fortigate cli ref 54

Upload: king-clevon

Post on 13-Apr-2018

7/26/2019 Fortigate Cli Ref 54 1/995

FortiOS - CLI Reference

VERSION 5.4.0

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

December-16-15

FortiOS - CLI Reference

01-540-99686-20151216
Change Log

    Date                 Change Description
    December 16, 2015    New FortiOS 5.4.0 release.

CLI Reference for FortiOS 5.4    Fortinet Technologies Inc.    3

Introduction

This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).

How this guide is organized

This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate unit boot-up.

config describes the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected].

execute describes execute commands.

get describes get commands.

tree describes the tree command.

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ? to verify the commands and options that are available.

Commands and options may not be available for the following reasons:

FortiGate model

Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.

Hardware configuration

For example, some AMC module commands are only available when an AMC module is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.

Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.
Managing Firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit's boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

Using the BIOS, you can:

  • view system information
  • format the boot device
  • load firmware and reboot (see Loading firmware)
  • reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the backup firmware)

Accessing the BIOS

The BIOS menu is available only through a direct connection to the FortiGate unit's Console port. During boot-up, "Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.

Navigating the menu

The main BIOS menu looks like this:

    [C]: Configure TFTP parameters
    [R]: Review TFTP paramters
    [T]: Initiate TFTP firmware transfer
    [F]: Format boot device
    [Q]: Quit menu and continue to boot
    [I]: System Information
    [B]: Boot with backup firmare and set as default
    [Q]: Quit menu and continue to boot
    [H]: Display this list of options

    Enter C,R,T,F,I,B,Q,or H:

Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the Enter line is the default value, which you can enter simply by pressing Return. For example:

    Enter image download port number [WAN1]:

In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware

The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.

The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.

Configuring TFTP parameters

Starting from the main BIOS menu:

    [C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used):

    [V]: Set local VLAN ID.

Choose the port and whether to use DHCP:

    [P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:

    [0]: Any of port 1 - 7
    [1]: WAN1
    [2]: WAN2
    Enter image download port number [WAN1]:

    [D]: Set DHCP mode.

    Please select DHCP setting
    [1]: Enable DHCP
    [2]: Disable DHCP

If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps

    [I]: Set local IP address.
    Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.

    [S]: Set local subnet mask.
    Enter local subnet mask [255.255.252.0]:

    [G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the FortiGate unit is connected.

TFTP and filename

    [T]: Set remote TFTP server IP address.
    Enter remote TFTP server IP address [192.168.1.145]:

    [F]: Set firmware file name.
    Enter firmware file name [image.out]:

Enter [Q] to return to the main menu.
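The non-DHCP steps impose two constraints that are easy to get wrong at a console prompt: the temporary local address must be a usable host address on the interface's subnet, and a gateway is required only when the TFTP server sits on a different subnet (in which case the gateway itself has to be on the local subnet). The following Python check is an added example, not part of the FortiOS CLI Reference or of any Fortinet tool; the function name check_tftp_params and the rules it applies are this example's own reading of the menu text, and the sample values other than the menu defaults shown above are constructed.

```python
"""Sanity-check the non-DHCP TFTP parameters for the FortiGate BIOS menu.

Added example; not part of the FortiOS CLI Reference. The function name and
the checks are this example's own, derived from the menu text: the local
address must be a unique host address on the interface's subnet, and a local
gateway is needed only when the TFTP server is on another subnet.
"""
import ipaddress


def check_tftp_params(local_ip, subnet_mask, tftp_server, gateway=None):
    """Return a list of problems found; an empty list means the values are consistent."""
    problems = []
    try:
        # strict=False builds the network from a host address plus mask,
        # e.g. 192.168.1.188/255.255.252.0 -> 192.168.0.0/22
        net = ipaddress.IPv4Network("%s/%s" % (local_ip, subnet_mask), strict=False)
        local = ipaddress.IPv4Address(local_ip)
        server = ipaddress.IPv4Address(tftp_server)
        gw = ipaddress.IPv4Address(gateway) if gateway else None
    except ValueError as exc:
        return ["invalid address or mask: %s" % exc]

    # A usable host address must not be the network or broadcast address.
    if local in (net.network_address, net.broadcast_address):
        problems.append("local address %s is the network or broadcast address of %s" % (local, net))
    # The temporary address must be unique; a clash with the server address
    # is the one collision that can be detected offline.
    if local == server:
        problems.append("local address must differ from the TFTP server address")

    if server not in net:
        # Different subnet: the BIOS needs a gateway, and that gateway must
        # itself be reachable on the local subnet.
        if gw is None:
            problems.append("TFTP server %s is outside %s: a local gateway is required" % (server, net))
        elif gw not in net:
            problems.append("gateway %s is not on the local subnet %s" % (gw, net))
    return problems


if __name__ == "__main__":
    # The BIOS menu defaults from the text: same /22 subnet, no gateway needed.
    print(check_tftp_params("192.168.1.188", "255.255.252.0", "192.168.1.145"))
    # Constructed case: server on another subnet and no gateway given.
    print(check_tftp_params("192.168.1.188", "255.255.252.0", "10.0.0.5"))
```

Run it with the values you intend to type before interrupting boot; the /22 default mask in the menu is a reminder that "same subnet" is decided by the mask, not by the third octet.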

Initiating TFTP firmware transfer

Starting from the main BIOS menu:

    [T]: Initiate TFTP firmware transfer.

    Please connect TFTP server to Ethernet port 'WAN1'.
    MAC: 00:09:0f:b5:55:28
    Connect to tftp server 192.168.1.145 ...
    ##########################################################
    Image Received.
    Checking image... OK
    Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:

    Programming the boot device now.
    ................................................................
    ................................................................

Booting the backup firmware

You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

Starting from the main BIOS menu:

    [B]: Boot with backup firmware and set as default.

If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:

    Failed to mount filesystem. . .
    Mount back up partition failed.
    Back up image open failed.
    Press Y or y to boot default image.

config

Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has been extracted and formatted from FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted from CLI help) and default values. This is the first version of this content produced in this way. You can send comments about this content to [email protected].
alertemail/setting

CLI Syntax

    config alertemail setting
        edit
            set username
            set mailto1
            set mailto2
            set mailto3
            set filter-mode {category | threshold}
            set email-interval
            set IPS-logs {enable | disable}
            set firewall-authentication-failure-logs {enable | disable}
            set HA-logs {enable | disable}
            set IPsec-errors-logs {enable | disable}
            set FDS-update-logs {enable | disable}
            set PPP-errors-logs {enable | disable}
            set sslvpn-authentication-errors-logs {enable | disable}
            set antivirus-logs {enable | disable}
            set webfilter-logs {enable | disable}
            set configuration-changes-logs {enable | disable}
            set violation-traffic-logs {enable | disable}
            set admin-login-logs {enable | disable}
            set FDS-license-expiring-warning {enable | disable}
            set log-disk-usage-warning {enable | disable}
            set fortiguard-log-quota-warning {enable | disable}
            set amc-interface-bypass-mode {enable | disable}
            set FIPS-CC-errors {enable | disable}
            set FDS-license-expiring-days
            set local-disk-usage
            set emergency-interval
            set alert-interval
            set critical-interval
            set error-interval
            set warning-interval
            set notification-interval
            set information-interval
            set debug-interval
            set severity {emergency | alert | critical | error | warning | notification | information | debug}
        end

Description

    Configuration                           Description                                                                  Default Value
    username                                Email from address.                                                          (Empty)
    mailto1                                 Destination email address 1.                                                 (Empty)
    mailto2                                 Destination email address 2.                                                 (Empty)
    mailto3                                 Destination email address 3.                                                 (Empty)
    filter-mode                             Filter mode.                                                                 category
    email-interval                          Interval between each email.                                                 5
    IPS-logs                                Enable/disable IPS logs.                                                     disable
    firewall-authentication-failure-logs    Enable/disable logging of firewall authentication failures.                  disable
    HA-logs                                 Enable/disable HA logs.                                                      disable
    IPsec-errors-logs                       Enable/disable IPsec errors logs.                                            disable
    FDS-update-logs                         Enable/disable FortiGuard update logs.                                       disable
    PPP-errors-logs                         Enable/disable PPP errors logs.                                              disable
    sslvpn-authentication-errors-logs       Enable/disable logging of SSL-VPN authentication errors.                     disable
    antivirus-logs                          Enable/disable antivirus logs.                                               disable
    webfilter-logs                          Enable/disable web filter logging.                                           disable
    configuration-changes-logs              Enable/disable logging of configuration changes.                             disable
    violation-traffic-logs                  Enable/disable logging of violation traffic.                                 disable
    admin-login-logs                        Enable/disable logging of administrator logins/logouts.                      disable
    FDS-license-expiring-warning            Enable/disable FortiGuard license expiration warning.                        disable
    log-disk-usage-warning                  Enable/disable logging of disk usage warning.                                disable
    fortiguard-log-quota-warning            Enable/disable warning of FortiCloud log quota.                              disable
    amc-interface-bypass-mode               Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode. disable
    FIPS-CC-errors                          Enable/disable FIPS and Common Criteria errors.                              disable
    FDS-license-expiring-days               Number of days to send alert email prior to FortiGuard license expiration    15
                                            (1 - 100 days).
    local-disk-usage                        Percentage at which to send alert email prior to disk usage exceeding this   75
                                            threshold (1 - 99 percent).
    emergency-interval                      Emergency alert interval in minutes.                                         1
    alert-interval                          Alert alert interval in minutes.                                             2
    critical-interval                       Critical alert interval in minutes.                                          3
    error-interval                          Error alert interval in minutes.                                             5
    warning-interval                        Warning alert interval in minutes.                                           10
    notification-interval                   Notification alert interval in minutes.                                      20
    information-interval                    Information alert interval in minutes.                                       30
    debug-interval                          Debug alert interval in minutes.                                             60
    severity                                Lowest severity level to log.                                                alert

antivirus/heuristic

CLI Syntax

    config antivirus heuristic
        edit
            set mode {pass | block | disable}
        end

Description

    Configuration    Description                    Default Value
    mode             Mode to use for heuristics.    disable

antivirus/profile

CLI Syntax

    config antivirus profile
        edit
            set name
            set comment
            set replacemsg-group
            set inspection-mode {proxy | flow-based}
            set ftgd-analytics {disable | suspicious | everything}
            set analytics-max-upload
            set analytics-wl-filetype
            set analytics-bl-filetype
            set analytics-db {disable | enable}
            set mobile-malware-db {disable | enable}
            config http
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                end
            config ftp
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                end
            config imap
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
                end
            config pop3
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
                end
            config smtp
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
                end
            config mapi
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                    set executables {default | virus}
                end
            config nntp
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                end
            config smb
                edit
                    set options {scan | avmonitor | avquery | quarantine}
                    set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                    set emulator {enable | disable}
                end
            config nac-quar
                edit
                    set infected {none | quar-src-ip | quar-interface}
                    set expiry
                    set log {enable | disable}
                end
            set av-virus-log {enable | disable}
            set av-block-log {enable | disable}
            set scan-mode {quick | full}
        end

Description

    Configuration            Description                                                                          Default Value
    name                     Profile name.                                                                        (Empty)
    comment                  Comment.                                                                             (Empty)
    replacemsg-group         Replacement message group.                                                           (Empty)
    inspection-mode          Inspection mode.                                                                     flow-based
    ftgd-analytics           Submit suspicious or supposedly clean files to FortiSandbox.                         disable
    analytics-max-upload     Maximum upload size to FortiSandbox (in MB).                                         10
    analytics-wl-filetype    Do not submit files matching this file-pattern table to the FortiSandbox.            0
    analytics-bl-filetype    Only submit files matching this file-pattern table to the FortiSandbox.              0
    analytics-db             Use signature database from FortiSandbox to supplement the AV signature databases.   disable
    mobile-malware-db        Use mobile malware signature database.                                               enable
    http                     HTTP.                                                                                Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
    ftp                      FTP.                                                                                 Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
    imap                     IMAP.                                                                                Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
        executables          default
    pop3                     POP3.                                                                                Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
        executables          default
    smtp                     SMTP.                                                                                Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
        executables          default
    mapi                     MAPI.                                                                                Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
        executables          default
    nntp                     NNTP.                                                                                Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
    smb                      SMB.                                                                                 Details below
        Configuration        Default Value
        options              (Empty)
        archive-block        (Empty)
        archive-log          (Empty)
        emulator             enable
    nac-quar                 Quarantine settings.                                                                 Details below
        Configuration        Default Value
        infected             none
        expiry               5m
        log                  disable
    av-virus-log             Enable/disable logging for antivirus scanning.                                       enable
    av-block-log             Enable/disable logging for antivirus file blocking.                                  enable
    scan-mode                Choose between full scan mode and quick scan mode.                                   full
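The alertemail/setting table and the antivirus/profile table above share a property that matters when auditing a unit: most of the security-relevant knobs default to disable or (Empty), and the plain `show` command prints only settings that differ from their defaults, so a key that is absent from a configuration dump is still at the default the tables list. The following Python script is an added example, not code from the CLI Reference and not a Fortinet tool: it parses the config / edit / set / next / end structure of FortiOS `show` output into nested dictionaries, then flags alertemail categories that are not enabled and antivirus profile protocol sections whose options do not include scan. The sample configuration text is constructed for the example, and the function names, the WANTED_ALERTS selection and the audit rules are this example's own choices, not Fortinet recommendations.

```python
"""Parse a FortiOS configuration dump and audit alertemail and antivirus
profile settings against the defaults listed in the CLI Reference.

Added example, not Fortinet code. The parser follows the config / edit /
set / unset / next / end structure of FortiOS `show` output; the audit rules
and the sample text below are this example's own constructions.
"""
import shlex

# Constructed sample in the format of `show` output (values are made up).
SAMPLE_CONFIG = """\
config alertemail setting
    set username "fortigate@example.com"
    set mailto1 "soc@example.com"
    set filter-mode category
    set admin-login-logs disable
    set configuration-changes-logs enable
    set firewall-authentication-failure-logs disable
    set severity alert
end
config antivirus profile
    edit "default"
        set inspection-mode proxy
        config http
            set options scan
            set emulator enable
        end
        config ftp
            set options avmonitor
        end
        set av-virus-log enable
        set av-block-log disable
    next
end
"""


def parse_fortios_config(text):
    """Return nested dicts: 'config a b' -> key 'a b', 'edit "x"' -> key 'x',
    'set k v1 v2' -> ['v1', 'v2']; 'next' and 'end' close the current level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles quoted values
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced %r" % cmd)
            stack.pop()
        else:
            raise ValueError("unrecognised line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


# alertemail/setting categories that default to "disable" in the reference
# table and that this audit expects to be enabled (an example policy choice).
WANTED_ALERTS = (
    "admin-login-logs",
    "configuration-changes-logs",
    "firewall-authentication-failure-logs",
    "sslvpn-authentication-errors-logs",
    "IPS-logs",
    "HA-logs",
)


def audit_alertemail(cfg):
    """Return the wanted alert categories that are not enabled. A key absent
    from `show` output is still at its default, which is 'disable'."""
    setting = cfg.get("alertemail setting", {})
    return [k for k in WANTED_ALERTS if setting.get(k, ["disable"]) != ["enable"]]


# Protocol sub-tables of antivirus/profile; their 'options' default is (Empty),
# i.e. no scanning unless 'scan' is set explicitly.
AV_PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi", "nntp", "smb")


def audit_antivirus_profiles(cfg):
    """Return (profile name, finding) pairs for protocol sections whose
    options lack 'scan' and for AV logging options that are not 'enable'."""
    findings = []
    for name, profile in cfg.get("antivirus profile", {}).items():
        for proto in AV_PROTOCOLS:
            if "scan" not in profile.get(proto, {}).get("options", []):
                findings.append((name, "%s: options lack 'scan'" % proto))
        for key in ("av-virus-log", "av-block-log"):  # both default to enable
            if profile.get(key, ["enable"]) != ["enable"]:
                findings.append((name, "%s disabled" % key))
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for category in audit_alertemail(parsed):
        print("alertemail: %s is not enabled" % category)
    for profile, finding in audit_antivirus_profiles(parsed):
        print("antivirus profile %s: %s" % (profile, finding))
```

Feed it the output of `show alertemail setting` and `show antivirus profile` captured from a unit; because defaults are filled in from the reference tables rather than read from the dump, the audit gives the same answer whether the capture came from `show` or from `show full-configuration`.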

antivirus/quarantine

CLI Syntax

    config antivirus quarantine
        edit
            set agelimit
            set maxfilesize
            set quarantine-quota
            set drop-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set store-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set drop-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set store-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
            set lowspace {drop-new | ovrw-old}
            set destination {NULL | disk | FortiAnalyzer}
        end

Description

    Configuration       Description                                             Default Value
    agelimit            Age limit for quarantined files.                        0
    maxfilesize         Maximum file size to quarantine.                        0
    quarantine-quota    Quarantine quota.                                       0
    drop-infected       Ignore infected files from a protocol.                  (Empty)
    store-infected      Quarantine infected files from a protocol.              imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
    drop-blocked        Drop blocked files from a protocol.                     (Empty)
    store-blocked       Quarantine blocked files from a protocol.               imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi
    drop-heuristic      Ignore heuristically caught files from a protocol.      (Empty)
    store-heuristic     Quarantine heuristically caught files from a protocol.  imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi
    lowspace            Action when the disk is almost full.                    ovrw-old
    destination         Quarantine destination: disk/FortiAnalyzer.             disk

antivirus/settings

CLI Syntax

    config antivirus settings
        edit
            set default-db {normal | extended | extreme}
            set grayware {enable | disable}
        end

Description

    Configuration    Description                                        Default Value
    default-db       Select AV database to be used for AV scanning.     extended
    grayware         Enable/disable detection of grayware.              disable

application/custom

CLI Syntax

    config application custom
        edit
            set tag
            set name
            set id
            set comment
            set signature
            set category
            set protocol
            set technology
            set behavior
            set vendor
        end

Description

    Configuration    Description                 Default Value
    tag              Signature tag.              (Empty)
    name             Application name.           (Empty)
    id               Application ID.             0
    comment          Comment.                    (Empty)
    signature        Signature text.             (Empty)
    category         Application category ID.    0
    protocol         Application protocol.       (Empty)
    technology       Application technology.     (Empty)
    behavior         Application behavior.       (Empty)
    vendor           Application vendor.         (Empty)

application/list

CLI Syntax

    config application list
        edit
            set name
            set comment
            set replacemsg-group
            set other-application-action {pass | block}
            set app-replacemsg {disable | enable}
            set other-application-log {disable | enable}
            set unknown-application-action {pass | block}
            set unknown-application-log {disable | enable}
            set p2p-black-list {skype | edonkey | bittorrent}
            set deep-app-inspection {disable | enable}
            set options {allow-dns | allow-icmp | allow-http | allow-ssl}
            config entries
                edit
                    set id
                    config risk
                        edit
                            set level
                        end
                    config category
                        edit
                            set id
                        end
                    config sub-category
                        edit
                            set id
                        end
                    config application
                        edit
                            set id
                        end
                    set protocols
                    set vendor
                    set technology
                    set behavior
                    set popularity {1 | 2 | 3 | 4 | 5}
                    config tags
                        edit
                            set name
                        end
                    config parameters
                        edit
                            set id
                            set value
                        end
                    set action {pass | block | reset}
                    set log {disable | enable}
                    set log-packet {disable | enable}
                    set rate-count
                    set rate-duration
                    set rate-mode {periodical | continuous}
                    set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                    set session-ttl
                    set shaper
                    set shaper-reverse
                    set per-ip-shaper
                    set quarantine {none | attacker | both | interface}
                    set quarantine-expiry
                    set quarantine-log {disable | enable}
                end
        end

Description

    Configuration                 Description                                                     Default Value
    name                          List name.                                                      (Empty)
    comment                       Comments.                                                       (Empty)
    replacemsg-group              Replacement message group.                                      (Empty)
    other-application-action      Action for other applications.                                  pass
    app-replacemsg                Enable/disable replacement messages for blocked applications.   enable
    other-application-log         Enable/disable logging of other applications.                   disable
    unknown-application-action    Action for unknown applications.                                pass
    unknown-application-log       Enable/disable logging of unknown applications.                 disable
    p2p-black-list                Action for p2p black list.                                      (Empty)
    deep-app-inspection           Enable/disable deep application inspection.                     disable
    options                       Options.                                                        allow-dns
    entries                       Application list entries.                                       (Empty)

application/name

CLI Syntax

    config application name
        edit
            set name
            set id
            set category
            set sub-category
            set popularity
            set risk
            set protocol
            set technology
            set behavior
            set vendor
            set parameter
            config metadata
                edit
                    set id
                    set metaid
                    set valueid
                end
        end

Description

    Configuration    Description                     Default Value
    name             Application name.               (Empty)
    id               Application ID.                 0
    category         Application category ID.        0
    sub-category     Application sub-category ID.    0
    popularity       Application popularity.         0
    risk             Application risk.               0
    protocol         Application protocol.           (Empty)
    technology       Application technology.         (Empty)
    behavior         Application behavior.           (Empty)
    vendor           Application vendor.             (Empty)
    parameter        Application parameter name.     (Empty)
    metadata         Meta data.                      (Empty)

application/rule-settings

CLI Syntax

    config application rule-settings
        edit
            set id
            config tags
                edit
                    set name
                end
        end

Description

    Configuration    Description             Default Value
    id               Rule ID.                0
    tags             Applied object tags.    (Empty)

certificate/ca

CLI Syntax

    config certificate ca
        edit
            set name
            set ca
            set range {global | vdom}
            set source {factory | user | bundle | fortiguard}
            set trusted {enable | disable}
            set scep-url
            set auto-update-days
            set auto-update-days-warning
            set source-ip
        end

Description

    Configuration               Description                                            Default Value
    name                        Name.                                                  (Empty)
    ca                          CA certificate.                                        (Empty)
    range                       CA certificate range.                                  global
    source                      CA certificate source.                                 user
    trusted                     Enable/disable trusted CA.                             enable
    scep-url                    URL of SCEP server.                                    (Empty)
    auto-update-days            Days to auto-update before expired, 0=disabled.        0
    auto-update-days-warning    Days to send update before auto-update (0=disabled).   0
    source-ip                   Source IP for communications to SCEP server.           0.0.0.0

certificate/crl

CLI Syntax

    config certificate crl
        edit
            set name
            set crl
            set range {global | vdom}
            set source {factory | user | bundle | fortiguard}
            set update-vdom
            set ldap-server
            set ldap-username
            set ldap-password
            set http-url
            set scep-url
            set scep-cert
            set update-interval
            set source-ip
        end

Description

    Configuration      Description                                                  Default Value
    name               Name.                                                        (Empty)
    crl                Certificate Revocation List.                                 (Empty)
    range              CRL range.                                                   global
    source             CRL source.                                                  user
    update-vdom        Virtual domain for CRL update.                               root
    ldap-server        LDAP server.                                                 (Empty)
    ldap-username      Login name for LDAP server.                                  (Empty)
    ldap-password      Login password for LDAP server.                              (Empty)
    http-url           URL of HTTP server for CRL update.                           (Empty)
    scep-url           URL of CA server for CRL update via SCEP.                    (Empty)
    scep-cert          Local certificate used for CRL update via SCEP.              Fortinet_CA_SSL
    update-interval    Seconds between updates, 0=disabled.                         0
    source-ip          Source IP for communications to CA (HTTP/SCEP) server.       0.0.0.0

certificate/local

CLI Syntax

    config certificate local
        edit <name>
            set name
            set password
            set comments
            set private-key
            set certificate
            set csr
            set state
            set scep-url
            set range {global | vdom}
            set source {factory | user | bundle | fortiguard}
            set auto-regenerate-days
            set auto-regenerate-days-warning
            set scep-password
            set ca-identifier
            set name-encoding {printable | utf8}
            set source-ip
            set ike-localid
            set ike-localid-type {asn1dn | fqdn}
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name. | (Empty) |
| password | Password. | (Empty) |
| comments | Comment. | (Empty) |
| private-key | Private key. | (Empty) |
| certificate | Certificate. | (Empty) |
| csr | Certificate Signing Request. | (Empty) |
| state | Certificate Signing Request State. | (Empty) |
| scep-url | URL of SCEP server. | (Empty) |
| range | Certificate range. | global |
| source | Certificate source. | user |
| auto-regenerate-days | Days to auto-regenerate before expired, 0=disabled. | 0 |
| auto-regenerate-days-warning | Days to send warning before auto-regeneration, 0=disabled. | 0 |
| scep-password | SCEP server challenge password for auto-regeneration. | (Empty) |
| ca-identifier | CA identifier of the CA server for signing via SCEP. | (Empty) |
| name-encoding | Name encoding for auto-regeneration. | printable |
| source-ip | Source IP for communications to SCEP server. | 0.0.0.0 |
| ike-localid | IKE local ID. | (Empty) |
| ike-localid-type | IKE local ID type. | asn1dn |
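Worked configuration for the two objects above, certificate/crl and certificate/local. This is an added example, not configuration from the original reference; the object names, the CA name example-ca, the URLs http://crl.example.com/example-ca.crl and http://scep.example.com/scep, and the management address 10.0.0.1 are constructed placeholders, and the local certificate example-gateway-cert is assumed to exist already. Lines starting with # are comments; entry blocks close with next and tables with end. The first CRL object keeps update-interval at its default of 0, so the list is imported once and never refreshed; the second refreshes it every hour from a fixed source address. The local certificate is set to re-enrol through SCEP 30 days before expiry, with a warning 7 days before the regeneration runs.

```fortios
# Added example; all names, URLs and addresses are constructed placeholders.

# Weak: update-interval 0 (the default) loads the CRL once and never refreshes it,
# so a certificate revoked after the import is still accepted.
config certificate crl
    edit "example-ca-crl-stale"
        set http-url "http://crl.example.com/example-ca.crl"
        set update-interval 0
    next
end

# Hardened: pull the CRL every 3600 seconds from the root VDOM, from a fixed
# source address so the fetch can be matched by a narrow outbound policy.
config certificate crl
    edit "example-ca-crl"
        set update-vdom root
        set http-url "http://crl.example.com/example-ca.crl"
        set update-interval 3600
        set source-ip 10.0.0.1
    next
end

# Renew the local certificate through SCEP 30 days before it expires and send a
# warning 7 days before the regeneration runs. The challenge password is a
# placeholder; it ties the renewal request to this device at the CA.
config certificate local
    edit "example-gateway-cert"
        set scep-url "http://scep.example.com/scep"
        set ca-identifier "example-ca"
        set scep-password "REPLACE-WITH-CHALLENGE-PASSWORD"
        set auto-regenerate-days 30
        set auto-regenerate-days-warning 7
        set name-encoding printable
        set source-ip 10.0.0.1
    next
end
```

The two CRL objects differ only in update-interval and source-ip; in practice only the second form is kept, the first is shown to make the default visible.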

dlp/filepattern

CLI Syntax

    config dlp filepattern
        edit <id>
            set id
            set name
            set comment
            config entries
                edit
                    set filter-type {pattern | type}
                    set pattern
                    set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
                end
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | ID. | 0 |
| name | Name of table. | (Empty) |
| comment | Comment. | (Empty) |
| entries | Configure file patterns used by DLP blocking. | (Empty) |

dlp/fp-doc-source

CLI Syntax

    config dlp fp-doc-source
        edit <name>
            set name
            set server-type {samba}
            set server
            set period {none | daily | weekly | monthly}
            set vdom {mgmt | current}
            set scan-subdirectories {enable | disable}
            set scan-on-creation {enable | disable}
            set remove-deleted {enable | disable}
            set keep-modified {enable | disable}
            set username
            set password
            set file-path
            set file-pattern
            set sensitivity
            set tod-hour
            set tod-min
            set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
            set date
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | DLP Server. | (Empty) |
| server-type | DLP Server. | samba |
| server | Server location (can be IP or IPv6 address). | (Empty) |
| period | Select periodic server checking. | none |
| vdom | Select source on management or current VDOM. | mgmt |
| scan-subdirectories | Enable/disable scanning of subdirectories. | enable |
| scan-on-creation | Enable/disable force scan of server to happen when document source is created or edited. | enable |
| remove-deleted | Enable/disable removing chunks of files deleted from the server. | enable |
| keep-modified | Enable/disable retaining old chunks of modified files. | enable |
| username | Login username. | (Empty) |
| password | Login password. | (Empty) |
| file-path | File path on server. | (Empty) |
| file-pattern | File patterns to fingerprint (wildcard). | * |
| sensitivity | DLP fingerprint sensitivity defined for these files. | (Empty) |
| tod-hour | Time of day to run scans (hour part, 24 hour clock). | 1 |
| tod-min | Time of day to run scans (min). | 0 |
| weekday | Day of week to run scans. | sunday |
| date | Date within a month to run scans. | 1 |

dlp/fp-sensitivity

CLI Syntax

    config dlp fp-sensitivity
        edit <name>
            set name
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | DLP Sensitivity Levels. | (Empty) |

dlp/sensor

CLI Syntax

    config dlp sensor
        edit <name>
            set name
            set comment
            set replacemsg-group
            config filter
                edit <id>
                    set id
                    set name
                    set severity {info | low | medium | high | critical}
                    set type {file | message}
                    set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
                    set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
                    set file-size
                    set company-identifier
                    config fp-sensitivity
                        edit <name>
                            set name
                        end
                    set match-percentage
                    set file-type
                    set regexp
                    set archive {disable | enable}
                    set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
                    set expiry
                end
            set dlp-log {enable | disable}
            set nac-quar-log {enable | disable}
            set flow-based {enable | disable}
            set options {}
            set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
            set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Name. | (Empty) |
| comment | Comment. | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| filter | Configure DLP filters. | (Empty) |
| dlp-log | Enable/disable logging for data leak prevention. | enable |
| nac-quar-log | Enable/disable logging for NAC quarantine creation. | disable |
| flow-based | Enable/disable flow-based data leak prevention. | disable |
| options | Options. | |
| full-archive-proto | Protocols to always content archive. | (Empty) |
| summary-proto | Protocols to always log summary. | (Empty) |
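The file-pattern table and the sensor above combine into one leak-prevention policy. The following is an added example, not from the original reference: the table id 10, the object names, the entry labels inside config entries (the reference does not list that sub-table's key) and the protocol selection are choices made for the example. The table matches executables and archives by detected type rather than by file name; the sensor's first filter blocks such files leaving over HTTP POST, SMTP and FTP by referencing the table id in file-type, and its second filter blocks messages carrying credit-card numbers. dlp-log stays enabled and summary-proto is set so each match is logged.

```fortios
# Added example; the id, names and protocol choices are constructed for illustration.

# File types that should not leave the network as uploads or attachments.
# filter-type type matches on the detected content type, not on the file name.
config dlp filepattern
    edit 10
        set name "blocked-outbound-binaries"
        set comment "Executables and archives, matched by file type"
        config entries
            edit "exe"
                set filter-type type
                set file-type exe
            next
            edit "elf"
                set filter-type type
                set file-type elf
            next
            edit "bat"
                set filter-type type
                set file-type bat
            next
            edit "zip"
                set filter-type type
                set file-type zip
            next
        end
    next
end

config dlp sensor
    edit "outbound-dlp"
        set comment "Block binaries and card numbers leaving via web, mail and FTP"
        config filter
            # Filter 1: any file whose detected type is in table 10 is blocked.
            edit 1
                set name "block-binaries"
                set severity high
                set type file
                set proto http-post smtp ftp
                set filter-by file-type
                set file-type 10
                set action block
            next
            # Filter 2: message bodies (web forms, mail) carrying credit-card numbers.
            edit 2
                set name "block-card-numbers"
                set severity critical
                set type message
                set proto http-post smtp
                set filter-by credit-card
                set action block
            next
        end
        set dlp-log enable
        set summary-proto http-post smtp ftp
    next
end
```

The sensor takes effect only once a firewall policy references it; the objects here are the sensor and its supporting table.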

dlp/settings

CLI Syntax

    config dlp settings
        edit
            set storage-device
            set size
            set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
            set cache-mem-percent
            set chunk-size
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| storage-device | Storage name. | (Empty) |
| size | Maximum total size of files within the storage (MB). | 16 |
| db-mode | Method of maintaining database size. | stop-adding |
| cache-mem-percent | Maximum percentage of available memory allocated to caching (1 - 15%). | 2 |
| chunk-size | Maximum fingerprint chunk size. **Changing will flush the entire database**. | 2800 |

dnsfilter/profile

CLI Syntax

    config dnsfilter profile
        edit <name>
            set name
            set comment
            config urlfilter
                edit
                    set urlfilter-table
                end
            config ftgd-dns
                edit
                    set options {error-allow | ftgd-disable}
                    config filters
                        edit <id>
                            set id
                            set category
                            set action {block | monitor}
                            set log {enable | disable}
                        end
                end
            set log-all-url {enable | disable}
            set block-action {block | redirect}
            set redirect-portal
            set block-botnet {disable | enable}
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Profile name. | (Empty) |
| comment | Comment. | (Empty) |
| urlfilter | URL filter settings. | Details below |
| ftgd-dns | FortiGuard DNS Filter settings. | Details below |
| log-all-url | Enable/disable log all URLs visited. | disable |
| block-action | Action to take for blocked domains. | redirect |
| redirect-portal | IP address of the SDNS portal. | 0.0.0.0 |
| block-botnet | Enable/disable block of botnet C&C. | disable |

urlfilter:

| Configuration | Default Value |
|---|---|
| urlfilter-table | 0 |

ftgd-dns:

| Configuration | Default Value |
|---|---|
| options | (Empty) |
| filters | (Empty) |

dnsfilter/urlfilter

CLI Syntax

    config dnsfilter urlfilter
        edit <id>
            set id
            set name
            set comment
            config entries
                edit <id>
                    set id
                    set url
                    set type {simple | regex | wildcard}
                    set action {block | allow | monitor}
                    set status {enable | disable}
                end
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | ID. | 0 |
| name | Name of table. | (Empty) |
| comment | Comment. | (Empty) |
| entries | DNS URL filter. | (Empty) |
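dnsfilter/urlfilter and dnsfilter/profile used together, as an added example that is not part of the original reference. The table id 1, the domain names known-bad.example and updates.corp.example, and the portal address 10.0.0.50 are constructed; the urlfilter sub-table is a singleton and is written without an edit line. The profile blocks resolution of botnet C&C domains, attaches the local list, redirects blocked lookups to the portal address so a user sees a block page rather than a silent failure, and logs every query so the DNS logs can feed detection.

```fortios
# Added example; table id, domain names and the portal address are constructed.

# Local domain list: a known-bad domain and all of its subdomains are blocked,
# and one internal host that must always resolve is explicitly allowed.
config dnsfilter urlfilter
    edit 1
        set name "local-dns-blocklist"
        set comment "Domains blocked at resolution time"
        config entries
            edit 1
                set url "known-bad.example"
                set type simple
                set action block
                set status enable
            next
            edit 2
                set url "*.known-bad.example"
                set type wildcard
                set action block
                set status enable
            next
            edit 3
                set url "updates.corp.example"
                set type simple
                set action allow
                set status enable
            next
        end
    next
end

config dnsfilter profile
    edit "dns-protect"
        set comment "Botnet C&C block, local list, full query logging"
        config urlfilter
            set urlfilter-table 1
        end
        # ftgd-dns options are left at their default. Setting error-allow would
        # let lookups through whenever the FortiGuard rating service cannot answer.
        set block-botnet enable
        set block-action redirect
        set redirect-portal 10.0.0.50
        set log-all-url enable
    next
end
```

With log-all-url enabled the volume of DNS log entries rises with every client query, so the log destination should be sized for it before the profile is applied broadly.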

endpoint-control/client

CLI Syntax

    config endpoint-control client
        edit <id>
            set id
            set ftcl-uid
            set src-ip
            set src-mac
            set info
            set ad-groups
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | Endpoint client ID. | 0 |
| ftcl-uid | Endpoint FortiClient UID. | (Empty) |
| src-ip | Endpoint client IP address. | 0.0.0.0 |
| src-mac | Endpoint client MAC address. | 00:00:00:00:00:00 |
| info | Endpoint client information. | (Empty) |
| ad-groups | Endpoint client AD logon groups. | (Empty) |

endpoint-control/forticlient-registration-sync

CLI Syntax

    config endpoint-control forticlient-registration-sync
        edit <peer-name>
            set peer-name
            set peer-ip
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| peer-name | Peer name. | (Empty) |
| peer-ip | Peer connecting IP. | 0.0.0.0 |

endpoint-control/profile

CLI Syntax

    config endpoint-control profile
        edit <profile-name>
            set profile-name
            config forticlient-winmac-settings
                edit
                    set view-profile-details {enable | disable}
                    set forticlient-av {enable | disable}
                    set av-realtime-protection {enable | disable}
                    set scan-download-file {enable | disable}
                    set sandbox-scan {enable | disable}
                    set sandbox-address
                    set wait-sandbox-result {enable | disable}
                    set use-sandbox-signature {enable | disable}
                    set block-malicious-website {enable | disable}
                    set block-attack-channel {enable | disable}
                    set av-scheduled-scan {enable | disable}
                    set av-scan-type {quick | full | custom}
                    set av-scan-folder
                    set av-scan-schedule {daily | weekly | monthly}
                    set av-scan-day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
                    set av-scan-day-of-month
                    set av-scan-time
                    config av-scan-exclusions
                        edit <id>
                            set id
                            set type {file | folder}
                            set name
                        end
                    set forticlient-application-firewall {enable | disable}
                    set forticlient-application-firewall-list
                    set monitor-unknown-application {enable | disable}
                    set install-ca-certificate {enable | disable}
                    set forticlient-wf {enable | disable}
                    set forticlient-wf-profile
                    set disable-wf-when-protected {enable | disable}
                    set forticlient-vuln-scan {enable | disable}
                    set forticlient-vuln-scan-schedule {daily | weekly | monthly}
                    set forticlient-vuln-scan-on-registration {enable | disable}
                    set forticlient-vpn-provisioning {enable | disable}
                    set forticlient-advanced-vpn {enable | disable}
                    set forticlient-advanced-vpn-buffer
                    config forticlient-vpn-settings
                        edit <name>
                            set name
                            set type {ipsec | ssl}
                            set remote-gw
                            set sslvpn-access-port
                            set sslvpn-require-certificate {enable | disable}
                            set auth-method {psk | certificate}
                            set preshared-key
                        end
                    set disable-unregister-option {enable | disable}
                    set forticlient-log-upload {enable | disable}
                    set forticlient-log-upload-server
                    set forticlient-log-ssl-upload {enable | disable}
                    set forticlient-log-upload-schedule {hourly | daily}
                    set forticlient-update-from-fmg {enable | disable}
                    config forticlient-update-server
                        edit <name>
                            set name
                        end
                    set forticlient-update-failover-to-fdn {enable | disable}
                    set forticlient-settings-lock {enable | disable}
                    set forticlient-settings-lock-passwd
                    set auto-vpn-when-off-net {enable | disable}
                    set auto-vpn-name
                    set client-log-when-on-net {enable | disable}
                    set forticlient-ad {enable | disable}
                    set fsso-ma {enable | disable}
                    set fsso-ma-server
                    set fsso-ma-psk
                    set allow-personal-vpn {enable | disable}
                    set disable-user-disconnect {enable | disable}
                    set vpn-before-logon {enable | disable}
                    set vpn-captive-portal {enable | disable}
                    set forticlient-ui-options {av | wf | af | vpn | vs}
                    set forticlient-advanced-cfg {enable | disable}
                    set forticlient-advanced-cfg-buffer
                    config extra-buffer-entries
                        edit <id>
                            set id
                            set buffer
                        end
                end
            config forticlient-android-settings
                edit
                    set forticlient-wf {enable | disable}
                    set forticlient-wf-profile
                    set disable-wf-when-protected {enable | disable}
                    set forticlient-vpn-provisioning {enable | disable}
                    set forticlient-advanced-vpn {enable | disable}
                    set forticlient-advanced-vpn-buffer
                    config forticlient-vpn-settings
                        edit <name>
                            set name
                            set type {ipsec | ssl}
                            set remote-gw
                            set sslvpn-access-port
                            set sslvpn-require-certificate {enable | disable}
                            set auth-method {psk | certificate}
                            set preshared-key
                        end
                end
            config forticlient-ios-settings
                edit
                    set forticlient-wf {enable | disable}
                    set forticlient-wf-profile
                    set disable-wf-when-protected {enable | disable}
                    set client-vpn-provisioning {enable | disable}
                    config client-vpn-settings
                        edit <name>
                            set name
                            set type {ipsec | ssl}
                            set vpn-configuration-name
                            set vpn-configuration-content
                            set remote-gw
                            set sslvpn-access-port
                            set sslvpn-require-certificate {enable | disable}
                            set auth-method {psk | certificate}
                            set preshared-key
                        end
                    set distribute-configuration-profile {enable | disable}
                    set configuration-name
                    set configuration-content
                end
            set description
            config src-addr
                edit <name>
                    set name
                end
            config device-groups
                edit <name>
                    set name
                end
            config users
                edit <name>
                    set name
                end
            config user-groups
                edit <name>
                    set name
                end
            config on-net-addr
                edit <name>
                    set name
                end
            set replacemsg-override-group
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| profile-name | Profile name. | (Empty) |
| forticlient-winmac-settings | FortiClient settings for Windows/Mac platform. | Details below |
| forticlient-android-settings | FortiClient settings for Android platform. | Details below |
| forticlient-ios-settings | FortiClient settings for iOS platform. | Details below |
| description | Description. | (Empty) |
| src-addr | Source addresses. | (Empty) |
| device-groups | Device groups. | (Empty) |
| users | Users. | (Empty) |
| user-groups | User groups. | (Empty) |
| on-net-addr | Addresses for on-net detection. | (Empty) |
| replacemsg-override-group | Specify endpoint control replacement message override group. | (Empty) |

forticlient-winmac-settings:

| Configuration | Default Value |
|---|---|
| view-profile-details | enable |
| forticlient-av | enable |
| av-realtime-protection | enable |
| scan-download-file | enable |
| sandbox-scan | disable |
| sandbox-address | (Empty) |
| wait-sandbox-result | disable |
| use-sandbox-signature | disable |
| block-malicious-website | disable |
| block-attack-channel | disable |
| av-scheduled-scan | disable |
| av-scan-type | quick |
| av-scan-folder | (Empty) |
| av-scan-schedule | daily |
| av-scan-day-of-week | sunday |
| av-scan-day-of-month | 0 |
| av-scan-time | 00:00 |
| av-scan-exclusions | (Empty) |
| forticlient-application-firewall | disable |
| forticlient-application-firewall-list | (Empty) |
| monitor-unknown-application | disable |
| install-ca-certificate | disable |
| forticlient-wf | enable |
| forticlient-wf-profile | default |
| disable-wf-when-protected | enable |
| forticlient-vuln-scan | disable |
| forticlient-vuln-scan-schedule | monthly |
| forticlient-vuln-scan-on-registration | enable |
| forticlient-vpn-provisioning | disable |
| forticlient-advanced-vpn | disable |
| forticlient-advanced-vpn-buffer | (Empty) |
| forticlient-vpn-settings | (Empty) |
| disable-unregister-option | disable |
| forticlient-log-upload | disable |
| forticlient-log-upload-server | (Empty) |
| forticlient-log-ssl-upload | enable |
| forticlient-log-upload-schedule | daily |
| forticlient-update-from-fmg | disable |
| forticlient-update-server | (Empty) |
| forticlient-update-failover-to-fdn | enable |
| forticlient-settings-lock | disable |
| forticlient-settings-lock-passwd | (Empty) |
| auto-vpn-when-off-net | disable |
| auto-vpn-name | (Empty) |
| client-log-when-on-net | disable |
| forticlient-ad | disable |
| fsso-ma | disable |
| fsso-ma-server | (Empty) |
| fsso-ma-psk | (Empty) |
| allow-personal-vpn | enable |
| disable-user-disconnect | disable |
| vpn-before-logon | disable |
| vpn-captive-portal | disable |
| forticlient-ui-options | av wf vpn |
| forticlient-advanced-cfg | disable |
| forticlient-advanced-cfg-buffer | (Empty) |
| extra-buffer-entries | (Empty) |

forticlient-android-settings:

| Configuration | Default Value |
|---|---|
| forticlient-wf | disable |
| forticlient-wf-profile | (Empty) |
| disable-wf-when-protected | enable |
| forticlient-vpn-provisioning | disable |
| forticlient-advanced-vpn | disable |
| forticlient-advanced-vpn-buffer | (Empty) |
| forticlient-vpn-settings | (Empty) |

forticlient-ios-settings:

| Configuration | Default Value |
|---|---|
| forticlient-wf | disable |
| forticlient-wf-profile | (Empty) |
| disable-wf-when-protected | enable |
| client-vpn-provisioning | disable |
| client-vpn-settings | (Empty) |
| distribute-configuration-profile | disable |
| configuration-name | (Empty) |
| configuration-content | (Empty) |

endpoint-control/registered-forticlient

CLI Syntax

    config endpoint-control registered-forticlient
        edit <uid>
            set uid
            set vdom
            set ip
            set mac
            set status
            set flag
            set reg-fortigate
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| uid | FortiClient UID. | (Empty) |
| vdom | Registering VDOM. | (Empty) |
| ip | Endpoint IP address. | 0.0.0.0 |
| mac | Endpoint MAC address. | 00:00:00:00:00:00 |
| status | FortiClient registration status. | 1 |
| flag | FortiClient registration flag. | 0 |
| reg-fortigate | Registering FortiGate SN. | (Empty) |

endpoint-control/settings

CLI Syntax

    config endpoint-control settings
        edit
            set forticlient-reg-key-enforce {enable | disable}
            set forticlient-reg-key
            set forticlient-reg-timeout
            set download-custom-link
            set download-location {fortiguard | custom}
            set forticlient-keepalive-interval
            set forticlient-sys-update-interval
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| forticlient-reg-key-enforce | Enable/disable enforcement of FortiClient registration key. | disable |
| forticlient-reg-key | FortiClient registration key. | (Empty) |
| forticlient-reg-timeout | FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited). | 7 |
| download-custom-link | Customized URL for downloading FortiClient. | (Empty) |
| download-location | FortiClient download location. | fortiguard |
| forticlient-keepalive-interval | Interval between two KeepAlive messages from FortiClient (in seconds). | 60 |
| forticlient-sys-update-interval | Interval between two system update messages from FortiClient (in minutes). | 720 |

extender-controller/extender

CLI Syntax

    config extender-controller extender
        edit <id>
            set id
            set admin {disable | discovered | enable}
            set ifname
            set vdom
            set role {none | primary | secondary}
            set mode {standalone | redundant}
            set dial-mode {dial-on-demand | always-connect}
            set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
            set redundant-intf
            set dial-status
            set conn-status
            set ext-name
            set description
            set quota-limit-mb
            set billing-start-day
            set at-dial-script
            set modem-passwd
            set initiated-update {enable | disable}
            set modem-type {cdma | gsm/lte | wimax}
            set ppp-username
            set ppp-password
            set ppp-auth-protocol {auto | pap | chap}
            set ppp-echo-request {enable | disable}
            set wimax-carrier
            set wimax-realm
            set wimax-auth-protocol {tls | ttls}
            set sim-pin
            set access-point-name
            set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
            set roaming {enable | disable}
            set cdma-nai
            set aaa-shared-secret
            set ha-shared-secret
            set primary-ha
            set secondary-ha
            set cdma-aaa-spi
            set cdma-ha-spi
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| id | FortiExtender serial number. | (Empty) |
| admin | FortiExtender Administration (enable or disable). | disable |
| ifname | FortiExtender interface name. | (Empty) |
| vdom | VDOM. | 0 |
| role | FortiExtender work role (Primary, Secondary, None). | none |
| mode | FortiExtender mode. | standalone |
| dial-mode | Dial mode (dial-on-demand or always-connect). | always-connect |
| redial | Number of redials allowed based on failed attempts. | none |
| redundant-intf | Redundant interface. | (Empty) |
| dial-status | Dial status. | 0 |
| conn-status | Connection status. | 0 |
| ext-name | FortiExtender name. | (Empty) |
| description | Description. | (Empty) |
| quota-limit-mb | Monthly quota limit (MB). | 0 |
| billing-start-day | Billing start day. | 1 |
| at-dial-script | Initialization AT commands specific to the MODEM. | (Empty) |
| modem-passwd | MODEM password. | (Empty) |
| initiated-update | Allow/disallow network initiated updates to the MODEM. | disable |
| modem-type | MODEM type (CDMA, GSM/LTE or WIMAX). | gsm/lte |
| ppp-username | PPP username. | (Empty) |
| ppp-password | PPP password. | (Empty) |
| ppp-auth-protocol | PPP authentication protocol (PAP, CHAP or auto). | auto |
| ppp-echo-request | Enable/disable PPP echo request. | disable |
| wimax-carrier | WiMax carrier. | (Empty) |
| wimax-realm | WiMax realm. | (Empty) |
| wimax-auth-protocol | WiMax authentication protocol (TLS or TTLS). | tls |
| sim-pin | SIM PIN. | (Empty) |
| access-point-name | Access point name (APN). | (Empty) |
| multi-mode | MODEM mode of operation (3G, LTE, etc). | auto |
| roaming | Enable/disable MODEM roaming. | disable |
| cdma-nai | NAI for CDMA MODEMS. | (Empty) |
| aaa-shared-secret | AAA shared secret. | (Empty) |
| ha-shared-secret | HA shared secret. | (Empty) |
| primary-ha | Primary HA. | (Empty) |
| secondary-ha | Secondary HA. | (Empty) |
| cdma-aaa-spi | CDMA AAA SPI. | (Empty) |
| cdma-ha-spi | CDMA HA SPI. | (Empty) |

firewall.ipmacbinding/setting

CLI Syntax

    config firewall.ipmacbinding setting
        edit
            set bindthroughfw {enable | disable}
            set bindtofw {enable | disable}
            set undefinedhost {allow | block}
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| bindthroughfw | Enable/disable IP/MAC binding for traffic going through the firewall. | disable |
| bindtofw | Enable/disable IP/MAC binding for traffic going to the firewall. | disable |
| undefinedhost | Allow/block traffic for undefined hosts. | block |

firewall.ipmacbinding/table

CLI Syntax

    config firewall.ipmacbinding table
        edit <seq-num>
            set seq-num
            set ip
            set mac
            set name
            set status {enable | disable}
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| seq-num | Entry number. | 0 |
| ip | IP address. | 0.0.0.0 |
| mac | MAC address. | 00:00:00:00:00:00 |
| name | Name (optional, default = no name). | noname |
| status | Enable/disable IP/MAC binding. | disable |
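firewall.ipmacbinding/setting and firewall.ipmacbinding/table used together, as an added example that is not from the original reference; the IPs, MACs and names are constructed and the setting table is written without an edit line. Both binding checks are enabled and undefinedhost stays at block, so only the listed IP/MAC pairs pass: a host presenting a listed IP from another MAC, or a host not listed at all, is treated as undefined and dropped. Because every legitimate host on the covered interfaces must then be listed, this fits small static segments such as a management network rather than a general user LAN.

```fortios
# Added example; addresses, MACs and names are constructed placeholders.

# With both bindings left disabled (the defaults) the table below is never consulted.
# Enable the check for traffic through the unit and for traffic addressed to it,
# and keep undefined hosts blocked.
config firewall.ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end

# Only these IP/MAC pairs pass. A listed IP seen from a different MAC, or a host
# not listed at all, counts as undefined and is blocked.
config firewall.ipmacbinding table
    edit 1
        set ip 10.0.10.11
        set mac 00:11:22:33:44:01
        set name "mgmt-jumphost"
        set status enable
    next
    edit 2
        set ip 10.0.10.12
        set mac 00:11:22:33:44:02
        set name "mgmt-syslog"
        set status enable
    next
    # status disable keeps the record but removes the host from the allowed set,
    # so a retired device is blocked without deleting its entry.
    edit 3
        set ip 10.0.10.13
        set mac 00:11:22:33:44:03
        set name "retired-scanner"
        set status disable
    next
end
```

Add the FortiGate's own management station to the table before enabling bindtofw; otherwise the administrator's session is among the undefined hosts that get blocked.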

firewall.schedule/group

CLI Syntax

    config firewall.schedule group
        edit <name>
            set name
            config member
                edit <name>
                    set name
                end
            set color
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Schedule group name. | (Empty) |
| member | Schedule group member. | (Empty) |
| color | GUI icon color. | 0 |

firewall.schedule/onetime

CLI Syntax

    config firewall.schedule onetime
        edit <name>
            set name
            set start
            set end
            set color
            set expiration-days
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Onetime schedule name. | (Empty) |
| start | Start time and date. | 00:00 2001/01/01 |
| end | End time and date. | 00:00 2001/01/01 |
| color | GUI icon color. | 0 |
| expiration-days | Generate event log before schedule expires (1-100 days, 0 = disable). | 3 |

firewall.schedule/recurring

CLI Syntax

    config firewall.schedule recurring
        edit <name>
            set name
            set start
            set end
            set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
            set color
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Recurring schedule name. | (Empty) |
| start | Start time. | 00:00 |
| end | End time. | 00:00 |
| day | Weekday. | sunday |
| color | GUI icon color. | 0 |

firewall.service/category

CLI Syntax

    config firewall.service category
        edit <name>
            set name
            set comment
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Service category name. | (Empty) |
| comment | Comment. | (Empty) |

firewall.service/custom

CLI Syntax

    config firewall.service custom
        edit <name>
            set name
            set explicit-proxy {enable | disable}
            set category
            set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
            set iprange
            set fqdn
            set protocol-number
            set icmptype
            set icmpcode
            set tcp-portrange
            set udp-portrange
            set sctp-portrange
            set tcp-halfclose-timer
            set tcp-halfopen-timer
            set tcp-timewait-timer
            set udp-idle-timer
            set session-ttl
            set check-reset-range {disable | strict | default}
            set comment
            set color
            set visibility {enable | disable}
        end

Description

| Configuration | Description | Default Value |
|---|---|---|
| name | Custom service name. | (Empty) |
| explicit-proxy | Enable/disable explicit web proxy service. | disable |
| category | Service category. | (Empty) |
| protocol | Protocol type. | TCP/UDP/SCTP |
| iprange | Start IP-End IP. | 0.0.0.0 |
| fqdn | Fully qualified domain name. | (Empty) |
| protocol-number | IP protocol number. | 0 |
| icmptype | ICMP type. | (Empty) |
| icmpcode | ICMP code. | (Empty) |
| tcp-portrange | Multiple TCP port ranges. | (Empty) |
| udp-portrange | Multiple UDP port ranges. | (Empty) |
| sctp-portrange | Multiple SCTP port ranges. | (Empty) |
| tcp-halfclose-timer | TCP half close timeout (1 - 86400 sec, 0 = default). | 0 |
| tcp-halfopen-timer | TCP half open timeout (1 - 86400 sec, 0 = default). | 0 |
| tcp-timewait-timer | TCP time wait timeout (1 - 300 sec, 0 = default). | 0 |
| udp-idle-timer | UDP idle timeout (0 - 86400 sec, 0 = default). | 0 |
| session-ttl | Session TTL (300 - 604800, 0 = default). | 0 |
| check-reset-range | Enable/disable RST check. | default |
| comment | Comment. | (Empty) |
| color | GUI icon color. | 0 |
| visibility | Enable/disable service visibility. | enable |

  • 7/26/2019 Fortigate Cli Ref 54

    83/995

    firewall.service/group

    CLI Syntax

    config firewall.service group
        edit
            set name
            config member
                edit
                    set name
                end
            set explicit-proxy {enable | disable}
            set comment
            set color
    end

    Description

    Configuration     Description                                          Default Value
    name              Service group name.                                  (Empty)
    member            Service group member.                                (Empty)
    explicit-proxy    Enable/disable explicit web proxy service group.     disable
    comment           Comment.                                             (Empty)
    color             GUI icon color.                                      0

    firewall.shaper/per-ip-shaper

    CLI Syntax

    config firewall.shaper per-ip-shaper
        edit
            set name
            set max-bandwidth
            set bandwidth-unit {kbps | mbps | gbps}
            set max-concurrent-session
            set diffserv-forward {enable | disable}
            set diffserv-reverse {enable | disable}
            set diffservcode-forward
            set diffservcode-rev
    end

    Description

    Configuration             Description                                              Default Value
    name                      Traffic shaper name.                                     (Empty)
    max-bandwidth             Maximum bandwidth value (0 - 16776000).                  0
    bandwidth-unit            Bandwidth unit (default = kbps).                         kbps
    max-concurrent-session    Maximum concurrent session (0 - 2097000).                0
    diffserv-forward          Forward (original) traffic DiffServ.                     disable
    diffserv-reverse          Reverse (reply) traffic DiffServ.                        disable
    diffservcode-forward      Forward (original) traffic DiffServ code point value.    000000
    diffservcode-rev          Reverse (reply) traffic DiffServ code point value.       000000

    firewall.shaper/traffic-shaper

    CLI Syntax

    config firewall.shaper traffic-shaper
        edit
            set name
            set guaranteed-bandwidth
            set maximum-bandwidth
            set bandwidth-unit {kbps | mbps | gbps}
            set priority {low | medium | high}
            set per-policy {disable | enable}
            set diffserv {enable | disable}
            set diffservcode
    end

    Description

    Configuration           Description                                                  Default Value
    name                    Traffic shaper name.                                         (Empty)
    guaranteed-bandwidth    Guaranteed bandwidth value (0 - 16776000).                   0
    maximum-bandwidth       Maximum bandwidth value (0 - 16776000).                      0
    bandwidth-unit          Bandwidth unit (default = kbps).                             kbps
    priority                Traffic priority.                                            high
    per-policy              Enable/disable use of a separate shaper for each policy.     disable
    diffserv                Enable/disable traffic DiffServ.                             disable
    diffservcode            Traffic DiffServ code point value.                           000000
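    The two shaper tables above (per-ip-shaper and traffic-shaper) complement each other: a shared shaper bounds an aggregate, a per-IP shaper bounds each source host. The following is an added example, not from the FortiOS reference; names, bandwidth figures and the DSCP value are constructed. On the CLI the path is typed with a space (config firewall shaper traffic-shaper) where the reference writes firewall.shaper. Lines beginning with # are comments.

```fortios
# Added example: a shared shaper for a guest segment plus a per-IP shaper.
config firewall shaper traffic-shaper
    # Shared shaper: guarantee 2 Mbps, cap at 10 Mbps, low priority.
    # per-policy enable gives each policy that references this shaper its
    # own bucket instead of one bucket shared across all of them.
    edit "Guest-WiFi"
        set guaranteed-bandwidth 2000
        set maximum-bandwidth 10000
        set bandwidth-unit kbps
        set priority low
        set per-policy enable
        # Remark forwarded packets with DSCP AF11 (binary 001010) so upstream
        # devices can honour the low priority.
        set diffserv enable
        set diffservcode 001010
    next
end

config firewall shaper per-ip-shaper
    # Each source IP is held to 1 Mbps and 200 concurrent sessions, which
    # stops a single host from exhausting the segment's share or the
    # session table.
    edit "Guest-PerUser"
        set max-bandwidth 1000
        set bandwidth-unit kbps
        set max-concurrent-session 200
    next
end
```

    The max-concurrent-session limit is the part of this configuration with a security effect: it caps the session state any one client can create, which is the resource a session-exhaustion attempt consumes. Both shapers are attached to firewall policies; creating them alone does not shape anything.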

    firewall.ssl/setting

    CLI Syntax

    config firewall.ssl setting
        edit
            set proxy-connect-timeout
            set ssl-dh-bits {768 | 1024 | 1536 | 2048}
            set ssl-send-empty-frags {enable | disable}
            set no-matching-cipher-action {bypass | drop}
            set cert-cache-capacity
            set cert-cache-timeout
            set session-cache-capacity
            set session-cache-timeout
    end

    Description

    Configuration                Description                                                                                  Default Value
    proxy-connect-timeout        Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec).    30
    ssl-dh-bits                  Size of Diffie-Hellman prime used in DHE-RSA negotiation.                                    2048
    ssl-send-empty-frags         Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).                     enable
    no-matching-cipher-action    Bypass or drop the connection when no matching cipher was found.                             bypass
    cert-cache-capacity          Maximum capacity of the host certificate cache (0 - 500).                                    200
    cert-cache-timeout           Minutes to keep certificate cache (1 - 120 min).                                             10
    session-cache-capacity       Obsolete.                                                                                    500
    session-cache-timeout        Number of minutes to keep SSL session state.                                                 20
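    Of the settings in the table above, two decide how the SSL proxy fails: ssl-dh-bits bounds the strength of the ephemeral DH groups it offers, and no-matching-cipher-action decides whether a session the proxy cannot negotiate is passed through (bypass, the default) or dropped. The following is an added example, not from the FortiOS reference, showing a fail-closed configuration; the timeout values are choices made for this example, not vendor recommendations. On the CLI the path is typed as config firewall ssl setting (the reference writes firewall.ssl), and this table is a single global object, so no edit line is needed. Lines beginning with # are comments.

```fortios
# Added example: tighten the SSL proxy settings to fail closed.
config firewall ssl setting
    # Offer only the 2048-bit DH group for DHE-RSA; 768 and 1024 are too
    # weak to resist precomputation attacks on the group.
    set ssl-dh-bits 2048
    # Fail closed: drop a session when no acceptable cipher is found instead
    # of letting it through uninspected. Watch logs for drops after the
    # change, since legacy clients that only speak weak suites will break.
    set no-matching-cipher-action drop
    # Keep the empty-fragment (0/n split) countermeasure for CBC mode in
    # SSL 3.0 / TLS 1.0 sessions.
    set ssl-send-empty-frags enable
    # Shorter caches mean a rotated or revoked server certificate is
    # re-fetched sooner, at the cost of more handshakes.
    set cert-cache-timeout 5
    set session-cache-timeout 10
end
```

    The drop setting is the one to test before rolling out: the default bypass hides negotiation failures by design, so a cipher mismatch that was silently uninspected yesterday becomes a connection failure today. Checking the traffic and UTM logs for the affected destinations is how to tell a misconfigured client from an unwanted one.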

    firewall/address

    CLI Syntax

    config firewall address
        edit
            set name
            set uuid
            set subnet
            set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
            set start-ip
            set end-ip
            set fqdn
            set country
            set wildcard-fqdn
            set cache-ttl
            set wildcard
            set comment
            set visibility {enable | disable}
            set associated-interface
            set color
            config tags
                edit
                    set name
                end
            set allow-routing {enable | disable}
    end

    Description

    Configuration           Description                                                            Default Value
    name                    Address name.                                                          (Empty)
    uuid                    Universally Unique IDentifier.                                         00000000-0000-0000-0000-000000000000
    subnet                  IP address and netmask.                                                0.0.0.0 0.0.0.0
    type                    Type.                                                                  ipmask
    start-ip                Start IP.                                                              0.0.0.0
    end-ip                  End IP.                                                                0.0.0.0
    fqdn                    Fully qualified domain name.                                           (Empty)
    country                 Country name.                                                          (Empty)
    wildcard-fqdn           Wildcard FQDN.                                                         (Empty)
    cache-ttl               Minimal TTL of individual IP addresses in FQDN cache.                  0
    wildcard                IP address and wildcard netmask.                                       0.0.0.0 0.0.0.0
    comment                 Comment.                                                               (Empty)
    visibility              Enable/disable address visibility.                                     enable
    associated-interface    Associated interface name.                                             (Empty)
    color                   GUI icon color.                                                        0
    tags                    Applied object tags.                                                   (Empty)
    allow-routing           Enable/disable use of this address in the static route configuration.  disable

    firewall/address6

    CLI Syntax

    config firewall address6
        edit
            set name
            set uuid
            set type {ipprefix | iprange}
            set ip6
            set start-ip
            set end-ip
            set visibility {enable | disable}
            set color
            config tags
                edit
                    set name
                end
            set comment
    end

    Description

    Configuration    Description                              Default Value
    name             Address name.                            (Empty)
    uuid             Universally Unique IDentifier.           00000000-0000-0000-0000-000000000000
    type             Type.                                    ipprefix
    ip6              IPv6 address prefix.                     ::/0
    start-ip         Start IP.                                ::
    end-ip           End IP.                                  ::
    visibility       Enable/disable address visibility.       enable
    color            GUI icon color.                          0
    tags             Applied object tags.                     (Empty)
    comment          Comment.                                 (Empty)

    firewall/addrgrp

    CLI Syntax

    config firewall addrgrp
        edit
            set name
            set uuid
            config member
                edit
                    set name
                end
            set comment
            set visibility {enable | disable}
            set color
            config tags
                edit
                    set name
                end
            set allow-routing {enable | disable}
    end

    Description

    Configuration    Description                                                          Default Value
    name             Address group name.                                                  (Empty)
    uuid             Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
    member           Address group member.                                                (Empty)
    comment          Comment.                                                             (Empty)
    visibility       Enable/disable address group visibility.                             enable
    color            GUI icon color.                                                      0
    tags             Applied object tags.                                                 (Empty)
    allow-routing    Enable/disable use of this group in the static route configuration.  disable
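    The firewall/address and firewall/addrgrp tables above are the building blocks every policy references, and the type field decides which of the other fields is consulted. The following is an added example, not from the FortiOS reference: three address objects of different types and a group. Names, prefixes and the FQDN are constructed (the prefixes are documentation ranges). As with the other examples, member lists are set with one "set member" line rather than the "config member / edit" sub-table the reference shows, and lines beginning with # are comments.

```fortios
# Added example: address objects of three types and an address group.
config firewall address
    # Subnet object; type ipmask reads the subnet field.
    edit "DMZ-Web-Net"
        set type ipmask
        set subnet 192.0.2.0 255.255.255.224
        # Bind the object to one interface so it can only be used by policies
        # on that interface; a typo in another policy cannot widen its reach.
        set associated-interface "dmz"
        set comment "Public web tier"
    next
    # Range object; type iprange reads start-ip and end-ip.
    edit "Mgmt-Jump-Hosts"
        set type iprange
        set start-ip 198.51.100.10
        set end-ip 198.51.100.12
        set comment "Admin jump hosts, the only sources allowed to manage"
    next
    # FQDN object; the unit resolves the name and keeps the answers in the
    # FQDN cache. cache-ttl floors the cached lifetime at 600 s even when
    # the DNS record advertises a shorter TTL.
    edit "Update-Server"
        set type fqdn
        set fqdn "updates.example.com"
        set cache-ttl 600
    next
end

config firewall addrgrp
    edit "Web-Tier-Peers"
        set member "DMZ-Web-Net" "Update-Server"
        # Leave allow-routing disabled unless the group really is meant to
        # appear as a destination in static routes; it widens where the
        # object can be used.
        set allow-routing disable
        set comment "Everything the web tier may talk to"
    next
end
```

    Two of these fields deserve a second look in reviews. An FQDN object is only as trustworthy as the DNS the unit consults, so an allow rule built on it should be treated as a DNS-dependent rule. And allow-routing is a scope change rather than a cosmetic flag: once enabled the object participates in routing configuration, not just in policy matching.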

    firewall/addrgrp6

    CLI Syntax

    config firewall addrgrp6
        edit
            set name
            set uuid
            set visibility {enable | disable}
            set color
            set comment
            config member
                edit
                    set name
                end
            config tags
                edit
                    set name
                end
    end

    Description

    Configuration    Description                                   Default Value
    name             IPv6 address group name.                      (Empty)
    uuid             Universally Unique IDentifier.                00000000-0000-0000-0000-000000000000
    visibility       Enable/disable address group6 visibility.     enable
    color            GUI icon color.                               0
    comment          Comment.                                      (Empty)
    member           IPv6 address group member.                    (Empty)
    tags             Applied object tags.                          (Empty)

    firewall/auth-portal

    CLI Syntax

    config firewall auth-portal
        edit
            config groups
                edit
                    set name
                end
            set portal-addr
            set portal-addr6
            set identity-based-route
    end

    Description

    Configuration           Description                                                   Default Value
    groups                  Group name.                                                   (Empty)
    portal-addr             Address (or domain name) of authentication portal.            (Empty)
    portal-addr6            IPv6 address (or domain name) of authentication portal.       (Empty)
    identity-based-route    Name of identity-based routing rule.                          (Empty)

    firewall/central-snat-map

    CLI Syntax

    config firewall central-snat-map
        edit
            set policyid
            set status {enable | disable}
            config orig-addr
                edit
                    set name
                end
            config dst-addr
                edit
                    set name
                end
            config nat-ippool
                edit
                    set name
                end
            set protocol
            set orig-port
            set nat-port
    end

    Description

    Configuration    Description                                  Default Value
    policyid         Policy ID.                                   0
    status           Enable/disable policy status.                enable
    orig-addr        Original address.                            (Empty)
    dst-addr         Destination address.                         (Empty)
    nat-ippool       IP pool names for translated address.        (Empty)
    protocol         Protocol (0 - 255).                          0
    orig-port        Original port.                               0
    nat-port         Translated port or port range.               0

    firewall/dnstranslation

    CLI Syntax

    config firewall dnstranslation
        edit
            set id
            set src
            set dst
            set netmask
    end

    Description

    Configuration    Description          Default Value
    id               ID.                  0
    src              Source IP.           0.0.0.0
    dst              Destination IP.      0.0.0.0
    netmask          Network mask.        255.255.255.255

    firewall/DoS-policy

    CLI Syntax

    config firewall DoS-policy
        edit
            set policyid
            set status {enable | disable}
            set interface
            config srcaddr
                edit
                    set name
                end
            config dstaddr
                edit
                    set name
                end
            config service
                edit
                    set name
                end
            config anomaly
                edit
                    set name
                    set status {disable | enable}
                    set log {enable | disable}
                    set action {pass | block | proxy}
                    set quarantine {none | attacker | both | interface}
                    set quarantine-expiry
                    set quarantine-log {disable | enable}
                    set threshold
                    set threshold(default)
                end
    end

    Description

    Configuration    Description                          Default Value
    policyid         Policy ID.                           0
    status           Enable/disable policy status.        enable
    interface        Interface name.                      (Empty)
    srcaddr          Source address name.                 (Empty)
    dstaddr          Destination address name.            (Empty)
    service          Service name.                        (Empty)
    anomaly          Anomaly.                             (Empty)

    firewall/DoS-policy6

    CLI Syntax

    config firewall DoS-policy6
        edit
            set policyid
            set status {enable | disable}
            set interface
            config srcaddr
                edit
                    set name
                end
            config dstaddr
                edit
                    set name
                end
            config service
                edit
                    set name
                end
            config anomaly
                edit
                    set name
                    set status {disable | enable}
                    set log {enable | disable}
                    set action {pass | block | proxy}
                    set quarantine {none | attacker | both | interface}
                    set quarantine-expiry
                    set quarantine-log {disable | enable}
                    set threshold
                    set threshold(default)
                end
    end

    Description

    Configuration    Description                          Default Value
    policyid         Policy ID.                           0
    status           Enable/disable policy status.        enable
    interface        Interface name.                      (Empty)
    srcaddr          Source address name.                 (Empty)
    dstaddr          Destination address name.            (Empty)
    service          Service name.                        (Empty)
    anomaly          Anomaly.                             (Empty)

    firewall/explicit-proxy-address

    CLI Syntax

    config firewall explicit-proxy-address
        edit
            set name
            set uuid
            set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
            set host
            set host-regex
            set path
            config category
                edit
                    set id
                end
            set method {get | post | put | head | connect | trace | options | delete}
            set ua {chrome | ms | firefox | safari | other}
            set header-name
            set header
            set case-sensitivity {disable | enable}
            config header-group
                edit
                    set id
                    set header-name
                    set header
                    set case-sensitivity {disable | enable}
                end
            set color
            config tags
                edit
                    set name
                end
            set comment
            set visibility {enable | disable}
    end

    Description

    Configuration       Description                               Default Value
    name                Address name.                             (Empty)
    uuid                Universally Unique IDentifier.            00000000-0000-0000-0000-000000000000
    type                Address type.                             url
    host                Host address.                             (Empty)
    host-regex          Host regular expression.                  (Empty)
    path                URL path regular expression.              (Empty)
    category            FortiGuard category ID.                   (Empty)
    method              HTTP methods.                             (Empty)
    ua                  User agent.                               (Empty)
    header-name         HTTP header.                              (Empty)
    header              HTTP header regular expression.           (Empty)
    case-sensitivity    Case sensitivity in pattern.              disable
    header-group        HTTP header group.                        (Empty)
    color               GUI icon color.                           0
    tags                Applied object tags.                      (Empty)
    comment             Comment.                                  (Empty)
    visibility          Enable/disable address visibility.        disable

    firewall/explicit-proxy-addrgrp

    CLI Syntax

    config firewall explicit-proxy-addrgrp
        edit
            set name
            set type {src | dst}
            set uuid
            config member
                edit
                    set name
                end
            set color
            config tags
                edit
                    set name
                end
            set comment
            set visibility {enable | disable}
    end

    Description

    Configuration    Description                               Default Value
    name             Address group name.                       (Empty)
    type             Address group type.                       src
    uuid             Universally Unique IDentifier.            00000000-0000-0000-0000-000000000000
    member           Address group members.                    (Empty)
    color            GUI icon color.                           0
    tags             Applied object tags.                      (Empty)
    comment          Comment.                                  (Empty)
    visibility       Enable/disable address visibility.        disable

    firewall/explicit-proxy-policy

    CLI Syntax

    config firewall explicit-proxy-policy
        edit
            set uuid
            set policyid
            set proxy {web | ftp | wanopt}
            config dstintf
                edit
                    set name
                end
            config srcaddr
                edit
                    set name
                end
            config dstaddr
                edit
                    set name
                end
            config service
                edit
                    set name
                end
            set srcaddr-negate {enable | disable}
            set dstaddr-negate {enable | disable}
            set service-negate {enable | disable}
            set action {accept | deny}
            set status {enable | disable}
            set schedule
            set logtraffic {all | utm | disable}
            config srcaddr6
                edit
                    set name
                end
            config dstaddr6
                edit
                    set name
                end
            set identity-based {enable | disable}
            set ip-based {enable | disable}
            set active-auth-method {ntlm | basic | digest | form | none}
            set sso-auth-method {fsso | rsso | none}
            set require-tfa {enable | disable}
            set web-auth-cookie {enable | disable}
            set transaction-based {enable | disable}
            config identity-based-policy
                edit
                    set id
                    set schedule
                    set logtraffic {all | utm | disable}
                    set logtraffic-start {enable | disable}
                    set scan-botnet-connections {disable | block | monitor}
                    set utm-status {enable | disable}
                    set profile-type {single | group}
                    set profile-group
                    set av-profile
                    set webfilter-profile
                    set spamfilter-profile
                    set dlp-sensor
                    set ips-sensor
                    set application-list
                    set casi-profile
                    set icap-profile
                    set waf-profile
                    set profile-protocol-options
                    set ssl-ssh-profile
                    config groups
                        edit
                            set name
                        end
                    config users
                        edit
                            set name
                        end
                    set disclaimer {disable | domain | policy | user}
                    set replacemsg-override-group
                end
            set webproxy-forward-server
            set webproxy-profile
            set transparent {enable | disable}
            set webcache {enable | dis