fortigate-cli-52 (1)

FortiOS™ CLI Reference for FortiOS 5.2

Upload: mauricio-flores

Post on 02-Jun-2018

  • 8/10/2019 fortigate-cli-52 (1)

    FortiOS

    CLI Reference for FortiOS 5.2

    FortiOS CLI Reference for FortiOS 5.2

    August 14, 2014

    01-520-99686-20140814

    Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

    Technical Documentation docs.fortinet.com

    Knowledge Base kb.fortinet.com

    Customer Service & Support support.fortinet.com

    Training Services training.fortinet.com

    FortiGuard fortiguard.com

    Document Feedback [email protected]

    Contents

    Introduction..................................................................................................... 19

    How this guide is organized............................................................................. 19

    Availability of commands and options............................................................. 19

    Managing Firmware with the FortiGate BIOS.............................................. 20

    Accessing the BIOS ............................................................................................... 20

    Navigating the menu........................................................................................ 20

    Loading firmware ................................................................................................... 21

    Configuring TFTP parameters.......................................................................... 21

    Initiating TFTP firmware transfer...................................................................... 22

    Booting the backup firmware ................................................................................ 22

    What's new...................................................................................................... 23

    antivirus........................................................................................................... 30

    heuristic ................................................................................................................. 31

    mms-checksum..................................................................................................... 32

    notification ............................................................................................................. 33

    profile ..................................................................................................................... 34

    config {http | https | ftp | ftps | imap | imaps | mapi | pop3 | pop3s | smb | smtp | smtps | nntp}.................................................................................................. 35

    config nac-quar................................................................................................ 36

    quarantine.............................................................................................................. 37

    service.................................................................................................................... 40

    settings .................................................................................................................. 41

    application....................................................................................................... 42

    custom................................................................................................................... 43

    list .......................................................................................................................... 44

    name...................................................................................................................... 47

    dlp .................................................................................................................... 48

    filepattern............................................................................................................... 49

    fp-doc-source........................................................................................................ 51

    fp-sensitivity........................................................................................................... 53

    sensor .................................................................................................................... 54

    settings .................................................................................................................. 56

    endpoint-control............................................................................................. 57

    forticlient-registration-sync.................................................................................... 58

    profile ..................................................................................................................... 59

    settings .................................................................................................................. 64

    firewall ............................................................................................................. 65

    address, address6 ................................................................................................. 66

    addrgrp, addrgrp6 ................................................................................................. 69

    auth-portal ............................................................................................................. 70

    carrier-endpoint-bwl .............................................................................................. 71

    carrier-endpoint-ip-filter......................................................................................... 73

    central-nat.............................................................................................................. 74

    dnstranslation ........................................................................................................ 75

    DoS-policy, DoS-policy6 ....................................................................................... 76

    gtp.......................................................................................................................... 78

    identity-based-route .............................................................................................. 94

    interface-policy ...................................................................................................... 95

    interface-policy6 .................................................................................................... 97

    ipmacbinding setting ............................................................................................. 99

    ipmacbinding table .............................................................................................. 100

    ippool, ippool6..................................................................................................... 101

    ip-translation........................................................................................................ 103

    ipv6-eh-filter......................................................................................................... 104

    ldb-monitor .......................................................................................................... 105

    local-in-policy, local-in-policy6............................................................................ 107

    mms-profile.......................................................................................................... 108

    config dupe {mm1 | mm4}.............................................................................. 115

    config flood {mm1 | mm4}.............................................................................. 117

    config log ....................................................................................................... 118

    config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}. 118config notif-msisdn ........................................................................................ 122

    multicast-address ................................................................................................ 123

    multicast-policy ................................................................................................... 125

    policy, policy6...................................................................................................... 127

    policy46, policy64 ................................................................................................ 143

    profile-group ........................................................................................................ 145

    profile-protocol-options....................................................................................... 147

    config http...................................................................................................... 149

    config ftp........................................................................................................ 150

    config dns ...................................................................................................... 151

    config imap .................................................................................................... 151

    config mapi .................................................................................................... 152

    config pop3.................................................................................................... 152

    config smtp .................................................................................................... 153

    config nntp..................................................................................................... 154

    config mail-signature ..................................................................................... 155

    schedule onetime................................................................................................. 156

    schedule recurring ............................................................................................... 157

    schedule group.................................................................................................... 158

    service category................................................................................................... 159

    service custom..................................................................................................... 160

    service group ....................................................................................................... 164

    shaper per-ip-shaper........................................................................................... 165

    shaper traffic-shaper ........................................................................................... 167

    sniffer ................................................................................................................... 168

    sniff-interface-policy............................................................................................ 171

    sniff-interface-policy6 .......................................................................................... 174

    ssl setting............................................................................................................. 177

    ssl-ssh-profile ...................................................................................................... 178

    config {ftps | https | imaps | pop3s | smtps} .................................................. 179

    config ssl........................................................................................................ 180

    config ssl-exempt .......................................................................................... 180

    config ssl-server............................................................................................. 180

    ttl-policy ............................................................................................................... 182

    vip ........................................................................................................................ 183

    vip46 .................................................................................................................... 203

    vip6 ...................................................................................................................... 205

    vip64 .................................................................................................................... 207

    vipgrp................................................................................................................... 209

    vipgrp46............................................................................................................... 210

    vipgrp64............................................................................................................... 211

    ftp-proxy........................................................................................................ 212

    explicit.................................................................................................................. 213

    gui .................................................................................................................. 214

    console ................................................................................................................ 215

    icap ................................................................................................................ 216

    profile ................................................................................................................... 217

    server ................................................................................................................... 218

    ips .................................................................................................................. 219

    custom................................................................................................................. 220

    decoder................................................................................................................ 221

    global ................................................................................................................... 222

    rule ....................................................................................................................... 224

    sensor .................................................................................................................. 225

    setting.................................................................................................................. 230

    log .................................................................................................................. 231

    custom-field......................................................................................................... 232

    {disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter ............................................................. 233

    disk setting........................................................................................................... 237

    eventfilter ............................................................................................................. 241

    {fortianalyzer | syslogd} override-filter ................................................................. 242

    fortianalyzer override-setting ............................................................................... 243

    {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting .......................................... 244

    fortiguard setting.................................................................................................. 247

    gui-display ........................................................................................................... 248

    memory setting.................................................................................................... 249

    memory global-setting......................................................................................... 250

    setting.................................................................................................................. 251

    syslogd override-setting ...................................................................................... 253

    {syslogd | syslogd2 | syslogd3} setting................................................................ 255

    threat-weight........................................................................................................ 257

    webtrends setting ................................................................................................ 259

    netscan.......................................................................................................... 260

    assets................................................................................................................... 261

    settings ................................................................................................................ 263

    pbx ................................................................................................................. 265

    dialplan ................................................................................................................ 266

    did........................................................................................................................ 268

    extension ............................................................................................................. 269

    global ................................................................................................................... 271

    ringgrp.................................................................................................................. 273

    voice-menu .......................................................................................................... 274

    sip-trunk............................................................................................................... 275

    report ............................................................................................................. 277

    chart..................................................................................................................... 278

    dataset................................................................................................................. 283

    layout ................................................................................................................... 284

    style...................................................................................................................... 289

    summary .............................................................................................................. 293

    theme................................................................................................................... 294

    router ............................................................................................................. 297

    access-list, access-list6 ...................................................................................... 298

    aspath-list ............................................................................................................ 300

    auth-path ............................................................................................................. 301

    bfd........................................................................................................................ 302

    bgp....................................................................................................................... 303

    config router bgp ........................................................................................... 307

    config admin-distance ................................................................................... 310

    config aggregate-address, config aggregate-address6 ................................ 311

    config neighbor.............................................................................................. 312

    config network, config network6 ................................................................... 321

    config redistribute, config redistribute6......................................................... 322

    community-list ..................................................................................................... 323

    gwdetect.............................................................................................................. 325

    isis........................................................................................................................ 326

    config isis-interface........................................................................................ 330

    config isis-net................................................................................................. 331

    config redistribute {bgp | connected | ospf | rip | static} ................................ 331

    config summary-address ............................................................................... 332

    key-chain ............................................................................................................. 333

    multicast .............................................................................................................. 335

    Sparse mode.................................................................................................. 335

    Dense mode................................................................................................... 336

    config router multicast ................................................................................... 338

    config interface .............................................................................................. 339

    config pim-sm-global..................................................................................... 342

    multicast6 ............................................................................................................ 347

    multicast-flow ...................................................................................................... 348

    ospf...................................................................................................................... 349

    config router ospf........................................................................................... 352

    config area ..................................................................................................... 354

    config distribute-list ....................................................................................... 359

    config neighbor .............................................................................................. 360

    config network ............................................................................................... 361

    config ospf-interface...................................................................................... 362

    config redistribute.......................................................................................... 365

    config summary-address ............................................................................... 366

    ospf6.................................................................................................................... 367

    policy, policy6...................................................................................................... 373

    prefix-list, prefix-list6 ........................................................................................... 377

    rip......................................................................................................................... 379

    config router rip.............................................................................................. 380

    config distance............................................................................................... 382

    config distribute-list ....................................................................................... 382

    config interface .............................................................................................. 383

    config neighbor .............................................................................................. 385

    config network ............................................................................................... 386

    config offset-list ............................................................................................. 386

    config redistribute.......................................................................................... 387

    ripng..................................................................................................................... 388

    config distance............................................................................................... 390

    route-map ............................................................................................................ 394

    Using route maps with BGP .......................................................................... 396

    setting.................................................................................................................. 401

    static .................................................................................................................... 402

    static6 .................................................................................................................. 404

    spamfilter ...................................................................................................... 405

    bwl ....................................................................................................................... 406

    bword................................................................................................................... 409

    dnsbl .................................................................................................................... 411

    fortishield ............................................................................................................. 413

    iptrust................................................................................................................... 415

    mheader............................................................................................................... 416

    options................................................................................................................. 418

    profile ................................................................................................................... 419

    config {imap | imaps | mapi | pop3 | pop3s | smtp | smtps}........................... 421

    config {gmail | msn-hotmail | yahoo-mail}...................................................... 422

    switch-controller .......................................................................................... 423

    managed-switch .................................................................................................. 424

    vlan ...................................................................................................................... 425

    system ........................................................................................................... 426

    3g-modem custom .............................................................................................. 427

    accprofile ............................................................................................................. 428

    admin................................................................................................................... 431

    amc...................................................................................................................... 440

    arp-table .............................................................................................................. 441

    auto-install ........................................................................................................... 442

    autoupdate push-update ..................................................................................... 443

    autoupdate schedule ........................................................................................... 444

    autoupdate tunneling........................................................................................... 445

    aux ....................................................................................................................... 446

    bug-report............................................................................................................ 447

    bypass ................................................................................................................. 448

    central-management............................................................................................ 449

    console ................................................................................................................ 451

    ddns..................................................................................................................... 452

    dedicated-mgmt .................................................................................................. 454

    dhcp reserved-address........................................................................................ 455

    dhcp server.......................................................................................................... 456

    dhcp6 server........................................................................................................ 461

    dns ....................................................................................................................... 463

    dns-database....................................................................................................... 464

    dns-server............................................................................................................ 467

    elbc ...................................................................................................................... 468

    email-server ......................................................................................................... 469

    fips-cc .................................................................................................................. 470

    fortiguard ............................................................................................................. 471

    fortisandbox......................................................................................................... 476

    geoip-override...................................................................................................... 477

    gi-gk..................................................................................................................... 478

    global ................................................................................................................... 479

    gre-tunnel............................................................................................................. 498

    ha ......................................................................................................................... 499

    interface ............................................................................................................... 511

    ipip-tunnel............................................................................................................ 539

    ips-urlfilter-dns..................................................................................................... 540

    ipv6-neighbor-cache............................................................................................ 541

    ipv6-tunnel ........................................................................................................... 542

    mac-address-table .............................................................................................. 543

    modem................................................................................................................. 544

    monitors............................................................................................................... 548

    nat64.................................................................................................................... 550

    network-visibility .................................................................................................. 551

    npu....................................................................................................................... 552

    ntp........................................................................................................................ 553

    object-tag ............................................................................................................ 554

    password-policy .................................................................................................. 555

    physical-switch .................................................................................................... 556

    port-pair ............................................................................................................... 557

    probe-response ................................................................................................... 558

    proxy-arp ............................................................................................................. 559

    pstn...................................................................................................................... 560

    replacemsg admin ............................................................................................... 562

    replacemsg alertmail............................................................................................ 563

    replacemsg auth .................................................................................................. 565

    replacemsg device-detection-portal.................................................................... 569

    replacemsg ec ..................................................................................................... 570

    replacemsg fortiguard-wf .................................................................................... 572

    replacemsg ftp..................................................................................................... 574

    replacemsg http................................................................................................... 576

    replacemsg im ..................................................................................................... 579

    replacemsg mail................................................................................................... 581

    replacemsg mm1................................................................................................. 584

    replacemsg mm3................................................................................................. 587

    replacemsg mm4................................................................................................. 589

    replacemsg mm7................................................................................................. 591

    replacemsg-group ............................................................................................... 594

    replacemsg-group ............................................................................................... 596

    replacemsg-image ............................................................................................... 599

    replacemsg nac-quar........................................................................................... 600

    replacemsg nntp.................................................................................................. 602

    replacemsg spam ................................................................................................ 604

    replacemsg sslvpn............................................................................................... 607

    replacemsg traffic-quota ..................................................................................... 608

    replacemsg utm................................................................................................... 609

    replacemsg webproxy ......................................................................................... 611

    resource-limits ..................................................................................................... 612

    server-probe ........................................................................................................ 614

    session-helper ..................................................................................................... 615

    session-sync........................................................................................................ 617

    session-ttl ............................................................................................................ 620

    settings ................................................................................................................ 622

    sit-tunnel .............................................................................................................. 628

    sflow..................................................................................................................... 629

    sms-server ........................................................................................................... 630

    snmp community ................................................................................................. 631

    snmp sysinfo........................................................................................................ 635

    snmp user ............................................................................................................ 637

    sp ......................................................................................................................... 640

    storage................................................................................................................. 642

    stp........................................................................................................................ 643

    switch-interface ................................................................................................... 644

    tos-based-priority ................................................................................................ 646

    vdom-dns............................................................................................................. 647

    vdom-link ............................................................................................................. 648

    vdom-property..................................................................................................... 649

    vdom-radius-server ............................................................................................. 652

    vdom-sflow.......................................................................................................... 653

    virtual-switch........................................................................................................ 654

    wccp .................................................................................................................... 655

    zone ..................................................................................................................... 658

    user ................................................................................................................ 659

    Configuring users for authentication.................................................................... 660

    Configuring users for password authentication............................................. 660

    Configuring peers for certificate authentication............................................. 660

    ban....................................................................................................................... 661

    device .................................................................................................................. 664

    device-access-list................................................................................................ 665

    device-category................................................................................................... 666

    device-group........................................................................................................ 667

    fortitoken.............................................................................................................. 668

    fsso ...................................................................................................................... 669

    fsso-polling .......................................................................................................... 671

    group.................................................................................................................... 673

    ldap...................................................................................................................... 677

    local ..................................................................................................................... 680

    password-policy .................................................................................................. 682

    peer...................................................................................................................... 683

    peergrp ................................................................................................................ 685

    pop3..................................................................................................................... 686

    radius ................................................................................................................... 687

    security-exempt-list............................................................................................. 692

    setting.................................................................................................................. 693

    tacacs+ ................................................................................................................ 695

    voip ................................................................................................................ 696

    profile ................................................................................................................... 697

    config sip ....................................................................................................... 699

    config sccp .................................................................................................... 708

    vpn ................................................................................................................. 709

    certificate ca ........................................................................................................ 710

    certificate crl ........................................................................................................ 711

    certificate local..................................................................................................... 713

    certificate ocsp-server ......................................................................................... 715

    certificate remote................................................................................................. 716

    certificate setting ................................................................................................. 717

    ipsec concentrator............................................................................................... 718

    ipsec forticlient..................................................................................................... 719

    ipsec manualkey .................................................................................................. 720

    ipsec manualkey-interface................................................................................... 723

    ipsec phase1........................................................................................................ 726

    ipsec phase1-interface ........................................................................................ 735

    ipsec phase2........................................................................................................ 749

    ipsec phase2-interface ........................................................................................ 756

    l2tp....................................................................................................................... 765

    pptp ..................................................................................................................... 767

    ssl settings........................................................................................................... 769

    ssl web host-check-software............................................................................... 775

    ssl web portal....................................................................................................... 777

    ssl web realm....................................................................................................... 785

    ssl web user-bookmark ....................................................................................... 786

    ssl web virtual-desktop-app-list .......................................................................... 789

    wanopt........................................................................................................... 790

    auth-group ........................................................................................................... 791

    peer...................................................................................................................... 792

    profile ................................................................................................................... 793

    settings ................................................................................................................ 797

    ssl-server ............................................................................................................. 798

    storage................................................................................................................. 801

    webcache ............................................................................................................ 802

    config cache-exemption-list .......................................................................... 804

    webfilter......................................................................................................... 805

    content................................................................................................................. 806

    content-header .................................................................................................... 808

    fortiguard ............................................................................................................. 809

    ftgd-local-cat ....................................................................................................... 811

    ftgd-local-rating ................................................................................................... 812

    ftgd-warning ........................................................................................................ 813

    ips-urlfilter-cache-setting..................................................................................... 815

    ips-urlfilter-setting................................................................................................ 816

    override ................................................................................................................ 817

    override-user........................................................................................................ 818

    profile ................................................................................................................... 820

    config ftgd-wf................................................................................................. 824

    config override ............................................................................................... 826

    config quota................................................................................................... 826

    config web ..................................................................................................... 827

    search-engine ...................................................................................................... 828

    urlfilter .................................................................................................................. 829

    web-proxy ..................................................................................................... 831

    explicit.................................................................................................................. 832

    forward-server ..................................................................................................... 836

    forward-server-group........................................................................................... 837

    global ................................................................................................................... 838

    url-match.............................................................................................................. 840

    wireless-controller ....................................................................................... 841

    ap-status.............................................................................................................. 842

    global ................................................................................................................... 843

    setting.................................................................................................................. 844

    timers................................................................................................................... 845

    vap ....................................................................................................................... 846

    wids-profile .......................................................................................................... 851

    wtp ....................................................................................................................... 854

    wtp-profile............................................................................................................ 858

    execute.......................................................................................................... 864

    backup................................................................................................................. 865

    batch.................................................................................................................... 868

    bypass-mode....................................................................................................... 869

    carrier-license ...................................................................................................... 870

    central-mgmt ....................................................................................................... 871

    cfg reload............................................................................................................. 872

    cfg save ............................................................................................................... 873

    clear system arp table ......................................................................................... 874

    cli check-template-status .................................................................................... 875

    cli status-msg-only .............................................................................................. 876

    client-reputation................................................................................................... 877

    date...................................................................................................................... 878

    disk ...................................................................................................................... 879

    disk raid ............................................................................................................... 880

    dhcp lease-clear .................................................................................................. 881

    dhcp lease-list ..................................................................................................... 882

    disconnect-admin-session .................................................................................. 883

    enter..................................................................................................................... 884

    erase-disk ............................................................................................................ 885

    factoryreset.......................................................................................................... 886

    factoryreset2........................................................................................................ 887

    formatlogdisk....................................................................................................... 888

    forticarrier-license................................................................................................ 889

    forticlient .............................................................................................................. 890

    FortiClient-NAC.................................................................................................... 891

    fortiguard-log....................................................................................................... 892

    fortisandbox test-connectivity ............................................................................. 893

    fortitoken.............................................................................................................. 894

    fortitoken-mobile.................................................................................................. 895

    fsso refresh .......................................................................................................... 896

    ha disconnect ...................................................................................................... 897

    ha ignore-hardware-revision................................................................................ 898

    ha manage ........................................................................................................... 899

    ha synchronize..................................................................................................... 900

    interface dhcpclient-renew.................................................................................. 901

    interface pppoe-reconnect .................................................................................. 902

    log client-reputation-report.................................................................................. 903

    log convert-oldlogs.............................................................................................. 904

    log delete-all ........................................................................................................ 905

    log delete-oldlogs ................................................................................................ 906

    log detail .............................................................................................................. 907

    log display............................................................................................................ 908

    log filter ................................................................................................................ 909

    log fortianalyzer test-connectivity
    log list
    log rebuild-sqldb
    log recreate-sqldb
    log-report reset
    log roll
    log upload-progress
    modem dial
    modem hangup
    modem trigger
    mrouter clear
    netscan
    pbx
    ping
    ping-options, ping6-options
    ping6
    policy-packet-capture delete-all
    reboot
    report
    report-config reset
    restore
    revision
    router clear bfd session
    router clear bgp


    router clear ospf process
    router restart
    send-fds-statistics
    set system session filter
    set-next-reboot
    sfp-mode-sgmii
    shutdown
    ssh
    sync-session
    tac report
    telnet
    time
    traceroute
    tracert6
    update-av
    update-geo-ip
    update-ips
    update-now
    update-src-vis
    upd-vd-license
    upload
    usb-device
    usb-disk
    vpn certificate ca
    vpn certificate crl
    vpn certificate local export
    vpn certificate local generate
    vpn certificate local import
    vpn certificate remote
    vpn ipsec tunnel down
    vpn ipsec tunnel up
    vpn sslvpn del-all
    vpn sslvpn del-tunnel
    vpn sslvpn del-web
    vpn sslvpn list
    webfilter quota-reset
    wireless-controller delete-wtp-image
    wireless-controller list-wtp-image
    wireless-controller reset-wtp
    wireless-controller restart-acd


    user adgrp
    vpn ike gateway
    vpn ipsec tunnel details
    vpn ipsec tunnel name
    vpn ipsec stats crypto
    vpn ipsec stats tunnel
    vpn ssl monitor
    vpn status l2tp
    vpn status pptp
    vpn status ssl
    webfilter ftgd-statistics
    webfilter status
    wireless-controller rf-analysis
    wireless-controller scan
    wireless-controller status
    wireless-controller vap-status
    wireless-controller wlchanlistlic
    wireless-controller wtp-status
    tree


    Introduction

    This document describes FortiOS 5.2 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).

    How this guide is organized

    Most of the chapters in this document describe the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order.

    This document also contains the following sections:

    Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.

    What's new describes changes to the 5.2 CLI.

    config chapters describe the config commands.

    execute describes execute commands.

    get describes get commands.

    tree describes the tree command.

    Availability of commands and options

    Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ? to verify the commands and options that are available.

    Commands and options may not be available for the following reasons:

    FortiGate model. Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.

    Hardware configuration. For example, some AMC module commands are only available when an AMC module is installed.

    FortiOS Carrier, FortiGate Voice, FortiWiFi etc. Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.


    Managing Firmware with the FortiGate BIOS

    FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit's boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

    Using the BIOS, you can:

    view system information

    format the boot device

    load firmware and reboot (see "Loading firmware")

    reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see "Booting the backup firmware")

    Accessing the BIOS

    The BIOS menu is available only through direct connection to the FortiGate unit's Console port. During boot-up, "Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.

    Navigating the menu

    The main BIOS menu looks like this:

    [C]: Configure TFTP parameters

    [R]: Review TFTP paramters

    [T]: Initiate TFTP firmware transfer

    [F]: Format boot device

    [Q]: Quit menu and continue to boot

    [I]: System Information

    [B]: Boot with backup firmare and set as default

    [Q]: Quit menu and continue to boot

    [H]: Display this list of options

    Enter C,R,T,F,I,B,Q,or H:

    Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the Enter line is the default value, which you can enter simply by pressing Return. For example,

    Enter image download port number [WAN1]:

    In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.


    Loading firmware

    The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.

    The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.

    Configuring TFTP parameters

    Starting from the main BIOS menu

    [C]: Configure TFTP parameters.

    Selecting the VLAN (if VLANs are used)

    [V]: Set local VLAN ID.

    Choose port and whether to use DHCP

    [P]: Set firmware download port.

    The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:

    [0]: Any of port 1 - 7

    [1]: WAN1

    [2]: WAN2

    Enter image download port number [WAN1]:

    [D]: Set DHCP mode.

    Please select DHCP setting

    [1]: Enable DHCP

    [2]: Disable DHCP

    If there is a DHCP server on the network, select [1]. This simplifies configuration.

    Otherwise, select [2].

    Non-DHCP steps

    [I]: Set local IP address.

    Enter local IP address [192.168.1.188]:

    This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.

    [S]: Set local subnet mask.

    Enter local subnet mask [255.255.252.0]:

    [G]: Set local gateway.

    The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the FortiGate unit is connected.

    TFTP and filename

    [T]: Set remote TFTP server IP address.

    Enter remote TFTP server IP address [192.168.1.145]:

    [F]: Set firmware file name.

    Enter firmware file name [image.out]:

    Enter [Q] to return to the main menu.
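The subnet rules in the non-DHCP steps can be checked on the workstation before the values are typed into the BIOS menu. The following is an added example, not part of the Fortinet reference: the function names are hypothetical, the defaults are the ones shown in the menu prompts above, and 192.168.4.10 is a constructed off-subnet server address.

```python
import ipaddress


def needs_gateway(local_ip, mask, server_ip):
    """True when the TFTP server is outside the local subnet, so [G] must be set."""
    net = ipaddress.IPv4Interface(f"{local_ip}/{mask}").network
    return ipaddress.IPv4Address(server_ip) not in net


def tftp_preflight(local_ip, mask, server_ip, gateway_ip=None):
    """Check planned BIOS TFTP settings; return a list of problems (empty = OK)."""
    try:
        iface = ipaddress.IPv4Interface(f"{local_ip}/{mask}")
        server = ipaddress.IPv4Address(server_ip)
        gateway = ipaddress.IPv4Address(gateway_ip) if gateway_ip else None
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    net = iface.network
    problems = []

    # The temporary address must be a usable host address on the subnet.
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        problems.append(f"[I] {iface.ip} is the network or broadcast "
                        f"address of {net}")

    # "Use a unique address": it must not collide with the server or gateway.
    if iface.ip in (server, gateway):
        problems.append(f"[I] {iface.ip} collides with the TFTP server "
                        "or gateway address")

    # A gateway is only needed when the server is on a different subnet,
    # and then the gateway itself has to be reachable on the local subnet.
    if server not in net:
        if gateway is None:
            problems.append(f"[G] {server} is outside {net}; "
                            "a local gateway is required")
        elif gateway not in net:
            problems.append(f"[G] gateway {gateway} is not on {net}")

    return problems


if __name__ == "__main__":
    # Defaults from the menu prompts: the /22 mask puts both hosts on-link.
    print(tftp_preflight("192.168.1.188", "255.255.252.0", "192.168.1.145"))
    # Constructed case: server on another subnet and no gateway configured.
    print(tftp_preflight("192.168.1.188", "255.255.252.0", "192.168.4.10"))
```

With the default mask 255.255.252.0 the local subnet is 192.168.0.0/22, so the default server 192.168.1.145 is reached directly and [G] can be left unset.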


    Initiating TFTP firmware transfer

    Starting from the main BIOS menu

    [T]: Initiate TFTP firmware transfer.

    Please connect TFTP server to Ethernet port 'WAN1'.

    MAC: 00:09:0f:b5:55:28

    Connect to tftp server 192.168.1.145 ...

    ##########################################################

    Image Received.

    Checking image... OK

    Save as Default firmware/Backup firmware/Run image without

    saving:[D/B/R]?

    After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:

    Programming the boot device now.................................................................

    ................................................................

    Booting the backup firmware

    You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

    Starting from the main BIOS menu

    [B]: Boot with backup firmware and set as default.

    If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

    Failed to mount filesystem. . .

    Mount back up partition failed.

    Back up image open failed.

    Press Y or y to boot default image.


    What's new

    The FortiGate CLI Reference for FortiOS 5.2 is a dictionary of FortiOS CLI commands defining each command and its options, ranges, defaults and dependencies. The CLI Reference now includes FortiOS Carrier commands and future versions will include FortiGate Voice commands.

    The table below lists the CLI commands and options in FortiOS 5.2 that have changed since the last major release of FortiOS.

    Command                                        Change
    config antivirus profile
    edit
    config im                                      Option removed.
    set block-botnet-connections                   Option removed. See scan-botnet-connections.
    set extended-utm-log                           Field removed.
    set scan-botnet-connections                    New field. Enables monitoring or blocking of botnet communication.
    config antivirus quarantine
    set drop-heuristic im                          Option removed.
    set drop-infected im                           Option removed.
    set store-heuristic im                         Option removed.
    set store-infected im                          Option removed.
    config application list
    edit
    config entries
    edit
    set block-audio                                Field removed.
    set block-encrypt                              Field removed.
    set block-file                                 Field removed.
    set block-im                                   Field removed.
    set block-long-chat                            Field removed.
    set block-photo                                Field removed.
    set im-no-content-summary                      Field removed.
    set imoversizechat                             Field removed.
    set log                                        Field removed.
    config client-reputation profile               Renamed to config log threat-weight.
    config dlp sensor
    edit
    set full-archive-proto aim icq msn yahoo       Options removed.
    set summary-proto aim icq msn yahoo            Options removed.
    config filter
    edit


    set proto aim icq msn yahoo                    Options removed.
    set name                                       Fields added.
    set severity
    config endpoint-control profile
    edit
    config forticlient-winmac-settings
    set auto-vpn-when-off-net                      New fields. Enable automatic connection to a VPN when the endpoint is not directly connected to the FortiGate network.
    set auto-vpn-name
    set client-log-when-on-net                     New field. Enables client-based logging when on-net.
    config firewall address, address6
    edit
    set type url                                   New option. Creates URL address for explicit proxy.
    config firewall deep-inspection-options        Renamed to config firewall ssl-ssh-profile and re-organized.
    config firewall gtp
    edit
    set gtpu-denied-log                            New field. Enables logging of denied GTP-U packets.
    set gtpu-forwarded-log                         New field. Enables logging of forwarded GTP-U packets.
    set gtpu-log-freq                              New field. Sets logging rate in packets per log entry.
    config firewall ldb-monitor
    edit
    set http-max-redirects                         New field. Sets maximum number of HTTP redirects allowed.
    config firewall policy, policy6
    set captive-portal-exempt                      New field. Exempts users of this policy from the interface captive portal.
    set identity-based                             Fields removed.
    set identity-from
    set fall-through-unauthenticated
    set log-unmatched-traffic
    set device-detection-portal
    set email-collection-portal
    set forticlient-compliance-enforcement-portal
    set forticlient-compliance-devices
    set deep-inspection-options                    Field renamed to ssl-ssh-profile.
    set devices                                    Fields moved from config identity-based-policy.
    set endpoint-compliance
    set groups
    set users
    config identity-based policy                   Subcommand removed.
    set ssl-ssh-profile                            Field renamed from deep-inspection-options. The only profiles now are certificate-inspection and deep-inspection.


    config system accprofile
    edit
    set loggrp-permission custom
    config loggrp-permission
    set threat-weight                              New field. Sets threat-weight log access.
    config system dhcp server
    edit
    set forticlient-on-net-status                  New field. Enables sending FortiGate serial number to endpoint devices to check on-net status.
    config system global
    set auth-policy-exact-match                    Field removed.
    set gui-client-reputation                      Field renamed to gui-threat-weight.
    set gui-threat-weight                          Field renamed from gui-client-reputation.
    config system interface
    edit
    set min-links                                  New fields. Set minimum number of working members for an aggregate interface and whether an interface taken down for too few members is down operationally or only operationally.
    set min-links-down
    set security-exempt-list                       New field. Specifies list of devices or addresses that will bypass the captive portal.
    set security-redirect-url                      New field. Specifies a URL for redirection after captive portal authentication.
    config user pop3                               New command. Configures users who authenticate on a POP3 server.
    config user radius
    edit
    set timeout                                    New field. Sets RADIUS authentication timeout.
    config user security-exempt-list               New command. Configures exempt lists for captive portals.
    config vpn ipsec phase1
    edit
    set acct-verify                                New field. Enables VPN to require accounting message from RADIUS server for EAP authentication in IKEv2.
    set authmethod rsa-signature                   Field renamed to signature.
    set authmethod signature                       Field renamed from rsa-signature.
    set certificate                                Field renamed from rsa-certificate.
    set dhgrp                                      New options: DH Groups 19, 20, 21.
    set eap                                        New fields. Configure EAP authentication in IKEv2.
    set eap-identity
    set rsa-certificate                            Field renamed to certificate.


    config vpn ipsec phase1-interface
    edit
    set acct-verify                                New field. Enables VPN to require accounting message from RADIUS server for EAP authentication in IKEv2.
    set authmethod rsa-signature                   Option renamed to signature.
    set authmethod signature                       Option renamed from rsa-signature.
    set backup-gateway                             New field. Specifies backup gateways for IKE mode-cfg dialup VPNs.
    set certificate                                Field renamed from rsa-certificate.
    set dhgrp                                      New options: DH Groups 19, 20, 21.
    set eap                                        New fields. Configure EAP authentication in IKEv2.
    set eap-identity
    set rsa-certificate                            Field renamed to certificate.
    config vpn ipsec phase2
    edit
    set dhgrp                                      New options: DH Groups 19, 20, 21.
    config vpn ipsec phase2-interface
    edit
    set dhgrp                                      New options: DH Groups 19, 20, 21.
    config vpn ssl settings
    allow-ssl-big-buffer                           Field renamed to ssl-big-buffer.
    allow-ssl-client-renegotiation                 Field renamed to ssl-client-renegotiation.
    allow-ssl-insert-empty-fragment                Field renamed to ssl-insert-empty-fragment.
    allow-unsafe-legacy-renegotiation              Field renamed to unsafe-legacy-renegotiation.
    auto-tunnel-policy                             Field removed. No longer relevant due to other SSL VPN changes.
    default-portal                                 New field. Selects default SSL VPN portal.
    source-address                                 New field. Optionally limits client source address.
    source-address6
    source-address-negate                          New field. Inverts source-address selection.
    source-address6-negate
    source-interface                               New field. Sets port on which FortiGate listens for SSL VPN clients.
    ssl-big-buffer                                 Field renamed from allow-ssl-big-buffer.
    ssl-client-renegotiation                       Field renamed from allow-ssl-client-renegotiation.
    ssl-insert-empty-fragment                      Field renamed from allow-ssl-insert-empty-fragment.
    source-interface                               New field. Specifies interfaces to listen on for clients.
    unsafe-legacy-renegotiation                    Field renamed from allow-unsafe-legacy-renegotiation.
                                                   New field. Allows renegotiating clients to use a less-secure legacy method.


    config wireless-controller wtp-profile
    edit
    set split-tunneling-acl-local-ap-subnet        New field. Enables split tunneling so that traffic local to AP is not routed through WiFi controller.
    config radio-1 or config radio-2
    set amsdu                                      New field. Enables AMSDU support.
    set ap-handoff                                 New field. Enables handoff of clients to other APs.

    set ap-sniffer-addr

    set ap-sniffer-bufsize

    set ap-sniffer-chan

    set ap-sniffer-ctl

    set ap-sniffer-data

    set ap-sniffer-mgmt-beacon

    set ap-s