit only temporarily after reboot. 0

default-originate Enable/disable control distribution of default information. disable

metric-style Use old-style (ISO 10589) or new-style packet formats. narrow

redistribute-l1 Enable/disable redistribute level 1 routes into level 2. disable

redistribute-l1-list Access-list for redistribute l1 to l2. (Empty)

redistribute-l2 Enable/disable redistribute level 2 routes into level 1. disable

redistribute-l2-list Access-list for redistribute l2 to l1. (Empty)

isis-net IS-IS net configuration. (Empty)

isis-interface IS-IS interface configuration. (Empty)

summary-address IS-IS summary addresses. (Empty)

redistribute IS-IS redistribute protocols. (Empty)

router/key-chain

CLI Syntax

config router key-chain
    edit <name_str>
        set name <string>
        config key
            edit <name_str>
                set id <integer>
                set accept-lifetime <user>
                set send-lifetime <user>
                set key-string <string>
        end
end

Description

Configuration Description Default Value

name Key-chain name. (Empty)

key Key. (Empty)

router/multicast

CLI Syntax

config router multicast
    edit <name_str>
        set route-threshold <integer>
        set route-limit <integer>
        set igmp-state-limit <integer>
        set multicast-routing {enable | disable}
        config pim-sm-global
            edit <name_str>
                set message-interval <integer>
                set join-prune-holdtime <integer>
                set accept-register-list <string>
                set bsr-candidate {enable | disable}
                set bsr-interface <string>
                set bsr-priority <integer>
                set bsr-hash <integer>
                set bsr-allow-quick-refresh {enable | disable}
                set cisco-register-checksum {enable | disable}
                set cisco-register-checksum-group <string>
                set cisco-crp-prefix {enable | disable}
                set cisco-ignore-rp-set-priority {enable | disable}
                set register-rp-reachability {enable | disable}
                set register-source {disable | interface | ip-address}
                set register-source-interface <string>
                set register-source-ip <ipv4-address>
                set register-supression <integer>
                set null-register-retries <integer>
                set rp-register-keepalive <integer>
                set spt-threshold {enable | disable}
                set spt-threshold-group <string>
                set ssm {enable | disable}
                set ssm-range <string>
                set register-rate-limit <integer>
                config rp-address
                    edit <name_str>
                        set id <integer>
                        set ip-address <ipv4-address>
                        set group <string>
                end
        end
        config interface
            edit <name_str>
                set name <string>
                set ttl-threshold <integer>
                set pim-mode {sparse-mode | dense-mode}
                set passive {enable | disable}
                set bfd {enable | disable}
                set neighbour-filter <string>
                set hello-interval <integer>
                set hello-holdtime <integer>
                set cisco-exclude-genid {enable | disable}
                set dr-priority <integer>
                set propagation-delay <integer>
                set state-refresh-interval <integer>
                set rp-candidate {enable | disable}
                set rp-candidate-group <string>
                set rp-candidate-priority <integer>
                set rp-candidate-interval <integer>
                set multicast-flow <string>
                set static-group <string>
                config join-group
                    edit <name_str>
                        set address <ipv4-address-any>
                end
                config igmp
                    edit <name_str>
                        set access-group <string>
                        set version {3 | 2 | 1}
                        set immediate-leave-group <string>
                        set last-member-query-interval <integer>
                        set last-member-query-count <integer>
                        set query-max-response-time <integer>
                        set query-interval <integer>
                        set query-timeout <integer>
                        set router-alert-check {enable | disable}
                end
        end
end

Description

Configuration Description Default Value

route-threshold Generate warnings when number of multicast routes exceeds this number. 2147483647

route-limit Maximum number of multicast routes. 2147483647

igmp-state-limit Maximum IGMP memberships (system wide). 3200

multicast-routing Enable/disable multicast routing. disable

pim-sm-global PIM sparse-mode global settings. Details below

Configuration Default Value
message-interval 60
join-prune-holdtime 210
accept-register-list (Empty)
bsr-candidate disable
bsr-interface (Empty)
bsr-priority 0
bsr-hash 10
bsr-allow-quick-refresh disable
cisco-register-checksum disable
cisco-register-checksum-group (Empty)
cisco-crp-prefix disable
cisco-ignore-rp-set-priority disable
register-rp-reachability enable
register-source disable
register-source-interface (Empty)
register-source-ip 0.0.0.0
register-supression 60
null-register-retries 1
rp-register-keepalive 185
spt-threshold enable
spt-threshold-group (Empty)
ssm disable
ssm-range (Empty)
register-rate-limit 0
rp-address (Empty)

interface PIM interfaces. (Empty)


router/multicast-flow

CLI Syntax

config router multicast-flow
    edit <name_str>
        set name <string>
        set comments <string>
        config flows
            edit <name_str>
                set id <integer>
                set group-addr <ipv4-address-any>
                set source-addr <ipv4-address-any>
        end
end


Description

Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

flows Multicast-flow entries. (Empty)


router/multicast6

CLI Syntax

config router multicast6
    edit <name_str>
        set multicast-routing {enable | disable}
        config interface
            edit <name_str>
                set name <string>
                set hello-interval <integer>
                set hello-holdtime <integer>
        end
        config pim-sm-global
            edit <name_str>
                set register-rate-limit <integer>
                config rp-address
                    edit <name_str>
                        set id <integer>
                        set ip6-address <ipv6-address>
                end
        end
end


Description

Configuration Description Default Value

multicast-routing Enable/disable multicast routing. disable

interface PIM interfaces. (Empty)

pim-sm-global PIM sparse-mode global settings. Details below

    Configuration Default Value
    register-rate-limit 0
    rp-address (Empty)


router/ospf

CLI Syntax

config router ospf
    edit <name_str>
        set abr-type {cisco | ibm | shortcut | standard}
        set auto-cost-ref-bandwidth <integer>
        set distance-external <integer>
        set distance-inter-area <integer>
        set distance-intra-area <integer>
        set database-overflow {enable | disable}
        set database-overflow-max-lsas <integer>
        set database-overflow-time-to-recover <integer>
        set default-information-originate {enable | always | disable}
        set default-information-metric <integer>
        set default-information-metric-type {1 | 2}
        set default-information-route-map <string>
        set default-metric <integer>
        set distance <integer>
        set rfc1583-compatible {enable | disable}
        set router-id <ipv4-address-any>
        set spf-timers <user>
        set bfd {enable | disable}
        set log-neighbour-changes {enable | disable}
        set distribute-list-in <string>
        set distribute-route-map-in <string>
        set restart-mode {none | lls | graceful-restart}
        set restart-period <integer>
        config area
            edit <name_str>
                set id <ipv4-address-any>
                set shortcut {disable | enable | default}
                set authentication {none | text | md5}
                set default-cost <integer>
                set nssa-translator-role {candidate | never | always}
                set stub-type {no-summary | summary}
                set type {regular | nssa | stub}
                set nssa-default-information-originate {enable | always | disable}
                set nssa-default-information-originate-metric <integer>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                config range
                    edit <name_str>
                        set id <integer>
                        set prefix <ipv4-classnet-any>
                        set advertise {disable | enable}
                        set substitute <ipv4-classnet-any>
                        set substitute-status {enable | disable}
                end
                config virtual-link
                    edit <name_str>
                        set name <string>
                        set authentication {none | text | md5}
                        set authentication-key <password>
                        set md5-key <user>
                        set dead-interval <integer>
                        set hello-interval <integer>
                        set retransmit-interval <integer>
                        set transmit-delay <integer>
                        set peer <ipv4-address-any>
                end
                config filter-list
                    edit <name_str>
                        set id <integer>
                        set list <string>
                        set direction {in | out}
                end
        end
        config ospf-interface
            edit <name_str>
                set name <string>
                set interface <string>
                set ip <ipv4-address>
                set authentication {none | text | md5}
                set authentication-key <password>
                set md5-key <user>
                set prefix-length <integer>
                set retransmit-interval <integer>
                set transmit-delay <integer>
                set cost <integer>
                set priority <integer>
                set dead-interval <integer>
                set hello-interval <integer>
                set hello-multiplier <integer>
                set database-filter-out {enable | disable}
                set mtu <integer>
                set mtu-ignore {enable | disable}
                set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
                set bfd {global | enable | disable}
                set status {disable | enable}
                set resync-timeout <integer>
        end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set area <ipv4-address-any>
        end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
                set poll-interval <integer>
                set cost <integer>
                set priority <integer>
        end
        config passive-interface
            edit <name_str>
                set name <string>
        end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set tag <integer>
                set advertise {disable | enable}
        end
        config distribute-list
            edit <name_str>
                set id <integer>
                set access-list <string>
                set protocol {connected | static | rip}
        end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set metric-type {1 | 2}
                set tag <integer>
        end
end


Description

Configuration Description Default Value

abr-type Area border router type. standard

auto-cost-ref-bandwidth Reference bandwidth in terms of megabits per second. 1000

distance-external Administrative external distance. 110

distance-inter-area Administrative inter-area distance. 110

distance-intra-area Administrative intra-area distance. 110

database-overflow Enable/disable database overflow. disable

database-overflow-max-lsas Database overflow maximum LSAs. 10000

database-overflow-time-to-recover Database overflow time to recover (sec). 300

default-information-originate Enable/disable generation of default route. disable

default-information-metric Default information metric. 10

default-information-metric-type Default information metric type. 2

default-information-route-map Default information route map. (Empty)

default-metric Default metric of redistribute routes. 10

distance Distance of the route. 110

rfc1583-compatible Enable/disable RFC1583 compatibility. disable

router-id Router ID. 0.0.0.0

spf-timers SPF calculation frequency. 5 10

bfd Bidirectional Forwarding Detection (BFD). disable


log-neighbour-changes Enable logging of OSPF neighbour's changes enable

distribute-list-in Filter incoming routes. (Empty)

distribute-route-map-in Filter incoming external routes by route-map. (Empty)

restart-mode OSPF restart mode (graceful or LLS). none

restart-period Graceful restart period. 120

area OSPF area configuration. (Empty)

ospf-interface OSPF interface configuration. (Empty)

network OSPF network configuration. (Empty)

neighbor OSPF neighbor configurations are used when OSPF runs on non-broadcast media. (Empty)

passive-interface Passive interface configuration. (Empty)

summary-address IP address summary configuration. (Empty)

distribute-list Distribute list configuration. (Empty)

redistribute Redistribute configuration. (Empty)


router/ospf6

CLI Syntax

config router ospf6
    edit <name_str>
        set abr-type {cisco | ibm | standard}
        set auto-cost-ref-bandwidth <integer>
        set default-information-originate {enable | always | disable}
        set log-neighbour-changes {enable | disable}
        set default-information-metric <integer>
        set default-information-metric-type {1 | 2}
        set default-information-route-map <string>
        set default-metric <integer>
        set router-id <ipv4-address-any>
        set spf-timers <user>
        config area
            edit <name_str>
                set id <ipv4-address-any>
                set default-cost <integer>
                set nssa-translator-role {candidate | never | always}
                set stub-type {no-summary | summary}
                set type {regular | nssa | stub}
                set nssa-default-information-originate {enable | disable}
                set nssa-default-information-originate-metric <integer>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                config range
                    edit <name_str>
                        set id <integer>
                        set prefix6 <ipv6-network>
                        set advertise {disable | enable}
                end
                config virtual-link
                    edit <name_str>
                        set name <string>
                        set dead-interval <integer>
                        set hello-interval <integer>
                        set retransmit-interval <integer>
                        set transmit-delay <integer>
                        set peer <ipv4-address-any>
                end
        end
        config ospf6-interface
            edit <name_str>
                set name <string>
                set area-id <ipv4-address-any>
                set interface <string>
                set retransmit-interval <integer>
                set transmit-delay <integer>
                set cost <integer>
                set priority <integer>
                set dead-interval <integer>
                set hello-interval <integer>
                set status {disable | enable}
                set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
                config neighbor
                    edit <name_str>
                        set ip6 <ipv6-address>
                        set poll-interval <integer>
                        set cost <integer>
                        set priority <integer>
                end
        end
        config passive-interface
            edit <name_str>
                set name <string>
        end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set metric-type {1 | 2}
        end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-network>
                set advertise {disable | enable}
                set tag <integer>
        end
end


Description

Configuration Description Default Value

abr-type Area border router type. standard

auto-cost-ref-bandwidth Reference bandwidth in terms of megabits per second. 1000

default-information-originate Enable/disable generation of default route. disable

log-neighbour-changes Enable logging of OSPFv3 neighbour's changes enable

default-information-metric Default information metric. 10

default-information-metric-type Default information metric type. 2

default-information-route-map Default information route map. (Empty)

default-metric Default metric of redistribute routes. 20

router-id A.B.C.D, in IPv4 address format. 0.0.0.0

spf-timers SPF calculation frequency. 5 10

area OSPF6 area configuration. (Empty)

ospf6-interface OSPF6 interface configuration. (Empty)

passive-interface Passive interface configuration. (Empty)

redistribute Redistribute configuration. (Empty)

summary-address IPv6 address summary configuration. (Empty)


router/policy

CLI Syntax

config router policy
    edit <name_str>
        set seq-num <integer>
        config input-device
            edit <name_str>
                set name <string>
        end
        config src
            edit <name_str>
                set subnet <string>
        end
        config srcaddr
            edit <name_str>
                set name <string>
        end
        set src-negate {enable | disable}
        config dst
            edit <name_str>
                set subnet <string>
        end
        config dstaddr
            edit <name_str>
                set name <string>
        end
        set dst-negate {enable | disable}
        set action {deny | permit}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set start-source-port <integer>
        set end-source-port <integer>
        set gateway <ipv4-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set comments <var-string>
end


Description

Configuration Description Default Value

seq-num Sequence number. 0

input-device Incoming interface name. (Empty)

src Source IP and mask (x.x.x.x/x). (Empty)

srcaddr Source address name. (Empty)

src-negate Enable/disable negated source address match. disable

dst Destination IP and mask (x.x.x.x/x). (Empty)

dstaddr Destination address name. (Empty)

dst-negate Enable/disable negated destination address match. disable

action Action of the policy route. permit

protocol Protocol number. 0

start-port Start destination port number. 1

end-port End destination port number. 65535

start-source-port Start source port number. 1

end-source-port End source port number. 65535

gateway IP address of gateway. 0.0.0.0

output-device Outgoing interface name. (Empty)

tos Type of service bit pattern. 0x00

tos-mask Type of service evaluated bits. 0x00

comments Comment. (Empty)


router/policy6

CLI Syntax

config router policy6
    edit <name_str>
        set seq-num <integer>
        set input-device <string>
        set src <ipv6-network>
        set dst <ipv6-network>
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set gateway <ipv6-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set comments <var-string>
end


Description

Configuration Description Default Value

seq-num Sequence number. 0

input-device Incoming interface name. (Empty)

src Source IPv6 prefix. ::/0

dst Destination IPv6 prefix. ::/0

protocol Protocol number. 0

start-port Start port number. 1

end-port End port number. 65535

gateway IPv6 address of gateway. ::

output-device Outgoing interface name. (Empty)

tos Type of service bit pattern. 0x00

tos-mask Type of service evaluated bits. 0x00

comments Comment. (Empty)


router/prefix-list

CLI Syntax

config router prefix-list
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
        end
end


Description

Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)


router/prefix-list6

CLI Syntax

config router prefix-list6
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix6 <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
        end
end


Description

Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)


router/rip

CLI Syntax

config router rip
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        set recv-buffer-size <integer>
        config distance
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set distance <integer>
                set access-list <string>
        end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
        end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
        end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
        end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list <string>
                set offset <integer>
                set interface <string>
        end
        config passive-interface
            edit <name_str>
                set name <string>
        end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set flags <integer>
        end
        set update-timer <integer>
        set timeout-timer <integer>
        set garbage-timer <integer>
        set version {1 | 2}
        config interface
            edit <name_str>
                set name <string>
                set auth-keychain <string>
                set auth-mode {none | text | md5}
                set auth-string <password>
                set receive-version {1 | 2}
                set send-version {1 | 2}
                set send-version2-broadcast {disable | enable}
                set split-horizon-status {enable | disable}
                set split-horizon {poisoned | regular}
                set flags <integer>
        end
end


Description

Configuration Description Default Value

default-information-originate Enable/disable generation of default route. disable

default-metric Default metric. 1

max-out-metric Maximum metric allowed to output (0 means 'not set'). 0

recv-buffer-size Receiving buffer size. 655360

distance distance (Empty)

distribute-list Distribute list. (Empty)

neighbor neighbor (Empty)

network network (Empty)

offset-list Offset list. (Empty)

passive-interface Passive interface configuration. (Empty)

redistribute Redistribute configuration. (Empty)

update-timer Update timer. 30

timeout-timer Timeout timer. 180

garbage-timer Garbage timer. 120

version RIP version. 2

interface RIP interface configuration. (Empty)


router/ripng

CLI Syntax

config router ripng
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        config distance
            edit <name_str>
                set id <integer>
                set distance <integer>
                set prefix6 <ipv6-prefix>
                set access-list6 <string>
        end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
        end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip6 <ipv6-address>
                set interface <string>
        end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv6-prefix>
        end
        config aggregate-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-prefix>
        end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list6 <string>
                set offset <integer>
                set interface <string>
        end
        config passive-interface
            edit <name_str>
                set name <string>
        end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set flags <integer>
        end
        set update-timer <integer>
        set timeout-timer <integer>
        set garbage-timer <integer>
        config interface
            edit <name_str>
                set name <string>
                set split-horizon-status {enable | disable}
                set split-horizon {poisoned | regular}
                set flags <integer>
        end
end


Description

Configuration Description Default Value

default-information-originate Enable/disable generation of default route. disable

default-metric Default metric. 1

max-out-metric Maximum metric allowed to output (0 means 'not set'). 0

distance distance (Empty)

distribute-list Distribute list. (Empty)

neighbor neighbor (Empty)

network Network. (Empty)

aggregate-address Aggregate address. (Empty)

offset-list Offset list. (Empty)

passive-interface Passive interface configuration. (Empty)

redistribute Redistribute configuration. (Empty)

update-timer Update timer. 30

timeout-timer Timeout timer. 180

garbage-timer Garbage timer. 120

interface RIPng interface configuration. (Empty)


router/route-map

CLI Syntax

config router route-map
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set match-as-path <string>
                set match-community <string>
                set match-community-exact {enable | disable}
                set match-origin {none | egp | igp | incomplete}
                set match-interface <string>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
                set match-metric <integer>
                set match-route-type {1 | 2}
                set match-tag <integer>
                set set-aggregator-as <integer>
                set set-aggregator-ip <ipv4-address-any>
                set set-aspath-action {prepend | replace}
                config set-aspath
                    edit <name_str>
                        set as <string>
                end
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <string>
                config set-community
                    edit <name_str>
                        set community <string>
                end
                set set-community-additive {enable | disable}
                set set-dampening-reachability-half-life <integer>
                set set-dampening-reuse <integer>
                set set-dampening-suppress <integer>
                set set-dampening-max-suppress <integer>
                set set-dampening-unreachability-half-life <integer>
                config set-extcommunity-rt
                    edit <name_str>
                        set community <string>
                end
                config set-extcommunity-soo
                    edit <name_str>
                        set community <string>
                end
                set set-ip-nexthop <ipv4-address>
                set set-ip6-nexthop <ipv6-address>
                set set-ip6-nexthop-local <ipv6-address>
                set set-local-preference <integer>
                set set-metric <integer>
                set set-metric-type {1 | 2}
                set set-originator-id <ipv4-address-any>
                set set-origin {none | egp | igp | incomplete}
                set set-tag <integer>
                set set-weight <integer>
                set set-flags <integer>
                set match-flags <integer>
        end
end


Description

Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Rule. (Empty)


router/setting

CLI Syntax

config router setting
    edit <name_str>
        set show-filter <string>
        set hostname <string>
end


Description

Configuration Description Default Value

show-filter Prefix-list as filter for showing routes. (Empty)

hostname Hostname for this virtual domain router. (Empty)


router/static

CLI Syntax

config router static
    edit <name_str>
        set seq-num <integer>
        set dst <ipv4-classnet>
        set gateway <ipv4-address>
        set distance <integer>
        set weight <integer>
        set priority <integer>
        set device <string>
        set comment <var-string>
        set blackhole {enable | disable}
        set dynamic-gateway {enable | disable}
        set virtual-wan-link {enable | disable}
        set dstaddr <string>
        set internet-service <integer>
        set internet-service-custom <string>
end


Description

Configuration Description Default Value

seq-num Entry number. 0

dst Destination IP and mask for this route. 0.0.0.0 0.0.0.0

gateway Gateway IP for this route. 0.0.0.0

distance Administrative distance (1 - 255). 10

weight Administrative weight (0 - 255). 0

priority Administrative priority (0 - 4294967295). 0

device Enable/disable gateway out interface. (Empty)

comment Comment. (Empty)

blackhole Enable/disable black hole. disable

dynamic-gateway Enable use of dynamic gateway retrieved from a DHCP or PPP server. disable

virtual-wan-link Enable/disable egress through the virtual-wan-link. disable

dstaddr Name of firewall address or address group. (Empty)

internet-service Application ID in the Internet service database. 0

internet-service-custom Application name in the Internet service custom database. (Empty)


router/static6

CLI Syntax

config router static6
    edit <name_str>
        set seq-num <integer>
        set dst <ipv6-network>
        set gateway <ipv6-address>
        set device <string>
        set devindex <integer>
        set distance <integer>
        set priority <integer>
        set comment <var-string>
        set blackhole {enable | disable}
end


Description

Configuration Description Default Value

seq-num Sequence number. 0

dst Destination IPv6 prefix for this route. ::/0

gateway Gateway IPv6 address for this route. ::

device Gateway out interface or tunnel. (Empty)

devindex Device index (0 - 4294967295). 0

distance Administrative distance (1 - 255). 10

priority Administrative priority (0 - 4294967295). 0

comment Comment. (Empty)

blackhole Enable/disable black hole. disable


spamfilter/bwl

CLI Syntax

config spamfilter bwl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set type {ip | email}
                set action {reject | spam | clear}
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
                set pattern-type {wildcard | regexp}
                set email-pattern <string>
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Anti-spam black/white list entries. (Empty)


spamfilter/bword

CLI Syntax

config spamfilter bword
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set pattern <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
                set where {subject | body | all}
                set language {western | simch | trach | japanese | korean | french | thai | spanish}
                set score <integer>
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Spam filter banned word. (Empty)


spamfilter/dnsbl

CLI Syntax

config spamfilter dnsbl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set server <string>
                set action {reject | spam}
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Spam filter DNSBL and ORBL server. (Empty)


spamfilter/fortishield

CLI Syntax

config spamfilter fortishield
    edit <name_str>
        set spam-submit-srv <string>
        set spam-submit-force {enable | disable}
        set spam-submit-txt2htm {enable | disable}
end


Description

Configuration Description Default Value

spam-submit-srv Hostname of the spam submission server. www.nospammer.net

spam-submit-force Enable/disable force insertion of a new mime entity for the submission text. enable

spam-submit-txt2htm Enable/disable conversion of text email to HTML email. enable


spamfilter/iptrust

CLI Syntax

config spamfilter iptrust
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Spam filter trusted IP addresses. (Empty)


spamfilter/mheader

CLI Syntax

config spamfilter mheader
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set fieldname <string>
                set fieldbody <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Spam filter mime header content. (Empty)


spamfilter/options

CLI Syntax

config spamfilter options
    edit <name_str>
        set dns-timeout <integer>
end


Description

Configuration Description Default Value

dns-timeout DNS query time out (1 - 30 sec). 7


spamfilter/profile

CLI Syntax

config spamfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set flow-based {enable | disable}
        set replacemsg-group <string>
        set spam-log {enable | disable}
        set spam-filtering {enable | disable}
        set external {enable | disable}
        set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
        config imap
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
        end
        config pop3
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
        end
        config smtp
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag | discard}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
                set hdrip {enable | disable}
                set local-override {enable | disable}
        end
        config mapi
            edit <name_str>
                set log {enable | disable}
                set action {pass | discard}
        end
        config msn-hotmail
            edit <name_str>
                set log {enable | disable}
        end
        config yahoo-mail
            edit <name_str>
                set log {enable | disable}
        end


        config gmail
            edit <name_str>
                set log {enable | disable}
        end
        set spam-bword-threshold <integer>
        set spam-bword-table <integer>
        set spam-bwl-table <integer>
        set spam-mheader-table <integer>
        set spam-rbl-table <integer>
        set spam-iptrust-table <integer>
end


Description

Configuration Description Default Value

name Profile name. (Empty)

comment Comment. (Empty)

flow-based Enable/disable flow-based spam filtering. disable

replacemsg-group Replacement message group. (Empty)

spam-log Enable/disable spam logging for email filtering. enable

spam-filtering Enable/disable spam filtering. disable

external Enable/disable external Email inspection. disable

options Options. (Empty)

imap IMAP. Details below

    Configuration    Default Value
    log              disable
    action           tag
    tag-type         subject spaminfo
    tag-msg          Spam

pop3 POP3. Details below

    Configuration    Default Value
    log              disable
    action           tag
    tag-type         subject spaminfo
    tag-msg          Spam

smtp SMTP. Details below

    Configuration    Default Value
    log              disable
    action           discard
    tag-type         subject spaminfo
    tag-msg          Spam
    hdrip            disable
    local-override   disable

mapi MAPI. Details below


    Configuration    Default Value
    log              disable
    action           discard

msn-hotmail MSN Hotmail. Details below

    Configuration    Default Value
    log              disable

yahoo-mail Yahoo! Mail. Details below

    Configuration    Default Value
    log              disable

gmail Gmail. Details below

    Configuration    Default Value
    log              disable

spam-bword-threshold Spam banned word threshold. 10

spam-bword-table Anti-spam banned word table ID. 0

spam-bwl-table Anti-spam black/white list table ID. 0

spam-mheader-table Anti-spam MIME header table ID. 0

spam-rbl-table Anti-spam DNSBL table ID. 0

spam-iptrust-table Anti-spam IP trust table ID. 0


system.autoupdate/push-update

CLI Syntax

config system.autoupdate push-update
    edit <name_str>
        set status {enable | disable}
        set override {enable | disable}
        set address <ipv4-address-any>
        set port <integer>
end


Description

Configuration Description Default Value

status Enable/disable push updates. disable

override Enable/disable push update override server. disable

address Push update override server. 0.0.0.0

port Push update override port. 9443


system.autoupdate/schedule

CLI Syntax

config system.autoupdate schedule
    edit <name_str>
        set status {enable | disable}
        set frequency {every | daily | weekly}
        set time <user>
        set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end


Description

Configuration Description Default Value

status Enable/disable scheduled updates. enable

frequency Update frequency. every

time Update time. 02:60

day Update day. Monday


system.autoupdate/tunneling

CLI Syntax

config system.autoupdate tunneling
    edit <name_str>
        set status {enable | disable}
        set address <string>
        set port <integer>
        set username <string>
        set password <password>
end


Description

Configuration Description Default Value

status Enable/disable web proxy tunnelling. disable

address Web proxy IP address or FQDN. (Empty)

port Web proxy port. 0

username Web proxy username. (Empty)

password Web proxy password. (Empty)


system.dhcp/server

CLI Syntax

config system.dhcp server
    edit <name_str>
        set id <integer>
        set status {disable | enable}
        set lease-time <integer>
        set mac-acl-default-action {assign | block}
        set forticlient-on-net-status {disable | enable}
        set dns-service {local | default | specify}
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set dns-server3 <ipv4-address>
        set wifi-ac1 <ipv4-address>
        set wifi-ac2 <ipv4-address>
        set wifi-ac3 <ipv4-address>
        set ntp-service {local | default | specify}
        set ntp-server1 <ipv4-address>
        set ntp-server2 <ipv4-address>
        set ntp-server3 <ipv4-address>
        set domain <string>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set default-gateway <ipv4-address>
        set next-server <ipv4-address>
        set netmask <ipv4-netmask>
        set interface <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        set timezone-option {disable | default | specify}
        set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
        set tftp-server <string>
        set filename <string>
        set option1 <user>
        set option2 <user>
        set option3 <user>
        set option4 <user>
        set option5 <user>
        set option6 <user>
        set server-type {regular | ipsec}


        set ip-mode {range | usrgrp}
        set conflicted-ip-timeout <integer>
        set ipsec-lease-hold <integer>
        set auto-configuration {disable | enable}
        set ddns-update {disable | enable}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-ttl <integer>
        set vci-match {disable | enable}
        config vci-string
            edit <name_str>
                set vci-string <string>
        end
        config exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        config reserved-address
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
                set mac <mac-address>
                set action {assign | block | reserved}
                set description <var-string>
        end
end


Description

Configuration Description Default Value

id ID. 0

status Enable/disable use this DHCP configuration. enable

lease-time Lease time in seconds. 604800

mac-acl-default-action MAC access control default action. assign

forticlient-on-net-status Sending FortiGate serial number as a DHCP option. enable

dns-service DNS service option. specify

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0

dns-server3 DNS server 3. 0.0.0.0

wifi-ac1 WiFi AC 1. 0.0.0.0

wifi-ac2 WiFi AC 2. 0.0.0.0

wifi-ac3 WiFi AC 3. 0.0.0.0

ntp-service NTP service option. specify

ntp-server1 NTP server 1. 0.0.0.0

ntp-server2 NTP server 2. 0.0.0.0

ntp-server3 NTP server 3. 0.0.0.0

domain Domain name. (Empty)

wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

default-gateway Enable/disable default gateway. 0.0.0.0

next-server Next bootstrap server. 0.0.0.0

netmask Netmask. 0.0.0.0


interface Interface name. (Empty)

ip-range DHCP IP range configuration. (Empty)

timezone-option Time zone settings. disable

timezone Time zone. 00

tftp-server Hostname or IP address of the TFTP server. (Empty)

filename Boot file name. (Empty)

option1 Option 1. 0

option2 Option 2. 0

option3 Option 3. 0

option4 Option 4. 0

option5 Option 5. 0

option6 Option 6. 0

server-type Type of DHCP service to provide. regular

ip-mode Method used to assign client IP. range

conflicted-ip-timeout Time conflicted IP is removed from the range (seconds). 1800

ipsec-lease-hold DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry). 60

auto-configuration Enable/disable auto configuration. enable

ddns-update Enable/disable DDNS update for DHCP. disable

ddns-server-ip DDNS server IP. 0.0.0.0

ddns-zone Zone of your domain name (ex. DDNS.com). (Empty)

ddns-auth DDNS authentication mode. disable

ddns-keyname DDNS update key name. (Empty)


ddns-key DDNS update key (base 64 encoding). 'ENCAuAHaUUdY1NOrENeFjxC6TXsIjntkrMvREwMTLVsKksjKKAeHgnmgOYHVJsx1EMp4FsdxXlBMGI9fs0Gob4fjHviV670NU8ypyB+szhnVal5VB5J/EQgo1R2WKM='

ddns-ttl TTL. 300

vci-match Enable/disable VCI matching. disable

vci-string VCI strings. (Empty)

exclude-range DHCP exclude range configuration. (Empty)

reserved-address DHCP reserved IP address. (Empty)


system.dhcp6/server

CLI Syntax

config system.dhcp6 server
    edit <name_str>
        set id <integer>
        set status {disable | enable}
        set rapid-commit {disable | enable}
        set lease-time <integer>
        set dns-service {delegated | default | specify}
        set dns-server1 <ipv6-address>
        set dns-server2 <ipv6-address>
        set dns-server3 <ipv6-address>
        set domain <string>
        set subnet <ipv6-prefix>
        set interface <string>
        set option1 <user>
        set option2 <user>
        set option3 <user>
        set upstream-interface <string>
        set ip-mode {range | delegated}
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
        end
end


Description

Configuration Description Default Value

id ID. 0

status Enable/disable use this DHCP configuration. enable

rapid-commit Enable/disable allow/disallow rapid commit. disable

lease-time Lease time in seconds. 604800

dns-service DNS service option. specify

dns-server1 DNS server 1. ::

dns-server2 DNS server 2. ::

dns-server3 DNS server 3. ::

domain Domain name. (Empty)

subnet Subnet or subnet-id if the IP mode is delegated. ::/0

interface Interface name. (Empty)

option1 Option 1. 0

option2 Option 2. 0

option3 Option 3. 0

upstream-interface Interface name from where delegated information is provided. (Empty)

ip-mode Method used to assign client IP. range

ip-range DHCP IP range configuration. (Empty)


system.replacemsg/admin

CLI Syntax

config system.replacemsg admin
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/alertmail

CLI Syntax

config system.replacemsg alertmail
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/auth

CLI Syntax

config system.replacemsg auth
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/device-detection-portal

CLI Syntax

config system.replacemsg device-detection-portal
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/ec

CLI Syntax

config system.replacemsg ec
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/fortiguard-wf

CLI Syntax

config system.replacemsg fortiguard-wf
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/ftp

CLI Syntax

config system.replacemsg ftp
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/http

CLI Syntax

config system.replacemsg http
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/mail

CLI Syntax

config system.replacemsg mail
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/nac-quar

CLI Syntax

config system.replacemsg nac-quar
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/nntp

CLI Syntax

config system.replacemsg nntp
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/spam

CLI Syntax

config system.replacemsg spam
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/sslvpn

CLI Syntax

config system.replacemsg sslvpn
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/traffic-quota

CLI Syntax

config system.replacemsg traffic-quota
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/utm

CLI Syntax

config system.replacemsg utm
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.replacemsg/webproxy

CLI Syntax

config system.replacemsg webproxy
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
end


Description

Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none


system.snmp/community

CLI Syntax

config system.snmp community
    edit <name_str>
        set id <integer>
        set name <string>
        set status {enable | disable}
        config hosts
            edit <name_str>
                set id <integer>
                set source-ip <ipv4-address>
                set ip <user>
                set interface <string>
                set ha-direct {enable | disable}
                set host-type {any | query | trap}
        end
        config hosts6
            edit <name_str>
                set id <integer>
                set source-ipv6 <ipv6-address>
                set ipv6 <ipv6-prefix>
                set ha-direct {enable | disable}
                set interface <string>
                set host-type {any | query | trap}
        end
        set query-v1-status {enable | disable}
        set query-v1-port <integer>
        set query-v2c-status {enable | disable}
        set query-v2c-port <integer>
        set trap-v1-status {enable | disable}
        set trap-v1-lport <integer>
        set trap-v1-rport <integer>
        set trap-v2c-status {enable | disable}
        set trap-v2c-lport <integer>
        set trap-v2c-rport <integer>
        set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
end


Description

Configuration Description Default Value

id Community ID. 0

name Community name. (Empty)

status Enable/disable this community. enable

hosts Allow hosts configuration. (Empty)

hosts6 Allow hosts configuration for IPv6. (Empty)

query-v1-status Enable/disable SNMP v1 query. enable

query-v1-port SNMP v1 query port. 161

query-v2c-status Enable/disable SNMP v2c query. enable

query-v2c-port SNMP v2c query port. 161

trap-v1-status Enable/disable SNMP v1 trap. enable

trap-v1-lport SNMP v1 trap local port. 162

trap-v1-rport SNMP v1 trap remote port. 162

trap-v2c-status Enable/disable SNMP v2c trap. enable

trap-v2c-lport SNMP v2c trap local port. 162

trap-v2c-rport SNMP v2c trap remote port. 162


events SNMP trap events. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down


system.snmp/sysinfo

CLI Syntax

config system.snmp sysinfo
    edit <name_str>
        set status {enable | disable}
        set engine-id <string>
        set description <string>
        set contact-info <string>
        set location <string>
        set trap-high-cpu-threshold <integer>
        set trap-low-memory-threshold <integer>
        set trap-log-full-threshold <integer>
end


Description

Configuration Description Default Value

status Enable/disable SNMP. disable

engine-id Local SNMP engineID string (maximum 24 characters). (Empty)

description System description. (Empty)

contact-info Contact information. (Empty)

location System location. (Empty)

trap-high-cpu-threshold CPU usage when trap is sent. 80

trap-low-memory-threshold Memory usage when trap is sent. 80

trap-log-full-threshold Log disk usage when trap is sent. 90


system.snmp/user

CLI Syntax

config system.snmp user
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set trap-status {enable | disable}
        set trap-lport <integer>
        set trap-rport <integer>
        set queries {enable | disable}
        set query-port <integer>
        set notify-hosts <ipv4-address>
        set notify-hosts6 <ipv6-address>
        set source-ip <ipv4-address>
        set source-ipv6 <ipv6-address>
        set ha-direct {enable | disable}
        set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
        set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
        set auth-proto {md5 | sha}
        set auth-pwd <password>
        set priv-proto {aes | des | aes256 | aes256cisco}
        set priv-pwd <password>
end


Description

Configuration Description Default Value

name SNMP user name. (Empty)

status Enable/disable this user. enable

trap-status Enable/disable traps for this user. enable

trap-lport SNMPv3 trap local port. 162

trap-rport SNMPv3 trap remote port. 162

queries Enable/disable queries for this user. enable

query-port SNMPv3 query port. 161

notify-hosts Hosts to send notifications (traps) to. (Empty)

notify-hosts6 IPv6 hosts to send notifications (traps) to. (Empty)

source-ip Source IP for SNMP trap. 0.0.0.0

source-ipv6 Source IPv6 for SNMP trap. ::

ha-direct Enable/disable direct management of HA cluster members. disable


events SNMP notifications (traps) to send. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down

security-level Security level for message authentication and encryption. no-auth-no-priv

auth-proto Authentication protocol. sha

auth-pwd Password for authentication protocol. (Empty)

priv-proto Privacy (encryption) protocol. aes

priv-pwd Password for privacy (encryption) protocol. (Empty)


system/accprofile

CLI Syntax


config system accprofile
    edit <name_str>
        set name <string>
        set scope {vdom | global}
        set comments <var-string>
        set mntgrp {none | read | read-write}
        set admingrp {none | read | read-write}
        set updategrp {none | read | read-write}
        set authgrp {none | read | read-write}
        set sysgrp {none | read | read-write}
        set netgrp {none | read | read-write}
        set loggrp {none | read | read-write | custom | w | r | rw}
        set routegrp {none | read | read-write}
        set fwgrp {none | read | read-write | custom | w | r | rw}
        set vpngrp {none | read | read-write}
        set utmgrp {none | read | read-write | custom | w | r | rw}
        set wanoptgrp {none | read | read-write}
        set endpoint-control-grp {none | read | read-write}
        set wifi {none | read | read-write}
        config fwgrp-permission
            edit <name_str>
                set policy {none | read | read-write}
                set address {none | read | read-write}
                set service {none | read | read-write}
                set schedule {none | read | read-write}
                set packet-capture {none | read | read-write}
                set others {none | read | read-write}
        end
        config loggrp-permission
            edit <name_str>
                set config {none | read | read-write}
                set data-access {none | read | read-write}
                set report-access {none | read | read-write}
                set threat-weight {none | read | read-write}
        end
        config utmgrp-permission
            edit <name_str>
                set antivirus {none | read | read-write}
                set ips {none | read | read-write}
                set webfilter {none | read | read-write}
                set spamfilter {none | read | read-write}
                set data-loss-prevention {none | read | read-write}
                set application-control {none | read | read-write}
                set icap {none | read | read-write}
                set casi {none | read | read-write}
                set voip {none | read | read-write}
                set waf {none | read | read-write}
                set dnsfilter {none | read | read-write}
        end
end


Description

Configuration Description Default Value

name Profile name. (Empty)

scope Global or single VDOM access restriction. vdom

comments Comment. (Empty)

mntgrp Maintenance. none

admingrp Administrator Users. none

updategrp FortiGuard Update. none

authgrp User & Device. none

sysgrp System Configuration. none

netgrp Network Configuration. none

loggrp Log & Report. none

routegrp Router Configuration. none

fwgrp Firewall Configuration. none

vpngrp VPN Configuration. none

utmgrp Security Profile Configuration. none

wanoptgrp WAN Opt & Cache. none

endpoint-control-grp Endpoint Security. none

wifi Wireless controller. none

fwgrp-permission Custom firewall permission. Details below

Configuration Default Value

policy none

address none

service none

schedule none

packet-capture none

others none


loggrp-permission Custom Log & Report permission. Details below

Configuration Default Value

config none

data-access none

report-access none

threat-weight none

utmgrp-permission Custom UTM permission. Details below

Configuration Default Value

antivirus none

ips none

webfilter none

spamfilter none

data-loss-prevention none

application-control none

icap none

casi none

voip none

waf none

dnsfilter none


system/admin

CLI Syntax

config system admin
    edit <name_str>
        set name <string>
        set wildcard {enable | disable}
        set remote-auth {enable | disable}
        set remote-group <string>
        set password <password-2>
        set peer-auth {enable | disable}
        set peer-group <string>
        set trusthost1 <ipv4-classnet>
        set trusthost2 <ipv4-classnet>
        set trusthost3 <ipv4-classnet>
        set trusthost4 <ipv4-classnet>
        set trusthost5 <ipv4-classnet>
        set trusthost6 <ipv4-classnet>
        set trusthost7 <ipv4-classnet>
        set trusthost8 <ipv4-classnet>
        set trusthost9 <ipv4-classnet>
        set trusthost10 <ipv4-classnet>
        set ip6-trusthost1 <ipv6-prefix>
        set ip6-trusthost2 <ipv6-prefix>
        set ip6-trusthost3 <ipv6-prefix>
        set ip6-trusthost4 <ipv6-prefix>
        set ip6-trusthost5 <ipv6-prefix>
        set ip6-trusthost6 <ipv6-prefix>
        set ip6-trusthost7 <ipv6-prefix>
        set ip6-trusthost8 <ipv6-prefix>
        set ip6-trusthost9 <ipv6-prefix>
        set ip6-trusthost10 <ipv6-prefix>
        set accprofile <string>
        set allow-remove-admin-session {enable | disable}
        set comments <var-string>
        set hidden <integer>
        config vdom
            edit <name_str>
                set name <string>
        end
        set is-admin <integer>
        set ssh-public-key1 <user>
        set ssh-public-key2 <user>
        set ssh-public-key3 <user>
        set ssh-certificate <string>
        set schedule <string>
        set accprofile-override {enable | disable}
        set radius-vdom-override {enable | disable}
        set password-expire <user>
        set force-password-change {enable | disable}
        config dashboard
            edit <name_str>
                set id <integer>
                set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid | tr-history | analytics | usb-modem}
                set name <string>
                set column <integer>
                set refresh-interval <integer>
                set time-period <integer>
                set chart-color <integer>
                set top-n <integer>
                set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
                set report-by {source | destination | application | dlp-rule | dlp-sensor | policy | protocol | web-category | web-domain | all | profile}
                set ip-version {ipboth | ipv4 | ipv6}
                set resolve-host {enable | disable}
                set resolve-service {enable | disable}
                set aggregate-hosts {enable | disable}
                set resolve-apps {enable | disable}
                set display-format {chart | table | line}
                set view-type {real-time | historical}
                set cpu-display-type {average | each}
                set interface <string>
                set dst-interface <string>
                set tr-history-period1 <integer>
                set tr-history-period2 <integer>
                set tr-history-period3 <integer>
                set vdom <string>
                set refresh {enable | disable}
                set status {close | open}
                set protocols <integer>
                set show-system-restart {enable | disable}
                set show-conserve-mode {enable | disable}
                set show-firmware-change {enable | disable}
                set show-fds-update {enable | disable}
                set show-device-update {enable | disable}
                set show-fds-quota {enable | disable}
                set show-disk-failure {enable | disable}
                set show-power-supply {enable | disable}
                set show-admin-auth {enable | disable}
                set show-fgd-alert {enable | disable}
                set show-fcc-license {enable | disable}
                set show-policy-overflow {enable | disable}
        end
        set two-factor {disable | fortitoken | email | sms}
        set fortitoken <string>
        set email-to <string>
        set sms-server {fortiguard | custom}
        set sms-custom-server <string>
        set sms-phone <string>
        set guest-auth {disable | enable}
        config guest-usergroups
            edit <name_str>
                set name <string>
        end
        set guest-lang <string>
        set history0 <password-2>
        set history1 <password-2>
        config login-time
            edit <name_str>
                set usr-name <string>
                set last-login <datetime>
                set last-failed-login <datetime>
        end
end


Description

Configuration Description Default Value

name User name. (Empty)

wildcard Enable/disable wildcard RADIUS authentication. disable

remote-auth Enable/disable remote authentication. disable

remote-group User group name used for remote auth. (Empty)

password Admin user password. ENC XXUp2ozpdysrQ

peer-auth Enable/disable peer authentication. disable

peer-group Peer group name. (Empty)

trusthost1 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost2 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost3 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost4 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost5 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost6 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost7 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost8 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost9 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost10 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0


ip6-trusthost1 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost2 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost3 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost4 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost5 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost6 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost7 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost8 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost9 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost10 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

accprofile Admin user access profile. (Empty)

allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users. enable

comments Comment. (Empty)

hidden Admin user hidden attribute. 0

vdom Virtual domains. (Empty)

is-admin Is user admin. 0

ssh-public-key1 SSH public key1. (Empty)

ssh-public-key2 SSH public key2. (Empty)

ssh-public-key3 SSH public key3. (Empty)

ssh-certificate SSH certificate. (Empty)

schedule Schedule name. (Empty)

accprofile-override Enable/disable allow access profile to be overridden from remote auth server. disable

radius-vdom-override Enable/disable allow VDOM to be overridden from RADIUS. disable


password-expire Password expire time. 0000-00-00 00:00:00

force-password-change Enable/disable force password change on next login. disable

dashboard GUI custom dashboard. (Empty)

two-factor Enable/disable two-factor authentication. disable

fortitoken Two-factor recipient's FortiToken serial number. (Empty)

email-to Two-factor recipient's email address. (Empty)

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server Two-factor recipient's SMS server. (Empty)

sms-phone Two-factor recipient's mobile phone number. (Empty)

guest-auth Enable/disable guest authentication. disable

guest-usergroups Select guest user groups. (Empty)

guest-lang Guest management portal language. (Empty)

history0 history0 ENC

history1 history1 ENC

login-time Record user login time. (Empty)
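
The defaults in the system.snmp/user and system/admin tables decide what an object does when an option is left unset, so a configuration review has to work from effective values. The following is an added example, not part of the Fortinet reference and not Fortinet code: it parses constructed configuration text, fills unset options from the defaults listed on this page, and reports SNMP users and administrators that end up on no-auth-no-priv, md5, des, the all-addresses trusted host default, or two-factor disable. The "next" keyword, the space-separated table name "system snmp user" and the finding labels are assumptions that this page does not show.

```python
import shlex

# Defaults copied from the system.snmp/user and system/admin tables above.
SNMP_USER_DEFAULTS = {"status": "enable", "security-level": "no-auth-no-priv",
                      "auth-proto": "sha", "priv-proto": "aes"}
TRUST_KEYS = [f"trusthost{i}" for i in range(1, 11)]
TRUST_KEYS += [f"ip6-trusthost{i}" for i in range(1, 11)]
ADMIN_DEFAULTS = {"two-factor": "disable"}
ADMIN_DEFAULTS.update({k: "::/0" if k.startswith("ip6") else "0.0.0.0 0.0.0.0"
                       for k in TRUST_KEYS})

# Constructed sample, not from a real device ("next" is an assumption).
SAMPLE = """
config system snmp user
    edit "nms-legacy"
        set notify-hosts 192.0.2.10
    next
    edit "nms-v3"
        set security-level auth-priv
        set priv-proto aes256
    next
    edit "nms-weak"
        set security-level auth-priv
        set auth-proto md5
        set priv-proto des
    next
    edit "retired"
        set status disable
    next
end
config system admin
    edit "admin"
        config vdom
            edit "root"
            next
        end
    next
    edit "ops"
        set trusthost1 198.51.100.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""


def parse_tables(text):
    """Return {table: {entry: {option: value}}} for top-level config tables.

    Only "set" lines directly under a top-level "edit" are kept; nested
    "config" blocks (such as "config vdom" inside an admin) are skipped.
    """
    tables, depth, table, entry = {}, 0, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            depth += 1
            if depth == 1:
                # "system.snmp user" (as printed here) -> "system snmp user"
                table = " ".join(tok[1:]).replace(".", " ")
        elif cmd == "edit" and depth == 1:
            entry = tables.setdefault(table, {}).setdefault(tok[1], {})
        elif cmd == "set" and depth == 1 and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif cmd == "next" and depth == 1:
            entry = None
        elif cmd == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                table = entry = None
    return tables


def audit(text):
    """Return sorted (table, entry, finding) tuples based on effective values."""
    tables, out = parse_tables(text), []
    for name, opts in tables.get("system snmp user", {}).items():
        eff = {**SNMP_USER_DEFAULTS, **opts}  # unset options take the default
        if eff["status"] != "enable":
            continue
        level = eff["security-level"]
        if level != "auth-priv":
            out.append(("snmp user", name, f"security-level {level}"))
        if level != "no-auth-no-priv" and eff["auth-proto"] == "md5":
            out.append(("snmp user", name, "auth-proto md5"))
        if level == "auth-priv" and eff["priv-proto"] == "des":
            out.append(("snmp user", name, "priv-proto des"))
    for name, opts in tables.get("system admin", {}).items():
        eff = {**ADMIN_DEFAULTS, **opts}
        if all(eff[k] == ADMIN_DEFAULTS[k] for k in TRUST_KEYS):
            out.append(("admin", name, "all trusted hosts at default"))
        if eff["two-factor"] == "disable":
            out.append(("admin", name, "two-factor disable"))
    return sorted(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The parser reads one command per line, so multi-line quoted values such as replacement message buffers need to be stripped before the text is passed in.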


system/alarm

CLI Syntax

config system alarm
    edit <name_str>
        set status {enable | disable}
        set audible {enable | disable}
        set sequence <integer>
        config groups
            edit <name_str>
                set id <integer>
                set period <integer>
                set admin-auth-failure-threshold <integer>
                set admin-auth-lockout-threshold <integer>
                set user-auth-failure-threshold <integer>
                set user-auth-lockout-threshold <integer>
                set replay-attempt-threshold <integer>
                set self-test-failure-threshold <integer>
                set log-full-warning-threshold <integer>
                set encryption-failure-threshold <integer>
                set decryption-failure-threshold <integer>
                config fw-policy-violations
                    edit <name_str>
                        set id <integer>
                        set threshold <integer>
                        set src-ip <ipv4-address>
                        set dst-ip <ipv4-address>
                        set src-port <integer>
                        set dst-port <integer>
                end
                set fw-policy-id <integer>
                set fw-policy-id-threshold <integer>
        end
end


Description

Configuration Description Default Value

status Enable/disable alarm. disable

audible Enable/disable audible alarm. disable

sequence Sequence ID of alarms. 0

groups Alarm groups. (Empty)


system/arp-table

CLI Syntax

config system arp-table
    edit <name_str>
        set id <integer>
        set interface <string>
        set ip <ipv4-address>
        set mac <mac-address>
end


Description

Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface name. (Empty)

ip IP address. 0.0.0.0

mac MAC address. 00:00:00:00:00:00


system/auto-install

CLI Syntax

config system auto-install
    edit <name_str>
        set auto-install-config {enable | disable}
        set auto-install-image {enable | disable}
        set default-config-file <string>
        set default-image-file <string>
end


Description

Configuration Description Default Value

auto-install-config Enable/disable auto install the config in USB disk. disable

auto-install-image Enable/disable auto install the image in USB disk. disable

default-config-file Default config file name in USB disk. fgt_system.conf

default-image-file Default image file name in USB disk. image.out


system/auto-script

CLI Syntax

config system auto-script
    edit <name_str>
        set name <string>
        set interval <integer>
        set repeat <integer>
        set start {manual | auto}
        set script <var-string>
end


Description

Configuration Description Default Value

name Auto script name. (Empty)

interval Repeat interval in seconds. 0

repeat Number of times to repeat this script (0 = infinite). 1

start Script starting mode. manual

script List of FortiOS CLI commands to repeat. (Empty)


system/central-management

CLI Syntax

config system central-management
    edit <name_str>
        set mode {normal | backup}
        set type {fortimanager | fortiguard | none}
        set schedule-config-restore {enable | disable}
        set schedule-script-restore {enable | disable}
        set allow-push-configuration {enable | disable}
        set allow-pushd-firmware {enable | disable}
        set allow-remote-firmware-upgrade {enable | disable}
        set allow-monitor {enable | disable}
        set serial-number <user>
        set fmg <string>
        set fmg-source-ip <ipv4-address>
        set fmg-source-ip6 <ipv6-address>
        set vdom <string>
        config server-list
            edit <name_str>
                set id <integer>
                set server-type {update | rating}
                set addr-type {ipv4 | ipv6}
                set server-address <ipv4-address>
                set server-address6 <ipv6-address>
        end
        set include-default-servers {enable | disable}
        set enc-algorithm {default | high | low}
end


Description

Configuration Description Default Value

mode Normal/backup management mode. normal

type Type of management server. none

schedule-config-restore Enable/disable scheduled configuration restore. enable

schedule-script-restore Enable/disable scheduled script restore. enable

allow-push-configuration Enable/disable push configuration. enable

allow-pushd-firmware Enable/disable push firmware. enable

allow-remote-firmware-upgrade Enable/disable remote firmware upgrade. enable

allow-monitor Enable/disable remote monitoring of device. enable

serial-number Serial number. (Empty)

fmg Address of FortiManager (IP or FQDN name). (Empty)

fmg-source-ip Source IPv4 address to use when connecting to FortiManager. 0.0.0.0

fmg-source-ip6 Source IPv6 address to use when connecting to FortiManager. ::

vdom Virtual domain name. root

server-list FortiGuard override server list. (Empty)

include-default-servers Enable/disable inclusion of public FortiGuard servers in the override server list. enable

enc-algorithm Use SSL encryption. high


system/cluster-sync

CLI Syntax

config system cluster-sync
    edit <name_str>
        set sync-id <integer>
        set peervd <string>
        set peerip <ipv4-address>
        config syncvd
            edit <name_str>
                set name <string>
        end
        config session-sync-filter
            edit <name_str>
                set srcintf <string>
                set dstintf <string>
                set srcaddr <ipv4-classnet-any>
                set dstaddr <ipv4-classnet-any>
                set srcaddr6 <ipv6-network>
                set dstaddr6 <ipv6-network>
                config custom-service
                    edit <name_str>
                        set id <integer>
                        set src-port-range <user>
                        set dst-port-range <user>
                end
        end
end


Description

Configuration Description Default Value

sync-id Sync ID. 0

peervd Peer connecting VDOM. root

peerip Peer connecting IP. 0.0.0.0

syncvd VDOM of which sessions need to be synced. (Empty)

session-sync-filter Session sync filter. Details below

Configuration Default Value

srcintf (Empty)

dstintf (Empty)

srcaddr 0.0.0.0 0.0.0.0

dstaddr 0.0.0.0 0.0.0.0

srcaddr6 ::/0

dstaddr6 ::/0

custom-service (Empty)


system/console

CLI Syntax

config system console
    edit <name_str>
        set mode {batch | line}
        set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
        set output {standard | more}
        set login {enable | disable}
        set fortiexplorer {enable | disable}
end


Description

Configuration Description Default Value

mode Console mode. line

baudrate Console baud rate. 9600

output Console output mode. more

login Enable/disable serial console and FortiExplorer. enable

fortiexplorer Enable/disable access for FortiExplorer. enable


system/custom-language

CLI Syntax

config system custom-language
    edit <name_str>
        set name <string>
        set filename <string>
        set comments <var-string>
end


Description

Configuration Description Default Value

name Name. (Empty)

filename Custom language file path. (Empty)

comments Comment. (Empty)


system/ddns

CLI Syntax

config system ddns
    edit <name_str>
        set ddnsid <integer>
        set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-ttl <integer>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-domain <string>
        set ddns-username <string>
        set ddns-sn <string>
        set ddns-password <password>
        set use-public-ip {disable | enable}
        set bound-ip <ipv4-address>
        config monitor-interface
            edit <name_str>
                set interface-name <string>
        end
end


Description

Configuration Description Default Value

ddnsid DDNS ID. 0

ddns-server DDNS server. (Empty)

ddns-server-ip Generic DDNS server IP. 0.0.0.0

ddns-zone Zone of your domain name (ex. DDNS.com). (Empty)

ddns-ttl TTL. 300

ddns-auth DDNS authentication mode. disable

ddns-keyname DDNS update key name. (Empty)

ddns-key DDNS update key (base 64 encoding). 'ENCL97VaR0bKQoAAeh+O+39Q85hAnL3Fl7t4UL1eLfgKdgTSHZUCAnVYM1U9oVgGyVRfy6HlPmrFFsS9nlLExpJmd1pwYrf7jCCjr0lx5+1WNFyP50Fgz7fsLe43Lc='

ddns-domain Your domain name (ex. yourname.DDNS.com). (Empty)

ddns-username DDNS user name. (Empty)

ddns-sn DDNS Serial Number. (Empty)

ddns-password DDNS password. (Empty)

use-public-ip Enable/disable use of public IP address. disable

bound-ip Bound IP address. 0.0.0.0

monitor-interface Monitored interface. (Empty)


system/dedicated-mgmt

CLI Syntax

config system dedicated-mgmt
    edit <name_str>
        set status {enable | disable}
        set interface <string>
        set default-gateway <ipv4-address>
        set dhcp-server {enable | disable}
        set dhcp-netmask <ipv4-netmask>
        set dhcp-start-ip <ipv4-address>
        set dhcp-end-ip <ipv4-address>
end


Description

Configuration Description Default Value

status Enable/disable dedicated management. disable

interface Dedicated management interface. (Empty)

default-gateway Default gateway for dedicated management interface. 0.0.0.0

dhcp-server Enable/disable DHCP server on management interface. disable

dhcp-netmask DHCP netmask. 0.0.0.0

dhcp-start-ip DHCP start IP for dedicated management. 0.0.0.0

dhcp-end-ip DHCP end IP for dedicated management. 0.0.0.0


system/dns

CLI Syntax

config system dns
    edit <name_str>
        set primary <ipv4-address>
        set secondary <ipv4-address>
        set domain <string>
        set ip6-primary <ipv6-address>
        set ip6-secondary <ipv6-address>
        set dns-cache-limit <integer>
        set dns-cache-ttl <integer>
        set cache-notfound-responses {disable | enable}
        set source-ip <ipv4-address>
end


Description

Configuration Description Default Value

primary Primary DNS IP. 0.0.0.0

secondary Secondary DNS IP. 0.0.0.0

domain Local domain name. (Empty)

ip6-primary IPv6 primary DNS IP. ::

ip6-secondary IPv6 secondary DNS IP. ::

dns-cache-limit Maximum number of entries in DNS cache. 5000

dns-cache-ttl TTL in DNS cache. 1800

cache-notfound-responses Enable/disable cache NOTFOUND responses from DNS server. disable

source-ip Source IP for communications to DNS server. 0.0.0.0


system/dns-database

CLI Syntax

config system dns-database
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set domain <string>
        set allow-transfer <user>
        set type {master | slave}
        set view {shadow | public}
        set ip-master <ipv4-address-any>
        set primary-name <string>
        set contact <string>
        set ttl <integer>
        set authoritative {enable | disable}
        set forwarder <user>
        set source-ip <ipv4-address>
        config dns-entry
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
                set ttl <integer>
                set preference <integer>
                set ip <ipv4-address-any>
                set ipv6 <ipv6-address>
                set hostname <string>
                set canonical-name <string>
        end
end


Description

Configuration Description Default Value

name Zone name. (Empty)

status Enable/disable DNS zone status. enable

domain Domain name. (Empty)

allow-transfer DNS zone transfer IP address list. (Empty)

type Zone type ('master' to manage entries directly, 'slave' to import entries from outside). master

view Zone view ('public' to serve public clients, 'shadow' to serve internal clients). shadow

ip-master IP address of master DNS server to import entries of this zone. 0.0.0.0

primary-name Domain name of the default DNS server for this zone. dns

contact Email address of the administrator for this zone. You can specify only the username (e.g. admin) or full email address (e.g. [email protected]). When using simple username, the domain of the email will be this zone. hostmaster

ttl Default time-to-live value in units of seconds for the entries of this zone (0 - 2147483647). 86400

authoritative Enable/disable authoritative zone. enable

forwarder DNS zone forwarder IP address list. (Empty)

source-ip Source IP for forwarding to DNS server. 0.0.0.0

dns-entry DNS entry. (Empty)


system/dns-server

CLI Syntax

config system dns-server
    edit <name_str>
        set name <string>
        set mode {recursive | non-recursive | forward-only}
        set dnsfilter-profile <string>
end


Description

Configuration Description Default Value

name DNS server name. (Empty)

mode DNS server mode. recursive

dnsfilter-profile DNS filter profile. (Empty)


system/dscp-based-priority

CLI Syntax

config system dscp-based-priority
    edit <name_str>
        set id <integer>
        set ds <integer>
        set priority {low | medium | high}
end


Description

Configuration Description Default Value

id Item ID. 0

ds DSCP (DiffServ) DS value (0 - 63). 0

priority DSCP based priority level. high


system/email-server

CLI Syntax

config system email-server
    edit <name_str>
        set type {custom}
        set reply-to <string>
        set server <string>
        set port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set authenticate {enable | disable}
        set validate-server {enable | disable}
        set username <string>
        set password <password>
        set security {none | starttls | smtps}
end


Description

Configuration Description Default Value

type Use FortiGuard Message service or custom server. custom

reply-to Reply-To email address. (Empty)

server SMTP server IP address or hostname. (Empty)

port SMTP server port. 25

source-ip SMTP server source IP. 0.0.0.0

source-ip6 SMTP server source IPv6. ::

authenticate Enable/disable authentication. disable

validate-server Enable/disable validation of server certificate. disable

username SMTP server user name for authentication. (Empty)

password SMTP server user password for authentication. (Empty)

security Connection security. none


system/fips-cc

CLI Syntax

config system fips-cc
    edit <name_str>
        set status {enable | disable}
        set entropy-token {enable | disable | dynamic}
        set error-flag {error-mode | exit-ready}
        set error-cause {none | memory | disk | syslog}
        set self-test-period <integer>
        set key-generation-self-test {enable | disable}
end


Description

Configuration Description Default Value

status Enable/disable FIPS-CC mode. disable

entropy-token Enable/disable/dynamic entropy token. dynamic

error-flag Hidden CC error flag. (Empty)

error-cause Hidden CC error cause. none

self-test-period Self test period. 1440

key-generation-self-test Enable/disable self tests after key generation. disable


system/fm

CLI Syntax

config system fm
    edit <name_str>
        set status {enable | disable}
        set id <string>
        set ip <ipv4-address>
        set vdom <string>
        set auto-backup {enable | disable}
        set scheduled-config-restore {enable | disable}
        set ipsec {enable | disable}
end


Description

Configuration Description Default Value

status Enable/disable FM. disable

id ID. (Empty)

ip IP address. 0.0.0.0

vdom VDOM. root

auto-backup Enable/disable automatic backup. disable

scheduled-config-restore Enable/disable scheduled configuration restore. disable

ipsec Enable/disable IPsec. disable


system/fortiguard

CLI Syntax

config system fortiguard
    edit <name_str>
        set port {53 | 8888 | 80}
        set service-account-id <string>
        set load-balance-servers <integer>
        set antispam-force-off {enable | disable}
        set antispam-cache {enable | disable}
        set antispam-cache-ttl <integer>
        set antispam-cache-mpercent <integer>
        set antispam-license <integer>
        set antispam-expiration <integer>
        set antispam-timeout <integer>
        set avquery-force-off {}
        set avquery-cache {}
        set avquery-cache-ttl <integer>
        set avquery-cache-mpercent <integer>
        set avquery-license <integer>
        set avquery-timeout <integer>
        set webfilter-force-off {enable | disable}
        set webfilter-cache {enable | disable}
        set webfilter-cache-ttl <integer>
        set webfilter-license <integer>
        set webfilter-expiration <integer>
        set webfilter-timeout <integer>
        set sdns-server-ip <user>
        set sdns-server-port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set ddns-server-ip <ipv4-address>
        set ddns-server-port <integer>
end


Description

Configuration Description Default Value

port Port used to communicate with the FortiGuard servers. 53

service-account-id Service account ID. (Empty)

load-balance-servers Number of servers to alternate between as first FortiGuard option. 1

antispam-force-off Enable/disable forcibly disable the service. disable

antispam-cache Enable/disable FortiGuard antispam cache. enable

antispam-cache-ttl Time-to-live for cache entries in seconds (300 - 86400). 1800

antispam-cache-mpercent Maximum percent of memory the cache is allowed to use (1-15%). 2

antispam-license License type. 4294967295

antispam-expiration License expiration. 0

antispam-timeout Query time out (1 - 30 seconds). 7

avquery-force-off avquery-force-off

avquery-cache avquery-cache

avquery-cache-ttl avquery-cache-ttl

avquery-cache-mpercent avquery-cache-mpercent

avquery-license avquery-license

avquery-timeout avquery-timeout

webfilter-force-off Enable/disable forcibly disable the service. disable

webfilter-cache Enable/disable FortiGuard webfilter cache. enable

webfilter-cache-ttl Time-to-live for cache entries in seconds (300 - 86400). 3600

webfilter-license License type. 4294967295

webfilter-expiration License expiration. 0

webfilter-timeout Query time out (1 - 30 seconds). 15

sdns-server-ip IP address of the FortiDNS server. (Empty)

sdns-server-port Port used to communicate with the FortiDNS servers. 53

source-ip Source IPv4 address used to communicate with the FortiGuard service. 0.0.0.0

source-ip6 Source IPv6 address used to communicate with the FortiGuard service. ::

ddns-server-ip IP address of the FortiDDNS server. 0.0.0.0

ddns-server-port Port used to communicate with the FortiDDNS servers. 443


system/fortimanager

CLI Syntax

config system fortimanager
    edit <name_str>
        set ip <ipv4-address-any>
        set vdom <string>
        set ipsec {enable | disable}
        set central-management {enable | disable}
        set central-mgmt-auto-backup {enable | disable}
        set central-mgmt-schedule-config-restore {enable | disable}
        set central-mgmt-schedule-script-restore {enable | disable}
end


Description

Configuration Description Default Value

ip IP address. 0.0.0.0

vdom Virtual domain name. root

ipsec Enable/disable FortiManager IPsec tunnel. disable

central-management Enable/disable FortiManager central management. disable

central-mgmt-auto-backup Enable/disable central management auto backup. disable

central-mgmt-schedule-config-restore Enable/disable central management schedule config restore. disable

central-mgmt-schedule-script-restore Enable/disable central management schedule script restore. disable


system/fortisandbox

CLI Syntax

config system fortisandbox
    edit <name_str>
        set status {enable | disable}
        set server <ipv4-address-any>
        set source-ip <ipv4-address>
        set enc-algorithm {default | high | low | disable}
        set email <string>
end


Description

Configuration Description Default Value

status Enable/disable FortiSandbox. disable

server Server IP. 0.0.0.0

source-ip Source IP for communications to FortiSandbox. 0.0.0.0

enc-algorithm Enable/disable sending of FortiSandbox data with SSL encryption. default

email Notifier email address. (Empty)


system/fsso-polling

CLI Syntax

config system fsso-polling
    edit <name_str>
        set status {enable | disable}
        set listening-port <integer>
        set authentication {enable | disable}
        set auth-password <password>
end


Description

Configuration Description Default Value

status Enable/disable FSSO Polling Mode status. enable

listening-port Listening port to accept clients. 8000

authentication Enable/disable FSSO Agent Authentication status. disable

auth-password Password to connect to FSSO Agent. (Empty)
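Added example (not part of the Fortinet reference): `show` output lists only settings that differ from their defaults, so a configuration review has to overlay the default values from the system/email-server, system/fortisandbox and system/fsso-polling tables above before judging what is actually in effect. The Python sketch below does that; the sample configuration is constructed, and the "in use" conditions and flagged values are an assumed review baseline rather than Fortinet guidance.

```python
import shlex

# Defaults copied from the Description tables above (FortiOS 5.4.0).
PAGE_DEFAULTS = {
    "system email-server": {"server": "", "port": "25", "authenticate": "disable",
                            "validate-server": "disable", "security": "none"},
    "system fortisandbox": {"status": "disable", "enc-algorithm": "default"},
    "system fsso-polling": {"status": "enable", "listening-port": "8000",
                            "authentication": "disable"},
}

# ASSUMPTION (review baseline chosen for this example, not from the reference):
# a section is audited only when it is in use, and these effective values
# are reported as findings.
IN_USE = {
    "system email-server": lambda cfg: bool(cfg["server"]),
    "system fortisandbox": lambda cfg: cfg["status"] == "enable",
    "system fsso-polling": lambda cfg: cfg["status"] == "enable",
}
FLAGGED = {
    "system email-server": {"security": {"none"}, "validate-server": {"disable"}},
    "system fortisandbox": {"enc-algorithm": {"low", "disable"}},
    "system fsso-polling": {"authentication": {"disable"}},
}

# Constructed sample in the style of `show` output: defaults are not printed,
# and system fsso-polling is absent because nothing in it was changed.
SAMPLE_SHOW = """\
#config-version=CONSTRUCTED-SAMPLE
config system global
    set hostname "fw-lab"
end
config system email-server
    set server "smtp.example.net"
    set port 587
    set security starttls
end
config system fortisandbox
    set status enable
    set server 192.0.2.10
    set enc-algorithm low
end
"""


def parse_config(text):
    """Return {section: {key: value}} for the top-level config blocks.

    Nested config blocks (for example dns-entry or monitor-interface) are
    skipped; for sections with several edit entries the last value wins.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw, comments=True)  # strips quotes and # lines
        except ValueError:                         # unbalanced quote: best effort
            tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif tok[0] == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and len(tok) >= 2:
            if tok[0] == "set":
                sections[stack[0]][tok[1]] = " ".join(tok[2:])
            elif tok[0] == "unset":                # back to the default
                sections[stack[0]].pop(tok[1], None)
    return sections


def audit(text):
    """Return (section, key, effective value, 'explicit' or 'default') tuples."""
    explicit = parse_config(text)
    findings = []
    for section, defaults in PAGE_DEFAULTS.items():
        given = explicit.get(section, {})
        cfg = {**defaults, **given}                # explicit settings override defaults
        if not IN_USE[section](cfg):
            continue
        for key, bad in FLAGGED[section].items():
            if cfg[key] in bad:
                source = "explicit" if key in given else "default"
                findings.append((section, key, cfg[key], source))
    return findings


if __name__ == "__main__":
    for section, key, value, source in audit(SAMPLE_SHOW):
        print(f"{section}: {key} = {value} ({source})")
```

Two of the three findings on the sample come from defaults that never appear in the `show` text, which is why a plain search of the exported configuration would miss them.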


system/geoip-override

CLI Syntax

config system geoip-override
    edit <name_str>
        set name <string>
        set description <string>
        set country-id <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
end


Description

Configuration Description Default Value

name Location name. (Empty)

description Description. (Empty)

country-id Country ID. (Empty)

ip-range IP range. (Empty)


system/global

CLI Syntax

config system global
    edit <name_str>
        set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
        set gui-ipv6 {enable | disable}
        set gui-certificates {enable | disable}
        set gui-custom-language {enable | disable}
        set gui-wireless-opensecurity {enable | disable}
        set gui-display-hostname {enable | disable}
        set gui-lines-per-page <integer>
        set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
        set admin-https-banned-cipher {rc4 | low}
        set admintimeout <integer>
        set admin-console-timeout <integer>
        set admin-concurrent {enable | disable}
        set admin-lockout-threshold <integer>
        set admin-lockout-duration <integer>
        set refresh <integer>
        set interval <integer>
        set failtime <integer>
        set daily-restart {enable | disable}
        set restart-time <user>
        set radius-port <integer>
        set admin-login-max <integer>
        set remoteauthtimeout <integer>
        set ldapconntimeout <integer>
        set batch-cmdb {enable | disable}
        set max-dlpstat-memory <integer>
        set dst {enable | disable}
        set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
        set ntpserver <string>
        set ntpsync {enable | disable}
        set syncinterval <integer>
        set traffic-priority {tos | dscp}
        set traffic-priority-level {low | medium | high}
        set anti-replay {disable | loose | strict}
        set send-pmtu-icmp {enable | disable}
        set honor-df {enable | disable}
        set split-port <user>
        set revision-image-auto-backup {enable | disable}
        set revision-backup-on-logout {enable | disable}
        set management-vdom <string>


        set hostname <string>
        set strong-crypto {enable | disable}
        set ssh-cbc-cipher {enable | disable}
        set ssh-hmac-md5 {enable | disable}
        set snat-route-change {enable | disable}
        set cli-audit-log {enable | disable}
        set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
        set fds-statistics {enable | disable}
        set fds-statistics-period <integer>
        set multicast-forward {enable | disable}
        set mc-ttl-notchange {enable | disable}
        set asymroute {enable | disable}
        set tcp-option {enable | disable}
        set phase1-rekey {enable | disable}
        set lldp-transmission {enable | disable}
        set explicit-proxy-auth-timeout <integer>
        set sys-perf-log-interval <integer>
        set check-protocol-header {loose | strict}
        set vip-arp-range {unlimited | restricted}
        set optimize {antivirus | session-setup | throughput}
        set reset-sessionless-tcp {enable | disable}
        set allow-traffic-redirect {enable | disable}
        set strict-dirty-session-check {enable | disable}
        set tcp-halfclose-timer <integer>
        set tcp-halfopen-timer <integer>
        set tcp-timewait-timer <integer>
        set udp-idle-timer <integer>
        set block-session-timer <integer>
        set ip-src-port-range <user>
        set pre-login-banner {enable | disable}
        set post-login-banner {disable | enable}
        set tftp {enable | disable}
        set av-failopen {pass | idledrop | off | one-shot}
        set av-failopen-session {enable | disable}
        set check-reset-range {strict | disable}
        set vdom-admin {enable | disable}
        set admin-port <integer>
        set admin-sport <integer>
        set admin-https-redirect {enable | disable}
        set admin-ssh-password {enable | disable}
        set admin-ssh-port <integer>
        set admin-ssh-grace-time <integer>
        set admin-ssh-v1 {enable | disable}
        set admin-telnet-port <integer>
        set admin-maintainer {enable | disable}
        set admin-server-cert <string>
        set user-server-cert <string>
        set admin-https-pki-required {enable | disable}
        set wifi-certificate <string>
        set wifi-ca-certificate <string>
        set auth-http-port <integer>
        set auth-https-port <integer>
        set auth-keepalive {enable | disable}


        set policy-auth-concurrent <integer>
        set auth-cert <string>
        set clt-cert-req {enable | disable}
        set endpoint-control-portal-port <integer>
        set endpoint-control-fds-access {enable | disable}
        set tp-mc-skip-policy {enable | disable}
        set cfg-save {automatic | manual | revert}
        set cfg-revert-timeout <integer>
        set reboot-upon-config-restore {enable | disable}
        set admin-scp {enable | disable}
        set registration-notification {enable | disable}
        set service-expire-notification {enable | disable}
        set wireless-controller {enable | disable}
        set wireless-controller-port <integer>
        set fortiextender-data-port <integer>
        set fortiextender {enable | disable}
        set switch-controller {disable | enable}
        set switch-controller-reserved-network <ipv4-classnet>
        set proxy-worker-count <integer>
        set scanunit-count <integer>
        set ssl-worker-count <integer>
        set proxy-kxp-hardware-acceleration {disable | enable}
        set proxy-cipher-hardware-acceleration {disable | enable}
        set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
        set ipsec-hmac-offload {enable | disable}
        set ipv6-accept-dad <integer>
        set csr-ca-attribute {enable | disable}
        set wimax-4g-usb {enable | disable}
        set cert-chain-max <integer>
        set sslvpn-max-worker-count <integer>
        set sslvpn-kxp-hardware-acceleration {enable | disable}
        set sslvpn-cipher-hardware-acceleration {enable | disable}
        set sslvpn-plugin-version-check {enable | disable}
        set two-factor-email-expiry <integer>
        set two-factor-sms-expiry <integer>
        set two-factor-ftm-expiry <integer>
        set per-user-bwl {enable | disable}
        set virtual-server-count <integer>
        set virtual-server-hardware-acceleration {disable | enable}
        set wad-worker-count <integer>
        set login-timestamp {enable | disable}
        set miglogd-children <integer>
        set special-file-23-support {disable | enable}
        set log-uuid {disable | policy-only | extended}
        set arp-max-entry <integer>
        set ips-affinity <string>
        set av-affinity <string>
        set miglog-affinity <string>
        set ndp-max-entry <integer>
        set br-fdb-max-entry <integer>
        set ipsec-asic-offload {enable | disable}


        set device-idle-timeout <integer>
        set compliance-check {enable | disable}
        set compliance-check-time <time>
        set gui-device-latitude <string>
        set gui-device-longitude <string>
        set private-data-encryption {disable | enable}
        set auto-auth-extension-device {enable | disable}
        set gui-theme {green | red | blue | melongene}
end


Description

Configuration Description Default Value

language GUI display language. english

gui-ipv6 Enable/disable IPv6 settings in GUI. disable

gui-certificates Enable/disable certificates configuration in GUI. enable

gui-custom-language Enable/disable custom languages in GUI. disable

gui-wireless-opensecurity Enable/disable wireless open security option in GUI. disable

gui-display-hostname Enable/disable display of hostname on GUI login page. disable

gui-lines-per-page Number of lines to display per page for web administration. 50

admin-https-ssl-versions Allowed SSL/TLS versions for web administration. tlsv1-1 tlsv1-2

admin-https-banned-cipher Banned ciphers for web administration. rc4 low

admintimeout Idle time-out for firewall administration. 5

admin-console-timeout Idle time-out for console. 0

admin-concurrent Enable/disable admin concurrent login. enable

admin-lockout-threshold Lockout threshold for firewall administration. 3

admin-lockout-duration Lockout duration (sec) for firewall administration. 60

refresh Statistics refresh interval in GUI. 0

interval Dead gateway detection interval. 5

failtime Fail-time for server lost. 5

daily-restart Enable/disable firewall daily reboot. disable

restart-time Daily restart time (hh:mm). 00:00


radius-port RADIUS service port number. 1812

admin-login-max Maximum number of admin users logged in at one time (1 - 100). 100

remoteauthtimeout Remote authentication (RADIUS/LDAP) time-out. 5

ldapconntimeout LDAP connection time-out (0 - 4294967295 milliseconds). 500

batch-cmdb Enable/disable batch mode to execute in CMDB server. enable

max-dlpstat-memory Maximum DLP stat memory (0 - 4294967295).

dst Enable/disable daylight saving time. enable

timezone Time zone. 00

ntpserver IP address/hostname of NTP Server. (Empty)

ntpsync Enable/disable synchronization with NTP Server. disable

syncinterval NTP synchronization interval. 0

traffic-priority Traffic priority type. tos

traffic-priority-level Default TOS/DSCP priority level. medium

anti-replay Anti-replay control. strict

send-pmtu-icmp Enable/disable sending of PMTU ICMP destination unreachable packet. enable

honor-df Enable/disable honoring Don't-Fragment flag. enable

split-port Split port(s) to multiple 10Gbps ports. none

revision-image-auto-backup Enable/disable revision image backup automatically when upgrading image. disable

revision-backup-on-logout Enable/disable revision config backup automatically when logout. disable

management-vdom Management virtual domain name. root

hostname Firewall hostname. (Empty)


strong-crypto Enable/disable strong crypto for HTTPS/SSH access. enable

ssh-cbc-cipher Enable/disable CBC cipher for SSH access. enable

ssh-hmac-md5 Enable/disable HMAC-MD5 for SSH access. enable

snat-route-change Enable/disable SNAT route change. disable

cli-audit-log Enable/disable CLI audit log. disable

dh-params Minimum size of Diffie-Hellman prime for HTTPS/SSH. 2048

fds-statistics Enable/disable FortiGuard statistics. enable

fds-statistics-period FortiGuard statistics update period (1 - 1440 min, default = 60 min). 60

multicast-forward Enable/disable multicast forwarding. enable

mc-ttl-notchange Enable/disable no modification of multicast TTL. disable

asymroute Enable/disable asymmetric route. disable

tcp-option Enable/disable TCP option. enable

phase1-rekey Enable/disable phase1 rekey. enable

lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. disable

explicit-proxy-auth-timeout Authentication timeout (sec) for idle sessions in explicit web proxy. 300

sys-perf-log-interval The interval of performance statistics logging. 5

check-protocol-header Level of checking protocol header. loose

vip-arp-range Control ARP behavior for VIP ranges. restricted

optimize Firmware optimization option. antivirus

reset-sessionless-tcp Enable/disable reset session-less TCP. disable

allow-traffic-redirect Enable/disable allow traffic redirect. enable


strict-dirty-session-check Enable/disable strict dirty-session check. enable

tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, default = 120). 120

tcp-halfopen-timer TCP half open timeout (1 - 86400 sec, default = 10). 10

tcp-timewait-timer TCP time wait timeout (0 - 300 sec, default = 1). 1

udp-idle-timer UDP idle timeout (1 - 86400 sec, default = 180). 180

block-session-timer Block-session timeout (1 - 300 sec, default = 30 sec). 30

ip-src-port-range IP source port range for firewall originated traffic. 1024-25000

pre-login-banner Enable/disable pre-login-banner. disable

post-login-banner Enable/disable post-login-banner. disable

tftp Enable/disable TFTP. enable

av-failopen AV fail open option. pass

av-failopen-session Enable/disable AV fail open session option. disable

check-reset-range Drop RST packets if out-of-window. disable

vdom-admin Enable/disable multiple VDOMs mode. disable

admin-port Admin access HTTP port (1 - 65535). 80

admin-sport Admin access HTTPS port (1 - 65535). 443

admin-https-redirect Enable/disable redirection of HTTP admin traffic to HTTPS. enable

admin-ssh-password Enable/disable password authentication for SSH admin access. enable

admin-ssh-port Admin access SSH port (1 - 65535). 22

admin-ssh-grace-time Admin access login grace time (10 - 3600 sec). 120

admin-ssh-v1 Enable/disable SSH v1 compatibility. disable


admin-telnet-port Admin access TELNET port (1 - 65535). 23

admin-maintainer Enable/disable login of maintainer user. enable

admin-server-cert Admin HTTPS server certificate. Fortinet_Factory

user-server-cert User HTTPS server certificate. Fortinet_Factory

admin-https-pki-required Enable/disable require HTTPS login page when PKI is enabled. disable

wifi-certificate WiFi certificate for WPA. Fortinet_Wifi

wifi-ca-certificate WiFi CA certificate for WPA. PositiveSSL_CA

auth-http-port Authentication HTTP port (1 - 65535). 1000

auth-https-port Authentication HTTPS port (1 - 65535). 1003

auth-keepalive Enable/disable use of keep alive to extend authentication. disable

policy-auth-concurrent Concurrent user to pass firewall authentication. 0

auth-cert HTTPS server certificate for policy authentication. Fortinet_Factory

clt-cert-req Enable/disable require client certificate for GUI login. disable

endpoint-control-portal-port Endpoint control portal port (1 - 65535). 8009

endpoint-control-fds-access Enable/disable access to FortiGuard servers for non-compliant endpoints. enable

tp-mc-skip-policy Enable/disable skip policy check and allow multicast through. disable

cfg-save Configuration file save mode for changes made using the CLI. automatic

cfg-revert-timeout Time-out for reverting to the last saved configuration. 600

reboot-upon-config-restore Enable/disable reboot of system upon restoring configuration. enable


admin-scp Enable/disable allow system configuration download by SCP. disable

registration-notification Enable/disable allow license registration notification. enable

service-expire-notification Enable/disable service expiration notification. enable

wireless-controller Enable/disable wireless controller. enable

wireless-controller-port Local wireless controller port (1024 - 49150). 5246

fortiextender-data-port Fortiextender controller data port (1024 - 49150). 25246

fortiextender Enable/disable FortiExtender controller. disable

switch-controller Enable/disable switch controller feature. disable

switch-controller-reserved-network Reserved network for switch-controller. 169.254.254.0 255.255.254.0

proxy-worker-count Proxy worker count. 16

scanunit-count Scanunit count. 39

ssl-worker-count SSL worker count (0 - 4294967295).

proxy-kxp-hardware-acceleration Enable/disable use of content processor to encrypt or decrypt traffic. enable

proxy-cipher-hardware-acceleration Enable/disable use of content processor to encrypt or decrypt traffic. enable

fgd-alert-subscription FortiGuard alert subscription. (Empty)

ipsec-hmac-offload Enable/disable offload HMAC to hardware for IPsec VPN. enable

ipv6-accept-dad Enable/disable acceptance of IPv6 DAD (Duplicate Address Detection). 0: Disable DAD; 1: Enable DAD (default); 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found. 1

csr-ca-attribute Enable/disable CSR CA attribute. enable


wimax-4g-usb Enable/disable WiMAX USB device. disable

cert-chain-max Maximum depth for certificate chain. 8

sslvpn-max-worker-count Maximum number of worker processes for SSL-VPN. 39

sslvpn-kxp-hardware-acceleration Enable/disable KXP SSL-VPN hardware acceleration. disable

sslvpn-cipher-hardware-acceleration Enable/disable SSL-VPN cipher hardware acceleration. disable

sslvpn-plugin-version-check Enable/disable SSL-VPN automatic checking of browser plug-in version. enable

two-factor-email-expiry Expiration time for email token (30 - 300 sec, default = 60 sec). 60

two-factor-sms-expiry Expiration time for SMS token (30 - 300 sec, default = 60 sec). 60

two-factor-ftm-expiry Expiration time for FortiToken mobile provision (1 - 168 hr, default = 72 hr). 72

per-user-bwl Enable/disable per-user black/white list filter. disable

virtual-server-count Number of concurrent virtual server workers. 20

virtual-server-hardware-acceleration Enable/disable use of content processor to encrypt or decrypt traffic. enable

wad-worker-count Number of concurrent WAD workers. 20

login-timestamp Enable/disable login time recording. disable

miglogd-children Number of miglog children. 0

special-file-23-support Enable/disable support for special file 23. disable

log-uuid Universally Unique Identifier (UUID) log option. policy-only

arp-max-entry Maximum number of ARP table entries (set to 131,072 or higher). 131072


ips-affinity Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). 0

av-affinity Affinity setting for AV scanning (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). 0

miglog-affinity Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). 0

ndp-max-entry Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). 0

br-fdb-max-entry Maximum number of bridge forwarding database entries (set to 8192 or higher). 8192

ipsec-asic-offload Enable/disable ASIC offload for IPsec VPN. enable

device-idle-timeout Device idle timeout (30 - 31536000 sec, default = 300 sec). 300

compliance-check Enable/disable global PCI DSS compliance check. enable

compliance-check-time PCI DSS compliance check time. 00:00:00

gui-device-latitude Physical device latitude coordinate. (Empty)

gui-device-longitude Physical device longitude coordinate. (Empty)

private-data-encryption Enable/disable private data encryption using an AES 128-bit key. disable

auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device globally. enable

gui-theme Color scheme to use for the administration GUI. green
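
An added example (not part of the Fortinet reference): a small auditor that reads a saved configuration and reports the effective value of a few security-relevant settings from the table above. It assumes these settings live under `config system global` and that saved `show` output lists only values changed from their defaults, so a missing line means the documented default applies; the hardening baseline, the DH floor and the sample configuration are assumptions of this example.

```python
import shlex

# Defaults copied from the table above (FortiOS 5.4.0).
DOCUMENTED_DEFAULTS = {
    "strong-crypto": "enable",
    "ssh-cbc-cipher": "enable",
    "ssh-hmac-md5": "enable",
    "admin-ssh-v1": "disable",
    "admin-https-redirect": "enable",
    "cli-audit-log": "disable",
    "admin-maintainer": "enable",
    "dh-params": "2048",
}

# Hardening baseline: an assumption of this example, not a Fortinet statement.
BASELINE = {
    "strong-crypto": "enable",
    "ssh-cbc-cipher": "disable",
    "ssh-hmac-md5": "disable",
    "admin-ssh-v1": "disable",
    "admin-https-redirect": "enable",
    "cli-audit-log": "enable",
    "admin-maintainer": "disable",
}
MIN_DH_BITS = 2048  # assumed floor for dh-params

# Constructed sample of saved configuration; hostname and values are made up.
SAMPLE_CONFIG = """\
#config-version=constructed-sample
config system global
    set hostname "edge-fw-01"
    set admin-sport 8443
    set ssh-cbc-cipher disable
    set dh-params 1024
    set cli-audit-log enable
    set admin-ssh-v1 enable
end
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
"""


def parse_block(config_text, path="system global"):
    """Return {setting: value} for the top-level `config <path>` block."""
    settings, depth, inside = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles quoted values such as hostnames
        if words[0] == "config":
            depth += 1
            if depth == 1:
                inside = " ".join(words[1:]) == path
        elif words[0] == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                inside = False
        elif inside and depth == 1 and len(words) >= 2:
            if words[0] == "set":
                settings[words[1]] = " ".join(words[2:])
            elif words[0] == "unset":  # unset reverts to the default
                settings.pop(words[1], None)
    return settings


def audit(config_text):
    """Return (setting, effective, wanted, source) for each baseline miss."""
    explicit = parse_block(config_text)
    findings = []
    for key, wanted in BASELINE.items():
        # A setting missing from the file still has a value: its default.
        effective = explicit.get(key, DOCUMENTED_DEFAULTS[key])
        if effective != wanted:
            source = "explicit" if key in explicit else "default"
            findings.append((key, effective, wanted, source))
    dh_bits = int(explicit.get("dh-params", DOCUMENTED_DEFAULTS["dh-params"]))
    if dh_bits < MIN_DH_BITS:
        source = "explicit" if "dh-params" in explicit else "default"
        findings.append(("dh-params", str(dh_bits), f">= {MIN_DH_BITS}", source))
    return findings


if __name__ == "__main__":
    for key, effective, wanted, source in audit(SAMPLE_CONFIG):
        print(f"{key}: {effective} ({source}), baseline wants {wanted}")
```

Findings marked `default` are the ones a plain text search of the saved file misses, because the setting never appears in it.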


system/gre-tunnel

CLI Syntax

config system gre-tunnel
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set sequence-number-transmission {disable | enable}
        set sequence-number-reception {disable | enable}
        set checksum-transmission {disable | enable}
        set checksum-reception {disable | enable}
        set key-outbound <integer>
        set key-inbound <integer>
        set auto-asic-offload {enable | disable}
        set keepalive-interval <integer>
        set keepalive-failtimes <integer>
end


Description

Configuration Description Default Value

name Tunnel name. (Empty)

interface Interface name. (Empty)

remote-gw IP address of the remote gateway. 0.0.0.0

local-gw IP address of the local gateway. 0.0.0.0

sequence-number-transmission Enable/disable inclusion of sequence number in transmitted GRE packets. disable

sequence-number-reception Enable/disable validation of sequence number in received GRE packets. disable

checksum-transmission Enable/disable inclusion of checksum in transmitted GRE packets. disable

checksum-reception Enable/disable validation of checksum in received GRE packets. disable

key-outbound Include this key in transmitted GRE packets (0 - 4294967295). 0

key-inbound Require received GRE packets contain this key (0 - 4294967295). 0

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

keepalive-interval Keepalive message interval (0 - 32767, 0 = disabled). 0

keepalive-failtimes Number of consecutive unreturned keepalive messages before GRE connection is considered down (1 - 255). 10


system/ha

CLI Syntax

config system ha
    edit <name_str>
        set group-id <integer>
        set group-name <string>
        set mode {standalone | a-a | a-p}
        set password <password>
        set key <password>
        set hbdev <user>
        set session-sync-dev <user>
        set route-ttl <integer>
        set route-wait <integer>
        set route-hold <integer>
        set load-balance-all {enable | disable}
        set sync-config {enable | disable}
        set encryption {enable | disable}
        set authentication {enable | disable}
        set hb-interval <integer>
        set hb-lost-threshold <integer>
        set helo-holddown <integer>
        set gratuitous-arps {enable | disable}
        set arps <integer>
        set arps-interval <integer>
        set session-pickup {enable | disable}
        set session-pickup-connectionless {enable | disable}
        set session-pickup-expectation {enable | disable}
        set session-pickup-nat {enable | disable}
        set session-pickup-delay {enable | disable}
        set session-sync-daemon-number <integer>
        set link-failed-signal {enable | disable}
        set uninterruptible-upgrade {enable | disable}
        set standalone-mgmt-vdom {enable | disable}
        set ha-mgmt-status {enable | disable}
        set ha-mgmt-interface <string>
        set ha-mgmt-interface-gateway <ipv4-address>
        set ha-mgmt-interface-gateway6 <ipv6-address>
        set ha-eth-type <string>
        set hc-eth-type <string>
        set l2ep-eth-type <string>
        set ha-uptime-diff-margin <integer>
        set standalone-config-sync {enable | disable}
        set vcluster2 {enable | disable}
        set vcluster-id <integer>
        set override {enable | disable}
        set priority <integer>
        set override-wait-time <integer>
        set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}


        set weight <user>
        set cpu-threshold <user>
        set memory-threshold <user>
        set http-proxy-threshold <user>
        set ftp-proxy-threshold <user>
        set imap-proxy-threshold <user>
        set nntp-proxy-threshold <user>
        set pop3-proxy-threshold <user>
        set smtp-proxy-threshold <user>
        set monitor <user>
        set pingserver-monitor-interface <user>
        set pingserver-failover-threshold <integer>
        set pingserver-slave-force-reset {enable | disable}
        set pingserver-flip-timeout <integer>
        set vdom <user>
        config secondary-vcluster
            edit <name_str>
                set vcluster-id <integer>
                set override {enable | disable}
                set priority <integer>
                set override-wait-time <integer>
                set monitor <user>
                set pingserver-monitor-interface <user>
                set pingserver-failover-threshold <integer>
                set pingserver-slave-force-reset {enable | disable}
                set vdom <user>
        end
        set ha-direct {enable | disable}
end


Description

Configuration Description Default Value

group-id Group ID (0 - 255). 0

group-name Group name. (Empty)

mode Mode. standalone

password password (Empty)

key key (Empty)

hbdev Heartbeat interfaces. "mgmt1" 50

session-sync-dev Session sync interfaces. (Empty)

route-ttl HA route TTL on master (5 - 3600 sec). 10

route-wait Route update wait time (0 - 3600 sec). 0

route-hold Wait time between route updates (0 - 3600 sec). 10

load-balance-all Enable/disable load balance. disable

sync-config Enable/disable configuration synchronization. enable

encryption Enable/disable HA message encryption. disable

authentication Enable/disable HA message authentication. disable

hb-interval Configure heartbeat interval (1 - 20 (100*ms)). 2

hb-lost-threshold Lost heartbeat threshold (1 - 60). 6

helo-holddown Configure hello state hold-down time (5 - 300 sec). 20

gratuitous-arps Enable/disable gratuitous ARPs. enable

arps Configure number of gratuitous ARPs (1 - 60). 5

arps-interval Configure gratuitous ARPs interval (1 - 20 sec). 8

session-pickup Enable/disable session pickup. disable


session-pickup-connectionless Enable/disable pickup non-TCP sessions. disable

session-pickup-expectation Enable/disable pickup expectation sessions. disable

session-pickup-nat Enable/disable pickup of NATed sessions. disable

session-pickup-delay Enable/disable delay session sync by 30 seconds. disable

session-sync-daemon-number Session sync daemon process number. 1

link-failed-signal Enable/disable link failed signal. disable

uninterruptible-upgrade Enable/disable uninterruptible HA upgrade. enable

standalone-mgmt-vdom Enable/disable standalone management VDOM. disable

ha-mgmt-status Enable/disable HA management interface reservation. disable

ha-mgmt-interface Reserved interface of HA management. (Empty)

ha-mgmt-interface-gateway Gateway for reserved interface of HA management. 0.0.0.0

ha-mgmt-interface-gateway6 IPv6 gateway for reserved interface of HA management. ::

ha-eth-type HA Ethernet type (4-digit hex). 8890

hc-eth-type HC Ethernet type (4-digit hex). 8891

l2ep-eth-type L2EP Ethernet type (4-digit hex). 8893

ha-uptime-diff-margin HA uptime difference margin (sec). 300

standalone-config-sync Enable/disable standalone config sync. disable

vcluster2 Enable/disable secondary virtual cluster. disable

vcluster-id Cluster ID. 0

override Enable/disable master HA unit overriding. disable


priority Priority value (0 - 255). 128

override-wait-time Override wait time (0 - 3600 sec). 0

schedule Schedule. round-robin

weight Weight for weight-round-robin schedule. 40

cpu-threshold CPU threshold weight. 5 0 0

memory-threshold Memory threshold weight. 5 0 0

http-proxy-threshold HTTP proxy threshold. 5 0 0

ftp-proxy-threshold FTP proxy threshold. 5 0 0

imap-proxy-threshold IMAP proxy threshold. 5 0 0

nntp-proxy-threshold NNTP proxy threshold. 5 0 0

pop3-proxy-threshold POP3 proxy threshold. 5 0 0

smtp-proxy-threshold SMTP proxy threshold. 5 0 0

monitor Interfaces to monitor. (Empty)

pingserver-monitor-interface Monitor interfaces that has PING server enabled. (Empty)

pingserver-failover-threshold Threshold at which HA failover occurs upon PING server failure (0 - 50). 0

pingserver-slave-force-reset Enable/disable force reset of slave after PING server failure. enable

pingserver-flip-timeout Minutes to wait before HA failover flip-flop. 60

vdom VDOM members. (Empty)

secondary-vcluster Secondary virtual cluster. Details below


Configuration Default Value

vcluster-id 1

override enable

priority 128

override-wait-time 0

monitor (Empty)

pingserver-monitor-interface (Empty)

pingserver-failover-threshold 0

pingserver-slave-force-reset enable

vdom (Empty)

ha-direct Enable/disable sending of messages (logs, SNMP, RADIUS) directly from ha-mgmt interface. disable


system/ha-monitor

CLI Syntax

config system ha-monitor
    edit <name_str>
        set monitor-vlan {enable | disable}
        set vlan-hb-interval <integer>
        set vlan-hb-lost-threshold <integer>
end


Description

Configuration Description Default Value

monitor-vlan Enable/disable monitor VLAN interfaces. disable

vlan-hb-interval Configure heartbeat interval (seconds). 5

vlan-hb-lost-threshold VLAN lost heartbeat threshold (1 - 60). 3


system/interface

CLI Syntax

config system interface
    edit <name_str>
        set name <string>
        set vdom <string>
        set cli-conn-status <integer>
        set mode {static | dhcp | pppoe}
        set distance <integer>
        set priority <integer>
        set dhcp-relay-service {disable | enable}
        set dhcp-relay-ip <user>
        set dhcp-relay-type {regular | ipsec}
        set ip <ipv4-classnet-host>
        set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
        set gwdetect {enable | disable}
        set ping-serv-status <integer>
        set detectserver <user>
        set detectprotocol {ping | tcp-echo | udp-echo}
        set ha-priority <integer>
        set fail-detect {enable | disable}
        set fail-detect-option {detectserver | link-down}
        set fail-alert-method {link-failed-signal | link-down}
        set fail-action-on-extender {soft-restart | hard-restart | reboot}
        config fail-alert-interfaces
            edit <name_str>
                set name <string>
        end
        set dhcp-client-identifier <string>
        set ipunnumbered <ipv4-address>
        set username <string>
        set pppoe-unnumbered-negotiate {enable | disable}
        set password <password>
        set idle-timeout <integer>
        set detected-peer-mtu <integer>
        set disc-retry-timeout <integer>
        set padt-retry-timeout <integer>
        set service-name <string>
        set ac-name <string>
        set lcp-echo-interval <integer>
        set lcp-max-echo-fails <integer>
        set defaultgw {enable | disable}
        set dns-server-override {enable | disable}
        set auth-type {auto | pap | chap | mschapv1 | mschapv2}
        set pptp-client {enable | disable}
        set pptp-user <string>
        set pptp-password <password>
        set pptp-server-ip <ipv4-address>


        set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
        set pptp-timeout <integer>
        set arpforward {enable | disable}
        set ndiscforward {enable | disable}
        set broadcast-forward {enable | disable}
        set bfd {global | enable | disable}
        set bfd-desired-min-tx <integer>
        set bfd-detect-mult <integer>
        set bfd-required-min-rx <integer>
        set l2forward {enable | disable}
        set icmp-redirect {enable | disable}
        set vlanforward {enable | disable}
        set stpforward {enable | disable}
        set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
        set ips-sniffer-mode {enable | disable}
        set ident-accept {enable | disable}
        set ipmac {enable | disable}
        set subst {enable | disable}
        set macaddr <mac-address>
        set substitute-dst-mac <mac-address>
        set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
        set status {up | down}
        set netbios-forward {disable | enable}
        set wins-ip <ipv4-address>
        set type {physical | vlan | aggregate | redundant | fortilink | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
        set dedicated-to {none | management}
        set trust-ip-1 <ipv4-classnet-any>
        set trust-ip-2 <ipv4-classnet-any>
        set trust-ip-3 <ipv4-classnet-any>
        set trust-ip6-1 <ipv6-prefix>
        set trust-ip6-2 <ipv6-prefix>
        set trust-ip6-3 <ipv6-prefix>
        set mtu-override {enable | disable}
        set mtu <integer>
        set wccp {enable | disable}
        set nst {enable | disable}
        set netflow-sampler {disable | tx | rx | both}
        set sflow-sampler {enable | disable}
        set drop-overlapped-fragment {enable | disable}
        set drop-fragment {enable | disable}
        set scan-botnet-connections {disable | block | monitor}
        set sample-rate <integer>
        set polling-interval <integer>
        set sample-direction {tx | rx | both}
        set explicit-web-proxy {enable | disable}
        set explicit-ftp-proxy {enable | disable}
        set tcp-mss <integer>
        set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
        set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
        set inbandwidth <integer>
        set outbandwidth <integer>
        set spillover-threshold <integer>
        set ingress-spillover-threshold <integer>
        set weight <integer>
        set interface <string>
        set external {enable | disable}
        set vlanid <integer>
        set forward-domain <integer>
        set remote-ip <ipv4-address-any>
        config member
            edit <name_str>
                set interface-name <string>
        end
        set lacp-mode {static | passive | active}
        set lacp-ha-slave {enable | disable}
        set lacp-speed {slow | fast}
        set min-links <integer>
        set min-links-down {operational | administrative}
        set algorithm {L2 | L3 | L4}
        set link-up-delay <integer>
        set priority-override {enable | disable}
        set aggregate <string>
        set redundant-interface <string>
        set fortilink <string>
        set managed-device <string>
        set devindex <integer>
        set vindex <integer>
        set switch <string>
        set description <var-string>
        set alias <string>
        set security-mode {none | captive-portal | 802.1X}
        set security-mac-auth-bypass {enable | disable}
        set security-external-web <string>
        set replacemsg-override-group <string>
        set security-redirect-url <string>
        set security-exempt-list <string>
        config security-groups
            edit <name_str>
                set name <string>
        end
        set device-identification {enable | disable}
        set device-user-identification {enable | disable}
        set device-identification-active-scan {enable | disable}
        set device-access-list <string>
        set device-netscan {disable | enable}
        set lldp-transmission {enable | disable | vdom}


        set listen-forticlient-connection {enable | disable}
        set broadcast-forticlient-discovery {enable | disable}
        set endpoint-compliance {enable | disable}
        set estimated-upstream-bandwidth <integer>
        set estimated-downstream-bandwidth <integer>
        set vrrp-virtual-mac {enable | disable}
        config vrrp
            edit <name_str>
                set vrid <integer>
                set vrgrp <integer>
                set vrip <ipv4-address-any>
                set priority <integer>
                set adv-interval <integer>
                set start-time <integer>
                set preempt {enable | disable}
                set vrdst <ipv4-address-any>
                set status {enable | disable}
        end
        set role {lan | wan | dmz | undefined}
        set snmp-index <integer>
        set secondary-IP {enable | disable}
        config secondaryip
            edit <name_str>
                set id <integer>
                set ip <ipv4-classnet-host>
                set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
                set gwdetect {enable | disable}
                set ping-serv-status <integer>
                set detectserver <user>
                set detectprotocol {ping | tcp-echo | udp-echo}
                set ha-priority <integer>
        end
        set auto-auth-extension-device {enable | disable}
        set ap-discover {enable | disable}
        config ipv6
            edit <name_str>
                set ip6-mode {static | dhcp | pppoe | delegated}
                set ip6-dns-server-override {enable | disable}
                set ip6-address <ipv6-prefix>
                config ip6-extra-addr
                    edit <name_str>
                        set prefix <ipv6-prefix>
                end
                set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
                set ip6-send-adv {enable | disable}
                set ip6-manage-flag {enable | disable}
                set ip6-other-flag {enable | disable}
                set ip6-max-interval <integer>
                set ip6-min-interval <integer>
                set ip6-link-mtu <integer>


                set ip6-reachable-time <integer>
                set ip6-retrans-time <integer>
                set ip6-default-life <integer>
                set ip6-hop-limit <integer>
                set autoconf {enable | disable}
                set ip6-upstream-interface <string>
                set ip6-subnet <ipv6-prefix>
                config ip6-prefix-list
                    edit <name_str>
                        set prefix <ipv6-network>
                        set autonomous-flag {enable | disable}
                        set onlink-flag {enable | disable}
                        set valid-life-time <integer>
                        set preferred-life-time <integer>
                end
                config ip6-delegated-prefix-list
                    edit <name_str>
                        set prefix-id <integer>
                        set upstream-interface <string>
                        set autonomous-flag {enable | disable}
                        set onlink-flag {enable | disable}
                        set subnet <ipv6-network>
                end
                set dhcp6-relay-service {disable | enable}
                set dhcp6-relay-type {regular}
                set dhcp6-relay-ip <user>
                set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
                set dhcp6-prefix-delegation {enable | disable}
        end
end


Description

Configuration Description Default Value

name Name. (Empty)

vdom Virtual domain name. (Empty)

cli-conn-status CLI connection status. 0

mode Addressing mode (static, DHCP, PPPoE). static

distance Distance of learned routes. 5

priority Priority of learned routes. 0

dhcp-relay-service Enable/disable use DHCP relay service. disable

dhcp-relay-ip DHCP relay IP address. (Empty)

dhcp-relay-type DHCP relay type. regular

ip IP address of interface. 0.0.0.0 0.0.0.0

allowaccess Allow management access to the interface. (Empty)

gwdetect Enable/disable detect gateway alive for first. disable

ping-serv-status PING server status. 0

detectserver Gateway's ping server for this IP. (Empty)

detectprotocol Protocols used to detect the server. ping

ha-priority HA election priority for the PING server. 1

fail-detect Enable/disable interface failed option status. disable

fail-detect-option Interface fail detect option. link-down

fail-alert-method Interface fail alert. link-down

fail-action-on-extender Action on extender when interface fail. soft-restart

fail-alert-interfaces Physical interfaces that will be alerted. (Empty)

dhcp-client-identifier DHCP client identifier. (Empty)


ipunnumbered PPPoE unnumbered IP. 0.0.0.0

username User name. (Empty)

pppoe-unnumbered-negotiate Enable/disable PPPoE unnumbered negotiation. enable

password Password (Empty)

idle-timeout PPPoE auto disconnect after idle timeout seconds. 0

detected-peer-mtu MTU of detected peer (0 - 4294967295). 0

disc-retry-timeout PPPoE discovery init timeout value in sec. 1

padt-retry-timeout PPPoE terminate timeout value in sec. 1

service-name PPPoE service name. (Empty)

ac-name PPPoE AC name. (Empty)

lcp-echo-interval PPPoE LCP echo interval (sec). 5

lcp-max-echo-fails Maximum missed LCP echo messages before disconnect. 3

defaultgw Enable/disable default gateway. enable

dns-server-override Enable/disable use DNS acquired by DHCP or PPPoE. enable

auth-type PPP authentication type to use. auto

pptp-client Enable/disable PPTP client. disable

pptp-user PPTP user name. (Empty)

pptp-password PPTP password. (Empty)

pptp-server-ip PPTP server IP address. 0.0.0.0

pptp-auth-type PPTP authentication type. auto

pptp-timeout Idle timer in minutes (0 for disabled). 0

arpforward Enable/disable ARP forwarding. enable

ndiscforward Enable/disable NDISC forwarding. enable

broadcast-forward Enable/disable broadcast forwarding. disable

bfd Bidirectional Forwarding Detection (BFD). global

bfd-desired-min-tx BFD desired minimal transmit interval. 250

bfd-detect-mult BFD detection multiplier. 3

bfd-required-min-rx BFD required minimal receive interval. 250

l2forward Enable/disable l2 forwarding. disable

icmp-redirect Enable/disable ICMP redirect. enable

vlanforward Enable/disable VLAN forwarding. disable

stpforward Enable/disable STP forwarding. disable

stpforward-mode Configure STP forwarding mode. rpl-all-ext-id

ips-sniffer-mode Enable/disable IPS sniffer mode. disable

ident-accept Enable/disable accept ident protocol. disable

ipmac Enable/disable IP/MAC binding status. disable

subst Enable/disable substitute MAC. disable

macaddr MAC address. 00:00:00:00:00:00

substitute-dst-mac Substitute destination MAC address. 00:00:00:00:00:00

speed Speed auto

status Interface status. up

netbios-forward Enable/disable NETBIOS forwarding. disable

wins-ip WINS server IP. 0.0.0.0

type Interface type. vlan

dedicated-to Configure interface for single purpose. none

trust-ip-1 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). 0.0.0.0 0.0.0.0

trust-ip-2 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). 0.0.0.0 0.0.0.0

trust-ip-3 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). 0.0.0.0 0.0.0.0

trust-ip6-1 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0

trust-ip6-2 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0

trust-ip6-3 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ::/0

mtu-override Enable/disable use custom MTU. disable

mtu Maximum transmission unit. 1500

wccp Enable/disable WCCP protocol on this interface. disable

nst Enable/disable NST protocol on this interface. disable

netflow-sampler NetFlow measurement status. disable

sflow-sampler Enable/disable sFlow protocol. disable

drop-overlapped-fragment Enable/disable drop overlapped fragment packets. disable

drop-fragment Enable/disable drop fragment packets. disable

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

sample-rate sFlow sampler sample rate. 2000

polling-interval sFlow sampler counter polling interval. 20

sample-direction sFlow sample direction. both

explicit-web-proxy Enable/disable explicit Web proxy. disable

explicit-ftp-proxy Enable/disable explicit FTP proxy. disable

tcp-mss Maximum sending TCP packet size. 0

mediatype Select SFP media interface type serdes-sfp

fp-anomaly Pass or drop different types of anomalies using Fastpath (Empty)

inbandwidth Bandwidth limit for incoming traffic (0 - 16776000 kbps). 0

outbandwidth Bandwidth limit for outgoing traffic (0 - 16776000 kbps). 0

spillover-threshold Egress Spillover threshold (0 - 16776000 kbps). 0

ingress-spillover-threshold Ingress Spillover threshold (0 - 16776000 kbps). 0

weight Default weight for static routes (if route has no weight configured). 0

interface Interface name. (Empty)

external Enable/disable identifying interface as connected to external side. disable

vlanid VLAN ID. 0

forward-domain TP mode forward domain. 0

remote-ip Remote IP address of tunnel. 0.0.0.0

member Physical interfaces that belong to the aggregate/redundant interface. (Empty)

lacp-mode LACP mode. active

lacp-ha-slave LACP HA slave. enable

lacp-speed LACP speed. slow

min-links Minimum number of aggregated ports that must be up. 1

min-links-down Action to take when there are less than min-links active members. operational

algorithm Frame distribution algorithm. L4

link-up-delay Number of milliseconds to wait before considering a link is up. 50

priority-override Enable/disable fail back to higher priority port once recovered. enable

aggregate Aggregate interface. (Empty)

redundant-interface Redundant interface. (Empty)

fortilink FortiLink interface. (Empty)

managed-device FortiLink interface managed device. (Empty)

devindex Device Index. 0

vindex Switch control interface VLAN ID. 0

switch Contained in switch. (Empty)

description Description. (Empty)

alias Alias. (Empty)

security-mode Security mode. none

security-mac-auth-bypass Enable/disable MAC authentication bypass. disable

security-external-web URL of external authentication web server. (Empty)

replacemsg-override-group Specify replacement message override group. (Empty)

security-redirect-url URL redirection after disclaimer/authentication. (Empty)

security-exempt-list Name of security-exempt-list. (Empty)

security-groups Group name. (Empty)

device-identification Enable/disable passive gathering of identity information about source hosts on this interface. disable

device-user-identification Enable/disable passive gathering of user identity information about source hosts on this interface. enable

device-identification-active-scan Enable/disable active gathering of identity information about source hosts on this interface. enable

device-access-list Device access list. (Empty)

device-netscan Enable/disable inclusion of devices detected on this interface in network vulnerability scans. disable

lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. vdom

listen-forticlient-connection Enable/disable listen for FortiClient connections. disable

broadcast-forticlient-discovery Enable/disable broadcast FortiClient discovery messages. disable

endpoint-compliance Enable/disable endpoint compliance enforcement. disable

estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. 0

estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. 0

vrrp-virtual-mac Enable/disable use of virtual MAC for VRRP. disable

vrrp VRRP configuration. (Empty)

role Interface role. undefined

snmp-index Permanent SNMP Index of the interface. 0

secondary-IP Enable/disable secondary IP. disable

secondaryip Second IP address of interface. (Empty)

auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. disable

ap-discover Enable/disable automatic registration of unknown FortiAP devices. enable

ipv6 IPv6 of interface. Details below

Configuration Default Value

ip6-mode static

ip6-dns-server-override enable

ip6-address ::/0

ip6-extra-addr (Empty)

ip6-allowaccess (Empty)

ip6-send-adv disable

ip6-manage-flag disable

ip6-other-flag disable

ip6-max-interval 600

ip6-min-interval 198

ip6-link-mtu 0

ip6-reachable-time 0

ip6-retrans-time 0

ip6-default-life 1800

ip6-hop-limit 0

autoconf disable

ip6-upstream-interface (Empty)

ip6-subnet ::/0

ip6-prefix-list (Empty)

ip6-delegated-prefix-list (Empty)

dhcp6-relay-service disable

dhcp6-relay-type regular

dhcp6-relay-ip (Empty)

dhcp6-client-options dns

dhcp6-prefix-delegation disable

system/ipip-tunnel

CLI Syntax

config system ipip-tunnel
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set auto-asic-offload {enable | disable}
end

Description

Configuration Description Default Value

name IPIP Tunnel name. (Empty)

interface Interface name. (Empty)

remote-gw IP address of the remote gateway. 0.0.0.0

local-gw Enable/disable IP address of the local gateway. 0.0.0.0

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/ips-urlfilter-dns

CLI Syntax

config system ips-urlfilter-dns
    edit <name_str>
        set address <ipv4-address>
        set status {enable | disable}
end

Description

Configuration Description Default Value

address DNS server IP address. 0.0.0.0

status Enable/disable this server for queries. enable

system/ipv6-neighbor-cache

CLI Syntax

config system ipv6-neighbor-cache
    edit <name_str>
        set id <integer>
        set interface <string>
        set ipv6 <ipv6-address>
        set mac <mac-address>
end

Description

Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface name. (Empty)

ipv6 IPv6 address. ::

mac MAC address. 00:00:00:00:00:00

system/ipv6-tunnel

CLI Syntax

config system ipv6-tunnel
    edit <name_str>
        set name <string>
        set source <ipv6-address>
        set destination <ipv6-address>
        set interface <string>
        set auto-asic-offload {enable | disable}
end

Description

Configuration Description Default Value

name Tunnel name. (Empty)

source Local IPv6 address of tunnel. ::

destination Remote IPv6 address of tunnel. ::

interface Interface name. (Empty)

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/link-monitor

CLI Syntax

config system link-monitor
    edit <name_str>
        set name <string>
        set srcintf <string>
        config server
            edit <name_str>
                set address <string>
        end
        set protocol {ping | tcp-echo | udp-echo | http | twamp}
        set port <integer>
        set gateway-ip <ipv4-address-any>
        set source-ip <ipv4-address-any>
        set http-get <string>
        set http-match <string>
        set interval <integer>
        set timeout <integer>
        set failtime <integer>
        set recoverytime <integer>
        set security-mode {none | authentication}
        set password <password>
        set packet-size <integer>
        set ha-priority <integer>
        set update-cascade-interface {enable | disable}
        set update-static-route {enable | disable}
        set status {enable | disable}
end

Description

Configuration Description Default Value

name Link monitor name. (Empty)

srcintf Interface where the monitor traffic is sent. (Empty)

server Server address(es). (Empty)

protocol Protocols used to detect the server. ping

port Port number to poll. 80

gateway-ip Gateway IP used to PING the server. 0.0.0.0

source-ip Source IP used in packet to the server. 0.0.0.0

http-get HTTP GET URL string. /

http-match Response value from detected server in http-get. (Empty)

interval Detection interval. 5

timeout Detect request timeout. 1

failtime Number of retry attempts before bringing server down. 5

recoverytime Number of retry attempts before bringing server up. 5

security-mode Twamp controller security mode. none

password Twamp controller password in authentication mode (Empty)

packet-size Packet size of a twamp test session, 64

ha-priority HA election priority (1 - 50). 1

update-cascade-interface Enable/disable update cascade interface. enable

update-static-route Enable/disable update static route. enable

status Enable/disable Link monitor administrative status. enable

system/mac-address-table

CLI Syntax

config system mac-address-table
    edit <name_str>
        set mac <mac-address>
        set interface <string>
        set reply-substitute <mac-address>
end

Description

Configuration Description Default Value

mac MAC address. 00:00:00:00:00:00

interface Interface name. (Empty)

reply-substitute New MAC for reply traffic. 00:00:00:00:00:00

system/management-tunnel

CLI Syntax

config system management-tunnel
    edit <name_str>
        set status {enable | disable}
        set allow-config-restore {enable | disable}
        set allow-push-configuration {enable | disable}
        set allow-push-firmware {enable | disable}
        set allow-collect-statistics {enable | disable}
        set authorized-manager-only {enable | disable}
        set serial-number <user>
end

Description

Configuration Description Default Value

status Enable/disable FGFM tunnel. enable

allow-config-restore Enable/disable allow config restore. enable

allow-push-configuration Enable/disable push configuration. enable

allow-push-firmware Enable/disable push firmware. enable

allow-collect-statistics Enable/disable collection of run time statistics. enable

authorized-manager-only Enable/disable restriction of authorized manager only. enable

serial-number Serial number. (Empty)

system/mobile-tunnel

CLI Syntax

config system mobile-tunnel
    edit <name_str>
        set name <string>
        set status {disable | enable}
        set roaming-interface <string>
        set home-agent <ipv4-address>
        set home-address <ipv4-address>
        set renew-interval <integer>
        set lifetime <integer>
        set reg-interval <integer>
        set reg-retry <integer>
        set n-mhae-spi <integer>
        set n-mhae-key-type {ascii | base64}
        set n-mhae-key <user>
        set hash-algorithm {hmac-md5}
        set tunnel-mode {gre}
        config network
            edit <name_str>
                set id <integer>
                set interface <string>
                set prefix <ipv4-classnet>
        end
end

Description

Configuration Description Default Value

name Tunnel name. (Empty)

status Enable/disable this mobile tunnel. enable

roaming-interface Roaming interface name. (Empty)

home-agent IP address of the NEMO HA. 0.0.0.0

home-address Home IP address. 0.0.0.0

renew-interval Time before lifetime expiration to send NMMO HA re-registration. 60

lifetime NMMO HA registration request lifetime. 65535

reg-interval NMMO HA registration interval. 5

reg-retry NMMO HA registration maximal retries. 3

n-mhae-spi NEMO authentication spi. 256

n-mhae-key-type NEMO authentication key type. ascii

n-mhae-key NEMO authentication key. 'ENCAQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='

hash-algorithm Hash Algorithm. hmac-md5

tunnel-mode NEMO tunnel mode. gre

network NEMO network configuration. (Empty)

system/nat64

CLI Syntax

config system nat64
    edit <name_str>
        set status {enable | disable}
        set nat64-prefix <ipv6-prefix>
        set always-synthesize-aaaa-record {enable | disable}
        set generate-ipv6-fragment-header {enable | disable}
end

Description

Configuration Description Default Value

status Enable/disable NAT64. disable

nat64-prefix NAT64 prefix must be ::/96. 64:ff9b::/96

always-synthesize-aaaa-record Enable/disable AAAA record synthesis. enable

generate-ipv6-fragment-header Enable/disable IPv6 fragment header generation. disable

system/netflow

CLI Syntax

config system netflow
    edit <name_str>
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
        set active-flow-timeout <integer>
        set inactive-flow-timeout <integer>
        set template-tx-timeout <integer>
        set template-tx-counter <integer>
end

Description

Configuration Description Default Value

collector-ip Collector IP. 0.0.0.0

collector-port NetFlow collector port. 2055

source-ip Source IP for NetFlow agent. 0.0.0.0

active-flow-timeout Timeout to report active flows (min). 30

inactive-flow-timeout Timeout for periodic report of finished flows (sec). 15

template-tx-timeout Timeout for periodic template flowset transmission (min). 30

template-tx-counter Counter of flowset records before resending a template flowset record. 20

system/network-visibility

CLI Syntax

config system network-visibility
    edit <name_str>
        set destination-visibility {disable | enable}
        set source-location {disable | enable}
        set destination-hostname-visibility {disable | enable}
        set hostname-ttl <integer>
        set hostname-limit <integer>
        set destination-location {disable | enable}
end

Description

Configuration Description Default Value

destination-visibility Enable/disable logging of destination visibility. enable

source-location Enable/disable logging of source geographical location visibility. enable

destination-hostname-visibility Enable/disable logging of destination hostname visibility. enable

hostname-ttl TTL of hostname table entries. 86400

hostname-limit Limit of hostname table entries. 5000

destination-location Enable/disable logging of destination geographical location visibility. enable

system/ntp

CLI Syntax

config system ntp
    edit <name_str>
        set ntpsync {enable | disable}
        set type {fortiguard | custom}
        set syncinterval <integer>
        config ntpserver
            edit <name_str>
                set id <integer>
                set server <string>
                set ntpv3 {enable | disable}
                set authentication {enable | disable}
                set key <password>
                set key-id <integer>
        end
        set source-ip <ipv4-address>
        set server-mode {enable | disable}
        config interface
            edit <name_str>
                set interface-name <string>
        end
end

Description

Configuration Description Default Value

ntpsync Enable/disable synchronization with NTP Server. disable

type FortiGuard or custom NTP Server. fortiguard

syncinterval NTP synchronization interval. 1

ntpserver NTP Server. (Empty)

source-ip Source IP for communications to NTP server. 0.0.0.0

server-mode Enable/disable NTP Server Mode. disable

interface List of interfaces with NTP server mode enabled. (Empty)

system/object-tag

CLI Syntax

config system object-tag
    edit <name_str>
        set name <string>
end

Description

Configuration Description Default Value

name Tag name. (Empty)

system/password-policy

CLI Syntax

config system password-policy
    edit <name_str>
        set status {enable | disable}
        set apply-to {admin-password | ipsec-preshared-key}
        set minimum-length <integer>
        set min-lower-case-letter <integer>
        set min-upper-case-letter <integer>
        set min-non-alphanumeric <integer>
        set min-number <integer>
        set change-4-characters {enable | disable}
        set expire-status {enable | disable}
        set expire-day <integer>
        set reuse-password {enable | disable}
end

Description

Configuration Description Default Value

status Enable/disable password policy. disable

apply-to Apply password policy to. admin-password

minimum-length Minimum password length. 8

min-lower-case-letter Minimum number of lowercase characters in password. 0

min-upper-case-letter Minimum number of uppercase characters in password. 0

min-non-alphanumeric Minimum number of non-alphanumeric characters in password. 0

min-number Minimum number of numeric characters in password. 0

change-4-characters Enable/disable changing at least 4 characters for new password. disable

expire-status Enable/disable password expiration. disable

expire-day Number of days after which admin users' password will expire. 90

reuse-password Enable/disable reuse of password. enable

system/probe-response

CLI Syntax

config system probe-response
    edit <name_str>
        set port <integer>
        set http-probe-value <string>
        set ttl-mode {reinit | decrease | retain}
        set mode {none | http-probe | twamp}
        set security-mode {none | authentication}
        set password <password>
        set timeout <integer>
end

Description

Configuration Description Default Value

port Port number to response. 8008

http-probe-value Value to respond to the monitoring server. OK

ttl-mode Mode for TWAMP packet TTL modification. retain

mode SLA response mode. none

security-mode Twamp responder security mode. none

password Twamp responder password in authentication mode (Empty)

timeout An inactivity timer for a twamp test session. 300

system/proxy-arp

CLI Syntax

config system proxy-arp
    edit <name_str>
        set id <integer>
        set interface <string>
        set ip <ipv4-address>
        set end-ip <ipv4-address>
end

Description

Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface acting proxy-ARP. (Empty)

ip IP address or start IP to be proxied. 0.0.0.0

end-ip End IP of IP range to be proxied. 0.0.0.0

system/replacemsg-group

CLI Syntax

config system replacemsg-group
    edit <name_str>
        set name <string>
        set comment <var-string>
        set group-type {default | utm | auth | ec}
        config mail
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config http
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config webproxy
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config ftp
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config nntp
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config fortiguard-wf
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end

        config spam
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config alertmail
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config admin
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config auth
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config sslvpn
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config ec
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config device-detection-portal
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config nac-quar
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>

                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config traffic-quota
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config utm
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
        config custom-message
            edit <name_str>
                set msg-type <string>
                set buffer <var-string>
                set header {none | http | 8bit}
                set format {none | text | html | wml}
        end
end

Description

Configuration Description Default Value

name Group name. (Empty)

comment Comment. (Empty)

group-type Group type. default

mail Replacement message table entries. (Empty)

http Replacement message table entries. (Empty)

webproxy Replacement message table entries. (Empty)

ftp Replacement message table entries. (Empty)

nntp Replacement message table entries. (Empty)

fortiguard-wf Replacement message table entries. (Empty)

spam Replacement message table entries. (Empty)

alertmail Replacement message table entries. (Empty)

admin Replacement message table entries. (Empty)

auth Replacement message table entries. (Empty)

sslvpn Replacement message table entries. (Empty)

ec Replacement message table entries. (Empty)

device-detection-portal Replacement message table entries. (Empty)

nac-quar Replacement message table entries. (Empty)

traffic-quota Replacement message table entries. (Empty)

utm Replacement message table entries. (Empty)

custom-message Replacement message table entries. (Empty)

system/replacemsg-image

CLI Syntax

config system replacemsg-image
    edit <name_str>
        set name <string>
        set image-type {gif | jpg | tiff | png}
        set image-base64 <var-string>
end

Description

Configuration Description Default Value

name Image name. (Empty)

image-type Image type. (Empty)

image-base64 Image data. (null)

system/resource-limits

CLI Syntax

config system resource-limits
    edit <name_str>
        set session <integer>
        set ipsec-phase1 <integer>
        set ipsec-phase2 <integer>
        set dialup-tunnel <integer>
        set firewall-policy <integer>
        set firewall-address <integer>
        set firewall-addrgrp <integer>
        set custom-service <integer>
        set service-group <integer>
        set onetime-schedule <integer>
        set recurring-schedule <integer>
        set user <integer>
        set user-group <integer>
        set sslvpn <integer>
        set proxy <integer>
        set log-disk-quota <integer>
end

Description

Configuration Description Default Value

session Maximum number of sessions. 0

ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. 0

ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. 0

dialup-tunnel Maximum number of dial-up tunnels. 0

firewall-policy Maximum number of firewall policies. 0

firewall-address Maximum number of firewall addresses. 0

firewall-addrgrp Maximum number of firewall address groups. 0

custom-service Maximum number of firewall custom services. 0

service-group Maximum number of firewall service groups. 0

onetime-schedule Maximum number of firewall one-time schedules. 0

recurring-schedule Maximum number of firewall recurring schedules. 0

user Maximum number of local users. 0

user-group Maximum number of user groups. 0

sslvpn Maximum number of SSL-VPN. 0

proxy Maximum number of concurrent explicit proxy users. 0

log-disk-quota Log disk quota in MB. 0

system/session-helper

CLI Syntax

config system session-helper
    edit <name_str>
        set id <integer>
        set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
        set protocol <integer>
        set port <integer>
end

Description

Configuration Description Default Value

id Session helper ID. 0

name Helper name. (Empty)

protocol Protocol number. 0

port Protocol port. 0

system/session-ttl

CLI Syntax

config system session-ttl
    edit <name_str>
        set default <user>
        config port
            edit <name_str>
                set id <integer>
                set protocol <integer>
                set start-port <integer>
                set end-port <integer>
                set timeout <user>
        end
end

Description

Configuration Description Default Value

default Default timeout. 3600

port Session TTL port. (Empty)

system/settings

CLI Syntax

config system settings
    edit <name_str>
        set comments <var-string>
        set opmode {nat | transparent}
        set inspection-mode {proxy | flow}
        set http-external-dest {fortiweb | forticache}
        set firewall-session-dirty {check-all | check-new | check-policy-option}
        set manageip <user>
        set gateway <ipv4-address>
        set ip <ipv4-classnet-host>
        set manageip6 <ipv6-prefix>
        set gateway6 <ipv6-address>
        set ip6 <ipv6-prefix>
        set device <string>
        set bfd {enable | disable}
        set bfd-desired-min-tx <integer>
        set bfd-required-min-rx <integer>
        set bfd-detect-mult <integer>
        set bfd-dont-enforce-src-port {enable | disable}
        set utf8-spam-tagging {enable | disable}
        set wccp-cache-engine {enable | disable}
        set vpn-stats-log {ipsec | pptp | l2tp | ssl}
        set vpn-stats-period <integer>
        set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
        set mac-ttl <integer>
        set fw-session-hairpin {enable | disable}
        set snat-hairpin-traffic {enable | disable}
        set dhcp-proxy {enable | disable}
        set dhcp-server-ip <user>
        set dhcp6-server-ip <user>
        set central-nat {enable | disable}
        config gui-default-policy-columns
            edit <name_str>
                set name <string>
        end
        set lldp-transmission {enable | disable | global}
        set asymroute {enable | disable}
        set asymroute-icmp {enable | disable}
        set tcp-session-without-syn {enable | disable}
        set ses-denied-traffic {enable | disable}
        set strict-src-check {enable | disable}
        set asymroute6 {enable | disable}
        set asymroute6-icmp {enable | disable}
        set sip-helper {enable | disable}
        set sip-nat-trace {enable | disable}
        set status {enable | disable}

        set sip-tcp-port <integer>
        set sip-udp-port <integer>
        set sip-ssl-port <integer>
        set sccp-port <integer>
        set multicast-forward {enable | disable}
        set multicast-ttl-notchange {enable | disable}
        set multicast-skip-policy {enable | disable}
        set allow-subnet-overlap {enable | disable}
        set deny-tcp-with-icmp {enable | disable}
        set ecmp-max-paths <integer>
        set discovered-device-timeout <integer>
        set email-portal-check-dns {disable | enable}
        set default-voip-alg-mode {proxy-based | kernel-helper-based}
        set gui-icap {enable | disable}
        set gui-nat46-64 {enable | disable}
        set gui-implicit-policy {enable | disable}
        set gui-dns-database {enable | disable}
        set gui-load-balance {enable | disable}
        set gui-multicast-policy {enable | disable}
        set gui-dos-policy {enable | disable}
        set gui-object-colors {enable | disable}
        set gui-replacement-message-groups {enable | disable}
        set gui-voip-profile {enable | disable}
        set gui-ap-profile {enable | disable}
        set gui-dynamic-profile-display {enable | disable}
        set gui-ipsec-manual-key {enable | disable}
        set gui-local-in-policy {enable | disable}
        set gui-local-reports {enable | disable}
        set gui-wanopt-cache {enable | disable}
        set gui-explicit-proxy {enable | disable}
        set gui-dynamic-routing {enable | disable}
        set gui-dlp {enable | disable}
        set gui-sslvpn-personal-bookmarks {enable | disable}
        set gui-sslvpn-realms {enable | disable}
        set gui-policy-based-ipsec {enable | disable}
        set gui-threat-weight {enable | disable}
        set gui-multiple-utm-profiles {enable | disable}
        set gui-spamfilter {enable | disable}
        set gui-application-control {enable | disable}
        set gui-casi {enable | disable}
        set gui-ips {enable | disable}
        set gui-endpoint-control {enable | disable}
        set gui-dhcp-advanced {enable | disable}
        set gui-vpn {enable | disable}
        set gui-wireless-controller {enable | disable}
        set gui-switch-controller {enable | disable}
        set gui-fortiap-split-tunneling {enable | disable}
        set gui-webfilter-advanced {enable | disable}
        set gui-traffic-shaping {enable | disable}
        set gui-wan-load-balancing {enable | disable}
        set gui-antivirus {enable | disable}
        set gui-webfilter {enable | disable}
        set gui-dnsfilter {enable | disable}

        set gui-waf-profile {enable | disable}
        set gui-fortiextender-controller {enable | disable}
        set gui-advanced-policy {enable | disable}
        set gui-allow-unnamed-policy {enable | disable}
        set gui-email-collection {enable | disable}
        set gui-domain-ip-reputation {enable | disable}
        set compliance-check {enable | disable}
        set ike-session-resume {enable | disable}
        set ike-quick-crash-detect {enable | disable}
end

Description

Configuration Description Default Value

comments VDOM comments. (Empty)

opmode Firewall operation mode. nat

inspection-mode Inspection mode. proxy

http-external-dest HTTP service external inspection destination. fortiweb

firewall-session-dirty Packet session management. check-all

manageip IP address and netmask. (Empty)

gateway Default gateway IP address. 0.0.0.0

ip IP address and netmask. 0.0.0.0 0.0.0.0

manageip6 Management IPv6 address prefix for transparent mode. ::/0

gateway6 Default gateway IPv6 address. ::

ip6 IPv6 address prefix for NAT mode. ::/0

device Interface. (Empty)

bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. disable

bfd-desired-min-tx BFD desired minimal transmit interval. 250

bfd-required-min-rx BFD required minimal receive interval. 250

bfd-detect-mult BFD detection multiplier. 3

bfd-dont-enforce-src-port Enable/disable verify source port of BFD Packets. disable

utf8-spam-tagging Convert spam tags to UTF-8 for better non-ASCII character support. enable

wccp-cache-engine Enable/disable WCCP cache engine. disable

vpn-stats-log Enable/disable periodic VPN log statistics. ipsec pptp l2tp ssl

vpn-stats-period Period to send VPN log statistics (sec). 600

v4-ecmp-mode IPv4 ECMP mode. source-ip-based

mac-ttl Bridge MAC address expiration time (sec). 300

fw-session-hairpin Check every cross. disable

snat-hairpin-traffic Enable/disable SNAT hairpin traffic. enable

dhcp-proxy Enable/disable DHCP Proxy. disable

dhcp-server-ip DHCP Server IP address. (Empty)

dhcp6-server-ip DHCPv6 server IP address. (Empty)

central-nat Enable/disable central NAT. disable

gui-default-policy-columns Default columns to display for firewall policy list on GUI. (Empty)

lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. global

asymroute Enable/disable asymmetric route. disable

asymroute-icmp Enable/disable asymmetric ICMP route. disable

tcp-session-without-syn Enable/disable creation of TCP session without SYN flag. disable

ses-denied-traffic Enable/disable insertion of denied traffic into session table. disable

strict-src-check Enable/disable strict source verification. disable

asymroute6 Enable/disable asymmetric IPv6 route. disable

asymroute6-icmp Enable/disable asymmetric ICMPv6 route. disable

sip-helper Enable/disable helper to add dynamic SIP firewall allow rule. enable

sip-nat-trace Enable/disable adding original IP if NATed. enable

status Enable/disable this VDOM. enable

sip-tcp-port TCP port the SIP proxy will monitor for SIP traffic. 5060

sip-udp-port UDP port the SIP proxy will monitor for SIP traffic. 5060

sip-ssl-port TCP SSL port the SIP proxy will monitor for SIP traffic. 5061

sccp-port TCP port the SCCP proxy will monitor for SCCP traffic. 2000

multicast-forward Enable/disable multicast forwarding. enable

multicast-ttl-notchange Enable/disable modification of multicast TTL. disable

multicast-skip-policy Enable/disable skip policy check and allow multicast through. disable

allow-subnet-overlap Enable/disable allow one interface subnet overlap with other interfaces. disable

deny-tcp-with-icmp Enable/disable deny TCP with ICMP. disable

ecmp-max-paths Maximum number of ECMP next-hops. 10

discovered-device-timeout Discard discovered devices after N days of inactivity. 28

email-portal-check-dns Enable/disable DNS to validate domain names used in the email address collection captive portal. enable

default-voip-alg-mode Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy). proxy-based

gui-icap Enable/disable ICAP settings in GUI. disable

gui-nat46-64 Enable/disable NAT46 and NAT64 settings in GUI. disable

gui-implicit-policy Enable/disable implicit firewall policies in GUI. enable

gui-dns-database Enable/disable DNS database in GUI. disable

gui-load-balance Enable/disable load balance in GUI. disable

gui-multicast-policy Enable/disable multicast firewall policies in GUI. disable

gui-dos-policy Enable/disable DoS policy display in GUI. enable

gui-object-colors Enable/disable object colors in GUI. enable

gui-replacement-message-groups Enable/disable replacement message groups in GUI. disable

gui-voip-profile Enable/disable VoIP profiles in GUI. disable

gui-ap-profile Enable/disable AP profiles in GUI. enable

gui-dynamic-profile-display Enable/disable dynamic profiles in GUI. disable

gui-ipsec-manual-key Enable/disable IPsec manual Key configuration in GUI. disable

gui-local-in-policy Enable/disable Local-In policies in GUI. disable

gui-local-reports Enable/disable local reports in the GUI. disable

gui-wanopt-cache Enable/disable WAN Opt & Cache configuration in GUI. disable

gui-explicit-proxy Enable/disable explicit proxy configuration in GUI. disable

gui-dynamic-routing Enable/disable dynamic routing menus in GUI. enable

gui-dlp Enable/disable DLP settings in GUI. disable

gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management in GUI. disable

gui-sslvpn-realms Enable/disable SSL-VPN custom login pages in GUI. disable

gui-policy-based-ipsec Enable/disable policy-based IPsec VPN. disable

gui-threat-weight Enable/disable threat weight feature in GUI. enable

gui-multiple-utm-profiles Enable/disable multiple UTM profiles in GUI. enable

gui-spamfilter Enable/disable spamfilter profiles in GUI. disable

gui-application-control Enable/disable application control profiles in GUI. enable

gui-casi Enable/disable CASI profiles in GUI. enable

gui-ips Enable/disable IPS sensors in GUI. enable

gui-endpoint-control Enable/disable endpoint control in GUI. enable

gui-dhcp-advanced Enable/disable advanced DHCP configuration in GUI. enable

gui-vpn Enable/disable VPN tunnels in GUI. enable

gui-wireless-controller Enable/disable wireless controller in GUI. enable

gui-switch-controller Enable/disable switch controller in GUI. enable

gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling in GUI. disable

gui-webfilter-advanced Enable/disable advanced web filter configuration in GUI. disable

gui-traffic-shaping Enable/disable traffic shaping in GUI. enable

gui-wan-load-balancing Enable/disable WAN link load balancing in GUI. enable

gui-antivirus Enable/disable AntiVirus profile display in GUI. enable

gui-webfilter Enable/disable WebFilter profile display in GUI. enable

gui-dnsfilter Enable/disable DNS Filter profile display in GUI. enable

gui-waf-profile Enable/disable Web Application Firewall Profile display in GUI. disable

gui-fortiextender-controller Enable/disable FortiExtender controller in GUI. disable

gui-advanced-policy Enable/disable advanced policy configuration in GUI. disable

gui-allow-unnamed-policy Enable/disable relaxation of requirement for policy to have a name when created in GUI. disable

gui-email-collection Enable/disable email collection feature. disable

gui-domain-ip-reputation Enable/disable Domain and IP Reputation feature. disable

compliance-check Enable/disable PCI DSS compliance check. disable

ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723). disable

ike-quick-crash-detect Enable/disable IKEv2 quick crash detection (RFC 6290). disable

system/sflow

CLI Syntax

config system sflow
    edit <name_str>
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

collector-ip Collector IP. 0.0.0.0

collector-port sFlow collector port. 6343

source-ip Source IP for sFlow agent. 0.0.0.0

system/sit-tunnel

CLI Syntax

config system sit-tunnel
    edit <name_str>
        set name <string>
        set source <ipv4-address>
        set destination <ipv4-address>
        set ip6 <ipv6-prefix>
        set interface <string>
        set auto-asic-offload {enable | disable}
end

Description

Configuration Description Default Value

name Tunnel name. (Empty)

source Source IP address of tunnel. 0.0.0.0

destination Destination IP address of tunnel. 0.0.0.0

ip6 IPv6 address of tunnel. ::/0

interface Interface name. (Empty)

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/sms-server

CLI Syntax

config system sms-server
    edit <name_str>
        set name <string>
        set mail-server <string>
end

Description

Configuration Description Default Value

name Name of SMS server. (Empty)

mail-server Email-to-SMS server domain name. (Empty)

system/storage

CLI Syntax

config system storage
    edit <name_str>
        set name <string>
        set partition <string>
        set media-type <string>
        set device <string>
        set size <integer>
end

Description

Configuration Description Default Value

name Storage name. default_n

partition Label of underlying partition. <unknown>

media-type Media of underlying disk. ?

device Partition device. ?

size Partition size. 0

system/switch-interface

CLI Syntax

config system switch-interface
    edit <name_str>
        set name <string>
        set vdom <string>
        set span-dest-port <string>
        config span-source-port
            edit <name_str>
                set interface-name <string>
        end
        config member
            edit <name_str>
                set interface-name <string>
        end
        set type {switch | hub}
        set intra-switch-policy {implicit | explicit}
        set span {disable | enable}
        set span-direction {rx | tx | both}
end

Description

Configuration Description Default Value

name Interface name. (Empty)

vdom VDOM. (Empty)

span-dest-port Span destination port. (Empty)

span-source-port Span source ports. (Empty)

member Interfaces that compose the virtual switch. (Empty)

type Type. switch

intra-switch-policy Enable/disable policies between the members of the switch interface. implicit

span Enable/disable span port. disable

span-direction SPAN direction. both

system/tos-based-priority

CLI Syntax

config system tos-based-priority
    edit <name_str>
        set id <integer>
        set tos <integer>
        set priority {low | medium | high}
end

Description

Configuration Description Default Value

id Item ID. 0

tos IP ToS value (0 - 15). 0

priority ToS based priority level. high

system/vdom

CLI Syntax

config system vdom
    edit <name_str>
        set name <string>
        set vcluster-id <integer>
        set temporary <integer>
end

Description

Configuration Description Default Value

name VDOM name. (Empty)

vcluster-id Virtual cluster ID (0 - 4294967295). 0

temporary Temporary. 0

system/vdom-dns

CLI Syntax

config system vdom-dns
    edit <name_str>
        set vdom-dns {enable | disable}
        set primary <ipv4-address>
        set secondary <ipv4-address>
        set ip6-primary <ipv6-address>
        set ip6-secondary <ipv6-address>
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

vdom-dns Enable/disable DNS per VDOM. disable

primary VDOM primary DNS IP. 0.0.0.0

secondary VDOM secondary DNS IP. 0.0.0.0

ip6-primary VDOM IPv6 primary DNS IP. ::

ip6-secondary VDOM IPv6 Secondary DNS IP. ::

source-ip Source IP for communications to DNS server. 0.0.0.0

system/vdom-link

CLI Syntax

config system vdom-link
    edit <name_str>
        set name <string>
        set vcluster {vcluster1 | vcluster2}
        set type {ppp | ethernet}
end

Description

Configuration Description Default Value

name VDOM link name. (Empty)

vcluster Virtual cluster. vcluster1

type Type. ppp

system/vdom-netflow

CLI Syntax

config system vdom-netflow
    edit <name_str>
        set vdom-netflow {enable | disable}
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

vdom-netflow Enable/disable NetFlow per VDOM. disable

collector-ip Collector IP. 0.0.0.0

collector-port NetFlow collector port. 2055

source-ip Source IP for NetFlow agent. 0.0.0.0

system/vdom-property

CLI Syntax

config system vdom-property
    edit <name_str>
        set name <string>
        set description <string>
        set snmp-index <integer>
        set session <user>
        set ipsec-phase1 <user>
        set ipsec-phase2 <user>
        set dialup-tunnel <user>
        set firewall-policy <user>
        set firewall-address <user>
        set firewall-addrgrp <user>
        set custom-service <user>
        set service-group <user>
        set onetime-schedule <user>
        set recurring-schedule <user>
        set user <user>
        set user-group <user>
        set sslvpn <user>
        set proxy <user>
        set log-disk-quota <user>
end

Description

Configuration Description Default Value

name VDOM name. (Empty)

description Description. (Empty)

snmp-index Permanent SNMP Index of the virtual domain. 0

session Maximum number (guaranteed number) of sessions. 0 0

ipsec-phase1 Maximum number (guaranteed number) of VPN IPsec phase1 tunnels. 0 0

ipsec-phase2 Maximum number (guaranteed number) of VPN IPsec phase2 tunnels. 0 0

dialup-tunnel Maximum number (guaranteed number) of dial-up tunnels. 0 0

firewall-policy Maximum number (guaranteed number) of firewall policies. 0 0

firewall-address Maximum number (guaranteed number) of firewall addresses. 0 0

firewall-addrgrp Maximum number (guaranteed number) of firewall address groups. 0 0

custom-service Maximum number (guaranteed number) of firewall custom services. 0 0

service-group Maximum number (guaranteed number) of firewall service groups. 0 0

onetime-schedule Maximum number (guaranteed number) of firewall one-time schedules. 0 0

recurring-schedule Maximum number (guaranteed number) of firewall recurring schedules. 0 0

user Maximum number (guaranteed number) of local users. 0 0

CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.

632

Page 633: FortiOS 5.4 CLI Referencedocshare02.docshare.tips/files/30730/307306382.pdfChangeLog ChangeLog Date ChangeDescription December16,2015 NewFortiOS5.4.0release. CLI Reference for FortiOS

user-group Maximum number (guaranteed number) of usergroups.

0 0

sslvpn Maximum number (guaranteed number) of SSL-VPN.

0 0

proxy Maximum number (guaranteed number) ofconcurrent proxy users.

0 0

log-disk-quota Log disk quota in MB. 0 0


system/vdom-radius-server

CLI Syntax

config system vdom-radius-server
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set radius-server-vdom <string>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name of virtual domain for server settings. | (Empty) |
| status | Enable or disable the entry. | disable |
| radius-server-vdom | Virtual domain of dynamic profile radius server to use for dynamic profile traffic in the current vdom. | (Empty) |


system/vdom-sflow

CLI Syntax

config system vdom-sflow
    edit <name_str>
        set vdom-sflow {enable | disable}
        set collector-ip <ipv4-address>
        set collector-port <integer>
        set source-ip <ipv4-address>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| vdom-sflow | Enable/disable sFlow per VDOM. | disable |
| collector-ip | Collector IP. | 0.0.0.0 |
| collector-port | sFlow collector port. | 6343 |
| source-ip | Source IP for sFlow agent. | 0.0.0.0 |


system/virtual-wan-link

CLI Syntax

config system virtual-wan-link
    edit <name_str>
        set status {disable | enable}
        set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
        set fail-detect {enable | disable}
        config fail-alert-interfaces
            edit <name_str>
                set name <string>
        end
        config members
            edit <name_str>
                set seq-num <integer>
                set interface <string>
                set gateway <ipv4-address>
                set weight <integer>
                set priority <integer>
                set spillover-threshold <integer>
                set ingress-spillover-threshold <integer>
                set volume-ratio <integer>
                set status {disable | enable}
        end
        config health-check
            edit <name_str>
                set name <string>
                set server <string>
                set protocol {ping | tcp-echo | udp-echo | http | twamp}
                set port <integer>
                set security-mode {none | authentication}
                set password <password>
                set packet-size <integer>
                set http-get <string>
                set http-match <string>
                set interval <integer>
                set timeout <integer>
                set failtime <integer>
                set recoverytime <integer>
                set update-cascade-interface {enable | disable}
                set update-static-route {enable | disable}
                set threshold-warning-packetloss <integer>
                set threshold-alert-packetloss <integer>
                set threshold-warning-latency <integer>
                set threshold-alert-latency <integer>
                set threshold-warning-jitter <integer>
                set threshold-alert-jitter <integer>
        end
        config service
            edit <name_str>
                set name <string>
                set mode {auto | manual | priority}
                set quality-link <integer>
                set member <integer>
                set tos <user>
                set tos-mask <user>
                set protocol <integer>
                set start-port <integer>
                set end-port <integer>
                config dst
                    edit <name_str>
                        set name <string>
                end
                config src
                    edit <name_str>
                        set name <string>
                end
                config users
                    edit <name_str>
                        set name <string>
                end
                config groups
                    edit <name_str>
                        set name <string>
                end
                set internet-service {enable | disable}
                config internet-service-custom
                    edit <name_str>
                        set name <string>
                end
                config internet-service-id
                    edit <name_str>
                        set id <integer>
                end
                set health-check <string>
                set link-cost-factor {latency | jitter | packet-loss}
                config priority-members
                    edit <name_str>
                        set seq-num <integer>
                end
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable using the virtual-wan-link settings. | disable |
| load-balance-mode | Load balance mode among virtual WAN link members. | source-ip-based |
| fail-detect | Enable/disable fail detection. | disable |
| fail-alert-interfaces | Physical interfaces that will be alerted. | (Empty) |
| members | Members that belong to the virtual-wan-link. | (Empty) |
| health-check | Health check. | (Empty) |
| service | Service to be distributed. | (Empty) |


system/virtual-wire-pair

CLI Syntax

config system virtual-wire-pair
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set interface-name <string>
        end
        set wildcard-vlan {enable | disable}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | virtual-wire-pair name. | (Empty) |
| member | Interfaces that belong to the port pair. | (Empty) |
| wildcard-vlan | Enable/disable wildcard VLAN. | disable |


system/wccp

CLI Syntax

config system wccp
    edit <name_str>
        set service-id <string>
        set router-id <ipv4-address>
        set cache-id <ipv4-address>
        set group-address <ipv4-address-multicast>
        set server-list <user>
        set router-list <user>
        set ports-defined {source | destination}
        set ports <user>
        set authentication {enable | disable}
        set password <password>
        set forward-method {GRE | L2 | any}
        set cache-engine-method {GRE | L2}
        set service-type {auto | standard | dynamic}
        set primary-hash {src-ip | dst-ip | src-port | dst-port}
        set priority <integer>
        set protocol <integer>
        set assignment-weight <integer>
        set assignment-bucket-format {wccp-v2 | cisco-implementation}
        set return-method {GRE | L2 | any}
        set assignment-method {HASH | MASK | any}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| service-id | Service ID. | (Empty) |
| router-id | IP address which is known by all web cache servers. | 0.0.0.0 |
| cache-id | IP address which is known by all routers. | 0.0.0.0 |
| group-address | IP multicast address. | 0.0.0.0 |
| server-list | Addresses of potential cache servers. | (Empty) |
| router-list | Addresses of potential routers. | (Empty) |
| ports-defined | Match method. | (Empty) |
| ports | Service ports. | (Empty) |
| authentication | Enable/disable MD5 authentication. | disable |
| password | Password of MD5 authentication. | (Empty) |
| forward-method | Method traffic is forwarded to cache servers. | GRE |
| cache-engine-method | Method traffic is forwarded to route or returned to cache engine. | GRE |
| service-type | Service type auto/standard/dynamic. | auto |
| primary-hash | Hash method. | dst-ip |
| priority | Service priority. | 0 |
| protocol | Service protocol. | 0 |
| assignment-weight | Cache server hash weight. | 0 |
| assignment-bucket-format | Hash table bucket format. | cisco-implementation |
| return-method | Method traffic is returned back to firewall. | GRE |
| assignment-method | Assignment method preference. | HASH |


system/zone

CLI Syntax

config system zone
    edit <name_str>
        set name <string>
        set intrazone {allow | deny}
        config interface
            edit <name_str>
                set interface-name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Zone name. | (Empty) |
| intrazone | Intra-zone traffic. | deny |
| interface | Interfaces that belong to the zone. | (Empty) |


user/adgrp

CLI Syntax

config user adgrp
    edit <name_str>
        set name <string>
        set server-name <string>
        set polling-id <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| server-name | FSSO agent name. | (Empty) |
| polling-id | FSSO polling ID. | 0 |


user/device

CLI Syntax

config user device
    edit <name_str>
        set alias <string>
        set mac <mac-address>
        set user <string>
        set master-device <string>
        set comment <var-string>
        set avatar <var-string>
        set type {ipad | iphone | gaming-console | blackberry-phone | blackberry-playbook | linux-pc | mac | windows-pc | android-phone | android-tablet | media-streaming | windows-phone | windows-tablet | fortinet-device | ip-phone | router-nat-device | printer | other-network-device}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| alias | Device alias. | (Empty) |
| mac | Device MAC address(es). | 00:00:00:00:00:00 |
| user | User name. | (Empty) |
| master-device | Master device (optional). | (Empty) |
| comment | Comment. | (Empty) |
| avatar | Image file for avatar (maximum 4K base64 encoded). | (Empty) |
| type | Device type. | other-network-device |


user/device-access-list

CLI Syntax

config user device-access-list
    edit <name_str>
        set name <string>
        set default-action {accept | deny}
        config device-list
            edit <name_str>
                set id <integer>
                set device <string>
                set action {accept | deny}
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Device access list name. | (Empty) |
| default-action | Allow or block unknown devices. | accept |
| device-list | Device list. | (Empty) |


user/device-category

CLI Syntax

config user device-category
    edit <name_str>
        set name <string>
        set desc <var-string>
        set comment <var-string>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Device category name. | (Empty) |
| desc | Device category description. | (Empty) |
| comment | Comment. | (Empty) |


user/device-group

CLI Syntax

config user device-group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
        end
        set comment <var-string>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Device group name. | (Empty) |
| member | Device group member. | (Empty) |
| comment | Comment. | (Empty) |


user/fortitoken

CLI Syntax

config user fortitoken
    edit <name_str>
        set serial-number <string>
        set status {active | lock}
        set seed <string>
        set comments <var-string>
        set license <string>
        set activation-code <string>
        set activation-expire <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| serial-number | Serial number. | (Empty) |
| status | Status. | active |
| seed | Token seed. | (Empty) |
| comments | Comment. | (Empty) |
| license | Mobile token license. | (Empty) |
| activation-code | Mobile token user activation-code. | (Empty) |
| activation-expire | Mobile token user activation-code expire time. | 0 |


user/fsso

CLI Syntax

config user fsso
    edit <name_str>
        set name <string>
        set server <string>
        set port <integer>
        set password <password>
        set server2 <string>
        set port2 <integer>
        set password2 <password>
        set server3 <string>
        set port3 <integer>
        set password3 <password>
        set server4 <string>
        set port4 <integer>
        set password4 <password>
        set server5 <string>
        set port5 <integer>
        set password5 <password>
        set ldap-server <string>
        set source-ip <ipv4-address>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| server | Address of the 1st FSSO agent. | (Empty) |
| port | Port of the 1st FSSO agent. | 8000 |
| password | Password of the 1st FSSO agent. | (Empty) |
| server2 | Address of the 2nd FSSO agent. | (Empty) |
| port2 | Port of the 2nd FSSO agent. | 8000 |
| password2 | Password of the 2nd FSSO agent. | (Empty) |
| server3 | Address of the 3rd FSSO agent. | (Empty) |
| port3 | Port of the 3rd FSSO agent. | 8000 |
| password3 | Password of the 3rd FSSO agent. | (Empty) |
| server4 | Address of the 4th FSSO agent. | (Empty) |
| port4 | Port of the 4th FSSO agent. | 8000 |
| password4 | Password of the 4th FSSO agent. | (Empty) |
| server5 | Address of the 5th FSSO agent. | (Empty) |
| port5 | Port of the 5th FSSO agent. | 8000 |
| password5 | Password of the 5th FSSO agent. | (Empty) |
| ldap-server | LDAP server to get group information. | (Empty) |
| source-ip | Source IP for communications to FSSO agent. | 0.0.0.0 |


user/fsso-polling

CLI Syntax

config user fsso-polling
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set server <string>
        set default-domain <string>
        set port <integer>
        set user <string>
        set password <password>
        set ldap-server <string>
        set logon-history <integer>
        set polling-frequency <integer>
        config adgrp
            edit <name_str>
                set name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Active Directory server ID. | 0 |
| status | Enable/disable poll Active Directory status. | enable |
| server | Active Directory server name/IP address. | (Empty) |
| default-domain | Default domain in this server. | (Empty) |
| port | Port of the Active Directory server. | 0 |
| user | Active Directory server user account. | (Empty) |
| password | Password to connect to Active Directory server. | (Empty) |
| ldap-server | LDAP Server NAME for group name and users. | (Empty) |
| logon-history | Hours to keep as an active logon. 0 means keeping forever. | 8 |
| polling-frequency | Polling frequency (1 - 30 s). | 10 |
| adgrp | LDAP Group Info. | (Empty) |


user/group

CLI Syntax

config user group
    edit <name_str>
        set name <string>
        set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
        set authtimeout <integer>
        set auth-concurrent-override {enable | disable}
        set auth-concurrent-value <integer>
        set http-digest-realm <string>
        set sso-attribute-value <string>
        config member
            edit <name_str>
                set name <string>
        end
        config match
            edit <name_str>
                set id <integer>
                set server-name <string>
                set group-name <string>
        end
        set user-id {email | auto-generate | specify}
        set password {auto-generate | specify | disable}
        set user-name {disable | enable}
        set sponsor {optional | mandatory | disabled}
        set company {optional | mandatory | disabled}
        set email {disable | enable}
        set mobile-phone {disable | enable}
        set sms-server {fortiguard | custom}
        set sms-custom-server <string>
        set expire-type {immediately | first-successful-login}
        set expire <integer>
        set max-accounts <integer>
        set multiple-guest-add {disable | enable}
        config guest
            edit <name_str>
                set user-id <string>
                set name <string>
                set group <string>
                set password <password>
                set mobile-phone <string>
                set sponsor <string>
                set company <string>
                set email <string>
                set expiration <user>
                set comment <var-string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Group name. | (Empty) |
| group-type | Type of user group. | firewall |
| authtimeout | Authentication timeout. | 0 |
| auth-concurrent-override | Enable/disable concurrent authentication override. | disable |
| auth-concurrent-value | Maximum number of concurrent authenticated connections per user (0 - 100). | 0 |
| http-digest-realm | Realm attribute for MD5-digest authentication. | (Empty) |
| sso-attribute-value | Single Sign On Attribute Value. | (Empty) |
| member | Group members. | (Empty) |
| match | Group matches. | (Empty) |
| user-id | User ID. | email |
| password | Password. | auto-generate |
| user-name | Enable/disable user name. | disable |
| sponsor | Sponsor. | optional |
| company | Company. | optional |
| email | Enable/disable email address. | enable |
| mobile-phone | Enable/disable mobile phone. | disable |
| sms-server | Send SMS through FortiGuard or other external server. | fortiguard |
| sms-custom-server | SMS server. | (Empty) |
| expire-type | Point at which expiration count down begins. | immediately |
| expire | Expiration (1 - 31536000 sec). | 14400 |
| max-accounts | Maximum number of guest accounts that can be created for this group (0 = unlimited). | 0 |
| multiple-guest-add | Enable/disable addition of multiple guests. | disable |
| guest | Guest User. | (Empty) |


user/ldap

CLI Syntax

config user ldap
    edit <name_str>
        set name <string>
        set server <string>
        set secondary-server <string>
        set tertiary-server <string>
        set source-ip <ipv4-address>
        set cnid <string>
        set dn <string>
        set type {simple | anonymous | regular}
        set username <string>
        set password <password>
        set group-member-check {user-attr | group-object}
        set group-object-filter <string>
        set secure {disable | starttls | ldaps}
        set ca-cert <string>
        set port <integer>
        set password-expiry-warning {enable | disable}
        set password-renewal {enable | disable}
        set member-attr <string>
        set search-type {nested}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | LDAP server entry name. | (Empty) |
| server | {<name_str\|ip_str>} LDAP server CN domain name or IP. | (Empty) |
| secondary-server | {<name_str\|ip_str>} secondary LDAP server CN domain name or IP. | (Empty) |
| tertiary-server | {<name_str\|ip_str>} tertiary LDAP server CN domain name or IP. | (Empty) |
| source-ip | Source IP for communications to LDAP server. | 0.0.0.0 |
| cnid | Common Name Identifier (default = "cn"). | cn |
| dn | Distinguished Name. | (Empty) |
| type | Type of LDAP binding. | simple |
| username | Username (full DN) for initial binding. | (Empty) |
| password | Password for initial binding. | (Empty) |
| group-member-check | Group-member checking options. | user-attr |
| group-object-filter | Filter used for group searching. | (&(objectcategory=group)(member=*)) |
| secure | SSL connection. | disable |
| ca-cert | CA certificate name. | (Empty) |
| port | Port number of the LDAP server (default = 389). | 389 |
| password-expiry-warning | Enable/disable password expiry warnings. | disable |
| password-renewal | Enable/disable online password renewal. | disable |
| member-attr | Name of attribute from which to get group membership. | memberOf |
| search-type | Search type. | (Empty) |


user/local

CLI Syntax

config user local
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set type {password | radius | tacacs+ | ldap}
        set passwd <password>
        set ldap-server <string>
        set radius-server <string>
        set tacacs+-server <string>
        set two-factor {disable | fortitoken | email | sms}
        set fortitoken <string>
        set email-to <string>
        set sms-server {fortiguard | custom}
        set sms-custom-server <string>
        set sms-phone <string>
        set passwd-policy <string>
        set passwd-time <user>
        set authtimeout <integer>
        set workstation <string>
        set auth-concurrent-override {enable | disable}
        set auth-concurrent-value <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | User name. | (Empty) |
| status | Enable/disable user. | enable |
| type | Authentication type. | (Empty) |
| passwd | User password. | (Empty) |
| ldap-server | LDAP server name. | (Empty) |
| radius-server | RADIUS server name. | (Empty) |
| tacacs+-server | TACACS+ server name. | (Empty) |
| two-factor | Enable/disable two-factor authentication. | disable |
| fortitoken | Two-factor recipient's FortiToken serial number. | (Empty) |
| email-to | Two-factor recipient's email address. | (Empty) |
| sms-server | Send SMS through FortiGuard or other external server. | fortiguard |
| sms-custom-server | Two-factor recipient's SMS server. | (Empty) |
| sms-phone | Two-factor recipient's mobile phone number. | (Empty) |
| passwd-policy | Password policy. | (Empty) |
| passwd-time | Password last update time. | 0000-00-00 00:00:00 |
| authtimeout | Authentication timeout. | 0 |
| workstation | Name of remote user workstation. | (Empty) |
| auth-concurrent-override | Enable/disable concurrent authentication override. | disable |
| auth-concurrent-value | Maximum number of concurrent authenticated connections per user. | 0 |


user/password-policy

CLI Syntax

config user password-policy
    edit <name_str>
        set name <string>
        set expire-days <integer>
        set warn-days <integer>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Password policy name. | (Empty) |
| expire-days | Number of days after which the password will expire. | 180 |
| warn-days | Number of days to warn before password expires. | 15 |


user/peer

CLI Syntax

config user peer
    edit <name_str>
        set name <string>
        set mandatory-ca-verify {enable | disable}
        set ca <string>
        set subject <string>
        set cn <string>
        set cn-type {string | email | FQDN | ipv4 | ipv6}
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set ldap-mode {password | principal-name}
        set ocsp-override-server <string>
        set two-factor {enable | disable}
        set passwd <password>
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Peer name. | (Empty) |
| mandatory-ca-verify | Enable/disable mandatory CA verify. | disable |
| ca | Peer certificate CA (CA name in local). | (Empty) |
| subject | Peer certificate name constraints. | (Empty) |
| cn | Peer certificate common name. | (Empty) |
| cn-type | Peer certificate common name type. | string |
| ldap-server | LDAP server for access rights check. | (Empty) |
| ldap-username | Username for LDAP server bind. | (Empty) |
| ldap-password | Password for LDAP server bind. | (Empty) |
| ldap-mode | Peer LDAP mode. | password |
| ocsp-override-server | OCSP server. | (Empty) |
| two-factor | Enable/disable 2-factor authentication (certificate + password). | disable |
| passwd | User password. | (Empty) |


user/peergrp

CLI Syntax

config user peergrp
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
        end
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Peer group name. | (Empty) |
| member | Peer group members. | (Empty) |


user/pop3

CLI Syntax

config user pop3
    edit <name_str>
        set name <string>
        set server <string>
        set port <integer>
        set secure {none | starttls | pop3s}
end


Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | POP3 server entry name. | (Empty) |
| server | {<name_str\|ip_str>} server domain name or IP. | (Empty) |
| port | POP3 service port number. | 0 |
| secure | SSL connection. | starttls |


user/radiusCLI Syntax

config user radius
    edit <name_str>
        set name <string>
        set server <string>
        set secret <password>
        set secondary-server <string>
        set secondary-secret <password>
        set tertiary-server <string>
        set tertiary-secret <password>
        set timeout <integer>
        set all-usergroup {disable | enable}
        set use-management-vdom {enable | disable}
        set nas-ip <ipv4-address>
        set acct-interim-interval <integer>
        set radius-coa {enable | disable}
        set radius-port <integer>
        set h3c-compatibility {enable | disable}
        set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
        set source-ip <ipv4-address>
        set username-case-sensitive {enable | disable}
        set password-renewal {enable | disable}
        set rsso {enable | disable}
        set rsso-radius-server-port <integer>
        set rsso-radius-response {enable | disable}
        set rsso-validate-request-secret {enable | disable}
        set rsso-secret <password>
        set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
        set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
        set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
        set sso-attribute-key <string>
        set sso-attribute-value-override {enable | disable}
        set rsso-context-timeout <integer>
        set rsso-log-period <integer>
        set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}
        set rsso-flush-ip-session {enable | disable}
        config accounting-server
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set server <string>
                set secret <password>
                set port <integer>
                set source-ip <ipv4-address>
        end
end

Description

Configuration Description Default Value

name RADIUS server entry name. (Empty)

server {<name_str|ip_str>} primary server CN domain name or IP. (Empty)

secret Secret key to access the primary server. (Empty)

secondary-server {<name_str|ip_str>} secondary RADIUS CN domain name or IP. (Empty)

secondary-secret Secret key to access the secondary server. (Empty)

tertiary-server {<name_str|ip_str>} tertiary RADIUS CN domain name or IP. (Empty)

tertiary-secret Secret key to access the tertiary server. (Empty)

timeout Authentication time-out. 5

all-usergroup Enable/disable automatically including this RADIUS server in all user groups. disable

use-management-vdom Enable/disable using management VDOM to send requests. disable

nas-ip NAS IP address and called station ID. 0.0.0.0

acct-interim-interval Number of seconds between each accounting interim update message (600 - 86400 sec). 0

radius-coa Enable/Disable RADIUS CoA. disable

radius-port RADIUS service port number. 0

h3c-compatibility Enable/disable H3C compatibility. disable

auth-type Authentication Protocol. auto

source-ip Source IP for communications to RADIUS server. 0.0.0.0

username-case-sensitive Enable/disable username case sensitive. disable

password-renewal Enable/disable password renewal. disable

rsso Enable/disable RADIUS based single sign on feature. disable

rsso-radius-server-port UDP port to listen on for RADIUS accounting packets. 1813

rsso-radius-response Enable/disable sending RADIUS response packets. disable

rsso-validate-request-secret Enable/disable validating RADIUS request shared secret. disable

rsso-secret RADIUS shared secret for responses / validating requests. (Empty)

rsso-endpoint-attribute RADIUS Attribute used to hold End Point name. Calling-Station-Id

rsso-endpoint-block-attribute RADIUS Attribute used to hold endpoint to block. (Empty)

sso-attribute RADIUS Attribute used to match the single sign on group value. Class

sso-attribute-key Key prefix for single-sign-on group value in the sso-attribute. (Empty)

sso-attribute-value-override Enable/disable override old attribute value with new value for the same endpoint. enable

rsso-context-timeout Timeout value for RADIUS server database entries (0 = infinite). 28800

rsso-log-period Minimum time period to use for event logs. 0

rsso-log-flags Events to log. protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other

rsso-flush-ip-session Enable/disable flush user IP sessions on RADIUS accounting stop. disable

accounting-server Additional accounting servers. (Empty)

user/security-exempt-list

CLI Syntax

config user security-exempt-list
    edit <name_str>
        set name <string>
        set description <string>
        config rule
            edit <name_str>
                set id <integer>
                config srcaddr
                    edit <name_str>
                        set name <string>
                end
                config devices
                    edit <name_str>
                        set name <string>
                end
                config dstaddr
                    edit <name_str>
                        set name <string>
                end
                config service
                    edit <name_str>
                        set name <string>
                end
        end
end

Description

Configuration Description Default Value

name Name of the exempt list. (Empty)

description Description. (Empty)

rule Exempt rules. (Empty)

user/setting

CLI Syntax

config user setting
    edit <name_str>
        set auth-type {http | https | ftp | telnet}
        set auth-cert <string>
        set auth-ca-cert <string>
        set auth-secure-http {enable | disable}
        set auth-http-basic {enable | disable}
        set auth-multi-group {enable | disable}
        set auth-timeout <integer>
        set auth-timeout-type {idle-timeout | hard-timeout | new-session}
        set auth-portal-timeout <integer>
        set radius-ses-timeout-act {hard-timeout | ignore-timeout}
        set auth-blackout-time <integer>
        set auth-invalid-max <integer>
        set auth-lockout-threshold <integer>
        set auth-lockout-duration <integer>
        config auth-ports
            edit <name_str>
                set id <integer>
                set type {http | https | ftp | telnet}
                set port <integer>
        end
end

Description

Configuration Description Default Value

auth-type Allowed firewall policy authentication methods. http https ftp telnet

auth-cert HTTPS server certificate for policy authentication. (Empty)

auth-ca-cert HTTPS CA certificate for policy authentication. (Empty)

auth-secure-http Enable/disable use of HTTPS for HTTP authentication. disable

auth-http-basic Enable/disable use of HTTP BASIC for HTTP authentication. disable

auth-multi-group Enable/disable retrieval of groups to which a user belongs. enable

auth-timeout Firewall user authentication time-out. 5

auth-timeout-type Authenticated policy expiration behavior. idle-timeout

auth-portal-timeout Firewall captive portal authentication time-out (1 - 30 min, default - 3). 3

radius-ses-timeout-act RADIUS session timeout behavior. hard-timeout

auth-blackout-time Authentication blackout time (0 - 3600 s). 0

auth-invalid-max Number of invalid auth tries allowed before blackout. 5

auth-lockout-threshold Maximum number of failed login attempts before lockout (1 - 10). 3

auth-lockout-duration Lockout period in seconds after too many login failures. 0

auth-ports Authentication port table. (Empty)

user/tacacs+

CLI Syntax

config user tacacs+
    edit <name_str>
        set name <string>
        set server <string>
        set secondary-server <string>
        set tertiary-server <string>
        set port <integer>
        set key <password>
        set secondary-key <password>
        set tertiary-key <password>
        set authen-type {mschap | chap | pap | ascii | auto}
        set authorization {enable | disable}
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

name TACACS+ server entry name. (Empty)

server {<name_str|ip_str>} server CN domain name or IP. (Empty)

secondary-server {<name_str|ip_str>} secondary server CN domain name or IP. (Empty)

tertiary-server {<name_str|ip_str>} tertiary server CN domain name or IP. (Empty)

port Port number of the TACACS+ server. 49

key Key to access the server. (Empty)

secondary-key Key to access the secondary server. (Empty)

tertiary-key Key to access the tertiary server. (Empty)

authen-type Authentication type to use. auto

authorization Enable/disable TACACS+ authorization. disable

source-ip Source IP for communications to TACACS+ server. 0.0.0.0

voip/profile

CLI Syntax

config voip profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config sip
            edit <name_str>
                set status {disable | enable}
                set rtp {disable | enable}
                set open-register-pinhole {disable | enable}
                set open-contact-pinhole {disable | enable}
                set strict-register {disable | enable}
                set register-rate <integer>
                set invite-rate <integer>
                set max-dialogs <integer>
                set max-line-length <integer>
                set block-long-lines {disable | enable}
                set block-unknown {disable | enable}
                set call-keepalive <integer>
                set block-ack {disable | enable}
                set block-bye {disable | enable}
                set block-cancel {disable | enable}
                set block-info {disable | enable}
                set block-invite {disable | enable}
                set block-message {disable | enable}
                set block-notify {disable | enable}
                set block-options {disable | enable}
                set block-prack {disable | enable}
                set block-publish {disable | enable}
                set block-refer {disable | enable}
                set block-register {disable | enable}
                set block-subscribe {disable | enable}
                set block-update {disable | enable}
                set register-contact-trace {disable | enable}
                set open-via-pinhole {disable | enable}
                set open-record-route-pinhole {disable | enable}
                set rfc2543-branch {disable | enable}
                set log-violations {disable | enable}
                set log-call-summary {disable | enable}
                set nat-trace {disable | enable}
                set subscribe-rate <integer>
                set message-rate <integer>
                set notify-rate <integer>
                set refer-rate <integer>
                set update-rate <integer>
                set options-rate <integer>
                set ack-rate <integer>
                set prack-rate <integer>
                set info-rate <integer>
                set publish-rate <integer>
                set bye-rate <integer>
                set cancel-rate <integer>
                set preserve-override {disable | enable}
                set no-sdp-fixup {disable | enable}
                set contact-fixup {disable | enable}
                set max-idle-dialogs <integer>
                set block-geo-red-options {disable | enable}
                set hosted-nat-traversal {disable | enable}
                set hnt-restrict-source-ip {disable | enable}
                set max-body-length <integer>
                set unknown-header {discard | pass | respond}
                set malformed-request-line {discard | pass | respond}
                set malformed-header-via {discard | pass | respond}
                set malformed-header-from {discard | pass | respond}
                set malformed-header-to {discard | pass | respond}
                set malformed-header-call-id {discard | pass | respond}
                set malformed-header-cseq {discard | pass | respond}
                set malformed-header-rack {discard | pass | respond}
                set malformed-header-rseq {discard | pass | respond}
                set malformed-header-contact {discard | pass | respond}
                set malformed-header-record-route {discard | pass | respond}
                set malformed-header-route {discard | pass | respond}
                set malformed-header-expires {discard | pass | respond}
                set malformed-header-content-type {discard | pass | respond}
                set malformed-header-content-length {discard | pass | respond}
                set malformed-header-max-forwards {discard | pass | respond}
                set malformed-header-allow {discard | pass | respond}
                set malformed-header-p-asserted-identity {discard | pass | respond}
                set malformed-header-sdp-v {discard | pass | respond}
                set malformed-header-sdp-o {discard | pass | respond}
                set malformed-header-sdp-s {discard | pass | respond}
                set malformed-header-sdp-i {discard | pass | respond}
                set malformed-header-sdp-c {discard | pass | respond}
                set malformed-header-sdp-b {discard | pass | respond}
                set malformed-header-sdp-z {discard | pass | respond}
                set malformed-header-sdp-k {discard | pass | respond}
                set malformed-header-sdp-a {discard | pass | respond}
                set malformed-header-sdp-t {discard | pass | respond}
                set malformed-header-sdp-r {discard | pass | respond}
                set malformed-header-sdp-m {discard | pass | respond}
                set provisional-invite-expiry-time <integer>
                set ips-rtp {disable | enable}
                set ssl-mode {off | full}
                set ssl-send-empty-frags {enable | disable}
                set ssl-client-renegotiation {allow | deny | secure}
                set ssl-algorithm {high | medium | low}
                set ssl-pfs {require | deny | allow}
                set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
                set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
                set ssl-client-certificate <string>
                set ssl-server-certificate <string>
                set ssl-auth-client <string>
                set ssl-auth-server <string>
        end
        config sccp
            edit <name_str>
                set status {disable | enable}
                set block-mcast {disable | enable}
                set verify-header {disable | enable}
                set log-call-summary {disable | enable}
                set log-violations {disable | enable}
                set max-calls <integer>
        end
end

Description

Configuration Description Default Value

name Profile name. (Empty)

comment Comment. (Empty)

sip SIP. Details below

    Configuration Default Value
    status enable
    rtp enable
    open-register-pinhole enable
    open-contact-pinhole enable
    strict-register disable
    register-rate 0
    invite-rate 0
    max-dialogs 0
    max-line-length 998
    block-long-lines enable
    block-unknown enable
    call-keepalive 0
    block-ack disable
    block-bye disable
    block-cancel disable
    block-info disable
    block-invite disable
    block-message disable
    block-notify disable
    block-options disable
    block-prack disable
    block-publish disable
    block-refer disable
    block-register disable
    block-subscribe disable
    block-update disable
    register-contact-trace disable
    open-via-pinhole disable
    open-record-route-pinhole enable
    rfc2543-branch disable
    log-violations disable
    log-call-summary enable
    nat-trace enable
    subscribe-rate 0
    message-rate 0
    notify-rate 0
    refer-rate 0
    update-rate 0
    options-rate 0
    ack-rate 0
    prack-rate 0
    info-rate 0
    publish-rate 0
    bye-rate 0
    cancel-rate 0
    preserve-override disable
    no-sdp-fixup disable
    contact-fixup enable
    max-idle-dialogs 0
    block-geo-red-options disable
    hosted-nat-traversal disable
    hnt-restrict-source-ip disable
    max-body-length 0
    unknown-header pass
    malformed-request-line pass
    malformed-header-via pass
    malformed-header-from pass
    malformed-header-to pass
    malformed-header-call-id pass
    malformed-header-cseq pass
    malformed-header-rack pass
    malformed-header-rseq pass
    malformed-header-contact pass
    malformed-header-record-route pass
    malformed-header-route pass
    malformed-header-expires pass
    malformed-header-content-type pass
    malformed-header-content-length pass
    malformed-header-max-forwards pass
    malformed-header-allow pass
    malformed-header-p-asserted-identity pass
    malformed-header-sdp-v pass
    malformed-header-sdp-o pass
    malformed-header-sdp-s pass
    malformed-header-sdp-i pass
    malformed-header-sdp-c pass
    malformed-header-sdp-b pass
    malformed-header-sdp-z pass
    malformed-header-sdp-k pass
    malformed-header-sdp-a pass
    malformed-header-sdp-t pass
    malformed-header-sdp-r pass
    malformed-header-sdp-m pass
    provisional-invite-expiry-time 210
    ips-rtp enable
    ssl-mode off
    ssl-send-empty-frags enable
    ssl-client-renegotiation allow
    ssl-algorithm high
    ssl-pfs allow
    ssl-min-version tls-1.0
    ssl-max-version tls-1.2
    ssl-client-certificate (Empty)
    ssl-server-certificate (Empty)
    ssl-auth-client (Empty)
    ssl-auth-server (Empty)

sccp SCCP. Details below

    Configuration Default Value
    status enable
    block-mcast disable
    verify-header disable
    log-call-summary disable
    log-violations disable
    max-calls 0

vpn.certificate/ca

CLI Syntax

config vpn.certificate ca
    edit <name_str>
        set name <string>
        set ca <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set trusted {enable | disable}
        set scep-url <string>
        set auto-update-days <integer>
        set auto-update-days-warning <integer>
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

name Name. (Empty)

ca CA certificate. (Empty)

range CA certificate range. vdom

source CA certificate source. user

trusted Enable/disable trusted CA. enable

scep-url URL of SCEP server. (Empty)

auto-update-days Days to auto-update before expired, 0=disabled. 0

auto-update-days-warning Days to send update before auto-update (0=disabled). 0

source-ip Source IP for communications to SCEP server. 0.0.0.0

vpn.certificate/crl

CLI Syntax

config vpn.certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

name Name. (Empty)

crl Certificate Revocation List. (Empty)

range CRL range. vdom

source CRL source. user

update-vdom Virtual domain for CRL update. root

ldap-server LDAP server. (Empty)

ldap-username Login name for LDAP server. (Empty)

ldap-password Login password for LDAP server. (Empty)

http-url URL of HTTP server for CRL update. (Empty)

scep-url URL of CA server for CRL update via SCEP. (Empty)

scep-cert Local certificate used for CRL update via SCEP. Fortinet_CA_SSL

update-interval Seconds between updates, 0=disabled. 0

source-ip Source IP for communications to CA (HTTP/SCEP) server. 0.0.0.0

vpn.certificate/local

CLI Syntax

config vpn.certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end

Description

Configuration Description Default Value

name Name. (Empty)

password Password. (Empty)

comments Comment. (Empty)

private-key Private key. (Empty)

certificate Certificate. (Empty)

csr Certificate Signing Request. (Empty)

state Certificate Signing Request State. (Empty)

scep-url URL of SCEP server. (Empty)

range Certificate range. vdom

source Certificate source. user

auto-regenerate-days Days to auto-regenerate before expired, 0=disabled. 0

auto-regenerate-days-warning Days to send warning before auto-regeneration, 0=disabled. 0

scep-password SCEP server challenge password for auto-regeneration. (Empty)

ca-identifier CA identifier of the CA server for signing via SCEP. (Empty)

name-encoding Name encoding for auto-regeneration. printable

source-ip Source IP for communications to SCEP server. 0.0.0.0

ike-localid IKE local ID. (Empty)

ike-localid-type IKE local ID type. asn1dn

vpn.certificate/ocsp-server

CLI Syntax

config vpn.certificate ocsp-server
    edit <name_str>
        set name <string>
        set url <string>
        set cert <string>
        set secondary-url <string>
        set secondary-cert <string>
        set unavail-action {revoke | ignore}
        set source-ip <ipv4-address>
end

Description

Configuration Description Default Value

name OCSP server entry name. (Empty)

url URL to OCSP server. (Empty)

cert OCSP server certificate. (Empty)

secondary-url URL to secondary OCSP server. (Empty)

secondary-cert Secondary OCSP server certificate. (Empty)

unavail-action Action when server is unavailable. revoke

source-ip Enable/disable source IP for communications to OCSP server. 0.0.0.0

vpn.certificate/remote

CLI Syntax

config vpn.certificate remote
    edit <name_str>
        set name <string>
        set remote <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
end

Description

Configuration Description Default Value

name Name. (Empty)

remote Remote certificate. (Empty)

range Remote certificate range. vdom

source Remote certificate source. user

vpn.certificate/setting

CLI Syntax

config vpn.certificate setting
    edit <name_str>
        set ocsp-status {enable | disable}
        set ocsp-default-server <string>
        set check-ca-cert {enable | disable}
        set strict-crl-check {enable | disable}
        set strict-ocsp-check {enable | disable}
end

Description

Configuration Description Default Value

ocsp-status OCSP status. disable

ocsp-default-server Default OCSP server. (Empty)

check-ca-cert Enable/disable check CA certificate. enable

strict-crl-check Enable/disable check CRL in strict mode. disable

strict-ocsp-check Enable/disable check OCSP in strict mode. disable

vpn.ipsec/concentrator

CLI Syntax

config vpn.ipsec concentrator
    edit <name_str>
        set name <string>
        set src-check {disable | enable}
        config member
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

name Concentrator name. (Empty)

src-check Enable/disable use of source selector when choosing appropriate tunnel. disable

member Concentrator members. (Empty)

vpn.ipsec/forticlient

CLI Syntax

config vpn.ipsec forticlient
    edit <name_str>
        set realm <string>
        set usergroupname <string>
        set phase2name <string>
        set status {enable | disable}
end

Description

Configuration Description Default Value

realm FortiClient realm name. (Empty)

usergroupname User group name. (Empty)

phase2name Tunnel (phase2) name. (Empty)

status Enable/disable realm status. enable

vpn.ipsec/manualkey

CLI Syntax

config vpn.ipsec manualkey
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
        set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set authkey <user>
        set enckey <user>
        set localspi <user>
        set remotespi <user>
        set npu-offload {enable | disable}
end

Description

Configuration Description Default Value

name IPsec tunnel name. (Empty)

interface Interface name. (Empty)

remote-gw Peer gateway. 0.0.0.0

local-gw Local gateway. 0.0.0.0

authentication Authentication algorithm. null

encryption Encryption algorithm. null

authkey Authentication key. -

enckey Encryption key. -

localspi Local SPI. 0x100

remotespi Remote SPI. 0x100

npu-offload Enable/disable offloading NPU. enable

vpn.ipsec/manualkey-interface

CLI Syntax

config vpn.ipsec manualkey-interface
    edit <name_str>
        set name <string>
        set interface <string>
        set ip-version {4 | 6}
        set addr-type {4 | 6}
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set local-gw <ipv4-address-any>
        set local-gw6 <ipv6-address>
        set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
        set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set auth-key <user>
        set enc-key <user>
        set local-spi <user>
        set remote-spi <user>
        set npu-offload {enable | disable}
end

Description

Configuration Description Default Value

name IPsec tunnel name. (Empty)

interface Interface name. (Empty)

ip-version IP version to use for VPN interface. 4

addr-type IP version to use for IP packets. 4

remote-gw Remote IPv4 address of VPN gateway. 0.0.0.0

remote-gw6 Remote IPv6 address of VPN gateway. ::

local-gw Local IPv4 address of VPN gateway. 0.0.0.0

local-gw6 Local IPv6 address of VPN gateway. ::

auth-alg Authentication algorithm. null

enc-alg Encryption algorithm. null

auth-key Authentication key. -

enc-key Encryption key. -

local-spi Local SPI. 0x100

remote-spi Remote SPI. 0x100

npu-offload Enable/disable offloading NPU. enable

vpn.ipsec/phase1

CLI Syntax

config vpn.ipsec phase1
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ike-version {1 | 2}
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
        end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set autoconfig {disable | client | gateway}
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set mode-cfg-ip-version {4 | 6}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
        end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
        end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end

Description

Configuration Description Default Value

name IPsec remote gateway name. (Empty)

type Remote gateway type (static, dialup, or DDNS). static

interface Local outgoing interface. (Empty)

ike-version IKE protocol version (IKEv1 or IKEv2). 1

remote-gw Remote VPN gateway. 0.0.0.0

local-gw Local VPN gateway. 0.0.0.0

remotegw-ddns Domain name of remote gateway (e.g. name.DDNS.com). (Empty)

keylife Phase1 keylife. 86400

certificate Certificate name for signature. (Empty)

authmethod Authentication method. psk

mode Mode. main

peertype Peer type. any

peerid Peer ID. (Empty)

usrgrp User group. (Empty)

peer Accept this peer certificate. (Empty)

peergrp Accept this peer certificate group. (Empty)

autoconfig Auto-configuration type.

mode-cfg Enable/disable configuration method. disable

assign-ip Enable/disable assignment of IP to IPsec interface via configuration method. enable

mode-cfg-ip-version IP addressing to use for configuration method. 4

assign-ip-from Method by which the IP address will be assigned. range

ipv4-start-ip Start of IPv4 range. 0.0.0.0

ipv4-end-ip End of IPv4 range. 0.0.0.0

ipv4-netmask IPv4 Netmask. 255.255.255.255

dns-mode DNS server mode. manual

ipv4-dns-server1 IPv4 DNS server 1. 0.0.0.0

ipv4-dns-server2 IPv4 DNS server 2. 0.0.0.0

ipv4-dns-server3 IPv4 DNS server 3. 0.0.0.0

ipv4-wins-server1 WINS server 1. 0.0.0.0

ipv4-wins-server2 WINS server 2. 0.0.0.0

ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)

ipv4-split-include IPv4 split-include subnets. (Empty)

split-include-service Split-include services. (Empty)

ipv6-start-ip Start of IPv6 range. ::

ipv6-end-ip End of IPv6 range. ::

ipv6-prefix IPv6 prefix. 128

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-dns-server3 IPv6 DNS server 3. ::

ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)

ipv6-split-include IPv6 split-include subnets. (Empty)

unity-support Enable/disable support for Cisco UNITY Configuration Method extensions. enable

domain Instruct unity clients about the default DNS domain. (Empty)

banner Message that unity client should display after connecting. (Empty)

include-local-lan Enable/disable allow local LAN access on unity clients. disable

save-password Enable/disable saving XAuth username and password on VPN clients. disable

client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable

client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable

backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)

proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1

add-route Enable/disable control addition of a route to peer destination selector. disable

exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable

add-gw-route Enable/disable automatically add a route to the remote gateway. disable

psksecret Pre-shared secret for PSK authentication. (Empty)

keepalive NAT-T keep alive interval. 10

distance Distance for routes added by IKE (1 - 255). 15

priority Priority for routes added by IKE (0 - 4294967295). 0

localid Local ID. (Empty)

localid-type Local ID type. auto

auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable

negotiate-timeout IKE SA negotiation timeout in seconds. 30

fragmentation Enable/disable fragment IKE message on re-transmission. enable

dpd Dead Peer Detection mode. on-demand

dpd-retrycount Number of DPD retry attempts. 3

dpd-retryinterval DPD retry interval. 20

forticlient-enforcement Enable/disable FortiClient enforcement. disable

comments Comment. (Empty)

npu-offload Enable/disable offloading NPU. enable

send-cert-chain Enable/disable sending certificate chain. enable

dhgrp DH group. 14 5

suite-b Use Suite-B. disable

eap Enable/disable IKEv2 EAP authentication. disable

eap-identity IKEv2 EAP peer identity type. use-id-payload

acct-verify Enable/disable verification of RADIUS accounting record. disable

wizard-type GUI VPN Wizard Type. custom

xauthtype XAuth type. disable

reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable

authusr XAuth user name. (Empty)

authpasswd XAuth password (max 35 characters). (Empty)

authusrgrp Authentication user group. (Empty)

mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable

idle-timeout Enable/disable IPsec tunnel idle timeout. disable

idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15

ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable

nattraversal Enable/disable NAT traversal. enable

esn Extended sequence number (ESN) negotiation. disable

vpn.ipsec/phase1-interface

CLI Syntax

config vpn.ipsec phase1-interface
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ip-version {4 | 6}
        set ike-version {1 | 2}
        set local-gw <ipv4-address>
        set local-gw6 <ipv6-address>
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
        end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set default-gw <ipv4-address>
        set default-gw-priority <integer>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set monitor <string>
        set monitor-hold-down-type {immediate | delay | time}
        set monitor-hold-down-delay <integer>
        set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set monitor-hold-down-time <user>
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set mode-cfg-ip-version {4 | 6}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
        end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
        end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
        end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows | dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set auto-discovery-sender {enable | disable}
        set auto-discovery-receiver {enable | disable}
        set auto-discovery-forwarder {enable | disable}
        set auto-discovery-psk {enable | disable}
        set encapsulation {none | gre | vxlan}
        set encapsulation-address {ike | ipv4 | ipv6}
        set encap-local-gw4 <ipv4-address>
        set encap-local-gw6 <ipv6-address>
        set encap-remote-gw4 <ipv4-address>
        set encap-remote-gw6 <ipv6-address>
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end

Description

Configuration Description Default Value

name IPsec remote gateway name. (Empty)

type Remote gateway type (static, dialup, or DDNS). static

interface Local outgoing interface. (Empty)

ip-version IP version to use for VPN interface. 4

ike-version IKE protocol version (IKEv1 or IKEv2). 1

local-gw Local IPv4 address of VPN. 0.0.0.0

local-gw6 Local IPv6 address of VPN. ::

remote-gw Remote IPv4 address of VPN gateway. 0.0.0.0

remote-gw6 Remote IPv6 address of VPN. ::

remotegw-ddns Domain name of remote gateway (e.g. name.DDNS.com). (Empty)

keylife Phase1 keylife. 86400

certificate Certificate name for signature. (Empty)

authmethod Authentication method. psk

mode Mode. main

peertype Peer type. any

peerid Peer ID. (Empty)

default-gw IPv4 address of default route gateway to use for traffic exiting the interface. 0.0.0.0

default-gw-priority Priority for default gateway route. 0

usrgrp User group. (Empty)

peer Accept this peer certificate. (Empty)

peergrp Accept this peer certificate group. (Empty)

monitor IPsec interface to backup. (Empty)

monitor-hold-down-type Control recovery time when primary re-establishes. immediate

monitor-hold-down-delay Number of seconds to wait before recovery once primary re-establishes. 0

monitor-hold-down-weekday Day of the week to recover once primary re-establishes. sunday

monitor-hold-down-time Time of day to recover once primary re-establishes. 00:00

mode-cfg Enable/disable configuration method. disable

assign-ip Enable/disable assignment of IP to IPsec interface via configuration method. enable

mode-cfg-ip-version IP addressing to use for configuration method. 4

assign-ip-from Method by which the IP address will be assigned. range

ipv4-start-ip Start of IPv4 range. 0.0.0.0

ipv4-end-ip End of IPv4 range. 0.0.0.0

ipv4-netmask IPv4 Netmask. 255.255.255.255

dns-mode DNS server mode. manual

ipv4-dns-server1 IPv4 DNS server 1. 0.0.0.0

ipv4-dns-server2 IPv4 DNS server 2. 0.0.0.0

ipv4-dns-server3 IPv4 DNS server 3. 0.0.0.0

ipv4-wins-server1 WINS server 1. 0.0.0.0

ipv4-wins-server2 WINS server 2. 0.0.0.0

ipv4-exclude-range Configuration Method IPv4 exclude ranges. (Empty)

ipv4-split-include IPv4 split-include subnets. (Empty)

split-include-service Split-include services. (Empty)

ipv6-start-ip Start of IPv6 range. ::

ipv6-end-ip End of IPv6 range. ::

ipv6-prefix IPv6 prefix. 128

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-dns-server3 IPv6 DNS server 3. ::

ipv6-exclude-range Configuration method IPv6 exclude ranges. (Empty)

ipv6-split-include IPv6 split-include subnets. (Empty)

unity-support Enable/disable support for Cisco UNITY Configuration Method extensions. enable

domain Instruct unity clients about the default DNS domain. (Empty)

banner Message that unity client should display after connecting. (Empty)

include-local-lan Enable/disable allow local LAN access on unity clients. disable

save-password Enable/disable saving XAuth username and password on VPN clients. disable

client-auto-negotiate Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable

client-keep-alive Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable

backup-gateway Instruct unity clients about the backup gateway address(es). (Empty)

proposal Phase1 proposal. aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1

add-route Enable/disable control addition of a route to peer destination selector. enable

exchange-interface-ip Enable/disable exchange of IPsec interface IP address. disable

add-gw-route Enable/disable automatically add a route to the remote gateway. disable

psksecret Pre-shared secret for PSK authentication. (Empty)

keepalive NAT-T keep alive interval. 10

distance Distance for routes added by IKE (1 - 255). 15

priority Priority for routes added by IKE (0 - 4294967295). 0

localid Local ID. (Empty)

localid-type Local ID type. auto

auto-negotiate Enable/disable automatic initiation of IKE SA negotiation. enable

negotiate-timeout IKE SA negotiation timeout in seconds. 30

fragmentation Enable/disable fragment IKE message on re-transmission. enable

dpd Dead Peer Detection mode. on-demand

dpd-retrycount Number of DPD retry attempts. 3

dpd-retryinterval DPD retry interval. 20

forticlient-enforcement Enable/disable FortiClient enforcement. disable

comments Comment. (Empty)

npu-offload Enable/disable offloading NPU. enable

send-cert-chain Enable/disable sending certificate chain. enable

dhgrp DH group. 14 5

suite-b Use Suite-B. disable

eap Enable/disable IKEv2 EAP authentication. disable

eap-identity IKEv2 EAP peer identity type. use-id-payload

acct-verify Enable/disable verification of RADIUS accounting record. disable

wizard-type GUI VPN Wizard Type. custom

xauthtype XAuth type. disable

reauth Enable/disable re-authentication upon IKE SA lifetime expiration. disable

authusr XAuth user name. (Empty)

authpasswd XAuth password (max 35 characters). (Empty)

authusrgrp Authentication user group. (Empty)

mesh-selector-type Add selectors containing subsets of the configuration depending on traffic. disable

idle-timeout Enable/disable IPsec tunnel idle timeout. disable

idle-timeoutinterval IPsec tunnel idle timeout in minutes (10 - 43200). 15

ha-sync-esp-seqno Enable/disable sequence number jump ahead for IPsec HA. enable

auto-discovery-sender Enable/disable sending auto-discovery short-cut messages. disable

auto-discovery-receiver Enable/disable accepting auto-discovery short-cut messages. disable

auto-discovery-forwarder Enable/disable forwarding auto-discovery short-cut messages. disable

auto-discovery-psk Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. disable

encapsulation Enable/disable GRE/VXLAN encapsulation. none

encapsulation-address Source for GRE/VXLAN tunnel address. ike

encap-local-gw4 Local IPv4 address of GRE/VXLAN tunnel. 0.0.0.0

encap-local-gw6 Local IPv6 address of GRE/VXLAN tunnel. ::

encap-remote-gw4 Remote IPv4 address of GRE/VXLAN tunnel. 0.0.0.0

encap-remote-gw6 Remote IPv6 address of GRE/VXLAN tunnel. ::

nattraversal Enable/disable NAT traversal. enable

esn Extended sequence number (ESN) negotiation. disable

vpn.ipsec/phase2

CLI Syntax

config vpn.ipsec phase2
    edit <name_str>
        set name <string>
        set phase1name <string>
        set dhcp-ipsec {enable | disable}
        set use-natip {enable | disable}
        set selector-match {exact | subset | auto}
        set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set pfs {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set replay {enable | disable}
        set keepalive {enable | disable}
        set auto-negotiate {enable | disable}
        set add-route {phase1 | enable | disable}
        set keylifeseconds <integer>
        set keylifekbs <integer>
        set keylife-type {seconds | kbs | both}
        set single-source {enable | disable}
        set route-overlap {use-old | use-new | allow}
        set encapsulation {tunnel-mode | transport-mode}
        set l2tp {enable | disable}
        set comments <var-string>
        set protocol <integer>
        set src-name <string>
        set src-name6 <string>
        set src-addr-type {subnet | range | ip | name}
        set src-start-ip <ipv4-address-any>
        set src-start-ip6 <ipv6-address>
        set src-end-ip <ipv4-address-any>
        set src-end-ip6 <ipv6-address>
        set src-subnet <ipv4-classnet-any>
        set src-subnet6 <ipv6-prefix>
        set src-port <integer>
        set dst-name <string>
        set dst-name6 <string>
        set dst-addr-type {subnet | range | ip | name}
        set dst-start-ip <ipv4-address-any>
        set dst-start-ip6 <ipv6-address>
        set dst-end-ip <ipv4-address-any>
        set dst-end-ip6 <ipv6-address>
        set dst-subnet <ipv4-classnet-any>
        set dst-subnet6 <ipv6-prefix>
        set dst-port <integer>
end

Description

Configuration Description Default Value

name IPsec tunnel name. (Empty)

phase1name IKE phase1 name. (Empty)

dhcp-ipsec Enable/disable DHCP-IPsec. disable

use-natip Enable/disable source NAT selector fix-up. enable

selector-match Match type to use when comparing selectors. auto

proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256

pfs Enable/disable PFS feature. enable

dhgrp Phase2 DH group. 14 5

replay Enable/disable replay detection. enable

keepalive Enable/disable keep alive. disable

auto-negotiate Enable/disable IPsec SA auto-negotiation. disable

add-route Enable/disable automatic route addition. phase1

keylifeseconds Phase2 keylife in time. 43200

keylifekbs Phase2 keylife in traffic (kbps). 5120

keylife-type Keylife type. seconds

single-source Enable/disable single source IP restriction. disable

route-overlap Action for overlapping routes. use-new

encapsulation ESP encapsulation mode. tunnel-mode

l2tp Enable/disable L2TP over IPsec. disable

comments Comment. (Empty)

protocol Quick mode protocol selector (1 - 255 or 0 for all). 0

src-name Local proxy ID name. (Empty)

src-name6 Local proxy ID name. (Empty)

src-addr-type Local proxy ID type. subnet

src-start-ip Local proxy ID start. 0.0.0.0

src-start-ip6 Local proxy ID IPv6 start. ::

src-end-ip Local proxy ID end. 0.0.0.0

src-end-ip6 Local proxy ID IPv6 end. ::

src-subnet Local proxy ID subnet. 0.0.0.0 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ::/0

src-port Quick mode source port (1 - 65535 or 0 for all). 0

dst-name Remote proxy ID name. (Empty)

dst-name6 Remote proxy ID name. (Empty)

dst-addr-type Remote proxy ID type. subnet

dst-start-ip Remote proxy ID IPv4 start. 0.0.0.0

dst-start-ip6 Remote proxy ID IPv6 start. ::

dst-end-ip Remote proxy ID IPv4 end. 0.0.0.0

dst-end-ip6 Remote proxy ID IPv6 end. ::

dst-subnet Remote proxy ID IPv4 subnet. 0.0.0.0 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ::/0

dst-port Quick mode destination port (1 - 65535 or 0 for all). 0
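
An added example, not part of the Fortinet reference: a Python audit that reads a saved configuration, fills every unset phase1/phase2 option with the default tabulated above, and reports weak proposals, weak DH groups, aggressive mode with PSK, and disabled PFS or replay detection. The weak-algorithm policy, the `next` keywords, the spaced `config vpn ipsec` table name, the tunnel names and the sample configuration are assumptions constructed for the illustration.

```python
import re

# Defaults copied from the "Default Value" columns on this page (FortiOS 5.4).
DEFAULTS = {
    "phase1": {"proposal": "aes128-sha256 aes256-sha256 3des-sha256 "
                           "aes128-sha1 aes256-sha1 3des-sha1",
               "dhgrp": "14 5", "mode": "main", "authmethod": "psk"},
    "phase2": {"proposal": "aes128-sha1 aes256-sha1 3des-sha1 "
                           "aes128-sha256 aes256-sha256 3des-sha256",
               "dhgrp": "14 5", "pfs": "enable", "replay": "enable"},
}

# Audit policy: an assumption of this example; substitute your own baseline.
WEAK_CIPHERS = {"null", "des", "3des"}
WEAK_HASHES = {"null", "md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Accepts the dotted table name used on this page and the spaced form.
HEADER = re.compile(r"^config vpn[. ]ipsec (phase[12])(-interface)?$")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-a"
        set interface "wan1"
        set mode aggressive
        set proposal aes256-sha256 des-md5
        set dhgrp 14 2
        config ipv4-exclude-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.9
            next
        end
    next
    edit "branch-b"
        set interface "wan1"
        set remote-gw 192.0.2.10
    next
end
config vpn ipsec phase2-interface
    edit "branch-a-p2"
        set phase1name "branch-a"
        set proposal aes256gcm aes128-null
        set pfs disable
    next
end
"""


def parse_tunnels(text):
    """Return [(table, entry_name, {option: value})] for phase1/phase2 tables."""
    tunnels, table, entry, depth = [], None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if table is None:
            if HEADER.match(line):
                table, entry, depth = line.split()[-1], None, 0
        elif line.startswith("config "):      # nested table, e.g. exclude ranges
            depth += 1
        elif line == "end":
            if depth:
                depth -= 1
            else:
                table = None
        elif depth == 0 and line.startswith("edit "):
            entry = (table, line[5:].strip().strip('"'), {})
            tunnels.append(entry)
        elif depth == 0 and entry and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[2][key] = value.strip().strip('"')
    return tunnels


def audit(text):
    """Return (table, entry, option, value, origin) for each weak setting."""
    findings = []
    for table, name, cfg in parse_tunnels(text):
        phase = table.split("-")[0]
        # Options absent from the config still take the documented default.
        effective = {**DEFAULTS[phase], **cfg}

        def flag(option, value):
            origin = "explicit" if option in cfg else "default"
            findings.append((table, name, option, value, origin))

        for prop in effective["proposal"].split():
            cipher, _, digest = prop.partition("-")   # "aes256gcm" has no digest
            if cipher in WEAK_CIPHERS or digest in WEAK_HASHES:
                flag("proposal", prop)
        # Phase 2 only performs a DH exchange when PFS is enabled.
        if phase == "phase1" or effective["pfs"] == "enable":
            for group in effective["dhgrp"].split():
                if group in WEAK_DH_GROUPS:
                    flag("dhgrp", group)
        if phase == "phase1":
            if effective["mode"] == "aggressive" and effective["authmethod"] == "psk":
                flag("mode", "aggressive+psk")
        else:
            for option in ("pfs", "replay"):
                if effective[option] == "disable":
                    flag(option, "disable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

Findings marked `default` come from options the configuration never sets, which is why the second tunnel in the sample is reported even though it names no proposal or DH group.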

vpn.ipsec/phase2-interface

CLI Syntax

config vpn.ipsec phase2-interface
    edit <name_str>
        set name <string>
        set phase1name <string>
        set dhcp-ipsec {enable | disable}
        set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set pfs {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set replay {enable | disable}
        set keepalive {enable | disable}
        set auto-negotiate {enable | disable}
        set add-route {phase1 | enable | disable}
        set auto-discovery-sender {phase1 | enable | disable}
        set auto-discovery-forwarder {phase1 | enable | disable}
        set keylifeseconds <integer>
        set keylifekbs <integer>
        set keylife-type {seconds | kbs | both}
        set single-source {enable | disable}
        set route-overlap {use-old | use-new | allow}
        set encapsulation {tunnel-mode | transport-mode}
        set l2tp {enable | disable}
        set comments <var-string>
        set protocol <integer>
        set src-name <string>
        set src-name6 <string>
        set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
        set src-start-ip <ipv4-address-any>
        set src-start-ip6 <ipv6-address>
        set src-end-ip <ipv4-address-any>
        set src-end-ip6 <ipv6-address>
        set src-subnet <ipv4-classnet-any>
        set src-subnet6 <ipv6-prefix>
        set src-port <integer>
        set dst-name <string>
        set dst-name6 <string>
        set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
        set dst-start-ip <ipv4-address-any>
        set dst-start-ip6 <ipv6-address>
        set dst-end-ip <ipv4-address-any>
        set dst-end-ip6 <ipv6-address>
        set dst-subnet <ipv4-classnet-any>
        set dst-subnet6 <ipv6-prefix>
        set dst-port <integer>
end


Description

Configuration Description Default Value

name IPsec tunnel name. (Empty)

phase1name IKE phase1 name. (Empty)

dhcp-ipsec Enable/disable DHCP-IPsec. disable

proposal Phase2 proposal. aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256

pfs Enable/disable PFS feature. enable

dhgrp Phase2 DH group. 14 5

replay Enable/disable replay detection. enable

keepalive Enable/disable keep alive. disable

auto-negotiate Enable/disable IPsec SA auto-negotiation. disable

add-route Enable/disable automatic route addition. phase1

auto-discovery-sender Enable/disable sending short-cut messages. phase1

auto-discovery-forwarder Enable/disable forwarding short-cut messages. phase1

keylifeseconds Phase2 keylife in time. 43200

keylifekbs Phase2 keylife in traffic (kbps). 5120

keylife-type Keylife type. seconds

single-source Enable/disable single source IP restriction. disable

route-overlap Action for overlapping routes. use-new

encapsulation ESP encapsulation mode. tunnel-mode

l2tp Enable/disable L2TP over IPsec. disable

comments Comment. (Empty)


protocol Quick mode protocol selector (1 - 255 or 0 for all). 0

src-name Local proxy ID name. (Empty)

src-name6 Local proxy ID name. (Empty)

src-addr-type Local proxy ID type. subnet

src-start-ip Local proxy ID start. 0.0.0.0

src-start-ip6 Local proxy ID IPv6 start. ::

src-end-ip Local proxy ID end. 0.0.0.0

src-end-ip6 Local proxy ID IPv6 end. ::

src-subnet Local proxy ID subnet. 0.0.0.0 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ::/0

src-port Quick mode source port (1 - 65535 or 0 for all). 0

dst-name Remote proxy ID name. (Empty)

dst-name6 Remote proxy ID name. (Empty)

dst-addr-type Remote proxy ID type. subnet

dst-start-ip Remote proxy ID IPv4 start. 0.0.0.0

dst-start-ip6 Remote proxy ID IPv6 start. ::

dst-end-ip Remote proxy ID IPv4 end. 0.0.0.0

dst-end-ip6 Remote proxy ID IPv6 end. ::

dst-subnet Remote proxy ID IPv4 subnet. 0.0.0.0 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ::/0

dst-port Quick mode destination port (1 - 65535 or 0 for all). 0


vpn.ssl.web/host-check-software

CLI Syntax

config vpn.ssl.web host-check-software
    edit <name_str>
        set name <string>
        set type {av | fw}
        set version <string>
        set guid <user>
        config check-item-list
            edit <name_str>
                set id <integer>
                set action {require | deny}
                set type {file | registry | process}
                set target <string>
                set version <string>
                config md5s
                    edit <name_str>
                        set id <string>
                end
        end
end


Description

Configuration Description Default Value

name Name. (Empty)

type Type. av

version Version. (Empty)

guid Globally unique ID. "00000000-0000-0000-0000-000000000000"

check-item-list Check item list. (Empty)


vpn.ssl.web/portal

CLI Syntax

config vpn.ssl.web portal
    edit <name_str>
        set name <string>
        set tunnel-mode {enable | disable}
        set ip-mode {range | user-group}
        set auto-connect {enable | disable}
        set keep-alive {enable | disable}
        set save-password {enable | disable}
        config ip-pools
            edit <name_str>
                set name <string>
        end
        set exclusive-routing {enable | disable}
        set service-restriction {enable | disable}
        set split-tunneling {enable | disable}
        config split-tunneling-routing-address
            edit <name_str>
                set name <string>
        end
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set ipv6-tunnel-mode {enable | disable}
        config ipv6-pools
            edit <name_str>
                set name <string>
        end
        set ipv6-exclusive-routing {enable | disable}
        set ipv6-service-restriction {enable | disable}
        set ipv6-split-tunneling {enable | disable}
        config ipv6-split-tunneling-routing-address
            edit <name_str>
                set name <string>
        end
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-wins-server1 <ipv6-address>
        set ipv6-wins-server2 <ipv6-address>
        set web-mode {enable | disable}
        set display-bookmark {enable | disable}
        set user-bookmark {enable | disable}
        set user-group-bookmark {enable | disable}
        config bookmark-group
            edit <name_str>
                set name <string>
                config bookmarks
                    edit <name_str>
                        set name <string>
                        set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
                        set url <var-string>
                        set host <var-string>
                        set folder <var-string>
                        set additional-params <var-string>
                        set listening-port <integer>
                        set remote-port <integer>
                        set show-status-window {enable | disable}
                        set description <var-string>
                        set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
                        set port <integer>
                        set logon-user <var-string>
                        set logon-password <password>
                        set sso {disable | static | auto}
                        config form-data
                            edit <name_str>
                                set name <string>
                                set value <var-string>
                        end
                        set sso-credential {sslvpn-login | alternative}
                        set sso-username <var-string>
                        set sso-password <password>
                end
        end
        set display-connection-tools {enable | disable}
        set display-history {enable | disable}
        set display-status {enable | disable}
        set heading <string>
        set redir-url <var-string>
        set theme {blue | green | red | melongene}
        set custom-lang <string>
        set host-check {none | av | fw | av-fw | custom}
        set host-check-interval <integer>
        config host-check-policy
            edit <name_str>
                set name <string>
        end
        set limit-user-logins {enable | disable}
        set mac-addr-check {enable | disable}
        set mac-addr-action {allow | deny}
        config mac-addr-check-rule
            edit <name_str>
                set name <string>
                set mac-addr-mask <integer>
                config mac-addr-list
                    edit <name_str>
                        set addr <mac-address>
                end
        end
        set os-check {enable | disable}
        config os-check-list
            edit <name_str>
                set name <string>
                set action {deny | allow | check-up-to-date}
                set tolerance <integer>
                set latest-patch-level <user>
        end
        set virtual-desktop {enable | disable}
        set virtual-desktop-app-list <string>
        set virtual-desktop-clipboard-share {enable | disable}
        set virtual-desktop-desktop-switch {enable | disable}
        set virtual-desktop-logout-when-browser-close {enable | disable}
        set virtual-desktop-network-share-access {enable | disable}
        set virtual-desktop-printing {enable | disable}
        set virtual-desktop-removable-media-access {enable | disable}
        set skip-check-for-unsupported-os {enable | disable}
        set skip-check-for-unsupported-browser {enable | disable}
end


Description

Configuration Description Default Value

name Portal name. (Empty)

tunnel-mode Enable/disable SSL VPN tunnel mode. disable

ip-mode IP mode is range or by user group. range

auto-connect Enable/disable automatic connect by client when system is up. disable

keep-alive Enable/disable automatic re-connect by client. disable

save-password Enable/disable save of user password by client. disable

ip-pools Tunnel IP pools. (Empty)

exclusive-routing Enable/disable routing of all traffic through the tunnel only. disable

service-restriction Enable/disable tunnel service restriction. disable

split-tunneling Enable/disable split tunneling. enable

split-tunneling-routing-address Split tunnelling address range for client routing. (Empty)

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0

wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

ipv6-tunnel-mode Enable/disable SSL VPN IPV6 tunnel mode. disable

ipv6-pools Tunnel IP pools. (Empty)

ipv6-exclusive-routing Enable/disable routing of all IPv6 traffic through the tunnel only. disable

ipv6-service-restriction Enable/disable IPv6 tunnel service restriction. disable

ipv6-split-tunneling Enable/disable IPv6 split tunneling. enable


ipv6-split-tunneling-routing-address IPv6 split tunnelling address range for client routing. (Empty)

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-wins-server1 IPv6 WINS server 1. ::

ipv6-wins-server2 IPv6 WINS server 2. ::

web-mode Enable/disable SSL VPN web mode. disable

display-bookmark Enable/disable displaying of bookmark widget. enable

user-bookmark Enable/disable user defined bookmark. enable

user-group-bookmark Enable/disable user group defined bookmark. enable

bookmark-group Portal bookmark group. (Empty)

display-connection-tools Enable/disable displaying of connection tools widget. enable

display-history Enable/disable displaying of user login history widget. enable

display-status Enable/disable display of status widget. enable

heading Portal heading message. SSL-VPN Portal

redir-url Client login redirect URL. (Empty)

theme Color scheme for the portal. blue

custom-lang Custom portal language. (Empty)

host-check Configure host check settings. none

host-check-interval Periodic host check interval. 0

host-check-policy Host check policy. (Empty)

limit-user-logins Enable/disable allowing users to have only one active SSL VPN connection at a time. disable

mac-addr-check Client MAC address check. disable


mac-addr-action Client MAC address action. allow

mac-addr-check-rule Client MAC address check rule. (Empty)

os-check Enable/disable SSL VPN OS check. disable

os-check-list SSL VPN OS checks. (Empty)

virtual-desktop Enable/disable SSL VPN virtual desktop. disable

virtual-desktop-app-list Virtual desktop application list. (Empty)

virtual-desktop-clipboard-share Enable/disable sharing of clipboard in virtual desktop. disable

virtual-desktop-desktop-switch Enable/disable switch to virtual desktop. enable

virtual-desktop-logout-when-browser-close Enable/disable logout when browser is closed in virtual desktop. disable

virtual-desktop-network-share-access Enable/disable network share access in virtual desktop. disable

virtual-desktop-printing Enable/disable printing in virtual desktop. disable

virtual-desktop-removable-media-access Enable/disable access to removable media in virtual desktop. disable

skip-check-for-unsupported-os Skip check for unsupported OS. enable

skip-check-for-unsupported-browser Skip check for unsupported browsers. enable


vpn.ssl.web/realm

CLI Syntax

config vpn.ssl.web realm
    edit <name_str>
        set url-path <string>
        set max-concurrent-user <integer>
        set login-page <var-string>
        set virtual-host <var-string>
end


Description

Configuration Description Default Value

url-path URL path to access SSL-VPN login page. (Empty)

max-concurrent-user Maximum concurrent users (0 - 65535, 0 for unlimited). 0

login-page Replacement HTML for SSL-VPN login page. (Empty)

virtual-host Virtual host name for realm. (Empty)


vpn.ssl.web/user-bookmark

CLI Syntax

config vpn.ssl.web user-bookmark
    edit <name_str>
        set name <string>
        set custom-lang <string>
        config bookmarks
            edit <name_str>
                set name <string>
                set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
                set url <var-string>
                set host <var-string>
                set folder <var-string>
                set additional-params <var-string>
                set listening-port <integer>
                set remote-port <integer>
                set show-status-window {enable | disable}
                set description <var-string>
                set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
                set port <integer>
                set logon-user <var-string>
                set logon-password <password>
                set sso {disable | static | auto}
                config form-data
                    edit <name_str>
                        set name <string>
                        set value <var-string>
                end
                set sso-credential {sslvpn-login | alternative}
                set sso-username <var-string>
                set sso-password <password>
        end
end


Description

Configuration Description Default Value

name User and group name. (Empty)

custom-lang Personal language. (Empty)

bookmarks Bookmark table. (Empty)


vpn.ssl.web/virtual-desktop-app-list

CLI Syntax

config vpn.ssl.web virtual-desktop-app-list
    edit <name_str>
        set name <string>
        set action {allow | block}
        config apps
            edit <name_str>
                set name <string>
                config md5s
                    edit <name_str>
                        set id <string>
                end
        end
end


Description

Configuration Description Default Value

name Application list name. (Empty)

action Action. allow

apps Applications. (Empty)


vpn.ssl/settings

CLI Syntax

config vpn.ssl settings
    edit <name_str>
        set reqclientcert {enable | disable}
        set sslv2 {enable | disable}
        set sslv3 {enable | disable}
        set tlsv1-0 {enable | disable}
        set tlsv1-1 {enable | disable}
        set tlsv1-2 {enable | disable}
        set ssl-big-buffer {enable | disable}
        set ssl-insert-empty-fragment {enable | disable}
        set https-redirect {enable | disable}
        set ssl-client-renegotiation {disable | enable}
        set force-two-factor-auth {enable | disable}
        set unsafe-legacy-renegotiation {enable | disable}
        set servercert <string>
        set algorithm {default | high | low}
        set idle-timeout <integer>
        set auth-timeout <integer>
        config tunnel-ip-pools
            edit <name_str>
                set name <string>
        end
        config tunnel-ipv6-pools
            edit <name_str>
                set name <string>
        end
        set dns-suffix <var-string>
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-wins-server1 <ipv6-address>
        set ipv6-wins-server2 <ipv6-address>
        set route-source-interface {enable | disable}
        set url-obscuration {enable | disable}
        set http-compression {enable | disable}
        set http-only-cookie {enable | disable}
        set deflate-compression-level <integer>
        set deflate-min-data-size <integer>
        set port <integer>
        set port-precedence {enable | disable}
        set auto-tunnel-static-route {enable | disable}
        set header-x-forwarded-for {pass | add | remove}
        config source-interface
            edit <name_str>
                set name <string>
        end
        config source-address
            edit <name_str>
                set name <string>
        end
        set source-address-negate {enable | disable}
        config source-address6
            edit <name_str>
                set name <string>
        end
        set source-address6-negate {enable | disable}
        set default-portal <string>
        config authentication-rule
            edit <name_str>
                set id <integer>
                config source-interface
                    edit <name_str>
                        set name <string>
                end
                config source-address
                    edit <name_str>
                        set name <string>
                end
                set source-address-negate {enable | disable}
                config source-address6
                    edit <name_str>
                        set name <string>
                end
                set source-address6-negate {enable | disable}
                config users
                    edit <name_str>
                        set name <string>
                end
                config groups
                    edit <name_str>
                        set name <string>
                end
                set portal <string>
                set realm <string>
                set client-cert {enable | disable}
                set cipher {any | high | medium}
                set auth {any | local | radius | tacacs+ | ldap}
        end
        set dtls-tunnel {enable | disable}
        set check-referer {enable | disable}
end


Description

Configuration Description Default Value

reqclientcert Enable/disable require client certificate. disable

sslv2 Enable/disable SSLv2. disable

sslv3 Enable/disable SSLv3. disable

tlsv1-0 Enable/disable TLSv1.0. disable

tlsv1-1 Enable/disable TLSv1.1. enable

tlsv1-2 Enable/disable TLSv1.2. enable

ssl-big-buffer Enable/disable big SSLv3 buffer. disable

ssl-insert-empty-fragment Enable/disable insertion of empty fragment. enable

https-redirect Enable/disable redirect of port 80 to SSL-VPN port. disable

ssl-client-renegotiation Allow/block client renegotiation by server. disable

force-two-factor-auth Enable/disable force two-factor authentication. disable

unsafe-legacy-renegotiation Enable/disable unsafe legacy re-negotiation. disable

servercert Server certificate. Fortinet_Factory

algorithm Allow algorithms. high

idle-timeout SSL VPN disconnects if idle for specified time. 300

auth-timeout Forced re-authentication after timeout. 28800

tunnel-ip-pools Tunnel IP pools. (Empty)

tunnel-ipv6-pools Tunnel IPv6 pools. (Empty)

dns-suffix DNS suffix. (Empty)

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0


wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

ipv6-dns-server1 IPv6 DNS server 1. ::

ipv6-dns-server2 IPv6 DNS server 2. ::

ipv6-wins-server1 IPv6 WINS server 1. ::

ipv6-wins-server2 IPv6 WINS server 2. ::

route-source-interface Enable/disable bind client side outgoing interface. disable

url-obscuration Enable/disable URL obscuration. disable

http-compression Enable/disable support HTTP compression. disable

http-only-cookie Enable/disable support HTTP only cookie. enable

deflate-compression-level Compression level (0~9). 6

deflate-min-data-size Minimum size to start compression (200 - 65535). 300

port SSL VPN access HTTPS port (1 - 65535). 10443

port-precedence Enable/disable SSLVPN port precedence over admin GUI HTTPS port. enable

auto-tunnel-static-route Enable/disable auto create static route for tunnel IP addresses. enable

header-x-forwarded-for Action to take on the HTTP x-forwarded-for header in forwarded requests. add

source-interface SSL VPN source interface of incoming traffic. (Empty)

source-address Source address of incoming traffic. (Empty)

source-address-negate Enable/disable negated source address match. disable

source-address6 IPv6 source address of incoming traffic. (Empty)

source-address6-negate Enable/disable negated source IPv6 address match. disable


default-portal Default SSL VPN portal. (Empty)

authentication-rule Authentication rule for SSL VPN. (Empty)

dtls-tunnel Enable/disable DTLS tunnel. enable

check-referer Enable/disable verification of referer field in HTTP request header. disable


vpn/l2tp

CLI Syntax

config vpn l2tp
    edit <name_str>
        set eip <ipv4-address>
        set sip <ipv4-address>
        set status {enable | disable}
        set usrgrp <string>
end


Description

Configuration Description Default Value

eip End IP. 0.0.0.0

sip Start IP. 0.0.0.0

status Enable/disable FortiGate as a L2TP gateway. disable

usrgrp User group. (Empty)


vpn/pptp

CLI Syntax

config vpn pptp
    edit <name_str>
        set status {enable | disable}
        set ip-mode {range | usrgrp}
        set eip <ipv4-address>
        set sip <ipv4-address>
        set local-ip <ipv4-address>
        set usrgrp <string>
end


Description

Configuration Description Default Value

status Enable/disable FortiGate as a PPTP gateway. disable

ip-mode IP assignment mode for PPTP client. range

eip End IP. 0.0.0.0

sip Start IP. 0.0.0.0

local-ip Local IP to be used for peer's remote IP. 0.0.0.0

usrgrp User group. (Empty)


waf/main-class

CLI Syntax

config waf main-class
    edit <name_str>
        set name <string>
        set id <integer>
end


Description

Configuration Description Default Value

name Main signature class name. (Empty)

id Main signature class ID. 0


waf/profile

CLI Syntax

config waf profile
    edit <name_str>
        set name <string>
        set external {disable | enable}
        config signature
            edit <name_str>
                config main-class
                    edit <name_str>
                        set id <integer>
                        set status {enable | disable}
                        set action {allow | block | erase}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config disabled-sub-class
                    edit <name_str>
                        set id <integer>
                end
                config disabled-signature
                    edit <name_str>
                        set id <integer>
                end
                set credit-card-detection-threshold <integer>
                config custom-signature
                    edit <name_str>
                        set name <string>
                        set status {enable | disable}
                        set action {allow | block | erase}
                        set log {enable | disable}
                        set severity {high | medium | low}
                        set direction {request | response}
                        set case-sensitivity {disable | enable}
                        set pattern <string>
                        set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
                end
        end
        config constraint
            edit <name_str>
                config header-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config content-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config param-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config line-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config url-param-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config version
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config method
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config hostname
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config malformed
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config max-cookie
                    edit <name_str>
                        set status {enable | disable}
                        set max-cookie <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config max-header-line
                    edit <name_str>
                        set status {enable | disable}
                        set max-header-line <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config max-url-param
                    edit <name_str>
                        set status {enable | disable}
                        set max-url-param <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config max-range-segment
                    edit <name_str>
                        set status {enable | disable}
                        set max-range-segment <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                end
                config exception
                    edit <name_str>
                        set id <integer>
                        set pattern <string>
                        set regex {enable | disable}
                        set address <string>
                        set header-length {enable | disable}
                        set content-length {enable | disable}
                        set param-length {enable | disable}
                        set line-length {enable | disable}
                        set url-param-length {enable | disable}
                        set version {enable | disable}
                        set method {enable | disable}
                        set hostname {enable | disable}
                        set malformed {enable | disable}
                        set max-cookie {enable | disable}
                        set max-header-line {enable | disable}
                        set max-url-param {enable | disable}
                        set max-range-segment {enable | disable}
                end
        end
        config method
            edit <name_str>
                set status {enable | disable}
                set log {enable | disable}
                set severity {high | medium | low}
                set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
                config method-policy
                    edit <name_str>
                        set id <integer>
                        set pattern <string>
                        set regex {enable | disable}
                        set address <string>
                        set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
                end
        end
        config address-list
            edit <name_str>
                set status {enable | disable}
                set blocked-log {enable | disable}
                set severity {high | medium | low}
                config trusted-address
                    edit <name_str>
                        set name <string>
                end
                config blocked-address
                    edit <name_str>
                        set name <string>
                end
        end
        config url-access
            edit <name_str>
                set id <integer>
                set address <string>
                set action {bypass | permit | block}
                set log {enable | disable}
                set severity {high | medium | low}
                config access-pattern
                    edit <name_str>
                        set id <integer>
                        set srcaddr <string>
                        set pattern <string>
                        set regex {enable | disable}
                        set negate {enable | disable}
                end
        end
        set comment <var-string>
end


Description

Configuration Description Default Value

name WAF Profile name. (Empty)

external Disable/Enable external HTTP Inspection. disable

signature WAF signatures. Details below

Configuration Default Value
main-class (Empty)
disabled-sub-class (Empty)
disabled-signature (Empty)
credit-card-detection-threshold 3
custom-signature (Empty)

constraint WAF HTTP protocol restrictions. Details below


Configuration Default Value

header-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}

content-length {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}

param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}

line-length {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}

url-param-length {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}

version {"status":"disable","action":"allow","log":"disable","severity":"medium"}

method {"status":"disable","action":"allow","log":"disable","severity":"medium"}

hostname {"status":"disable","action":"allow","log":"disable","severity":"medium"}

malformed {"status":"disable","action":"allow","log":"disable","severity":"medium"}

max-cookie {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}

max-header-line {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}

max-url-param {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}

max-range-segment {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}

exception (Empty)

method Method restriction. Details below

Configuration Default Value
status disable
log disable
severity medium
default-allowed-methods (Empty)
method-policy (Empty)

address-list Black address list and white address list. Details below


Configuration Default Value
status disable
blocked-log disable
severity medium
trusted-address (Empty)
blocked-address (Empty)

url-access URL access list (Empty)

comment Comment. (Empty)


waf/signature

CLI Syntax

config waf signature
    edit <name_str>
        set desc <string>
        set id <integer>
end


Description

Configuration Description Default Value

desc Signature description. (Empty)

id Signature ID. 0


waf/sub-class

CLI Syntax

config waf sub-class
    edit <name_str>
        set name <string>
        set id <integer>
end


Description

Configuration Description Default Value

name Signature subclass name. (Empty)

id Signature subclass ID. 0


wanopt/auth-group

CLI Syntax

config wanopt auth-group
    edit <name_str>
        set name <string>
        set auth-method {cert | psk}
        set psk <password>
        set cert <string>
        set peer-accept {any | defined | one}
        set peer <string>
end


Description

Configuration Description Default Value

name Auth-group name. (Empty)

auth-method Group authentication method. cert

psk Pre-shared secret for PSK authentication. (Empty)

cert Name of certificate to identify this host. (Empty)

peer-accept Peer acceptance method. any

peer Peer host ID. (Empty)


wanopt/peer

CLI Syntax

config wanopt peer
    edit <name_str>
        set peer-host-id <string>
        set ip <ipv4-address-any>
end


Description

Configuration Description Default Value

peer-host-id Peer host ID. (Empty)

ip Peer IP address. 0.0.0.0


wanopt/profile

CLI Syntax

config wanopt profile
    edit <name_str>
        set name <string>
        set transparent {enable | disable}
        set comments <var-string>
        set auth-group <string>
        config http
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set prefer-chunking {dynamic | fix}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
                set ssl {enable | disable}
                set ssl-port <integer>
                set unknown-http-version {reject | tunnel | best-effort}
                set tunnel-non-http {enable | disable}
        end
        config cifs
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set prefer-chunking {dynamic | fix}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
        end
        config mapi
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <integer>
        end
        config ftp
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set prefer-chunking {dynamic | fix}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}


                set port <integer>
        end
        config tcp
            edit <name_str>
                set status {enable | disable}
                set secure-tunnel {enable | disable}
                set byte-caching {enable | disable}
                set byte-caching-opt {mem-only | mem-disk}
                set tunnel-sharing {private | shared | express-shared}
                set log-traffic {enable | disable}
                set port <user>
                set ssl {enable | disable}
                set ssl-port <integer>
        end
end


Description

Configuration Description Default Value

name Profile name. (Empty)

transparent Enable/disable transparent mode. enable

comments Comment. (Empty)

auth-group Peer authentication group. (Empty)

http HTTP protocol settings. Details below

Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 80
ssl disable
ssl-port 443
unknown-http-version tunnel
tunnel-non-http disable

cifs CIFS protocol settings. Details below

Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 445

mapi MAPI protocol settings. Details below


Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
tunnel-sharing private
log-traffic enable
port 135

ftp FTP protocol settings. Details below

Configuration Default Value
status disable
secure-tunnel disable
byte-caching enable
prefer-chunking fix
tunnel-sharing private
log-traffic enable
port 21

tcp TCP protocol settings. Details below

Configuration Default Value
status disable
secure-tunnel disable
byte-caching disable
byte-caching-opt mem-only
tunnel-sharing private
log-traffic enable
port 1-65535
ssl disable
ssl-port 443 990 995 465 993


wanopt/settings

CLI Syntax

config wanopt settings
    edit <name_str>
        set host-id <string>
        set tunnel-ssl-algorithm {high | medium | low}
        set auto-detect-algorithm {simple | diff-req-resp}
end


Description

Configuration Description Default Value

host-id Host identity. default-id

tunnel-ssl-algorithm Relative strength of encryption algorithms accepted in tunnel negotiation. high

auto-detect-algorithm Auto detection algorithms used in tunnel negotiation. simple


wanopt/storage

CLI Syntax

config wanopt storage
    edit <name_str>
        set name <string>
        set size <integer>
        set webcache-storage-percentage <integer>
        set webcache-storage-size <user>
        set wan-optimization-cache-storage-size <user>
end


Description

Configuration Description Default Value

name Storage name. (Empty)

size Maximum total size of files within the storage (MB). 1024

webcache-storage-percentage Percentage of storage available for Web cache. The rest is used for WAN optimization. 50

webcache-storage-size Web cache storage size. (Empty)

wan-optimization-cache-storage-size WAN optimization cache storage size. (Empty)


wanopt/webcache

CLI Syntax

config wanopt webcache
    edit <name_str>
        set max-object-size <integer>
        set neg-resp-time <integer>
        set fresh-factor <integer>
        set max-ttl <integer>
        set min-ttl <integer>
        set default-ttl <integer>
        set ignore-ims {enable | disable}
        set ignore-conditional {enable | disable}
        set ignore-pnc {enable | disable}
        set ignore-ie-reload {enable | disable}
        set cache-expired {enable | disable}
        set cache-cookie {enable | disable}
        set reval-pnc {enable | disable}
        set always-revalidate {enable | disable}
        set cache-by-default {enable | disable}
        set host-validate {enable | disable}
        set external {enable | disable}
end


Description

Configuration Description Default Value

max-object-size Maximum cacheable object size in kB, the maximum is 2147483 (2GB). 512000

neg-resp-time Duration of negative responses cache. 0

fresh-factor Fresh factor percentage (1 - 100 percent). 100

max-ttl Maximum TTL in minutes (default = 7200 (5 days); maximum = 5256000 (100 years)). 7200

min-ttl Minimum TTL in minutes (default = 5; maximum = 5256000 (100 years)). 5

default-ttl Default TTL minutes (default = 1440 (1 day); maximum = 5256000 (100 years)). 1440

ignore-ims Enable/disable ignore if-modified-since. disable

ignore-conditional Enable/disable ignore HTTP 1.1 conditionals. disable

ignore-pnc Enable/disable ignore pragma-no-cache. disable

ignore-ie-reload Enable/disable ignore IE reload. enable

cache-expired Enable/disable cache expired objects. disable

cache-cookie Enable/disable caching of HTTP response with Set-Cookie header. disable

reval-pnc Enable/disable re-validation of pragma-no-cache. disable

always-revalidate Enable/disable re-validation of requested cached object with content server before serving it to client. disable

cache-by-default Enable/disable caching of content lacking explicit caching policy from server. disable

host-validate Enable/disable validating "Host:" with original server IP. disable

external Enable/disable external cache. disable


web-proxy/debug-url

CLI Syntax

config web-proxy debug-url
    edit <name_str>
        set name <string>
        set url-pattern <string>
        set status {enable | disable}
        set exact {enable | disable}
end


Description

Configuration Description Default Value

name Debug URL name. (Empty)

url-pattern URL exemption pattern. (Empty)

status Enable/disable this URL exemption. enable

exact Enable/disable match exact path. enable


web-proxy/explicit

CLI Syntax

config web-proxy explicit
    edit <name_str>
        set status {enable | disable}
        set ftp-over-http {enable | disable}
        set socks {enable | disable}
        set http-incoming-port <integer>
        set https-incoming-port <integer>
        set ftp-incoming-port <integer>
        set socks-incoming-port <integer>
        set incoming-ip <ipv4-address-any>
        set outgoing-ip <ipv4-address-any>
        set ipv6-status {enable | disable}
        set incoming-ip6 <ipv6-address>
        set outgoing-ip6 <ipv6-address>
        set strict-guest {enable | disable}
        set pref-dns-result {ipv4 | ipv6}
        set unknown-http-version {reject | best-effort}
        set realm <string>
        set sec-default-action {accept | deny}
        set https-replacement-message {enable | disable}
        set message-upon-server-error {enable | disable}
        set pac-file-server-status {enable | disable}
        set pac-file-server-port <integer>
        set pac-file-name <string>
        set pac-file-data <user>
        set pac-file-url <user>
        set ssl-algorithm {high | medium | low}
end


Description

Configuration Description Default Value

status Enable/disable explicit Web proxy. disable

ftp-over-http Enable/disable FTP-over-HTTP. disable

socks Enable/disable SOCKS proxy. disable

http-incoming-port Accept incoming HTTP requests on ports other than port 80. 8080

https-incoming-port Accept incoming HTTPS requests on this port. 0

ftp-incoming-port Accept incoming FTP-over-HTTP requests on this port. 0

socks-incoming-port Accept incoming SOCKS proxy requests on this port. 0

incoming-ip Accept incoming HTTP requests from this IP. An interface must have this IP address. 0.0.0.0

outgoing-ip Outgoing HTTP requests will leave this IP. An interface must have this IP address. (Empty)

ipv6-status Enable/disable IPv6 destination in policy. disable

incoming-ip6 Accept incoming HTTP requests from this IP. An interface must have this IP address. ::

outgoing-ip6 Outgoing HTTP requests will leave this IP. An interface must have this IP address. (Empty)

strict-guest Enable/disable strict guest user check in explicit proxy. disable

pref-dns-result IPv4 or IPv6 DNS result preference. ipv4

unknown-http-version Unknown HTTP version handling. reject

realm Authentication realm. default

sec-default-action Default action to allow or deny when no web-proxy firewall policy exists. deny


https-replacement-message Default action to enable or disable return replacement message for HTTPS requests. enable

message-upon-server-error Enable/disable return of replacement message upon server error detection. enable

pac-file-server-status Enable/disable PAC file server. disable

pac-file-server-port PAC file server listening port. 0

pac-file-name PAC file name. proxy.pac

pac-file-data PAC file contents. (Empty)

pac-file-url PAC file access URL. (Empty)

ssl-algorithm Relative strength of encryption algorithms accepted in HTTPS deep-scan. high


web-proxy/forward-server

CLI Syntax

config web-proxy forward-server
    edit <name_str>
        set name <string>
        set ip <ipv4-address-any>
        set fqdn <string>
        set addr-type {ip | fqdn}
        set port <integer>
        set healthcheck {disable | enable}
        set monitor <string>
        set server-down-option {block | pass}
        set comment <string>
end


Description

Configuration Description Default Value

name Server name. (Empty)

ip Forward server IP. 0.0.0.0

fqdn Forward server FQDN. (Empty)

addr-type Address type. ip

port Forward server port. 3128

healthcheck Enable/disable forward server health checking. disable

monitor Forward health checking URL. http://www.google.com

server-down-option Action when forward server is down. block

comment Comment. (Empty)


web-proxy/forward-server-group

CLI Syntax

config web-proxy forward-server-group
    edit <name_str>
        set name <string>
        set affinity {enable | disable}
        set ldb-method {weighted | least-session}
        set group-down-option {block | pass}
        config server-list
            edit <name_str>
                set name <string>
                set weight <integer>
        end
end


Description

Configuration Description Default Value

name Forward server group name. (Empty)

affinity Enable/disable affinity. enable

ldb-method Load balance method. weighted

group-down-option Action when group is down. block

server-list Forward server list. (Empty)


web-proxy/global

CLI Syntax

config web-proxy global
    edit <name_str>
        set proxy-fqdn <string>
        set max-request-length <integer>
        set max-message-length <integer>
        set strict-web-check {enable | disable}
        set forward-proxy-auth {enable | disable}
        set tunnel-non-http {enable | disable}
        set unknown-http-version {reject | tunnel | best-effort}
        set forward-server-affinity-timeout <integer>
        set max-waf-body-cache-length <integer>
        set webproxy-profile <string>
end


Description

Configuration Description Default Value

proxy-fqdn Proxy FQDN. default.fqdn

max-request-length Maximum length of HTTP request line (1kB units (1024 Bytes)). 4

max-message-length Maximum length of HTTP message not including body (1kB units (1024 Bytes)). 32

strict-web-check Enable/disable strict web check. disable

forward-proxy-auth Enable/disable forward proxy authentication. disable

tunnel-non-http Enable/disable non-HTTP tunnel. enable

unknown-http-version Unknown HTTP version handling. best-effort

forward-server-affinity-timeout Timeout of the forward server affinity (6 - 60 min, default = 30 min). 30

max-waf-body-cache-length Maximum length of HTTP message (1kB units (1024 Bytes)) processed by Web Application Firewall. 100

webproxy-profile Web proxy profile to use when no policy is matched. (Empty)


web-proxy/profile

CLI Syntax

config web-proxy profile
    edit <name_str>
        set name <string>
        set header-client-ip {pass | add | remove}
        set header-via-request {pass | add | remove}
        set header-via-response {pass | add | remove}
        set header-x-forwarded-for {pass | add | remove}
        set header-front-end-https {pass | add | remove}
        config headers
            edit <name_str>
                set id <integer>
                set name <string>
                set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
                set content <string>
        end
end


Description

Configuration Description Default Value

name Profile name. (Empty)

header-client-ip Action to take on the HTTP client-IP header in forwarded requests. pass

header-via-request Action to take on the HTTP via header in forwarded requests. pass

header-via-response Action to take on the HTTP via header in forwarded responses. pass

header-x-forwarded-for Action to take on the HTTP x-forwarded-for header in forwarded requests. pass

header-front-end-https Action to take on the HTTP front-end-HTTPS header in forwarded requests. pass

headers Configure HTTP forwarded requests headers. (Empty)


web-proxy/url-match

CLI Syntax

config web-proxy url-match
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set url-pattern <string>
        set forward-server <string>
        set cache-exemption {enable | disable}
        set comment <var-string>
end


Description

Configuration Description Default Value

name Configure URL name. (Empty)

status Enable/disable per URL pattern web proxy forwarding and cache exemptions. enable

url-pattern URL pattern. (Empty)

forward-server Forward server name. (Empty)

cache-exemption Enable/disable cache exemption for this URL pattern. disable

comment Comment. (Empty)


webfilter/content

CLI Syntax

config webfilter content
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set name <string>
                set pattern-type {wildcard | regexp}
                set status {enable | disable}
                set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
                set score <integer>
                set action {block | exempt}
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Configure web filter banned word. (Empty)


webfilter/content-header

CLI Syntax

config webfilter content-header
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set pattern <string>
                set action {block | allow | exempt}
                set category <user>
        end
end


Description

Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Configure content types used by web filter. (Empty)


webfilter/cookie-ovrd

CLI Syntax

config webfilter cookie-ovrd
    edit <name_str>
        set auth-epoch <integer>
        set redir-host <string>
        set redir-port <integer>
        set cookie-name <string>
end


Description

Configuration Description Default Value

auth-epoch Current authentication epoch - changing this value will invalidate all currently issued override cookies. 0

redir-host Domain name or IP of host that will be used to validate override authentication cookies. (Empty)

redir-port TCP port that will be used on "redir-host" to validate override authentication cookies. 20080

cookie-name Name to use for override authentication cookies. wfovrdZnkHSb2CESh


webfilter/fortiguard

CLI Syntax

config webfilter fortiguard
    edit <name_str>
        set cache-mode {ttl | db-ver}
        set cache-prefix-match {enable | disable}
        set cache-mem-percent <integer>
        set ovrd-auth-port-http <integer>
        set ovrd-auth-port-https <integer>
        set ovrd-auth-port-warning <integer>
        set ovrd-auth-https {enable | disable}
        set warn-auth-https {enable | disable}
        set close-ports {enable | disable}
        set request-packet-size-limit <integer>
        set ovrd-auth-port <integer>
end


Description

Configuration Description Default Value

cache-mode Cache entry expiration mode. ttl

cache-prefix-match Enable/disable prefix matching in the cache. enable

cache-mem-percent Maximum percentage of available memory allocated to caching (1 - 15%). 2

ovrd-auth-port-http Port to use for FortiGuard Web Filter HTTP override authentication. 8008

ovrd-auth-port-https Port to use for FortiGuard Web Filter HTTPS override authentication. 8010

ovrd-auth-port-warning Port to use for FortiGuard Web Filter Warning override authentication. 8020

ovrd-auth-https Enable/disable use of HTTPS for override authentication. enable

warn-auth-https Enable/disable use of HTTPS for warning and authentication. enable

close-ports Close ports used for HTTP/HTTPS override authentication and disable user overrides. disable

request-packet-size-limit Limit size of URL request packets sent to FortiGuard server (0 for default). 0

ovrd-auth-port Port to use for FortiGuard Web Filter override authentication. 8008


webfilter/ftgd-local-cat

CLI Syntax

config webfilter ftgd-local-cat
    edit <name_str>
        set id <integer>
        set desc <string>
end


Description

Configuration Description Default Value

id Local category ID. 0

desc Local category description. (Empty)


webfilter/ftgd-local-rating

CLI Syntax

```
config webfilter ftgd-local-rating
    edit <name_str>
        set url <string>
        set status {enable | disable}
        set rating <user>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| url | URL to rate locally. | (Empty) |
| status | Enable/disable local rating. | enable |
| rating | Local rating. | |

webfilter/ftgd-warning

CLI Syntax

```
config webfilter ftgd-warning
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set expires <user>
        set rating <integer>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | Specify the override rule ID. | 0 |
| status | Enable/disable override rule. | disable |
| scope | Specify the scope of the override rule. | user |
| ip | Specify the IP address for which the override applies. | 0.0.0.0 |
| user | Specify the username for which the override applies. | (Empty) |
| user-group | Specify the user group for which the override applies. | (Empty) |
| old-profile | Specify the web-filter profile for which the override applies. | (Empty) |
| expires | Specify when the override expires. | 1969/12/31 16:00:00 |
| rating | Ratings associated with the overridden filter. | 0 |

webfilter/ips-urlfilter-cache-setting

CLI Syntax

```
config webfilter ips-urlfilter-cache-setting
    edit <name_str>
        set dns-retry-interval <integer>
        set extended-ttl <integer>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| dns-retry-interval | Retry interval. Refresh DNS faster than TTL to capture multiple IPs for hosts. 0 means use DNS server's TTL only. | 0 |
| extended-ttl | Extend time to live beyond that reported by DNS. 0 means use DNS server's TTL. | 0 |

webfilter/ips-urlfilter-setting

CLI Syntax

```
config webfilter ips-urlfilter-setting
    edit <name_str>
        set device <string>
        set distance <integer>
        set gateway <ipv4-address>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| device | Enable/disable gateway out interface. | (Empty) |
| distance | Administrative distance (1 - 255). | 1 |
| gateway | Gateway IP for this route. | 0.0.0.0 |

webfilter/override

CLI Syntax

```
config webfilter override
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set new-profile <string>
        set ip6 <ipv6-address>
        set expires <user>
        set initiator <string>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | Specify the override rule ID. | 0 |
| status | Enable/disable override rule. | disable |
| scope | Specify the scope of the override rule. | user |
| ip | Specify the IP address for which the override applies. | 0.0.0.0 |
| user | Specify the username for which the override applies. | (Empty) |
| user-group | Specify the user group for which the override applies. | (Empty) |
| old-profile | Specify the web-filter profile for which the override applies. | (Empty) |
| new-profile | Specify the new web-filter profile to apply override. | (Empty) |
| ip6 | Specify the IPv6 address for which the override applies. | :: |
| expires | Specify when the override expires. | 1969/12/31 16:00:00 |
| initiator | Initiating user of override (not settable). | (Empty) |

webfilter/override-user

CLI Syntax

```
config webfilter override-user
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set scope {user | user-group | ip | ip6}
        set ip <ipv4-address>
        set user <string>
        set user-group <string>
        set old-profile <string>
        set new-profile <string>
        set ip6 <ipv6-address>
        set expires <user>
        set initiator <string>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | Specify the override rule ID. | 0 |
| status | Enable/disable override rule. | disable |
| scope | Specify the scope of the override rule. | user |
| ip | Specify the IP address for which the override applies. | 0.0.0.0 |
| user | Specify the username for which the override applies. | (Empty) |
| user-group | Specify the user group for which the override applies. | (Empty) |
| old-profile | Specify the web-filter profile for which the override applies. | (Empty) |
| new-profile | Specify the new web-filter profile to apply override. | (Empty) |
| ip6 | Specify the IPv6 address for which the override applies. | :: |
| expires | Specify when the override expires. | 1969/12/31 16:00:00 |
| initiator | Initiating user of override (not settable). | (Empty) |

webfilter/profile

CLI Syntax

```
config webfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set inspection-mode {proxy | flow-based | dns}
        set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-url-scan | per-user-bwl}
        set https-replacemsg {enable | disable}
        set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}
        set post-action {normal | comfort | block}
        config override
            edit <name_str>
                set ovrd-cookie {allow | deny}
                set ovrd-scope {user | user-group | ip | browser | ask}
                set profile-type {list | radius}
                set ovrd-dur-mode {constant | ask}
                set ovrd-dur <user>
                set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
                config ovrd-user-group
                    edit <name_str>
                        set name <string>
                end
                config profile
                    edit <name_str>
                        set name <string>
                end
        end
        config web
            edit <name_str>
                set bword-threshold <integer>
                set bword-table <integer>
                set urlfilter-table <integer>
                set content-header-list <integer>
                set blacklist {enable | disable}
                set whitelist {exempt-av | exempt-webcontent | exempt-activex-java-cookie | exempt-dlp | exempt-rangeblock | extended-log-others}
                set safe-search {url | header}
                set youtube-edu-filter-id <string>
                set log-search {enable | disable}
                config keyword-match
                    edit <name_str>
                        set pattern <string>
                end
        end
        config ftgd-wf
            edit <name_str>
                set options {error-allow | http-err-detail | rate-image-urls | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable}
                set category-override <user>
                set exempt-quota <user>
                set ovrd <user>
                config filters
                    edit <name_str>
                        set id <integer>
                        set category <integer>
                        set action {block | authenticate | monitor | warning}
                        set warn-duration <user>
                        config auth-usr-grp
                            edit <name_str>
                                set name <string>
                        end
                        set log {enable | disable}
                        set override-replacemsg <string>
                        set warning-prompt {per-domain | per-category}
                        set warning-duration-type {session | timeout}
                end
                config quota
                    edit <name_str>
                        set id <integer>
                        set category <user>
                        set type {time | traffic}
                        set unit {B | KB | MB | GB}
                        set value <integer>
                        set duration <user>
                        set override-replacemsg <string>
                end
                set max-quota-timeout <integer>
                set rate-image-urls {disable | enable}
                set rate-javascript-urls {disable | enable}
                set rate-css-urls {disable | enable}
                set rate-crl-urls {disable | enable}
        end
        set wisp {enable | disable}
        set log-all-url {enable | disable}
        set web-content-log {enable | disable}
        set web-filter-activex-log {enable | disable}
        set web-filter-command-block-log {enable | disable}
        set web-filter-cookie-log {enable | disable}
        set web-filter-applet-log {enable | disable}
        set web-filter-jscript-log {enable | disable}
        set web-filter-js-log {enable | disable}
        set web-filter-vbs-log {enable | disable}
        set web-filter-unknown-log {enable | disable}
        set web-filter-referer-log {enable | disable}
        set web-filter-cookie-removal-log {enable | disable}
        set web-url-log {enable | disable}
        set web-invalid-domain-log {enable | disable}
        set web-ftgd-err-log {enable | disable}
        set web-ftgd-quota-usage {enable | disable}
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Profile name. | (Empty) |
| comment | Comment. | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| inspection-mode | Web filtering inspection mode. | proxy |
| options | Options. | (Empty) |
| https-replacemsg | Enable replacement message display for non-deep SSL inspection. | enable |
| ovrd-perm | Override permit option. | (Empty) |
| post-action | Action for HTTP POST requests. | normal |
| override | Web Filter override settings. | Details below |

| Configuration | Default Value |
|---|---|
| ovrd-cookie | deny |
| ovrd-scope | user |
| profile-type | list |
| ovrd-dur-mode | constant |
| ovrd-dur | 15m |
| profile-attribute | Login-LAT-Service |
| ovrd-user-group | (Empty) |
| profile | (Empty) |

| Configuration | Description | Default Value |
|---|---|---|
| web | Web settings. | Details below |

| Configuration | Default Value |
|---|---|
| bword-threshold | 10 |
| bword-table | 0 |
| urlfilter-table | 0 |
| content-header-list | 0 |
| blacklist | disable |
| whitelist | (Empty) |
| safe-search | (Empty) |
| youtube-edu-filter-id | (Empty) |
| log-search | disable |
| keyword-match | (Empty) |

| Configuration | Description | Default Value |
|---|---|---|
| ftgd-wf | FortiGuard Web Filter settings. | Details below |

| Configuration | Default Value |
|---|---|
| options | ftgd-disable |
| category-override | |
| exempt-quota | 17 |
| ovrd | |
| filters | (Empty) |
| quota | (Empty) |
| max-quota-timeout | 300 |
| rate-image-urls | enable |
| rate-javascript-urls | enable |
| rate-css-urls | enable |
| rate-crl-urls | enable |

| Configuration | Description | Default Value |
|---|---|---|
| wisp | Enable/disable web proxy WISP. | disable |
| log-all-url | Enable/disable log all URLs visited. | disable |
| web-content-log | Enable/disable logging for web filter content blocking. | enable |
| web-filter-activex-log | Enable/disable logging for web script filtering on ActiveX. | enable |
| web-filter-command-block-log | Enable/disable logging for web filtering on command blocking. | enable |
| web-filter-cookie-log | Enable/disable logging for web script filtering on cookies. | enable |
| web-filter-applet-log | Enable/disable logging for web script filtering on Java applets. | enable |
| web-filter-jscript-log | Enable/disable logging for web script filtering on JScripts. | enable |
| web-filter-js-log | Enable/disable logging for web script filtering on Java scripts. | enable |
| web-filter-vbs-log | Enable/disable logging for web script filtering on VB scripts. | enable |
| web-filter-unknown-log | Enable/disable logging for web script filtering on unknown scripts. | enable |
| web-filter-referer-log | Enable/disable logging of web filter referrer block. | enable |
| web-filter-cookie-removal-log | Enable/disable logging of web filter cookie block. | enable |
| web-url-log | Enable/disable logging for URL filtering. | enable |
| web-invalid-domain-log | Enable/disable logging for web filtering of invalid domain name. | enable |
| web-ftgd-err-log | Enable/disable logging for FortiGuard Web Filter rating errors. | enable |
| web-ftgd-quota-usage | Enable/disable logging for FortiGuard Web Filter quota usage each day. | enable |

webfilter/search-engine

CLI Syntax

```
config webfilter search-engine
    edit <name_str>
        set name <string>
        set hostname <string>
        set url <string>
        set query <string>
        set safesearch {disable | url | header}
        set charset {utf-8 | gb2312}
        set safesearch-str <string>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Search engine name. | (Empty) |
| hostname | Hostname regular expression. | (Empty) |
| url | URL regular expression. | (Empty) |
| query | Query string (must end with an equals character). | (Empty) |
| safesearch | Safe search enable. | disable |
| charset | Search engine charset. | utf-8 |
| safesearch-str | Safe search parameter. | (Empty) |

webfilter/urlfilter

CLI Syntax

```
config webfilter urlfilter
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        set one-arm-ips-urlfilter {enable | disable}
        set ip-addr-block {enable | disable}
        config entries
            edit <name_str>
                set id <integer>
                set url <string>
                set type {simple | regex | wildcard}
                set action {exempt | block | allow | monitor}
                set status {enable | disable}
                set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
                set web-proxy-profile <string>
                set referrer-host <string>
        end
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | ID. | 0 |
| name | Name of table. | (Empty) |
| comment | Comment. | (Empty) |
| one-arm-ips-urlfilter | Enable/disable DNS resolver for one-arm IPS URL filter operation. | disable |
| ip-addr-block | Enable/disable block URLs when hostname appears as an IP address. | disable |
| entries | Web filter/URL filter. | (Empty) |

wireless-controller/ap-status

CLI Syntax

```
config wireless-controller ap-status
    edit <name_str>
        set id <integer>
        set bssid <mac-address>
        set ssid <string>
        set status {rogue | accepted | suppressed}
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | AP ID. | 0 |
| bssid | AP's BSSID. | 00:00:00:00:00:00 |
| ssid | AP's SSID. | (Empty) |
| status | AP status. | rogue |

wireless-controller/global

CLI Syntax

```
config wireless-controller global
    edit <name_str>
        set name <string>
        set location <string>
        set max-retransmit <integer>
        set data-ethernet-II {enable | disable}
        set mesh-eth-type <integer>
        set discovery-mc-addr <ipv4-address-multicast>
        set max-clients <integer>
        set rogue-scan-mac-adjacency <integer>
        set ap-log-server {enable | disable}
        set ap-log-server-ip <ipv4-address>
        set ap-log-server-port <integer>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name. | (Empty) |
| location | Location. | (Empty) |
| max-retransmit | Maximum # of retransmissions for tunnel packet. | 3 |
| data-ethernet-II | Enable/disable ethernet frame type with 802.3 data tunnel mode. | disable |
| mesh-eth-type | Ethernet type for wireless backhaul tunnel packet. | 8755 |
| discovery-mc-addr | Discovery multicast address. | 224.0.1.140 |
| max-clients | Maximum number of stations supported by the AC. | 0 |
| rogue-scan-mac-adjacency | Range of numerical difference between AP's Ethernet MAC and AP's BSSID, given the identical OUI (default = 7). | 7 |
| ap-log-server | Enable/disable AP log server. | disable |
| ap-log-server-ip | AP log server IP address. | 0.0.0.0 |
| ap-log-server-port | AP log server port. | 0 |

wireless-controller/setting

CLI Syntax

```
config wireless-controller setting
    edit <name_str>
        set account-id <string>
        set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| account-id | FortiCloud customer account ID. | (Empty) |
| country | Country. | US |

wireless-controller/timers

CLI Syntax

```
config wireless-controller timers
    edit <name_str>
        set echo-interval <integer>
        set discovery-interval <integer>
        set client-idle-timeout <integer>
        set rogue-ap-log <integer>
        set fake-ap-log <integer>
        set darrp-optimize <integer>
        set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        config darrp-time
            edit <name_str>
                set time <string>
        end
        set sta-stats-interval <integer>
        set vap-stats-interval <integer>
        set radio-stats-interval <integer>
        set sta-capability-interval <integer>
        set sta-locate-timer <integer>
end
```

Description

| Configuration | Description | Default Value |
|---|---|---|
| echo-interval | Interval before WTP sends Echo Request after joining AC (1 - 255, default = 30 sec). | 30 |
| discovery-interval | Interval between Discovery Request (2 - 180 sec, default = 5 sec). | 5 |
| client-idle-timeout | Wireless station idle timeout (0 no client-idle check, 20 - 3600 sec, default = 300 sec). | 300 |
| rogue-ap-log | Rogue AP periodic log reporting interval (default = 0 min). | 0 |
| fake-ap-log | Fake AP periodic log reporting interval (default = 1 min). | 1 |
| darrp-optimize | DARRP optimization interval (default = 1800 sec). | 1800 |
| darrp-day | Weekday on which DARRP optimization is executed. | (Empty) |
| darrp-time | Time at which DARRP optimization is executed (Up to 8 time points). | (Empty) |
| sta-stats-interval | WTP interval for which station statistics are sent (1 - 255, default = 1 sec). | 1 |
| vap-stats-interval | WTP interval for which vap statistics are sent (1 - 255, default = 15 sec). | 15 |
| radio-stats-interval | WTP interval for which radio statistics are sent (1 - 255, default = 15 sec). | 15 |
| sta-capability-interval | WTP interval for which station capability information is sent (1 - 255, default = 30 sec). | 30 |
| sta-locate-timer | Interval at which the WTP flushes the station presence (default = 1800 sec). | 1800 |

wireless-controller/vap

CLI Syntax

```
config wireless-controller vap
    edit <name_str>
        set name <string>
        set vdom <string>
        set fast-roaming {enable | disable}
        set external-fast-roaming {enable | disable}
        set mesh-backhaul {enable | disable}
        set max-clients <integer>
        set max-clients-ap <integer>
        set ssid <string>
        set broadcast-ssid {enable | disable}
        set security-obsolete-option {enable | disable}
        set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
        set pmf {disable | enable | optional}
        set pmf-assoc-comeback-timeout <integer>
        set pmf-sa-query-retry-timeout <integer>
        set okc {disable | enable}
        set tkip-counter-measure {enable | disable}
        set external-web <string>
        set radius-mac-auth {enable | disable}
        set radius-mac-auth-server <string>
        set auth {psk | radius | usergroup}
        set encrypt {TKIP | AES | TKIP-AES}
        set keyindex <integer>
        set key <password>
        set passphrase <password>
        set radius-server <string>
        set acct-interim-interval <integer>
        config usergroup
            edit <name_str>
                set name <string>
        end
        set portal-message-override-group <string>
        config portal-message-overrides
            edit <name_str>
                set auth-disclaimer-page <string>
                set auth-reject-page <string>
                set auth-login-page <string>
                set auth-login-failed-page <string>
        end
        set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
        config selected-usergroups
            edit <name_str>
                set name <string>
        end
        set security-exempt-list <string>
        set security-redirect-url <string>
        set intra-vap-privacy {enable | disable}
        set schedule <string>
        set local-standalone {enable | disable}
        set local-standalone-nat {enable | disable}
        set ip <ipv4-classnet-host>
        set local-bridging {enable | disable}
        set split-tunneling {enable | disable}
        set local-authentication {enable | disable}
        set local-switching {enable | disable}
        set vlanid <integer>
        set vlan-auto {enable | disable}
        set dynamic-vlan {enable | disable}
        set alias <string>
        set multicast-rate {0 | 6000 | 12000 | 24000}
        set multicast-enhance {enable | disable}
        set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
        set me-disable-thresh <integer>
        set probe-resp-suppression {enable | disable}
        set probe-resp-threshold <string>
        set vlan-pooling {wtp-group | round-robin | hash | disable}
        config vlan-pool
            edit <name_str>
                set id <integer>
                set wtp-group <string>
        end
        set ptk-rekey {enable | disable}
        set ptk-rekey-intv <integer>
        set gtk-rekey {enable | disable}
        set gtk-rekey-intv <integer>
        set eap-reauth {enable | disable}
        set eap-reauth-intv <integer>
        set rates-11a {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
        set rates-11bg {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
        set rates-11n-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/2 | mcs9/2 | mcs10/2 | mcs11/2 | mcs12/2 | mcs13/2 | mcs14/2 | mcs15/2}
        set rates-11n-ss34 {mcs16/3 | mcs17/3 | mcs18/3 | mcs19/3 | mcs20/3 | mcs21/3 | mcs22/3 | mcs23/3 | mcs24/4 | mcs25/4 | mcs26/4 | mcs27/4 | mcs28/4 | mcs29/4 | mcs30/4 | mcs31/4}
        set rates-11ac-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/1 | mcs9/1 | mcs0/2 | mcs1/2 | mcs2/2 | mcs3/2 | mcs4/2 | mcs5/2 | mcs6/2 | mcs7/2 | mcs8/2 | mcs9/2}
        set rates-11ac-ss34 {mcs0/3 | mcs1/3 | mcs2/3 | mcs3/3 | mcs4/3 | mcs5/3 | mcs6/3 | mcs7/3 | mcs8/3 | mcs9/3 | mcs0/4 | mcs1/4 | mcs2/4 | mcs3/4 | mcs4/4 | mcs5/4 | mcs6/4 | mcs7/4 | mcs8/4 | mcs9/4}
        set mac-filter {enable | disable}
        set mac-filter-policy-other {allow | deny}
        config mac-filter-list
            edit <name_str>
                set id <integer>
                set mac <mac-address>
                set mac-filter-policy {allow | deny}
        end
end
```
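The following audit script is an added example, not part of the Fortinet reference. It parses `config wireless-controller vap` blocks from a saved configuration and flags SSIDs whose `security`, `encrypt`, `pmf` or `security-obsolete-option` values select open access, WEP or TKIP, or leave Protected Management Frames off. The sample configuration, the `next` separators between entries (present in saved FortiOS configurations but not shown in the syntax summary above) and the choice of which values to flag are assumptions of this example; unset options fall back to the defaults this reference lists for vap.

```python
"""Audit FortiOS `config wireless-controller vap` entries for weak Wi-Fi settings."""
import shlex

VAP_PATH = "wireless-controller vap"

# Defaults taken from the vap description table in this reference.
DEFAULTS = {
    "security": "wpa2-only-personal",
    "encrypt": "AES",
    "pmf": "disable",
    "security-obsolete-option": "disable",
}

# Assumption of this example: which values to flag. WEP and TKIP are
# deprecated in IEEE 802.11, and "open" provides no link encryption.
NO_OR_BROKEN_CRYPTO = {"open", "wep64", "wep128"}
TKIP_MODES = {"TKIP", "TKIP-AES"}


def parse_vaps(text):
    """Return {vap_name: {option: value}} for each top-level vap entry."""
    vaps, stack, current = {}, [], None
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # header lines of a saved configuration
        try:
            tok = shlex.split(raw)
        except ValueError:
            continue  # simplification: lines of multi-line quoted values are skipped
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "config":
            stack.append(" ".join(tok[1:]))
        elif cmd == "end":
            if stack:
                stack.pop()
            if VAP_PATH not in stack:
                current = None
        elif stack and stack[-1] == VAP_PATH:
            # Only statements directly inside the vap table are read here;
            # nested tables such as mac-filter-list are ignored.
            if cmd == "edit" and len(tok) > 1:
                current = tok[1]
                vaps[current] = dict(DEFAULTS)
            elif cmd == "next":
                current = None
            elif cmd == "set" and current and len(tok) >= 3:
                vaps[current][tok[1]] = " ".join(tok[2:])
    return vaps


def audit_vap(opts):
    """Return a list of (severity, option, value) findings for one vap."""
    findings = []
    sec = opts["security"]
    if sec in NO_OR_BROKEN_CRYPTO:
        findings.append(("high", "security", sec))
    elif opts["encrypt"] in TKIP_MODES:
        findings.append(("medium", "encrypt", opts["encrypt"]))
    if opts["security-obsolete-option"] == "enable":
        findings.append(("medium", "security-obsolete-option", "enable"))
    # PMF only matters on an encrypted SSID; off means management frames are unprotected.
    if opts["pmf"] == "disable" and sec not in NO_OR_BROKEN_CRYPTO:
        findings.append(("low", "pmf", "disable"))
    return findings


def audit_config(text):
    """Return {vap_name: findings} for every vap found in the configuration text."""
    return {name: audit_vap(opts) for name, opts in parse_vaps(text).items()}


# Constructed sample input (not from a real device).
SAMPLE_CONFIG = """
#config-version=constructed-sample
config wireless-controller vap
    edit "guest-legacy"
        set ssid "Guest"
        set security-obsolete-option enable
        set security wep128
        set key ENC constructed-placeholder
    next
    edit "corp"
        set ssid "Corp"
        set security wpa2-only-enterprise
        set pmf enable
        set radius-server "rad1"
        set mac-filter enable
        config mac-filter-list
            edit 1
                set mac 00:11:22:33:44:55
                set mac-filter-policy allow
            next
        end
    next
    edit "lab"
        set ssid "Lab"
        set passphrase ENC constructed-placeholder
        set encrypt TKIP-AES
    next
end
"""

if __name__ == "__main__":
    for vap, findings in audit_config(SAMPLE_CONFIG).items():
        for severity, option, value in findings:
            print(f"{vap}: [{severity}] {option} = {value}")
```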

Description

Configuration Description Default Value

name Virtual AP name. (Empty)

vdom Owning VDOM. (Empty)

fast-roaming Enable/disable fast roaming. enable

external-fast-roaming Enable/disable fast roaming with external non-managed AP.

disable

mesh-backhaul Enable/disable mesh backhaul. disable

max-clients Maximum number of STAs supported by theVAP.

0

max-clients-ap Maximum number of STAs supported by the VAP(per AP radio).

0

ssid IEEE 802.11 Service Set Identifier. fortinet

broadcast-ssid Enable/disable SSID broadcast in the beacon. enable

security-obsolete-option

Enable/disable obsolete security options. disable

security Wireless access security of SSID. wpa2-only-personal

pmf Protected Management Frames (PMF) support. disable

pmf-assoc-comeback-timeout

Protected Management Frames (PMF) comebackmaximum timeout (1-20 sec).

1

pmf-sa-query-retry-timeout

Protected Management Frames (PMF) SA queryretry timeout interval (1 - 5 in 100s of msec).

2

okc Enable/disable Opportunistic Key Caching (OKC). enable

tkip-counter-measure Enable/disable TKIP counter measure. enable

external-web URL of external authentication web server. (Empty)

radius-mac-auth Enable/disable RADIUS-based MACauthentication.

disable

CLI Reference for FortiOS 5.4 Fortinet Technologies Inc.

851

Page 852: FortiOS 5.4 CLI Referencedocshare02.docshare.tips/files/30730/307306382.pdfChangeLog ChangeLog Date ChangeDescription December16,2015 NewFortiOS5.4.0release. CLI Reference for FortiOS

radius-mac-auth-server RADIUS-based MAC authentication server. (Empty)

auth Authentication protocol. psk

encrypt Data encryption. AES

keyindex WEP key index (1 - 4). 1

key WEP Key. (Empty)

passphrase Pre-shared key for WPA. (Empty)

radius-server WiFi RADIUS server. (Empty)

acct-interim-interval WiFi RADIUS accounting interim interval (60 -86400 sec, default = 0).

0

usergroup Selected user group. (Empty)

portal-message-override-group

Specify captive portal replacement messageoverride group.

(Empty)

portal-message-overrides

Individual message overrides. Details below

Configuration Default Valueauth-disclaimer-page (Empty)auth-reject-page (Empty)auth-login-page (Empty)auth-login-failed-page (Empty)

portal-type Captive portal type. auth

selected-usergroups Selected user group. (Empty)

security-exempt-list Security exempt list name. (Empty)

security-redirect-url URL redirection after disclaimer/authentication. (Empty)

intra-vap-privacy Enable/disable intra-SSID privacy. disable

schedule VAP schedule name. (Empty)

local-standalone Enable/disable AP local standalone. disable

local-standalone-nat Enable/disable AP local standalone NAT mode. disable

ip IP address and subnet mask for the local standalone NAT subnet. 0.0.0.0 0.0.0.0

local-bridging Enable/disable FortiAP local VAP-to-Ethernet bridge. disable

split-tunneling Enable/disable split tunneling. disable

local-authentication Enable/disable AP local authentication. disable

local-switching Enable/disable FortiAP local VAP traffic switching. enable

vlanid Optional VLAN ID. 0

vlan-auto Enable/disable automatic management of SSID VLAN interface. disable

dynamic-vlan Enable/disable dynamic VLAN assignment. disable

alias Alias. (Empty)

multicast-rate Multicast rate (kbps). 0

multicast-enhance Enable/disable multicast enhancement. disable

broadcast-suppression Suppress broadcast frames from WiFi clients. dhcp-up arp-known

me-disable-thresh Threshold of number of multicast clients to disable multicast enhancement. 32

probe-resp-suppression Enable/disable probe response suppression. disable

probe-resp-threshold Threshold at which FortiAP responds to probe requests (signal level must be no lower than this value). -80

vlan-pooling Enable/disable VLAN pooling. disable

vlan-pool VLAN pool. (Empty)

ptk-rekey Enable/disable PTK rekey for WPA-Enterprise security. disable

ptk-rekey-intv PTK rekey interval (1800 - 864000 sec, default = 86400). 86400

gtk-rekey Enable/disable GTK rekey for WPA security. disable

gtk-rekey-intv GTK rekey interval (1800 - 864000 sec, default = 86400). 86400

eap-reauth Enable/disable EAP re-authentication for WPA-Enterprise security. disable

eap-reauth-intv EAP re-authentication interval (1800 - 864000 sec, default = 86400). 86400

rates-11a Configure allowed data rates for 802.11a. (Empty)

rates-11bg Configure allowed data rates for 802.11b/g. (Empty)

rates-11n-ss12 Configure allowed data rates for 802.11n with 1 or 2 spatial streams. (Empty)

rates-11n-ss34 Configure allowed data rates for 802.11n with 3 or 4 spatial streams. (Empty)

rates-11ac-ss12 Configure allowed data rates for 802.11ac with 1 or 2 spatial streams. (Empty)

rates-11ac-ss34 Configure allowed data rates for 802.11ac with 3 or 4 spatial streams. (Empty)

mac-filter Enable/disable MAC filter status. disable

mac-filter-policy-other Deny or allow STAs whose MAC addresses are not in the filter list. allow

mac-filter-list MAC filter list. (Empty)

wireless-controller/vap-group

CLI Syntax

config wireless-controller vap-group
    edit <name_str>
        set name <string>
        set comment <var-string>
        config vaps
            edit <name_str>
                set name <string>
        end
end

Description

Configuration Description Default Value

name Group Name (Empty)

comment Comment. (Empty)

vaps Selected list of SSIDs to be included in the group. (Empty)

wireless-controller/wids-profile

CLI Syntax

config wireless-controller wids-profile
    edit <name_str>
        set name <string>
        set comment <string>
        set ap-scan {disable | enable}
        set ap-bgscan-period <integer>
        set ap-bgscan-intv <integer>
        set ap-bgscan-duration <integer>
        set ap-bgscan-idle <integer>
        set ap-bgscan-report-intv <integer>
        set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set ap-bgscan-disable-start <user>
        set ap-bgscan-disable-end <user>
        set ap-fgscan-report-intv <integer>
        set ap-scan-passive {enable | disable}
        set rogue-scan {enable | disable}
        set ap-auto-suppress {enable | disable}
        set wireless-bridge {enable | disable}
        set deauth-broadcast {enable | disable}
        set null-ssid-probe-resp {enable | disable}
        set long-duration-attack {enable | disable}
        set long-duration-thresh <integer>
        set invalid-mac-oui {enable | disable}
        set weak-wep-iv {enable | disable}
        set auth-frame-flood {enable | disable}
        set auth-flood-time <integer>
        set auth-flood-thresh <integer>
        set assoc-frame-flood {enable | disable}
        set assoc-flood-time <integer>
        set assoc-flood-thresh <integer>
        set spoofed-deauth {enable | disable}
        set asleap-attack {enable | disable}
        set eapol-start-flood {enable | disable}
        set eapol-start-thresh <integer>
        set eapol-start-intv <integer>
        set eapol-logoff-flood {enable | disable}
        set eapol-logoff-thresh <integer>
        set eapol-logoff-intv <integer>
        set eapol-succ-flood {enable | disable}
        set eapol-succ-thresh <integer>
        set eapol-succ-intv <integer>
        set eapol-fail-flood {enable | disable}
        set eapol-fail-thresh <integer>
        set eapol-fail-intv <integer>
        set eapol-pre-succ-flood {enable | disable}
        set eapol-pre-succ-thresh <integer>
        set eapol-pre-succ-intv <integer>
        set eapol-pre-fail-flood {enable | disable}
        set eapol-pre-fail-thresh <integer>
        set eapol-pre-fail-intv <integer>
        set deauth-unknown-src-thresh <integer>
end

Description

Configuration Description Default Value

name WIDS profile name. (Empty)

comment Comment. (Empty)

ap-scan Enable/disable AP scan. disable

ap-bgscan-period Interval between two rounds of scanning (60 - 3600 sec). 600

ap-bgscan-intv Interval between two scanning channels (1 - 600 sec). 1

ap-bgscan-duration Listening time on a scanning channel (10 - 1000 msec). 20

ap-bgscan-idle Channel idle time before scanning channel (0 - 1000 msec). 0

ap-bgscan-report-intv Interval between two background scan reports (15 - 600 sec). 30

ap-bgscan-disable-day Weekday on which background scan is disabled. (Empty)

ap-bgscan-disable-start Start time at which background scan is disabled. 00:00

ap-bgscan-disable-end End time at which background scan is disabled. 00:00

ap-fgscan-report-intv Interval between two foreground scan reports (15 - 600 sec). 15

ap-scan-passive Enable/disable passive scan on all channels. disable

rogue-scan Enable/disable rogue AP on-wire scan. disable

ap-auto-suppress Enable/disable on-wire rogue AP auto-suppress. disable

wireless-bridge Enable/disable wireless bridge detection. disable

deauth-broadcast Enable/disable broadcasting de-authentication detection. disable

null-ssid-probe-resp Enable/disable null SSID probe response detection. disable

long-duration-attack Enable/disable long duration attack detection based on user configured threshold. disable

long-duration-thresh Threshold value (usec) for long duration attack detection. 8200

invalid-mac-oui Enable/disable invalid MAC OUI detection. disable

weak-wep-iv Enable/disable weak WEP IV (Initialization Vector) detection. disable

auth-frame-flood Enable/disable authentication frame flooding detection. disable

auth-flood-time Number of seconds after which an STA is considered not connected. 10

auth-flood-thresh The threshold value for authentication flooding. 30

assoc-frame-flood Enable/disable association frame flooding detection. disable

assoc-flood-time Number of seconds after which an STA is considered not connected. 10

assoc-flood-thresh The threshold value for association flooding. 30

spoofed-deauth Enable/disable spoofed de-authentication detection. disable

asleap-attack Enable/disable asleap attack detection. disable

eapol-start-flood Enable/disable EAPOL-Start flooding (to AP) detection. disable

eapol-start-thresh The threshold value for EAPOL-Start flooding in specified interval. 10

eapol-start-intv The detection interval for EAPOL-Start flooding in sec. 1

eapol-logoff-flood Enable/disable EAPOL-Logoff flooding (to AP) detection. disable

eapol-logoff-thresh The threshold value for EAPOL-Logoff flooding in specified interval. 10

eapol-logoff-intv The detection interval for EAPOL-Logoff flooding in sec. 1

eapol-succ-flood Enable/disable EAPOL-Success flooding (to AP) detection. disable

eapol-succ-thresh The threshold value for EAPOL-Success flooding in specified interval. 10

eapol-succ-intv The detection interval for EAPOL-Success flooding in sec. 1

eapol-fail-flood Enable/disable EAPOL-Failure flooding (to AP) detection. disable

eapol-fail-thresh The threshold value for EAPOL-Failure flooding in specified interval. 10

eapol-fail-intv The detection interval for EAPOL-Failure flooding in sec. 1

eapol-pre-succ-flood Enable/disable premature EAPOL-Success flooding (to STA) detection. disable

eapol-pre-succ-thresh The threshold value for premature EAPOL-Success flooding in specified interval. 10

eapol-pre-succ-intv The detection interval for premature EAPOL-Success flooding in sec. 1

eapol-pre-fail-flood Enable/disable premature EAPOL-Failure flooding (to STA) detection. disable

eapol-pre-fail-thresh The threshold value for premature EAPOL-Failure flooding in specified interval. 10

eapol-pre-fail-intv The detection interval for premature EAPOL-Failure flooding in sec. 1

deauth-unknown-src-thresh Threshold value per second to deauth unknown src for DoS attack (0: no limit). 10

wireless-controller/wtp

CLI Syntax

config wireless-controller wtp
    edit <name_str>
        set wtp-id <string>
        set index <integer>
        set admin {discovered | disable | enable}
        set name <string>
        set location <string>
        set wtp-mode {normal | remote}
        set wtp-profile <string>
        set override-led-state {enable | disable}
        set led-state {enable | disable}
        set override-wan-port-mode {enable | disable}
        set wan-port-mode {wan-lan | wan-only}
        set override-ip-fragment {enable | disable}
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink <integer>
        set tun-mtu-downlink <integer>
        set override-split-tunnel {enable | disable}
        set split-tunneling-acl-local-ap-subnet {enable | disable}
        config split-tunneling-acl
            edit <name_str>
                set id <integer>
                set dest-ip <ipv4-classnet>
        end
        set override-lan {enable | disable}
        config lan
            edit <name_str>
                set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port-ssid <string>
                set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port1-ssid <string>
                set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port2-ssid <string>
                set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port3-ssid <string>
                set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port4-ssid <string>
                set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port5-ssid <string>
                set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port6-ssid <string>
                set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port7-ssid <string>
                set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port8-ssid <string>
        end
        set override-allowaccess {enable | disable}
        set allowaccess {telnet | http}
        set override-login-passwd-change {enable | disable}
        set login-passwd-change {yes | default | no}
        set login-passwd <password>
        config radio-1
            edit <name_str>
                set radio-id <integer>
                set override-band {enable | disable}
                set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
                set override-analysis {enable | disable}
                set spectrum-analysis {enable | disable}
                set override-txpower {enable | disable}
                set auto-power-level {enable | disable}
                set auto-power-high <integer>
                set auto-power-low <integer>
                set power-level <integer>
                set override-vaps {enable | disable}
                set vap-all {enable | disable}
                config vaps
                    edit <name_str>
                        set name <string>
                end
                set override-channel {enable | disable}
                config channel
                    edit <name_str>
                        set chan <string>
                end
        end
        config radio-2
            edit <name_str>
                set radio-id <integer>
                set override-band {enable | disable}
                set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
                set override-analysis {enable | disable}
                set spectrum-analysis {enable | disable}
                set override-txpower {enable | disable}
                set auto-power-level {enable | disable}
                set auto-power-high <integer>
                set auto-power-low <integer>
                set power-level <integer>
                set override-vaps {enable | disable}
                set vap-all {enable | disable}
                config vaps
                    edit <name_str>
                        set name <string>
                end
                set override-channel {enable | disable}
                config channel
                    edit <name_str>
                        set chan <string>
                end
        end
        set image-download {enable | disable}
        set mesh-bridge-enable {default | enable | disable}
        set coordinate-enable {enable | disable}
        set coordinate-x <string>
        set coordinate-y <string>
end

Description

Configuration Description Default Value

wtp-id WTP ID. (Empty)

index Index (0 - 4294967295). 0

admin Admin status. enable

name WTP name. (Empty)

location WTP location. (Empty)

wtp-mode WTP mode. normal

wtp-profile WTP profile name. (Empty)

override-led-state Enable/disable override of LED state. disable

led-state Enable/disable use of LEDs on WTP. enable

override-wan-port-mode Enable/disable override of wan-port-mode. disable

wan-port-mode Enable/disable use of WAN port as LAN port. wan-only

override-ip-fragment Enable/disable override of IP fragment prevention. disable

ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunnelled control and data packets. tcp-mss-adjust

tun-mtu-uplink Uplink tunnel MTU. 0

tun-mtu-downlink Downlink tunnel MTU. 0

override-split-tunnel Enable/disable override of split tunneling. disable

split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable

split-tunneling-acl Split tunneling ACL filter list. (Empty)

override-lan Enable/disable override of WTP LAN port. disable

lan WTP LAN port mapping. Details below

Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)

override-allowaccess Enable/disable override of management access to managed AP. disable

allowaccess Allow management access to managed AP. (Empty)

override-login-passwd-change Enable/disable override of login password of managed AP. disable

login-passwd-change Configuration options for login password of managed AP. no

login-passwd Login password of managed AP. (Empty)

radio-1 Radio 1. Details below

Configuration Default Value
radio-id 0
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)

radio-2 Radio 2. Details below

Configuration Default Value
radio-id 1
override-band disable
band (Empty)
override-analysis disable
spectrum-analysis disable
override-txpower disable
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
override-vaps disable
vap-all enable
vaps (Empty)
override-channel disable
channel (Empty)

image-download Enable/disable WTP image download. enable

mesh-bridge-enable Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP. default

coordinate-enable Enable/disable WTP coordinates. disable

coordinate-x X axis coordinate. 0

coordinate-y Y axis coordinate. 0

wireless-controller/wtp-profile

CLI Syntax

config wireless-controller wtp-profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        config platform
            edit <name_str>
                set type {FWF | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C | 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321C | S323C | S311C | S313C}
        end
        set wan-port-mode {wan-lan | wan-only}
        config lan
            edit <name_str>
                set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port-ssid <string>
                set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port1-ssid <string>
                set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port2-ssid <string>
                set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port3-ssid <string>
                set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port4-ssid <string>
                set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port5-ssid <string>
                set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port6-ssid <string>
                set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port7-ssid <string>
                set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
                set port8-ssid <string>
        end
        set led-state {enable | disable}
        set dtls-policy {clear-text | dtls-enabled}
        set dtls-in-kernel {enable | disable}
        set max-clients <integer>
        set handoff-rssi <integer>
        set handoff-sta-thresh <integer>
        set handoff-roaming {enable | disable}
        config deny-mac-list
            edit <name_str>
                set id <integer>
                set mac <mac-address>
        end
        set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink <integer>
        set tun-mtu-downlink <integer>
        set split-tunneling-acl-local-ap-subnet {enable | disable}
        config split-tunneling-acl
            edit <name_str>
                set id <integer>
                set dest-ip <ipv4-classnet>
        end
        set allowaccess {telnet | http}
        set login-passwd-change {yes | default | no}
        set login-passwd <password>
        set lldp {enable | disable}
        config radio-1
            edit <name_str>
                set radio-id <integer>
                set mode {disabled | ap | monitor | sniffer}
                set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
                set protection-mode {rtscts | ctsonly | disable}
                set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
                set amsdu {enable | disable}
                set coexistence {enable | disable}
                set short-guard-interval {enable | disable}
                set channel-bonding {80MHz | 40MHz | 20MHz}
                set auto-power-level {enable | disable}
                set auto-power-high <integer>
                set auto-power-low <integer>
                set power-level <integer>
                set dtim <integer>
                set beacon-interval <integer>
                set rts-threshold <integer>
                set frag-threshold <integer>
                set ap-sniffer-bufsize <integer>
                set ap-sniffer-chan <integer>
                set ap-sniffer-addr <mac-address>
                set ap-sniffer-mgmt-beacon {enable | disable}
                set ap-sniffer-mgmt-probe {enable | disable}
                set ap-sniffer-mgmt-other {enable | disable}
                set ap-sniffer-ctl {enable | disable}
                set ap-sniffer-data {enable | disable}
                set spectrum-analysis {enable | disable}
                set wids-profile <string>
                set darrp {enable | disable}
                set max-clients <integer>
                set max-distance <integer>
                set frequency-handoff {enable | disable}
                set ap-handoff {enable | disable}
                set vap-all {enable | disable}
                config vaps
                    edit <name_str>
                        set name <string>
                end
                config channel
                    edit <name_str>
                        set chan <string>
                end
        end
        config radio-2
            edit <name_str>
                set radio-id <integer>
                set mode {disabled | ap | monitor | sniffer}
                set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
                set protection-mode {rtscts | ctsonly | disable}
                set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
                set amsdu {enable | disable}
                set coexistence {enable | disable}
                set short-guard-interval {enable | disable}
                set channel-bonding {80MHz | 40MHz | 20MHz}
                set auto-power-level {enable | disable}
                set auto-power-high <integer>
                set auto-power-low <integer>
                set power-level <integer>
                set dtim <integer>
                set beacon-interval <integer>
                set rts-threshold <integer>
                set frag-threshold <integer>
                set ap-sniffer-bufsize <integer>
                set ap-sniffer-chan <integer>
                set ap-sniffer-addr <mac-address>
                set ap-sniffer-mgmt-beacon {enable | disable}
                set ap-sniffer-mgmt-probe {enable | disable}
                set ap-sniffer-mgmt-other {enable | disable}
                set ap-sniffer-ctl {enable | disable}
                set ap-sniffer-data {enable | disable}
                set spectrum-analysis {enable | disable}
                set wids-profile <string>
                set darrp {enable | disable}
                set max-clients <integer>
                set max-distance <integer>
                set frequency-handoff {enable | disable}
                set ap-handoff {enable | disable}
                set vap-all {enable | disable}
                config vaps
                    edit <name_str>
                        set name <string>
                end
                config channel
                    edit <name_str>
                        set chan <string>
                end
        end
        config lbs
            edit <name_str>
                set ekahau-blink-mode {enable | disable}
                set ekahau-tag <mac-address>
                set erc-server-ip <ipv4-address-any>
                set erc-server-port <integer>
                set aeroscout {enable | disable}
                set aeroscout-server-ip <ipv4-address-any>
                set aeroscout-server-port <integer>
                set aeroscout-mu-factor <integer>
                set aeroscout-mu-timeout <integer>
                set fortipresence {enable | disable}
                set fortipresence-server <ipv4-address-any>
                set fortipresence-port <integer>
                set fortipresence-secret <password>
                set fortipresence-project <string>
                set fortipresence-frequency <integer>
                set fortipresence-rogue {enable | disable}
                set fortipresence-unassoc {enable | disable}
                set station-locate {enable | disable}
        end
end

Description

Configuration Description Default Value

name WTP profile name. (Empty)

comment Comment. (Empty)

platform WTP platform. Details below

Configuration Default Value
type 220B

wan-port-mode Enable/disable use of WAN port as LAN port. wan-only

lan WTP LAN port mapping. Details below

Configuration Default Value
port-mode offline
port-ssid (Empty)
port1-mode offline
port1-ssid (Empty)
port2-mode offline
port2-ssid (Empty)
port3-mode offline
port3-ssid (Empty)
port4-mode offline
port4-ssid (Empty)
port5-mode offline
port5-ssid (Empty)
port6-mode offline
port6-ssid (Empty)
port7-mode offline
port7-ssid (Empty)
port8-mode offline
port8-ssid (Empty)

led-state Enable/disable use of LEDs on WTP. enable

dtls-policy WTP data channel DTLS policy. clear-text

dtls-in-kernel Enable/disable data channel DTLS in kernel. disable

max-clients Maximum number of STAs supported by the WTP. 0

handoff-rssi Minimum RSSI value for handoff. 25

handoff-sta-thresh Threshold value for AP handoff. 30

handoff-roaming Enable/disable handoff when a client is roaming. enable

deny-mac-list Deny MAC filter list. (Empty)

ap-country AP country code. NA

ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunneled control and data packets. tcp-mss-adjust

tun-mtu-uplink Uplink tunnel MTU. 0

tun-mtu-downlink Downlink tunnel MTU. 0

split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet. disable

split-tunneling-acl Split tunneling ACL filter list. (Empty)

allowaccess Allow management access to managed AP. (Empty)

login-passwd-change Configuration options for login password of managed AP. no

login-passwd Login password of managed AP. (Empty)

lldp Enable/disable LLDP. disable

radio-1 Radio 1. Details below

Configuration Default Value
radio-id 0
mode ap
band (Empty)
protection-mode disable
powersave-optimize (Empty)
amsdu enable
coexistence enable
short-guard-interval disable
channel-bonding 20MHz
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
dtim 1
beacon-interval 100
rts-threshold 2346
frag-threshold 2346
ap-sniffer-bufsize 16
ap-sniffer-chan 36
ap-sniffer-addr 00:00:00:00:00:00
ap-sniffer-mgmt-beacon enable
ap-sniffer-mgmt-probe enable
ap-sniffer-mgmt-other enable
ap-sniffer-ctl enable
ap-sniffer-data enable
spectrum-analysis disable
wids-profile (Empty)
darrp disable
max-clients 0
max-distance 0
frequency-handoff disable
ap-handoff disable
vap-all enable
vaps (Empty)
channel (Empty)

radio-2 Radio 2. Details below

Configuration Default Value
radio-id 1
mode ap
band (Empty)
protection-mode disable
powersave-optimize (Empty)
amsdu enable
coexistence enable
short-guard-interval disable
channel-bonding 20MHz
auto-power-level disable
auto-power-high 17
auto-power-low 10
power-level 100
dtim 1
beacon-interval 100
rts-threshold 2346
frag-threshold 2346
ap-sniffer-bufsize 16
ap-sniffer-chan 6
ap-sniffer-addr 00:00:00:00:00:00
ap-sniffer-mgmt-beacon enable
ap-sniffer-mgmt-probe enable
ap-sniffer-mgmt-other enable
ap-sniffer-ctl enable
ap-sniffer-data enable
spectrum-analysis disable
wids-profile (Empty)
darrp disable
max-clients 0
max-distance 0
frequency-handoff disable
ap-handoff disable
vap-all enable
vaps (Empty)
channel (Empty)

lbs Location based service. Details below

Configuration Default Value
ekahau-blink-mode disable
ekahau-tag 01:18:8e:00:00:00
erc-server-ip 0.0.0.0
erc-server-port 8569
aeroscout disable
aeroscout-server-ip 0.0.0.0
aeroscout-server-port 0
aeroscout-mu-factor 20
aeroscout-mu-timeout 5
fortipresence disable
fortipresence-server 0.0.0.0
fortipresence-port 3000
fortipresence-secret fortinet
fortipresence-project fortipresence
fortipresence-frequency 30
fortipresence-rogue disable
fortipresence-unassoc disable
station-locate disable
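The wtp-profile defaults listed above leave several protections off: dtls-policy is clear-text, no wids-profile is assigned to a radio, and fortipresence-secret is fortinet. The following Python check is an added example, not part of the Fortinet reference; it reads text in the style of `show wireless-controller wtp-profile`, treats a missing setting as its default from these tables, and reports the weak ones. The sample configuration and profile names are constructed, and the reading of login-passwd-change (only yes sets a password on the AP) is an assumption.

```python
import shlex

# Constructed sample in the style of `show wireless-controller wtp-profile`
# output. Profile names and values are invented for this example.
SAMPLE = '''
config wireless-controller wtp-profile
    edit "lobby-220B"
        set allowaccess telnet http
        config radio-1
            set band 802.11n
        end
        config lbs
            set fortipresence enable
        end
    next
    edit "office-221C"
        set dtls-policy dtls-enabled
        set login-passwd-change yes
        config radio-1
            set band 802.11n
            set wids-profile "office-wids"
        end
        config radio-2
            set mode disabled
        end
    next
end
'''

# Defaults copied from the wtp-profile tables on this page. `show` leaves out
# settings still at their default, so a missing key means the default applies.
DEFAULTS = {
    "dtls-policy": ["clear-text"],
    "allowaccess": [],
    "login-passwd-change": ["no"],
    "mode": ["ap"],
    "wids-profile": [],
    "fortipresence": ["disable"],
}

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into a nested tree."""
    root = {"set": {}, "children": {}}
    stack = [("config", root)]
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            node = {"set": {}, "children": {}}
            stack[-1][1]["children"][" ".join(args)] = node
            stack.append((cmd, node))
        elif cmd == "set" and args:
            stack[-1][1]["set"][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            # Both close an open edit; `end` also closes its config block.
            if stack[-1][0] == "edit":
                stack.pop()
            if cmd == "end" and len(stack) > 1:
                stack.pop()
    return root

def value(node, key):
    """Effective value of a setting: explicit if present, else the default."""
    return node["set"].get(key, DEFAULTS[key])

def audit_wtp_profiles(text):
    """Return (profile, finding) pairs for weak wtp-profile settings."""
    tree = parse_fortios(text)
    table = tree["children"].get("wireless-controller wtp-profile")
    findings = []
    for name, prof in (table["children"] if table else {}).items():
        if "dtls-enabled" not in value(prof, "dtls-policy"):
            findings.append((name, "dtls-policy clear-text: CAPWAP data channel has no DTLS"))
        clear = sorted(set(value(prof, "allowaccess")) & {"telnet", "http"})
        if clear:
            findings.append((name, "allowaccess " + " ".join(clear) + ": unencrypted AP management"))
        # Assumption: only `yes` makes the profile set login-passwd on the AP.
        if value(prof, "login-passwd-change") != ["yes"]:
            findings.append((name, "login-passwd-change is not yes: profile sets no AP login password"))
        # Only radio blocks present in the text are checked, because a
        # single-radio platform has no radio-2 to report on.
        for radio in ("radio-1", "radio-2"):
            node = prof["children"].get(radio)
            if node and value(node, "mode") == ["ap"] and not value(node, "wids-profile"):
                findings.append((name, radio + ": ap mode with no wids-profile assigned"))
        lbs = prof["children"].get("lbs")
        # An absent fortipresence-secret means the default (fortinet) is used.
        if lbs and value(lbs, "fortipresence") == ["enable"] and "fortipresence-secret" not in lbs["set"]:
            findings.append((name, "fortipresence enabled with the default secret"))
    return findings

if __name__ == "__main__":
    for profile, finding in audit_wtp_profiles(SAMPLE):
        print(profile + ": " + finding)
```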

execute

The execute commands perform immediate operations on the FortiGate unit, including:

• Maintenance operations, such as back up and restore the system configuration, reset the configuration to factory settings, update antivirus and attack definitions, view and delete log messages, set the date and time.

• Network operations, such as view and clear DHCP leases, clear arp table entries, use ping or traceroute to diagnose network problems.

• Generate certificate requests and install certificates for VPN authentication.

backup

Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis and Management Service. For more information, see "fortiguard" or "central-management".

When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file depends on the administrator account that created it.

A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin can restore the configuration from this file.

When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.

Syntax

execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config-with-forticlient-info usb [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup full-config usb-mode <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp tftp <filename_str> <server_ipv4>
execute backup {disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute backup {disk | memory} alllogs tftp <server_ipv4>
execute backup {disk | memory} alllogs usb
execute backup {disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}
execute backup {disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}

Variable Description

config flash <comment> Back up the system configuration to the flash disk. Optionally, include a comment.

config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

Back up the system configuration to an FTP server.

Optionally, you can specify a password to protect the saved data.

config management-station <comment_str>

Back up the system configuration to a configured management station. If you are adding a comment, do not add spaces, underscore characters (_), or quotation marks (" ") or any other punctuation marks.

The comment you enter displays in both the portal website and FortiGate web-based manager (System > Maintenance > Revision).

config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

config usb <filename_str> [<backup_password_str>]

Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.

config usb-mode [<backup_password_str>]

Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

Back up the system configuration to a file on an FTP server. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]

Back up the system configuration to a file on a TFTP server. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info usb [<backup_password_str>]

Back up the system configuration to a file on a USB disk. Optionally, you can specify a password to protect the saved data.

config-with-forticlient-info usb-mode [<backup_password_str>]

Back up the system configuration to a USB disk (Global admin only). Optionally, you can specify a password to protect the saved data.

full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

Back up the full system configuration to a file on an FTP server. You can optionally specify a password to protect the saved data.

full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]

Back up the full system configuration to a file on a TFTP server. You can optionally specify a password to protect the saved data.

full-config usb <filename_str> [<backup_password_str>]

Back up the full system configuration to a file on a USB disk. You can optionally specify a password to protect the saved data.

full-config usb-mode <filename_str> [<backup_password_str>]

Back up the full system configuration to a file on a USB disk (Global admin only). You can optionally specify a password to protect the saved data.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]

Back up IPS user-defined signatures to a file on an FTP server.

ipsuserdefsig tftp tftp <filename_str> <server_ipv4>

Back up IPS user-defined signatures to a file on a TFTP server.

{disk | memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Back up either all memory or all hard disk log files for this VDOM to an FTP server. The disk option is available on FortiGate models that log to a hard disk.

The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk | memory} alllogs tftp <server_ipv4>

Back up either all memory or all hard disk log files for this VDOM to a TFTP server. The disk option is available on FortiGate models that log to a hard disk.

The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk | memory} alllogs usb

Back up either all memory or all hard disk log files for this VDOM to a USB disk. The disk option is available on FortiGate models that log to a hard disk.

The file name has the form: <log_file_name>_<VDOM>_<date>_<time>

{disk | memory} log ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> <username_str> <password_str> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}

Back up the specified type of log file from either hard disk or memory to an FTP server.

The disk option is available on FortiGate models that log to a hard disk.

{disk | memory} log tftp <server_ipv4> {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}

Back up the specified type of log file from either hard disk or memory to a TFTP server.

The disk option is available on FortiGate models that log to a hard disk.

{disk | memory} log usb {traffic | event | ids | virus | webfilter | spam | dlp | voip | app-ctrl | netscan}

Back up the specified type of log file from either hard disk or memory to a USB disk.

The disk option is available on FortiGate models that log to a hard disk.

Example

This example shows how to back up the FortiGate unit system configuration to a file named fgt.cfg on a TFTP server at IP address 192.168.1.23.

execute backup config tftp fgt.cfg 192.168.1.23

batch

Execute a series of CLI commands. execute batch commands are controlled by the Maintenance (mntgrp) access control group.

Syntax

execute batch [<cmd_cue>]

where <cmd_cue> is one of:

end - exit session and run the batch commands

lastlog - read the result of the last batch commands

start - start batch mode

status - batch mode status reporting if batch mode is running or stopped

Example

To start batch mode:

execute batch start
Enter batch mode...

To enter commands to run in batch mode:

config system global
set refresh 5
end

To execute the batch commands:

execute batch end
Exit and run batch commands...

bypass-mode

Use this command to manually switch a FortiGate-600C or FortiGate-1000C into bypass mode. This is available in transparent mode only. If manually switched to bypass mode, the unit remains in bypass-mode until bypass mode is disabled.

Syntax

execute bypass-mode {enable | disable}

carrier-license

Use this command to enter a FortiOS Carrier license key if you have installed a FortiOS Carrier build on a FortiGate unit and need to enter a license key to enable FortiOS Carrier functionality.

Contact Fortinet Support for more information about this command.

Syntax

execute carrier-license <license_key>

Variable Description

<license_key> Enter the FortiOS Carrier license key supplied by Fortinet.

central-mgmt

Update Central Management Service account information. Also used to receive configuration file updates from an attached FortiManager unit.

Syntax

execute central-mgmt set-mgmt-id <management_id>
execute central-mgmt register-device <fmg-serial-number> <fmg-register-password> <fgt-user-name> <fgt-password>
execute central-mgmt unregister-device <fmg-serial-number>

set-mgmt-id is used to change or initially set the management ID, or your account number for Central Management Services. This account ID must be set for the service to be enabled.

register-device registers the FortiGate unit with a specific FortiManager unit specified by serial number. You must also specify the administrator name and password that the FortiManager unit uses to log on to the FortiGate unit.

unregister-device removes the FortiGate unit from the specified FortiManager unit’s device list.

update is used to update your Central Management Service contract with your new management account ID. This command is to be used if there are any changes to your management service account.

Example

If you are registering with the Central Management Service for the first time, and your account number is 123456, you would enter the following:

execute central-mgmt set-mgmt-id 123456

cfg reload

Use this command to restore the saved configuration when the configuration change mode is manual or revert. This command has no effect if the mode is automatic, the default. The set cfg-save command in system global sets the configuration change mode.

When you reload the saved system configuration, your session ends and the FortiGate unit restarts.

In the default configuration change mode, automatic, CLI commands become part of the saved unit configuration when you execute them by entering either next or end.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are saved automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. You set the timeout in system global using the set cfg-revert-timeout command.

Syntax

execute cfg reload

Example

This is sample output from the command when successful:

# execute cfg reload
configs reloaded. system will reboot.

This is sample output from the command when not in runtime-only configuration mode:

# execute cfg reload
no config to be reloaded.

cfg save

Use this command to save configuration changes when the configuration change mode is manual or revert. If the mode is automatic, the default, all changes are added to the saved configuration as you make them and this command has no effect. The set cfg-save command in system global sets the configuration change mode.

In manual mode, commands take effect but do not become part of the saved configuration unless you execute the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded. Configuration changes that were not saved are lost.

The revert mode is similar to manual mode, except that configuration changes are reverted automatically if the administrative session is idle for more than a specified timeout period. This provides a way to recover from an erroneous configuration change, such as changing the IP address of the interface you are using for administration. To change the timeout from the default of 600 seconds, go to system global and use the set cfg-revert-timeout command.

Syntax

execute cfg save

Example

This is sample output from the command:

# execute cfg save
config saved.

This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only configuration mode and no changes have been made:

# execute cfg save
no config to be saved.

clear system arp table

Clear all the entries in the arp table.

Syntax

execute clear system arp table

cli check-template-status

Reports the status of the secure copy protocol (SCP) script template.

Syntax

execute cli check-template-status

cli status-msg-only

Enable or disable displaying standardized CLI error output messages. If executed, this command stops other debug messages from displaying in the current CLI session. This command is used for compatibility with FortiManager.

Syntax

execute cli status-msg-only [enable | disable]

Variable Description Default

status-msg-only [enable | disable]

Enable or disable standardized CLI error output messages. Entering the command without enable or disable disables displaying standardized output.

Default: enable

client-reputation

Use these commands to retrieve or remove client reputation information.

Syntax

To erase all client reputation data

execute client-reputation erase

To retrieve client reputation host count

execute client-reputation host-count <rows>

To retrieve client reputation host details

execute client-reputation host detail <host>

To retrieve client reputation host summary

execute client-reputation host summary <host>

To purge old data

execute client-reputation purge

To view the top n records

execute client-reputation <n | all>

date

Get or set the system date.

Syntax

execute date [<date_str>]

date_str has the form yyyy-mm-dd, where

yyyy is the year and can be 2001 to 2037

mm is the month and can be 01 to 12

dd is the day of the month and can be 01 to 31

If you do not specify a date, the command returns the current system date. Shortened values, such as ‘06’ instead of ‘2006’ for the year or ‘1’ instead of ‘01’ for month or day, are not valid.

Example

This example sets the date to 17 September 2004:

execute date 2004-09-17

disk

Use this command to list and format hard disks installed in FortiGate units or individual partitions on these hard disks.

Syntax

execute disk format <partition1_ref_int> [...<partitionn_ref_int>]
execute disk list
execute disk scan <ref_int>

Variable Description

format

Format the referenced disk partitions or disks. Separate reference numbers with spaces.

If you enter a partition reference number the disk partition is formatted. If you enter a disk reference number the entire disk and all of its partitions are formatted.

list List the disks and partitions and the reference number for each one.

scan Scan a disk or partition and repair errors.

<ref_int> Disk (device) or partition reference number.

The execute disk format command formats the specified partitions or disks and then reboots the system if a reboot is required.

In most cases you need to format the entire disk only if there is a problem with the partition. Formatting the partition removes all data from the partition. Formatting the disk removes all data from the entire disk and creates a single partition on the disk.

Examples

Use the following command to list the disks and partitions.

execute disk list

Disk Internal(boot) ref: 14.9GB type: SSD [ATA SanDisk SSD U100] dev: /dev/sda
partition ref: 3 14.4GB, 14.4GB free mounted: Y label: 7464A257123E07BB dev: /dev/sda3

In this example, there is only one partition and its reference number is 3.

Enter the following command to format the partition.

execute disk format 3

After a confirmation message the FortiGate unit formats the partition and restarts. This can take a few minutes.

disk raid

Use this command to view information about and change the RAID settings on FortiGate units that support RAID.

Syntax

execute disk raid disable
execute disk raid enable {Raid-0 | Raid-1 | Raid-5}
execute disk raid rebuild
execute disk raid status

Variable Description

disable Disable RAID for the FortiGate unit.

enable {Raid-0 | Raid-1 | Raid-5} Change the RAID level on the FortiGate unit.

rebuild Rebuild RAID on the FortiGate unit at the same RAID level. You can only execute this command if a RAID error has been detected. Changing the RAID level takes a while and deletes all data on the disk array.

status Display information about the RAID disk array in the FortiGate unit.

Examples

Use the following command to display information about the RAID disk array in a FortiGate-82C.

execute disk raid status
RAID Level: Raid-1
RAID Status: OK
RAID Size: 1000GB

Disk 1: OK Used 1000GB
Disk 2: OK Used 1000GB
Disk 3: OK Used 1000GB
Disk 4: Unavailable Not-Used 0GB

disk scan

Use this command to run a disk check operation.

Syntax

execute disk scan <ref_int>

where <ref_int> is the partition "ref:" number for the disk, shown by execute disk list.

The operation requires the FortiGate unit to reboot. The command responds:

Example

# execute disk scan 3
scan requested for: 3/Internal (device=/dev/sda3)
This action requires the unit to reboot.
Do you want to continue? (y/n)

dhcp lease-clear

Clear all DHCP address leases.

Syntax

For IPv4:

execute dhcp lease-clear

For IPv6:

execute dhcp6 lease-clear

dhcp lease-list

Display DHCP leases on a given interface.

Syntax

For IPv4:

execute dhcp lease-list [interface_name]

For IPv6:

execute dhcp6 lease-list [interface_name]

If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list includes all leases issued by DHCP servers on the FortiGate unit.

If there are no DHCP leases in use on the FortiGate unit, an error will be returned.

disconnect-admin-session

Disconnect an administrator who is logged in.

Syntax

execute disconnect-admin-session <index_number>

To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators by using the following command:

execute disconnect-admin-session ?

The list of logged-in administrators looks like this:

Connected:
INDEX   USERNAME     TYPE      FROM               TIME
0       admin        WEB       172.20.120.51      Mon Aug 14 12:57:23 2006
1       admin2       CLI       ssh(172.20.120.54) Mon Aug 14 12:57:23 2006

Example

This example shows how to disconnect the logged-in administrator admin2 from the above list.

execute disconnect-admin-session 1
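
The session listing above can also be reviewed programmatically before deciding which index to disconnect. The following is an added example, not part of the FortiOS documentation: it parses a listing in the layout shown above and reports sessions whose source address falls outside an allowlist of management networks. The function names, the allowlist values and the handling of a FROM value without an IP address are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample, laid out like the listing shown in this section.
SAMPLE = """\
Connected:
INDEX   USERNAME     TYPE      FROM               TIME
0       admin        WEB       172.20.120.51      Mon Aug 14 12:57:23 2006
1       admin2       CLI       ssh(172.20.120.54) Mon Aug 14 12:57:23 2006
"""

# index, username, type, from, then the rest of the line as the timestamp
_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# FROM is either a bare address or protocol(address), e.g. ssh(172.20.120.54)
_FROM = re.compile(r"^(?:(?P<proto>[A-Za-z0-9]+)\()?(?P<addr>[0-9A-Fa-f:.]+)\)?$")


@dataclass
class AdminSession:
    index: int
    username: str
    kind: str                   # TYPE column, e.g. WEB or CLI
    protocol: Optional[str]     # e.g. "ssh" when FROM is ssh(...)
    source: Optional[IPAddress]
    since: datetime


def parse_admin_sessions(text: str) -> List[AdminSession]:
    """Parse the rows of the listing; banner and header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        row = _ROW.match(line.strip())
        if not row:
            continue
        index, user, kind, origin, when = row.groups()
        protocol, source = None, None
        origin_match = _FROM.match(origin)
        if origin_match:
            try:
                source = ipaddress.ip_address(origin_match.group("addr"))
                protocol = origin_match.group("proto")
            except ValueError:
                pass  # assumption: a non-address FROM value is a local session
        since = datetime.strptime(when, "%a %b %d %H:%M:%S %Y")
        sessions.append(AdminSession(int(index), user, kind, protocol, source, since))
    return sessions


def unexpected_sessions(sessions: List[AdminSession],
                        allowed_networks: List[str]) -> List[AdminSession]:
    """Return sessions whose source is outside every allowed network.

    Sessions with no parseable source address are returned too, so that a
    person reviews them rather than the script silently trusting them.
    """
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for session in sessions:
        if session.source is None or not any(session.source in n for n in networks):
            flagged.append(session)
    return flagged


if __name__ == "__main__":
    # Hypothetical allowlist: only one management workstation is expected.
    for s in unexpected_sessions(parse_admin_sessions(SAMPLE), ["172.20.120.51/32"]):
        print(f"review index {s.index}: {s.username} from {s.source} since {s.since}")
```

The index of each reported row is the value that execute disconnect-admin-session takes.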

enter

Use this command to go from global commands to a specific virtual domain (VDOM).

Only available when virtual domains are enabled and you are in config global.

After you enter the VDOM, the prompt will not change from “(global)”. However, you will be in the VDOM with all the commands that are normally available in VDOMs.

Syntax

execute enter <vdom>

Use “?” to see a list of available VDOMs.

erase-disk

Use this command to reformat the boot device or an attached hard disk. Optionally, this command can restore the image from a TFTP server after erasing.

Syntax

execute erase-disk <disk_name>

The <disk_name> for the boot device is boot.

factoryreset

Reset the FortiGate configuration to factory default settings.

Syntax

execute factoryreset [keepvmlicense]

If keepvmlicense is specified (VM models only), the VM license is retained after reset.

Apart from the keepvmlicense option, this procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.

factoryreset2

Reset the FortiGate configuration to factory default settings except VDOM and interface settings.

Syntax

execute factoryreset2 [keepvmlicense]

If keepvmlicense is specified (VM models only), the VM license is retained after reset.

formatlogdisk

Format the FortiGate hard disk to enhance performance for logging.

Syntax

execute formatlogdisk

In addition to deleting logs, this operation will erase all other data on the disk, including system configuration, quarantine files, and databases for antivirus and IPS.

forticarrier-license

Use this command to perform a FortiCarrier license upgrade.

Syntax

execute forticarrier-license <activation-code>

forticlient

Use these commands to manage FortiClient licensing.

Syntax

To view FortiClient license information

execute forticlient info

To show current FortiClient count

execute forticlient list <connection_type>

where <connection_type> is one of:

0 - IPsec

1 - SSLVPN

2 - NAC (Endpoint Security)

3 - WAN optimization

4 - Test

To upgrade FortiClient licenses

execute forticlient upgrade <license_key_str>

FortiClient-NAC

Use the following command to load a FortiClient license onto a FortiGate unit.

Syntax

execute FortiClient-NAC update-registration-license <code>

where <code> is the FortiClient registration license key/activation code.

fortiguard-log

Use this to manage FortiGuard Analysis and Management Service (FortiCloud) operation.

Syntax

To create a FortiCloud account

execute fortiguard-log create-account

To perform FortiCloud certification

execute fortiguard-log certification

To retrieve the FortiCloud agreement

execute fortiguard-log agreement

To test connection to a FortiCloud account

execute fortiguard-log try <account-id> <password>

To join FortiCloud

execute fortiguard-log join

To log in to a FortiCloud account

execute fortiguard-log login <account-id> <password>

To update the FortiGuard Analysis and Management Service contract

execute fortiguard-log update

fortitoken

Use these commands to activate and synchronize a FortiToken device. FortiToken devices are used in two-factor authentication of administrator and user account logons. The device generates a random six-digit code that you enter during the logon process along with user name and password.

Before they can be used to authenticate account logins, FortiToken devices must be activated with the FortiGuard service. When successfully activated, the status of the FortiToken device will change from New to Active.

Synchronization is sometimes needed due to the internal clock drift of the FortiToken device. It is not unusual for new FortiToken units to require synchronization before being put into service. Synchronization is accomplished by entering two sequential codes provided by the FortiToken.

Syntax

To activate one or more FortiToken devices

execute fortitoken activate <serial_number> [serial_number2 ... serial_numbern]

To import FortiToken OTP seeds

execute fortitoken import <seeds_file> <seeds_file_preshared_key>

To synchronize a FortiToken device

execute fortitoken sync <serial_number> <code> <next code>

To import a set of FortiToken serial numbers

execute fortitoken import-sn-file <ftk-sn>

FortiCare returns a set of 200 serial numbers that are in the same serial number range as the specified FortiToken device.
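
The two-code synchronization described for execute fortitoken sync can be illustrated with standard time-based one-time passwords (RFC 6238). This is an added sketch, not Fortinet's implementation: it assumes HMAC-SHA1 codes, a 60-second time step, a search window of 10 steps and a constructed seed, none of which are stated on this page.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumed time step; the page does not state one
DIGITS = 6         # the page describes a six-digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def resync(secret: bytes, code: str, next_code: str, server_time: int,
           step: int = STEP_SECONDS, window: int = 10):
    """Return the token's clock offset in time steps, or None if not found.

    The server looks for a step c inside +/- window of its own clock where
    `code` is the value for c and `next_code` is the value for c + 1.
    Demanding two sequential codes keeps a chance match negligible even
    though the search window is much wider than at a normal logon.
    """
    base = server_time // step
    # Try the smallest drift first: 0, -1, +1, -2, +2, ...
    for offset in sorted(range(-window, window + 1), key=abs):
        counter = base + offset
        if counter < 0:
            continue
        first_ok = hmac.compare_digest(hotp(secret, counter), code)
        second_ok = hmac.compare_digest(hotp(secret, counter + 1), next_code)
        if first_ok and second_ok:
            return offset
    return None


def verify(secret: bytes, code: str, server_time: int, stored_offset: int,
           step: int = STEP_SECONDS, tolerance: int = 1) -> bool:
    """Logon-time check: accept a code only close to the stored drift offset."""
    base = server_time // step + stored_offset
    return any(hmac.compare_digest(hotp(secret, base + d), code)
               for d in range(-tolerance, tolerance + 1))


def demo():
    """Token clock runs 150 s fast; sync recovers the drift, then logon works."""
    secret = b"constructed-seed-for-demo"  # constructed sample seed
    server_now = 1_000_000
    token_now = server_now + 150
    code = totp(secret, token_now)
    next_code = totp(secret, token_now + STEP_SECONDS)
    offset = resync(secret, code, next_code, server_now)
    return offset, verify(secret, code, server_now, offset)


if __name__ == "__main__":
    print(demo())
```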

fortitoken-mobile

Use these commands to activate and synchronize a FortiToken Mobile card. FortiToken Mobile cards are used in two-factor authentication of administrator and user account logons. The FortiGate unit sends a random six-digit code to the mobile device by email or SMS that the user enters during the logon process along with user name and password.

Syntax

To import the FortiToken Mobile card serial number

execute fortitoken-mobile import <activation_code>

To poll a FortiToken Mobile token state

execute fortitoken-mobile poll

To provision a FortiToken Mobile token

execute fortitoken-mobile provision <token_serial_number>

fsso refresh

Use this command to manually refresh user group information from Directory Service servers connected to the FortiGate unit using the Fortinet Single Sign On (FSSO) agent.

Syntax

execute fsso refresh

ha disconnect

Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial number of the unit to be disconnected. You must also specify an interface name and assign an IP address and netmask to this interface of the disconnected unit. You can disconnect any unit from the cluster, even the primary unit. After the unit is disconnected the cluster responds as if the disconnected unit has failed. The cluster may renegotiate and may select a new primary unit.

To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to 0.0.0.0. The interface specified in the command is set to the IP address and netmask that you specify in the command. In addition all management access to this interface is enabled. Once the FortiGate unit is disconnected you can use SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.

Syntax

execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4> <address_ipv4mask>

Variable Description

cluster-member-serial_str The serial number of the cluster unit to be disconnected.

interface_str The name of the interface to configure. The command configures the IP address and netmask for this interface and also enables all management access for this interface.

Example

This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.

execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0

ha ignore-hardware-revision

Use this command to set ignore-hardware-revision status.

Syntax

To view ignore-hardware-revision status

execute ha ignore-hardware-revision status

To set ignore-hardware-revision status

execute ha ignore-hardware-revision {enable | disable}

ha manage

Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a subordinate unit. However, if you have logged into a subordinate unit CLI, you can use this command to log into the primary unit CLI, or the CLI of another subordinate unit.

You can use CLI commands to manage the cluster unit that you have logged into. If you make changes to the configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to all cluster units.

Syntax

execute ha manage <cluster-index>


Variable    Description

cluster-index    The cluster index is assigned by the FortiGate Clustering Protocol according to cluster unit serial number. The cluster unit with the highest serial number has a cluster index of 0. The cluster unit with the second highest serial number has a cluster index of 1 and so on. Enter ? to list the cluster indexes of the cluster units that you can log into. The list does not show the unit that you are already logged into.

Example

This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example you have already logged into the primary unit. The primary unit has serial number FGT3082103000056. The subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.

execute ha manage ?
<id>    please input slave cluster index.
<0>     Subsidary unit FGT3012803021709
<1>     Subsidary unit FGT3082103021989

Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The CLI prompt changes to the host name of this unit. To return to the primary unit, type exit.

From the subordinate unit you can also use the execute ha manage command to log into the primary unit or into another subordinate unit. Enter the following command:

execute ha manage ?
<id>    please input slave cluster index.
<1>     Subsidary unit FGT3082103021989
<2>     Subsidary unit FGT3082103000056

Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other subordinate unit. The CLI prompt changes to the host name of this unit.

ha synchronize

Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the primary unit or to stop a synchronization process that is in progress.

Syntax

execute ha synchronize {start | stop}

Variable Description

start Start synchronizing the cluster configuration.

stop Stop the cluster from completing synchronizing its configuration.


interface dhcpclient-renew

Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP connection on the specified port, there is no output.

Syntax

execute interface dhcpclient-renew <port>

Example

This is the output for renewing the DHCP client on port1 before the session closes:

# execute interface dhcpclient-renew port1
renewing dhcp lease on port1

interface pppoe-reconnect

Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE connection on the specified port, there is no output.

Syntax

execute interface pppoe-reconnect <port>

log backup

Use this command to back up all logs, index files, and report databases. The files are compressed and combined into a TAR archive.

Syntax

execute log backup <file name>

where <file name> is the name of the backup file to create.

log client-reputation-report

Use these commands to control client-reputation log actions.

Syntax

To accept a host so that it has its own baselines

execute log client-reputation-report accept <policy-id> <host>


To clear all auto-profile data

execute log client-reputation-report clear

To ignore a host, removing it from the abnormal list

execute log client-reputation-report ignore <policy-id> <host>

To refresh the data of one option result

execute log client-reputation-report refresh <policy-id> <option> <action>

<option> is one of bandwidth, session, failconn, geo, or app

<action> is one of data, baseline, or data_baseline (both data and baseline)

To get baseline/average information of one option

execute log client-reputation-report result baseline <policy-id> <option>

<option> is one of bandwidth, session, or failconn

To get hourly data of a host visiting a country or using an application

execute log client-reputation-report result details {hourly | total} <policy-id> <option> <name> <host>

<option> is geo or app

<name> is the name of the country or application

To list abnormal hosts of one or all options

execute log client-reputation-report result list <policy-id> <option>

<option> is geo, app, or all

To list periodical data of one host of one option

execute log client-reputation-report result period <policy-id> <option> <host> <periods>

<option> is one of bandwidth, session, failconn, geo, or app

<periods> is number of periods to list

To list the top 10 abnormal hosts of one option

execute log client-reputation-report result top10 <policy-id> <option>

<option> is one of bandwidth, session, failconn, geo, or app

To run reports immediately

execute log client-reputation-report run <policy-id>


log convert-oldlogs

Use this command to convert old compact logs to the new format. This command is available only if you have upgraded from an earlier version of FortiOS and have old compact logs on your system.

Syntax

execute log convert-oldlogs

log delete-all

Use this command to clear all log entries for this VDOM in memory and current log files on hard disk. If your FortiGate unit has no hard disk, only log entries in system memory will be cleared. You will be prompted to confirm the command.

Syntax

execute log delete-all

log delete-oldlogs

Use this command to delete old compact logs. This command is available only if you have upgraded from an earlier version of FortiOS and have old compact logs on your system.

Syntax

execute log delete-oldlogs

log detail

Display UTM-related log entries for traffic log entries in this VDOM.

Syntax

execute log detail <category> <utm-ref>

where <category> is one of:

2: utm-virus

3: utm-webfilter

4: utm-ips

5: utm-spam

9: utm-dlp

10: utm-app-ctrl


You can obtain <utm-ref> from the execute log display output.

log display

Use this command to display log messages for this VDOM that you have selected with the execute log filter command.

Syntax

execute log display

The console displays the first 10 log messages. To view more messages, run the command again. You can do this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the commands

execute log filter start-line 1
execute log display

You can restore the log filters to their default values using the command

execute log filter reset

log downgrade-log

Use this command to downgrade existing logs to v5.0 format prior to a firmware downgrade to FortiOS v5.0.

Syntax

execute log downgrade-log

log filter

Use this command to select log messages in this VDOM for viewing or deletion. You can view one log category on one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of log messages. For traffic logs, you can filter log messages by source or destination IP address.

Commands are cumulative. If you omit a required variable, the command displays the current setting.

Use as many execute log filter commands as you need to define the log messages that you want to view.

Syntax

execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter dump
execute log filter field <name> <value> [<value2>,...<valuen>] [not]
execute log filter ha-member <unitsn_str>
execute log filter reset [all | field]
execute log filter rolled_number <number>
execute log filter sortby <field> [max-sort-lines]
execute log filter start-line <line_number>


execute log filter view-lines <count>

Variable    Description    Default

category <category_name>    Enter the type of log you want to select. To see a list of available categories, enter execute log filter category    event

device {disk | memory}    Device where the logs are stored.    disk

dump    Display current filter settings.    No default.

field <name> <value> [<value2>,...<valuen>] [not]    Enter execute log filter field to view the list of field names. Press Enter after <name> to view information about value parameters for that field. not inverts the field value condition.    No default.

ha-member <unitsn_str>    Select logs from the specified HA cluster member. Enter the serial number of the unit.

reset [all | field]    Execute this command to reset all filter settings. You can use field option to reset only filter field settings.    No default.

rolled_number <number>    Select logs from rolled log file. 0 selects current log file.    0

sortby <field> [max-sort-lines]    Sort logs by specified field.    No default.

start-line <line_number>    Select logs starting at specified line number.    1

view-lines <count>    Set lines per view. Range: 5 to 1000    10

log fortianalyzer test-connectivity

Use this command to test the connection to the FortiAnalyzer unit. This command is available only when FortiAnalyzer is configured.

Syntax

execute log fortianalyzer test-connectivity

Example

When FortiAnalyzer is connected, the output looks like this:

FortiAnalyzer Host Name: FortiAnalyzer-800B


FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx

When FortiAnalyzer is not connected, the output is: Connect Error
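A monitoring check built on the two outputs shown above, added here as an example and not part of the Fortinet reference: it parses captured execute log fortianalyzer test-connectivity output and reports every field that differs from the healthy sample. The function names, the 80% quota threshold and the DEGRADED sample are assumptions made for the illustration.

```python
import re

# Connected-case output as shown in this reference, one field per line.
CONNECTED = """\
FortiAnalyzer Host Name: FortiAnalyzer-800B
FortiGate Device ID: FG50B3G06500085
Registration: registered
Connection: allow
Disk Space (Used/Allocated): 468/1003 MB
Total Free Space: 467088 MB
Log: Tx & Rx
Report: Tx & Rx
Content Archive: Tx & Rx
Quarantine: Tx & Rx
"""

# Constructed sample: the healthy output edited by hand to exercise the checks.
DEGRADED = CONNECTED.replace("468/1003", "950/1003").replace("Log: Tx & Rx", "Log: Rx")

# Data channels listed in the healthy output; each reads "Tx & Rx" there.
CHANNELS = ("Log", "Report", "Content Archive", "Quarantine")


def parse_connectivity(output):
    """Return (connected, fields) for captured command output.

    Empty output or the documented "Connect Error" message means not connected.
    """
    text = output.strip()
    if not text or "connect error" in text.lower():
        return False, {}
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so values keep any later colons.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return True, fields


def disk_used_percent(fields):
    """Percentage of the allocated FortiAnalyzer quota in use, or None."""
    raw = fields.get("Disk Space (Used/Allocated)", "")
    match = re.fullmatch(r"(\d+)\s*/\s*(\d+)\s*MB", raw)
    if not match or int(match.group(2)) == 0:
        return None
    return 100.0 * int(match.group(1)) / int(match.group(2))


def assess(output, max_disk_pct=80.0):
    """List deviations from the healthy sample; an empty list means no findings.

    max_disk_pct is an assumed alerting threshold, not a FortiOS setting.
    """
    connected, fields = parse_connectivity(output)
    if not connected:
        return ["no connection to FortiAnalyzer: remote logging is not working"]
    findings = []
    if fields.get("Registration") != "registered":
        findings.append(f"Registration is {fields.get('Registration')!r}")
    if fields.get("Connection") != "allow":
        findings.append(f"Connection is {fields.get('Connection')!r}")
    pct = disk_used_percent(fields)
    if pct is None:
        findings.append("disk quota line missing or unparsable")
    elif pct > max_disk_pct:
        findings.append(f"log quota {pct:.0f}% used (limit {max_disk_pct:.0f}%)")
    for channel in CHANNELS:
        if fields.get(channel) != "Tx & Rx":
            findings.append(f"{channel}: expected 'Tx & Rx', got {fields.get(channel)!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("connected", CONNECTED),
                         ("degraded", DEGRADED),
                         ("error", "Connect Error")):
        print(name, assess(sample))
```

Feed the function the text captured from a scheduled CLI session; any non-empty result means the device's log forwarding deserves a look before evidence is lost.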

log list

You can view the list of current and rolled log files for this VDOM on the console. The list shows the file name, size and timestamp.

Syntax

execute log list <category>

To see a list of available categories, enter

execute log list

Example

The output looks like this:

elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009

At the end of the list, the total number of files in the category is displayed. For example:

501 event log file(s) found.

log rebuild-sqldb

Use this command to rebuild the SQL database from log files.

If run in the VDOM context, only this VDOM’s SQL database is rebuilt. If run in the global context, the SQL database is rebuilt for all VDOMs.

If SQL logging is disabled, this command is unavailable.

Syntax

execute log rebuild-sqldb

log recreate-sqldb

Use this command to recreate the SQL log database.


If SQL logging is disabled, this command is unavailable.

Syntax

execute log recreate-sqldb

log-report reset

Use this command to delete all logs, archives and user configured report templates.

Syntax

execute log-report reset

log restore

Use this command to restore all logs, index files, and report databases from a backup file created with the "log backup" command.

This command will wipe out all existing logs and the report database for the VDOM. It is only available for debug firmware builds.

It is recommended to kill reportd and miglogd prior to running this command.

kill -3 1
killall miglogd
killall reportd

Syntax

execute log restore <file name>

where <file name> is the name of the backup file to use.

log roll

Use this command to roll all log files.

Syntax

execute log roll

log shift-time

Use this command in conjunction with the "log backup" and "log restore" commands. You can load a log set generated previously to do demos or testing without needing to regenerate data.


Syntax

execute log shift-time <number of hours>

log upload-progress

Use this command to display the progress of the latest log upload.

Syntax

execute log upload-progress

modem dial

Dial the modem.

The dial command dials the accounts configured in config system modem until it makes a connection or it has made the maximum configured number of redial attempts.

This command can be used if the modem is in Standalone mode.

Syntax

execute modem dial

modem hangup

Hang up the modem.

This command can be used if the modem is in Standalone mode.

Syntax

execute modem hangup

modem trigger

This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its current state. If for some reason the modem should be connected but isn't, then it will trigger a redial. If the modem should not be connected but is, this command will cause the modem to disconnect.

Syntax

execute modem trigger


mrouter clear

Clear multicast routes, RP-sets, IGMP membership records or routing statistics.

Syntax

Clear IGMP memberships:

execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>

Clear multicast routes:

execute mrouter clear <route-type> {<group-address> {<source-address>}}

Clear PIM-SM RP-sets learned from the bootstrap router (BSR):

execute mrouter clear sparse-mode-bsr

Clear statistics:

execute mrouter clear statistics {<group-address> {<source-address>}}

Variable    Description

<interface-name>    Enter the name of the interface on which you want to clear IGMP memberships.

<group-address>    Optionally enter a group address to limit the command to a particular group.

<route-type>    Enter one of: dense-routes - clear only PIM dense routes; multicast-routes - clear all types of multicast routes; sparse-routes - clear only sparse routes

<source-address>    Optionally, enter a source address to limit the command to a particular source address. You must also specify group-address.

netscan

Use this command to start and stop the network vulnerability scanner and perform related functions.

Syntax

execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop


Variable Description

import Import hosts discovered on the last asset discovery scan.

list List the hosts discovered on the last asset discovery scan.

start scan Start configured vulnerability scan.

status Display the status of the current network vulnerability scan.

stop Stop the current network vulnerability scan.

pbx

Use this command to view active channels and to delete, list or upload music files for when music is playing while a caller is on hold.

Syntax

execute pbx active-call <list>
execute pbx extension <list>
execute pbx ftgd-voice-pkg {sip-trunk}
execute pbx music-on-hold {delete | list | upload}
execute pbx prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload tftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload usb <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx restore-default-prompts
execute pbx sip-trunk list

Variables    Description

active-call <list>    Enter to display a list of the active calls being processed by the FortiGate Voice unit.

extension <list>    Enter to display the status of all extensions with SIP phones that have connected to the FortiGate Voice unit.

ftgd-voice-pkg {sip-trunk}    Enter to retrieve FortiGuard voice package sip trunk information.

music-on-hold {delete | list | upload}    Enter to either delete, list or upload music on hold files. You can upload music on hold files using FTP, TFTP, or from a USB drive plugged into the FortiGate Voice unit.


prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]    Upload new pbx voice prompt files using FTP. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename, FTP server address (domain name or IPv4 address) and if required the username and password for the server.

prompt upload tftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]    Upload new pbx voice prompt files using TFTP. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename and TFTP server IP address.

prompt upload usb <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]    Upload new pbx voice prompt files from a USB drive plugged into the FortiGate Voice unit. The voice prompt files should be added to a tar file and zipped. This file would usually have the extension tgz. You must include the filename.

restore-default-prompts    Restore default English voicemail and other PBX system prompts. Use this command if you have changed the default prompts and want to restore the default settings.

sip-trunk list    Enter to display the status of all SIP trunks that have been added to the FortiGate Voice configuration.

Example command output

Enter the following command to view active calls:

execute pbx active-call

Call-From    Call-To    Durationed
6016         6006       00:00:46

Enter the following command to display the status of all extensions:

execute pbx extension list
Extension Host Dialplan
6052 Unregister company-default
6051 Unregister company-default
6050 Unregister company-default
6022 Unregister company-default
6021/6021 172.30.63.34 company-default
6020 Unregister company-default

Enter the following command to display the status of all SIP trunks:

execute pbx sip-trunk list
Name Host Username Account-Type State
Provider_1 192.169.20.1  +5555555 Static           N/A


ping

Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another network device.

Syntax

execute ping {<address_ipv4> | <host-name_str>}

<host-name_str> should be an IP address, or a fully qualified domain name.

Example

This example shows how to ping a host with the IP address 172.20.120.16.

# execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms

--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms

ping-options, ping6-options

Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate unit and another network device.

Syntax

execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings

Variable    Description    Default

data-size <bytes>    Specify the datagram size in bytes.    56


df-bit {yes | no}    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.    no

pattern <2-byte_hex>    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size parameter. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.    No default.

repeat-count <repeats>    Specify how many times to repeat ping.    5

source {auto | <source-intf_ip>}    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface.    auto

timeout <seconds>    Specify, in seconds, how long to wait until ping times out.    2

tos <service_type>    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted. lowdelay = minimize delay; throughput = maximize throughput; reliability = maximize reliability; lowcost = minimize cost    0

ttl <hops>    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.    64

validate-reply {yes | no}    Select yes to validate reply data.    no

view-settings    Display the current ping-option settings.    No default.

Example

Use the following command to increase the number of pings sent.

execute ping-options repeat-count 10

Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.


execute ping-options source 192.168.10.23

ping6

Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6 capable network device.

Syntax

execute ping6 {<address_ipv6> | <host-name_str>}

Example

This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.

execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

policy-packet-capture delete-all

Use this command to delete captured packets.

Syntax

execute policy-packet-capture delete-all

You will be asked to confirm that you want to delete the packets.

reboot

Restart the FortiGate unit.

Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the web-based manager ensures proper shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute reboot <comment "comment_string">

<comment "comment_string"> allows you to optionally add a message that will appear in the hard disk log indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotes.

Example

This example shows the reboot command with a message included.

execute reboot comment "December monthly maintenance"


report

Use these commands to manage reports.

Syntax

To flash report caches:

execute report flash-cache

To recreate the report database:

execute report recreate-db

To generate a report:

execute report run [<layout_name>["start-time" "end-time"]]

The start and end times have the format yyyy-mm-dd hh:mm:ss

report-config reset

Use this command to reset report templates to the factory default. Logs are not deleted.

If SQL logging is disabled, this command is unavailable.

Syntax

execute report-config reset

restore

Use this command to

• restore the configuration from a file
• change the FortiGate firmware
• change the FortiGate backup firmware
• restore an IPS custom signature file

When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of the backup file depends on the administrator account that created it.

A backup of the system configuration from the super admin account contains the global settings and the settings for all of the VDOMs. Only the super admin account can restore the configuration from this file.

A backup file from a regular administrator account contains the global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator account can restore the configuration from this file.


Syntax

execute restore av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal | template | script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore config usb-mode [<backup_password_str>]
execute restore forticlient tftp <filename_str> <server_ipv4>
execute restore image flash <revision>
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore src-vis <src-vis-pkgfile>
execute restore vcm {ftp | tftp} <filename_str> <server_ipv4>
execute restore vmlicense {ftp | tftp} <filename_str> <server_ipv4>

Variable    Description

av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]    Download the antivirus database file from an FTP server to the FortiGate unit.

av tftp <filename_str> <server_ipv4[:port_int]>    Download the antivirus database file from a TFTP server to the FortiGate unit.

config flash <revision>    Restore the specified revision of the system configuration from the flash disk.


config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]    Restore the system configuration from an FTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config management-station {normal | template | script} <rev_int>    Restore the system configuration from the central management server. The new configuration replaces the existing configuration, including administrator accounts and passwords. rev_int is the revision number of the saved configuration to restore. Enter 0 for the most recent revision.

config tftp <filename_str> <server_ipv4> [<backup_password_str>]    Restore the system configuration from a file on a TFTP server. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config usb <filename_str> [<backup_password_str>]    Restore the system configuration from a file on a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. If the backup file was created with a password, you must specify the password.

config usb-mode [<backup_password_str>]    Restore the system configuration from a USB disk. The new configuration replaces the existing configuration, including administrator accounts and passwords. When the USB drive is removed, the FortiGate unit needs to reboot and revert to the unit’s existing configuration. If the backup file was created with a password, you must specify the password.

forticlient tftp <filename_str> <server_ipv4>    Download the FortiClient image from a TFTP server to the FortiGate unit. The filename must have the format: FortiClientSetup_versionmajor.versionminor.build.exe. For example, FortiClientSetup.4.0.377.exe.

image flash <revision>    Restore specified firmware image from flash disk.


image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Download a firmware image from an FTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.

This command is not available in multiple VDOM mode.

image management-station <version_int>

Download a firmware image from the central management station. This is available if you have configured a FortiManager unit as a central management server. This is also available if your account with FortiGuard Analysis and Management Service allows you to upload firmware images.

image tftp <filename_str> <server_ipv4>

Download a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.

This command is not available in multiple VDOM mode.

image usb <filename_str>

Download a firmware image from a USB disk to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.

ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Download the IPS database file from an FTP server to the FortiGate unit.

ips tftp <filename_str> <server_ipv4>

Download the IPS database file from a TFTP server to the FortiGate unit.

ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Restore IPS custom signature file from an FTP server. The file will overwrite the existing IPS custom signature file.

ipsuserdefsig tftp <filename_str> <server_ipv4>

Restore an IPS custom signature file from a TFTP server. The file will overwrite the existing IPS custom signature file.


secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]

Download a firmware image from an FTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.

secondary-image tftp <filename_str> <server_ipv4>

Download a firmware image from a TFTP server as the backup firmware of the FortiGate unit. Available on models that support backup firmware images.

secondary-image usb <filename_str>

Download a firmware image from a USB disk as the backup firmware of the FortiGate unit. The unit restarts when the upload is complete. Available on models that support backup firmware images.

src-vis <src-vis-pkgfile>

Download source visibility signature package.

vcm {ftp | tftp} <filename_str> <server_ipv4>

Restore VCM engine/plugin from an ftp or tftp server.

vmlicense {ftp | tftp} <filename_str> <server_ipv4>

Restore VM license (VM version of product only).

Example

This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.

execute restore config tftp backupconfig 192.168.1.23
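
The following checker is an added example, not part of the Fortinet reference. It reads execute restore lines from a runbook and reports what each one exposes, using the argument order from the table above; the finding codes, the function names and the sample lines other than the TFTP example are assumptions made for illustration.

```python
import shlex

# Transports each "execute restore" target accepts in the table above.
# The flash, management-station and usb-mode forms are not modelled here.
ALLOWED = {
    "config": {"ftp", "tftp", "usb"},
    "image": {"ftp", "tftp", "usb"},
    "secondary-image": {"ftp", "tftp", "usb"},
    "ips": {"ftp", "tftp"},
    "ipsuserdefsig": {"ftp", "tftp"},
}

# Finding codes are hypothetical names chosen for this example.
MESSAGES = {
    "UNPARSED": "not an execute restore form this checker models",
    "CLEARTEXT_TFTP": "TFTP has no authentication or encryption",
    "CLEARTEXT_FTP": "FTP sends the login and the file unencrypted",
    "FTP_PASSWORD_IN_COMMAND": "FTP password is written into the command line",
    "REPLACES_ADMIN_ACCOUNTS": "restored config replaces administrator accounts and passwords",
    "BACKUP_PASSWORD_IN_COMMAND": "backup password is written into the command line",
    "NO_BACKUP_PASSWORD": "no backup password given, which only works for a backup saved without one",
    "REBOOTS_INTO_NEW_FIRMWARE": "unit reboots and loads the downloaded firmware",
    "UNEXPECTED_ARGUMENTS": "more arguments than the syntax row allows",
}


def audit_restore(line):
    """Return the list of finding codes for one 'execute restore ...' line."""
    try:
        tokens = shlex.split(line)
    except ValueError:
        return ["UNPARSED"]
    if tokens[:2] != ["execute", "restore"] or len(tokens) < 4:
        return ["UNPARSED"]
    target, transport, args = tokens[2], tokens[3], tokens[4:]
    if transport not in ALLOWED.get(target, ()):
        return ["UNPARSED"]

    # usb takes <filename_str>; ftp and tftp take <filename_str> <server>.
    required = 1 if transport == "usb" else 2
    if len(args) < required:
        return ["UNPARSED"]
    extra = args[required:]

    findings = []
    if transport in ("ftp", "tftp"):
        findings.append("CLEARTEXT_" + transport.upper())
    # Assumption: with ftp, two or more trailing values start with the
    # <username_str> <password_str> pair; a single trailing value on a
    # config restore is read as <backup_password_str>.
    if transport == "ftp" and len(extra) >= 2:
        findings.append("FTP_PASSWORD_IN_COMMAND")
        extra = extra[2:]
    if target == "config":
        findings.append("REPLACES_ADMIN_ACCOUNTS")
        if len(extra) == 1:
            findings.append("BACKUP_PASSWORD_IN_COMMAND")
        elif not extra:
            findings.append("NO_BACKUP_PASSWORD")
    if target == "image":
        findings.append("REBOOTS_INTO_NEW_FIRMWARE")
    if len(extra) > (1 if target == "config" else 0):
        findings.append("UNEXPECTED_ARGUMENTS")
    return findings


def audit_runbook(text):
    """Audit every execute restore line in a runbook; returns {line: codes}."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("execute restore"):
            report[line] = audit_restore(line)
    return report


# Constructed sample runbook; only the first line comes from the page.
SAMPLE_RUNBOOK = """
execute restore config tftp backupconfig 192.168.1.23
execute restore config ftp fgt.conf 192.0.2.10:2121 backupuser S3cret bkpw
execute restore image usb FGT_image.out
execute restore config management-station normal 0
"""

if __name__ == "__main__":
    for line, codes in audit_runbook(SAMPLE_RUNBOOK).items():
        print(line)
        for code in codes:
            print("   ", code, "-", MESSAGES[code])
```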

revision

Use these commands to manage configuration and firmware image files on the local disk.

Syntax

To delete a configuration file

execute revision delete config <revision>

To delete a firmware image file

execute revision delete image <revision>


To list the configuration files

execute revision list config

To list the firmware image files

execute revision list image

router clear bfd session

Use this command to clear a bidirectional forwarding detection (BFD) session.

Syntax

execute router clear bfd session <src_ip> <dst_ip> <interface>

Variable Description

<src_ip> Select the source IP address of the session.

<dst_ip> Select the destination IP address of the session.

<interface> Select the interface for the session.

router clear bgp

Use this command to clear BGP peer connections.

Syntax

execute router clear bgp all [soft] [in | out]
execute router clear bgp as <as_number> [soft] [in | out]
execute router clear bgp dampening {ip_address | ip/netmask}
execute router clear bgp external {in prefix-filter} [soft] [in | out]
execute router clear bgp flap-statistics {ip_address | ip/netmask}
execute router clear bgp ip <ip_address> [soft] [in | out]

Variable Description

all Clear all BGP peer connections.

as <as_number> Clear BGP peer connections by AS number.

dampening {ip_address | ip/netmask} Clear route flap dampening information for peer or network.

external {in prefix-filter} Clear all external peers.


ip <ip_address> Clear BGP peer connections by IP address.

peer-group Clear all members of a BGP peer-group.

[in | out] Optionally limit clear operation to inbound only or outbound only.

flap-statistics {ip_address | ip/netmask} Clear flap statistics for peer or network.

soft Do a soft reset that changes the configuration but does not disturb existing sessions.

router clear ospf process

Use this command to clear and restart the OSPF router.

Syntax

IPv4:

execute router clear ospf process

IPv6:

execute router clear ospf6 process

router restart

Use this command to restart the routing software.

Syntax

execute router restart

send-fds-statistics

Use this command to send an FDS statistics report now, without waiting for the FDS statistics report interval to expire.

Syntax

execute send-fds-statistics


set system session filter

Use these commands to define the session filter for get system session commands.

Syntax

To clear the filter settings

execute set system session filter clear {all|dport|dst|duration|expire|policy|proto|sport|src|vd}

To specify destination port

execute set system session filter dport <port_range>

To specify destination IP address

execute set system session filter dst <ip_range>

To specify duration

execute set system session filter duration <duration_range>

To specify expiry

execute set system session filter expire <expire_range>

To list the filter settings

execute set system session filter list

To invert a filter setting

execute set system session filter negate {dport|dst|duration|expire|policy|proto|sport|src|vd}

To specify firewall policy ID

execute set system session filter policy <policy_range>

To specify protocol

execute set system session filter proto <protocol_range>

To specify source port

execute set system session filter sport <port_range>

To specify source IP address

execute set system session filter src <ip_range>


To specify virtual domain

execute set system session filter vd <vdom_index>

Variable Description

<duration_range> The start and end times, separated by a space.

<expire_range> The start and end times, separated by a space.

<ip_range> The start and end IP addresses, separated by a space.

<policy_range> The start and end policy numbers, separated by a space.

<port_range> The start and end port numbers, separated by a space.

<protocol_range> The start and end protocol numbers, separated by a space.

<vdom_index> The VDOM index number. -1 means all VDOMs.

set-next-reboot

Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot. Available on models that can store two firmware images. By default, the FortiGate unit loads the firmware from the primary partition.

VDOM administrators do not have permission to run this command. It must be executed by a super administrator.

Syntax

execute set-next-reboot {primary | secondary}

sfp-mode-sgmii

Change the SFP mode for an NP2 card to SGMII. When an AMC card is inserted, the SFP mode is set to SERDES mode by default.

If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.

In these situations, the sfpmode-sgmii command will change the SFP mode from SERDES to SGMII for the interface specified.

Syntax

execute sfpmode-sgmii <interface>

<interface> is the NP2 interface where you are changing the SFP mode.

shutdown

Shut down the FortiGate unit now. You will be prompted to confirm this command.


Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the web-based manager ensures proper shutdown procedures are followed to prevent any loss of configuration.

Syntax

execute shutdown [comment <comment_string>]

comment is optional, but you can use it to add a message that will appear in the event log message that records the shutdown. The comment message does not appear on the Alert Message console. If the message is more than one word it must be enclosed in quotes.

Example

This example shows the shutdown command with a message included.

execute shutdown comment "emergency facility shutdown"

An event log message similar to the following is recorded:

2009-09-08 11:12:31 critical admin 41986 ssh(172.20.120.11) shutdown User admin shutdown the device from ssh(172.20.120.11). The reason is 'emergency facility shutdown'

ssh

Use this command to establish an ssh session with another system.

Syntax

execute ssh <destination> [<port>]

<destination> - the destination in the form user@ip or user@host.

[<port>] - optional TCP port number

Example

execute ssh [email protected]

To end an ssh session, type exit:

FGT-6028030112 # exit
Connection to 172.20.120.122 closed.
FGT-8002805000 #

sync-session

Use this command to force a session synchronization.

Syntax

execute sync-session


system custom-language import

Use this command to import a custom language file from a TFTP server.

The web-based manager provides a downloadable template file. Go to System > Config > Advanced.

Syntax

execute system custom-language import <lang_name> <file_name> <tftp_server_ip>

<lang_name> - language name

<file_name> - the language file name

<tftp_server_ip> - the TFTP server IP address

system fortisandbox test-connectivity

Use this command to query FortiSandbox connection status.

Syntax

execute fortisandbox test-connectivity

tac report

Use this command to create a debug report to send to Fortinet Support. Normally you would only use this command if requested to by Fortinet Support.

Syntax

execute tac report

telnet

Use telnet client. You can use this tool to test network connectivity.

Syntax

execute telnet <telnet_ipv4>

<telnet_ipv4> is the address to connect with.

Type exit to close the telnet session.

time

Get or set the system time.


Syntax

execute time [<time_str>]

time_str has the form hh:mm:ss, where

hh is the hour and can be 00 to 23

mm is the minutes and can be 00 to 59

ss is the seconds and can be 00 to 59

If you do not specify a time, the command returns the current system time.

You are allowed to shorten numbers to only one digit when setting the time. For example, both 01:01:01 and 1:1:1 are allowed.

Example

This example sets the system time to 15:31:03:

execute time 15:31:03

traceroute

Test the connection between the FortiGate unit and another network device, and display information about the network hops between the device and the FortiGate unit.

Syntax

execute traceroute {<ip_address> | <host-name>}

Example

This example shows how to test the connection with http://docs.forticare.com. In this example the traceroute command times out after the first hop, indicating a possible problem.

#execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *

If your FortiGate unit is not connected to a working DNS server, you will not be able to connect to remote host-named locations with traceroute.

tracert6

Test the connection between the FortiGate unit and another network device using IPv6 protocol, and display information about the network hops between the device and the FortiGate unit.

Syntax

tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl] [-s src_addr] [-q nprobes] [-w waittime] [-z sendwait] host [paddatalen]


-F Set Don’t Fragment bit.

-d Enable debugging.

-n Do not resolve numeric address to domain name.

-f <first_ttl> Set the initial time-to-live used in the first outgoing probe packet.

-i <interface> Select interface to use for tracert.

-m <max_ttl> Set the max time-to-live (max number of hops) used in outgoing probe packets.

-s <src_addr> Set the source IP address to use in outgoing probe packets.

-q <nprobes> Set the number of probes per hop.

-w <waittime> Set the time in seconds to wait for response to a probe. Default is 5.

-z <sendwait> Set the time in milliseconds to pause between probes.

host Enter the IP address or FQDN to probe.

<paddatalen> Set the packet size to use when probing.

update-av

Use this command to manually initiate the virus definitions and engines update. To update both virus and attack definitions, use the execute update-now command.

Syntax

execute update-av

update-geo-ip

Use this command to obtain an update to the IP geography database from FortiGuard.

Syntax

execute update-geo-ip

update-ips

Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine update. To update both virus and attack definitions, use the execute update-now command.


Syntax

execute update-ips

update-list

Use this command to download an updated FortiGuard server list.

Syntax

execute update-list

update-now

Use this command to manually initiate both virus and attack definitions and engine updates. To initiate only virus or attack definitions, use the execute update-av or execute update-ips command respectively.

Syntax

execute update-now

update-src-vis

Use this command to trigger an FDS update of the source visibility signature package.

Syntax

execute update-src-vis

upd-vd-license

Use this command to enter a Virtual Domain (VDOM) license key.

If you have a FortiGate unit that supports VDOM licenses, you can purchase a license key from Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum of 10 VDOMs.

Available on FortiGate models that can be licensed for more than 10 VDOMs.

Syntax

execute upd-vd-license <license_key>

Variable Description

<license_key> The license key is a 32-character string supplied by Fortinet. Fortinet requires your unit serial number to generate the license key.


upload

Use this command to upload system configurations and firmware images to the flash disk from FTP, TFTP, or USB sources.

Syntax

To upload configuration files:

execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]

execute upload config tftp <filename_str> <comment> <server_ipv4>

execute upload config usb <filename_str> <comment>

To upload firmware image files:

execute upload image ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]

execute upload image tftp <filename_str> <comment> <server_ipv4>

execute upload image usb <filename_str> <comment>

To upload report image files:

execute upload report-img ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]

execute upload report-img tftp <filename_str> <server_ipv4>

Variable Description

<comment> Comment string.

<filename_str> Filename to upload.

<server_fqdn[:port_int]> Server fully qualified domain name and optional port.

<server_ipv4[:port_int]> Server IP address and optional port number.

<username_str> Username required on server.

<password_str> Password required on server.

<backup_password_str> Password for backup file.

usb-device

Use these commands to manage FortiExplorer IOS devices.


Syntax

List connected FortiExplorer IOS devices

execute usb-device list

Disconnect FortiExplorer IOS devices

execute usb-device disconnect

usb-disk

Use these commands to manage your USB disks.

Syntax

execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>

Variable Description

delete <filename> Delete the named file from the USB disk.

format Format the USB disk.

list List the files on the USB disk.

rename <old_name> <new_name> Rename a file on the USB disk.

vpn certificate ca

Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA certificate from the FortiGate unit to a TFTP server.

Before using this command you must obtain a CA certificate issued by a CA.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.


Syntax

execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>

Variable Description

import Import the CA certificate from a TFTP server to the FortiGate unit.

export Export or copy the CA certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str> Enter the name of the CA certificate.

<file-name_str> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.

auto Retrieve a CA certificate from a SCEP server.

tftp Import the CA certificate to the FortiGate unit from a file on a TFTP server (local administrator PC).

<ca_server_url> Enter the URL of the CA certificate server.

<ca_identifier_str> CA identifier on CA certificate server (optional).

Examples

Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a TFTP server with the address 192.168.21.54.

execute vpn certificate ca import tftp trust_ca 192.168.21.54

vpn certificate crl

Use this command to get a CRL via LDAP, HTTP, or SCEP protocol, depending on the auto-update configuration.

In order to use the command execute vpn certificate crl, the authentication servers must already be configured.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.


Syntax

execute vpn certificate crl import auto <crl-name>

Variable Description

import Import the CRL from the configured LDAP, HTTP, or SCEP authentication server to the FortiGate unit.

<crl-name> Enter the name of the CRL.

auto Trigger an auto-update of the CRL from the configured LDAP, HTTP, or SCEP authentication server.

vpn certificate local export

Use this command to export a local certificate from the FortiGate unit to a TFTP server.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Syntax

execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>

Variable Description

export Export or copy the local certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str>

Enter the name of the local certificate.

To view a list of the local certificates, you can enter:

execute vpn certificate local export tftp ?

<file-name_str> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.

Example

Use the following command to export the local certificate request generated in the above example from the FortiGate unit to a TFTP server. The example uses the file name testcert for the downloaded file and the TFTP server address 192.168.21.54.

execute vpn certificate local export tftp branch_cert testcert 192.168.21.54

vpn certificate local generate

Use this command to generate a local certificate.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

When you generate a certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential.

When you receive the signed certificate from the CA, use the vpn certificate local command to install it on the FortiGate unit.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Syntax

To generate the default CA certificate used by SSL Inspection

execute vpn certificate local generate default-ssl-ca

To generate the default server key used by SSL Inspection

execute vpn certificate local generate default-ssl-serv-key

To generate an elliptical curve certificate request

execute vpn certificate local generate ec <certificate-name_str> <elliptic-curve-name> <subject_str> [<optional_information>]

To generate an RSA certificate request

execute vpn certificate local generate rsa <certificate-name_str> <key-length> <subject_str> [<optional_information>]

Variable Description

<certificate-name_str>

Enter a name for the certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

<elliptic-curve-name>

Enter the elliptic curve name: secp256r1, secp384r1, or secp521r1.

<key-length>

Enter 1024, 1536 or 2048 for the size in bits of the encryption key.

<subject_str>

Enter the FortiGate unit host IP address, its fully qualified domain name, or an email address to identify the FortiGate unit being certified.

An IP address or domain name is preferred. If this is impossible (such as with a dialup client), use an e-mail address.

If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit’s IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.

[<optional_information>]

Enter optional_information as required to further identify the certificate. See Optional information variables for the list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.

Optional information variables

Variable Description

<country_code_str>

Enter the two-character country code. Enter execute vpn certificate local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.

<state_name_str>

Enter the name of the state or province where the FortiGate unit is located.

<city_name_str>

Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.

<organization-name_str>

Enter the name of the organization that is requesting the certificate for the FortiGate unit.

<organization-unit_name_str>

Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.

<email_address_str>

Enter a contact e-mail address for the FortiGate unit.

<ca_server_url>

Enter the URL of the CA (SCEP) certificate server that allows auto-signing of the request.

<challenge_password>

Enter the challenge password for the SCEP certificate server.

Example

Use the following command to generate a local certificate request with the name branch_cert, the domain name www.example.com and a key size of 1536.

execute vpn certificate local generate rsa branch_cert 1536 www.example.com
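
The following builder is an added example, not part of the Fortinet reference. It assembles a generate command from inventory data while enforcing the rules in the tables above: the allowed characters in the certificate name, the listed key lengths and curves, and the requirement that every optional variable before the last one supplied is present. The function name, the Python field names, the quoting of multi-word values, and the 2048-bit warning threshold are assumptions made for illustration.

```python
import re

NAME_RE = re.compile(r"[0-9A-Za-z_-]+")          # characters the table allows
RSA_KEY_LENGTHS = (1024, 1536, 2048)             # values listed for <key-length>
EC_CURVES = ("secp256r1", "secp384r1", "secp521r1")  # standard names, digit 1
# Optional information variables, in the order the table lists them.
OPTIONAL_ORDER = (
    "country_code", "state_name", "city_name", "organization_name",
    "organization_unit_name", "email_address", "ca_server_url",
    "challenge_password",
)
MIN_RSA_BITS = 2048  # assumption: local policy floor, not a FortiOS rule


def _token(value):
    """Return value as one CLI token, refusing anything that could split it."""
    if not value or re.search(r'["\\\r\n]', value):
        raise ValueError("empty value or forbidden character in %r" % value)
    # Assumption: multi-word values are wrapped in double quotes.
    return '"%s"' % value if re.search(r"\s", value) else value


def build_generate_command(kind, name, strength, subject, optional=None):
    """Return (command, warnings) for a local certificate request."""
    warnings = []
    if not NAME_RE.fullmatch(name):
        raise ValueError("certificate name may contain only 0-9, A-Z, a-z, - and _")
    if kind == "rsa":
        if strength not in RSA_KEY_LENGTHS:
            raise ValueError("key length must be one of %s" % (RSA_KEY_LENGTHS,))
        if strength < MIN_RSA_BITS:
            warnings.append("RSA %d is below the %d-bit policy floor"
                            % (strength, MIN_RSA_BITS))
    elif kind == "ec":
        if strength not in EC_CURVES:
            raise ValueError("curve must be one of %s" % (EC_CURVES,))
    else:
        raise ValueError("kind must be 'rsa' or 'ec'")

    optional = dict(optional or {})
    unknown = set(optional) - set(OPTIONAL_ORDER)
    if unknown:
        raise ValueError("unknown optional variables: %s" % sorted(unknown))

    # Every variable up to the last one supplied must be present, in order.
    last = max((i for i, key in enumerate(OPTIONAL_ORDER) if key in optional),
               default=-1)
    fields = []
    for key in OPTIONAL_ORDER[: last + 1]:
        if key not in optional:
            if key == "country_code":
                fields.append("null")  # the table allows null for no country
                continue
            raise ValueError("%s must be entered before later variables" % key)
        value = optional[key]
        if key == "country_code" and value != "null" and len(value) != 2:
            raise ValueError("country code must be two characters or null")
        fields.append(_token(value))

    tokens = ["execute", "vpn", "certificate", "local", "generate",
              kind, name, str(strength), _token(subject)] + fields
    return " ".join(tokens), warnings


if __name__ == "__main__":
    # Constructed inventory record; values are placeholders.
    command, notes = build_generate_command(
        "rsa", "branch_cert", 2048, "www.example.com",
        {"country_code": "CA", "state_name": "British Columbia",
         "city_name": "Burnaby", "organization_name": "Example Corp"})
    print(command)
    print(notes)
```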

vpn certificate local import

Use this command to import a local certificate to the FortiGate unit from a TFTP server.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

VPN peers must use digital certificates that adhere to the X.509 standard.

Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Syntax

execute vpn certificate local import tftp <file-name_str> <tftp_ip>

Variable Description

<certificate-name_str>

Enter the name of the local certificate.


<file-name_str> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.

Example

Use the following command to import the signed local certificate named branch_cert to the FortiGate unit from a TFTP server with the address 192.168.21.54.

execute vpn certificate local import tftp branch_cert 192.168.21.54

vpn certificate remote

Use this command to import a remote certificate from a TFTP server, or export a remote certificate from the FortiGate unit to a TFTP server. The remote certificates are public certificates without a private key. They are used as OCSP (Online Certificate Status Protocol) server certificates.

Syntax

execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>

Field/variable Description

import Import the remote certificate from the TFTP server to the FortiGate unit.

export Export or copy the remote certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates.

<certificate-name_str> Enter the name of the public certificate.

<file-name_str> Enter the file name on the TFTP server.

<tftp_ip> Enter the TFTP server address.

tftp Import/export the remote certificate via a TFTP server.

vpn ipsec tunnel down

Use this command to shut down an IPsec VPN tunnel.

Syntax

execute vpn ipsec tunnel down <phase2> [<phase1> <phase2_serial>]

where:


<phase2> is the phase 2 name

<phase1> is the phase 1 name

<phase2_serial> is the phase 2 serial number

<phase1> is required on a dial-up tunnel.

vpn ipsec tunnel up

Use this command to activate an IPsec VPN tunnel.

Syntax

execute vpn ipsec tunnel up <phase2> [<phase1> <phase2_serial>]

where:

<phase2> is the phase 2 name

<phase1> is the phase 1 name

<phase2_serial> is the phase 2 serial number

This command cannot activate a dial-up tunnel.

vpn sslvpn del-all

Use this command to delete all SSL VPN connections in this VDOM.

Syntax

execute vpn sslvpn del-all

vpn sslvpn del-tunnel

Use this command to delete an SSL tunnel connection.

Syntax

execute vpn sslvpn del-tunnel <tunnel_index>

<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.

vpn sslvpn del-web

Use this command to delete an active SSL VPN web connection.

Syntax

execute vpn sslvpn del-web <web_index>


<web_index> identifies which web connection to delete if there is more than one active connection.

vpn sslvpn list

Use this command to list current SSL VPN tunnel connections.

Syntax

execute vpn sslvpn list {web | tunnel}

webfilter quota-reset

Use this command to reset user quota.

Syntax

execute webfilter quota-reset <wf-profile> <user_ip4addr>
execute webfilter quota-reset <wf-profile> <user_name>

wireless-controller delete-wtp-image

Use this command to delete all firmware images for WLAN Termination Points (WTPs), also known as physical access points.

Syntax

execute wireless-controller delete-wtp-image

wireless-controller list-wtp-image

Use this command to list all firmware images for WLAN Termination Points (WTPs), also known as WiFi physical access points.

Syntax

execute wireless-controller list-wtp-image

Example output

WTP Images on AC:
ImageName ImageSize(B) ImageInfo ImageMTime
FAP22A-IMG.wtp 3711132 FAP22A-v4.0-build212 Mon Jun 6 12:26:41 2011


wireless-controller reset-wtp

Use this command to reset a physical access point (WTP).

If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install it. Use the command execute wireless-controller upload-wtp-image to upload FortiAP firmware to the FortiGate unit.

Syntax

execute wireless-controller reset-wtp {<serialNumber_str> | all}

where <serialNumber_str> is the FortiWiFi unit serial number.

Use the all option to reset all APs.

wireless-controller restart-acd

Use this command to restart the wireless-controller daemon.

Syntax

execute wireless-controller restart-acd

wireless-controller restart-wtpd

Use this command to restart the wireless access point daemon.

Syntax

execute wireless-controller restart-wtpd

wireless-controller upload-wtp-image

Use this command to upload a FortiWiFi firmware image to the FortiGate unit. Wireless APs controlled by this wireless controller can download the image as needed. Use the execute wireless-controller reset-wtp command to trigger FortiAP units to update their firmware.

Syntax

FTP:

execute wireless-controller upload-wtp-image ftp <filename_str> <server_ipv4[:port_int]> [<username_str> <password_str>]

TFTP:

execute wireless-controller upload-wtp-image tftp <filename_str> <server_ipv4>


get

The get commands retrieve information about the operation and performance of your FortiGate unit.

endpoint-control app-detect

Use this command to retrieve information about predefined application detection signatures for Endpoint NAC.

Syntax

get endpoint-control app-detect predefined-category status
get endpoint-control app-detect predefined-group status
get endpoint-control app-detect predefined-signature status
get endpoint-control app-detect predefined-vendor status

Example output (partial)

get endpoint-control app-detect predefined-category status

FG200A2907500558 # get endpoint-control app-detect predefined-category status
name: "Anti-Malware Software"
id: 1
group: 1

name: "Authentication and Authorization"
id: 2
group: 1

name: "Encryption, PKI"
id: 3
group: 1

name: "Firewalls"
id: 4
group: 1

get endpoint-control app-detect predefined-group status

FG200A2907500558 # get endpoint-control app-detect predefined-group status
name: "Security"
id: 1

name: "Multimedia"
id: 2

name: "Communication"
id: 3

name: "Critical Functions"
id: 4


get endpoint-control app-detect predefined-signature status

FG200A2907500558 # get endpoint-control app-detect predefined-signature status
name: "Apache HTTP Server"
id: 256
category: 26
vendor: 149

name: "RealPlayer (32-bit)"
id: 1
category: 10
vendor: 68

name: "VisualSVN Server"
id: 257
category: 26
vendor: 162

name: "QQ2009"
id: 2
category: 14
vendor: 78

get endpoint-control app-detect predefined-vendor status

FG200A2907500558 # get endpoint-control app-detect predefined-vendor status
name: "Access Remote PC (www.access-remote-pc.com)"
id: 3

name: "ACD Systems, Ltd."
id: 4

name: "Adobe Systems Incorporated"
id: 5

name: "Alen Soft"
id: 6

extender modem-status

Use this command to display detailed FortiExtender modem status information.

Syntax

get extender modem-status <serno>

where <serno> is the FortiExtender serial number.

Example output

physical_port: Internal
manufacture: Sierra Wireless, Incorporated
product: AirCard 313U
model: AirCard 313U
revision: SWI9200X_03.05.10.02AP R4684 CARMD-EN-10527 2012/02/25 11:58:38
imsi: 310410707582825


pin_status: READY
service: N/A
signal_strength: 73
RSSI: -68 dBm
connection_status: connected
Profile 1: broadband
Profile 2: broadband
Profile 13: wap.cingular
Profile 15: broadband
NAI: w.tp
Profile: 0 Disabled
home_addr: 127.219.10.128
primary_ha: 127.218.246.40
secondary_ha: 119.75.69.176
aaa_spi: 0
ha_spi: 4
esn_imei: 012615000227604
activation_status: Activated
roaming_status: N/A
usim_status: N/A
oma_dm_version: N/A
plmn: N/A
band: B17
signal_rsrq: N/A
signal_rsrp: N/A
lte_sinr: N/A
lte_rssi: N/A
lte_rs_throughput: N/A
lte_ts_throughput: N/A
lte_physical_cellid: N/A
modem_type:
drc_cdma_evdo: N/A
current_snr: N/A
wireless_operator:
operating_mode: N/A
wireless_signal: 73
usb_wan_mac: 16:78:f7:db:01:07

extender sys-info

Use this command to display detailed FortiExtender system information.

Syntax

get extender sys-info

firewall dnstranslation

Use this command to display the firewall DNS translation table.


Syntax

get firewall dnstranslation

firewall iprope appctrl

Use this command to list all application control signatures added to an application control list and display a summary of the application control configuration.

Syntax

get firewall iprope appctrl {list | status}

Example output

In this example, the FortiGate unit includes one application control list that blocks the FTP application.

get firewall iprope appctrl list
app-list=app_list_1/2000 other-action=Pass
app-id=15896 list-id=2000 action=Block

get firewall iprope appctrl status
appctrl table 3 list 1 app 1 shaper 0

firewall iprope list

Use this command to list all of the FortiGate unit iprope firewall policies. Optionally include a group number in hexadecimal format to display a single policy. Policies are listed in FortiOS format.

Syntax

get firewall iprope list [<group_number_hex>]

Example output

get firewall iprope list 0010000c

policy flag (8000000): pol_stats
flag2 (20): ep_block shapers: / per_ip=
imflag: sockport: 1011 action: redirect index: 0
schedule() group=0010000c av=00000000 au=00000000 host=0 split=00000000
chk_client_info=0x0 app_list=0 misc=0 grp_info=0 seq=0 hash=0
npu_sensor_id=0
tunnel=
zone(1): 0 ->zone(1): 0
source(0):
dest(0):
source wildcard(0):
destination wildcard(0):
service(1):
[6:0x8:1011/(0,65535)->(80,80)]


nat(0):
mms: 0 0

firewall proute, proute6

Use these commands to list policy routes.

Syntax

For IPv4 policy routes:

get firewall proute

For IPv6 policy routes:

get firewall proute6

Example output

get firewall proute
list route policy info(vf=root):
iff=5 src=1.1.1.0/255.255.255.0 tos=0x00 tos_mask=0x00 dst=0.0.0.0/0.0.0.0 protocol=80 port=1:65535
oif=3 gwy=1.2.3.4

firewall service custom

Use this command to view the list of custom services. If you do not specify a <service_name> the command lists all of the pre-defined services.

Syntax

get firewall service custom

This lists the services.

To view details about all services

config firewall service custom
show full-configuration

To view details about a specific service

This example lists the configuration for the ALL_TCP service:

config firewall service custom
edit ALL_TCP
show full-configuration

Example output

This is a partial output.

get firewall service custom


== [ ALL ]
name: ALL
== [ ALL_TCP ]
name: ALL_TCP
== [ ALL_UDP ]
name: ALL_UDP
== [ ALL_ICMP ]
name: ALL_ICMP
== [ ALL_ICMP6 ]
name: ALL_ICMP6
== [ GRE ]
name: GRE
== [ AH ]
name: AH
== [ ESP ]
name: ESP
== [ AOL ]
name: AOL
== [ BGP ]
name: BGP
== [ DHCP ]
name: DHCP
== [ DNS ]
name: DNS
== [ FINGER ]
name: FINGER

firewall shaper

Use these commands to retrieve information about traffic shapers.

Syntax

To get information about per-ip traffic shapers

get firewall shaper per-ip

To get information about shared traffic shapers

get firewall shaper traffic-shaper

grep

In many cases the get and show (and diagnose) commands may produce a large amount of output. If you are looking for specific information in a large get or show command output you can use the grep command to filter the output to only display what you are looking for. The grep command is based on the standard UNIX grep, used for searching text output based on regular expressions.

Information about how to use grep and regular expressions is available from the Internet. For example, see http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.


Syntax

{get | show | diagnose} | grep <regular_expression>

Example output

Use the following command to display the MAC address of the FortiGate unit internal interface:

get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75

Use the following command to display all TCP sessions in the session list and include the session list line number in the output:

get system session list | grep -n tcp
19:tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469 -
27:tcp 3599 10.31.101.10:2061 - 10.31.101.100:22 -
38:tcp 3594 10.31.101.10:4780 172.20.120.122:49700 172.20.120.100:445 -
43:tcp 3582 10.31.101.10:4398 172.20.120.122:49574 24.200.188.171:48726 -

Use the following command to display all lines in HTTP replacement message commands that contain URL (upper or lower case):

show system replacemsg http | grep -i url
set buffer "<HTML><BODY>The page you requested has been blocked because it contains a banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
config system replacemsg http "url-block"
set buffer "<HTML><BODY>The URL you requested has been blocked. URL = %%URL%%</BODY></HTML>"
config system replacemsg http "urlfilter-err"
.
.
.

gui console status

Display information about the CLI console.

Syntax

get gui console status

Example

The output looks like this:

Preferences:
        User: admin
                Colour scheme (RGB): text=FFFFFF, background=000000
                Font: style=monospace, size=10pt
                History buffer=50 lines, external input=disabled


gui topology status

Display information about the topology viewer database. The topology viewer is available only if the Topology widget has been added to a customized web-based manager menu layout.

Syntax

get gui topology status

Example output

Preferences:
        Canvas dimensions (pixels): width=780, height=800
        Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
        Background image: type=none, placement: x=0, y=0
        Line style: thickness=2

Custom background image file: none

Topology element database:
        __FortiGate__: x=260, y=340
        Office: x=22, y=105
        ISPnet: x=222, y=129
        __Text__: x=77, y=112: "Ottawa"
        __Text__: x=276, y=139: "Internet"

hardware cpu

Use this command to display detailed information about all of the CPUs in your FortiGate unit.

Syntax

get hardware cpu

Example output

get hardware npu legacy list
No npu ports are found

620_ha_1 # get hardware cpu
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no


fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26

hardware memory

Use this command to display information about FortiGate unit memory use including the total, used, and free memory.

Syntax

get hardware memory

Example output

get hardware memory
total: used: free: shared: buffers: cached: shm:
Mem: 3703943168 348913664 3355029504 0 192512 139943936 137314304
Swap: 0 0 0
MemTotal: 3617132 kB
MemFree: 3276396 kB
MemShared: 0 kB
Buffers: 188 kB
Cached: 136664 kB
SwapCached: 0 kB
Active: 22172 kB
Inactive: 114740 kB
HighTotal: 1703936 kB
HighFree: 1443712 kB
LowTotal: 1913196 kB
LowFree: 1832684 kB


SwapTotal: 0 kB
SwapFree: 0 kB

hardware nic

Use this command to display hardware and status information about each FortiGate interface. The hardware information includes details such as the driver name and version and chip revision. Status information includes transmitted and received packets, and different types of errors.

Syntax

get hardware nic <interface_name>

Variable Description

<interface_name> A FortiGate interface name such as port1, wan1, internal, etc.

Example output

get hardware nic port9
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.

Link down
Speed N/A
Duplex N/A
State up

Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0

Current_HWaddr 00:09:0f:77:09:68
Permanent_HWaddr 00:09:0f:77:09:68

Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 0

Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0


hardware npu

Use this command to display information about the network processor unit (NPU) hardware installed in a FortiGate unit. The NPUs can be built-in or on an installed AMC module.

Syntax

get hardware npu legacy {list | session <device_name_str> | setting <device_name_str>}
get hardware npu np1 {list | status}
get hardware npu np2 {list | performance <device_id_int> | status <device_id_int>}
get hardware npu np4 {list | status <device_id_int>}
get hardware npu sp {list | status}

Example output

get hardware npu np1 list
ID Interface
0 port9 port10

get hardware npu np1 status
ISCP1A 10ee:0702
RX SW Done 0 MTP 0x00000000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Total Number of Interfaces: 2
Number of Interface In-Use: 2
Interface[0] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
Interface[1] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
NAT Information:
head = 0x00000001 tail = 00000001
ISCP1A Performance [Top]:
Nr_int : 0x00000000 INTwoInd : 0x00000000 RXwoDone : 0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHY0Int : 0x00000000 PHY1INT : 0x00000000
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT : 0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS : 0x00000000
TOTUP : 0x00000000 RSVD MEMU : 0x00000010
MSG Performance:
QLEN: 0x00001000(QW) HEAD: 0x00000000
Performance:
TOTMSG: 0x00000000 BADMSG: 0x00000000 TOUTMSG: 0x00000000 QUERY: 0x00000000
NULLTK: 0x00000000
NAT Performance: BYPASS (Enable) BLOCK (Disable)
IRQ : 00000001 QFTL : 00000000 DELF : 00000000 FFTL : 00000000
OVTH : 00000001 QRYF : 00000000 INSF : 00000000 INVC : 00000000
ALLO : 00000000 FREE : 00000000 ALLOF : 00000000 BPENTR: 00000000 BKENTR: 00000000
PBPENTR: 00000000 PBKENTR: 00000000 NOOP : 00000000 THROT : 00000000(0x002625a0)


SWITOT : 00000000 SWDTOT : 00000000 ITDB : 00000000 OTDB : 00000000
SPISES : 00000000 FLUSH : 00000000
APS (Disabled) information:
MODE: BOTH UDPTH 255 ICMPTH 255 APSFLAGS: 0x00000000
IPSEC Offload Status: 0x58077dcb

get hardware npu np2 list
ID PORTS
-- -----
0 amc-sw1/1
0 amc-sw1/2
0 amc-sw1/3
0 amc-sw1/4
ID PORTS
-- -----
1 amc-dw2/1
ID PORTS
-- -----
2 amc-dw2/2

get hardware npu np2 status 0
NP2 Status

ISCP2 f7750000 (Neighbor 00000000) 1a29:0703 256MB Base f8aad000 DBG 0x00000000
RX SW Done 0 MTP 0x0
desc_alloc = f7216000
desc_size = 0x2000 count = 0x100
nxt_to_u = 0x0 nxt_to_f = 0x0
Total Interfaces: 4 Total Ports: 4
Number of Interface In-Use: 4
Interface f7750100 netdev 81b1e000 0 Name amc-sw1-1
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750694, 00000000, 00000000, 00000000
Port f7750694 Id 0 Status Down ictr 4
desc = 8128c000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750100
Interface f7750264 netdev 81b2cc00 1 Name amc-sw1-2
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f7750748, 00000000, 00000000, 00000000
Port f7750748 Id 1 Status Down ictr 0
desc = 81287000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f7750264
Interface f77503c8 netdev 81b2c800 2 Name amc-sw1-3
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77507fc, 00000000, 00000000, 00000000
Port f77507fc Id 2 Status Down ictr 0
desc = 81286000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f77503c8
Interface f775052c netdev 81b2c400 3 Name amc-sw1-4


PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: f77508b0, 00000000, 00000000, 00000000
Port f77508b0 Id 3 Status Down ictr 0
desc = 81281000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf f775052c
NAT Information:
cmdq_qw = 0x2000 cmdq = 82160000
head = 0x1 tail = 0x1
APS (Enabled) information:
Session Install when TMM TSE OOE: Disable
Session Install when TMM TAE OOE: Disable
IPS anomaly check policy: Follow config
MSG Base = 82150000 QL = 0x1000 H = 0x0

hardware status

Report information about the FortiGate unit hardware including FortiASIC version, CPU type, amount of memory, flash drive size, hard disk size (if present), USB flash size (if present), network card chipset, and WiFi chipset (FortiWifi models). This information can be useful for troubleshooting, providing information about your FortiGate unit to Fortinet Support, or confirming the features that your FortiGate model supports.

Syntax

get hardware status

Example output

Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)

ips decoder status

Displays all the port settings of all the IPS decoders.

Syntax

get ips decoder status

Example output

# get ips decoder status


decoder-name: "back_orifice"

decoder-name: "dns_decoder"
port_list: 53

decoder-name: "ftp_decoder"
port_list: 21

decoder-name: "http_decoder"

decoder-name: "im_decoder"

decoder-name: "imap_decoder"
port_list: 143

Ports are shown only for decoders with configurable port settings.

ips rule status

Displays current configuration information about IPS rules.

Syntax

get ips rule status

Example output

# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All

rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
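The following Python sketch is an added example, not part of the FortiOS reference: it parses captured `get ips rule status` output, one `key: value` field per line as in the records above, and reports rules at or above a severity threshold that are disabled, set to pass, or not logging. The function names, the threshold, the use of the numeric severity prefix for ordering, and the third sample record are assumptions made for illustration.

```python
"""Audit captured `get ips rule status` output for rules that are not enforcing."""

# Constructed sample input. The first two records are the ones in the example
# output above; the third is invented for illustration.
SAMPLE_OUTPUT = """\
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All

rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All

rule-name: "Constructed.Example.Rule"
rule-id: 99999
rev: 2.464
action: block
status: enable
log: enable
log-packet: disable
severity: 4.critical
service: All
location: server
os: All
application: All
"""


def parse_rules(text):
    """Return one dict per rule; a rule-name line starts a new record."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank separators, the echoed CLI prompt and lines without a field.
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "rule-name":
            current = {}
            rules.append(current)
        if current is not None:  # ignore fields seen before the first rule-name
            current[key] = value
    return rules


def severity_level(rule):
    """Numeric prefix of a severity such as '3.high'; -1 if absent or malformed."""
    prefix = rule.get("severity", "").split(".", 1)[0]
    return int(prefix) if prefix.isdigit() else -1


def audit(rules, min_severity=3):
    """List (rule-id, rule-name, reasons) for rules at or above min_severity
    that are disabled, set to pass, or not logging."""
    findings = []
    for rule in rules:
        if severity_level(rule) < min_severity:
            continue
        reasons = []
        if rule.get("status") != "enable":
            reasons.append("status=" + rule.get("status", "missing"))
        if rule.get("action") == "pass":
            reasons.append("action=pass")
        if rule.get("log") != "enable":
            reasons.append("log=" + rule.get("log", "missing"))
        if reasons:
            findings.append((rule.get("rule-id"), rule.get("rule-name"), reasons))
    return findings


if __name__ == "__main__":
    for rule_id, name, reasons in audit(parse_rules(SAMPLE_OUTPUT)):
        print(f"{rule_id} {name}: {', '.join(reasons)}")
```

Lowering `min_severity` to 2 also reports the medium-severity rule from the sample.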


ips session

Displays current IPS session status.

Syntax

get ips session

Example output

get ips session

SYSTEM:
memory capacity 279969792
memory used 5861008
recent pps\bps 0\0K
session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\0
ICMP: in-use\active\total 0\0\0

ipsec tunnel

List the current IPSec VPN tunnels and their status.

Syntax

To view details of all IPsec tunnels:

get ipsec tunnel details

To list IPsec tunnels by name:

get ipsec tunnel name

To view a summary of IPsec tunnel information:

get ipsec tunnel summary

ips view-map

Use this command to view the policies examined by IPS. This is mainly used for debugging. If there is no ips view map, it means IPS is not used or enabled.

Syntax

get ips view-map <id>


Example output

id : 1
id-policy-id : 0
policy-id : 2
vdom-id : 0
which : firewall

Variable Description

id IPS policy ID

id-policy-id Identity-based policy ID (0 means none)

policy-id Policy ID

vdom-id VDOM, identified by ID number

which Type of policy id: firewall, firewall6, sniffer, sniffer6, interface, interface6

mgmt-data status

Use this command to display information additional to that provided by get system status or get hardware status.

Syntax

get mgmt-data status

Sample output

FG100D3G12801361 # get mgmt-data status

Model name: FortiGate-100D
CPU: 4
RAM: 1977 MB
is_ssd_available: 0
is_logdisk_mounted: 1
is_support_log_on_boot_device: 1
is_rev_support_wanopt: 1

netscan settings

Use this command to display the TCP and UDP ports that are scanned by the current scan mode.

Syntax

get netscan settings


Example output

scan-mode : full
tcp-ports : 1-65535
udp-ports : 1-65535

pbx branch-office

Use this command to list the configured branch offices.

Syntax

get pbx branch-office

Example output

== [ Branch 15 ]
name: Branch 15
== [ Branch 12 ]
name: Branch 12

pbx dialplan

Use this command to list the configured dial plans.

Syntax

get pbx dialplan

Example output

== [ company-default ]
name: company-default
== [ inbound ]
name: inbound

pbx did

Use this command to list the configured direct inward dial (DID) numbers.

Syntax

get pbx did

Example output

== [ Operator ]
name: Operator
== [ Emergency ]
name: Emergency


pbx extension

Use this command to list the configured extensions.

Syntax

get pbx extension

Example output

== [ 6555 ]
extension: 6555
== [ 6777 ]
extension: 6777
== [ 6111 ]
extension: 6111

pbx ftgd-voice-pkg

Use this command to display the current FortiGate Voice service package status.

Syntax

get pbx ftgd-voice-pkg status

Example output

Status: Activated
Total 1 Packages:
Package Type: B, Credit Left: 50.00, Credit Used: 0.00,
Expiration Date: 2011-01-01 12:00:00

Total 1 Dids:
12345678901
Total 1 Efaxs:
12345678902
Total 0 Tollfrees:

pbx global

Use this command to display the current global pbx settings.

Syntax

get pbx global

Example output

block-blacklist : enable
country-area : USA
country-code : 1


efax-check-interval : 5
extension-pattern : 6XXX
fax-admin-email : [email protected] : service.fortivoice.com
local-area-code : 408
max-voicemail : 60
outgoing-prefix : 9
ring-timeout : 20
rtp-hold-timeout : 0
rtp-timeout : 60
voicemail-extension : *97

pbx ringgrp

Use this command to display the currently configured ring groups.

Syntax

get pbx ringgrp

Example output

== [ 6001 ]
name: 6001
== [ 6002 ]
name: 6002

pbx sip-trunk

Use this command to display the currently configured SIP trunks.

Syntax

get pbx sip-trunk

Example output

== [ __FtgdVoice_1 ]
name: __FtgdVoice_1

pbx voice-menu

Use this command to display the current voice menu and recorder extension configuration.

Syntax

get pbx voice-menu


Example outputcomment : generalpassword : *press-0:ring-group : 6001type : ring-grouppress-1:type : voicemailpress-2:type : directorypress-3:type : nonepress-4:type : nonepress-5:type : nonepress-6:type : nonepress-7:type : nonepress-8:type : nonepress-9:type : nonerecorder-exten : *30

router info bfd neighbor

Use this command to list state information about the neighbors in the bi-directional forwarding table.

Syntax

get router info bfd neighbor

router info bgp

Use this command to display information about the BGP configuration.

Syntax

get router info bgp <keyword>

<keyword> Description

cidr-only Show all BGP routes having non-natural network masks.

community Show all BGP routes having their COMMUNITY attribute set.


community-info Show general information about the configured BGP communities, including the routes in each community and their associated network addresses.

community-list Show all routes belonging to configured BGP community lists.

dampening {dampened-paths | flap-statistics | parameters}

Display information about dampening:

Type dampened-paths to show all paths that have been suppressed due to flapping.

Type flap-statistics to show flap statistics related to BGP routes.

Type parameters to show the current dampening settings.

filter-list Show all routes matching configured AS-path lists.

inconsistent-as Show all routes associated with inconsistent autonomous systems of origin.

memory Show the BGP memory table.

neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes]

Show information about connections to TCP and BGP neighbors.

network [<address_ipv4mask>]

Show general information about the configured BGP networks, including their network addresses and associated prefixes.

network-longer-prefixes <address_ipv4mask>

Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.

paths Show general information about BGP AS paths, including their associated network addresses.

prefix-list <name> Show all routes matching configured prefix list <name>.

quote-regexp <regexp_str>

Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.


regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).

route-map Show all routes matching configured route maps.

scan Show information about next-hop route scanning, including the scan interval setting.

summary Show information about BGP neighbor status.

Example output
get router info bgp memory
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
----------------------------------- ------------- ---------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
----------------------------------- ------------- ---------------
bgp proto specifc allocations : 9408 B
bgp generic allocations : 196333 B
bgp total allocations : 205741 B

router info isis

Use this command to display information about the FortiGate ISIS.

Syntax

get router info isis interface
get router info isis neighbor
get router info isis is-neighbor
get router info isis database
get router info isis route
get router info isis topology

router info kernel

Use this command to display the FortiGate kernel routing table. The kernel routing table displays information about all of the routes in the kernel.

Syntax

get router info kernel [<routing_type_int>]

router info multicast

Use this command to display information about a Protocol Independent Multicasting (PIM) configuration. Multicast routing is supported in the root virtual domain only.

Syntax

get router info multicast <keywords>

<keywords> Description

igmp

Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:

Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s) associated with the specified interface or multicast group address.

Type groups-detail [{<interface-name> | <group-address>}] to show detailed IGMP information for the multicast group(s) associated with the specified interface or multicast group address.

Type interface [<interface-name>] to show IGMP information for all multicast groups associated with the specified interface.

pim dense-mode

Show information related to dense mode operation according to one of these qualifiers:

Type interface to show information about PIM-enabled interfaces.

Type interface-detail to show detailed information about PIM-enabled interfaces.

Type neighbor to show the current status of PIM neighbors.

Type neighbor-detail to show detailed information about PIM neighbors.

Type next-hop to show information about next-hop PIM routers.

Type table [<group-address>][<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.


pim sparse-mode

Show information related to sparse mode operation according to one of these qualifiers:

Type bsr-info to show Boot Strap Router (BSR) information.

Type interface to show information about PIM-enabled interfaces.

Type interface-detail to show detailed information about PIM-enabled interfaces.

Type neighbor to show the current status of PIM neighbors.

Type neighbor-detail to show detailed information about PIM neighbors.

Type next-hop to show information about next-hop PIM routers.

Type rp-mapping to show Rendezvous Point (RP) information.

Type table [<group-address>][<source-address>] to show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.

table [<group-address>][<source-address>]

Show the multicast routing table entries associated with the specified multicast group address and/or multicast source address.

table-count [<group-address>][<source-address>]

Show statistics related to the specified multicast group address and/or multicast source address.

router info ospf

Use this command to display information about the FortiGate OSPF configuration and/or the Link-State Advertisements (LSAs) that the FortiGate unit obtains and generates. An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination.

Syntax

get router info ospf <keyword>

<keyword> Description

border-routers Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.


database <qualifier>

Show information from the OSPF routing database according to one of these qualifiers.

Some qualifiers require a target that can be one of the following values:

Type adv_router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP address.

Type self-originate <address_ipv4> to limit the information to LSAs originating from the FortiGate unit.

adv-router <address_ipv4>

Type adv-router <address_ipv4> to show OSPF Advertising Router link states for the router at the given IP address.

asbr-summary <target>

Type asbr-summary to show information about ASBR summary LSAs.

brief Type brief to show the number and type of LSAs associated with each OSPF area.

external <target>

Type external to show information about external LSAs.

max-age Type max-age to show all LSAs in the MaxAge list.

network <target>

Type network to show information about network LSAs.

nssa-external <target>

Type nssa-external to show information about not-so-stubby external LSAs.

opaque-area <address_ipv4>

Type opaque-area <address_ipv4> to show information about opaque Type 10 (area-local) LSAs (see RFC 2370).

opaque-as <address_ipv4>

Type opaque-as <address_ipv4> to show information about opaque Type 11 LSAs (see RFC 2370), which are flooded throughout the AS.

opaque-link <address_ipv4>

Type opaque-link <address_ipv4> to show information about opaque Type 9 (link-local) LSAs (see RFC 2370).


router <target>

Type router to show information about router LSAs.

self-originate

Type self-originate to show self-originated LSAs.

summary <target>

Type summary to show information about summary LSAs.

interface [<interface_name>] Show the status of one or all FortiGate interfaces and whether OSPF is enabled on those interfaces.

neighbor [all | <neighbor_id> | detail | detail all | interface <address_ipv4>]

Show general information about OSPF neighbors, excluding down-status neighbors:

Type all to show information about all neighbors, including down-status neighbors.

Type <neighbor_id> to show detailed information about the specified neighbor only.

Type detail to show detailed information about all neighbors, excluding down-status neighbors.

Type detail all to show detailed information about all neighbors, including down-status neighbors.

Type interface <address_ipv4> to show neighbor information based on the FortiGate interface IP address that was used to establish the neighbor’s relationship.

route Show the OSPF routing table.

status Show general information about the OSPF routing processes.

virtual-links Show information about OSPF virtual links.

router info protocols

Use this command to show the current states of active routing protocols. Inactive protocols are not displayed.

Syntax

get router info protocols

Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Distance: (default is 120)

Routing Protocol is "ospf 0"
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing:
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)
Address Mask Distance List

Routing Protocol is "bgp 5"
IGP synchronization is disabled
Automatic route summarization is disabled
Default local-preference applied to incoming route is 100
Redistributing:
Neighbor(s):
Address AddressFamily FiltIn FiltOut DistIn DistOut RouteMapIn RouteMapOut Weight
192.168.20.10 unicast

router info rip

Use this command to display information about the RIP configuration.

Syntax

get router info rip <keyword>

<keyword> Description

database Show the entries in the RIP routing database.

interface [<interface_name>]

Show the status of the specified FortiGate unit interface <interface_name> and whether RIP is enabled.

If interface is used alone it lists all the FortiGate unit interfaces and whether RIP is enabled on each.

router info routing-table

Use this command to display the routes in the routing table.

Syntax

get router info routing-table <keyword>

<keyword> Description

all Show all entries in the routing table.

bgp Show the BGP routes in the routing table.

connected Show the connected routes in the routing table.

database Show the routing information database.

details [<address_ipv4mask>]

Show detailed information about a route in the routing table, including the next-hop routers, metrics, outgoing interfaces, and protocol-specific information.

ospf Show the OSPF routes in the routing table.

rip Show the RIP routes in the routing table.

static Show the static routes in the routing table.

router info vrrp

Use this command to display information about the VRRP configuration.

Syntax

get router info vrrp

Example output
Interface: port1, primary IP address: 9.1.1.2

VRID: 1
vrip: 9.1.1.254, priority: 100, state: BACKUP
adv_interval: 1, preempt: 1, start_time: 3
vrdst: 0.0.0.0

router info6 bgp

Use this command to display information about the BGP IPv6 configuration.

Syntax

get router info6 bgp <keyword>

<keyword> Description

community Show all BGP routes having their COMMUNITY attribute set.


community-list Show all routes belonging to configured BGP community lists.

dampening {dampened-paths | flap-statistics | parameters}

Display information about dampening:

Type dampened-paths to show all paths that have been suppressed due to flapping.

Type flap-statistics to show flap statistics related to BGP routes.

Type parameters to show the current dampening settings.

filter-list Show all routes matching configured AS-path lists.

inconsistent-as Show all routes associated with inconsistent autonomous systems of origin.

neighbors [<address_ipv6mask>]

Show information about connections to TCP and BGP neighbors.

network [<address_ipv6mask>]

Show general information about the configured BGP networks, including their network addresses and associated prefixes.

network-longer-prefixes <address_ipv6mask>

Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes associated with the prefix.

paths Show general information about BGP AS paths, including their associated network addresses.

prefix-list <name> Show all routes matching configured prefix list <name>.

quote-regexp <regexp_str>

Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$) and enable the use of output modifiers (for example, include, exclude, and begin) to search the results.

regexp <regexp_str> Enter the regular expression to compare to the AS_PATH attribute of BGP routes (for example, ^730$).

route-map Show all routes matching configured route maps.

summary Show information about BGP neighbor status.

router info6 interface

Use this command to display information about IPv6 interfaces.

Syntax

get router info6 interface <interface_name>

Example output

The command returns the status of the interface and the assigned IPv6 address.

dmz2 [administratively down/down]
2001:db8:85a3:8d3:1319:8a2e:370:7348
fe80::209:fff:fe04:4cfd

router info6 kernel

Use this command to display the FortiGate kernel routing table. The kernel routing table displays information about all of the routes in the kernel.

Syntax

get router info6 kernel

router info6 ospf

Use this command to display information about the OSPF IPv6 configuration.

Syntax

get router info6 ospf

router info6 protocols

Use this command to display information about the configuration of all IPv6 dynamic routing protocols.

Syntax

get router info6 protocols

router info6 rip

Use this command to display information about the RIPng configuration.

Syntax

get router info6 rip

router info6 routing-table

Use this command to display the routes in the IPv6 routing table.

Syntax

get router info6 routing-table <item>

where <item> is one of the following:

Variable Description

<ipv6_ip> Destination IPv6 address or prefix.

bgp Show BGP routing table entries.

connected Show connected routing table entries.

database Show routing information base.

ospf Show OSPF routing table entries.

rip Show RIP routing table entries.

static Show static routing table entries.

system admin list

View a list of all the current administration sessions.

Syntax

get system admin list

Example output
# get system admin list
username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29

Variable Description

username Name of the admin account for this session

local The protocol this session used to connect to the FortiGate unit.

device The interface, IP address, and port used by this session to connect to the FortiGate unit.

remote The IP address and port used by the originating computer to connect to the FortiGate unit.

started The time the current session started.
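The session list above is a useful audit input. The following is an added example, not part of the Fortinet reference: it parses the five columns shown in the example output and flags sessions whose remote address lies outside a management network or whose protocol is not on an allow-list. The management networks, the default allowed protocols (taken from the values in the example output) and all function names are assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Output copied from the "get system admin list" example on this page.
SAMPLE_OUTPUT = """\
# get system admin list
username local  device                   remote               started
admin    sshv2  port1:172.20.120.148:22  172.20.120.16:4167   2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin    https  port1:172.20.120.148:443 172.20.120.16:4214   2006-08-09 12:25:29
"""

OUTSIDE_MGMT = "remote address outside management networks"
UNEXPECTED_PROTO = "protocol not in allowed list"


@dataclass(frozen=True)
class AdminSession:
    username: str
    protocol: str          # the "local" column
    interface: str         # first part of the "device" column
    local_ip: ipaddress.IPv4Address
    local_port: int
    remote_ip: ipaddress.IPv4Address
    remote_port: int
    started: str


def parse_admin_list(text):
    """Return (sessions, unparsed_lines).

    Rows that do not match the layout shown on this page are returned in
    unparsed_lines instead of being dropped, so a reviewer still sees them.
    """
    sessions, unparsed = [], []
    for raw in text.splitlines():
        fields = raw.split()
        # Skip blanks, the echoed command line and the column header.
        if (not fields or "get system admin list" in raw
                or fields[:2] == ["username", "local"]):
            continue
        try:
            if len(fields) != 6:
                raise ValueError("expected 6 whitespace-separated fields")
            username, protocol, device, remote, date, time = fields
            interface, local_ip, local_port = device.rsplit(":", 2)
            remote_ip, remote_port = remote.rsplit(":", 1)
            sessions.append(AdminSession(
                username, protocol, interface,
                ipaddress.IPv4Address(local_ip), int(local_port),
                ipaddress.IPv4Address(remote_ip), int(remote_port),
                f"{date} {time}"))
        except ValueError:  # also covers ipaddress.AddressValueError
            unparsed.append(raw)
    return sessions, unparsed


def audit_sessions(sessions, mgmt_networks, allowed_protocols=("sshv2", "https")):
    """Return (session, reason) pairs for sessions that violate the policy."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for s in sessions:
        if not any(s.remote_ip in n for n in nets):
            findings.append((s, OUTSIDE_MGMT))
        if s.protocol not in allowed_protocols:
            findings.append((s, UNEXPECTED_PROTO))
    return findings


def multi_source_accounts(sessions):
    """Map each username logged in from more than one remote IP to those IPs."""
    sources = defaultdict(set)
    for s in sessions:
        sources[s.username].add(s.remote_ip)
    return {user: [str(ip) for ip in sorted(ips)]
            for user, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    parsed, leftover = parse_admin_list(SAMPLE_OUTPUT)
    # 172.20.120.0/27 is a constructed management range for this demo.
    for session, reason in audit_sessions(parsed, ["172.20.120.0/27"]):
        print(f"{session.username} from {session.remote_ip}: {reason}")
    print(multi_source_accounts(parsed), leftover)
```
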

system admin status

View the status of the currently logged in admin and their session.

Syntax

get system admin status

Example

The output looks like this:

# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12

Variable Description

username Name of the admin account currently logged in.

login local The protocol used to start the current session.

login device The login information from the FortiGate unit including interface, IP address, and port number.

login remote The computer the user is logging in from including the IP address and port number.

login vdom The virtual domain the admin is currently logged into.

login started The time the current session started.

current time The current time of day on the FortiGate unit

system arp

View the ARP table entries on the FortiGate unit.

This command is not available in multiple VDOM mode.

Syntax

get system arp

Example output
# get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal

system auto-update

Use this command to display information about the status of FortiGuard updates on the FortiGate unit.

Syntax

get system auto-update status
get system auto-update versions

Example output
get system auto-update status
FDN availability: available at Thu Apr 1 08:22:58 2010

Push update: disable
Scheduled update: enable

Update daily: 8:22
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable

system central-management

View information about the Central Management System configuration.

Syntax

get system central-management

Example

The output looks like this:

FG600B3908600705 # get system central-management
status : enable
type : fortimanager
auto-backup : disable
schedule-config-restore: enable
schedule-script-restore: enable
allow-push-configuration: enable
allow-pushd-firmware: enable
allow-remote-firmware-upgrade: enable
allow-monitor : enable
fmg : 172.20.120.161
vdom : root
authorized-manager-only: enable
serial-number : "FMG-3K2404400063"

system checksum

View the checksums for global, root, and all configurations. These checksums are used by HA to compare the configurations of each cluster unit.

Syntax

get system checksum status

Example output
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
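Because HA compares these checksums between cluster units, the same comparison can be run offline on collected output to see which configuration scope has drifted. The following is an added example, not part of the Fortinet reference: it parses the output format shown above and reports, per unit, the scopes that differ from a reference unit. The subordinate output is constructed for the demo, the 16-byte length check is inferred from the example output, and the function names are assumptions of this example.

```python
import re

# Output copied from the "get system checksum status" example on this page.
PRIMARY_OUTPUT = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
"""

# Constructed output for a second cluster unit whose root VDOM has drifted.
SUBORDINATE_OUTPUT = """\
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
all: ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00
"""

# "<scope>: <hex byte> <hex byte> ..." as printed in the example output.
_LINE = re.compile(r"^\s*([\w.-]+):\s*((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s*$")
CHECKSUM_LEN = 16  # bytes per checksum in the example output (assumption)


def parse_checksums(text):
    """Return {scope: checksum bytes}; reject truncated checksum lines."""
    sums = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue  # echoed command, prompt or blank line
        scope, hex_bytes = match.groups()
        digest = bytes.fromhex(hex_bytes)  # fromhex ignores the spaces
        if len(digest) != CHECKSUM_LEN:
            raise ValueError(f"{scope}: expected {CHECKSUM_LEN} bytes, got {len(digest)}")
        sums[scope] = digest
    return sums


def out_of_sync(reference, other):
    """Sorted scopes whose checksum differs or exists on one side only."""
    scopes = set(reference) | set(other)
    return sorted(s for s in scopes if reference.get(s) != other.get(s))


def cluster_report(outputs, reference_unit):
    """Compare every unit's output against the reference unit.

    outputs maps a unit label to its raw command output. Units that match
    the reference in every scope are left out of the result.
    """
    reference = parse_checksums(outputs[reference_unit])
    report = {}
    for unit, text in outputs.items():
        if unit == reference_unit:
            continue
        drift = out_of_sync(reference, parse_checksums(text))
        if drift:
            report[unit] = drift
    return report


if __name__ == "__main__":
    print(cluster_report(
        {"primary": PRIMARY_OUTPUT, "subordinate": SUBORDINATE_OUTPUT},
        "primary"))
```
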

system cmdb status

View information about cmdbsvr on the FortiGate unit. FortiManager uses some of this information.

Syntax

get system cmdb status

Example output
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78

Variable Description

version Version of the cmdb software.

owner id Process ID of the cmdbsvr daemon.

update index The updated index shows how many changes have been made in cmdb.

config checksum The config file version used by FortiManager.

last request pid The last process to access the cmdb.

last request type Type of the last attempted access of cmdb.

last request The number of the last attempted access of cmdb.

system fortianalyzer-connectivity

Display connection and remote disk usage information about a connected FortiAnalyzer unit.

Syntax

get system fortianalyzer-connectivity status

Example output
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%

system fortiguard-log-service status

Command returns information about the status of the FortiGuard Log & Analysis Service including license and disk information.

Syntax

get system fortiguard-log-service status

Example output
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a

system fortiguard-service status

COMMAND REPLACED. Command returns information about the status of the FortiGuard service including the name, version, last update, method used for the last update and when the update expires. This information is shown for the AV Engine, virus definitions, attack definitions, and the IPS attack engine.

Syntax

get system fortiguard-service status

Example output
NAME               VERSION LAST UPDATE         METHOD EXPIRE
AV Engine          2.002   2006-01-26 19:45:00 manual 2006-06-12 08:00:00
Virus Definitions  6.513   2006-06-02 22:01:00 manual 2006-06-12 08:00:00
Attack Definitions 2.299   2006-06-09 19:19:00 manual 2006-06-12 08:00:00
IPS Attack Engine  1.015   2006-05-09 23:29:00 manual 2006-06-12 08:00:00

system ha-nonsync-csum

FortiManager uses this command to obtain a system checksum.

Syntax

get system ha-nonsync-csum

system ha status

Use this command to display information about an HA cluster. The command displays general HA configuration settings. The command also displays information about how the cluster unit that you have logged into is operating in the cluster.

Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status command displays information about the primary unit first, and also displays the HA state of the primary unit (the primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha manage command to log into a subordinate unit, (or if you use a console connection to log into a subordinate unit) the get system status command displays information about this subordinate unit first, and also displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster and standby for an active-passive cluster.

For a virtual cluster configuration, the get system ha status command displays information about how the cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2, the output of the get system ha status command shows virtual cluster 1 in the work state and virtual cluster 2 in the standby state. The get system ha status command also displays additional information about virtual cluster 1 and virtual cluster 2.

Syntax

get system ha status

The command display includes the following fields. For more information see the examples that follow.

Variable Description

Model The FortiGate model number.

Mode The HA mode of the cluster: a-a or a-p.

Group The group ID of the cluster.

Debug The debug status of the cluster.

ses_pickup The status of session pickup: enable or disable.

load_balance The status of the load-balance-all field: enable or disable. Displayed for active-active clusters only.

schedule The active-active load balancing schedule. Displayed for active-active clusters only.

Master

Slave

Master displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit.

Slave displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or backup) unit or units.

The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other cluster units.

If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get system ha status the subordinate unit that you have logged into appears at the top of the list of cluster units.

number of vcluster The number of virtual clusters. If virtual domains are not enabled, the cluster has one virtual cluster. If virtual domains are enabled the cluster has two virtual clusters.


vcluster 1

The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 1. If virtual domains are not enabled, vcluster 1 displays information for the cluster. If virtual domains are enabled, vcluster 1 displays information for virtual cluster 1.

The HA heartbeat IP address is 10.0.0.1 if you are logged into the primary unit of virtual cluster 1 and 10.0.0.2 if you are logged into a subordinate unit of virtual cluster 1.

vcluster 1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you have logged into is at the top of the list.

If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.

If virtual domains are not enabled and you connect to a subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you have logged into.

If virtual domains are enabled and you connect to the virtual cluster 1 primary unit CLI, the HA state of the cluster unit in virtual cluster 1 is work. The display lists the cluster units starting with the virtual cluster 1 primary unit.

If virtual domains are enabled and you connect to the virtual cluster 1 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 1 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.

In a cluster consisting of two cluster units operating without virtual domains enabled all clustering actually takes place in virtual cluster 1. HA is designed to work this way to support virtual clustering. If this cluster was operating with virtual domains enabled, adding virtual cluster 2 is similar to adding a new copy of virtual cluster 1. Virtual cluster 2 is visible in the get system ha status command output when you add virtual domains to virtual cluster 2.


vcluster 2

vcluster 2 only appears if virtual domains are enabled. vcluster 2 displays the HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if you are logged into a subordinate unit of virtual cluster 2.

vcluster 2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged into is at the top of the list.

If you connect to the virtual cluster 2 primary unit CLI, the HA state of the cluster unit in virtual cluster 2 is work. The display lists the cluster units starting with the virtual cluster 2 primary unit.

If you connect to the virtual cluster 2 subordinate unit CLI, the HA state of the cluster unit in virtual cluster 2 is standby. The display lists the cluster units starting with the subordinate unit that you are logged into.

system info admin status

Use this command to display administrators that are logged into the FortiGate unit.

Syntax

get system info admin status

Example

This shows sample output.

Index User name Login type From
0     admin     CLI        ssh(172.20.120.16)
1     admin     WEB        172.20.120.16

Variable Description

Index The order the administrators logged in.

User name The name of the user account logged in.

Login type Which interface was used to log in.

From The IP address this user logged in from.
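The following added example (not part of the Fortinet reference) parses the table printed by get system info admin status and flags administrator sessions whose From address lies outside a set of management networks. The management network list, the regular expression, and sample rows 2 and 3 are assumptions made for the illustration; rows 0 and 1 are the page's own sample.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class AdminSession(NamedTuple):
    index: int
    user: str
    login_type: str              # "CLI" or "WEB" in the page's sample
    source: str                  # raw "From" column
    address: Optional[IPAddress]


# A data row is: index, user name, login type, then the "From" value.
# Assumption: user names and login types contain no spaces.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S.*?)\s*$")

# Rows 0-1 come from the page; rows 2-3 are constructed for this example.
SAMPLE_OUTPUT = """\
Index User name Login type From
0     admin     CLI        ssh(172.20.120.16)
1     admin     WEB        172.20.120.16
2     auditor   WEB        203.0.113.45
3     admin     CLI        console
"""


def extract_address(source: str) -> Optional[IPAddress]:
    """Pull the IP out of 'ssh(172.20.120.16)' or a bare '172.20.120.16'."""
    wrapped = re.search(r"\(([^)]+)\)", source)
    candidate = wrapped.group(1) if wrapped else source
    try:
        return ipaddress.ip_address(candidate.strip())
    except ValueError:
        return None


def parse_admin_status(text: str) -> List[AdminSession]:
    """Turn the command output into AdminSession records, skipping the header."""
    sessions = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row is None:
            continue  # header, prompt echo or blank line
        index, user, login_type, source = row.groups()
        sessions.append(
            AdminSession(int(index), user, login_type, source, extract_address(source))
        )
    return sessions


def unexpected_admin_sessions(sessions, management_networks):
    """Return (session, reason) pairs for logins that need a second look."""
    networks = [ipaddress.ip_network(n) for n in management_networks]
    findings = []
    for s in sessions:
        if s.address is None:
            findings.append((s, "source is not an IP address; verify out of band"))
        elif not any(s.address in net for net in networks):
            findings.append((s, "source outside the management networks"))
    return findings


if __name__ == "__main__":
    # Hypothetical policy: admins may only connect from 172.20.120.0/24.
    for session, reason in unexpected_admin_sessions(
        parse_admin_status(SAMPLE_OUTPUT), ["172.20.120.0/24"]
    ):
        print(f"[{session.index}] {session.user} via {session.login_type} "
              f"from {session.source}: {reason}")
```
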


Related topics

"system info admin ssh" on page 106

system info admin ssh

Use this command to display information about the SSH configuration on the FortiGate unit such as:

the SSH port number

the interfaces with SSH enabled

the hostkey DSA fingerprint

the hostkey RSA fingerprint

Syntax

get system info admin ssh

Example output

# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49

system interface physical

Use this command to list information about the unit’s physical network interfaces.

Syntax

get system interface physical

The output looks like this:

# get system interface physical
== [onboard]
==[dmz1]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[dmz2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[internal]
mode: static
ip: 172.20.120.146 255.255.255.0
status: up


speed: 100
==[wan1]
mode: pppoe
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[modem]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a

system mgmt-csum

FortiManager uses this command to obtain checksum information from FortiGate units.

Syntax

get system mgmt-csum {global | vdom | all}

where

global retrieves global object checksums

vdom retrieves VDOM object checksums

all retrieves all object checksums.

system performance firewall

Use this command to display packet distribution and traffic statistics information for the FortiGate firewall.

Syntax

get system performance firewall packet-distribution
get system performance firewall statistics

Variable Description

packet-distribution

Display a list of packet size ranges and the number of packets of each size accepted by the firewall since the system restarted. You can use this information to learn about the packet size distribution on your network.

Note: these counts do not include packets offloaded to the NPU.

statistics

Display a list of traffic types (browsing, email, DNS etc) and the number of packets and number of payload bytes accepted by the firewall for each type since the FortiGate unit was restarted.


Example output

get system performance firewall packet-distribution
getting packet distribution statistics...
0 bytes - 63 bytes: 655283 packets
64 bytes - 127 bytes: 1678278 packets
128 bytes - 255 bytes: 58823 packets
256 bytes - 383 bytes: 70432 packets
384 bytes - 511 bytes: 1610 packets
512 bytes - 767 bytes: 3238 packets
768 bytes - 1023 bytes: 7293 packets
1024 bytes - 1279 bytes: 18865 packets
1280 bytes - 1500 bytes: 58193 packets
> 1500 bytes: 0 packets

get system performance firewall statistics
getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes
Generic TCP: 266287972352 packets, 8521215115264 bytes
Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes

system performance status

Use this command to display FortiGate CPU usage, memory usage, network usage, sessions, virus, IPS attacks, and system up time.

Syntax

get system performance status


Variable Description

CPU states

The percentages of CPU cycles used by user, system, nice and idle categories of processes. These categories are:

user - CPU usage of normal user-space processes

system - CPU usage of kernel

nice - CPU usage of user-space processes having other-than-normal running priority

idle - Idle CPU cycles

Adding user, system, and nice produces the total CPU usage as seen on the CPU widget on the web-based system status dashboard.

Memory states The percentage of memory used.

Average network usage

The average amount of network traffic in kbps in the last 1, 10 and 30 minutes.

Average sessions The average number of sessions connected to the FortiGate unit over the last 1, 10 and 30 minutes.

Virus caught The number of viruses the FortiGate unit has caught in the last 1 minute.

IPS attacks blocked The number of IPS attacks that have been blocked in the last 1 minute.

Uptime How long since the FortiGate unit has been restarted.

Example output

# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9 days, 22 hours, 0 minutes

system performance top

Use this command to display the list of processes running on the FortiGate unit (similar to the Linux top command).

You can use the following commands when get system performance top is running:

• Press Q or Ctrl+C to quit.


• Press P to sort the processes by the amount of CPU that the processes are using.

• Press M to sort the processes by the amount of memory that the processes are using.

Syntax

get system performance top [<delay_int> [<max_lines_int>]]

Variable Description

<delay_int> The delay, in seconds, between updating the process list. The default is 5 seconds.

<max_lines_int>

The maximum number of processes displayed in the output. The default is 20 lines.

system session list

This command returns a list of all the sessions active on the FortiGate unit, or in the current virtual domain if virtual domain mode is enabled.

Syntax

get system session list

Example output

PROTO  EXPIRE  SOURCE               SOURCE-NAT  DESTINATION         DESTINATION-NAT
tcp    0       127.0.0.1:1083       -           127.0.0.1:514       -
tcp    0       127.0.0.1:1085       -           127.0.0.1:514       -
tcp    10      127.0.0.1:1087       -           127.0.0.1:514       -
tcp    20      127.0.0.1:1089       -           127.0.0.1:514       -
tcp    30      127.0.0.1:1091       -           127.0.0.1:514       -
tcp    40      127.0.0.1:1093       -           127.0.0.1:514       -
tcp    60      127.0.0.1:1097       -           127.0.0.1:514       -
tcp    70      127.0.0.1:1099       -           127.0.0.1:514       -
tcp    80      127.0.0.1:1101       -           127.0.0.1:514       -
tcp    90      127.0.0.1:1103       -           127.0.0.1:514       -
tcp    100     127.0.0.1:1105       -           127.0.0.1:514       -
tcp    110     127.0.0.1:1107       -           127.0.0.1:514       -
tcp    103     172.20.120.16:3548   -           172.20.120.133:22   -
tcp    3600    172.20.120.16:3550   -           172.20.120.133:22   -
udp    175     127.0.0.1:1026       -           127.0.0.1:53        -
tcp    5       127.0.0.1:1084       -           127.0.0.1:514       -
tcp    5       127.0.0.1:1086       -           127.0.0.1:514       -
tcp    15      127.0.0.1:1088       -           127.0.0.1:514       -
tcp    25      127.0.0.1:1090       -           127.0.0.1:514       -
tcp    45      127.0.0.1:1094       -           127.0.0.1:514       -
tcp    59      127.0.0.1:1098       -           127.0.0.1:514       -
tcp    69      127.0.0.1:1100       -           127.0.0.1:514       -
tcp    79      127.0.0.1:1102       -           127.0.0.1:514       -
tcp    99      127.0.0.1:1106       -           127.0.0.1:514       -
tcp    109     127.0.0.1:1108       -           127.0.0.1:514       -
tcp    119     127.0.0.1:1110       -           127.0.0.1:514       -


Variable Description

PROTO The transfer protocol of the session.

EXPIRE How long before this session will terminate.

SOURCE The source IP address and port number.

SOURCE-NAT The source of the NAT. ‘-’ indicates there is no NAT.

DESTINATION The destination IP address and port number.

DESTINATION-NAT The destination of the NAT. ‘-’ indicates there is no NAT.

system session status

Use this command to display the number of active sessions on the FortiGate unit, or if virtual domain mode is enabled it returns the number of active sessions on the current VDOM. In both situations it will say ‘the current VDOM’.

Syntax

get system session status

Example output

The total number of sessions for the current VDOM: 3100

system session-helper-info list

Use this command to list the FortiGate session helpers and the protocol and port number configured for each one.

Syntax

get system session-helper-info list

Example output

list builtin help module:
mgcp
dcerpc
rsh
pmap
dns-tcp
dns-udp
rtsp
pptp
sip
mms
tns


h245
h323
ras
tftp
ftp
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=pptp, protocol=6 port=1723
help=rtsp, protocol=6 port=7070
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=rsh, protocol=6 port=512
help=dns-udp, protocol=17 port=53
help=tftp, protocol=17 port=69
help=tns, protocol=6 port=1521
help=mgcp, protocol=17 port=2727
help=dcerpc, protocol=17 port=135
help=rsh, protocol=6 port=514
help=ras, protocol=17 port=1719
help=ftp, protocol=6 port=21
help=mgcp, protocol=17 port=2427
help=dcerpc, protocol=6 port=135
help=mms, protocol=6 port=1863
help=h323, protocol=6 port=1720
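The following added example (not part of the Fortinet reference) parses the session helper listing shown above and compares the helper, protocol and port bindings against a site-approved baseline, so that helpers nobody asked for stand out in a hardening review. The APPROVED set is a hypothetical policy, and the parsing rules are inferred from the page's sample output only.

```python
import re
from collections import namedtuple

HelperBinding = namedtuple("HelperBinding", "helper protocol port")
PROTO_NAMES = {6: "tcp", 17: "udp"}  # IP protocol numbers seen in the output
BINDING_RE = re.compile(r"help=([\w+-]+),\s*protocol=(\d+)\s+port=(\d+)")

# Copied from the page's example output.
PAGE_OUTPUT = """\
list builtin help module:
mgcp
dcerpc
rsh
pmap
dns-tcp
dns-udp
rtsp
pptp
sip
mms
tns
h245
h323
ras
tftp
ftp
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=pptp, protocol=6 port=1723
help=rtsp, protocol=6 port=7070
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=rsh, protocol=6 port=512
help=dns-udp, protocol=17 port=53
help=tftp, protocol=17 port=69
help=tns, protocol=6 port=1521
help=mgcp, protocol=17 port=2727
help=dcerpc, protocol=17 port=135
help=rsh, protocol=6 port=514
help=ras, protocol=17 port=1719
help=ftp, protocol=6 port=21
help=mgcp, protocol=17 port=2427
help=dcerpc, protocol=6 port=135
help=mms, protocol=6 port=1863
help=h323, protocol=6 port=1720
"""

# Hypothetical baseline: the only bindings this site has decided to keep.
# The sip/tcp entry is constructed to show the "missing" case.
APPROVED = {
    HelperBinding("ftp", 6, 21),
    HelperBinding("dns-udp", 17, 53),
    HelperBinding("tftp", 17, 69),
    HelperBinding("sip", 6, 5060),
}


def parse_session_helpers(text):
    """Return (builtin module names in listed order, set of HelperBinding)."""
    builtin, bindings, section = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("list builtin help module"):
            section = "builtin"
        elif line.startswith("list session help"):
            section = "bindings"
        elif section == "builtin":
            builtin.append(line)
        elif section == "bindings":
            m = BINDING_RE.fullmatch(line)
            if m is None:
                raise ValueError("unrecognised binding line: %r" % line)
            bindings.add(HelperBinding(m.group(1), int(m.group(2)), int(m.group(3))))
    return builtin, bindings


def audit_helpers(text, approved):
    """Compare the bindings on the unit with the approved baseline."""
    builtin, bindings = parse_session_helpers(text)
    bound = {b.helper for b in bindings}
    return {
        "unexpected": sorted(bindings - approved),   # bound but not approved
        "missing": sorted(approved - bindings),      # approved but not bound
        "unbound_modules": [m for m in builtin if m not in bound],
    }


def describe(binding):
    proto = PROTO_NAMES.get(binding.protocol, "proto %d" % binding.protocol)
    return "%s on %s/%d" % (binding.helper, proto, binding.port)


if __name__ == "__main__":
    report = audit_helpers(PAGE_OUTPUT, APPROVED)
    for key in ("unexpected", "missing"):
        for binding in report[key]:
            print(key + ":", describe(binding))
    print("modules without a binding:", ", ".join(report["unbound_modules"]))
```
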

system session-info

Use this command to display session information.

Syntax

get system session-info expectation
get system session-info full-stat
get system session-info list
get system session-info statistics
get system session-info ttl

Variable Description

expectation Display expectation sessions.

full-stat

Display detailed information about the FortiGate session table including a session table and expect session table summary, firewall error statistics, and other information.

list

Display detailed information about all current FortiGate sessions. For each session the command displays the protocol number, traffic shaping information, policy information, state information, statistics and other information.


statistics

Display the same information as the full-stat command except for the session table and expect session table summary.

ttl

Display the current setting of the config system session-ttl command including the overall session timeout as well as the timeouts for specific protocols.

Example output

get system session-info statistics
misc info: session_count=15 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/32752 removeable=14
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=227 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0

system source-ip

Use this command to list defined source-IPs.

Syntax

get system source-ip

Example output

# get sys source-ip status
The following services force their communication to use
a specific source IP address:

service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
vdom=root service=FSAE name=pc26 source-ip=172.18.19.101
vdom=V1 service=RADIUS name=pc25-Radius source-ip=172.16.200.101
vdom=V1 service=TACACS+ name=pc25-tacacs+ source-ip=172.16.200.101
vdom=V1 service=FSAE name=pc16 source-ip=172.16.200.101


system startup-error-log

Use this command to display information about system startup errors. This command only displays information if an error occurs when the FortiGate unit starts up.

Syntax

get system startup-error-log

system status

Use this command to display system status information including:

FortiGate firmware version, build number and branch point

virus and attack definitions version

FortiGate unit serial number and BIOS version

log hard disk availability

host name

operation mode

virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs and VDOM status

current HA status

system time

the revision of the WiFi chip in a FortiWiFi unit

Syntax

get system status

Example output

Version: Fortigate-620B v4.0,build0271,100330 (MR2)
Virus-DB: 11.00643(2010-03-31 17:49)
Extended DB: 11.00643(2010-03-31 17:50)
Extreme DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00778(2010-03-31 12:55)
FortiClient application signature package: 1.167(2010-04-01 10:11)
Serial-Number: FG600B3908600705
BIOS version: 04000006
Log hard disk: Available
Hostname: 620_ha_1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable


FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 271
Release Version Information: MR2
System time: Thu Apr 1 15:27:29 2010

test

Use this command to display information about FortiGate applications and perform operations on FortiGate applications. You can specify an application name and a test level. Enter ? to display the list of applications. The test level performs various functions depending on the application but can include displaying memory usage, dropping connections and restarting the application.

The test levels are different for different applications. In some cases when you enter the command and include an application name but no test level (or an invalid test level) the command output includes a list of valid test levels.

Syntax

get test <application_name_str> <test_level_int>

Example output

get test http
Proxy Worker 0 - http
[0:H] HTTP Proxy Test Usage
[0:H]
[0:H] 2: Drop all connections
[0:H] 22: Drop max idle connections
[0:H] 222: Drop all idle connections
[0:H] 4: Display connection stat
[0:H] 44: Display info per connection
[0:H] 444: Display connections per state
[0:H] 4444: Display per-VDOM statistics
[0:H] 44444: Display information about idle connections
[0:H] 55: Display tcp info per connection

get test http 4
HTTP Common
Current Connections 0/8032

HTTP Stat
Bytes sent 0 (kb)
Bytes received 0 (kb)
Error Count (alloc) 0
Error Count (accept) 0
Error Count (bind) 0
Error Count (connect) 0
Error Count (socket) 0
Error Count (read) 0
Error Count (write) 0
Error Count (retry) 0
Error Count (poll) 0


Error Count (scan reset) 0
Error Count (urlfilter wait) 0
Last Error 0
Web responses clean 0
Web responses scan errors 0
Web responses detected 0
Web responses infected with worms 0
Web responses infected with viruses 0
Web responses infected with susp 0
Web responses file blocked 0
Web responses file exempt 0
Web responses bannedword detected 0
Web requests oversize pass 0
Web requests oversize block 0
URL requests exempt 0
URL requests blocked 0
URL requests passed 0
URL requests submit error 0
URL requests rating error 0
URL requests rating block 0
URL requests rating allow 0
URL requests infected with worms 0
Web requests detected 0
Web requests file blocked 0
Web requests file exempt 0
POST requests clean 0
POST requests scan errors 0
POST requests infected with viruses 0
POST requests infected with susp 0
POST requests file blocked 0
POST requests bannedword detected 0
POST requests oversize pass 0
POST requests oversize block 0
Web request backlog drop 0
Web response backlog drop 0

HTTP Accounting
setup_ok=0 setup_fail=0 conn_ok=0 conn_inp=0
urlfilter=0/0/0 uf_lookupf=0
scan=0 clt=0 srv=0

user adgrp

Use this command to list Directory Service user groups.

Syntax

get user adgrp [<dsgroupname>]

If you do not specify a group name, the command returns information for all Directory Service groups. For example:

== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1


== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1

If you specify a Directory Service group name, the command returns information for only that group. For example:

name : DOCTEST/Developers
server-name : ADserv1

The server-name is the name you assigned to the Directory Service server when you configured it in the user fsae command.

vpn ike gateway

Use this command to display information about FortiGate IPsec VPN IKE gateways.

Syntax

get vpn ike gateway [<gateway_name_str>]

vpn ipsec tunnel details

Use this command to display information about IPsec tunnels.

Syntax

get vpn ipsec tunnel details

vpn ipsec tunnel name

Use this command to display information about a specified IPsec VPN tunnel.

Syntax

get vpn ipsec tunnel name <tunnel_name_str>


vpn ipsec stats crypto

Use this command to display information about the FortiGate hardware and software crypto configuration.

Syntax

get vpn ipsec stats crypto

Example output

get vpn ipsec stats crypto

IPsec crypto devices in use:

CP6 (encrypted/decrypted):
        null:   0      0
        des:    0      0
        3des:   0      0
        aes:    0      0
CP6 (generated/validated):
        null:   0      0
        md5:    0      0
        sha1:   0      0
        sha256: 0      0

SOFTWARE (encrypted/decrypted):
        null:   0      0
        des:    0      0
        3des:   0      0
        aes:    0      0
SOFTWARE (generated/validated):
        null:   0      0
        md5:    0      0
        sha1:   0      0
        sha256: 0      0

vpn ipsec stats tunnel

Use this command to view information about IPsec tunnels.

Syntax

get vpn ipsec stats tunnel

Example output

# get vpn ipsec stats tunnel
tunnels
total: 0
static/ddns: 0
dynamic: 0


manual: 0
errors: 0
selectors
total: 0
up: 0

vpn ssl monitor

Use this command to display information about logged in SSL VPN users and current SSL VPN sessions.

Syntax

get vpn ssl monitor

Example output

vpn status l2tp

Use this command to display information about L2TP tunnels.

Syntax

get vpn status l2tp

vpn status pptp

Use this command to display information about PPTP tunnels.

Syntax

get vpn status pptp

vpn status ssl

Use this command to display SSL VPN tunnels and to also verify that the FortiGate unit includes the CP6 or greater FortiASIC device that supports SSL acceleration.

Syntax

get vpn status ssl hw-acceleration-status
get vpn status ssl list


Variable Description

hw-acceleration-status

Display whether or not the FortiGate unit contains a FortiASIC device that supports SSL acceleration.

list Display information about all configured SSL VPN tunnels.

webfilter ftgd-statistics

Use this command to display FortiGuard Web Filtering rating cache and daemon statistics.

Syntax

get webfilter ftgd-statistics

Example output

get webfilter ftgd-statistics

Rating Statistics:
=====================
DNS failures : 0
DNS lookups : 0
Data send failures : 0
Data read failures : 0
Wrong package type : 0
Hash table miss : 0
Unknown server : 0
Incorrect CRC : 0
Proxy request failures : 0
Request timeout : 0
Total requests : 0
Requests to FortiGuard servers : 0
Server errored responses : 0
Relayed rating : 0
Invalid profile : 0

Allowed : 0
Blocked : 0
Logged : 0
Errors : 0

Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0

Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0

Requests : 0


Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0

No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0

Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%
Exact nodes : 0%

Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%

webfilter status

Use this command to display FortiGate Web Filtering rating information.

Syntax

get webfilter status [<refresh-rate_int>]

wireless-controller client-info

Use this command to get information about WiFi clients.

Syntax

get wireless-controller client-info <vfid> <interface> <client_ip>

The output looks like this:

# get wireless-controller client-info 0 test-local 192.168.2.100
count=1
status: sta_mac=10:fe:ed:26:aa:e0 ap_sn=FP320C3X14006184, ap_name=FP320C3X14006184, chan=6, radio_type=11N

wireless-controller rf-analysis

Use this command to show information about RF conditions at the access point.


Syntax

get wireless-controller rf-analysis [<wtp_id>]

Example output

# get wireless-controller rf-analysis
<wtp-id> wtp id

FWF60C3G11004319 (global) # get wireless-controller rf-analysis
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
channel rssi-total rf-score overlap-ap interfere-ap
1       418        1        24         26
2       109        5        0          34
3       85         7        1          34
4       64         9        0          35
5       101        6        1          35
6       307        1        8          11
7       82         7        0          16
8       69         8        1          15
9       42         10       0          15
10      53         10       0          14
11      182        1        5          6
12      43         10       0          6
13      20         10       0          5
14      8          10       0          5
Controller: FWF60C3G11004319-0
channel rssi_total
1       418
2       109
3       85
4       64
5       101
6       307
7       82
8       69
9       42
10      53
11      182
12      43
13      20
14      8

wireless-controller scan

Use this command to view the list of access points detected by wireless scanning.

Syntax

get wireless-controller scan

Example output

CMW SSID BSSID CHAN RATE S:N INT CAPS ACT LIVE AGE WIRED
UNN 00:0e:8f:24:18:6d 64 54M 16:0 100 Es N 62576 1668 ?


UNN ftiguest 00:15:55:23:d8:62 157 130M 6:0 100 EPs N 98570 2554 ?

wireless-controller status

Use this command to view the numbers of wtp sessions and clients.

Syntax

get wireless-controller status

Example output

# get wireless-controller status
Wireless Controller :
wtp-session-count: 1
client-count : 1/0

wireless-controller vap-status

Use this command to view information about your SSIDs.

Syntax

get wireless-controller vap-status

Example output

# get wireless-controller vap-status
WLAN: mesh.root
name : mesh.root
vdom : root
ssid : fortinet.mesh.root
status : up
mesh backhaul : yes
ip : 0.0.0.0
mac : 00:ff:0a:57:95:ca
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : 10.10.80.1
mac : 00:ff:45:e1:55:81
station info : 1/0

wireless-controller wlchanlistlic

Use this command to display a list of the channels allowed in your region, including


the maximum permitted power for each channel

the channels permitted for each wireless type (802.11n, for example)

The list is in XML format.

Syntax

get wireless-controller wlchanlistlic

Sample output

country name: UNITED STATES2, country code:841, iso name:US
channels on 802.11A band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11B band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11G band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band without channel bonding:
channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2
channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2


channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band with channel bonding plus:channel= 1 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 2 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 3 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 4 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 2.4GHz band with channel bonding minus:channel= 5 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 6 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 7 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 8 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 9 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 10 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2channel= 11 maxRegTxPower= 27 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 5GHz band without channel bonding:channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

channels on 802.11N 5GHz band with channel bonding all:channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2

wireless-controller wtp-status

Syntax

get wireless-controller wtp-status


Example output

# get wireless-controller wtp-status
WTP: FAP22B3U11005354 0-192.168.3.110:5246
wtp-id : FAP22B3U11005354
region-code :
name :
mesh-uplink : mesh
mesh-downlink : disabled
mesh-hop-count : 1
parent-wtp-id :
software-version :
local-ipv4-addr : 0.0.0.0
board-mac : 00:00:00:00:00:00
join-time : Mon Apr 2 10:23:32 2012
connection-state : Disconnected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Monitor
Radio 2 : Ap
country-name : NA
country-code : N/A
client-count : 0
base-bssid : 00:00:00:00:00:00
max-vaps : 7
oper-chan : 0
Radio 3 : Not Exist
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
wtp-id : FWF60C-WIFI0
region-code : ALL
name :
mesh-uplink : ethernet
mesh-downlink : enabled
mesh-hop-count : 0
parent-wtp-id :
software-version : FWF60C-v5.0-build041
local-ipv4-addr : 127.0.0.1
board-mac : 00:09:0f:fe:cc:56
join-time : Mon Apr 2 10:23:35 2012
connection-state : Connected
image-download-progress: 0
last-failure : 0 -- N/A
last-failure-param:
last-failure-time: N/A
Radio 1 : Ap
country-name : US
country-code : N/A
client-count : 1
base-bssid : 00:0e:8e:3b:63:99
max-vaps : 7
oper-chan : 1
Radio 2 : Not Exist
Radio 3 : Not Exist


tree

The tree command displays FortiOS config CLI commands in a tree structure called the configuration tree. Each configuration command forms a branch of the tree.

Syntax

tree [branch] [sub-branch]

If you enter the tree command from the top of the configuration tree, the command displays the complete configuration tree. Commands are displayed in the order that they are processed when the FortiGate unit starts up. For example, the following output shows the first 10 lines of tree command output:

tree
-- -- system -- [vdom] --*name (12)
+- vcluster-id (0,0)
|- <global> -- language
|- gui-ipv6
|- gui-voip-profile
|- gui-lines-per-page (20,1000)
|- admintimeout (0,0)
|- admin-concurrent
|- admin-lockout-threshold (0,0)
|- admin-lockout-duration (1,2147483647)
|- refresh (0,2147483647)
|- interval (0,0)
|- failtime (0,0)
|- daily-restart
|- restart-time
...

You can include a branch name with the tree command to view the commands in that branch:

tree user
-- user -- [radius] --*name (36)
|- server (64)
|- secret
|- secondary-server (64)
|- secondary-secret
...
|- [tacacs+] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
...
|- [ldap] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
|- port (1,65535)
...

You can include a branch and sub branch name with the tree command to view the commands in that sub branch:

tree user local
-- [local] --*name (36)
|- status
|- type
|- passwd
|- ldap-server (36)
|- radius-server (36)
+- tacacs+-server (36)
...

If you enter the tree command from inside the configuration tree, the command displays the tree for the current command:

config user ldap
tree
-- [ldap] --*name (36)
|- server (64)
|- cnid (21)
|- dn (512)
|- port (1,65535)
|- type
...

The tree command output includes information about field limits. These apply in both the CLI and the web-based manager. For a numeric field, the two numbers in parentheses show the lower and upper limits. For example, (0,32) indicates that values from 0 to 32 inclusive are accepted. For string values, the number in parentheses is one more than the maximum number of characters permitted.

In the following example, the FQDN can contain up to 255 characters.

config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
+- [tags] --*name (64)
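The field-limit rules described above, as an added example that is not Fortinet code: a Python parser that reads tree output and checks candidate values against the printed limits before a configuration change is pushed. The sample input is constructed from output shown on this page; the "table.field" key naming and the reading of (0,0) as "no range reported" are assumptions of this example.

```python
import re

# Constructed sample: a subset of the `config firewall address` tree output above.
SAMPLE_TREE = """\
-- [address] --*name (64)
|- subnet
|- fqdn (256)
|- cache-ttl (0,86400)
|- color (0,32)
+- [tags] --*name (64)
"""

# Last token on a line: optional '*', field name, optional "(n)" or "(lo,hi)".
FIELD = re.compile(
    r"\*?(?P<name>[A-Za-z0-9][\w.+-]*)\s*(?:\((?P<a>\d+)(?:,(?P<b>\d+))?\))?\s*$")
TABLE = re.compile(r"\[([^\]]+)\]")

def parse_limits(tree_text):
    """Return {field: ('int', lo, hi) | ('str', max_chars) | ('any',)}."""
    limits = {}
    for line in tree_text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue  # blank line or "..." elision
        # Assumption: a field that follows a [table] on the same line
        # is stored under the key "table.field".
        table = TABLE.search(line, 0, m.start())
        key = f"{table.group(1)}.{m['name']}" if table else m["name"]
        a, b = m["a"], m["b"]
        if a is None or (a, b) == ("0", "0"):
            # No limit printed. Assumption: (0,0) means "no range reported".
            limits[key] = ("any",)
        elif b is None:
            limits[key] = ("str", int(a) - 1)      # (n): at most n-1 characters
        else:
            limits[key] = ("int", int(a), int(b))  # (lo,hi): inclusive range
    return limits

def is_valid(limits, field, value):
    """Check a candidate value (a string) against the parsed limit for `field`."""
    rule = limits[field]
    if rule[0] == "str":
        return len(value) <= rule[1]
    if rule[0] == "int":
        try:
            return rule[1] <= int(value) <= rule[2]
        except ValueError:
            return False
    return True
```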


Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
