FortiOS - CLI Reference
VERSION 5.4.1
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
FEEDBACK
Email: techdocs@fortinet.com
June 3, 2016
FortiOS - CLI Reference
01-541-99686-20160603
Change Log
Date | Change Description
June 3, 2016 |
Introduction
This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI).
FortiGate model
Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support
the aggregate interface type option of the config system interface command.
Hardware configuration
For example, some AMC module commands are only available when an AMC module is installed.
reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see )
Enter C,R,T,F,I,B,Q,or H:
Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An
option value in square brackets at the end of the Enter line is the default value which you can enter simply by
pressing Return. For example,
Enter image download port number [WAN1]:
In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.
Loading firmware
The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.
You need to know the IP address of the server and the name of the firmware file to download.
The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the
downloaded firmware without saving it.
The options listed depend on the FortiGate model. Choose the network interface through which the TFTP
server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP
If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].
Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [192.168.1.188]:
This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same
subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:
[G]: Set local gateway.
The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the
FortiGate unit is connected.
After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the
firmware is copied:
Programming the boot device now.
................................................................
................................................................
If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press Y or y to boot default image.
config
Use the config commands to change your FortiGate's configuration.
The command branches and commands are in alphabetical order. The information in this section has been
extracted and formatted from FortiOS source code. The extracted information includes the command syntax,
command descriptions (extracted from CLI help) and default values. This is the first version of this content
produced in this way. You can send comments about this content to techdoc@fortinet.com.
alertemail/setting
CLI Syntax
config alertemail setting
edit <name_str>
set username <string>
set mailto1 <string>
set mailto2 <string>
set mailto3 <string>
set filter-mode {category | threshold}
set email-interval <integer>
set IPS-logs {enable | disable}
set firewall-authentication-failure-logs {enable | disable}
set HA-logs {enable | disable}
set IPsec-errors-logs {enable | disable}
set FDS-update-logs {enable | disable}
set PPP-errors-logs {enable | disable}
set sslvpn-authentication-errors-logs {enable | disable}
set antivirus-logs {enable | disable}
set webfilter-logs {enable | disable}
set configuration-changes-logs {enable | disable}
set violation-traffic-logs {enable | disable}
set admin-login-logs {enable | disable}
set FDS-license-expiring-warning {enable | disable}
set log-disk-usage-warning {enable | disable}
set fortiguard-log-quota-warning {enable | disable}
set amc-interface-bypass-mode {enable | disable}
set FIPS-CC-errors {enable | disable}
set FDS-license-expiring-days <integer>
set local-disk-usage <integer>
set emergency-interval <integer>
set alert-interval <integer>
set critical-interval <integer>
set error-interval <integer>
set warning-interval <integer>
set notification-interval <integer>
set information-interval <integer>
set debug-interval <integer>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
end
Description
Configuration | Description | Default Value
username | | (Empty)
mailto1 | | (Empty)
mailto2 | | (Empty)
mailto3 | | (Empty)
filter-mode | Filter mode. | category
email-interval | |
IPS-logs | | disable
firewall-authentication-failure-logs | | disable
HA-logs | Enable/disable HA Logs. | disable
IPsec-errors-logs | | disable
FDS-update-logs | | disable
PPP-errors-logs | | disable
sslvpn-authentication-errors-logs | | disable
antivirus-logs | | disable
webfilter-logs | | disable
configuration-changes-logs | | disable
violation-traffic-logs | | disable
admin-login-logs | | disable
FDS-license-expiring-warning | | disable
log-disk-usage-warning | | disable
fortiguard-log-quota-warning | | disable
amc-interface-bypass-mode | | disable
FIPS-CC-errors | | disable
FDS-license-expiring-days | | 15
local-disk-usage | | 75
emergency-interval | |
alert-interval | |
critical-interval | |
error-interval | |
warning-interval | | 10
notification-interval | | 20
information-interval | | 30
debug-interval | | 60
severity | | alert
antivirus/heuristic
CLI Syntax
config antivirus heuristic
edit <name_str>
set mode {pass | block | disable}
end
Description
Configuration | Description | Default Value
mode | | disable
antivirus/profile
CLI Syntax
config antivirus profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based}
set ftgd-analytics {disable | suspicious | everything}
set analytics-max-upload <integer>
set analytics-wl-filetype <integer>
set analytics-bl-filetype <integer>
set analytics-db {disable | enable}
set mobile-malware-db {disable | enable}
config http
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config ftp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config imap
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config pop3
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
Description
Configuration | Description | Default Value
name | Profile name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | | (Empty)
inspection-mode | Inspection mode. | flow-based
ftgd-analytics | | disable
analytics-max-upload | | 10
analytics-wl-filetype | |
analytics-bl-filetype | |
analytics-db | | disable
mobile-malware-db | | enable
http | HTTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
ftp | FTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
imap | IMAP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
pop3 | POP3. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
smtp | SMTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
mapi | MAPI. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
  executables | | default
nntp | NNTP. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
smb | SMB. | Details below
  options | | (Empty)
  archive-block | | (Empty)
  archive-log | | (Empty)
  emulator | | enable
nac-quar | Quarantine settings. | Details below
  infected | | none
  expiry | | 5m
  log | | disable
av-virus-log | | enable
av-block-log | | enable
scan-mode | | full
antivirus/quarantine
CLI Syntax
config antivirus quarantine
edit <name_str>
set agelimit <integer>
set maxfilesize <integer>
set quarantine-quota <integer>
set drop-infected {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-infected {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-heuristic {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-heuristic {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set lowspace {drop-new | ovrw-old}
set destination {NULL | disk | FortiAnalyzer}
end
Description
Configuration | Description | Default Value
agelimit | |
maxfilesize | |
quarantine-quota | Quarantine quota. |
drop-infected | | (Empty)
store-infected | |
drop-blocked | | (Empty)
store-blocked | |
drop-heuristic | | (Empty)
store-heuristic | |
lowspace | | ovrw-old
destination | | disk
antivirus/settings
CLI Syntax
config antivirus settings
edit <name_str>
set default-db {normal | extended | extreme}
set grayware {enable | disable}
end
Description
Configuration | Description | Default Value
default-db | | extended
grayware | | disable
application/custom
CLI Syntax
config application custom
edit <name_str>
set tag <string>
set name <string>
set id <integer>
set comment <string>
set signature <string>
set category <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
end
Description
Configuration | Description | Default Value
tag | Signature tag. | (Empty)
name | Application name. | (Empty)
id | Application ID. |
comment | Comment. | (Empty)
signature | Signature text. | (Empty)
category | |
protocol | Application protocol. | (Empty)
technology | Application technology. | (Empty)
behavior | Application behavior. | (Empty)
vendor | Application vendor. | (Empty)
application/list
CLI Syntax
config application list
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set other-application-action {pass | block}
set app-replacemsg {disable | enable}
set other-application-log {disable | enable}
set unknown-application-action {pass | block}
set unknown-application-log {disable | enable}
set p2p-black-list {skype | edonkey | bittorrent}
set deep-app-inspection {disable | enable}
set options {allow-dns | allow-icmp | allow-http | allow-ssl}
config entries
edit <name_str>
set id <integer>
config risk
edit <name_str>
set level <integer>
end
config category
edit <name_str>
set id <integer>
end
config sub-category
edit <name_str>
set id <integer>
end
config application
edit <name_str>
set id <integer>
end
set protocols <user>
set vendor <user>
set technology <user>
set behavior <user>
set popularity {1 | 2 | 3 | 4 | 5}
config tags
edit <name_str>
set name <string>
end
config parameters
edit <name_str>
set id <integer>
set value <string>
end
set action {pass | block | reset}
end
end
Description
Configuration | Description | Default Value
name | List name. | (Empty)
comment | Comments. | (Empty)
replacemsg-group | | (Empty)
other-application-action | | pass
app-replacemsg | | enable
other-application-log | | disable
unknown-application-action | | pass
unknown-application-log | | disable
p2p-black-list | | (Empty)
deep-app-inspection | | disable
options | Options. | allow-dns
entries | | (Empty)
application/name
CLI Syntax
config application name
edit <name_str>
set name <string>
set id <integer>
set category <integer>
set sub-category <integer>
set popularity <integer>
set risk <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
set parameter <string>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end
Description
Configuration | Description | Default Value
name | Application name. | (Empty)
id | Application ID. |
category | |
sub-category | |
popularity | Application popularity. |
risk | Application risk. |
protocol | Application protocol. | (Empty)
technology | Application technology. | (Empty)
behavior | Application behavior. | (Empty)
vendor | Application vendor. | (Empty)
parameter | | (Empty)
metadata | Meta data. | (Empty)
application/rule-settings
CLI Syntax
config application rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end
Description
Configuration | Description | Default Value
id | Rule ID. |
tags | | (Empty)
certificate/ca
CLI Syntax
config certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
ca | CA certificate. | (Empty)
range | CA certificate range. | global
source | CA certificate source. | user
trusted | | enable
scep-url | | (Empty)
auto-update-days | |
auto-update-days-warning | |
source-ip | | 0.0.0.0
certificate/crl
CLI Syntax
config certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
crl | | (Empty)
range | CRL range. | global
source | CRL source. | user
update-vdom | | root
ldap-server | LDAP server. | (Empty)
ldap-username | | (Empty)
ldap-password | | (Empty)
http-url | | (Empty)
scep-url | | (Empty)
scep-cert | | Fortinet_CA_SSL
update-interval | |
source-ip | | 0.0.0.0
certificate/local
CLI Syntax
config certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
password | Password. | (Empty)
comments | Comment. | (Empty)
private-key | Private key. | (Empty)
certificate | Certificate. | (Empty)
csr | | (Empty)
state | | (Empty)
scep-url | | (Empty)
range | Certificate range. | global
source | Certificate source. | user
auto-regenerate-days | |
auto-regenerate-days-warning | |
scep-password | | (Empty)
ca-identifier | | (Empty)
name-encoding | | printable
source-ip | | 0.0.0.0
ike-localid | | (Empty)
ike-localid-type | | asn1dn
dlp/filepattern
CLI Syntax
config dlp filepattern
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set filter-type {pattern | type}
set pattern <string>
set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
end
end
Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
dlp/fp-doc-source
CLI Syntax
config dlp fp-doc-source
edit <name_str>
set name <string>
set server-type {samba}
set server <string>
set period {none | daily | weekly | monthly}
set vdom {mgmt | current}
set scan-subdirectories {enable | disable}
set scan-on-creation {enable | disable}
set remove-deleted {enable | disable}
set keep-modified {enable | disable}
set username <string>
set password <password>
set file-path <string>
set file-pattern <string>
set sensitivity <string>
set tod-hour <integer>
set tod-min <integer>
set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set date <integer>
end
Description
Configuration | Description | Default Value
name | DLP Server. | (Empty)
server-type | DLP Server. | samba
server | | (Empty)
period | | none
vdom | | mgmt
scan-subdirectories | | enable
scan-on-creation | | enable
remove-deleted | | enable
keep-modified | | enable
username | Login username. | (Empty)
password | Login password. | (Empty)
file-path | | (Empty)
file-pattern | |
sensitivity | | (Empty)
tod-hour | |
tod-min | |
weekday | | sunday
date | |
dlp/fp-sensitivity
CLI Syntax
config dlp fp-sensitivity
edit <name_str>
set name <string>
end
Description
Configuration | Description | Default Value
name | | (Empty)
dlp/sensor
CLI Syntax
config dlp sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
config filter
edit <name_str>
set id <integer>
set name <string>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
set file-size <integer>
set company-identifier <string>
config fp-sensitivity
edit <name_str>
set name <string>
end
set match-percentage <integer>
set file-type <integer>
set regexp <string>
set archive {disable | enable}
set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
set expiry <user>
end
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set flow-based {enable | disable}
set options {}
set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | | (Empty)
filter | | (Empty)
dlp-log | | enable
nac-quar-log | | disable
flow-based | | disable
options | options |
full-archive-proto | | (Empty)
summary-proto | | (Empty)
dlp/settings
CLI Syntax
config dlp settings
edit <name_str>
set storage-device <string>
set size <integer>
set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
set cache-mem-percent <integer>
set chunk-size <integer>
end
Description
Configuration | Description | Default Value
storage-device | Storage name. | (Empty)
size | | 16
db-mode | | stop-adding
cache-mem-percent | |
chunk-size | | 2800
dnsfilter/profile
CLI Syntax
config dnsfilter profile
edit <name_str>
set name <string>
set comment <var-string>
config urlfilter
edit <name_str>
set urlfilter-table <integer>
end
config ftgd-dns
edit <name_str>
set options {error-allow | ftgd-disable}
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | monitor}
set log {enable | disable}
end
end
set log-all-url {enable | disable}
set sdns-ftgd-err-log {enable | disable}
set sdns-url-log {enable | disable}
set block-action {block | redirect}
set redirect-portal <ipv4-address>
set block-botnet {disable | enable}
end
Description
Configuration | Description | Default Value
name | Profile name. | (Empty)
comment | Comment. | (Empty)
urlfilter | | Details below
  urlfilter-table | | 0
ftgd-dns | FortiGuard DNS Filter settings. | Details below
  options | | (Empty)
  filters | | (Empty)
log-all-url | | disable
sdns-ftgd-err-log | | enable
sdns-url-log | | enable
block-action | | redirect
redirect-portal | | 0.0.0.0
block-botnet | | disable
dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {block | allow | monitor}
set status {enable | disable}
end
end
Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
endpoint-control/client
CLI Syntax
config endpoint-control client
edit <name_str>
set id <integer>
set ftcl-uid <string>
set src-ip <ipv4-address-any>
set src-mac <mac-address>
set info <user>
set ad-groups <var-string>
end
Description
Configuration | Description | Default Value
id | |
ftcl-uid | | (Empty)
src-ip | | 0.0.0.0
src-mac | | 00:00:00:00:00:00
info | | (Empty)
ad-groups | | (Empty)
endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
edit <name_str>
set peer-name <string>
set peer-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
peer-name | Peer name. | (Empty)
peer-ip | | 0.0.0.0
endpoint-control/profile
CLI Syntax
config endpoint-control profile
edit <name_str>
set profile-name <string>
config forticlient-winmac-settings
edit <name_str>
set compliance-action {block | warning | auto-update}
set forticlient-av {enable | disable}
set av-realtime-protection {enable | disable}
set av-signature-up-to-date {enable | disable}
set sandbox-analysis {enable | disable}
set sandbox-address <string>
set forticlient-application-firewall {enable | disable}
set forticlient-application-firewall-list <string>
set forticlient-system-compliance {enable | disable}
set forticlient-minimum-software-version {enable | disable}
set forticlient-win-ver <string>
set forticlient-mac-ver <string>
set os-av-software-installed {enable | disable}
config forticlient-operating-system
edit <name_str>
set id <integer>
set os-type {custom | mac_os | win_10 | win_svr_10 | win_81 | win_svr_2012_r2 | win_80 | win_svr_2012 | win_7 | win_svr_2008_r2 | win_vista | win_svr_2008 | win_svr_2003_r2 | win_sto_svr_2003 | win_home_svr | win_svr_2003 | win_xp | win_2000}
set os-name <string>
end
config forticlient-running-app
edit <name_str>
set id <integer>
set app-name <string>
set process-name <string>
set app-sha256-signature <string>
set process-name2 <string>
set app-sha256-signature2 <string>
set process-name3 <string>
set app-sha256-signature3 <string>
set process-name4 <string>
set app-sha256-signature4 <string>
end
config forticlient-registry-entry
edit <name_str>
set id <integer>
set registry-entry <string>
end
config forticlient-own-file
edit <name_str>
set id <integer>
Description
Configuration | Description | Default Value
profile-name | Profile name. | (Empty)
forticlient-winmac-settings | | Details below
  compliance-action | | auto-update
  forticlient-av | | disable
  av-realtime-protection | | disable
  av-signature-up-to-date | | disable
  sandbox-analysis | | disable
  sandbox-address | | (Empty)
  forticlient-application-firewall | | disable
  forticlient-application-firewall-list | | (Empty)
  forticlient-system-compliance | | enable
  forticlient-minimum-software-version | | disable
  forticlient-win-ver | | 5.4.1
  forticlient-mac-ver | | 5.4.1
  os-av-software-installed | | disable
  forticlient-operating-system | | (Empty)
  forticlient-running-app | | (Empty)
  forticlient-registry-entry | | (Empty)
  forticlient-own-file | | (Empty)
  forticlient-log-upload | | enable
  forticlient-log-upload-level | | traffic vulnerability event
  forticlient-log-upload-server | | (Empty)
  forticlient-wf | | disable
  forticlient-wf-profile | | default
  forticlient-vuln-scan | | enable
  forticlient-vuln-scan-enforce | | high
  forticlient-vuln-scan-enforce-grace | | 1
forticlient-android-settings | | Details below
  forticlient-wf | | disable
  forticlient-wf-profile | | (Empty)
  disable-wf-when-protected | | enable
  forticlient-vpn-provisioning | | disable
  forticlient-advanced-vpn | | disable
  forticlient-advanced-vpn-buffer | | (Empty)
  forticlient-vpn-settings | | (Empty)
forticlient-ios-settings | | Details below
  forticlient-wf | | disable
  forticlient-wf-profile | | (Empty)
  disable-wf-when-protected | | enable
  client-vpn-provisioning | | disable
  client-vpn-settings | | (Empty)
  distribute-configuration-profile | | disable
  configuration-name | | (Empty)
  configuration-content | | (Empty)
description | Description. | (Empty)
src-addr | Source addresses. | (Empty)
device-groups | Device groups. | (Empty)
users | Users. | (Empty)
user-groups | User groups. | (Empty)
on-net-addr | | (Empty)
replacemsg-override-group | | (Empty)
endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
edit <name_str>
set uid <string>
set vdom <string>
set ip <ipv4-address-any>
set mac <mac-address>
set status <integer>
set flag <integer>
set reg-fortigate <string>
end
Description
Configuration | Description | Default Value
uid | FortiClient UID. | (Empty)
vdom | Registering vdom. | (Empty)
ip | Endpoint IP address. | 0.0.0.0
mac | | 00:00:00:00:00:00
status | |
flag | |
reg-fortigate | | (Empty)
endpoint-control/settings
CLI Syntax
config endpoint-control settings
edit <name_str>
set forticlient-reg-key-enforce {enable | disable}
set forticlient-reg-key <password>
set forticlient-reg-timeout <integer>
set download-custom-link <string>
set download-location {fortiguard | custom}
set forticlient-keepalive-interval <integer>
set forticlient-sys-update-interval <integer>
set forticlient-avdb-update-interval <integer>
end
Description
Configuration | Description | Default Value
forticlient-reg-key-enforce | | disable
forticlient-reg-key | | (Empty)
forticlient-reg-timeout | |
download-custom-link | | (Empty)
download-location | | fortiguard
forticlient-keepalive-interval | | 60
forticlient-sys-update-interval | | 720
forticlient-avdb-update-interval | |
extender-controller/extender
CLI Syntax
config extender-controller extender
edit <name_str>
set id <string>
set admin {disable | discovered | enable}
set ifname <string>
set vdom <integer>
set role {none | primary | secondary}
set mode {standalone | redundant}
set dial-mode {dial-on-demand | always-connect}
set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
set redundant-intf <string>
set dial-status <integer>
set conn-status <integer>
set ext-name <string>
set description <string>
set quota-limit-mb <integer>
set billing-start-day <integer>
set at-dial-script <string>
set modem-passwd <password>
set initiated-update {enable | disable}
set modem-type {cdma | gsm/lte | wimax}
set ppp-username <string>
set ppp-password <password>
set ppp-auth-protocol {auto | pap | chap}
set ppp-echo-request {enable | disable}
set wimax-carrier <string>
set wimax-realm <string>
set wimax-auth-protocol {tls | ttls}
set sim-pin <password>
set access-point-name <string>
set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
set roaming {enable | disable}
set cdma-nai <string>
set aaa-shared-secret <password>
set ha-shared-secret <password>
set primary-ha <string>
set secondary-ha <string>
set cdma-aaa-spi <string>
set cdma-ha-spi <string>
end
Description
Configuration | Description | Default Value
id | | (Empty)
admin | | disable
ifname | | (Empty)
vdom | VDOM |
role | | none
mode | FortiExtender mode. | standalone
dial-mode | | always-connect
redial | | none
redundant-intf | Redundant interface. | (Empty)
dial-status | Dial status. |
conn-status | Connection status. |
ext-name | FortiExtender name. | (Empty)
description | Description. | (Empty)
quota-limit-mb | |
billing-start-day | |
at-dial-script | | (Empty)
modem-passwd | MODEM password. | (Empty)
initiated-update | | disable
modem-type | | gsm/lte
ppp-username | PPP username. | (Empty)
ppp-password | PPP password. | (Empty)
ppp-auth-protocol | | auto
ppp-echo-request | | disable
wimax-carrier | WiMax carrier. | (Empty)
wimax-realm | WiMax realm. | (Empty)
wimax-auth-protocol | | tls
sim-pin | SIM PIN. | (Empty)
access-point-name | | (Empty)
multi-mode | | auto
roaming | | disable
cdma-nai | | (Empty)
aaa-shared-secret | | (Empty)
ha-shared-secret | HA shared secret. | (Empty)
primary-ha | Primary HA. | (Empty)
secondary-ha | Secondary HA. | (Empty)
cdma-aaa-spi | | (Empty)
cdma-ha-spi | CDMA HA SPI. | (Empty)
firewall.ipmacbinding/setting
CLI Syntax
config firewall.ipmacbinding setting
edit <name_str>
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end
Description
Configuration | Description | Default Value
bindthroughfw | | disable
bindtofw | | disable
undefinedhost | | block
firewall.ipmacbinding/table
CLI Syntax
config firewall.ipmacbinding table
edit <name_str>
set seq-num <integer>
set ip <ipv4-address>
set mac <mac-address>
set name <string>
set status {enable | disable}
end
Description
Configuration | Description | Default Value
seq-num | Entry number. |
ip | IP address. | 0.0.0.0
mac | MAC address. | 00:00:00:00:00:00
name | | noname
status | | disable
firewall.schedule/group
CLI Syntax
config firewall.schedule group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set color <integer>
end
Description
Configuration | Description | Default Value
name | | (Empty)
member | | (Empty)
color | |
firewall.schedule/onetime
CLI Syntax
config firewall.schedule onetime
edit <name_str>
set name <string>
set start <user>
set end <user>
set color <integer>
set expiration-days <integer>
end
Description
Configuration | Description | Default Value
name | | (Empty)
start | | 00:00 2001/01/01
end | | 00:00 2001/01/01
color | |
expiration-days | |
firewall.schedule/recurring
CLI Syntax
config firewall.schedule recurring
edit <name_str>
set name <string>
set start <user>
set end <user>
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
set color <integer>
end
Description
Configuration | Description | Default Value
name | | (Empty)
start | Start time. | 00:00
end | End time. | 00:00
day | weekday | none
color | |
firewall.service/category
CLI Syntax
config firewall.service category
edit <name_str>
set name <string>
set comment <var-string>
end
Description
Configuration | Description | Default Value
name | | (Empty)
comment | Comment. | (Empty)
firewall.service/custom
CLI Syntax
config firewall.service custom
edit <name_str>
set name <string>
set explicit-proxy {enable | disable}
set category <string>
set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
set iprange <user>
set fqdn <string>
set protocol-number <integer>
set icmptype <integer>
set icmpcode <integer>
set tcp-portrange <user>
set udp-portrange <user>
set sctp-portrange <user>
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set session-ttl <integer>
set check-reset-range {disable | strict | default}
set comment <var-string>
set color <integer>
set visibility {enable | disable}
end
80
Description
Configuration
Description
Default Value
name
(Empty)
explicit-proxy
disable
category
Service category.
(Empty)
protocol
Protocol type.
TCP/UDP/SCTP
iprange
0.0.0.0
fqdn
(Empty)
protocol-number
IP protocol number.
icmptype
ICMP type.
(Empty)
icmpcode
ICMP code.
(Empty)
tcp-portrange
(Empty)
udp-portrange
(Empty)
sctp-portrange
(Empty)
tcp-halfclose-timer
tcp-halfopen-timer
tcp-timewait-timer
udp-idle-timer
session-ttl
check-reset-range
default
comment
Comment.
(Empty)
color
visibility
enable
81
firewall.service/group
CLI Syntax
config firewall.service group
    edit <name_str>
        set name <string>
        config member
            edit <name_str>
                set name <string>
            end
        set explicit-proxy {enable | disable}
        set comment <var-string>
        set color <integer>
    end
Description
Configuration | Description | Default Value
name | | (Empty)
member | | (Empty)
explicit-proxy | | disable
comment | Comment. | (Empty)
color | |
firewall.shaper/per-ip-shaper
CLI Syntax
config firewall.shaper per-ip-shaper
    edit <name_str>
        set name <string>
        set max-bandwidth <integer>
        set bandwidth-unit {kbps | mbps | gbps}
        set max-concurrent-session <integer>
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
    end
Description
Configuration | Description | Default Value
name | | (Empty)
max-bandwidth | |
bandwidth-unit | | kbps
max-concurrent-session | |
diffserv-forward | | disable
diffserv-reverse | | disable
diffservcode-forward | | 000000
diffservcode-rev | | 000000
firewall.shaper/traffic-shaper
CLI Syntax
config firewall.shaper traffic-shaper
    edit <name_str>
        set name <string>
        set guaranteed-bandwidth <integer>
        set maximum-bandwidth <integer>
        set bandwidth-unit {kbps | mbps | gbps}
        set priority {low | medium | high}
        set per-policy {disable | enable}
        set diffserv {enable | disable}
        set diffservcode <user>
    end
Description
Configuration | Description | Default Value
name | | (Empty)
guaranteed-bandwidth | |
maximum-bandwidth | |
bandwidth-unit | | kbps
priority | Traffic priority. | high
per-policy | | disable
diffserv | | disable
diffservcode | | 000000
firewall.ssl/setting
CLI Syntax
config firewall.ssl setting
    edit <name_str>
        set proxy-connect-timeout <integer>
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}
        set ssl-send-empty-frags {enable | disable}
        set no-matching-cipher-action {bypass | drop}
        set cert-cache-capacity <integer>
        set cert-cache-timeout <integer>
        set session-cache-capacity <integer>
        set session-cache-timeout <integer>
    end
Description
Configuration | Description | Default Value
proxy-connect-timeout | | 30
ssl-dh-bits | | 2048
ssl-send-empty-frags | | enable
no-matching-cipher-action | | bypass
cert-cache-capacity | | 200
cert-cache-timeout | | 10
session-cache-capacity | Obsolete. | 500
session-cache-timeout | | 20
firewall/address
CLI Syntax
config firewall address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set subnet <ipv4-classnet-any>
        set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set fqdn <string>
        set country <string>
        set wildcard-fqdn <string>
        set cache-ttl <integer>
        set wildcard <ipv4-classnet-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set allow-routing {enable | disable}
    end
Description
Configuration | Description | Default Value
name | Address name. | (Empty)
uuid | | 00000000-0000-0000-0000-000000000000
subnet | | 0.0.0.0 0.0.0.0
type | Type. | ipmask
start-ip | Start IP. | 0.0.0.0
end-ip | End IP. | 0.0.0.0
fqdn | | (Empty)
country | Country name. | (Empty)
wildcard-fqdn | Wildcard FQDN. | (Empty)
cache-ttl | |
wildcard | | 0.0.0.0 0.0.0.0
comment | Comment. | (Empty)
visibility | | enable
associated-interface | | (Empty)
color | |
tags | | (Empty)
allow-routing | | disable
firewall/address6
CLI Syntax
config firewall address6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {ipprefix | iprange}
        set ip6 <ipv6-network>
        set start-ip <ipv6-address>
        set end-ip <ipv6-address>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
    end
Description
Configuration | Description | Default Value
name | Address name. | (Empty)
uuid | | 00000000-0000-0000-0000-000000000000
type | Type. | ipprefix
ip6 | | ::/0
start-ip | Start IP. | ::
end-ip | End IP. | ::
visibility | | enable
color | |
tags | | (Empty)
comment | Comment. | (Empty)
firewall/addrgrp
CLI Syntax
config firewall addrgrp
    edit <name_str>
        set name <string>
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set allow-routing {enable | disable}
    end
Description
Configuration | Description | Default Value
name | | (Empty)
uuid | | 00000000-0000-0000-0000-000000000000
member | | (Empty)
comment | Comment. | (Empty)
visibility | | enable
color | |
tags | | (Empty)
allow-routing | |
firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set visibility {enable | disable}
        set color <integer>
        set comment <var-string>
        config member
            edit <name_str>
                set name <string>
            end
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration | Description | Default Value
name | | (Empty)
uuid | | 00000000-0000-0000-0000-000000000000
visibility | | enable
color | |
comment | Comment. | (Empty)
member | | (Empty)
tags | | (Empty)
firewall/auth-portal
CLI Syntax
config firewall auth-portal
    edit <name_str>
        config groups
            edit <name_str>
                set name <string>
            end
        set portal-addr <string>
        set portal-addr6 <string>
        set identity-based-route <string>
    end
Description
Configuration | Description | Default Value
groups | Group name. | (Empty)
portal-addr | | (Empty)
portal-addr6 | | (Empty)
identity-based-route | | (Empty)
firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        config orig-addr
            edit <name_str>
                set name <string>
            end
        config dst-addr
            edit <name_str>
                set name <string>
            end
        config nat-ippool
            edit <name_str>
                set name <string>
            end
        set protocol <integer>
        set orig-port <integer>
        set nat-port <user>
    end
Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | | enable
orig-addr | Original address. | (Empty)
dst-addr | Destination address. | (Empty)
nat-ippool | | (Empty)
protocol | Protocol (0 - 255). |
orig-port | Original port. |
nat-port | |
firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
    edit <name_str>
        set id <integer>
        set src <ipv4-address>
        set dst <ipv4-address>
        set netmask <ipv4-netmask>
    end
Description
Configuration | Description | Default Value
id | ID. |
src | Source IP. | 0.0.0.0
dst | Destination IP. | 0.0.0.0
netmask | Network mask. | 255.255.255.255
firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
            end
    end
Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | | enable
interface | Interface name. | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
service | Service name. | (Empty)
anomaly | Anomaly. | (Empty)
firewall/DoS-policy6
CLI Syntax
config firewall DoS-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        config anomaly
            edit <name_str>
                set name <string>
                set status {disable | enable}
                set log {enable | disable}
                set action {pass | block | proxy}
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
                set threshold <integer>
                set threshold(default) <integer>
            end
    end
Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | | enable
interface | Interface name. | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
service | Service name. | (Empty)
anomaly | Anomaly. | (Empty)
firewall/explicit-proxy-address
CLI Syntax
config firewall explicit-proxy-address
    edit <name_str>
        set name <string>
        set uuid <uuid>
        set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
        set host <string>
        set host-regex <string>
        set path <string>
        config category
            edit <name_str>
                set id <integer>
            end
        set method {get | post | put | head | connect | trace | options | delete}
        set ua {chrome | ms | firefox | safari | other}
        set header-name <string>
        set header <string>
        set case-sensitivity {disable | enable}
        config header-group
            edit <name_str>
                set id <integer>
                set header-name <string>
                set header <string>
                set case-sensitivity {disable | enable}
            end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
    end
Description
Configuration | Description | Default Value
name | Address name. | (Empty)
uuid | | 00000000-0000-0000-0000-000000000000
type | Address type. | url
host | Host address. | (Empty)
host-regex | | (Empty)
path | | (Empty)
category | | (Empty)
method | HTTP methods. | (Empty)
ua | User agent. | (Empty)
header-name | HTTP header. | (Empty)
header | | (Empty)
case-sensitivity | | disable
header-group | | (Empty)
color | |
tags | | (Empty)
comment | Comment. | (Empty)
visibility | | disable
firewall/explicit-proxy-addrgrp
CLI Syntax
config firewall explicit-proxy-addrgrp
    edit <name_str>
        set name <string>
        set type {src | dst}
        set uuid <uuid>
        config member
            edit <name_str>
                set name <string>
            end
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
        set comment <var-string>
        set visibility {enable | disable}
    end
Description
Configuration | Description | Default Value
name | | (Empty)
type | | src
uuid | | 00000000-0000-0000-0000-000000000000
member | | (Empty)
color | |
tags | | (Empty)
comment | Comment. | (Empty)
visibility | | disable
firewall/explicit-proxy-policy
CLI Syntax
config firewall explicit-proxy-policy
    edit <name_str>
        set uuid <uuid>
        set policyid <integer>
        set proxy {web | ftp | wanopt}
        config dstintf
            edit <name_str>
                set name <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        set logtraffic {all | utm | disable}
        config srcaddr6
            edit <name_str>
                set name <string>
            end
        config dstaddr6
            edit <name_str>
                set name <string>
            end
        set identity-based {enable | disable}
        set ip-based {enable | disable}
        set active-auth-method {ntlm | basic | digest | form | negotiate | none}
        set sso-auth-method {fsso | rsso | none}
        set require-tfa {enable | disable}
        set web-auth-cookie {enable | disable}
        set transaction-based {enable | disable}
        config identity-based-policy
            edit <name_str>
                set id <integer>
                set schedule <string>
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
Description
Configuration | Description | Default Value
uuid | | 00000000-0000-0000-0000-000000000000
policyid | Policy ID. |
proxy | | (Empty)
dstintf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
service | Service name. | (Empty)
srcaddr-negate | | disable
dstaddr-negate | | disable
service-negate | | disable
action | Policy action. | deny
status | | enable
schedule | Schedule name. | (Empty)
logtraffic | | utm
srcaddr6 | | (Empty)
dstaddr6 | | (Empty)
identity-based | | disable
ip-based | | disable
active-auth-method | | basic
sso-auth-method | | none
require-tfa | | disable
web-auth-cookie | | disable
transaction-based | | disable
identity-based-policy | Identity-based policy. | (Empty)
webproxy-forward-server | | (Empty)
webproxy-profile | | (Empty)
transparent | | disable
webcache | | disable
webcache-https | | disable
disclaimer | | disable
utm-status | | disable
profile-type | Profile type. | single
profile-group | Profile group. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | | (Empty)
spamfilter-profile | | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
waf-profile | | (Empty)
profile-protocol-options | | (Empty)
ssl-ssh-profile | | (Empty)
replacemsg-override-group | | (Empty)
logtraffic-start | | disable
tags | | (Empty)
label | | (Empty)
global-label | | (Empty)
scan-botnet-connections | | disable
comments | Comment. | (Empty)
firewall/identity-based-route
CLI Syntax
config firewall identity-based-route
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set gateway <ipv4-address>
                set device <string>
                config groups
                    edit <name_str>
                        set name <string>
                    end
            end
    end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Description/comments. | (Empty)
rule | Rule. | (Empty)
firewall/interface-policy
CLI Syntax
config firewall interface-policy
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        config service
            edit <name_str>
                set name <string>
            end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
    end
Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | | enable
logtraffic | | utm
address-type | | ipv4
interface | Interface name. | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
service | Service name. | (Empty)
application-list-status | | disable
application-list | | (Empty)
casi-profile-status | Enable/disable CASI. | disable
casi-profile | | (Empty)
ips-sensor-status | | disable
ips-sensor | | (Empty)
dsri | Enable/disable DSRI. | disable
av-profile-status | Enable/disable antivirus. | disable
av-profile | Antivirus profile. | (Empty)
webfilter-profile-status | | disable
webfilter-profile | | (Empty)
spamfilter-profile-status | | disable
spamfilter-profile | | (Empty)
dlp-sensor-status | | disable
dlp-sensor | DLP sensor. | (Empty)
scan-botnet-connections | | disable
label | Label. | (Empty)
firewall/interface-policy6
CLI Syntax
config firewall interface-policy6
    edit <name_str>
        set policyid <integer>
        set status {enable | disable}
        set logtraffic {all | utm | disable}
        set address-type {ipv4 | ipv6}
        set interface <string>
        config srcaddr6
            edit <name_str>
                set name <string>
            end
        config dstaddr6
            edit <name_str>
                set name <string>
            end
        config service6
            edit <name_str>
                set name <string>
            end
        set application-list-status {enable | disable}
        set application-list <string>
        set casi-profile-status {enable | disable}
        set casi-profile <string>
        set ips-sensor-status {enable | disable}
        set ips-sensor <string>
        set dsri {enable | disable}
        set av-profile-status {enable | disable}
        set av-profile <string>
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <string>
        set spamfilter-profile-status {enable | disable}
        set spamfilter-profile <string>
        set dlp-sensor-status {enable | disable}
        set dlp-sensor <string>
        set scan-botnet-connections {disable | block | monitor}
        set label <string>
    end
Description
Configuration | Description | Default Value
policyid | Policy ID. |
status | | enable
logtraffic | | utm
address-type | | ipv6
interface | Interface name. | (Empty)
srcaddr6 | | (Empty)
dstaddr6 | | (Empty)
service6 | Service name. | (Empty)
application-list-status | | disable
application-list | | (Empty)
casi-profile-status | Enable/disable CASI. | disable
casi-profile | | (Empty)
ips-sensor-status | | disable
ips-sensor | | (Empty)
dsri | Enable/disable DSRI. | disable
av-profile-status | Enable/disable antivirus. | disable
av-profile | Antivirus profile. | (Empty)
webfilter-profile-status | | disable
webfilter-profile | | (Empty)
spamfilter-profile-status | | disable
spamfilter-profile | | (Empty)
dlp-sensor-status | | disable
dlp-sensor | DLP sensor. | (Empty)
scan-botnet-connections | | disable
label | Label. | (Empty)
firewall/ip-translation
CLI Syntax
config firewall ip-translation
    edit <name_str>
        set transid <integer>
        set type {SCTP}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set map-startip <ipv4-address-any>
    end
Description
Configuration | Description | Default Value
transid | IP translation ID. |
type | IP translation type. | SCTP
startip | Start IP. | 0.0.0.0
endip | End IP. | 0.0.0.0
map-startip | | 0.0.0.0
firewall/ippool
CLI Syntax
config firewall ippool
    edit <name_str>
        set name <string>
        set type {overload | one-to-one | fixed-port-range | port-block-allocation}
        set startip <ipv4-address-any>
        set endip <ipv4-address-any>
        set source-startip <ipv4-address-any>
        set source-endip <ipv4-address-any>
        set block-size <integer>
        set num-blocks-per-user <integer>
        set permit-any-host {disable | enable}
        set arp-reply {disable | enable}
        set arp-intf <string>
        set comments <var-string>
    end
Description
Configuration | Description | Default Value
name | IP pool name. | (Empty)
type | IP pool type. | overload
startip | Start IP. | 0.0.0.0
endip | End IP. | 0.0.0.0
source-startip | | 0.0.0.0
source-endip | | 0.0.0.0
block-size | Block size. | 128
num-blocks-per-user | |
permit-any-host | | disable
arp-reply | | enable
arp-intf | | (Empty)
comments | Comment. | (Empty)
firewall/ippool6
CLI Syntax
config firewall ippool6
    edit <name_str>
        set name <string>
        set startip <ipv6-address>
        set endip <ipv6-address>
        set comments <var-string>
    end
Description
Configuration | Description | Default Value
name | | (Empty)
startip | Start IP. | ::
endip | End IP. | ::
comments | Comment. | (Empty)
firewall/ipv6-eh-filter
CLI Syntax
config firewall ipv6-eh-filter
    edit <name_str>
        set hop-opt {enable | disable}
        set dest-opt {enable | disable}
        set hdopt-type <integer>
        set routing {enable | disable}
        set routing-type <integer>
        set fragment {enable | disable}
        set auth {enable | disable}
        set no-next {enable | disable}
    end
Description
Configuration | Description | Default Value
hop-opt | | disable
dest-opt | | disable
hdopt-type | | (Empty)
routing | | enable
routing-type | |
fragment | | disable
auth | | disable
no-next | | disable
firewall/ldb-monitor
CLI Syntax
config firewall ldb-monitor
    edit <name_str>
        set name <string>
        set type {ping | tcp | http | passive-sip}
        set interval <integer>
        set timeout <integer>
        set retry <integer>
        set port <integer>
        set http-get <string>
        set http-match <string>
        set http-max-redirects <integer>
    end
Description
Configuration | Description | Default Value
name | Monitor name. | (Empty)
type | Monitor type. | (Empty)
interval | Detect interval. | 10
timeout | |
retry | |
port | Service port. |
http-get | | (Empty)
http-match | | (Empty)
http-max-redirects | |
firewall/local-in-policy
CLI Syntax
config firewall local-in-policy
    edit <name_str>
        set policyid <integer>
        set ha-mgmt-intf-only {enable | disable}
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
            end
        set schedule <string>
        set status {enable | disable}
    end
Description
Configuration | Description | Default Value
policyid | |
ha-mgmt-intf-only | | disable
intf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
action | | deny
service | Service name. | (Empty)
schedule | Schedule name. | (Empty)
status | | enable
firewall/local-in-policy6
CLI Syntax
config firewall local-in-policy6
    edit <name_str>
        set policyid <integer>
        set intf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        config service
            edit <name_str>
                set name <string>
            end
        set schedule <string>
        set status {enable | disable}
    end
Description
Configuration | Description | Default Value
policyid | |
intf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
action | | deny
service | Service name. | (Empty)
schedule | Schedule name. | (Empty)
status | | enable
firewall/multicast-address
CLI Syntax
config firewall multicast-address
    edit <name_str>
        set name <string>
        set type {multicastrange | broadcastmask}
        set subnet <ipv4-classnet-any>
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set comment <var-string>
        set visibility {enable | disable}
        set associated-interface <string>
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration | Description | Default Value
name | | (Empty)
type | Type. | multicastrange
subnet | | 0.0.0.0 0.0.0.0
start-ip | Start IP. | 0.0.0.0
end-ip | End IP. | 0.0.0.0
comment | Comment. | (Empty)
visibility | | enable
associated-interface | | (Empty)
color | |
tags | | (Empty)
firewall/multicast-address6
CLI Syntax
config firewall multicast-address6
    edit <name_str>
        set name <string>
        set ip6 <ipv6-network>
        set comment <var-string>
        set visibility {enable | disable}
        set color <integer>
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration | Description | Default Value
name | | (Empty)
ip6 | | ::/0
comment | Comment. | (Empty)
visibility | | enable
color | |
tags | | (Empty)
firewall/multicast-policy
CLI Syntax
config firewall multicast-policy
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set snat {enable | disable}
        set snat-ip <ipv4-address>
        set dnat <ipv4-address-any>
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
    end
Description
Configuration | Description | Default Value
id | Policy ID. |
status | | enable
logtraffic | | disable
srcintf | | (Empty)
dstintf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
snat | | disable
snat-ip | | 0.0.0.0
dnat | | 0.0.0.0
action | Policy action. | accept
protocol | Protocol number. |
start-port | |
end-port | | 65535
auto-asic-offload | | enable
firewall/multicast-policy6
CLI Syntax
config firewall multicast-policy6
    edit <name_str>
        set id <integer>
        set status {enable | disable}
        set logtraffic {enable | disable}
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set auto-asic-offload {enable | disable}
    end
Description
Configuration | Description | Default Value
id | Policy ID. |
status | | enable
logtraffic | | disable
srcintf | | (Empty)
dstintf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
action | Policy action. | accept
protocol | Protocol number. |
start-port | |
end-port | | 65535
auto-asic-offload | | enable
firewall/policy
CLI Syntax
config firewall policy
    edit <name_str>
        set policyid <integer>
        set name <string>
        set uuid <uuid>
        config srcintf
            edit <name_str>
                set name <string>
            end
        config dstintf
            edit <name_str>
                set name <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set rtp-nat {disable | enable}
        config rtp-addr
            edit <name_str>
                set name <string>
            end
        set learning-mode {enable | disable}
        set action {accept | deny | ipsec | ssl-vpn}
        set send-deny-packet {disable | enable}
        set firewall-session-dirty {check-all | check-new}
        set status {enable | disable}
        set schedule <string>
        set schedule-timeout {enable | disable}
        config service
            edit <name_str>
                set name <string>
            end
        set utm-status {enable | disable}
        set profile-type {single | group}
        set profile-group <string>
        set av-profile <string>
        set webfilter-profile <string>
        set dnsfilter-profile <string>
        set spamfilter-profile <string>
        set dlp-sensor <string>
        set ips-sensor <string>
        set application-list <string>

            edit <name_str>
                set name <string>
            end
        config devices
            edit <name_str>
                set name <string>
            end
        set auth-path {enable | disable}
        set disclaimer {enable | disable}
        set vpntunnel <string>
        set natip <ipv4-classnet>
        set match-vip {enable | disable}
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <user>
        set diffservcode-rev <user>
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        set label <string>
        set global-label <string>
        set auth-cert <string>
        set auth-redirect-addr <string>
        set redirect-url <string>
        set identity-based-route <string>
        set block-notification {enable | disable}
        config custom-log-fields
            edit <name_str>
                set field-id <string>
            end
        config tags
            edit <name_str>
                set name <string>
            end
        set replacemsg-override-group <string>
        set srcaddr-negate {enable | disable}
        set dstaddr-negate {enable | disable}
        set service-negate {enable | disable}
        set timeout-send-rst {enable | disable}
        set captive-portal-exempt {enable | disable}
        set ssl-mirror {enable | disable}
        config ssl-mirror-intf
            edit <name_str>
                set name <string>
            end
        set scan-botnet-connections {disable | block | monitor}
        set dsri {enable | disable}
        set delay-tcp-npu-sessoin {enable | disable}
    end
Description
Configuration | Description | Default Value
policyid | Policy ID. |
name | Policy name. | (Empty)
uuid | | 00000000-0000-0000-0000-000000000000
srcintf | | (Empty)
dstintf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
rtp-nat | | disable
rtp-addr | | (Empty)
learning-mode | | disable
action | Policy action. | deny
send-deny-packet | | disable
firewall-session-dirty | | check-all
status | | enable
schedule | Schedule name. | (Empty)
schedule-timeout | | disable
service | Service name. | (Empty)
utm-status | | disable
profile-type | Profile type. | single
profile-group | Profile group. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | | (Empty)
dnsfilter-profile | | (Empty)
spamfilter-profile | | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
voip-profile | VoIP profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
waf-profile | | (Empty)
profile-protocol-options | | (Empty)
ssl-ssh-profile | | (Empty)
logtraffic | | utm
logtraffic-start | | disable
capture-packet | | disable
auto-asic-offload | | enable
wanopt | | disable
wanopt-detection | | active
wanopt-passive-opt | | default
wanopt-profile | | (Empty)
wanopt-peer | | (Empty)
webcache | | disable
webcache-https | | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Traffic shaper. | (Empty)
per-ip-shaper | Per-IP shaper. | (Empty)
nat | | disable
permit-any-host | | disable
permit-stun-host | | disable
fixedport | | disable
ippool | | disable
poolname | | (Empty)
session-ttl | Session TTL. |
vlan-cos-fwd | | 255
vlan-cos-rev | | 255
inbound | | disable
outbound | | disable
natinbound | | disable
natoutbound | | disable
wccp | | disable
ntlm | | disable
ntlm-guest | | disable
ntlm-enabled-browsers | | (Empty)
fsso | | disable
wsso | | enable
rsso | | disable
fsso-agent-for-ntlm | | (Empty)
groups | | (Empty)
users | User name. | (Empty)
devices | | (Empty)
auth-path | | disable
disclaimer | | disable
vpntunnel | | (Empty)
natip | NAT address. | 0.0.0.0 0.0.0.0
match-vip | | disable
diffserv-forward | | disable
diffserv-reverse | | disable
diffservcode-forward | | 000000
diffservcode-rev | | 000000
tcp-mss-sender | |
tcp-mss-receiver | |
comments | Comment. | (Empty)
label | | (Empty)
global-label | | (Empty)
auth-cert | | (Empty)
auth-redirect-addr | | (Empty)
redirect-url | | (Empty)
identity-based-route | | (Empty)
block-notification | | disable
custom-log-fields | | (Empty)
tags | | (Empty)
replacemsg-override-group | | (Empty)
srcaddr-negate | | disable
dstaddr-negate | | disable
service-negate | | disable
timeout-send-rst | | disable
captive-portal-exempt | | disable
ssl-mirror | | disable
ssl-mirror-intf | | (Empty)
scan-botnet-connections | | disable
dsri | Enable/disable DSRI. | disable
delay-tcp-npu-sessoin | | disable
firewall/policy46
CLI Syntax
config firewall policy46
    edit <name_str>
        set permit-any-host {enable | disable}
        set policyid <integer>
        set uuid <uuid>
        set srcintf <string>
        set dstintf <string>
        config srcaddr
            edit <name_str>
                set name <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set action {accept | deny}
        set status {enable | disable}
        set schedule <string>
        config service
            edit <name_str>
                set name <string>
            end
        set logtraffic {enable | disable}
        set traffic-shaper <string>
        set traffic-shaper-reverse <string>
        set per-ip-shaper <string>
        set fixedport {enable | disable}
        set tcp-mss-sender <integer>
        set tcp-mss-receiver <integer>
        set comments <var-string>
        config tags
            edit <name_str>
                set name <string>
            end
    end
Description
Configuration | Description | Default Value
permit-any-host | | disable
policyid | Policy ID. |
uuid | | 00000000-0000-0000-0000-000000000000
srcintf | | (Empty)
dstintf | | (Empty)
srcaddr | | (Empty)
dstaddr | | (Empty)
action | Policy action. | deny
status | Policy status. | enable
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
logtraffic | | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | | (Empty)
per-ip-shaper | | (Empty)
fixedport | | disable
tcp-mss-sender | |
tcp-mss-receiver | |
comments | Comment. | (Empty)
tags | | (Empty)
firewall/policy6
CLI Syntax
config firewall policy6
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set schedule <string>
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
158
159
160
Description

Configuration                  Description                                      Default Value
policyid                       Policy ID.
name                           Policy name.                                     (Empty)
uuid                                                                            00000000-0000-0000-0000-000000000000
srcintf                                                                         (Empty)
dstintf                                                                         (Empty)
srcaddr                                                                         (Empty)
dstaddr                                                                         (Empty)
action                         Policy action.                                   deny
firewall-session-dirty                                                          check-all
status                                                                          enable
vlan-cos-fwd                                                                    255
vlan-cos-rev                                                                    255
schedule                       Schedule name.                                   (Empty)
service                        Service name.                                    (Empty)
utm-status                                                                      disable
profile-type                   Profile type.                                    single
profile-group                  Profile group.                                   (Empty)
av-profile                     Antivirus profile.                               (Empty)
webfilter-profile                                                               (Empty)
spamfilter-profile                                                              (Empty)
dlp-sensor                     DLP sensor.                                      (Empty)
ips-sensor                     IPS sensor.                                      (Empty)
application-list               Application list.                                (Empty)
casi-profile                   CASI profile.                                    (Empty)
voip-profile                   VoIP profile.                                    (Empty)
icap-profile                   ICAP profile.                                    (Empty)
profile-protocol-options                                                        (Empty)
ssl-ssh-profile                                                                 (Empty)
logtraffic                                                                      utm
logtraffic-start                                                                disable
auto-asic-offload                                                               enable
traffic-shaper                 Traffic shaper.                                  (Empty)
traffic-shaper-reverse         Traffic shaper.                                  (Empty)
per-ip-shaper                  Per-IP shaper.                                   (Empty)
nat                                                                             disable
fixedport                                                                       disable
ippool                                                                          disable
poolname                                                                        (Empty)
session-ttl                    Session TTL.
inbound                                                                         disable
outbound                                                                        disable
natinbound                                                                      disable
natoutbound                                                                     disable
send-deny-packet                                                                disable
vpntunnel                                                                       (Empty)
diffserv-forward                                                                disable
diffserv-reverse                                                                disable
diffservcode-forward                                                            000000
diffservcode-rev                                                                000000
tcp-mss-sender
tcp-mss-receiver
comments                       Comment.                                         (Empty)
label                                                                           (Empty)
global-label                                                                    (Empty)
rsso                                                                            disable
custom-log-fields                                                               (Empty)
tags                                                                            (Empty)
replacemsg-override-group                                                       (Empty)
srcaddr-negate                                                                  disable
dstaddr-negate                                                                  disable
service-negate                                                                  disable
groups                                                                          (Empty)
users                          User name.                                       (Empty)
devices                                                                         (Empty)
timeout-send-rst                                                                disable
ssl-mirror                                                                      disable
ssl-mirror-intf                                                                 (Empty)
dsri                           Enable/disable DSRI.                             disable
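Worked example of an inspected egress policy, added here as an illustration and not taken from the reference. It attaches the built-in `default` security profiles and the built-in `certificate-inspection` SSL/SSH profile to an outbound accept policy, switches `logtraffic` from its `utm` default to `all` so that every session is logged rather than only UTM events, and places an explicit, logged deny beneath it because the implicit deny logs nothing by default. Interface names `port1`/`port2` and the address object `LAN_NET` are assumptions. The reference writes table entries as `edit ... end`; the CLI itself closes each entry with `next` and the table with `end`. Lines starting with `#` are annotations for the reader and should be dropped when pasting into an interactive session.

```fortios
# Added example: inspected outbound policy followed by an explicit logged deny.
config firewall policy
    edit 10
        set name "lan-to-internet-inspected"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # utm-status defaults to disable; without it the profiles below are ignored.
        set utm-status enable
        set profile-type single
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        # certificate-inspection validates server certificates without re-signing traffic.
        set ssl-ssh-profile "certificate-inspection"
        # Default is utm: only security events are logged. all also logs allowed sessions.
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
    edit 11
        set name "lan-to-internet-deny-log"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # A deny policy only produces logs when logtraffic is set; the implicit deny does not.
        set logtraffic all
    next
end
```

Policies are matched top-down by position, so the deny must sit below the accept. `logtraffic-start` roughly doubles log volume because it writes a record at session open as well as at close; enable it only where a SIEM needs the earlier timestamp. `send-deny-packet` (default `disable`) controls whether the deny answers with a TCP RST / ICMP unreachable instead of silently dropping; silent drop is the quieter choice against scanners.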
firewall/policy64
CLI Syntax
config firewall policy64
edit <name_str>
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set permit-any-host {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end
Description

Configuration                  Description                                      Default Value
policyid                       Policy ID.
uuid                                                                            00000000-0000-0000-0000-000000000000
srcintf                                                                         (Empty)
dstintf                                                                         (Empty)
srcaddr                                                                         (Empty)
dstaddr                                                                         (Empty)
action                         Policy action.                                   deny
status                                                                          enable
schedule                       Schedule name.                                   (Empty)
service                        Service name.                                    (Empty)
logtraffic                                                                      disable
permit-any-host                                                                 disable
traffic-shaper                 Traffic shaper.                                  (Empty)
traffic-shaper-reverse                                                          (Empty)
per-ip-shaper                                                                   (Empty)
fixedport                                                                       disable
ippool                                                                          disable
poolname                                                                        (Empty)
tcp-mss-sender
tcp-mss-receiver
comments                       Comment.                                         (Empty)
tags                                                                            (Empty)
firewall/profile-group
CLI Syntax
config firewall profile-group
edit <name_str>
set name <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
end
Description

Configuration                  Description                                      Default Value
name                                                                            (Empty)
av-profile                     Antivirus profile.                               (Empty)
webfilter-profile                                                               (Empty)
dnsfilter-profile                                                               (Empty)
spamfilter-profile                                                              (Empty)
dlp-sensor                     DLP sensor.                                      (Empty)
ips-sensor                     IPS sensor.                                      (Empty)
application-list               Application list.                                (Empty)
casi-profile                   CASI profile.                                    (Empty)
voip-profile                   VoIP profile.                                    (Empty)
icap-profile                   ICAP profile.                                    (Empty)
waf-profile                                                                     (Empty)
profile-protocol-options                                                        (Empty)
ssl-ssh-profile                                                                 (Empty)
firewall/profile-protocol-options
CLI Syntax
config firewall profile-protocol-options
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set oversize-log {disable | enable}
set switching-protocols-log {disable | enable}
config http
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
set comfort-interval <integer>
set comfort-amount <integer>
set range-block {disable | enable}
set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
set fortinet-bar {enable | disable}
set fortinet-bar-port <integer>
set streaming-content-bypass {enable | disable}
set switching-protocols {bypass | block}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set block-page-status-code <integer>
set retry-count <integer>
end
config ftp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
set comfort-interval <integer>
set comfort-amount <integer>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config imap
edit <name_str>
end
config dns
edit <name_str>
set ports <integer>
set status {enable | disable}
end
config mail-signature
edit <name_str>
set status {disable | enable}
set signature <string>
end
set rpc-over-http {enable | disable}
end
Description

Configuration                  Description                                      Default Value
name                           Name.                                            (Empty)
comment                        Comment.                                         (Empty)
replacemsg-group                                                                (Empty)
oversize-log                                                                    disable
switching-protocols-log                                                         disable
http                           HTTP.                                            Details below
    ports                                                                       (Empty)
    status                                                                      enable
    inspect-all                                                                 disable
    options                                                                     (Empty)
    comfort-interval                                                            10
    comfort-amount                                                              1
    range-block                                                                 disable
    post-lang                                                                   (Empty)
    fortinet-bar                                                                disable
    fortinet-bar-port                                                           8011
    streaming-content-bypass                                                    enable
    switching-protocols                                                         bypass
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
    block-page-status-code                                                      200
    retry-count                                                                 0
ftp                            FTP.                                             Details below
    ports                                                                       (Empty)
    status                                                                      enable
    inspect-all                                                                 disable
    options                                                                     (Empty)
    comfort-interval                                                            10
    comfort-amount                                                              1
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
imap                           IMAP.                                            Details below
    ports                                                                       (Empty)
    status                                                                      enable
    inspect-all                                                                 disable
    options                                                                     (Empty)
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
mapi                           MAPI.                                            Details below
    ports                                                                       (Empty)
    status                                                                      enable
    options                                                                     (Empty)
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
pop3                           POP3.                                            Details below
    ports                                                                       (Empty)
    status                                                                      enable
    inspect-all                                                                 disable
    options                                                                     (Empty)
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
smtp                           SMTP.                                            Details below
    ports                                                                       (Empty)
    status                                                                      enable
    inspect-all                                                                 disable
    options                                                                     (Empty)
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
    server-busy                                                                 disable
nntp                           NNTP.                                            Details below
    ports                                                                       (Empty)
    status                                                                      enable
    inspect-all                                                                 disable
    options                                                                     (Empty)
    oversize-limit                                                              10
    uncompressed-oversize-limit                                                 10
    uncompressed-nest-limit                                                     12
    scan-bzip2                                                                  enable
dns                            DNS.                                             Details below
    ports                                                                       (Empty)
    status                                                                      enable
mail-signature                 Mail signature.                                  Details below
    status                                                                      disable
    signature                                                                   (Empty)
rpc-over-http                  Enable/disable inspection of RPC over HTTP.      enable
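The defaults in the table above are permissive in three places worth noticing: `options` is empty, so a file larger than `oversize-limit` (in MB) is passed without being scanned; `oversize-log` and `switching-protocols-log` are `disable`, so those bypasses leave no trace; and `switching-protocols` is `bypass`, so a client can upgrade a connection out of the proxy. The following profile, added here as an example rather than copied from the reference, turns each of those into a block or a log. `#` lines are annotations for the reader.

```fortios
# Added example: protocol options that fail closed instead of bypassing the scanner.
config firewall profile-protocol-options
    edit "strict-proxy-opts"
        set comment "Block what the AV/DLP scanner cannot fully inspect"
        # Both log switches default to disable, so bypasses are otherwise invisible.
        set oversize-log enable
        set switching-protocols-log enable
        config http
            set ports 80 8080
            # Without the oversize option, files above oversize-limit pass unscanned.
            set options oversize no-content-summary
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            # Nested-archive depth bound; deeper archives are treated as oversize.
            set uncompressed-nest-limit 12
            set scan-bzip2 enable
            # Default bypass lets a protocol upgrade (e.g. to WebSocket) leave the proxy.
            set switching-protocols block
            # Default enable exempts streaming content from scanning.
            set streaming-content-bypass disable
            # Default 200 hides a block from scripts and monitoring; 403 makes it explicit.
            set block-page-status-code 403
        end
        config ftp
            set ports 21
            set options oversize
            set oversize-limit 10
        end
        config smtp
            set ports 25
            set options oversize
            set oversize-limit 10
            # Answer busy to the client instead of relaying mail unscanned when saturated.
            set server-busy enable
        end
    next
end
```

Attach the profile to a policy with `set profile-protocol-options "strict-proxy-opts"` under `config firewall policy`. Disabling `streaming-content-bypass` and blocking oversize files both trade availability for coverage: large legitimate downloads and media streams will be refused, so stage the profile on a pilot policy and watch the `oversize-log` events before applying it broadly.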
firewall/shaping-policy
CLI Syntax
config firewall shaping-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set ip-version {4 | 6}
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
config application
edit <name_str>
set id <integer>
end
config app-category
edit <name_str>
set id <integer>
end
config url-category
edit <name_str>
set id <integer>
end
config dstintf
edit <name_str>
Description

Configuration                  Description                                      Default Value
id
status                                                                          enable
ip-version                     IP version.
srcaddr                        Source address.                                  (Empty)
dstaddr                        Destination address.                             (Empty)
srcaddr6                                                                        (Empty)
dstaddr6                                                                        (Empty)
service                        Service name.                                    (Empty)
users                          User name.                                       (Empty)
groups                                                                          (Empty)
application                    Application ID list.                             (Empty)
app-category                                                                    (Empty)
url-category                                                                    (Empty)
dstintf                                                                         (Empty)
traffic-shaper                                                                  (Empty)
traffic-shaper-reverse                                                          (Empty)
per-ip-shaper                  Per-IP shaper.                                   (Empty)
firewall/sniffer
CLI Syntax
config firewall sniffer
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set ipv6 {enable | disable}
set non-ip {enable | disable}
set interface <string>
set host <string>
set port <string>
set protocol <string>
set vlan <string>
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set ips-dos-status {enable | disable}
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
set scan-botnet-connections {disable | block | monitor}
set max-packet-count <integer>
end
Description

Configuration                  Description                                      Default Value
id                             Sniffer ID.
status                                                                          enable
logtraffic                                                                      utm
ipv6                                                                            disable
non-ip                                                                          disable
interface                      Interface name.                                  (Empty)
host                                                                            (Empty)
port                           Port list.                                       (Empty)
protocol                       IP protocol list.                                (Empty)
vlan                           VLAN list.                                       (Empty)
application-list-status                                                         disable
application-list                                                                (Empty)
casi-profile-status            Enable/disable CASI.                             disable
casi-profile                                                                    (Empty)
ips-sensor-status                                                               disable
ips-sensor                                                                      (Empty)
dsri                           Enable/disable DSRI.                             disable
av-profile-status              Enable/disable antivirus.                        disable
av-profile                     Antivirus profile.                               (Empty)
webfilter-profile-status                                                        disable
webfilter-profile                                                               (Empty)
spamfilter-profile-status                                                       disable
spamfilter-profile                                                              (Empty)
dlp-sensor-status                                                               disable
dlp-sensor                     DLP sensor.                                      (Empty)
ips-dos-status                                                                  disable
anomaly                        Configure anomaly.                               (Empty)
scan-botnet-connections                                                         disable
max-packet-count                                                                4000
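A sniffer policy turns a port fed from a switch SPAN/mirror session into a one-arm IDS. The example below is added here for illustration and is not from the reference; it assumes `port5` is the mirror port and uses the built-in `default` IPS sensor and application list. The `ips-sniffer-mode` setting belongs to `config system interface` (covered elsewhere in this reference) and must be enabled before the port can be named in a sniffer policy. Anomaly names such as `tcp_syn_flood` are the standard FortiOS DoS anomaly identifiers; thresholds are assumptions to tune against your baseline. `#` lines are annotations for the reader.

```fortios
# Added example: one-arm IDS on a dedicated sniffer interface.
config system interface
    edit "port5"
        # Puts the port in promiscuous, non-forwarding sniffer mode.
        set ips-sniffer-mode enable
    next
end
config firewall sniffer
    edit 1
        set status enable
        # Default utm logs only security events; all also records every session seen.
        set logtraffic all
        set interface "port5"
        # Defaults are disable: without these, IPv6 and non-IP frames are silently ignored.
        set ipv6 enable
        set non-ip enable
        set ips-sensor-status enable
        set ips-sensor "default"
        set application-list-status enable
        set application-list "default"
        # DoS anomaly detection is off unless ips-dos-status is enabled.
        set ips-dos-status enable
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
        end
        # Default disable: monitor logs outbound connections to known C2 without blocking.
        set scan-botnet-connections monitor
        # Packets to sample per flow for logging (default 4000).
        set max-packet-count 4000
    next
end
```

Because the sniffer sees a copy of the traffic, nothing here can actually drop a packet: `action block` and `scan-botnet-connections block` are recorded in the log as the action that would have been taken, which makes sniffer mode the right place to tune thresholds and sensor noise before moving the same sensor onto an inline `firewall policy`.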
firewall/ssl-server
CLI Syntax
config firewall ssl-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set port <integer>
set ssl-mode {half | full}
set add-header-x-forwarded-proto {enable | disable}
set mapped-port <integer>
set ssl-cert <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-send-empty-frags {enable | disable}
set url-rewrite {enable | disable}
end
Description

Configuration                  Description                                      Default Value
name                           Server name.                                     (Empty)
ip                             Server IP address.                               0.0.0.0
port                                                                            443
ssl-mode                                                                        full
add-header-x-forwarded-proto                                                    enable
mapped-port                                                                     80
ssl-cert                                                                        Fortinet_CA_SSL
ssl-dh-bits                                                                     2048
ssl-algorithm                                                                   high
ssl-client-renegotiation                                                        allow
ssl-min-version                                                                 tls-1.0
ssl-max-version                                                                 tls-1.2
ssl-send-empty-frags                                                            enable
url-rewrite                                                                     disable
firewall/ssl-ssh-profile
CLI Syntax
config firewall ssl-ssh-profile
edit <name_str>
set name <string>
set comment <var-string>
config ssl
edit <name_str>
set inspect-all {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config https
edit <name_str>
set ports <integer>
set status {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ftps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config imaps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config pop3s
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config smtps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ssh
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set inspect-all {disable | deep-inspection | enable}
set block {x11-filter | ssh-shell | exec | port-forward}
set log {x11-filter | ssh-shell | exec | port-forward}
end
set whitelist {enable | disable}
config ssl-exempt
edit <name_str>
set id <integer>
set type {fortiguard-category | address | address6}
set fortiguard-category <integer>
set address <string>
set address6 <string>
end
set server-cert-mode {re-sign | replace}
set use-ssl-server {disable | enable}
set caname <string>
set untrusted-caname <string>
set certname <string>
set server-cert <string>
config ssl-server
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set https-client-cert-request {bypass | inspect | block}
set smtps-client-cert-request {bypass | inspect | block}
set pop3s-client-cert-request {bypass | inspect | block}
set imaps-client-cert-request {bypass | inspect | block}
set ftps-client-cert-request {bypass | inspect | block}
set ssl-other-client-cert-request {bypass | inspect | block}
end
set ssl-invalid-server-cert-log {disable | enable}
set rpc-over-https {enable | disable}
set mapi-over-https {enable | disable}
end
Description

Configuration                  Description                                      Default Value
name                           Name.                                            (Empty)
comment                        Comment.                                         (Empty)
ssl                                                                             Details below
    inspect-all                                                                 disable
    client-cert-request                                                         bypass
    unsupported-ssl                                                             bypass
    allow-invalid-server-cert                                                   disable
    untrusted-cert                                                              allow
https                                                                           Details below
    ports                                                                       (Empty)
    status                                                                      deep-inspection
    client-cert-request                                                         bypass
    unsupported-ssl                                                             bypass
    allow-invalid-server-cert                                                   disable
    untrusted-cert                                                              allow
ftps                                                                            Details below
    ports                                                                       (Empty)
    status                                                                      deep-inspection
    client-cert-request                                                         bypass
    unsupported-ssl                                                             bypass
    allow-invalid-server-cert                                                   disable
    untrusted-cert                                                              allow
imaps                                                                           Details below
    ports                                                                       (Empty)
    status                                                                      deep-inspection
    client-cert-request                                                         inspect
    unsupported-ssl                                                             bypass
    allow-invalid-server-cert                                                   disable
    untrusted-cert                                                              allow
pop3s                                                                           Details below
    ports                                                                       (Empty)
    status                                                                      deep-inspection
    client-cert-request                                                         inspect
    unsupported-ssl                                                             bypass
    allow-invalid-server-cert                                                   disable
    untrusted-cert                                                              allow
smtps                                                                           Details below
    ports                                                                       (Empty)
    status                                                                      deep-inspection
    client-cert-request                                                         inspect
    unsupported-ssl                                                             bypass
    allow-invalid-server-cert                                                   disable
    untrusted-cert                                                              allow
ssh                                                                             Details below
    ports                                                                       (Empty)
    status                                                                      deep-inspection
    inspect-all                                                                 disable
    block                                                                       (Empty)
    log                                                                         (Empty)
whitelist                                                                       disable
ssl-exempt                                                                      (Empty)
server-cert-mode                                                                re-sign
use-ssl-server                                                                  disable
caname                                                                          Fortinet_CA_SSL
untrusted-caname                                                                Fortinet_CA_Untrusted
certname                       Certificate containing the key to use when       Fortinet_SSL
                               resigning server certificates for SSL inspection.
server-cert                                                                     Fortinet_SSL
ssl-server                     SSL servers.                                     (Empty)
ssl-invalid-server-cert-log                                                     disable
rpc-over-https                                                                  enable
mapi-over-https                                                                 enable
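Two defaults in this table decide how much the re-signing proxy trusts the other end: `untrusted-cert allow` re-signs a server certificate that failed chain validation (with `untrusted-caname`, so the client sees a warning), and `unsupported-ssl bypass` passes sessions the proxy cannot parse without inspecting them. The profile below, added here as an example and not part of the reference, sets both to `block` so that what cannot be validated is refused, exempts the categories where re-signing is normally unacceptable, and uses the SSH side of the profile to stop tunnelling. The address object `pinned-update-servers` is an assumption; the FortiGuard category numbers are annotated and should be confirmed on the unit. `#` lines are annotations for the reader.

```fortios
# Added example: outbound deep inspection that fails closed on untrusted or uninspectable TLS.
config firewall ssl-ssh-profile
    edit "deep-inspection-strict"
        set comment "Re-sign outbound TLS; block untrusted and unsupported sessions"
        config https
            set ports 443 8443
            set status deep-inspection
            # A server asking for a client certificate cannot be re-signed; bypass rather than break.
            set client-cert-request bypass
            # Defaults are bypass / allow: fail closed instead.
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config smtps
            set ports 465
            set status deep-inspection
            set untrusted-cert block
        end
        config imaps
            set ports 993
            set status deep-inspection
            set untrusted-cert block
        end
        config pop3s
            set ports 995
            set status deep-inspection
            set untrusted-cert block
        end
        config ssh
            set ports 22
            set status deep-inspection
            # Port forwarding and X11 are the usual paths for tunnelling through SSH.
            set block port-forward x11-filter
            set log ssh-shell exec port-forward x11-filter
        end
        # Sites on the FortiGuard reputation whitelist skip re-signing.
        set whitelist enable
        config ssl-exempt
            # 31 = Finance and Banking, 33 = Health and Wellness (FortiGuard category IDs; verify on the unit).
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type fortiguard-category
                set fortiguard-category 33
            next
            # Clients that pin certificates break under re-signing; exempt them by address object.
            edit 3
                set type address
                set address "pinned-update-servers"
            next
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        # Default disable: turn on so blocked or invalid server certificates are visible in the logs.
        set ssl-invalid-server-cert-log enable
    next
end
```

Re-signing only works if every client trusts the CA named in `caname`; in production that is normally a subordinate CA issued by the enterprise PKI and imported under `config vpn certificate local`, rather than the factory `Fortinet_CA_SSL`. With `untrusted-cert block` the `untrusted-caname` CA is never used, but leave it configured so a later change back to `allow` does not silently produce a profile that re-signs failed chains with the trusted CA.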
firewall/ttl-policy
CLI Syntax
config firewall ttl-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set action {accept | deny}
set srcintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set schedule <string>
set ttl <user>
end
Description

Configuration                  Description                                      Default Value
id                             ID.
status                                                                          enable
action                         Action.                                          deny
srcintf                                                                         (Empty)
srcaddr                                                                         (Empty)
service                        Service name.                                    (Empty)
schedule                       Schedule name.                                   (Empty)
ttl                            TTL range.                                       (Empty)
firewall/vip
CLI Syntax
config firewall vip
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
set dns-mapping-ttl <integer>
set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
config mappedip
edit <name_str>
set range <string>
end
set mapped-addr <string>
set extintf <string>
set arp-reply {disable | enable}
set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
set persistence {none | http-cookie | ssl-session-id}
set nat-source-vip {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp | icmp}
set extport <user>
set mappedport <user>
set gratuitous-arp-interval <integer>
config srcintf-filter
edit <name_str>
set interface-name <string>
end
set portmapping-type {1-to-1 | m-to-n}
config realservers
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set port <integer>
set status {active | standby | disable}
set weight <integer>
set holddown-interval <integer>
set healthcheck {disable | enable | vip}
set http-host <string>
set max-connections <integer>
SHA | TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-server-algorithm {high | medium | low | custom | client}
config ssl-server-cipher-suites
edit <name_str>
set priority <integer>
set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-AES-128-CBC-SHA | TLS-DHE-RSA-WITH-AES-256-CBC-SHA | TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-DHE-DSS-WITH-AES-128-CBC-SHA | TLS-DHE-DSS-WITH-AES-256-CBC-SHA | TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 | TLS-RSA-WITH-AES-128-CBC-SHA | TLS-RSA-WITH-AES-256-CBC-SHA | TLS-RSA-WITH-AES-128-CBC-SHA256 | TLS-RSA-WITH-AES-128-GCM-SHA256 | TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-SEED-CBC-SHA | TLS-DHE-DSS-WITH-SEED-CBC-SHA | TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 | TLS-RSA-WITH-SEED-CBC-SHA | TLS-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-RC4-128-SHA | TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-RC4-128-MD5 | TLS-RSA-WITH-RC4-128-SHA | TLS-DHE-RSA-WITH-DES-CBC-SHA | TLS-DHE-DSS-WITH-DES-CBC-SHA | TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
set ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
set ssl-send-empty-frags {enable | disable}
set ssl-client-fallback {disable | enable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-client-session-state-type {disable | time | count | both}
set ssl-client-session-state-timeout <integer>
set ssl-client-session-state-max <integer>
set ssl-server-session-state-type {disable | time | count | both}
set ssl-server-session-state-timeout <integer>
set ssl-server-session-state-max <integer>
set ssl-http-location-conversion {enable | disable}
set ssl-http-match-host {enable | disable}
set monitor <string>
set max-embryonic-connections <integer>
set color <integer>
end
Description

Configuration                  Description                                      Default Value
name                           Virtual IP name.                                 (Empty)
id
uuid                                                                            00000000-0000-0000-0000-000000000000
comment                        Comment.                                         (Empty)
type                                                                            static-nat
dns-mapping-ttl
ldb-method                                                                      static
src-filter                                                                      (Empty)
extip                                                                           0.0.0.0
mappedip                                                                        (Empty)
mapped-addr                    Mapped address.                                  (Empty)
extintf                        External interface.                              (Empty)
arp-reply                                                                       enable
server-type                    Server type.                                     (Empty)
persistence                    Persistence.                                     none
nat-source-vip                                                                  disable
portforward                                                                     disable
protocol                                                                        tcp
extport
mappedport
gratuitous-arp-interval
srcintf-filter                                                                  (Empty)
portmapping-type                                                                1-to-1
realservers                    Real servers.                                    (Empty)
http-cookie-domain-from-host                                                    disable
http-cookie-domain                                                              (Empty)
http-cookie-path                                                                (Empty)
http-cookie-generation
http-cookie-age                                                                 60
http-cookie-share                                                               same-ip
https-cookie-secure                                                             disable
http-multiplex                                                                  disable
http-ip-header                                                                  disable
http-ip-header-name                                                             (Empty)
outlook-web-access                                                              disable
weblogic-server                                                                 disable
websphere-server                                                                disable
ssl-mode                                                                        half
ssl-certificate                                                                 (Empty)
ssl-dh-bits                                                                     2048
ssl-algorithm                                                                   high
ssl-cipher-suites                                                               (Empty)
ssl-server-algorithm                                                            client
ssl-server-cipher-suites                                                        (Empty)
ssl-pfs                                                                         allow
ssl-min-version                                                                 tls-1.0
ssl-max-version                                                                 tls-1.2
ssl-server-min-version                                                          client
ssl-server-max-version                                                          client
ssl-send-empty-frags                                                            enable
ssl-client-fallback                                                             enable
ssl-client-renegotiation                                                        allow
ssl-client-session-state-type                                                   both
ssl-client-session-state-timeout                                                30
ssl-client-session-state-max                                                    1000
ssl-server-session-state-type                                                   both
ssl-server-session-state-timeout                                                60
ssl-server-session-state-max                                                    100
ssl-http-location-conversion                                                    disable
ssl-http-match-host                                                             disable
monitor                        Health monitors.                                 (Empty)
max-embryonic-connections                                                       1000
color
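The TLS defaults of a `server-load-balance` VIP are `ssl-min-version tls-1.0`, `ssl-pfs allow`, `ssl-client-renegotiation allow` and the `high` algorithm set, and `ssl-mode half` sends decrypted traffic to the real servers in clear. The example below, added here and not taken from the reference, fronts two web servers with TLS 1.2 only, forward-secret ECDHE suites chosen explicitly from the `ssl-cipher-suites` list, client renegotiation refused, re-encryption to the back end, a Secure flag on the persistence cookie, and a health monitor. The `ldb-monitor` object is documented in its own section of this reference; the certificate `web-example-com`, the interface names and all addresses are assumptions. `#` lines are annotations for the reader.

```fortios
# Added example: HTTPS load-balancing VIP with TLS 1.2-only, PFS-only offload.
config firewall ldb-monitor
    edit "https-health"
        set type https
        set interval 10
        set timeout 2
        set retry 3
        set port 443
        set http-get "/healthz"
        set http-match "ok"
    next
end
config firewall vip
    edit "vip-web-https"
        set comment "TLS offload for two web servers"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ldb-method least-session
        set persistence http-cookie
        # Default disable: without it the persistence cookie is sent without the Secure flag.
        set https-cookie-secure enable
        set monitor "https-health"
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 443
                set healthcheck vip
            next
            edit 2
                set ip 10.0.0.12
                set port 443
                set healthcheck vip
            next
        end
        # full re-encrypts to the real servers; the default half forwards plaintext.
        set ssl-mode full
        set ssl-certificate "web-example-com"
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
        # Default allow also accepts static-RSA key exchange; require forces (EC)DHE.
        set ssl-pfs require
        # Client-initiated renegotiation is a CPU-exhaustion vector; default is allow.
        set ssl-client-renegotiation deny
        # Honour TLS_FALLBACK_SCSV so a downgrade attempt is rejected (default enable).
        set ssl-client-fallback enable
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                set versions tls-1.2
            next
            edit 2
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
                set versions tls-1.2
            next
            edit 3
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                set versions tls-1.2
            next
        end
        # Back-end leg: default client mirrors the client-side settings; pin it explicitly.
        set ssl-server-algorithm high
        set ssl-server-min-version tls-1.2
    next
end
config firewall policy
    edit 20
        set name "inbound-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

The cipher suites must match the key type of `ssl-certificate`: the `TLS-ECDHE-RSA-*` suites above assume an RSA certificate, and an ECDSA certificate needs the `TLS-ECDHE-ECDSA-*` entries from the list instead. `ssl-client-renegotiation secure` is the middle setting if a client population still needs renegotiation and can do it per RFC 5746.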
firewall/vip46
CLI Syntax
config firewall vip46
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description

Configuration                  Description                                      Default Value
name                           VIP46 name.                                      (Empty)
id
uuid                                                                            00000000-0000-0000-0000-000000000000
comment                        Comment.                                         (Empty)
src-filter                                                                      (Empty)
extip                          Start-external-IP [-End-external-IP].            0.0.0.0
mappedip                                                                        ::
arp-reply                                                                       enable
portforward                                                                     disable
protocol                                                                        tcp
extport
mappedport
color
firewall/vip6
CLI Syntax
config firewall vip6
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description

Configuration                  Description                                      Default Value
name                                                                            (Empty)
id
uuid                                                                            00000000-0000-0000-0000-000000000000
comment                        Comment.                                         (Empty)
type                                                                            static-nat
src-filter                                                                      (Empty)
extip                                                                           ::
mappedip                                                                        ::
arp-reply                                                                       enable
portforward                                                                     disable
protocol                                                                        tcp
extport
mappedport
color
firewall/vip64
CLI Syntax
config firewall vip64
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end
Description

Configuration                  Description                                      Default Value
name                           VIP64 name.                                      (Empty)
id
uuid                                                                            00000000-0000-0000-0000-000000000000
comment                        Comment.                                         (Empty)
src-filter                                                                      (Empty)
extip                          Start-external-IP [-End-external-IP].            ::
mappedip                       Start-mapped-IP [-End-mapped-IP].                0.0.0.0
arp-reply                                                                       enable
portforward                                                                     disable
protocol                                                                        tcp
extport
mappedport
color
firewall/vipgrp
CLI Syntax
config firewall vipgrp
edit <name_str>
set name <string>
set uuid <uuid>
set interface <string>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description

Configuration                  Description                                      Default Value
name                                                                            (Empty)
uuid                                                                            00000000-0000-0000-0000-000000000000
interface                                                                       (Empty)
color
comments                       Comment.                                         (Empty)
member                                                                          (Empty)
firewall/vipgrp46
CLI Syntax
config firewall vipgrp46
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description

Configuration                  Description                                      Default Value
name                                                                            (Empty)
uuid                                                                            00000000-0000-0000-0000-000000000000
color
comments                       Comment.                                         (Empty)
member                                                                          (Empty)
firewall/vipgrp6
CLI Syntax
config firewall vipgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description

Configuration                  Description                                      Default Value
name                                                                            (Empty)
uuid                                                                            00000000-0000-0000-0000-000000000000
color
comments                       Comment.                                         (Empty)
member                                                                          (Empty)
firewall/vipgrp64
CLI Syntax
config firewall vipgrp64
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end
Description

Configuration                  Description                                      Default Value
name                                                                            (Empty)
uuid                                                                            00000000-0000-0000-0000-000000000000
color
comments                       Comment.                                         (Empty)
member                                                                          (Empty)
ftp-proxy/explicit
CLI Syntax
config ftp-proxy explicit
edit <name_str>
set status {enable | disable}
set incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set sec-default-action {accept | deny}
end
Description

Configuration                  Description                                      Default Value
status                                                                          disable
incoming-port                                                                   21
incoming-ip                                                                     0.0.0.0
outgoing-ip                                                                     (Empty)
sec-default-action                                                              deny
gui/console
CLI Syntax
config gui console
edit <name_str>
set preferences <user>
end
Description

Configuration                  Description                                      Default Value
preferences                    Preferences.
icap/profile
CLI Syntax
config icap profile
edit <name_str>
set replacemsg-group <string>
set name <string>
set request {disable | enable}
set response {disable | enable}
set streaming-content-bypass {disable | enable}
set request-server <string>
set response-server <string>
set request-failure {error | bypass}
set response-failure {error | bypass}
set request-path <string>
set response-path <string>
set methods {delete | get | head | options | post | put | trace | other}
end
Description

Configuration                  Description                                      Default Value
replacemsg-group                                                                (Empty)
name                                                                            (Empty)
request                                                                         disable
response                                                                        disable
streaming-content-bypass                                                        disable
request-server                                                                  (Empty)
response-server                                                                 (Empty)
request-failure                                                                 error
response-failure                                                                error
request-path                                                                    (Empty)
response-path                                                                   (Empty)
methods
icap/server
CLI Syntax
config icap server
edit <name_str>
set name <string>
set ip-version {4 | 6}
set ip-address <ipv4-address-any>
set ip6-address <ipv6-address>
set port <integer>
set max-connections <integer>
end
Description

Configuration                  Description                                      Default Value
name                           Server name.                                     (Empty)
ip-version                     IP version.
ip-address                                                                      0.0.0.0
ip6-address                                                                     ::
port                                                                            1344
max-connections                                                                 100
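The two ICAP tables above fit together as server object, profile, and policy reference. The `request-failure` / `response-failure` defaults are `error`, which is the fail-closed choice: if the ICAP server is unreachable the client gets an error page instead of the uninspected content, whereas `bypass` silently fails open. The example below, added here and not part of the reference, sends uploads (REQMOD) and downloads (RESPMOD) to one external DLP/AV server and keeps the fail-closed defaults explicit. The server address, the service paths `reqmod`/`respmod` (these are set by the ICAP server, not by FortiOS) and policy 10 are assumptions. `#` lines are annotations for the reader.

```fortios
# Added example: ICAP server plus a fail-closed profile, referenced from a policy.
config icap server
    edit "dlp-icap-1"
        set ip-version 4
        set ip-address 10.0.5.20
        set port 1344
        # Upper bound on concurrent FortiGate-to-ICAP connections (default 100).
        set max-connections 100
    next
end
config icap profile
    edit "icap-dlp-strict"
        # Both directions default to disable; enable the ones the ICAP service implements.
        set request enable
        set response enable
        set request-server "dlp-icap-1"
        set response-server "dlp-icap-1"
        # Service path appended to icap://<server>:<port>/ ; defined by the ICAP server.
        set request-path "reqmod"
        set response-path "respmod"
        # error = fail closed when the ICAP server does not answer; bypass = fail open.
        set request-failure error
        set response-failure error
        # Default disable already sends streamed content through ICAP; keep it that way.
        set streaming-content-bypass disable
        # Only upload methods need REQMOD for DLP; GET/HEAD bodies are empty.
        set methods post put
    next
end
config firewall policy
    edit 10
        # The profile is only consulted when UTM is on for the policy.
        set utm-status enable
        set icap-profile "icap-dlp-strict"
    next
end
```

Nothing in the `icap server` table encrypts the ICAP leg, so the content being inspected travels to the ICAP server in clear; place the server on a dedicated, access-controlled segment reachable only from the FortiGate. Size `max-connections` against the server's concurrency limit, because with `request-failure error` a saturated server turns into client-visible errors rather than bypasses.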
ips/custom
CLI Syntax
config ips custom
edit <name_str>
set tag <string>
set signature <string>
set sig-name <string>
set rule-id <integer>
set severity <user>
set location <user>
set os <user>
set application <user>
set protocol <user>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set comment <string>
end
Description

Configuration                  Description                                      Default Value
tag                            Signature tag.                                   (Empty)
signature                      Signature text.                                  (Empty)
sig-name                       Signature name.                                  (Empty)
rule-id                        Signature ID.
severity                                                                        (Empty)
location                       Vulnerable location.                             (Empty)
os                                                                              (Empty)
application                    Vulnerable applications.                         (Empty)
protocol                       Vulnerable service.                              (Empty)
status                         Enable/disable status.                           enable
log                            Enable/disable logging.                          enable
log-packet                                                                      disable
action                         Action.                                          pass
comment                        Comment.                                         (Empty)
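A custom signature's `signature` string is written in the FortiOS `F-SBID( ... )` syntax, with the inner double quotes escaped because the whole string is itself quoted for the CLI. The example below, added here and not from the reference, defines a signature that matches client HTTP requests for a debug endpoint and sets the metadata fields that IPS sensors filter on. Note that `action` defaults to `pass` and `log-packet` to `disable`; both are changed here. The URI `/internal/debug` and the signature name are hypothetical. `#` lines are annotations for the reader.

```fortios
# Added example: custom IPS signature for a URI that must not be reachable.
config ips custom
    edit "Example.Debug.Endpoint.Access"
        # --flow from_client restricts the match to requests; --context uri scopes the pattern to the URI.
        set signature "F-SBID( --name \"Example.Debug.Endpoint.Access\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"/internal/debug\"; --context uri; --no_case; )"
        # Metadata used by sensor filters (severity / location / protocol); these do not affect matching.
        set severity high
        set location server
        set protocol HTTP
        set status enable
        set log enable
        # Default disable: keep the triggering packet for forensics.
        set log-packet enable
        # Default pass only logs; block drops the session.
        set action block
        set comment "Blocks access to a debug endpoint that must never be exposed"
    next
end
```

The `rule-id` is assigned when the entry is created (`show ips custom` displays it) and is what a sensor entry refers to via `config entries ... config rule ... edit <rule-id>` under `config ips sensor`, so create the signature before the sensor entry that uses it. Attach the sensor to a policy with `set ips-sensor` and `set utm-status enable`; a signature with `action block` that is not referenced by any sensor on an active policy does nothing.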
ips/dbinfo
CLI Syntax
config ips dbinfo
edit <name_str>
set version <integer>
end
Description

Configuration                  Description                                      Default Value
version
ips/decoder
CLI Syntax
config ips decoder
edit <name_str>
set name <string>
config parameter
edit <name_str>
set name <string>
set value <string>
end
end
Description

Configuration                  Description                                      Default Value
name                           Decoder name.                                    (Empty)
parameter                                                                       (Empty)
ips/global
CLI Syntax
config ips global
edit <name_str>
set fail-open {enable | disable}
set database {regular | extended}
set traffic-submit {enable | disable}
set anomaly-mode {periodical | continuous}
set session-limit-mode {accurate | heuristic}
set intelligent-mode {enable | disable}
set socket-size <integer>
set engine-count <integer>
set algorithm {engine-pick | low | high | super}
set sync-session-ttl {enable | disable}
set np-accel-mode {none | basic}
set ips-reserve-cpu {disable | enable}
set cp-accel-mode {none | basic | advanced}
set skype-client-public-ipaddr <var-string>
set default-app-cat-mask <user>
set deep-app-insp-timeout <integer>
set deep-app-insp-db-limit <integer>
set exclude-signatures {none | industrial}
end
Description

Configuration                  Description                                      Default Value
fail-open                                                                       disable
database                                                                        extended
traffic-submit                                                                  disable
anomaly-mode                                                                    continuous
session-limit-mode                                                              heuristic
intelligent-mode                                                                enable
socket-size                                                                     128
engine-count
algorithm                                                                       engine-pick
sync-session-ttl                                                                disable
np-accel-mode                                                                   basic
ips-reserve-cpu                                                                 disable
cp-accel-mode                                                                   advanced
skype-client-public-ipaddr                                                      (Empty)
default-app-cat-mask                                                            18446744073709551615
deep-app-insp-timeout          Timeout for deep application inspection
                               (1 - 2147483647 sec., 0 = use recommended setting).
deep-app-insp-db-limit
exclude-signatures             Excluded signatures.                             industrial
ips/rule
CLI Syntax
config ips rule
edit <name_str>
set name <string>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set group <string>
set severity {}
set location {}
set os <user>
set application <user>
set service <user>
set rule-id <integer>
set rev <integer>
set date <integer>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end
Description

Configuration                  Description                                      Default Value
name                           Rule name.                                       (Empty)
status                         Enable/disable status.                           enable
log                            Enable/disable logging.                          enable
log-packet                                                                      disable
action                         Action.                                          pass
group                          Group.                                           (Empty)
severity                       Severity.                                        (Empty)
location                       Vulnerable location.                             (Empty)
os                                                                              (Empty)
application                    Vulnerable applications.                         (Empty)
service                        Vulnerable service.                              (Empty)
rule-id                        Rule ID.
rev                            Revision.
date                           Date.
metadata                       Meta data.                                       (Empty)
ips/rule-settings
CLI Syntax
config ips rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end
Description

Configuration                   Default Value           Description
id                                                      Rule ID.
tags                            (Empty)
ips/sensor
CLI Syntax
config ips sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set block-malicious-url {disable | enable}
config entries
edit <name_str>
set id <integer>
config rule
edit <name_str>
set id <integer>
end
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
config tags
edit <name_str>
set name <string>
end
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set log-attack-context {disable | enable}
set action {pass | block | reset | default}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
config filter
edit <name_str>
set name <string>
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset | default}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
end
config override
edit <name_str>
set rule-id <integer>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
end
end
Description

Configuration                   Default Value           Description
name                            (Empty)                 Sensor name.
comment                         (Empty)                 Comment.
replacemsg-group                (Empty)
block-malicious-url             disable
entries                         (Empty)
filter                          (Empty)
override                        (Empty)
ips/settings
CLI Syntax
config ips settings
edit <name_str>
set packet-log-history <integer>
set packet-log-post-attack <integer>
set packet-log-memory <integer>
set ips-packet-quota <integer>
end
Description

Configuration                   Default Value           Description
packet-log-history
packet-log-post-attack
packet-log-memory               256
ips-packet-quota
log.disk/filter
CLI Syntax
config log.disk filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
dlp-archive                     enable
gtp                             enable
event                           enable
system                          enable
radius                          enable
ipsec                           enable
dhcp                            enable
ppp                             enable
admin                           enable
ha                              enable
auth                            enable
pattern                         enable
sslvpn-log-auth                 enable
sslvpn-log-adm                  enable
sslvpn-log-session              enable
vip-ssl                         enable
ldb-monitor                     enable
wan-opt                         enable
wireless-activity               enable
cpu-memory-usage                disable
filter                          (Empty)
filter-type                     include
log.disk/setting
CLI Syntax
config log.disk setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set max-log-file-size <integer>
set max-policy-packet-capture-size <integer>
set roll-schedule {daily | weekly}
set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set roll-time <user>
set diskfull {overwrite | nolog}
set log-quota <integer>
set dlp-archive-quota <integer>
set report-quota <integer>
set maximum-log-age <integer>
set upload {enable | disable}
set upload-destination {ftp-server}
set uploadip <ipv4-address>
set uploadport <integer>
set source-ip <ipv4-address>
set uploaduser <string>
set uploadpass <password>
set uploaddir <string>
set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set uploadtime <integer>
set upload-delete-files {enable | disable}
set upload-ssl-conn {default | high | low | disable}
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end
Description

Configuration                   Default Value           Description
status                          disable
ips-archive                     enable
max-log-file-size               20
max-policy-packet-capture-size  10
roll-schedule                   daily
roll-day                        sunday
roll-time                       00:00
diskfull                        overwrite
log-quota
dlp-archive-quota
report-quota
maximum-log-age
upload                          disable
upload-destination              ftp-server              Server type.
uploadip                        0.0.0.0
uploadport                      21
source-ip                       0.0.0.0
uploaduser                      (Empty)
uploadpass                      (Empty)
uploaddir                       (Empty)
uploadtype
uploadzip                       disable
uploadsched                     disable
uploadtime
upload-delete-files             enable
upload-ssl-conn                 default
full-first-warning-threshold    75
full-second-warning-threshold   90
full-final-warning-threshold    95
log.fortianalyzer/filter
CLI Syntax
config log.fortianalyzer filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
dlp-archive                     enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.fortianalyzer/override-filter
CLI Syntax
config log.fortianalyzer override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
dlp-archive                     enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.fortianalyzer/override-setting
CLI Syntax
config log.fortianalyzer override-setting
edit <name_str>
set override {enable | disable}
set use-management-vdom {enable | disable}
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description

Configuration                   Default Value           Description
override                        disable
use-management-vdom             disable
status                          disable                 Enable/disable FortiAnalyzer.
ips-archive                     enable
server                          (Empty)
hmac-algorithm                  sha256
enc-algorithm                   high
conn-timeout                    10
monitor-keepalive-period
monitor-failure-retry-period
mgmt-name                       (Empty)
faz-type
source-ip                       (Empty)
__change_ip                                             Hidden attribute.
upload-option                   realtime
upload-interval                 daily
upload-day                      (Empty)
upload-time                     00:59
reliable                        disable
log.fortianalyzer/setting
CLI Syntax
config log.fortianalyzer setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description

Configuration                   Default Value           Description
status                          disable                 Enable/disable FortiAnalyzer.
ips-archive                     enable
server                          (Empty)
hmac-algorithm                  sha256
enc-algorithm                   high
conn-timeout                    10
monitor-keepalive-period
monitor-failure-retry-period
mgmt-name                       FGh_Log1
faz-type
source-ip                       (Empty)
__change_ip                                             Hidden attribute.
upload-option                   realtime
upload-interval                 daily
upload-day                      (Empty)
upload-time                     00:59
reliable                        disable
log.fortianalyzer2/filter
CLI Syntax
config log.fortianalyzer2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
dlp-archive                     enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.fortianalyzer2/setting
CLI Syntax
config log.fortianalyzer2 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description

Configuration                   Default Value           Description
status                          disable                 Enable/disable FortiAnalyzer.
ips-archive                     enable
server                          (Empty)
hmac-algorithm                  sha256
enc-algorithm                   high
conn-timeout                    10
monitor-keepalive-period
monitor-failure-retry-period
mgmt-name                       FGh_Log2
faz-type
source-ip                       (Empty)
__change_ip                                             Hidden attribute.
upload-option                   realtime
upload-interval                 daily
upload-day                      (Empty)
upload-time                     00:59
reliable                        disable
log.fortianalyzer3/filter
CLI Syntax
config log.fortianalyzer3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.fortianalyzer3/setting
CLI Syntax
config log.fortianalyzer3 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end
Description

Configuration                   Default Value           Description
status                          disable                 Enable/disable FortiAnalyzer.
ips-archive                     enable
server                          (Empty)
hmac-algorithm                  sha256
enc-algorithm                   high
conn-timeout                    10
monitor-keepalive-period
monitor-failure-retry-period
mgmt-name                       FGh_Log3
faz-type
source-ip                       (Empty)
__change_ip                                             Hidden attribute.
upload-option                   realtime
upload-interval                 daily
upload-day                      (Empty)
upload-time                     00:59
reliable                        disable
log.fortiguard/filter
CLI Syntax
config log.fortiguard filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
dlp-archive                     enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.fortiguard/override-filter
CLI Syntax
config log.fortiguard override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
dlp-archive                     enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.fortiguard/override-setting
CLI Syntax
config log.fortiguard override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
end
Description

Configuration                   Default Value           Description
override                        disable
status                          disable                 Enable FortiCloud.
upload-option                   realtime
upload-interval                 daily
upload-day                      (Empty)
upload-time                     00:00
log.fortiguard/setting
CLI Syntax
config log.fortiguard setting
edit <name_str>
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set enc-algorithm {default | high | low | disable}
set source-ip <ipv4-address>
end
Description

Configuration                   Default Value           Description
status                          disable                 Enable FortiCloud.
upload-option                   realtime
upload-interval                 daily
upload-day                      (Empty)
upload-time                     00:00
enc-algorithm                   high
source-ip                       0.0.0.0
log.memory/filter
CLI Syntax
config log.memory filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
event                           enable
system                          enable
radius                          enable
ipsec                           enable
dhcp                            enable
ppp                             enable
admin                           enable
ha                              enable
auth                            enable
pattern                         enable
sslvpn-log-auth                 enable
sslvpn-log-adm                  enable
sslvpn-log-session              enable
vip-ssl                         enable
ldb-monitor                     enable
wan-opt                         enable
wireless-activity               enable
cpu-memory-usage                disable
filter                          (Empty)
filter-type                     include
log.memory/global-setting
CLI Syntax
config log.memory global-setting
edit <name_str>
set max-size <integer>
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end
Description

Configuration                   Default Value           Description
max-size                        163840
full-first-warning-threshold    75
full-second-warning-threshold   90
full-final-warning-threshold    95
log.memory/setting
CLI Syntax
config log.memory setting
edit <name_str>
set status {enable | disable}
set diskfull {overwrite}
end
Description

Configuration                   Default Value           Description
status                          enable
diskfull                        overwrite
log.syslogd/filter
CLI Syntax
config log.syslogd filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.syslogd/override-filter
CLI Syntax
config log.syslogd override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.syslogd/override-setting
CLI Syntax
config log.syslogd override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description

Configuration                   Default Value           Description
override                        disable
status                          disable
server                          (Empty)
reliable                        disable
port                            514
csv                             disable
facility                        local7
source-ip                       (Empty)
log.syslogd/setting
CLI Syntax
config log.syslogd setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description

Configuration                   Default Value           Description
status                          disable
server                          (Empty)
reliable                        disable
port                            514
csv                             disable
facility                        local7
source-ip                       (Empty)
log.syslogd2/filter
CLI Syntax
config log.syslogd2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.syslogd2/setting
CLI Syntax
config log.syslogd2 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description

Configuration                   Default Value           Description
status                          disable
server                          (Empty)
reliable                        disable
port                            514
csv                             disable
facility                        local7
source-ip                       (Empty)
log.syslogd3/filter
CLI Syntax
config log.syslogd3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.syslogd3/setting
CLI Syntax
config log.syslogd3 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description

Configuration                   Default Value           Description
status                          disable
server                          (Empty)
reliable                        disable
port                            514
csv                             disable
facility                        local7
source-ip                       (Empty)
log.syslogd4/filter
CLI Syntax
config log.syslogd4 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.syslogd4/setting
CLI Syntax
config log.syslogd4 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end
Description

Configuration                   Default Value           Description
status                          disable
server                          (Empty)
reliable                        disable
port                            514
csv                             disable
facility                        local7
source-ip                       (Empty)
log.webtrends/filter
CLI Syntax
config log.webtrends filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end
Description

Configuration                   Default Value           Description
severity                        information
forward-traffic                 enable
local-traffic                   enable
multicast-traffic               enable
sniffer-traffic                 enable
anomaly                         enable
netscan-discovery
netscan-vulnerability
voip                            enable
gtp                             enable
filter                          (Empty)
filter-type                     include
log.webtrends/setting
CLI Syntax
config log.webtrends setting
edit <name_str>
set status {enable | disable}
set server <string>
end
Description

Configuration                   Default Value           Description
status                          disable
server                          (Empty)
log/custom-field
CLI Syntax
config log custom-field
edit <name_str>
set id <string>
set name <string>
set value <string>
end
Description

Configuration                   Default Value           Description
id                              (Empty)                 ID.
name                            (Empty)                 Field name.
value                           (Empty)                 Field value.
log/eventfilter
CLI Syntax
config log eventfilter
edit <name_str>
set event {enable | disable}
set system {enable | disable}
set vpn {enable | disable}
set user {enable | disable}
set router {enable | disable}
set wireless-activity {enable | disable}
set wan-opt {enable | disable}
set endpoint {enable | disable}
set ha {enable | disable}
set compliance-check {enable | disable}
end
Description

Configuration                   Default Value           Description
event                           enable
system                          enable
vpn                             enable
user                            enable
router                          enable
wireless-activity               enable
wan-opt                         enable
endpoint                        enable
ha                              enable
compliance-check                enable
log/gui-display
CLI Syntax
config log gui-display
edit <name_str>
set resolve-hosts {enable | disable}
set resolve-apps {enable | disable}
set fortiview-unscanned-apps {enable | disable}
set fortiview-local-traffic {enable | disable}
set location {memory | disk | fortianalyzer | fortiguard}
end
Description

Configuration                   Default Value           Description
resolve-hosts                   enable
resolve-apps                    enable
fortiview-unscanned-apps        disable
fortiview-local-traffic         disable
location                        memory
log/setting
CLI Syntax
config log setting
edit <name_str>
set resolve-ip {enable | disable}
set resolve-port {enable | disable}
set log-user-in-upper {enable | disable}
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set log-invalid-packet {enable | disable}
set local-in-allow {enable | disable}
set local-in-deny-unicast {enable | disable}
set local-in-deny-broadcast {enable | disable}
set local-out {enable | disable}
set daemon-log {enable | disable}
set neighbor-event {enable | disable}
set brief-traffic-format {enable | disable}
set user-anonymize {enable | disable}
set fortiview-weekly-data {enable | disable}
end
Description

Configuration                   Default Value           Description
resolve-ip                      disable
resolve-port                    enable
log-user-in-upper               disable
fwpolicy-implicit-log           disable
fwpolicy6-implicit-log          disable
log-invalid-packet              disable
local-in-allow                  disable
local-in-deny-unicast           disable
local-in-deny-broadcast         disable
local-out                       disable
daemon-log                      disable
neighbor-event                  disable
brief-traffic-format            disable
user-anonymize                  disable
fortiview-weekly-data           disable
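The IPS and logging settings in the preceding sections (ips/global fail-open, log.syslogd reliable, log.fortianalyzer enc-algorithm and hmac-algorithm, log/setting local-in-deny-unicast, and whether any log destination besides volatile memory is enabled) are the values an auditor reads first from a configuration backup. The Python script below is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax this reference documents and reports the weak values next to a corrected configuration. Both configuration snippets are constructed for the example, and the audit rules and finding text are the example author's choices, not FortiOS output.

```python
"""Audit a FortiOS configuration export for weak IPS and logging settings.

Added example (not Fortinet code). The two configuration snippets are
constructed for this example; the audit rules are the author's choices.
"""
import shlex

WEAK_CONFIG = """\
config ips global
    set fail-open enable
end
config log syslogd setting
    set status enable
    set server "10.0.0.5"
    set reliable disable
end
config log fortianalyzer setting
    set status enable
    set server "10.0.0.6"
    set enc-algorithm disable
    set hmac-algorithm sha1
end
config log setting
    set local-in-deny-unicast disable
end
config log disk setting
    set status disable
end
"""

HARDENED_CONFIG = """\
config ips global
    set fail-open disable
end
config log syslogd setting
    set status enable
    set server "10.0.0.5"
    set reliable enable
end
config log fortianalyzer setting
    set status enable
    set server "10.0.0.6"
    set enc-algorithm high
    set hmac-algorithm sha256
end
config log setting
    set local-in-deny-unicast enable
end
config log disk setting
    set status enable
end
"""


def parse_fortios_config(text):
    """Flatten FortiOS config text into {"path": {option: value}}.

    "config a b" pushes "a b" onto the path, "edit X" pushes the table key X,
    and "next"/"end" pop one level, so a sensor entry ends up under the key
    "ips sensor/<name>". shlex handles quoted values.
    """
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(" ".join(args))
        elif keyword == "edit":
            stack.append(args[0])
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set":
            tree.setdefault("/".join(stack), {})[args[0]] = " ".join(args[1:])
        elif keyword == "unset":
            tree.setdefault("/".join(stack), {}).pop(args[0], None)
    if stack:
        raise ValueError("unterminated block: " + "/".join(stack))
    return tree


def audit(tree):
    """Return (path, option, reason) for each setting that weakens security."""
    findings = []
    if tree.get("ips global", {}).get("fail-open") == "enable":
        findings.append(("ips global", "fail-open",
                         "traffic bypasses IPS inspection when the engine fails"))
    for name in ("syslogd", "syslogd2", "syslogd3", "syslogd4"):
        path, s = f"log {name} setting", tree.get(f"log {name} setting", {})
        if s.get("status") == "enable" and s.get("reliable") != "enable":
            findings.append((path, "reliable",
                             "UDP syslog: dropped packets silently lose log records"))
    for name in ("fortianalyzer", "fortianalyzer2", "fortianalyzer3"):
        path, s = f"log {name} setting", tree.get(f"log {name} setting", {})
        if s.get("status") != "enable":
            continue
        if s.get("enc-algorithm") == "disable":
            findings.append((path, "enc-algorithm", "log transport is cleartext"))
        if s.get("hmac-algorithm") == "sha1":
            findings.append((path, "hmac-algorithm", "SHA-1 HMAC; sha256 is available"))
    if tree.get("log setting", {}).get("local-in-deny-unicast") != "enable":
        findings.append(("log setting", "local-in-deny-unicast",
                         "denied unicast traffic aimed at the firewall itself is not logged"))
    # Memory is volatile: require disk or a remote destination to be enabled.
    remote = ("syslogd", "fortianalyzer", "fortiguard")
    persistent = tree.get("log disk setting", {}).get("status") == "enable" or any(
        v.get("status") == "enable" for p, v in tree.items()
        if p.startswith("log ") and p.endswith(" setting") and any(r in p for r in remote))
    if not persistent:
        findings.append(("log memory setting", "status",
                         "memory is the only log destination; logs are lost on reboot"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios_config(cfg)))
```

Run it against a `show full-configuration` export instead of the embedded snippets to audit a real unit; table entries are keyed by path plus edit name (for example `ips sensor/default`), so per-sensor overrides can be checked with the same parsed tree.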
log/threat-weight
CLI Syntax
config log threat-weight
edit <name_str>
set status {enable | disable}
config level
edit <name_str>
set low <integer>
set medium <integer>
set high <integer>
set critical <integer>
end
set blocked-connection {disable | low | medium | high | critical}
set failed-connection {disable | low | medium | high | critical}
set malware-detected {disable | low | medium | high | critical}
set url-block-detected {disable | low | medium | high | critical}
set botnet-connection-detected {disable | low | medium | high | critical}
config ips
edit <name_str>
set info-severity {disable | low | medium | high | critical}
set low-severity {disable | low | medium | high | critical}
set medium-severity {disable | low | medium | high | critical}
set high-severity {disable | low | medium | high | critical}
set critical-severity {disable | low | medium | high | critical}
end
config web
edit <name_str>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
config geolocation
edit <name_str>
set id <integer>
set country <string>
set level {disable | low | medium | high | critical}
end
config application
edit <name_str>
set id <integer>
set category <integer>
set level {disable | low | medium | high | critical}
end
end
308
Description
Configuration                       Description                        Default Value
status                                                                 enable
level                               Details below
    low                                                                5
    medium                                                             10
    high                                                               30
    critical                                                           50
blocked-connection                                                     high
failed-connection                                                      low
malware-detected                                                       critical
url-block-detected                                                     high
botnet-connection-detected                                             critical
ips                                 Details below
    info-severity                                                      disable
    low-severity                                                       low
    medium-severity                                                    medium
    high-severity                                                      high
    critical-severity                                                  critical
web                                                                    (Empty)
geolocation                                                            (Empty)
application                                                            (Empty)
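A worked threat-weight configuration, added here as an example and not taken from the page or from Fortinet. It keeps the default level values, raises failed-connection from its default low to medium so that repeated connection failures score higher in FortiView, and maps informational IPS events to low instead of leaving them unscored. `config log threat-weight` and its `level` and `ips` tables are global singletons, so no `edit <name_str>` is needed even though the generated syntax above shows one.

```text
config log threat-weight
    set status enable
    # score assigned per event at each level (these are the documented defaults)
    config level
        set low 5
        set medium 10
        set high 30
        set critical 50
    end
    # event-to-level mapping; only failed-connection differs from the default (low)
    set blocked-connection high
    set failed-connection medium
    set malware-detected critical
    set url-block-detected high
    set botnet-connection-detected critical
    # IPS severity mapping; info-severity is disabled by default, here it scores low
    config ips
        set info-severity low
        set low-severity low
        set medium-severity medium
        set high-severity high
        set critical-severity critical
    end
end
```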
netscan/assets
CLI Syntax
config netscan assets
edit <name_str>
set asset-id <integer>
set name <string>
set scheduled {disable | enable}
set addr-type {ip | range}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set auth-windows {disable | enable}
set auth-unix {disable | enable}
set win-username <string>
set win-password <password>
set unix-username <string>
set unix-password <password>
end
Description
Configuration                       Description                        Default Value
asset-id                            Asset ID.
name                                                                   (Empty)
scheduled                                                              disable
addr-type                           IP address or range.               ip
start-ip                                                               0.0.0.0
end-ip                                                                 0.0.0.0
auth-windows                                                           disable
auth-unix                                                              disable
win-username                                                           (Empty)
win-password                                                           (Empty)
unix-username                                                          (Empty)
unix-password                                                          (Empty)
netscan/settings
CLI Syntax
config netscan settings
edit <name_str>
set scan-mode {quick | standard | full}
set scheduled-pause {disable | enable}
set time <user>
set pause-from <user>
set pause-to <user>
set recurrence {daily | weekly | monthly}
set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set day-of-month <integer>
set tcp-ports <user>
set udp-ports <user>
set tcp-scan {auto | enable | disable}
set udp-scan {auto | enable | disable}
set service-detection {auto | enable | disable}
set os-detection {auto | enable | disable}
end
Description
Configuration                       Description                        Default Value
scan-mode                                                              quick
scheduled-pause                                                        disable
time                                                                   00:00
pause-from                                                             00:00
pause-to                                                               00:00
recurrence                                                             weekly
day-of-week                                                            sunday
day-of-month
tcp-ports                                                              (Empty)
udp-ports                                                              (Empty)
tcp-scan                                                               auto
udp-scan                                                               auto
service-detection                                                      auto
os-detection                        Enable/disable OS detection.       auto
report/chart
CLI Syntax
config report chart
edit <name_str>
set name <string>
set policy <integer>
set type {graph | table}
set period {last24h | last7d}
config drill-down-charts
edit <name_str>
set id <integer>
set chart-name <string>
set status {enable | disable}
end
set comments <string>
set dataset <string>
set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
set favorite {no | yes}
set graph-type {none | bar | pie | line | flow}
set style {auto | manual}
set dimension {2D | 3D}
config x-series
edit <name_str>
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set is-category {yes | no}
set scale-unit {minute | hour | day | month | year}
set scale-step <integer>
set scale-direction {decrease | increase}
set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
set unit <string>
end
config y-series
edit <name_str>
set databind <string>
set caption <string>
set caption-font-size <integer>
set font-size <integer>
set label-angle {45-degree | vertical | horizontal}
set group <string>
set unit <string>
set extra-y {enable | disable}
set extra-databind <string>
set y-legend <string>
end
end
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
policy
type                                Chart type.                        graph
period                              Time period.                       last24h
drill-down-charts                                                      (Empty)
comments                            Comment.                           (Empty)
dataset                                                                (Empty)
category                            Category.                          misc
favorite                            Favorite.                          no
graph-type                          Graph type.                        none
style                               Style.                             auto
dimension                           Dimension.                         3D
x-series                            X-series of chart.                 Details below
    databind                                                           (Empty)
    caption                                                            (Empty)
    caption-font-size                                                  0
    font-size                                                          0
    label-angle                                                        45-degree
    is-category                                                        yes
    scale-unit                                                         day
    scale-step                                                         1
    scale-direction                                                    decrease
    scale-format                                                       YYYY-MM-DD-HH-MM
    unit                                                               (Empty)
y-series                            Y-series of chart.                 Details below
    databind                                                           (Empty)
    caption                                                            (Empty)
    caption-font-size                                                  0
    font-size                                                          0
    label-angle                                                        horizontal
    group                                                              (Empty)
    unit                                                               (Empty)
    extra-y                                                            disable
    extra-databind                                                     (Empty)
    y-legend                                                           (Empty)
    extra-y-legend                                                     (Empty)
category-series                     Category series of pie chart.      Details below
    databind                                                           (Empty)
    font-size                                                          0
value-series                        Value series of pie chart.         Details below
    databind                                                           (Empty)
title                               Chart title.                       (Empty)
title-font-size
background                          Chart background.                  (Empty)
color-palette                                                          (Empty)
legend                                                                 enable
legend-font-size
column                                                                 (Empty)
report/dataset
CLI Syntax
config report dataset
edit <name_str>
set name <string>
set policy <integer>
set query <string>
config field
edit <name_str>
set id <integer>
set type {text | integer | double}
set name <string>
set displayname <string>
end
config parameters
edit <name_str>
set id <integer>
set display-name <string>
set field <string>
set data-type {text | integer | double | long-integer | date-time}
end
end
Description
Configuration                       Description                        Default Value
name                                Name.                              (Empty)
policy
query                                                                  (Empty)
field                               Fields.                            (Empty)
parameters                          Parameters.                        (Empty)
report/layout
CLI Syntax
config report layout
edit <name_str>
set name <string>
set title <string>
set subtitle <string>
set description <string>
set style-theme <string>
set options {include-table-of-content | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading | dummy-option}
set format {html | pdf}
set schedule-type {demand | daily | weekly}
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set time <user>
set cutoff-option {run-time | custom}
set cutoff-time <user>
set email-send {enable | disable}
set email-recipients <string>
set max-pdf-report <integer>
config page
edit <name_str>
set paper {a4 | letter}
set column-break-before {heading1 | heading2 | heading3}
set page-break-before {heading1 | heading2 | heading3}
set options {header-on-first-page | footer-on-first-page}
config header
edit <name_str>
set style <string>
config header-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
config footer
edit <name_str>
set style <string>
config footer-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
title                               Report title.                      (Empty)
subtitle                            Report subtitle.                   (Empty)
description                         Description.                       (Empty)
style-theme                                                            (Empty)
options                                                                include-table-of-content auto-numbering-heading view-chart-as-heading
format                              Report format.                     html
schedule-type                                                          daily
day                                                                    sunday
time                                                                   00:00
cutoff-option                                                          run-time
cutoff-time                                                            00:00
email-send                                                             disable
email-recipients                                                       (Empty)
max-pdf-report                                                         31
page                                Details below
    paper                                                              a4
    column-break-before                                                (Empty)
    page-break-before                                                  (Empty)
    options                                                            (Empty)
    header                                                             {"style":"","header-item":[]}
    footer                                                             {"style":"","footer-item":[]}
    body-item                                                          (Empty)
report/setting
CLI Syntax
config report setting
edit <name_str>
set pdf-report {enable | disable}
set fortiview {enable | disable}
set report-source {forward-traffic | sniffer-traffic}
set web-browsing-threshold <integer>
end
Description
Configuration                       Description                        Default Value
pdf-report                                                             enable
fortiview                                                              enable
report-source                                                          forward-traffic
web-browsing-threshold
report/style
CLI Syntax
config report style
edit <name_str>
set name <string>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size <string>
set line-height <string>
set fg-color <string>
set bg-color <string>
set align {left | center | right | justify}
set width <string>
set height <string>
set margin-top <string>
set margin-right <string>
set margin-bottom <string>
set margin-left <string>
set border-top <user>
set border-right <user>
set border-bottom <user>
set border-left <user>
set padding-top <string>
set padding-right <string>
set padding-bottom <string>
set padding-left <string>
set column-span {none | all}
set column-gap <string>
end
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
options                                                                (Empty)
font-family                         Font family.                       (Empty)
font-style                          Font style.                        normal
font-weight                         Font weight.                       normal
font-size                           Font size.                         (Empty)
line-height                                                            (Empty)
fg-color                            Foreground color.                  (Empty)
bg-color                            Background color.                  (Empty)
align                               Alignment.                         (Empty)
width                               Width.                             (Empty)
height                              Height.                            (Empty)
margin-top                          Margin top.                        (Empty)
margin-right                        Margin right.                      (Empty)
margin-bottom                       Margin bottom.                     (Empty)
margin-left                         Margin left.                       (Empty)
border-top                          Border top.
border-right                        Border right.
border-bottom                       Border bottom.
border-left                         Border left.
padding-top                         Padding top.                       (Empty)
padding-right                       Padding right.                     (Empty)
padding-bottom                      Padding bottom.                    (Empty)
padding-left                        Padding left.                      (Empty)
column-span                         Column span.                       none
column-gap                          Column gap.                        (Empty)
report/theme
CLI Syntax
config report theme
edit <name_str>
set name <string>
set page-orient {portrait | landscape}
set column-count {1 | 2 | 3}
set default-html-style <string>
set default-pdf-style <string>
set page-style <string>
set page-header-style <string>
set page-footer-style <string>
set report-title-style <string>
set report-subtitle-style <string>
set toc-title-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set normal-text-style <string>
set bullet-list-style <string>
set numbered-list-style <string>
set image-style <string>
set hline-style <string>
set graph-chart-style <string>
set table-chart-style <string>
set table-chart-caption-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-even-row-style <string>
end
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
page-orient                                                            portrait
column-count
default-html-style                                                     (Empty)
default-pdf-style                                                      (Empty)
page-style                                                             (Empty)
page-header-style                                                      (Empty)
page-footer-style                                                      (Empty)
report-title-style                                                     (Empty)
report-subtitle-style                                                  (Empty)
toc-title-style                                                        (Empty)
toc-heading1-style                                                     (Empty)
toc-heading2-style                                                     (Empty)
toc-heading3-style                                                     (Empty)
toc-heading4-style                                                     (Empty)
heading1-style                                                         (Empty)
heading2-style                                                         (Empty)
heading3-style                                                         (Empty)
heading4-style                                                         (Empty)
normal-text-style                                                      (Empty)
bullet-list-style                                                      (Empty)
numbered-list-style                                                    (Empty)
image-style                         Image style.                       (Empty)
hline-style                                                            (Empty)
graph-chart-style                                                      (Empty)
table-chart-style                                                      (Empty)
table-chart-caption-style                                              (Empty)
table-chart-head-style                                                 (Empty)
table-chart-odd-row-style                                              (Empty)
table-chart-even-row-style                                             (Empty)
router/access-list
CLI Syntax
config router access-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set wildcard <user>
set exact-match {enable | disable}
set flags <integer>
end
end
Description
Configuration                       Description                        Default Value
name                                Name.                              (Empty)
comments                            Comment.                           (Empty)
rule                                Rule.                              (Empty)
router/access-list6
CLI Syntax
config router access-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set exact-match {enable | disable}
set flags <integer>
end
end
Description
Configuration                       Description                        Default Value
name                                Name.                              (Empty)
comments                            Comment.                           (Empty)
rule                                Rule.                              (Empty)
router/aspath-list
CLI Syntax
config router aspath-list
edit <name_str>
set name <string>
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
end
end
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
rule                                                                   (Empty)
router/auth-path
CLI Syntax
config router auth-path
edit <name_str>
set name <string>
set device <string>
set gateway <ipv4-address>
end
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
device                              Output interface.                  (Empty)
gateway                             Gateway IP address.                0.0.0.0
router/bfd
CLI Syntax
config router bfd
edit <name_str>
config neighbor
edit <name_str>
set ip <ipv4-address>
set interface <string>
end
end
Description
Configuration                       Description                        Default Value
neighbor                                                               (Empty)
router/bgp
CLI Syntax
config router bgp
edit <name_str>
set as <integer>
set router-id <ipv4-address-any>
set keepalive-timer <integer>
set holdtime-timer <integer>
set always-compare-med {enable | disable}
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set dampening {enable | disable}
set deterministic-med {enable | disable}
set ebgp-multipath {enable | disable}
set ibgp-multipath {enable | disable}
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set log-neighbour-changes {enable | disable}
set network-import-check {enable | disable}
set ignore-optional-capability {enable | disable}
set cluster-id <ipv4-address-any>
set confederation-identifier <integer>
config confederation-peers
edit <name_str>
set peer <string>
end
set dampening-route-map <string>
set dampening-reachability-half-life <integer>
set dampening-reuse <integer>
set dampening-suppress <integer>
set dampening-max-suppress-time <integer>
set dampening-unreachability-half-life <integer>
set default-local-preference <integer>
set scan-time <integer>
set distance-external <integer>
set distance-internal <integer>
set distance-local <integer>
set synchronization {enable | disable}
set graceful-restart {enable | disable}
set graceful-restart-time <integer>
set graceful-stalepath-time <integer>
set graceful-update-delay <integer>
config aggregate-address
edit <name_str>
set id <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
end
config admin-distance
edit <name_str>
set id <integer>
set neighbour-prefix <ipv4-classnet>
set route-list <string>
set distance <integer>
end
end
Description
Configuration                       Description                        Default Value
as                                  Router AS number.
router-id                           Router ID.                         0.0.0.0
keepalive-timer                                                        60
holdtime-timer                                                         180
always-compare-med                                                     disable
bestpath-as-path-ignore                                                disable
bestpath-cmp-confed-aspath                                             disable
bestpath-cmp-routerid                                                  disable
bestpath-med-confed                                                    disable
bestpath-med-missing-as-worst                                          disable
client-to-client-reflection                                            enable
dampening                                                              disable
deterministic-med                                                      disable
ebgp-multipath                                                         disable
ibgp-multipath                                                         disable
enforce-first-as                                                       enable
fast-external-failover                                                 enable
log-neighbour-changes                                                  enable
network-import-check                                                   enable
ignore-optional-capability                                             enable
cluster-id                                                             0.0.0.0
confederation-identifier            Confederation identifier.
confederation-peers                 Confederation peers.               (Empty)
dampening-route-map                                                    (Empty)
dampening-reachability-half-life                                       15
dampening-reuse                                                        750
dampening-suppress                                                     2000
dampening-max-suppress-time                                            60
dampening-unreachability-half-life                                     15
default-local-preference                                               100
scan-time                                                              60
distance-external                                                      20
distance-internal                                                      200
distance-local                                                         200
synchronization                                                        disable
graceful-restart                                                       disable
graceful-restart-time                                                  120
graceful-stalepath-time                                                360
graceful-update-delay                                                  120
aggregate-address                                                      (Empty)
aggregate-address6                                                     (Empty)
neighbor                                                               (Empty)
neighbor-group                                                         (Empty)
neighbor-range                                                         (Empty)
network                                                                (Empty)
network6                                                               (Empty)
redistribute                                                           (Empty)
redistribute6                                                          (Empty)
admin-distance                                                         (Empty)
router/community-list
CLI Syntax
config router community-list
edit <name_str>
set name <string>
set type {standard | expanded}
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
set match <string>
end
end
Description
Configuration                       Description                        Default Value
name                                                                   (Empty)
type                                                                   standard
rule                                                                   (Empty)
router/isis
CLI Syntax
config router isis
edit <name_str>
set is-type {level-1-2 | level-1 | level-2-only}
set auth-mode-l1 {password | md5}
set auth-mode-l2 {password | md5}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-sendonly-l1 {enable | disable}
set auth-sendonly-l2 {enable | disable}
set ignore-lsp-errors {enable | disable}
set lsp-gen-interval-l1 <integer>
set lsp-gen-interval-l2 <integer>
set lsp-refresh-interval <integer>
set max-lsp-lifetime <integer>
set spf-interval-exp-l1 <user>
set spf-interval-exp-l2 <user>
set dynamic-hostname {enable | disable}
set adjacency-check {enable | disable}
set overload-bit {enable | disable}
set overload-bit-suppress {external | interlevel}
set overload-bit-on-startup <integer>
set default-originate {enable | disable}
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
set redistribute-l1 {enable | disable}
set redistribute-l1-list <string>
set redistribute-l2 {enable | disable}
set redistribute-l2-list <string>
config isis-net
edit <name_str>
set id <integer>
set net <user>
end
config isis-interface
edit <name_str>
set name <string>
set status {enable | disable}
set network-type {broadcast | point-to-point}
set circuit-type {level-1-2 | level-1 | level-2}
set csnp-interval-l1 <integer>
set csnp-interval-l2 <integer>
set hello-interval-l1 <integer>
set hello-interval-l2 <integer>
set hello-multiplier-l1 <integer>
Description
Configuration                       Description                        Default Value
is-type                             IS type.                           level-1-2
auth-mode-l1                                                           password
auth-mode-l2                                                           password
auth-password-l1                                                       (Empty)
auth-password-l2                                                       (Empty)
auth-keychain-l1                                                       (Empty)
auth-keychain-l2                                                       (Empty)
auth-sendonly-l1                                                       disable
auth-sendonly-l2                                                       disable
ignore-lsp-errors                                                      disable
lsp-gen-interval-l1                                                    30
lsp-gen-interval-l2                                                    30
lsp-refresh-interval                                                   900
max-lsp-lifetime                                                       1200
spf-interval-exp-l1                                                    500 50000
spf-interval-exp-l2                                                    500 50000
dynamic-hostname                                                       disable
adjacency-check                                                        disable
overload-bit                                                           disable
overload-bit-suppress                                                  (Empty)
overload-bit-on-startup
default-originate                                                      disable
metric-style                                                           narrow
redistribute-l1                                                        disable
redistribute-l1-list                                                   (Empty)
redistribute-l2                                                        disable
redistribute-l2-list                                                   (Empty)
isis-net                                                               (Empty)
isis-interface                                                         (Empty)
summary-address                                                        (Empty)
redistribute                                                           (Empty)
router/key-chain
CLI Syntax
config router key-chain
edit <name_str>
set name <string>
config key
edit <name_str>
set id <integer>
set accept-lifetime <user>
set send-lifetime <user>
set key-string <string>
end
end
Description
Configuration                       Description                        Default Value
name                                Key-chain name.                    (Empty)
key                                 Key.                               (Empty)
router/multicast
CLI Syntax
config router multicast
edit <name_str>
set route-threshold <integer>
set route-limit <integer>
set multicast-routing {enable | disable}
config pim-sm-global
edit <name_str>
set message-interval <integer>
set join-prune-holdtime <integer>
set accept-register-list <string>
set bsr-candidate {enable | disable}
set bsr-interface <string>
set bsr-priority <integer>
set bsr-hash <integer>
set bsr-allow-quick-refresh {enable | disable}
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <string>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <string>
set register-source-ip <ipv4-address>
set register-supression <integer>
set null-register-retries <integer>
set rp-register-keepalive <integer>
set spt-threshold {enable | disable}
set spt-threshold-group <string>
set ssm {enable | disable}
set ssm-range <string>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip-address <ipv4-address>
set group <string>
end
end
config interface
edit <name_str>
set name <string>
set ttl-threshold <integer>
set pim-mode {sparse-mode | dense-mode}
set passive {enable | disable}
set bfd {enable | disable}
set neighbour-filter <string>
set hello-interval <integer>
Description
Configuration                       Description                        Default Value
route-threshold                                                        2147483647
route-limit                                                            2147483647
multicast-routing                                                      disable
pim-sm-global                       Details below
    message-interval                                                   60
    join-prune-holdtime                                                210
    accept-register-list                                               (Empty)
    bsr-candidate                                                      disable
    bsr-interface                                                      (Empty)
    bsr-priority                                                       0
    bsr-hash                                                           10
    bsr-allow-quick-refresh                                            disable
    cisco-register-checksum                                            disable
    cisco-register-checksum-group                                      (Empty)
    cisco-crp-prefix                                                   disable
    cisco-ignore-rp-set-priority                                       disable
    register-rp-reachability                                           enable
    register-source                                                    disable
    register-source-interface                                          (Empty)
    register-source-ip                                                 0.0.0.0
    register-supression                                                60
    null-register-retries                                              1
    rp-register-keepalive                                              185
    spt-threshold                                                      enable
    spt-threshold-group                                                (Empty)
    ssm                                                                disable
    ssm-range                                                          (Empty)
    register-rate-limit                                                0
    rp-address                                                         (Empty)
interface                           PIM interfaces.                    (Empty)
router/multicast-flow
CLI Syntax
config router multicast-flow
edit <name_str>
set name <string>
set comments <string>
config flows
edit <name_str>
set id <integer>
set group-addr <ipv4-address-any>
set source-addr <ipv4-address-any>
end
end
Description
Configuration                       Description                        Default Value
name                                Name.                              (Empty)
comments                            Comment.                           (Empty)
flows                               Multicast-flow entries.            (Empty)
router/multicast6
CLI Syntax
config router multicast6
edit <name_str>
set multicast-routing {enable | disable}
config interface
edit <name_str>
set name <string>
set hello-interval <integer>
set hello-holdtime <integer>
end
config pim-sm-global
edit <name_str>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip6-address <ipv6-address>
end
end
end
Description
Configuration                       Description                        Default Value
multicast-routing                                                      disable
interface                           PIM interfaces.                    (Empty)
pim-sm-global                       Details below
    register-rate-limit                                                0
    rp-address                                                         (Empty)
router/ospf
CLI Syntax
config router ospf
edit <name_str>
set abr-type {cisco | ibm | shortcut | standard}
set auto-cost-ref-bandwidth <integer>
set distance-external <integer>
set distance-inter-area <integer>
set distance-intra-area <integer>
set database-overflow {enable | disable}
set database-overflow-max-lsas <integer>
set database-overflow-time-to-recover <integer>
set default-information-originate {enable | always | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set distance <integer>
set rfc1583-compatible {enable | disable}
set router-id <ipv4-address-any>
set spf-timers <user>
set bfd {enable | disable}
set log-neighbour-changes {enable | disable}
set distribute-list-in <string>
set distribute-route-map-in <string>
set restart-mode {none | lls | graceful-restart}
set restart-period <integer>
config area
edit <name_str>
set id <ipv4-address-any>
set shortcut {disable | enable | default}
set authentication {none | text | md5}
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | always | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set advertise {disable | enable}
set substitute <ipv4-classnet-any>
set substitute-status {enable | disable}
end
config virtual-link
edit <name_str>
set name <string>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
config filter-list
edit <name_str>
set id <integer>
set list <string>
set direction {in | out}
end
end
config ospf-interface
edit <name_str>
set name <string>
set interface <string>
set ip <ipv4-address>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set prefix-length <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set hello-multiplier <integer>
set database-filter-out {enable | disable}
set mtu <integer>
set mtu-ignore {enable | disable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
set bfd {global | enable | disable}
set status {disable | enable}
set resync-timeout <integer>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set area <ipv4-address-any>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
config passive-interface
edit <name_str>
set name <string>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set tag <integer>
set advertise {disable | enable}
end
config distribute-list
edit <name_str>
set id <integer>
set access-list <string>
set protocol {connected | static | rip}
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
set tag <integer>
end
end
Description
Configuration                       Description                        Default Value
abr-type                                                               standard
auto-cost-ref-bandwidth                                                1000
distance-external                                                      110
distance-inter-area                                                    110
distance-intra-area                                                    110
database-overflow                                                      disable
database-overflow-max-lsas                                             10000
database-overflow-time-to-recover                                      300
default-information-originate                                          disable
default-information-metric                                             10
default-information-metric-type
default-information-route-map                                          (Empty)
default-metric                                                         10
distance                                                               110
rfc1583-compatible                                                     disable
router-id                           Router ID.                         0.0.0.0
spf-timers                                                             5 10
bfd                                                                    disable
log-neighbour-changes                                                  enable
distribute-list-in                                                     (Empty)
distribute-route-map-in                                                (Empty)
restart-mode                                                           none
restart-period                                                         120
area                                                                   (Empty)
ospf-interface                                                         (Empty)
network                                                                (Empty)
neighbor                                                               (Empty)
passive-interface                                                      (Empty)
summary-address                                                        (Empty)
distribute-list                                                        (Empty)
redistribute                        Redistribute configuration.        (Empty)
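An added example of an authenticated OSPF deployment built from the ospf-interface, area, passive-interface and network tables above; it is not Fortinet's own sample. Interface names and the 192.0.2.0/24 prefix are placeholders, and `set md5-key 1 <key>` assumes that the `<user>` value is a key id followed by the key string, which the page does not spell out.

```text
config router ospf
    set router-id 192.0.2.1
    # default is already enable; kept explicit so adjacency changes are always logged
    set log-neighbour-changes enable
    config area
        edit 0.0.0.0
            # md5 rather than text: text authentication sends the key in the clear
            set authentication md5
        next
    end
    config ospf-interface
        edit "ospf-port1"
            set interface "port1"
            set authentication md5
            # assumed format: key id, then key string (placeholder key, replace it)
            set md5-key 1 REPLACE_WITH_SHARED_KEY
            set hello-interval 10
            set dead-interval 40
        next
    end
    # port2 faces hosts only: its subnet is advertised but no adjacency is formed there
    config passive-interface
        edit "port2"
        next
    end
    config network
        edit 1
            set prefix 192.0.2.0 255.255.255.0
            set area 0.0.0.0
        next
    end
end
```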
router/ospf6
CLI Syntax
config router ospf6
edit <name_str>
set abr-type {cisco | ibm | standard}
set auto-cost-ref-bandwidth <integer>
set default-information-originate {enable | always | disable}
set log-neighbour-changes {enable | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set router-id <ipv4-address-any>
set spf-timers <user>
config area
edit <name_str>
set id <ipv4-address-any>
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
end
config virtual-link
edit <name_str>
set name <string>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
end
config ospf6-interface
edit <name_str>
set name <string>
set area-id <ipv4-address-any>
set interface <string>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
Description
Configuration                       Description                        Default Value
abr-type                                                               standard
auto-cost-ref-bandwidth                                                1000
default-information-originate                                          disable
log-neighbour-changes                                                  enable
default-information-metric                                             10
default-information-metric-type
default-information-route-map                                          (Empty)
default-metric                                                         20
router-id                                                              0.0.0.0
spf-timers                                                             5 10
area                                                                   (Empty)
ospf6-interface                                                        (Empty)
passive-interface                                                      (Empty)
redistribute                        Redistribute configuration.        (Empty)
summary-address                                                        (Empty)
router/policy
CLI Syntax
config router policy
edit <name_str>
set seq-num <integer>
config input-device
edit <name_str>
set name <string>
end
config src
edit <name_str>
set subnet <string>
end
config srcaddr
edit <name_str>
set name <string>
end
set src-negate {enable | disable}
config dst
edit <name_str>
set subnet <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set dst-negate {enable | disable}
set action {deny | permit}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set start-source-port <integer>
set end-source-port <integer>
set gateway <ipv4-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set status {enable | disable}
set comments <var-string>
end
Description
Configuration                       Description                        Default Value
seq-num                             Sequence number.
input-device                                                           (Empty)
src                                                                    (Empty)
srcaddr                                                                (Empty)
src-negate                                                             disable
dst                                                                    (Empty)
dstaddr                                                                (Empty)
dst-negate                                                             disable
action                                                                 permit
protocol                            Protocol number.
start-port
end-port                                                               65535
start-source-port
end-source-port                                                        65535
gateway                             IP address of gateway.             0.0.0.0
output-device                                                          (Empty)
tos                                                                    0x00
tos-mask                                                               0x00
status                                                                 enable
comments                            Comment.                           (Empty)
router/policy6
CLI Syntax
config router policy6
    edit <name_str>
        set seq-num <integer>
        set input-device <string>
        set src <ipv6-network>
        set dst <ipv6-network>
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set gateway <ipv6-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set status {enable | disable}
        set comments <var-string>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
seq-num | Sequence number. |
input-device | | (Empty)
src | | ::/0
dst | | ::/0
protocol | Protocol number. |
start-port | |
end-port | | 65535
gateway | | ::
output-device | | (Empty)
tos | | 0x00
tos-mask | | 0x00
status | | enable
comments | Comment. | (Empty)
router/prefix-list
CLI Syntax
config router prefix-list
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)
router/prefix-list6
CLI Syntax
config router prefix-list6
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix6 <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)
router/rip
CLI Syntax
config router rip
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        set recv-buffer-size <integer>
        config distance
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set distance <integer>
                set access-list <string>
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
            end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list <string>
                set offset <integer>
                set interface <string>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
default-information-originate | | disable
default-metric | Default metric. |
max-out-metric | |
recv-buffer-size | | 655360
distance | distance | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | neighbor | (Empty)
network | network | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
version | RIP version. |
interface | | (Empty)
router/ripng
CLI Syntax
config router ripng
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        config distance
            edit <name_str>
                set id <integer>
                set distance <integer>
                set prefix6 <ipv6-prefix>
                set access-list6 <string>
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip6 <ipv6-address>
                set interface <string>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv6-prefix>
            end
        config aggregate-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-prefix>
            end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list6 <string>
                set offset <integer>
                set interface <string>
            end
        config passive-interface
            edit <name_str>
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
default-information-originate | | disable
default-metric | Default metric. |
max-out-metric | |
distance | distance | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | neighbor | (Empty)
network | Network. | (Empty)
aggregate-address | Aggregate address. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
interface | | (Empty)
router/route-map
CLI Syntax
config router route-map
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set match-as-path <string>
                set match-community <string>
                set match-community-exact {enable | disable}
                set match-origin {none | egp | igp | incomplete}
                set match-interface <string>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
                set match-metric <integer>
                set match-route-type {1 | 2 | none}
                set match-tag <integer>
                set set-aggregator-as <integer>
                set set-aggregator-ip <ipv4-address-any>
                set set-aspath-action {prepend | replace}
                config set-aspath
                    edit <name_str>
                        set as <string>
                    end
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <string>
                config set-community
                    edit <name_str>
                        set community <string>
                    end
                set set-community-additive {enable | disable}
                set set-dampening-reachability-half-life <integer>
                set set-dampening-reuse <integer>
                set set-dampening-suppress <integer>
                set set-dampening-max-suppress <integer>
                set set-dampening-unreachability-half-life <integer>
                config set-extcommunity-rt
                    edit <name_str>
                        set community <string>
                    end
                config set-extcommunity-soo
                    edit <name_str>
                        set community <string>
                    end
                set set-ip-nexthop <ipv4-address>
                set set-ip6-nexthop <ipv6-address>
                set set-ip6-nexthop-local <ipv6-address>
                set set-local-preference <integer>
                set set-metric <integer>
                set set-metric-type {1 | 2 | none}
                set set-originator-id <ipv4-address-any>
                set set-origin {none | egp | igp | incomplete}
                set set-tag <integer>
                set set-weight <integer>
                set set-flags <integer>
                set match-flags <integer>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)
router/setting
CLI Syntax
config router setting
    edit <name_str>
        set show-filter <string>
        set hostname <string>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
show-filter | | (Empty)
hostname | | (Empty)
router/static
CLI Syntax
config router static
    edit <name_str>
        set seq-num <integer>
        set status {enable | disable}
        set dst <ipv4-classnet>
        set gateway <ipv4-address>
        set distance <integer>
        set weight <integer>
        set priority <integer>
        set device <string>
        set comment <var-string>
        set blackhole {enable | disable}
        set dynamic-gateway {enable | disable}
        set virtual-wan-link {enable | disable}
        set dstaddr <string>
        set internet-service <integer>
        set internet-service-custom <string>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
seq-num | Entry number. |
status | | enable
dst | | 0.0.0.0 0.0.0.0
gateway | | 0.0.0.0
distance | | 10
weight | |
priority | |
device | | (Empty)
comment | Comment. | (Empty)
blackhole | | disable
dynamic-gateway | | disable
virtual-wan-link | | disable
dstaddr | | (Empty)
internet-service | |
internet-service-custom | | (Empty)
router/static6
CLI Syntax
config router static6
    edit <name_str>
        set seq-num <integer>
        set status {enable | disable}
        set dst <ipv6-network>
        set gateway <ipv6-address>
        set device <string>
        set devindex <integer>
        set distance <integer>
        set priority <integer>
        set comment <var-string>
        set blackhole {enable | disable}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
seq-num | Sequence number. |
status | | enable
dst | | ::/0
gateway | | ::
device | | (Empty)
devindex | |
distance | | 10
priority | |
comment | Comment. | (Empty)
blackhole | | disable
spamfilter/bwl
CLI Syntax
config spamfilter bwl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set type {ip | email}
                set action {reject | spam | clear}
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
                set pattern-type {wildcard | regexp}
                set email-pattern <string>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
spamfilter/bword
CLI Syntax
config spamfilter bword
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set pattern <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
                set where {subject | body | all}
                set language {western | simch | trach | japanese | korean | french | thai | spanish}
                set score <integer>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
spamfilter/dnsbl
CLI Syntax
config spamfilter dnsbl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set server <string>
                set action {reject | spam}
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
spamfilter/fortishield
CLI Syntax
config spamfilter fortishield
    edit <name_str>
        set spam-submit-srv <string>
        set spam-submit-force {enable | disable}
        set spam-submit-txt2htm {enable | disable}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
spam-submit-srv | | www.nospammer.net
spam-submit-force | | enable
spam-submit-txt2htm | | enable
spamfilter/iptrust
CLI Syntax
config spamfilter iptrust
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
spamfilter/mheader
CLI Syntax
config spamfilter mheader
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set fieldname <string>
                set fieldbody <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | | (Empty)
spamfilter/options
CLI Syntax
config spamfilter options
    edit <name_str>
        set dns-timeout <integer>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
dns-timeout | |
spamfilter/profile
CLI Syntax
config spamfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set flow-based {enable | disable}
        set replacemsg-group <string>
        set spam-log {disable | enable}
        set spam-log-fortiguard-response {disable | enable}
        set spam-filtering {enable | disable}
        set external {enable | disable}
        set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
        config imap
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
            end
        config pop3
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
            end
        config smtp
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag | discard}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
                set hdrip {enable | disable}
                set local-override {enable | disable}
            end
        config mapi
            edit <name_str>
                set log {enable | disable}
                set action {pass | discard}
            end
        config msn-hotmail
            edit <name_str>
                set log {enable | disable}
            end
        config yahoo-mail
            edit <name_str>
                set log {enable | disable}
            end
        config gmail
            edit <name_str>
                set log {enable | disable}
            end
        set spam-bword-threshold <integer>
        set spam-bword-table <integer>
        set spam-bwl-table <integer>
        set spam-mheader-table <integer>
        set spam-rbl-table <integer>
        set spam-iptrust-table <integer>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
name | Profile name. | (Empty)
comment | Comment. | (Empty)
flow-based | | disable
replacemsg-group | | (Empty)
spam-log | | enable
spam-log-fortiguard-response | | disable
spam-filtering | | disable
external | | disable
options | Options. | (Empty)
imap | IMAP. | Details below
pop3 | POP3. | Details below
smtp | SMTP. | Details below
mapi | MAPI. | Details below
msn-hotmail | MSN Hotmail. | Details below
yahoo-mail | Yahoo! Mail. | Details below
gmail | Gmail. | Details below
spam-bword-threshold | | 10
spam-bword-table | |
spam-bwl-table | |
spam-mheader-table | |
spam-rbl-table | |
spam-iptrust-table | |

imap

Configuration | Default Value
------------- | -------------
log | disable
action | tag
tag-type | subject spaminfo
tag-msg | Spam

pop3

Configuration | Default Value
------------- | -------------
log | disable
action | tag
tag-type | subject spaminfo
tag-msg | Spam

smtp

Configuration | Default Value
------------- | -------------
log | disable
action | discard
tag-type | subject spaminfo
tag-msg | Spam
hdrip | disable
local-override | disable

mapi

Configuration | Default Value
------------- | -------------
log | disable
action | discard

msn-hotmail

Configuration | Default Value
------------- | -------------
log | disable

yahoo-mail

Configuration | Default Value
------------- | -------------
log | disable

gmail

Configuration | Default Value
------------- | -------------
log | disable
system.autoupdate/push-update
CLI Syntax
config system.autoupdate push-update
    edit <name_str>
        set status {enable | disable}
        set override {enable | disable}
        set address <ipv4-address-any>
        set port <integer>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
status | | disable
override | | disable
address | | 0.0.0.0
port | | 9443
system.autoupdate/schedule
CLI Syntax
config system.autoupdate schedule
    edit <name_str>
        set status {enable | disable}
        set frequency {every | daily | weekly}
        set time <user>
        set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
status | | enable
frequency | Update frequency. | every
time | Update time. | 02:60
day | Update day. | Monday
system.autoupdate/tunneling
CLI Syntax
config system.autoupdate tunneling
    edit <name_str>
        set status {enable | disable}
        set address <string>
        set port <integer>
        set username <string>
        set password <password>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
status | | disable
address | | (Empty)
port | |
username | | (Empty)
password | | (Empty)
system.dhcp/server
CLI Syntax
config system.dhcp server
    edit <name_str>
        set id <integer>
        set status {disable | enable}
        set lease-time <integer>
        set mac-acl-default-action {assign | block}
        set forticlient-on-net-status {disable | enable}
        set dns-service {local | default | specify}
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set dns-server3 <ipv4-address>
        set wifi-ac1 <ipv4-address>
        set wifi-ac2 <ipv4-address>
        set wifi-ac3 <ipv4-address>
        set ntp-service {local | default | specify}
        set ntp-server1 <ipv4-address>
        set ntp-server2 <ipv4-address>
        set ntp-server3 <ipv4-address>
        set domain <string>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set default-gateway <ipv4-address>
        set next-server <ipv4-address>
        set netmask <ipv4-netmask>
        set interface <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
        set timezone-option {disable | default | specify}
        set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
        set tftp-server <string>
        set filename <string>
        config options
            edit <name_str>
                set id <integer>
                set code <integer>
                set type {hex | string | ip}
                set value <string>
                set ip <user>
            end
        set server-type {regular | ipsec}
        set ip-mode {range | usrgrp}
        set conflicted-ip-timeout <integer>
        set ipsec-lease-hold <integer>
        set auto-configuration {disable | enable}
        set ddns-update {disable | enable}
        set ddns-update-override {disable | enable}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-ttl <integer>
        set vci-match {disable | enable}
        config vci-string
            edit <name_str>
                set vci-string <string>
            end
        config exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
        config reserved-address
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
                set mac <mac-address>
                set action {assign | block | reserved}
                set description <var-string>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
status | | enable
lease-time | | 604800
mac-acl-default-action | | assign
forticlient-on-net-status | | enable
dns-service | | specify
dns-server1 | DNS server 1. | 0.0.0.0
dns-server2 | DNS server 2. | 0.0.0.0
dns-server3 | DNS server 3. | 0.0.0.0
wifi-ac1 | WiFi AC 1. | 0.0.0.0
wifi-ac2 | WiFi AC 2. | 0.0.0.0
wifi-ac3 | WiFi AC 3. | 0.0.0.0
ntp-service | | specify
ntp-server1 | NTP server 1. | 0.0.0.0
ntp-server2 | NTP server 2. | 0.0.0.0
ntp-server3 | NTP server 3. | 0.0.0.0
domain | Domain name. | (Empty)
wins-server1 | WINS server 1. | 0.0.0.0
wins-server2 | WINS server 2. | 0.0.0.0
default-gateway | | 0.0.0.0
next-server | | 0.0.0.0
netmask | Netmask. | 0.0.0.0
interface | Interface name. | (Empty)
ip-range | | (Empty)
timezone-option | | disable
timezone | Time zone. | 00
tftp-server | | (Empty)
filename | | (Empty)
options | DHCP options. | (Empty)
server-type | | regular
ip-mode | | range
conflicted-ip-timeout | | 1800
ipsec-lease-hold | | 60
auto-configuration | | enable
ddns-update | | disable
ddns-update-override | | disable
ddns-server-ip | | 0.0.0.0
ddns-zone | | (Empty)
ddns-auth | | disable
ddns-keyname | | (Empty)
ddns-key | |
ddns-ttl | TTL. | 300
vci-match | | disable
vci-string | VCI strings. | (Empty)
exclude-range | | (Empty)
reserved-address | | (Empty)
system.dhcp6/server
CLI Syntax
config system.dhcp6 server
    edit <name_str>
        set id <integer>
        set status {disable | enable}
        set rapid-commit {disable | enable}
        set lease-time <integer>
        set dns-service {delegated | default | specify}
        set dns-server1 <ipv6-address>
        set dns-server2 <ipv6-address>
        set dns-server3 <ipv6-address>
        set domain <string>
        set subnet <ipv6-prefix>
        set interface <string>
        set option1 <user>
        set option2 <user>
        set option3 <user>
        set upstream-interface <string>
        set ip-mode {range | delegated}
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
            end
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | ID. |
status | | enable
rapid-commit | | disable
lease-time | | 604800
dns-service | | specify
dns-server1 | DNS server 1. | ::
dns-server2 | DNS server 2. | ::
dns-server3 | DNS server 3. | ::
domain | Domain name. | (Empty)
subnet | | ::/0
interface | Interface name. | (Empty)
option1 | Option 1. |
option2 | Option 2. |
option3 | Option 3. |
upstream-interface | | (Empty)
ip-mode | | range
ip-range | | (Empty)
system.replacemsg/admin
CLI Syntax
config system.replacemsg admin
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/alertmail
CLI Syntax
config system.replacemsg alertmail
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/auth
CLI Syntax
config system.replacemsg auth
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/device-detection-portal
CLI Syntax
config system.replacemsg device-detection-portal
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/ec
CLI Syntax
config system.replacemsg ec
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/fortiguard-wf
CLI Syntax
config system.replacemsg fortiguard-wf
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/ftp
CLI Syntax
config system.replacemsg ftp
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/http
CLI Syntax
config system.replacemsg http
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/mail
CLI Syntax
config system.replacemsg mail
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/nac-quar
CLI Syntax
config system.replacemsg nac-quar
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/nntp
CLI Syntax
config system.replacemsg nntp
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/spam
CLI Syntax
config system.replacemsg spam
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/sslvpn
CLI Syntax
config system.replacemsg sslvpn
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/traffic-quota
CLI Syntax
config system.replacemsg traffic-quota
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/utm
CLI Syntax
config system.replacemsg utm
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.replacemsg/webproxy
CLI Syntax
config system.replacemsg webproxy
    edit <name_str>
        set msg-type <string>
        set buffer <var-string>
        set header {none | http | 8bit}
        set format {none | text | html | wml}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
msg-type | Message type. | (Empty)
buffer | Message string. | (Empty)
header | Header flag. | none
format | Format flag. | none
system.snmp/community
CLI Syntax
config system.snmp community
    edit <name_str>
        set id <integer>
        set name <string>
        set status {enable | disable}
        config hosts
            edit <name_str>
                set id <integer>
                set source-ip <ipv4-address>
                set ip <user>
                set interface <string>
                set ha-direct {enable | disable}
                set host-type {any | query | trap}
            end
        config hosts6
            edit <name_str>
                set id <integer>
                set source-ipv6 <ipv6-address>
                set ipv6 <ipv6-prefix>
                set ha-direct {enable | disable}
                set interface <string>
                set host-type {any | query | trap}
            end
        set query-v1-status {enable | disable}
        set query-v1-port <integer>
        set query-v2c-status {enable | disable}
        set query-v2c-port <integer>
        set trap-v1-status {enable | disable}
        set trap-v1-lport <integer>
        set trap-v1-rport <integer>
        set trap-v2c-status {enable | disable}
        set trap-v2c-lport <integer>
        set trap-v2c-rport <integer>
        set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
id | Community ID. |
name | Community name. | (Empty)
status | | enable
hosts | | (Empty)
hosts6 | | (Empty)
query-v1-status | | enable
query-v1-port | | 161
query-v2c-status | | enable
query-v2c-port | | 161
trap-v1-status | | enable
trap-v1-lport | | 162
trap-v1-rport | | 162
trap-v2c-status | | enable
trap-v2c-lport | | 162
trap-v2c-rport | | 162
events | |
system.snmp/sysinfo
CLI Syntax
config system.snmp sysinfo
    edit <name_str>
        set status {enable | disable}
        set engine-id <string>
        set description <string>
        set contact-info <string>
        set location <string>
        set trap-high-cpu-threshold <integer>
        set trap-low-memory-threshold <integer>
        set trap-log-full-threshold <integer>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
status | Enable/disable SNMP. | disable
engine-id | | (Empty)
description | System description. | (Empty)
contact-info | Contact information. | (Empty)
location | System location. | (Empty)
trap-high-cpu-threshold | | 80
trap-low-memory-threshold | | 80
trap-log-full-threshold | | 90
system.snmp/user
CLI Syntax
config system.snmp user
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set trap-status {enable | disable}
        set trap-lport <integer>
        set trap-rport <integer>
        set queries {enable | disable}
        set query-port <integer>
        set notify-hosts <ipv4-address>
        set notify-hosts6 <ipv6-address>
        set source-ip <ipv4-address>
        set source-ipv6 <ipv6-address>
        set ha-direct {enable | disable}
        set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
        set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
        set auth-proto {md5 | sha}
        set auth-pwd <password>
        set priv-proto {aes | des | aes256 | aes256cisco}
        set priv-pwd <password>
    end
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
name | | (Empty)
status | | enable
trap-status | | enable
trap-lport | | 162
trap-rport | | 162
queries | | enable
query-port | | 161
notify-hosts | | (Empty)
notify-hosts6 | | (Empty)
source-ip | | 0.0.0.0
source-ipv6 | | ::
ha-direct | | disable
events | |
security-level | | no-auth-no-priv
auth-proto | Authentication protocol. | sha
auth-pwd | | (Empty)
priv-proto | | aes
priv-pwd | | (Empty)
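As an added example, not part of the reference: two config system.snmp user entries, one left at the defaults from the table above (security-level no-auth-no-priv, so queries are answered without authentication and traps carry no integrity protection) and one using the auth-priv level with the sha and aes256 options listed in the syntax. The user names, the 192.0.2.x addresses and the password placeholders are constructed for the illustration and are not values from the document.

```text
config system.snmp user
    # Weak: every option left at the table defaults. SNMPv3 without
    # authentication or privacy behaves much like a plaintext community.
    edit "monitor-weak"                        # constructed name
        set status enable
        set queries enable
        set security-level no-auth-no-priv
    next
    # Hardened: authenticated and encrypted SNMPv3, notifications only to a
    # known manager, and the trap source pinned to one interface address.
    edit "monitor-v3"                          # constructed name
        set status enable
        set queries enable
        set query-port 161
        set trap-status enable
        set notify-hosts 192.0.2.10            # constructed NMS address
        set source-ip 192.0.2.1                # constructed FortiGate address
        set events cpu-high mem-low log-full intf-ip ha-switch av-virus ips-signature
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd <placeholder-auth-password>
        set priv-proto aes256
        set priv-pwd <placeholder-priv-password>
    next
end
```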
system/accprofile
CLI Syntax
Description

Configuration | Description | Default Value
------------- | ----------- | -------------
name | Profile name. | (Empty)
scope | | vdom
comments | Comment. | (Empty)
mntgrp | Maintenance. | none
admingrp | Administrator Users. | none
updategrp | FortiGuard Update. | none
authgrp | | none
sysgrp | System Configuration. | none
netgrp | Network Configuration. | none
loggrp | | none
routegrp | Router Configuration. | none
fwgrp | Firewall Configuration. | none
vpngrp | VPN Configuration. | none
utmgrp | | none
wanoptgrp | | none
endpoint-control-grp | Endpoint Security. | none
wifi | Wireless controller. | none
fwgrp-permission | | Details below
loggrp-permission | | Details below
utmgrp-permission | Custom UTM permission. | Details below

fwgrp-permission

Configuration | Default Value
------------- | -------------
policy | none
address | none
service | none
schedule | none
packet-capture | none
others | none

loggrp-permission

Configuration | Default Value
------------- | -------------
config | none
data-access | none
report-access | none
threat-weight | none

utmgrp-permission

Configuration | Default Value
------------- | -------------
antivirus | none
ips | none
webfilter | none
spamfilter | none
data-loss-prevention | none
application-control | none
icap | none
casi | none
voip | none
waf | none
dnsfilter | none
system/admin
CLI Syntax
config system admin
edit <name_str>
set name <string>
set wildcard {enable | disable}
set remote-auth {enable | disable}
set remote-group <string>
set password <password-2>
set peer-auth {enable | disable}
set peer-group <string>
set trusthost1 <ipv4-classnet>
set trusthost2 <ipv4-classnet>
set trusthost3 <ipv4-classnet>
set trusthost4 <ipv4-classnet>
set trusthost5 <ipv4-classnet>
set trusthost6 <ipv4-classnet>
set trusthost7 <ipv4-classnet>
set trusthost8 <ipv4-classnet>
set trusthost9 <ipv4-classnet>
set trusthost10 <ipv4-classnet>
set ip6-trusthost1 <ipv6-prefix>
set ip6-trusthost2 <ipv6-prefix>
set ip6-trusthost3 <ipv6-prefix>
set ip6-trusthost4 <ipv6-prefix>
set ip6-trusthost5 <ipv6-prefix>
set ip6-trusthost6 <ipv6-prefix>
set ip6-trusthost7 <ipv6-prefix>
set ip6-trusthost8 <ipv6-prefix>
set ip6-trusthost9 <ipv6-prefix>
set ip6-trusthost10 <ipv6-prefix>
set accprofile <string>
set allow-remove-admin-session {enable | disable}
set comments <var-string>
set hidden <integer>
config vdom
edit <name_str>
set name <string>
end
set is-admin <integer>
set ssh-public-key1 <user>
set ssh-public-key2 <user>
set ssh-public-key3 <user>
set ssh-certificate <string>
set schedule <string>
set accprofile-override {enable | disable}
set radius-vdom-override {enable | disable}
set password-expire <user>
set force-password-change {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
472
config dashboard
edit <name_str>
set id <integer>
set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid
| tr-history | analytics | usb-modem}
set name <string>
set column <integer>
set refresh-interval <integer>
set time-period <integer>
set chart-color <integer>
set top-n <integer>
set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
set report-by {source | destination | application | dlp-rule | dlp-sensor | policy | protocol | web-category | web-domain | all | profile}
set ip-version {ipboth | ipv4 | ipv6}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set aggregate-hosts {enable | disable}
set resolve-apps {enable | disable}
set display-format {chart | table | line}
set view-type {real-time | historical}
set cpu-display-type {average | each}
set interface <string>
set dst-interface <string>
set tr-history-period1 <integer>
set tr-history-period2 <integer>
set tr-history-period3 <integer>
set vdom <string>
set refresh {enable | disable}
set status {close | open}
set protocols <integer>
set show-system-restart {enable | disable}
set show-conserve-mode {enable | disable}
set show-firmware-change {enable | disable}
set show-fds-update {enable | disable}
set show-device-update {enable | disable}
set show-fds-quota {enable | disable}
set show-disk-failure {enable | disable}
set show-power-supply {enable | disable}
set show-admin-auth {enable | disable}
set show-fgd-alert {enable | disable}
set show-fcc-license {enable | disable}
set show-policy-overflow {enable | disable}
end
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set guest-auth {disable | enable}
config guest-usergroups
edit <name_str>
set name <string>
end
set guest-lang <string>
set history0 <password-2>
set history1 <password-2>
config login-time
edit <name_str>
set usr-name <string>
set last-login <datetime>
set last-failed-login <datetime>
end
config gui-global-menu-favorites
edit <name_str>
set id <string>
end
config gui-vdom-menu-favorites
edit <name_str>
set id <string>
end
end
Description
Configuration | Description | Default Value
name | User name. | (Empty)
wildcard | | disable
remote-auth | | disable
remote-group | | (Empty)
password | | ENC XXUp2ozpdysrQ
peer-auth | | disable
peer-group | | (Empty)
trusthost1 | | 0.0.0.0 0.0.0.0
trusthost2 | | 0.0.0.0 0.0.0.0
trusthost3 | | 0.0.0.0 0.0.0.0
trusthost4 | | 0.0.0.0 0.0.0.0
trusthost5 | | 0.0.0.0 0.0.0.0
trusthost6 | | 0.0.0.0 0.0.0.0
trusthost7 | | 0.0.0.0 0.0.0.0
trusthost8 | | 0.0.0.0 0.0.0.0
trusthost9 | | 0.0.0.0 0.0.0.0
trusthost10 | | 0.0.0.0 0.0.0.0
ip6-trusthost1 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost2 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost3 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost4 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost5 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost6 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost7 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost8 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost9 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
ip6-trusthost10 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0
accprofile | | (Empty)
allow-remove-admin-session | | enable
comments | Comment. | (Empty)
hidden | |
vdom | Virtual domains. | (Empty)
is-admin | Is user admin. |
ssh-public-key1 | | (Empty)
ssh-public-key2 | | (Empty)
ssh-public-key3 | | (Empty)
ssh-certificate | SSH certificate. | (Empty)
schedule | Schedule name. | (Empty)
accprofile-override | | disable
radius-vdom-override | | disable
password-expire | | 0000-00-00 00:00:00
force-password-change | | disable
dashboard | | (Empty)
two-factor | | disable
fortitoken | | (Empty)
email-to | | (Empty)
sms-server | | fortiguard
sms-custom-server | | (Empty)
sms-phone | | (Empty)
guest-auth | | disable
guest-usergroups | | (Empty)
guest-lang | | (Empty)
history0 | history0 | ENC
history1 | history1 | ENC
login-time | | (Empty)
gui-global-menu-favorites | | (Empty)
gui-vdom-menu-favorites | | (Empty)
system/alarm
CLI Syntax
config system alarm
edit <name_str>
set status {enable | disable}
set audible {enable | disable}
set sequence <integer>
config groups
edit <name_str>
set id <integer>
set period <integer>
set admin-auth-failure-threshold <integer>
set admin-auth-lockout-threshold <integer>
set user-auth-failure-threshold <integer>
set user-auth-lockout-threshold <integer>
set replay-attempt-threshold <integer>
set self-test-failure-threshold <integer>
set log-full-warning-threshold <integer>
set encryption-failure-threshold <integer>
set decryption-failure-threshold <integer>
config fw-policy-violations
edit <name_str>
set id <integer>
set threshold <integer>
set src-ip <ipv4-address>
set dst-ip <ipv4-address>
set src-port <integer>
set dst-port <integer>
end
set fw-policy-id <integer>
set fw-policy-id-threshold <integer>
end
end
Description
Configuration | Description | Default Value
status | Enable/disable alarm. | disable
audible | | disable
sequence | Sequence ID of alarms. |
groups | Alarm groups. | (Empty)
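As an added illustration of how the group thresholds above combine with `period` (this is not Fortinet's code, and the exact counting rule FortiOS applies is not stated on this page): the script assumes a threshold is compared with the number of matching events inside a trailing window of `period` seconds, clears the window once an alarm fires, and treats a missing or zero threshold as "not alarmed". The event records and the group values are constructed for the demonstration; the counter names are the threshold options of `config groups` without their `-threshold` suffix.

```python
from collections import deque
from datetime import datetime

# Constructed events: (UTC timestamp, counter name).
SAMPLE_EVENTS = [
    ("2016-06-03T10:00:00", "admin-auth-failure"),
    ("2016-06-03T10:00:20", "admin-auth-failure"),
    ("2016-06-03T10:00:40", "admin-auth-failure"),
    ("2016-06-03T10:02:00", "user-auth-failure"),
    ("2016-06-03T10:03:00", "admin-auth-failure"),
    ("2016-06-03T10:09:30", "admin-auth-failure"),
    ("2016-06-03T10:09:50", "admin-auth-failure"),
    ("2016-06-03T10:10:10", "admin-auth-failure"),
    ("2016-06-03T10:10:30", "self-test-failure"),
]

# Constructed alarm group in the shape of the 'config groups' options.
SAMPLE_GROUP = {
    "period": 300,                       # seconds (assumed unit)
    "admin-auth-failure-threshold": 3,
    "user-auth-failure-threshold": 5,
    "self-test-failure-threshold": 1,
}


def evaluate_group(events, group):
    """Return [(fired_at, counter, count)] for every threshold crossing.

    Assumed semantics: an alarm fires when the number of a counter's events
    within the trailing 'period' seconds reaches its threshold. The window is
    cleared after firing so one burst does not re-fire on every later event.
    A missing or zero threshold disables alarms for that counter.
    """
    period = group["period"]
    windows = {}   # counter -> deque of event times still inside the window
    alarms = []
    for stamp, counter in sorted(events):
        threshold = group.get(counter + "-threshold", 0)
        if threshold <= 0:
            continue
        now = datetime.fromisoformat(stamp)
        window = windows.setdefault(counter, deque())
        window.append(now)
        while (now - window[0]).total_seconds() > period:   # drop expired events
            window.popleft()
        if len(window) >= threshold:
            alarms.append((stamp, counter, len(window)))
            window.clear()
    return alarms


if __name__ == "__main__":
    for fired_at, counter, count in evaluate_group(SAMPLE_EVENTS, SAMPLE_GROUP):
        print("%s alarm: %s reached %d events" % (fired_at, counter, count))
```

With the constructed data the admin-auth-failure counter fires twice (three failures inside 40 seconds, then another three about ten minutes later) while the single failure at 10:03:00 is never joined by enough others inside a 300-second window; shrinking `period` to 30 seconds suppresses both admin alarms.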
system/arp-table
CLI Syntax
config system arp-table
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set mac <mac-address>
end
Description
Configuration | Description | Default Value
id | |
interface | Interface name. | (Empty)
ip | IP address. | 0.0.0.0
mac | MAC address. | 00:00:00:00:00:00
system/auto-install
CLI Syntax
config system auto-install
edit <name_str>
set auto-install-config {enable | disable}
set auto-install-image {enable | disable}
set default-config-file <string>
set default-image-file <string>
end
Description
Configuration | Description | Default Value
auto-install-config | | disable
auto-install-image | | disable
default-config-file | | fgt_system.conf
default-image-file | | image.out
system/auto-script
CLI Syntax
config system auto-script
edit <name_str>
set name <string>
set interval <integer>
set repeat <integer>
set start {manual | auto}
set script <var-string>
end
Description
Configuration | Description | Default Value
name | | (Empty)
interval | |
repeat | |
start | | manual
script | | (Empty)
system/central-management
CLI Syntax
config system central-management
edit <name_str>
set mode {normal | backup}
set type {fortimanager | fortiguard | none}
set schedule-config-restore {enable | disable}
set schedule-script-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-pushd-firmware {enable | disable}
set allow-remote-firmware-upgrade {enable | disable}
set allow-monitor {enable | disable}
set serial-number <user>
set fmg <string>
set fmg-source-ip <ipv4-address>
set fmg-source-ip6 <ipv6-address>
set vdom <string>
config server-list
edit <name_str>
set id <integer>
set server-type {update | rating}
set addr-type {ipv4 | ipv6 | fqdn}
set server-address <ipv4-address>
set server-address6 <ipv6-address>
set fqdn <string>
end
set include-default-servers {enable | disable}
set enc-algorithm {default | high | low}
end
Description
Configuration | Description | Default Value
mode | | normal
type | | none
schedule-config-restore | | enable
schedule-script-restore | | enable
allow-push-configuration | | enable
allow-pushd-firmware | | enable
allow-remote-firmware-upgrade | | enable
allow-monitor | | enable
serial-number | Serial number. | (Empty)
fmg | | (Empty)
fmg-source-ip | | 0.0.0.0
fmg-source-ip6 | | ::
vdom | | root
server-list | | (Empty)
include-default-servers | | enable
enc-algorithm | | high
system/cluster-sync
CLI Syntax
config system cluster-sync
edit <name_str>
set sync-id <integer>
set peervd <string>
set peerip <ipv4-address>
config syncvd
edit <name_str>
set name <string>
end
config session-sync-filter
edit <name_str>
set srcintf <string>
set dstintf <string>
set srcaddr <ipv4-classnet-any>
set dstaddr <ipv4-classnet-any>
set srcaddr6 <ipv6-network>
set dstaddr6 <ipv6-network>
config custom-service
edit <name_str>
set id <integer>
set src-port-range <user>
set dst-port-range <user>
end
end
end
Description
Configuration | Description | Default Value
sync-id | Sync ID. |
peervd | | root
peerip | | 0.0.0.0
syncvd | | (Empty)
session-sync-filter | Details below |

session-sync-filter
Configuration | Default Value
srcintf | (Empty)
dstintf | (Empty)
srcaddr | 0.0.0.0 0.0.0.0
dstaddr | 0.0.0.0 0.0.0.0
srcaddr6 | ::/0
dstaddr6 | ::/0
custom-service | (Empty)
system/console
CLI Syntax
config system console
edit <name_str>
set mode {batch | line}
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set output {standard | more}
set login {enable | disable}
set fortiexplorer {enable | disable}
end
Description
Configuration | Description | Default Value
mode | Console mode. | line
baudrate | | 9600
output | | more
login | | enable
fortiexplorer | | enable
system/custom-language
CLI Syntax
config system custom-language
edit <name_str>
set name <string>
set filename <string>
set comments <var-string>
end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
filename | | (Empty)
comments | Comment. | (Empty)
system/ddns
CLI Syntax
config system ddns
edit <name_str>
set ddnsid <integer>
set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-ttl <integer>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-domain <string>
set ddns-username <string>
set ddns-sn <string>
set ddns-password <password>
set use-public-ip {disable | enable}
set clear-text {disable | enable}
set ssl-certificate <string>
set bound-ip <ipv4-address>
config monitor-interface
edit <name_str>
set interface-name <string>
end
end
Description
Configuration | Description | Default Value
ddnsid | DDNS ID. |
ddns-server | DDNS server. | (Empty)
ddns-server-ip | | 0.0.0.0
ddns-zone | | (Empty)
ddns-ttl | TTL. | 300
ddns-auth | | disable
ddns-keyname | | (Empty)
ddns-key | | 'ENC ws+aR7RX+Kk/g41Bs0SWGbHac+vOTiv271HXGJTNf9n+sPaprfG5ubPEPH+8ZxccOuEMmsLafbDZ/F1ySfgOMVaRSxojcUfjSLNndHqBKYANZsnuAxu47RJMJ4A='
ddns-domain | | (Empty)
ddns-username | | (Empty)
ddns-sn | | (Empty)
ddns-password | DDNS password. | (Empty)
use-public-ip | | disable
clear-text | | enable
ssl-certificate | | Fortinet_Factory
bound-ip | Bound IP address. | 0.0.0.0
monitor-interface | Monitored interface. | (Empty)
system/dedicated-mgmt
CLI Syntax
config system dedicated-mgmt
edit <name_str>
set status {enable | disable}
set interface <string>
set default-gateway <ipv4-address>
set dhcp-server {enable | disable}
set dhcp-netmask <ipv4-netmask>
set dhcp-start-ip <ipv4-address>
set dhcp-end-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
status | | disable
interface | | (Empty)
default-gateway | | 0.0.0.0
dhcp-server | | disable
dhcp-netmask | DHCP netmask. | 0.0.0.0
dhcp-start-ip | | 0.0.0.0
dhcp-end-ip | | 0.0.0.0
system/dns
CLI Syntax
config system dns
edit <name_str>
set primary <ipv4-address>
set secondary <ipv4-address>
set domain <string>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {disable | enable}
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
primary | | 0.0.0.0
secondary | | 0.0.0.0
domain | | (Empty)
ip6-primary | | ::
ip6-secondary | | ::
dns-cache-limit | | 5000
dns-cache-ttl | | 1800
cache-notfound-responses | | disable
source-ip | | 0.0.0.0
system/dns-database
CLI Syntax
config system dns-database
edit <name_str>
set name <string>
set status {enable | disable}
set domain <string>
set allow-transfer <user>
set type {master | slave}
set view {shadow | public}
set ip-master <ipv4-address-any>
set primary-name <string>
set contact <string>
set ttl <integer>
set authoritative {enable | disable}
set forwarder <user>
set source-ip <ipv4-address>
config dns-entry
edit <name_str>
set id <integer>
set status {enable | disable}
set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
set ttl <integer>
set preference <integer>
set ip <ipv4-address-any>
set ipv6 <ipv6-address>
set hostname <string>
set canonical-name <string>
end
end
Description
Configuration | Description | Default Value
name | Zone name. | (Empty)
status | | enable
domain | Domain name. | (Empty)
allow-transfer | | (Empty)
type | | master
view | | shadow
ip-master | | 0.0.0.0
primary-name | | dns
contact | | hostmaster
ttl | | 86400
authoritative | | enable
forwarder | | (Empty)
source-ip | | 0.0.0.0
dns-entry | DNS entry. | (Empty)
system/dns-server
CLI Syntax
config system dns-server
edit <name_str>
set name <string>
set mode {recursive | non-recursive | forward-only}
set dnsfilter-profile <string>
end
Description
Configuration | Description | Default Value
name | | (Empty)
mode | | recursive
dnsfilter-profile | | (Empty)
system/dscp-based-priority
CLI Syntax
config system dscp-based-priority
edit <name_str>
set id <integer>
set ds <integer>
set priority {low | medium | high}
end
Description
Configuration | Description | Default Value
id | Item ID. |
ds | |
priority | | high
system/email-server
CLI Syntax
config system email-server
edit <name_str>
set type {custom}
set reply-to <string>
set server <string>
set port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set authenticate {enable | disable}
set validate-server {enable | disable}
set username <string>
set password <password>
set security {none | starttls | smtps}
end
Description
Configuration | Description | Default Value
type | | custom
reply-to | | (Empty)
server | | (Empty)
port | | 25
source-ip | | 0.0.0.0
source-ip6 | | ::
authenticate | Enable/disable authentication. | disable
validate-server | | disable
username | | (Empty)
password | | (Empty)
security | Connection security. | none
system/fips-cc
CLI Syntax
config system fips-cc
edit <name_str>
set status {enable | disable}
set entropy-token {enable | disable | dynamic}
set error-flag {error-mode | exit-ready}
set error-cause {none | memory | disk | syslog}
set self-test-period <integer>
set key-generation-self-test {enable | disable}
end
Description
Configuration | Description | Default Value
status | | disable
entropy-token | | enable
error-flag | | (Empty)
error-cause | | none
self-test-period | | 1440
key-generation-self-test | | disable
system/fm
CLI Syntax
config system fm
edit <name_str>
set status {enable | disable}
set id <string>
set ip <ipv4-address>
set vdom <string>
set auto-backup {enable | disable}
set scheduled-config-restore {enable | disable}
set ipsec {enable | disable}
end
Description
Configuration | Description | Default Value
status | Enable/disable FM. | disable
id | ID. | (Empty)
ip | IP address. | 0.0.0.0
vdom | VDOM. | root
auto-backup | | disable
scheduled-config-restore | | disable
ipsec | Enable/disable IPsec. | disable
system/fortiguard
CLI Syntax
config system fortiguard
edit <name_str>
set port {53 | 8888 | 80}
set service-account-id <string>
set load-balance-servers <integer>
set antispam-force-off {enable | disable}
set antispam-cache {enable | disable}
set antispam-cache-ttl <integer>
set antispam-cache-mpercent <integer>
set antispam-license <integer>
set antispam-expiration <integer>
set antispam-timeout <integer>
set avquery-force-off {}
set avquery-cache {}
set avquery-cache-ttl <integer>
set avquery-cache-mpercent <integer>
set avquery-license <integer>
set avquery-timeout <integer>
set webfilter-force-off {enable | disable}
set webfilter-cache {enable | disable}
set webfilter-cache-ttl <integer>
set webfilter-license <integer>
set webfilter-expiration <integer>
set webfilter-timeout <integer>
set sdns-server-ip <user>
set sdns-server-port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set ddns-server-ip <ipv4-address>
set ddns-server-port <integer>
end
Description
Configuration | Description | Default Value
port | | 53
service-account-id | | (Empty)
load-balance-servers | |
antispam-force-off | | disable
antispam-cache | | enable
antispam-cache-ttl | | 1800
antispam-cache-mpercent | |
antispam-license | License type. | 4294967295
antispam-expiration | License expiration. |
antispam-timeout | |
avquery-force-off | avquery-force-off |
avquery-cache | avquery-cache |
avquery-cache-ttl | avquery-cache-ttl |
avquery-cache-mpercent | avquery-cache-mpercent |
avquery-license | avquery-license |
avquery-timeout | avquery-timeout |
webfilter-force-off | | disable
webfilter-cache | | enable
webfilter-cache-ttl | | 3600
webfilter-license | License type. | 4294967295
webfilter-expiration | License expiration. |
webfilter-timeout | | 15
sdns-server-ip | | (Empty)
sdns-server-port | | 53
source-ip | | 0.0.0.0
source-ip6 | | ::
ddns-server-ip | | 0.0.0.0
ddns-server-port | | 443
system/fortimanager
CLI Syntax
config system fortimanager
edit <name_str>
set ip <ipv4-address-any>
set vdom <string>
set ipsec {enable | disable}
set central-management {enable | disable}
set central-mgmt-auto-backup {enable | disable}
set central-mgmt-schedule-config-restore {enable | disable}
set central-mgmt-schedule-script-restore {enable | disable}
end
Description
Configuration | Description | Default Value
ip | IP address. | 0.0.0.0
vdom | | root
ipsec | | disable
central-management | | disable
central-mgmt-auto-backup | | disable
central-mgmt-schedule-config-restore | | disable
central-mgmt-schedule-script-restore | | disable
system/fortisandbox
CLI Syntax
config system fortisandbox
edit <name_str>
set status {enable | disable}
set server <ipv4-address-any>
set source-ip <ipv4-address>
set enc-algorithm {default | high | low | disable}
set email <string>
end
Description
Configuration | Description | Default Value
status | Enable/disable FortiSandbox. | disable
server | Server IP. | 0.0.0.0
source-ip | | 0.0.0.0
enc-algorithm | | default
email | | (Empty)
system/fsso-polling
CLI Syntax
config system fsso-polling
edit <name_str>
set status {enable | disable}
set listening-port <integer>
set authentication {enable | disable}
set auth-password <password>
end
Description
Configuration | Description | Default Value
status | | enable
listening-port | | 8000
authentication | | disable
auth-password | | (Empty)
system/geoip-override
CLI Syntax
config system geoip-override
edit <name_str>
set name <string>
set description <string>
set country-id <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
end
Description
Configuration | Description | Default Value
name | Location name. | (Empty)
description | Description. | (Empty)
country-id | Country ID. | (Empty)
ip-range | IP range. | (Empty)
system/global
CLI Syntax
config system global
edit <name_str>
set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
set gui-ipv6 {enable | disable}
set gui-certificates {enable | disable}
set gui-custom-language {enable | disable}
set gui-wireless-opensecurity {enable | disable}
set gui-display-hostname {enable | disable}
set gui-lines-per-page <integer>
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
set admin-https-banned-cipher {rc4 | low}
set admintimeout <integer>
set admin-console-timeout <integer>
set admin-concurrent {enable | disable}
set admin-lockout-threshold <integer>
set admin-lockout-duration <integer>
set refresh <integer>
set interval <integer>
set failtime <integer>
set daily-restart {enable | disable}
set restart-time <user>
set radius-port <integer>
set admin-login-max <integer>
set remoteauthtimeout <integer>
set ldapconntimeout <integer>
set batch-cmdb {enable | disable}
set max-dlpstat-memory <integer>
set dst {enable | disable}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set ntpserver <string>
set ntpsync {enable | disable}
set syncinterval <integer>
set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high}
set anti-replay {disable | loose | strict}
set send-pmtu-icmp {enable | disable}
set honor-df {enable | disable}
set split-port <user>
set revision-image-auto-backup {enable | disable}
set revision-backup-on-logout {enable | disable}
set management-vdom <string>
set hostname <string>
set alias <string>
set strong-crypto {enable | disable}
set ssh-cbc-cipher {enable | disable}
set ssh-hmac-md5 {enable | disable}
set snat-route-change {enable | disable}
set cli-audit-log {enable | disable}
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set fds-statistics {enable | disable}
set fds-statistics-period <integer>
set multicast-forward {enable | disable}
set mc-ttl-notchange {enable | disable}
set asymroute {enable | disable}
set tcp-option {enable | disable}
set phase1-rekey {enable | disable}
set lldp-transmission {enable | disable}
set explicit-proxy-auth-timeout <integer>
set sys-perf-log-interval <integer>
set check-protocol-header {loose | strict}
set vip-arp-range {unlimited | restricted}
set optimize {antivirus | session-setup | throughput}
set reset-sessionless-tcp {enable | disable}
set allow-traffic-redirect {enable | disable}
set strict-dirty-session-check {enable | disable}
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set block-session-timer <integer>
set ip-src-port-range <user>
set pre-login-banner {enable | disable}
set post-login-banner {disable | enable}
set tftp {enable | disable}
set av-failopen {pass | idledrop | off | one-shot}
set av-failopen-session {enable | disable}
set check-reset-range {strict | disable}
set vdom-admin {enable | disable}
set admin-port <integer>
set admin-sport <integer>
set admin-https-redirect {enable | disable}
set admin-ssh-password {enable | disable}
set admin-ssh-port <integer>
set admin-ssh-grace-time <integer>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <integer>
set admin-maintainer {enable | disable}
set admin-server-cert <string>
set user-server-cert <string>
set admin-https-pki-required {enable | disable}
set wifi-certificate <string>
set wifi-ca-certificate <string>
set auth-http-port <integer>
set auth-https-port <integer>
set av-affinity <string>
set miglog-affinity <string>
set ndp-max-entry <integer>
set br-fdb-max-entry <integer>
set max-route-cache-size <integer>
set ipsec-asic-offload {enable | disable}
set device-idle-timeout <integer>
set device-identification-active-scan-delay <integer>
set compliance-check {enable | disable}
set compliance-check-time <time>
set gui-device-latitude <string>
set gui-device-longitude <string>
set private-data-encryption {disable | enable}
set auto-auth-extension-device {enable | disable}
set gui-theme {green | red | blue | melongene | mariner}
set igmp-state-limit <integer>
end
Description
Configuration | Description | Default Value
language | | english
gui-ipv6 | | disable
gui-certificates | | enable
gui-custom-language | | disable
gui-wireless-opensecurity | | disable
gui-display-hostname | | disable
gui-lines-per-page | | 50
admin-https-ssl-versions | | tlsv1-1 tlsv1-2
admin-https-banned-cipher | | rc4 low
admintimeout | |
admin-console-timeout | |
admin-concurrent | | enable
admin-lockout-threshold | |
admin-lockout-duration | | 60
refresh | |
interval | |
failtime | |
daily-restart | | disable
restart-time | | 00:00
radius-port | | 1812
admin-login-max | | 100
remoteauthtimeout | |
ldapconntimeout | | 500
batch-cmdb | | enable
max-dlpstat-memory | |
dst | | enable
timezone | Time zone. | 00
ntpserver | | (Empty)
ntpsync | | disable
syncinterval | |
traffic-priority | | tos
traffic-priority-level | | medium
anti-replay | Anti-replay control. | strict
send-pmtu-icmp | | enable
honor-df | | enable
split-port | | (Empty)
revision-image-auto-backup | | disable
revision-backup-on-logout | | disable
management-vdom | | root
hostname | Firewall hostname. | (Empty)
alias | Device alias. | (Empty)
strong-crypto | | enable
ssh-cbc-cipher | | enable
ssh-hmac-md5 | | enable
snat-route-change | | disable
cli-audit-log | | disable
dh-params | | 2048
fds-statistics | | enable
fds-statistics-period | | 60
multicast-forward | | enable
mc-ttl-notchange | | disable
asymroute | | disable
tcp-option | | enable
phase1-rekey | | enable
lldp-transmission | | disable
explicit-proxy-auth-timeout | | 300
sys-perf-log-interval | |
check-protocol-header | | loose
vip-arp-range | | restricted
optimize | | antivirus
reset-sessionless-tcp | | disable
allow-traffic-redirect | | enable
strict-dirty-session-check | | enable
tcp-halfclose-timer | | 120
tcp-halfopen-timer | | 10
tcp-timewait-timer | |
udp-idle-timer | | 180
block-session-timer | | 30
ip-src-port-range | | 1024-25000
pre-login-banner | Enable/disable pre-login-banner. | disable
post-login-banner | Enable/disable post-login-banner. | disable
tftp | Enable/disable TFTP. | enable
av-failopen | | pass
av-failopen-session | | disable
check-reset-range | | disable
vdom-admin | | disable
admin-port | | 80
admin-sport | | 443
admin-https-redirect | | enable
admin-ssh-password | | enable
admin-ssh-port | | 22
admin-ssh-grace-time | | 120
admin-ssh-v1 | | disable
admin-telnet-port | | 23
admin-maintainer | | enable
admin-server-cert | | Fortinet_Factory
user-server-cert | | Fortinet_Factory
admin-https-pki-required | | disable
wifi-certificate | | Fortinet_Wifi
wifi-ca-certificate | | Fortinet_Wifi_CA
auth-http-port | | 1000
auth-https-port | | 1003
auth-keepalive | | disable
policy-auth-concurrent | |
auth-cert | | Fortinet_Factory
clt-cert-req | | disable
fortiservice-port | | 8013
endpoint-control-portal-port | | 8009
endpoint-control-fds-access | | enable
tp-mc-skip-policy | | disable
cfg-save | | automatic
cfg-revert-timeout | | 600
reboot-upon-config-restore | | enable
admin-scp | | disable
registration-notification | | enable
service-expire-notification | | enable
wireless-controller | | enable
wireless-controller-port | | 5246
fortiextender-data-port | | 25246
fortiextender | | disable
switch-controller | | disable
switch-controller-reserved-network | | 169.254.0.0 255.255.0.0
proxy-worker-count | | 16
scanunit-count | Scanunit count. | 39
ssl-worker-count | |
proxy-kxp-hardware-acceleration | | enable
proxy-cipher-hardware-acceleration | | enable
fgd-alert-subscription | | (Empty)
ipsec-hmac-offload | | enable
ipv6-accept-dad | |
csr-ca-attribute | | enable
wimax-4g-usb | | disable
cert-chain-max | |
sslvpn-max-worker-count | | 39
sslvpn-kxp-hardware-acceleration | | disable
sslvpn-cipher-hardware-acceleration | | disable
sslvpn-plugin-version-check | | enable
two-factor-ftk-expiry | Expiration time for FortiToken authentication (60 - 600 sec, default = 60 sec). | 60
two-factor-email-expiry | | 60
two-factor-sms-expiry | | 60
two-factor-fac-expiry | | 60
two-factor-ftm-expiry | | 72
per-user-bwl | | disable
virtual-server-count | | 20
virtual-server-hardware-acceleration | | enable
wad-worker-count | | 20
login-timestamp | | disable
miglogd-children | |
special-file-23-support | | disable
log-uuid | | policy-only
arp-max-entry | | 131072
ips-affinity | |
av-affinity | |
miglog-affinity | |
ndp-max-entry | |
br-fdb-max-entry | | 8192
max-route-cache-size | |
ipsec-asic-offload | | enable
device-idle-timeout | | 300
device-identification-active-scan-delay | | 90
compliance-check | | enable
compliance-check-time | | 00:00:00
gui-device-latitude | | (Empty)
gui-device-longitude | | (Empty)
private-data-encryption | | disable
auto-auth-extension-device | | enable
gui-theme | | green
igmp-state-limit | | 3200
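The trusted-host and two-factor options of system/admin, together with the admin-access and crypto options of system/global above, are the settings an auditor checks first on a FortiGate. The Python script below is an added example, not Fortinet's code: it parses a FortiOS CLI config dump in the `config` / `edit` / `set` / `next` / `end` form this reference uses, reports administrators that still hold the any-source trusthost default or have two-factor disabled, and reports global settings that are weaker than the 5.4 defaults listed above (TLS 1.0 or SSLv3 for HTTPS, SSH protocol 1, DH parameters under 2048 bits, CLI audit logging off, and so on). The config text, the admin names `admin` and `noc`, and the addresses are constructed; absent options are assumed to hold the documented defaults, and an account is treated as unrestricted only when every trusthost and ip6-trusthost slot is still at its default.

```python
import shlex


class Node:
    """One CLI scope: its 'set' values plus nested 'config' and 'edit' scopes."""
    def __init__(self):
        self.settings = {}   # option name -> list of value tokens
        self.configs = {}    # "system admin" -> Node of that config block
        self.entries = {}    # "admin" -> Node of that edit entry


def parse_fortios(text):
    """Build a Node tree from config/edit/set/next/end lines."""
    root = Node()
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] in ("config", "edit"):
            child = Node()
            if tokens[0] == "config":
                stack[-1].configs[" ".join(tokens[1:])] = child
            else:
                stack[-1].entries[tokens[1]] = child
            stack.append(child)
        elif tokens[0] == "set":
            stack[-1].settings[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):   # close the current edit / config
            stack.pop()
    return root


ANY_V4 = ["0.0.0.0", "0.0.0.0"]   # documented trusthostN default: any IPv4 source
ANY_V6 = ["::/0"]                 # documented ip6-trusthostN default: any IPv6 source


def audit_admins(root):
    """Findings for each 'config system admin' entry."""
    findings = []
    admins = root.configs.get("system admin")
    for name, entry in (admins.entries.items() if admins else []):
        s = entry.settings
        v4 = [s.get("trusthost%d" % i, ANY_V4) for i in range(1, 11)]
        v6 = [s.get("ip6-trusthost%d" % i, ANY_V6) for i in range(1, 11)]
        # Flag only accounts where every slot still holds the any-source default
        if all(h == ANY_V4 for h in v4) and all(h == ANY_V6 for h in v6):
            findings.append("admin %s: no trusthost set, login allowed from any source" % name)
        if s.get("two-factor", ["disable"]) == ["disable"]:
            findings.append("admin %s: two-factor is disable" % name)
    return findings


# (option, FortiOS 5.4 default, value that is a finding, why it matters)
BOOLEAN_CHECKS = [
    ("strong-crypto", "enable", "disable", "strong ciphers not enforced"),
    ("ssh-cbc-cipher", "enable", "enable", "CBC ciphers offered on admin SSH"),
    ("ssh-hmac-md5", "enable", "enable", "HMAC-MD5 offered on admin SSH"),
    ("admin-ssh-v1", "disable", "enable", "SSH protocol 1 accepted"),
    ("cli-audit-log", "disable", "disable", "CLI commands are not logged"),
    ("tftp", "enable", "enable", "TFTP client available"),
]


def audit_global(root):
    """Findings for 'config system global'; absent options take the 5.4 default."""
    glob = root.configs.get("system global")
    s = glob.settings if glob else {}
    findings = []
    versions = s.get("admin-https-ssl-versions", ["tlsv1-1", "tlsv1-2"])
    weak = sorted({"sslv3", "tlsv1-0"} & set(versions))
    if weak:
        findings.append("admin-https-ssl-versions permits " + ", ".join(weak))
    if "rc4" not in s.get("admin-https-banned-cipher", ["rc4", "low"]):
        findings.append("admin-https-banned-cipher does not ban rc4")
    dh = s.get("dh-params", ["2048"])[0]
    if int(dh) < 2048:
        findings.append("dh-params is %s (below 2048 bits)" % dh)
    for opt, default, bad, why in BOOLEAN_CHECKS:
        if s.get(opt, [default]) == [bad]:
            findings.append("%s is %s (%s)" % (opt, bad, why))
    return findings


# Constructed config: 'admin' keeps every default, 'noc' is restricted, and
# the global section re-enables TLS 1.0, SSH v1 and 1024-bit DH.
SAMPLE_CONFIG = """\
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set admin-ssh-v1 enable
    set strong-crypto disable
    set dh-params 1024
end
config system admin
    edit "admin"
    next
    edit "noc"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

if __name__ == "__main__":
    root = parse_fortios(SAMPLE_CONFIG)
    for finding in audit_admins(root) + audit_global(root):
        print("-", finding)
```

Because `ssh-cbc-cipher`, `ssh-hmac-md5`, `tftp` and `cli-audit-log` are flagged at their documented defaults, the script reports them even for a box that was never touched; those four are hardening opportunities rather than regressions, while the TLS, SSH v1, strong-crypto and DH findings only appear when someone has changed the default.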
system/gre-tunnel
CLI Syntax
config system gre-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set sequence-number-transmission {disable | enable}
set sequence-number-reception {disable | enable}
set checksum-transmission {disable | enable}
set checksum-reception {disable | enable}
set key-outbound <integer>
set key-inbound <integer>
set dscp-copying {disable | enable}
set auto-asic-offload {enable | disable}
set keepalive-interval <integer>
set keepalive-failtimes <integer>
end
Description
Configuration | Description | Default Value
name | Tunnel name. | (Empty)
interface | Interface name. | (Empty)
remote-gw | | 0.0.0.0
local-gw | | 0.0.0.0
sequence-number-transmission | | disable
sequence-number-reception | | disable
checksum-transmission | | disable
checksum-reception | | disable
key-outbound | |
key-inbound | |
dscp-copying | | disable
auto-asic-offload | | enable
keepalive-interval | |
keepalive-failtimes | | 10
system/ha
CLI Syntax
config system ha
edit <name_str>
set group-id <integer>
set group-name <string>
set mode {standalone | a-a | a-p}
set password <password>
set key <password>
set hbdev <user>
set session-sync-dev <user>
set route-ttl <integer>
set route-wait <integer>
set route-hold <integer>
set load-balance-all {enable | disable}
set sync-config {enable | disable}
set encryption {enable | disable}
set authentication {enable | disable}
set hb-interval <integer>
set hb-lost-threshold <integer>
set helo-holddown <integer>
set gratuitous-arps {enable | disable}
set arps <integer>
set arps-interval <integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-pickup-delay {enable | disable}
set session-sync-daemon-number <integer>
set link-failed-signal {enable | disable}
set uninterruptible-upgrade {enable | disable}
set standalone-mgmt-vdom {enable | disable}
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <string>
set ha-mgmt-interface-gateway <ipv4-address>
set ha-mgmt-interface-gateway6 <ipv6-address>
set ha-eth-type <string>
set hc-eth-type <string>
set l2ep-eth-type <string>
set ha-uptime-diff-margin <integer>
set standalone-config-sync {enable | disable}
set vcluster2 {enable | disable}
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
Description
Configuration | Description | Default Value
group-id | Group ID (0 - 255). |
group-name | Group name. | (Empty)
mode | Mode. | standalone
password | password | (Empty)
key | key | (Empty)
hbdev | Heartbeat interfaces. | "port1" 50 "mgmt1" 50
session-sync-dev | | (Empty)
route-ttl | | 10
route-wait | |
route-hold | | 10
load-balance-all | | disable
sync-config | | enable
encryption | | disable
authentication | | disable
hb-interval | |
hb-lost-threshold | |
helo-holddown | | 20
gratuitous-arps | | enable
arps | |
arps-interval | |
session-pickup | | disable
session-pickup-connectionless | | disable
session-pickup-expectation | | disable
session-pickup-nat | | disable
session-pickup-delay | | disable
session-sync-daemon-number | |
link-failed-signal | | disable
uninterruptible-upgrade | | enable
standalone-mgmt-vdom | | disable
ha-mgmt-status | | disable
ha-mgmt-interface | | (Empty)
ha-mgmt-interface-gateway | | 0.0.0.0
ha-mgmt-interface-gateway6 | | ::
ha-eth-type | | 8890
hc-eth-type | | 8891
l2ep-eth-type | | 8893
ha-uptime-diff-margin | | 300
standalone-config-sync | | disable
vcluster2 | | disable
vcluster-id | Cluster ID. |
override | | disable
priority | | 128
override-wait-time | |
schedule | Schedule. | round-robin
weight | | 40
cpu-threshold | | 500
memory-threshold | | 500
http-proxy-threshold | | 500
ftp-proxy-threshold | | 500
imap-proxy-threshold | | 500
nntp-proxy-threshold | | 500
pop3-proxy-threshold | | 500
smtp-proxy-threshold | | 500
monitor | Interfaces to monitor. | (Empty)
pingserver-monitor-interface | | (Empty)
pingserver-failover-threshold | |
pingserver-slave-force-reset | | enable
pingserver-flip-timeout | | 60
vdom | VDOM members. | (Empty)
secondary-vcluster | Details below |

secondary-vcluster
Configuration | Default Value
vcluster-id | 1
override | enable
priority | 128
override-wait-time | 0
monitor | (Empty)
pingserver-monitor-interface | (Empty)
pingserver-failover-threshold | 0
pingserver-slave-force-reset | enable
vdom | (Empty)
ha-direct | disable
system/ha-monitor
CLI Syntax
config system ha-monitor
edit <name_str>
set monitor-vlan {enable | disable}
set vlan-hb-interval <integer>
set vlan-hb-lost-threshold <integer>
end
Description
Configuration | Description | Default Value
monitor-vlan | | disable
vlan-hb-interval | |
vlan-hb-lost-threshold | |
system/interface
CLI Syntax
config system interface
edit <name_str>
set name <string>
set vdom <string>
set cli-conn-status <integer>
set mode {static | dhcp | pppoe}
set distance <integer>
set priority <integer>
set dhcp-relay-service {disable | enable}
set dhcp-relay-ip <user>
set dhcp-relay-type {regular | ipsec}
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
set fail-detect {enable | disable}
set fail-detect-option {detectserver | link-down}
set fail-alert-method {link-failed-signal | link-down}
set fail-action-on-extender {soft-restart | hard-restart | reboot}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
set dhcp-client-identifier <string>
set ipunnumbered <ipv4-address>
set username <string>
set pppoe-unnumbered-negotiate {enable | disable}
set password <password>
set idle-timeout <integer>
set detected-peer-mtu <integer>
set disc-retry-timeout <integer>
set padt-retry-timeout <integer>
set service-name <string>
set ac-name <string>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-client {enable | disable}
set pptp-user <string>
set pptp-password <password>
set pptp-server-ip <ipv4-address>
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-send-adv {enable | disable}
set ip6-manage-flag {enable | disable}
set ip6-other-flag {enable | disable}
set ip6-max-interval <integer>
set ip6-min-interval <integer>
set ip6-link-mtu <integer>
set ip6-reachable-time <integer>
set ip6-retrans-time <integer>
set ip6-default-life <integer>
set ip6-hop-limit <integer>
set autoconf {enable | disable}
set ip6-upstream-interface <string>
set ip6-subnet <ipv6-prefix>
config ip6-prefix-list
edit <name_str>
set prefix <ipv6-network>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set valid-life-time <integer>
set preferred-life-time <integer>
end
config ip6-delegated-prefix-list
edit <name_str>
set prefix-id <integer>
set upstream-interface <string>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set subnet <ipv6-network>
end
set dhcp6-relay-service {disable | enable}
set dhcp6-relay-type {regular}
set dhcp6-relay-ip <user>
set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
set dhcp6-prefix-delegation {enable | disable}
set dhcp6-prefix-hint <ipv6-network>
set dhcp6-prefix-hint-plt <integer>
set dhcp6-prefix-hint-vlt <integer>
end
end
Description
Configuration | Description | Default Value
name | Name. | (Empty)
vdom | | (Empty)
cli-conn-status | |
mode | | static
distance | |
priority | |
dhcp-relay-service | | disable
dhcp-relay-ip | | (Empty)
dhcp-relay-type | | regular
ip | IP address of interface. | 0.0.0.0 0.0.0.0
allowaccess | | (Empty)
gwdetect | | disable
ping-serv-status | |
detectserver | | (Empty)
detectprotocol | | ping
ha-priority | |
fail-detect | | disable
fail-detect-option | | link-down
fail-alert-method | | link-down
fail-action-on-extender | | soft-restart
fail-alert-interfaces | | (Empty)
dhcp-client-identifier | | (Empty)
ipunnumbered | | 0.0.0.0
username | User name. | (Empty)
pppoe-unnumbered-negotiate | | enable
password | Password | (Empty)
idle-timeout | |
detected-peer-mtu | |
disc-retry-timeout | |
padt-retry-timeout | |
service-name | | (Empty)
ac-name | PPPoE AC name. | (Empty)
lcp-echo-interval | |
lcp-max-echo-fails | |
defaultgw | | enable
dns-server-override | | enable
auth-type | | auto
pptp-client | | disable
pptp-user | | (Empty)
pptp-password | PPTP password. | (Empty)
pptp-server-ip | | 0.0.0.0
pptp-auth-type | | auto
pptp-timeout | |
arpforward | | enable
ndiscforward | | enable
broadcast-forward | | disable
bfd | | global
bfd-desired-min-tx | | 250
bfd-detect-mult | |
bfd-required-min-rx | | 250
l2forward | Enable/disable l2 forwarding. | disable
icmp-redirect | | enable
vlanforward | | disable
stpforward | | disable
stpforward-mode | | rpl-all-ext-id
ips-sniffer-mode | | disable
ident-accept | | disable
ipmac | | disable
subst | | disable
macaddr | MAC address. | 00:00:00:00:00:00
substitute-dst-mac | | 00:00:00:00:00:00
speed | Speed | auto
status | Interface status. | up
netbios-forward | | disable
wins-ip | | 0.0.0.0
type | Interface type. | vlan
dedicated-to | | none
trust-ip-1 | | 0.0.0.0 0.0.0.0
trust-ip-2 | | 0.0.0.0 0.0.0.0
trust-ip-3 | | 0.0.0.0 0.0.0.0
trust-ip6-1 | | ::/0
trust-ip6-2 | | ::/0
trust-ip6-3 | | ::/0
mtu-override | | disable
mtu | | 1500
wccp | | disable
netflow-sampler | | disable
sflow-sampler | | disable
drop-overlapped-fragment | | disable
drop-fragment | | disable
scan-botnet-connections | | disable
sample-rate | | 2000
polling-interval | | 20
sample-direction | | both
explicit-web-proxy | | disable
explicit-ftp-proxy | | disable
tcp-mss | |
mediatype | | serdes-sfp
fp-anomaly | | (Empty)
inbandwidth | |
outbandwidth | |
spillover-threshold | |
ingress-spillover-threshold | |
weight | |
interface | Interface name. | (Empty)
external | | disable
vlanid | VLAN ID. |
forward-domain | |
remote-ip | | 0.0.0.0
member | | (Empty)
lacp-mode | LACP mode. | active
lacp-ha-slave | LACP HA slave. | enable
lacp-speed | LACP speed. | slow
min-links | |
min-links-down | | operational
algorithm | | L4
link-up-delay | | 50
priority-override | | enable
aggregate | Aggregate interface. | (Empty)
redundant-interface | Redundant interface. | (Empty)
managed-device | | (Empty)
devindex | Device Index. |
vindex | |
switch | Contained in switch. | (Empty)
description | Description. | (Empty)
alias | Alias. | (Empty)
security-mode | Security mode. | none
security-mac-auth-bypass | | disable
security-external-web | | (Empty)
security-external-logout | | (Empty)
replacemsg-override-group | | (Empty)
security-redirect-url | | (Empty)
security-exempt-list | Name of security-exempt-list. | (Empty)
security-groups | Group name. | (Empty)
device-identification | | disable
device-user-identification | | enable
device-identification-active-scan | | enable
device-access-list | | (Empty)
device-netscan | |
lldp-transmission | |
vdom | |
fortiheartbeat | | disable
broadcast-forticlient-discovery | | disable
endpoint-compliance | | disable
estimated-upstream-bandwidth | |
estimated-downstream-bandwidth | |
vrrp-virtual-mac | | disable
vrrp | VRRP configuration. | (Empty)
role | Interface role. | undefined
snmp-index | |
secondary-IP | | disable
secondaryip | | (Empty)
auto-auth-extension-device | | disable
ap-discover | | enable
fortilink | | disable
fortilink-stacking | | enable
fortilink-split-interface | | disable
internal | Implicitly created. |
fortilink-backup-link | |
color | |
ipv6 | IPv6 of interface. | Details below

ipv6 details:
Configuration | Default Value
ip6-mode | static
ip6-dns-server-override | enable
ip6-address | ::/0
ip6-extra-addr | (Empty)
ip6-allowaccess | (Empty)
ip6-send-adv | disable
ip6-manage-flag | disable
ip6-other-flag | disable
ip6-max-interval | 600
ip6-min-interval | 198
ip6-link-mtu | 0
ip6-reachable-time | 0
ip6-retrans-time | 0
ip6-default-life | 1800
ip6-hop-limit | 0
autoconf | disable
ip6-upstream-interface | (Empty)
ip6-subnet | ::/0
ip6-prefix-list | (Empty)
ip6-delegated-prefix-list | (Empty)
dhcp6-relay-service | disable
dhcp6-relay-type | regular
dhcp6-relay-ip | (Empty)
dhcp6-client-options | dns
dhcp6-prefix-delegation | disable
dhcp6-prefix-hint | ::/0
dhcp6-prefix-hint-plt | 604800
dhcp6-prefix-hint-vlt | 2592000
system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set auto-asic-offload {enable | disable}
end
Description
Configuration | Description | Default Value
name | | (Empty)
interface | Interface name. | (Empty)
remote-gw | | 0.0.0.0
local-gw | | 0.0.0.0
auto-asic-offload | | enable
system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
edit <name_str>
set address <ipv4-address>
set status {enable | disable}
end
Description
Configuration | Description | Default Value
address | | 0.0.0.0
status | | enable
system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
edit <name_str>
set id <integer>
set interface <string>
set ipv6 <ipv6-address>
set mac <mac-address>
end
Description
Configuration | Description | Default Value
id | |
interface | Interface name. | (Empty)
ipv6 | IPv6 address. | ::
mac | MAC address. | 00:00:00:00:00:00
system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
edit <name_str>
set name <string>
set source <ipv6-address>
set destination <ipv6-address>
set interface <string>
set auto-asic-offload {enable | disable}
end
Description
Configuration | Description | Default Value
name | Tunnel name. | (Empty)
source | | ::
destination | | ::
interface | Interface name. | (Empty)
auto-asic-offload | | enable
system/link-monitor
CLI Syntax
config system link-monitor
edit <name_str>
set name <string>
set srcintf <string>
config server
edit <name_str>
set address <string>
end
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set gateway-ip <ipv4-address-any>
set source-ip <ipv4-address-any>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set ha-priority <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
end
Description
Configuration | Description | Default Value
name | | (Empty)
srcintf | | (Empty)
server | Server address(es). | (Empty)
protocol | | ping
port | | 80
gateway-ip | | 0.0.0.0
source-ip | | 0.0.0.0
http-get | |
http-match | | (Empty)
interval | Detection interval. |
timeout | |
failtime | |
recoverytime | |
security-mode | | none
password | | (Empty)
packet-size | | 64
ha-priority | |
update-cascade-interface | | enable
update-static-route | | enable
status | | enable
system/mac-address-table
CLI Syntax
config system mac-address-table
edit <name_str>
set mac <mac-address>
set interface <string>
set reply-substitute <mac-address>
end
Description
Configuration | Description | Default Value
mac | MAC address. | 00:00:00:00:00:00
interface | Interface name. | (Empty)
reply-substitute | | 00:00:00:00:00:00
system/management-tunnel
CLI Syntax
config system management-tunnel
edit <name_str>
set status {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set allow-collect-statistics {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <user>
end
Description
Configuration | Description | Default Value
status | | enable
allow-config-restore | | enable
allow-push-configuration | | enable
allow-push-firmware | | enable
allow-collect-statistics | | enable
authorized-manager-only | | enable
serial-number | Serial number. | (Empty)
system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
edit <name_str>
set name <string>
set status {disable | enable}
set roaming-interface <string>
set home-agent <ipv4-address>
set home-address <ipv4-address>
set renew-interval <integer>
set lifetime <integer>
set reg-interval <integer>
set reg-retry <integer>
set n-mhae-spi <integer>
set n-mhae-key-type {ascii | base64}
set n-mhae-key <user>
set hash-algorithm {hmac-md5}
set tunnel-mode {gre}
config network
edit <name_str>
set id <integer>
set interface <string>
set prefix <ipv4-classnet>
end
end
Description
Configuration | Description | Default Value
name | Tunnel name. | (Empty)
status | | enable
roaming-interface | | (Empty)
home-agent | | 0.0.0.0
home-address | Home IP address. | 0.0.0.0
renew-interval | | 60
lifetime | | 65535
reg-interval | |
reg-retry | |
n-mhae-spi | | 256
n-mhae-key-type | | ascii
n-mhae-key | | 'ENC AQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='
hash-algorithm | Hash Algorithm. | hmac-md5
tunnel-mode | | gre
network | | (Empty)
system/nat64
CLI Syntax
config system nat64
edit <name_str>
set status {enable | disable}
set nat64-prefix <ipv6-prefix>
set always-synthesize-aaaa-record {enable | disable}
set generate-ipv6-fragment-header {enable | disable}
end
Description
Configuration | Description | Default Value
status | Enable/disable NAT64. | disable
nat64-prefix | | 64:ff9b::/96
always-synthesize-aaaa-record | | enable
generate-ipv6-fragment-header | | disable
system/netflow
CLI Syntax
config system netflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end
Description
Configuration | Description | Default Value
collector-ip | Collector IP. | 0.0.0.0
collector-port | | 2055
source-ip | | 0.0.0.0
active-flow-timeout | | 30
inactive-flow-timeout | | 15
template-tx-timeout | | 30
template-tx-counter | | 20
system/network-visibility
CLI Syntax
config system network-visibility
edit <name_str>
set destination-visibility {disable | enable}
set source-location {disable | enable}
set destination-hostname-visibility {disable | enable}
set hostname-ttl <integer>
set hostname-limit <integer>
set destination-location {disable | enable}
end
Description
Configuration | Description | Default Value
destination-visibility | | enable
source-location | | enable
destination-hostname-visibility | | enable
hostname-ttl | | 86400
hostname-limit | | 5000
destination-location | | enable
system/ntp
CLI Syntax
config system ntp
edit <name_str>
set ntpsync {enable | disable}
set type {fortiguard | custom}
set syncinterval <integer>
config ntpserver
edit <name_str>
set id <integer>
set server <string>
set ntpv3 {enable | disable}
set authentication {enable | disable}
set key <password>
set key-id <integer>
end
set source-ip <ipv4-address>
set server-mode {enable | disable}
config interface
edit <name_str>
set interface-name <string>
end
end
Description
Configuration | Description | Default Value
ntpsync | | disable
type | | fortiguard
syncinterval | |
ntpserver | NTP Server. | (Empty)
source-ip | | 0.0.0.0
server-mode | | disable
interface | | (Empty)
system/object-tag
CLI Syntax
config system object-tag
edit <name_str>
set name <string>
end
Description
Configuration | Description | Default Value
name | Tag name. | (Empty)
system/password-policy
CLI Syntax
config system password-policy
edit <name_str>
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <integer>
set min-lower-case-letter <integer>
set min-upper-case-letter <integer>
set min-non-alphanumeric <integer>
set min-number <integer>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <integer>
set reuse-password {enable | disable}
end
Description
Configuration | Description | Default Value
status | | disable
apply-to | | admin-password
minimum-length | |
min-lower-case-letter | |
min-upper-case-letter | |
min-non-alphanumeric | |
min-number | |
change-4-characters | | disable
expire-status | | disable
expire-day | | 90
reuse-password | | enable
system/probe-response
CLI Syntax
config system probe-response
edit <name_str>
set port <integer>
set http-probe-value <string>
set ttl-mode {reinit | decrease | retain}
set mode {none | http-probe | twamp}
set security-mode {none | authentication}
set password <password>
set timeout <integer>
end
Description
Configuration | Description | Default Value
port | | 8008
http-probe-value | | OK
ttl-mode | | retain
mode | | none
security-mode | | none
password | | (Empty)
timeout | | 300
system/proxy-arp
CLI Syntax
config system proxy-arp
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set end-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
id | |
interface | | (Empty)
ip | | 0.0.0.0
end-ip | | 0.0.0.0
system/replacemsg-group
CLI Syntax
config system replacemsg-group
edit <name_str>
set name <string>
set comment <var-string>
set group-type {default | utm | auth | ec}
config mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
end
Description
Configuration | Description | Default Value
name | Group name. | (Empty)
comment | Comment. | (Empty)
group-type | Group type. | default
mail | | (Empty)
http | | (Empty)
webproxy | | (Empty)
ftp | | (Empty)
nntp | | (Empty)
fortiguard-wf | | (Empty)
spam | | (Empty)
alertmail | | (Empty)
admin | | (Empty)
auth | | (Empty)
sslvpn | | (Empty)
ec | | (Empty)
device-detection-portal | | (Empty)
nac-quar | | (Empty)
traffic-quota | | (Empty)
utm | | (Empty)
custom-message | | (Empty)
system/replacemsg-image
CLI Syntax
config system replacemsg-image
edit <name_str>
set name <string>
set image-type {gif | jpg | tiff | png}
set image-base64 <var-string>
end
Description
Configuration | Description | Default Value
name | Image name. | (Empty)
image-type | Image type. | (Empty)
image-base64 | Image data. | (null)
system/resource-limits
CLI Syntax
config system resource-limits
edit <name_str>
set session <integer>
set ipsec-phase1 <integer>
set ipsec-phase2 <integer>
set dialup-tunnel <integer>
set firewall-policy <integer>
set firewall-address <integer>
set firewall-addrgrp <integer>
set custom-service <integer>
set service-group <integer>
set onetime-schedule <integer>
set recurring-schedule <integer>
set user <integer>
set user-group <integer>
set sslvpn <integer>
set proxy <integer>
set log-disk-quota <integer>
end
Description
Configuration | Description | Default Value
session | |
ipsec-phase1 | |
ipsec-phase2 | |
dialup-tunnel | |
firewall-policy | |
firewall-address | |
firewall-addrgrp | |
custom-service | |
service-group | |
onetime-schedule | |
recurring-schedule | |
user | |
user-group | |
sslvpn | |
proxy | |
log-disk-quota | |
system/session-helper
CLI Syntax
config system session-helper
edit <name_str>
set id <integer>
set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
set protocol <integer>
set port <integer>
end
Description
Configuration | Description | Default Value
id | |
name | Helper name. | (Empty)
protocol | Protocol number. |
port | Protocol port. |
system/session-ttl
CLI Syntax
config system session-ttl
edit <name_str>
set default <user>
config port
edit <name_str>
set id <integer>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set timeout <user>
end
end
Description
Configuration | Description | Default Value
default | Default timeout. | 3600
port | | (Empty)
system/settings
CLI Syntax
config system settings
edit <name_str>
set comments <var-string>
set opmode {nat | transparent}
set inspection-mode {proxy | flow}
set http-external-dest {fortiweb | forticache}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set manageip <user>
set gateway <ipv4-address>
set ip <ipv4-classnet-host>
set manageip6 <ipv6-prefix>
set gateway6 <ipv6-address>
set ip6 <ipv6-prefix>
set device <string>
set bfd {enable | disable}
set bfd-desired-min-tx <integer>
set bfd-required-min-rx <integer>
set bfd-detect-mult <integer>
set bfd-dont-enforce-src-port {enable | disable}
set utf8-spam-tagging {enable | disable}
set wccp-cache-engine {enable | disable}
set vpn-stats-log {ipsec | pptp | l2tp | ssl}
set vpn-stats-period <integer>
set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
set mac-ttl <integer>
set fw-session-hairpin {enable | disable}
set snat-hairpin-traffic {enable | disable}
set dhcp-proxy {enable | disable}
set dhcp-server-ip <user>
set dhcp6-server-ip <user>
set central-nat {enable | disable}
config gui-default-policy-columns
edit <name_str>
set name <string>
end
set lldp-transmission {enable | disable | global}
set asymroute {enable | disable}
set asymroute-icmp {enable | disable}
set tcp-session-without-syn {enable | disable}
set ses-denied-traffic {enable | disable}
set strict-src-check {enable | disable}
set asymroute6 {enable | disable}
set asymroute6-icmp {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set status {enable | disable}
set sip-tcp-port <integer>
set sip-udp-port <integer>
set sip-ssl-port <integer>
set sccp-port <integer>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set multicast-skip-policy {enable | disable}
set allow-subnet-overlap {enable | disable}
set deny-tcp-with-icmp {enable | disable}
set ecmp-max-paths <integer>
set discovered-device-timeout <integer>
set email-portal-check-dns {disable | enable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set gui-icap {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-dns-database {enable | disable}
set gui-load-balance {enable | disable}
set gui-multicast-policy {enable | disable}
set gui-dos-policy {enable | disable}
set gui-object-colors {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-voip-profile {enable | disable}
set gui-ap-profile {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-local-in-policy {enable | disable}
set gui-local-reports {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-dynamic-routing {enable | disable}
set gui-dlp {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-threat-weight {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-spamfilter {enable | disable}
set gui-application-control {enable | disable}
set gui-casi {enable | disable}
set gui-ips {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-endpoint-on-net {enable | disable}
set gui-dhcp-advanced {enable | disable}
set gui-vpn {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-switch-controller {enable | disable}
set gui-fortiap-split-tunneling {enable | disable}
set gui-webfilter-advanced {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-wan-load-balancing {enable | disable}
set gui-antivirus {enable | disable}
set gui-webfilter {enable | disable}
end
Description
Configuration | Description | Default Value
comments | VDOM comments. | (Empty)
opmode | | nat
inspection-mode | Inspection mode. | proxy
http-external-dest | | fortiweb
firewall-session-dirty | | check-all
manageip | | (Empty)
gateway | | 0.0.0.0
ip | | 0.0.0.0 0.0.0.0
manageip6 | | ::/0
gateway6 | | ::
ip6 | | ::/0
device | Interface. | (Empty)
bfd | | disable
bfd-desired-min-tx | | 250
bfd-required-min-rx | | 250
bfd-detect-mult | |
bfd-dont-enforce-src-port | | disable
utf8-spam-tagging | | enable
wccp-cache-engine | | disable
vpn-stats-log | |
vpn-stats-period | | 600
v4-ecmp-mode | | source-ip-based
mac-ttl | | 300
fw-session-hairpin | | disable
snat-hairpin-traffic | | enable
dhcp-proxy | | disable
dhcp-server-ip | | (Empty)
dhcp6-server-ip | | (Empty)
central-nat | | disable
gui-default-policy-columns | | (Empty)
lldp-transmission | | global
asymroute | | disable
asymroute-icmp | | disable
tcp-session-without-syn | | disable
ses-denied-traffic | | disable
strict-src-check | | disable
asymroute6 | | disable
asymroute6-icmp | | disable
sip-helper | | enable
sip-nat-trace | | enable
status | | enable
sip-tcp-port | TCP port the SIP proxy will monitor for SIP traffic. | 5060
sip-udp-port | UDP port the SIP proxy will monitor for SIP traffic. | 5060
sip-ssl-port | TCP SSL port the SIP proxy will monitor for SIP traffic. | 5061
sccp-port | | 2000
multicast-forward | | enable
multicast-ttl-notchange | | disable
multicast-skip-policy | | disable
allow-subnet-overlap | | disable
deny-tcp-with-icmp | | disable
ecmp-max-paths | | 10
discovered-device-timeout | | 28
email-portal-check-dns | | enable
default-voip-alg-mode | | proxy-based
gui-icap | | disable
gui-nat46-64 | | disable
gui-implicit-policy | | enable
gui-dns-database | | disable
gui-load-balance | | disable
gui-multicast-policy | | disable
gui-dos-policy | | enable
gui-object-colors | | enable
gui-replacement-message-groups | | disable
gui-voip-profile | | disable
gui-ap-profile | | enable
gui-dynamic-profile-display | | disable
gui-ipsec-manual-key | | disable
gui-local-in-policy | | disable
gui-local-reports | | disable
gui-wanopt-cache | | disable
gui-explicit-proxy | | disable
gui-dynamic-routing | | enable
gui-dlp | | disable
gui-sslvpn-personal-bookmarks | | disable
gui-sslvpn-realms | | disable
gui-policy-based-ipsec | | disable
gui-threat-weight | | enable
gui-multiple-utm-profiles | | enable
gui-spamfilter | | disable
gui-application-control | | enable
gui-casi | | enable
gui-ips | | enable
gui-endpoint-control | | enable
gui-endpoint-on-net | | disable
gui-dhcp-advanced | | enable
gui-vpn | | enable
gui-wireless-controller | | enable
gui-switch-controller | | enable
gui-fortiap-split-tunneling | | disable
gui-webfilter-advanced | | disable
gui-traffic-shaping | | enable
gui-wan-load-balancing | | enable
gui-antivirus | | enable
gui-webfilter | | enable
gui-dnsfilter | | enable
gui-waf-profile | | disable
gui-fortiextender-controller | | disable
gui-advanced-policy | | disable
gui-allow-unnamed-policy | | disable
gui-email-collection | | disable
gui-domain-ip-reputation | | disable
gui-multiple-interface-policy | | disable
gui-policy-learning | | enable
compliance-check | | disable
ike-session-resume | | disable
ike-quick-crash-detect | | disable
system/sflow
CLI Syntax
config system sflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
collector-ip | Collector IP. | 0.0.0.0
collector-port | | 6343
source-ip | | 0.0.0.0
system/sit-tunnel
CLI Syntax
config system sit-tunnel
edit <name_str>
set name <string>
set source <ipv4-address>
set destination <ipv4-address>
set ip6 <ipv6-prefix>
set interface <string>
set auto-asic-offload {enable | disable}
end
Description
Configuration | Description | Default Value
name | Tunnel name. | (Empty)
source | | 0.0.0.0
destination | | 0.0.0.0
ip6 | | ::/0
interface | Interface name. | (Empty)
auto-asic-offload | | enable
system/sms-server
CLI Syntax
config system sms-server
edit <name_str>
set name <string>
set mail-server <string>
end
Description
Configuration | Description | Default Value
name | | (Empty)
mail-server | | (Empty)
system/storage
CLI Syntax
config system storage
edit <name_str>
set name <string>
set partition <string>
set media-type <string>
set device <string>
set size <integer>
end
Description
Configuration | Description | Default Value
name | Storage name. | default_n
partition | | <unknown>
media-type | |
device | Partition device. |
size | Partition size. |
system/switch-interface
CLI Syntax
config system switch-interface
edit <name_str>
set name <string>
set vdom <string>
set span-dest-port <string>
config span-source-port
edit <name_str>
set interface-name <string>
end
config member
edit <name_str>
set interface-name <string>
end
set type {switch | hub}
set intra-switch-policy {implicit | explicit}
set span {disable | enable}
set span-direction {rx | tx | both}
end
Description
Configuration | Description | Default Value
name | Interface name. | (Empty)
vdom | VDOM. | (Empty)
span-dest-port | | (Empty)
span-source-port | | (Empty)
member | | (Empty)
type | Type. | switch
intra-switch-policy | | implicit
span | | disable
span-direction | SPAN direction. | both
system/tos-based-priority
CLI Syntax
config system tos-based-priority
edit <name_str>
set id <integer>
set tos <integer>
set priority {low | medium | high}
end
Description
Configuration | Description | Default Value
id | Item ID. |
tos | |
priority | | high
system/vdom
CLI Syntax
config system vdom
edit <name_str>
set name <string>
set vcluster-id <integer>
set temporary <integer>
end
Description
Configuration | Description | Default Value
name | VDOM name. | (Empty)
vcluster-id | |
temporary | Temporary. |
system/vdom-dns
CLI Syntax
config system vdom-dns
edit <name_str>
set vdom-dns {enable | disable}
set primary <ipv4-address>
set secondary <ipv4-address>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
vdom-dns | | disable
primary | | 0.0.0.0
secondary | | 0.0.0.0
ip6-primary | | ::
ip6-secondary | | ::
source-ip | | 0.0.0.0
system/vdom-link
CLI Syntax
config system vdom-link
edit <name_str>
set name <string>
set vcluster {vcluster1 | vcluster2}
set type {ppp | ethernet}
end
Description
Configuration | Description | Default Value
name | | (Empty)
vcluster | Virtual cluster. | vcluster1
type | Type. | ppp
system/vdom-netflow
CLI Syntax
config system vdom-netflow
edit <name_str>
set vdom-netflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
vdom-netflow | | disable
collector-ip | Collector IP. | 0.0.0.0
collector-port | | 2055
source-ip | | 0.0.0.0
system/vdom-property
CLI Syntax
config system vdom-property
edit <name_str>
set name <string>
set description <string>
set snmp-index <integer>
set session <user>
set ipsec-phase1 <user>
set ipsec-phase2 <user>
set dialup-tunnel <user>
set firewall-policy <user>
set firewall-address <user>
set firewall-addrgrp <user>
set custom-service <user>
set service-group <user>
set onetime-schedule <user>
set recurring-schedule <user>
set user <user>
set user-group <user>
set sslvpn <user>
set proxy <user>
set log-disk-quota <user>
end
Description
Configuration | Description | Default Value
name | VDOM name. | (Empty)
description | Description. | (Empty)
snmp-index | |
session | | 00
ipsec-phase1 | | 00
ipsec-phase2 | | 00
dialup-tunnel | | 00
firewall-policy | | 00
firewall-address | | 00
firewall-addrgrp | | 00
custom-service | | 00
service-group | | 00
onetime-schedule | | 00
recurring-schedule | | 00
user | | 00
user-group | | 00
sslvpn | | 00
proxy | | 00
log-disk-quota | | 00
system/vdom-radius-server
CLI Syntax
config system vdom-radius-server
edit <name_str>
set name <string>
set status {enable | disable}
set radius-server-vdom <string>
end
Description
Configuration | Description | Default Value
name | | (Empty)
status | | disable
radius-server-vdom | | (Empty)
system/vdom-sflow
CLI Syntax
config system vdom-sflow
edit <name_str>
set vdom-sflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end
Description
Configuration | Description | Default Value
vdom-sflow | | disable
collector-ip | Collector IP. | 0.0.0.0
collector-port | | 6343
source-ip | | 0.0.0.0
system/virtual-wan-link
CLI Syntax
config system virtual-wan-link
edit <name_str>
set status {disable | enable}
set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
set fail-detect {enable | disable}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
config members
edit <name_str>
set seq-num <integer>
set interface <string>
set gateway <ipv4-address>
set weight <integer>
set priority <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set volume-ratio <integer>
set status {disable | enable}
end
config health-check
edit <name_str>
set name <string>
set server <string>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set threshold-warning-packetloss <integer>
set threshold-alert-packetloss <integer>
set threshold-warning-latency <integer>
set threshold-alert-latency <integer>
set threshold-warning-jitter <integer>
set threshold-alert-jitter <integer>
end
config service
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
edit <name_str>
set name <string>
set id <integer>
set mode {auto | manual | priority}
set quality-link <integer>
set member <integer>
set tos <user>
set tos-mask <user>
set protocol <integer>
set start-port <integer>
set end-port <integer>
config dst
edit <name_str>
set name <string>
end
config src
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set internet-service {enable | disable}
config internet-service-custom
edit <name_str>
set name <string>
end
config internet-service-id
edit <name_str>
set id <integer>
end
set health-check <string>
set link-cost-factor {latency | jitter | packet-loss}
set link-cost-threshold <integer>
config priority-members
edit <name_str>
set seq-num <integer>
end
set status {disable | enable}
end
end
Description

Configuration                         Description                   Default Value
status                                                              disable
load-balance-mode                                                   source-ip-based
fail-detect                                                         disable
fail-alert-interfaces                                               (Empty)
members                                                             (Empty)
health-check                          Health check.                 (Empty)
service                               Service to be distributed.    (Empty)

system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
edit <name_str>
set name <string>
config member
edit <name_str>
set interface-name <string>
end
set wildcard-vlan {enable | disable}
end
Description

Configuration                         Description                   Default Value
name                                  virtual-wire-pair name.       (Empty)
member                                                              (Empty)
wildcard-vlan                                                       disable

system/wccp
CLI Syntax
config system wccp
edit <name_str>
set service-id <string>
set router-id <ipv4-address>
set cache-id <ipv4-address>
set group-address <ipv4-address-multicast>
set server-list <user>
set router-list <user>
set ports-defined {source | destination}
set ports <user>
set authentication {enable | disable}
set password <password>
set forward-method {GRE | L2 | any}
set cache-engine-method {GRE | L2}
set service-type {auto | standard | dynamic}
set primary-hash {src-ip | dst-ip | src-port | dst-port}
set priority <integer>
set protocol <integer>
set assignment-weight <integer>
set assignment-bucket-format {wccp-v2 | cisco-implementation}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
end
Description

Configuration                         Description                   Default Value
service-id                            Service ID.                   (Empty)
router-id                                                           0.0.0.0
cache-id                                                            0.0.0.0
group-address                         IP multicast address.         0.0.0.0
server-list                                                         (Empty)
router-list                                                         (Empty)
ports-defined                         Match method.                 (Empty)
ports                                 Service ports.                (Empty)
authentication                                                      disable
password                                                            (Empty)
forward-method                                                      GRE
cache-engine-method                                                 GRE
service-type                                                        auto
primary-hash                          Hash method.                  dst-ip
priority                              Service priority.
protocol                              Service protocol.
assignment-weight
assignment-bucket-format                                            cisco-implementation
return-method                                                       GRE
assignment-method                                                   HASH

system/zone
CLI Syntax
config system zone
edit <name_str>
set name <string>
set intrazone {allow | deny}
config interface
edit <name_str>
set interface-name <string>
end
end
Description

Configuration                         Description                   Default Value
name                                  Zone name.                    (Empty)
intrazone                             Intra-zone traffic.           deny
interface                                                           (Empty)

user/adgrp
CLI Syntax
config user adgrp
edit <name_str>
set name <string>
set server-name <string>
set polling-id <integer>
end
Description

Configuration                         Description                   Default Value
name                                  Name.                         (Empty)
server-name                                                         (Empty)
polling-id

user/device
CLI Syntax
config user device
edit <name_str>
set alias <string>
set mac <mac-address>
set user <string>
set master-device <string>
set comment <var-string>
set avatar <var-string>
set type {android-phone | android-tablet | blackberry-phone | blackberry-playbook | forticam | fortifone | fortinet-device | gaming-console | ip-phone | ipad | iphone | linux-pc | mac | media-streaming | printer | router-nat-device | windows-pc | windows-phone | windows-tablet | other-network-device}
end
Description

Configuration                         Description                   Default Value
alias                                 Device alias.                 (Empty)
mac                                                                 00:00:00:00:00:00
user                                  User name.                    (Empty)
master-device                                                       (Empty)
comment                               Comment.                      (Empty)
avatar                                                              (Empty)
type                                  Device type.                  other-network-device

user/device-access-list
CLI Syntax
config user device-access-list
edit <name_str>
set name <string>
set default-action {accept | deny}
config device-list
edit <name_str>
set id <integer>
set device <string>
set action {accept | deny}
end
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
default-action                                                      accept
device-list                           Device list.                  (Empty)

user/device-category
CLI Syntax
config user device-category
edit <name_str>
set name <string>
set desc <var-string>
set comment <var-string>
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
desc                                                                (Empty)
comment                               Comment.                      (Empty)

user/device-group
CLI Syntax
config user device-group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
member                                                              (Empty)
comment                               Comment.                      (Empty)

user/fortitoken
CLI Syntax
config user fortitoken
edit <name_str>
set serial-number <string>
set status {active | lock}
set seed <string>
set comments <var-string>
set license <string>
set activation-code <string>
set activation-expire <integer>
end
Description

Configuration                         Description                   Default Value
serial-number                         Serial number.                (Empty)
status                                Status.                       active
seed                                  Token seed.                   (Empty)
comments                              Comment.                      (Empty)
license                                                             (Empty)
activation-code                                                     (Empty)
activation-expire

user/fsso
CLI Syntax
config user fsso
edit <name_str>
set name <string>
set server <string>
set port <integer>
set password <password>
set server2 <string>
set port2 <integer>
set password2 <password>
set server3 <string>
set port3 <integer>
set password3 <password>
set server4 <string>
set port4 <integer>
set password4 <password>
set server5 <string>
set port5 <integer>
set password5 <password>
set ldap-server <string>
set source-ip <ipv4-address>
end
Description

Configuration                         Description                   Default Value
name                                  Name.                         (Empty)
server                                                              (Empty)
port                                                                8000
password                                                            (Empty)
server2                                                             (Empty)
port2                                                               8000
password2                                                           (Empty)
server3                                                             (Empty)
port3                                                               8000
password3                                                           (Empty)
server4                                                             (Empty)
port4                                                               8000
password4                                                           (Empty)
server5                                                             (Empty)
port5                                                               8000
password5                                                           (Empty)
ldap-server                                                         (Empty)
source-ip                                                           0.0.0.0

user/fsso-polling
CLI Syntax
config user fsso-polling
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set default-domain <string>
set port <integer>
set user <string>
set password <password>
set ldap-server <string>
set logon-history <integer>
set polling-frequency <integer>
config adgrp
edit <name_str>
set name <string>
end
end
Description

Configuration                         Description                   Default Value
id
status                                                              enable
server                                                              (Empty)
default-domain                                                      (Empty)
port
user                                                                (Empty)
password                                                            (Empty)
ldap-server                                                         (Empty)
logon-history
polling-frequency                                                   10
adgrp                                                               (Empty)

user/group
CLI Syntax
Description

Configuration                         Description                   Default Value
name                                  Group name.                   (Empty)
group-type                                                          firewall
authtimeout                           Authentication timeout.
auth-concurrent-override                                            disable
auth-concurrent-value
http-digest-realm                                                   (Empty)
sso-attribute-value                                                 (Empty)
member                                Group members.                (Empty)
match                                 Group matches.                (Empty)
user-id                               User ID.
password                              Password.                     auto-generate
user-name                                                           disable
sponsor                               Sponsor.                      optional
company                               Company.                      optional
                                                                    enable
mobile-phone                                                        disable
sms-server                                                          fortiguard
sms-custom-server                     SMS server.                   (Empty)
expire-type                                                         immediately
expire                                                              14400
max-accounts
multiple-guest-add                                                  disable
guest                                 Guest User.                   (Empty)

user/ldap
CLI Syntax
config user ldap
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set source-ip <ipv4-address>
set cnid <string>
set dn <string>
set type {simple | anonymous | regular}
set username <string>
set password <password>
set group-member-check {user-attr | group-object | posix-group-object}
set group-object-filter <string>
set group-object-search-base <string>
set secure {disable | starttls | ldaps}
set ca-cert <string>
set port <integer>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
set member-attr <string>
set search-type {nested}
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
server                                                              (Empty)
secondary-server                                                    (Empty)
tertiary-server                                                     (Empty)
source-ip                                                           0.0.0.0
cnid                                                                cn
dn                                    Distinguished Name.           (Empty)
type                                                                simple
username                                                            (Empty)
password                                                            (Empty)
group-member-check                                                  user-attr
group-object-filter                                                 (&(objectcategory=group)(member=*))
group-object-search-base                                            (Empty)
secure                                SSL connection.               disable
ca-cert                               CA certificate name.          (Empty)
port                                                                389
password-expiry-warning                                             disable
password-renewal                                                    disable
member-attr                                                         memberOf
search-type                           Search type.                  (Empty)

user/local
CLI Syntax
config user local
edit <name_str>
set name <string>
set status {enable | disable}
set type {password | radius | tacacs+ | ldap}
set passwd <password>
set ldap-server <string>
set radius-server <string>
set tacacs+-server <string>
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set passwd-policy <string>
set passwd-time <user>
set authtimeout <integer>
set workstation <string>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
end
Description

Configuration                         Description                   Default Value
name                                  User name.                    (Empty)
status                                Enable/disable user.          enable
type                                  Authentication type.          (Empty)
passwd                                User password.                (Empty)
ldap-server                                                         (Empty)
radius-server                                                       (Empty)
tacacs+-server                                                      (Empty)
two-factor                                                          disable
fortitoken                                                          (Empty)
email-to                                                            (Empty)
sms-server                                                          fortiguard
sms-custom-server                                                   (Empty)
sms-phone                                                           (Empty)
passwd-policy                         Password policy.              (Empty)
passwd-time                                                         0000-00-00 00:00:00
authtimeout                           Authentication timeout.
workstation                                                         (Empty)
auth-concurrent-override                                            disable
auth-concurrent-value

user/password-policy
CLI Syntax
config user password-policy
edit <name_str>
set name <string>
set expire-days <integer>
set warn-days <integer>
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
expire-days                                                         180
warn-days                                                           15

user/peer
CLI Syntax
config user peer
edit <name_str>
set name <string>
set mandatory-ca-verify {enable | disable}
set ca <string>
set subject <string>
set cn <string>
set cn-type {string | email | FQDN | ipv4 | ipv6}
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set ldap-mode {password | principal-name}
set ocsp-override-server <string>
set two-factor {enable | disable}
set passwd <password>
end
Description

Configuration                         Description                   Default Value
name                                  Peer name.                    (Empty)
mandatory-ca-verify                                                 enable
ca                                                                  (Empty)
subject                                                             (Empty)
cn                                                                  (Empty)
cn-type                                                             string
ldap-server                                                         (Empty)
ldap-username                                                       (Empty)
ldap-password                                                       (Empty)
ldap-mode                                                           password
ocsp-override-server                  OCSP server.                  (Empty)
two-factor                                                          disable
passwd                                User password.                (Empty)

user/peergrp
CLI Syntax
config user peergrp
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
member                                                              (Empty)

user/pop3
CLI Syntax
config user pop3
edit <name_str>
set name <string>
set server <string>
set port <integer>
set secure {none | starttls | pop3s}
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
server                                                              (Empty)
port
secure                                SSL connection.               starttls

user/radius
CLI Syntax
config user radius
edit <name_str>
set name <string>
set server <string>
set secret <password>
set secondary-server <string>
set secondary-secret <password>
set tertiary-server <string>
set tertiary-secret <password>
set timeout <integer>
set all-usergroup {disable | enable}
set use-management-vdom {enable | disable}
set nas-ip <ipv4-address>
set acct-interim-interval <integer>
set radius-coa {enable | disable}
set radius-port <integer>
set h3c-compatibility {enable | disable}
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
set source-ip <ipv4-address>
set username-case-sensitive {enable | disable}
config class
edit <name_str>
set name <string>
end
set password-renewal {enable | disable}
set rsso {enable | disable}
set rsso-radius-server-port <integer>
set rsso-radius-response {enable | disable}
set rsso-validate-request-secret {enable | disable}
set rsso-secret <password>
set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | T
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
server                                                              (Empty)
secret                                                              (Empty)
secondary-server                                                    (Empty)
secondary-secret                                                    (Empty)
tertiary-server                                                     (Empty)
tertiary-secret                                                     (Empty)
timeout                               Authentication time-out.
all-usergroup                                                       disable
use-management-vdom                                                 disable
nas-ip                                NAS IP address.               0.0.0.0
acct-interim-interval
radius-coa                                                          disable
radius-port
h3c-compatibility                                                   disable
auth-type                             Authentication Protocol.      auto
source-ip                                                           0.0.0.0
username-case-sensitive                                             disable
class                                 Class name(s).                (Empty)
password-renewal                                                    disable
rsso                                                                disable
rsso-radius-server-port                                             1813
rsso-radius-response                                                disable
rsso-validate-request-secret                                        disable
rsso-secret                                                         (Empty)
rsso-endpoint-attribute                                             Calling-Station-Id
rsso-endpoint-block-attribute                                       (Empty)
sso-attribute                                                       Class
sso-attribute-key                                                   (Empty)
sso-attribute-value-override                                        enable
rsso-context-timeout                                                28800
rsso-log-period
rsso-log-flags                        Events to log.
rsso-flush-ip-session                                               disable
accounting-server                                                   (Empty)

user/security-exempt-list
CLI Syntax
config user security-exempt-list
edit <name_str>
set name <string>
set description <string>
config rule
edit <name_str>
set id <integer>
config srcaddr
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
end
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
description                           Description.                  (Empty)
rule                                  Exempt rules.                 (Empty)

user/setting
CLI Syntax
config user setting
edit <name_str>
set auth-type {http | https | ftp | telnet}
set auth-cert <string>
set auth-ca-cert <string>
set auth-secure-http {enable | disable}
set auth-http-basic {enable | disable}
set auth-multi-group {enable | disable}
set auth-timeout <integer>
set auth-timeout-type {idle-timeout | hard-timeout | new-session}
set auth-portal-timeout <integer>
set radius-ses-timeout-act {hard-timeout | ignore-timeout}
set auth-blackout-time <integer>
set auth-invalid-max <integer>
set auth-lockout-threshold <integer>
set auth-lockout-duration <integer>
config auth-ports
edit <name_str>
set id <integer>
set type {http | https | ftp | telnet}
set port <integer>
end
end
Description

Configuration                         Description                   Default Value
auth-type
auth-cert                                                           (Empty)
auth-ca-cert                                                        (Empty)
auth-secure-http                                                    disable
auth-http-basic                                                     disable
auth-multi-group                                                    enable
auth-timeout
auth-timeout-type                                                   idle-timeout
auth-portal-timeout
radius-ses-timeout-act                                              hard-timeout
auth-blackout-time
auth-invalid-max
auth-lockout-threshold
auth-lockout-duration
auth-ports                                                          (Empty)

user/tacacs+
CLI Syntax
config user tacacs+
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set port <integer>
set key <password>
set secondary-key <password>
set tertiary-key <password>
set authen-type {mschap | chap | pap | ascii | auto}
set authorization {enable | disable}
set source-ip <ipv4-address>
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
server                                                              (Empty)
secondary-server                                                    (Empty)
tertiary-server                                                     (Empty)
port                                                                49
key                                                                 (Empty)
secondary-key                                                       (Empty)
tertiary-key                                                        (Empty)
authen-type                                                         auto
authorization                                                       disable
source-ip                                                           0.0.0.0

voip/profile
CLI Syntax
config voip profile
edit <name_str>
set name <string>
set comment <var-string>
config sip
edit <name_str>
set status {disable | enable}
set rtp {disable | enable}
set open-register-pinhole {disable | enable}
set open-contact-pinhole {disable | enable}
set strict-register {disable | enable}
set register-rate <integer>
set invite-rate <integer>
set max-dialogs <integer>
set max-line-length <integer>
set block-long-lines {disable | enable}
set block-unknown {disable | enable}
set call-keepalive <integer>
set block-ack {disable | enable}
set block-bye {disable | enable}
set block-cancel {disable | enable}
set block-info {disable | enable}
set block-invite {disable | enable}
set block-message {disable | enable}
set block-notify {disable | enable}
set block-options {disable | enable}
set block-prack {disable | enable}
set block-publish {disable | enable}
set block-refer {disable | enable}
set block-register {disable | enable}
set block-subscribe {disable | enable}
set block-update {disable | enable}
set register-contact-trace {disable | enable}
set open-via-pinhole {disable | enable}
set open-record-route-pinhole {disable | enable}
set rfc2543-branch {disable | enable}
set log-violations {disable | enable}
set log-call-summary {disable | enable}
set nat-trace {disable | enable}
set subscribe-rate <integer>
set message-rate <integer>
set notify-rate <integer>
set refer-rate <integer>
set update-rate <integer>
set options-rate <integer>
set ack-rate <integer>
set prack-rate <integer>
set info-rate <integer>
set publish-rate <integer>
set bye-rate <integer>
set cancel-rate <integer>
set preserve-override {disable | enable}
set no-sdp-fixup {disable | enable}
set contact-fixup {disable | enable}
set max-idle-dialogs <integer>
set block-geo-red-options {disable | enable}
set hosted-nat-traversal {disable | enable}
set hnt-restrict-source-ip {disable | enable}
set max-body-length <integer>
set unknown-header {discard | pass | respond}
set malformed-request-line {discard | pass | respond}
set malformed-header-via {discard | pass | respond}
set malformed-header-from {discard | pass | respond}
set malformed-header-to {discard | pass | respond}
set malformed-header-call-id {discard | pass | respond}
set malformed-header-cseq {discard | pass | respond}
set malformed-header-rack {discard | pass | respond}
set malformed-header-rseq {discard | pass | respond}
set malformed-header-contact {discard | pass | respond}
set malformed-header-record-route {discard | pass | respond}
set malformed-header-route {discard | pass | respond}
set malformed-header-expires {discard | pass | respond}
set malformed-header-content-type {discard | pass | respond}
set malformed-header-content-length {discard | pass | respond}
set malformed-header-max-forwards {discard | pass | respond}
set malformed-header-allow {discard | pass | respond}
set malformed-header-p-asserted-identity {discard | pass | respond}
set malformed-header-sdp-v {discard | pass | respond}
set malformed-header-sdp-o {discard | pass | respond}
set malformed-header-sdp-s {discard | pass | respond}
set malformed-header-sdp-i {discard | pass | respond}
set malformed-header-sdp-c {discard | pass | respond}
set malformed-header-sdp-b {discard | pass | respond}
set malformed-header-sdp-z {discard | pass | respond}
set malformed-header-sdp-k {discard | pass | respond}
set malformed-header-sdp-a {discard | pass | respond}
set malformed-header-sdp-t {discard | pass | respond}
set malformed-header-sdp-r {discard | pass | respond}
set malformed-header-sdp-m {discard | pass | respond}
set provisional-invite-expiry-time <integer>
set ips-rtp {disable | enable}
set ssl-mode {off | full}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-algorithm {high | medium | low}
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-client-certificate <string>
set ssl-server-certificate <string>
Description

Configuration                         Description                   Default Value
name                                  Profile name.                 (Empty)
comment                               Comment.                      (Empty)
sip                                   SIP.                          Details below
sccp                                  SCCP.                         Details below

sip

Configuration                         Default Value
status                                enable
rtp                                   enable
open-register-pinhole                 enable
open-contact-pinhole                  enable
strict-register                       disable
register-rate                         0
invite-rate                           0
max-dialogs                           0
max-line-length                       998
block-long-lines                      enable
block-unknown                         enable
call-keepalive                        0
block-ack                             disable
block-bye                             disable
block-cancel                          disable
block-info                            disable
block-invite                          disable
block-message                         disable
block-notify                          disable
block-options                         disable
block-prack                           disable
block-publish                         disable
block-refer                           disable
block-register                        disable
block-subscribe                       disable
block-update                          disable
register-contact-trace                disable
open-via-pinhole                      disable
open-record-route-pinhole             enable
rfc2543-branch                        disable
log-violations                        disable
log-call-summary                      enable
nat-trace                             enable
subscribe-rate                        0
message-rate                          0
notify-rate                           0
refer-rate                            0
update-rate                           0
options-rate                          0
ack-rate                              0
prack-rate                            0
info-rate                             0
publish-rate                          0
bye-rate                              0
cancel-rate                           0
preserve-override                     disable
no-sdp-fixup                          disable
contact-fixup                         enable
max-idle-dialogs                      0
block-geo-red-options                 disable
hosted-nat-traversal                  disable
hnt-restrict-source-ip                disable
max-body-length                       0
unknown-header                        pass
malformed-request-line                pass
malformed-header-via                  pass
malformed-header-from                 pass
malformed-header-to                   pass
malformed-header-call-id              pass
malformed-header-cseq                 pass
malformed-header-rack                 pass
malformed-header-rseq                 pass
malformed-header-contact              pass
malformed-header-record-route         pass
malformed-header-route                pass
malformed-header-expires              pass
malformed-header-content-type         pass
malformed-header-content-length       pass
malformed-header-max-forwards         pass
malformed-header-allow                pass
malformed-header-p-asserted-identity  pass
malformed-header-sdp-v                pass
malformed-header-sdp-o                pass
malformed-header-sdp-s                pass
malformed-header-sdp-i                pass
malformed-header-sdp-c                pass
malformed-header-sdp-b                pass
malformed-header-sdp-z                pass
malformed-header-sdp-k                pass
malformed-header-sdp-a                pass
malformed-header-sdp-t                pass
malformed-header-sdp-r                pass
malformed-header-sdp-m                pass
provisional-invite-expiry-time        210
ips-rtp                               enable
ssl-mode                              off
ssl-send-empty-frags                  enable
ssl-client-renegotiation              allow
ssl-algorithm                         high
ssl-pfs                               allow
ssl-min-version                       tls-1.0
ssl-max-version                       tls-1.2
ssl-client-certificate                (Empty)
ssl-server-certificate                (Empty)
ssl-auth-client                       (Empty)
ssl-auth-server                       (Empty)

sccp

Configuration                         Default Value
status                                enable
block-mcast                           disable
verify-header                         disable
log-call-summary                      disable
log-violations                        disable
max-calls                             0

vpn.certificate/ca
CLI Syntax
config vpn.certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end
Description

Configuration                         Description                   Default Value
name                                  Name.                         (Empty)
ca                                    CA certificate.               (Empty)
range                                 CA certificate range.         vdom
source                                CA certificate source.        user
trusted                                                             enable
scep-url                                                            (Empty)
auto-update-days
auto-update-days-warning
source-ip                                                           0.0.0.0

vpn.certificate/crl
CLI Syntax
config vpn.certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end
Description

Configuration                         Description                   Default Value
name                                  Name.                         (Empty)
crl                                                                 (Empty)
range                                 CRL range.                    vdom
source                                CRL source.                   user
update-vdom                                                         root
ldap-server                           LDAP server.                  (Empty)
ldap-username                                                       (Empty)
ldap-password                                                       (Empty)
http-url                                                            (Empty)
scep-url                                                            (Empty)
scep-cert                                                           Fortinet_CA_SSL
update-interval
source-ip                                                           0.0.0.0

vpn.certificate/local
CLI Syntax
config vpn.certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end
Description

Configuration                         Description                   Default Value
name                                  Name.                         (Empty)
password                              Password.                     (Empty)
comments                              Comment.                      (Empty)
private-key                           Private key.                  (Empty)
certificate                           Certificate.                  (Empty)
csr                                                                 (Empty)
state                                                               (Empty)
scep-url                                                            (Empty)
range                                 Certificate range.            vdom
source                                Certificate source.           user
auto-regenerate-days
auto-regenerate-days-warning
scep-password                                                       (Empty)
ca-identifier                                                       (Empty)
name-encoding                                                       printable
source-ip                                                           0.0.0.0
ike-localid                                                         (Empty)
ike-localid-type                                                    asn1dn

vpn.certificate/ocsp-server
CLI Syntax
config vpn.certificate ocsp-server
edit <name_str>
set name <string>
set url <string>
set cert <string>
set secondary-url <string>
set secondary-cert <string>
set unavail-action {revoke | ignore}
set source-ip <ipv4-address>
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
url                                                                 (Empty)
cert                                                                (Empty)
secondary-url                                                       (Empty)
secondary-cert                                                      (Empty)
unavail-action                                                      revoke
source-ip                                                           0.0.0.0

vpn.certificate/remote
CLI Syntax
config vpn.certificate remote
edit <name_str>
set name <string>
set remote <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
end
Description

Configuration                         Description                   Default Value
name                                  Name.                         (Empty)
remote                                Remote certificate.           (Empty)
range                                                               vdom
source                                                              user

vpn.certificate/setting
CLI Syntax
config vpn.certificate setting
edit <name_str>
set ocsp-status {enable | disable}
set ocsp-default-server <string>
set check-ca-cert {enable | disable}
set strict-crl-check {enable | disable}
set strict-ocsp-check {enable | disable}
end
Description

Configuration                         Description                   Default Value
ocsp-status                           OCSP status.                  disable
ocsp-default-server                                                 (Empty)
check-ca-cert                                                       enable
strict-crl-check                                                    disable
strict-ocsp-check                                                   disable

vpn.ipsec/concentrator
CLI Syntax
config vpn.ipsec concentrator
edit <name_str>
set name <string>
set src-check {disable | enable}
config member
edit <name_str>
set name <string>
end
end
Description

Configuration                         Description                   Default Value
name                                  Concentrator name.            (Empty)
src-check                                                           disable
member                                Concentrator members.         (Empty)

vpn.ipsec/forticlient
CLI Syntax
config vpn.ipsec forticlient
edit <name_str>
set realm <string>
set usergroupname <string>
set phase2name <string>
set status {enable | disable}
end
Description

Configuration                         Description                   Default Value
realm                                                               (Empty)
usergroupname                                                       (Empty)
phase2name                                                          (Empty)
status                                                              enable

vpn.ipsec/manualkey
CLI Syntax
config vpn.ipsec manualkey
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
set authkey <user>
set enckey <user>
set localspi <user>
set remotespi <user>
set npu-offload {enable | disable}
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
interface                             Interface name.               (Empty)
remote-gw                             Peer gateway.                 0.0.0.0
local-gw                              Local gateway.                0.0.0.0
authentication                        Authentication algorithm.     null
encryption                            Encryption algorithm.         null
authkey                               Authentication key.
enckey                                Encryption key.
localspi                              Local SPI.                    0x100
remotespi                             Remote SPI.                   0x100
npu-offload                                                         enable

vpn.ipsec/manualkey-interface
CLI Syntax
config vpn.ipsec manualkey-interface
edit <name_str>
set name <string>
set interface <string>
set ip-version {4 | 6}
set addr-type {4 | 6}
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set local-gw <ipv4-address-any>
set local-gw6 <ipv6-address>
set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
set auth-key <user>
set enc-key <user>
set local-spi <user>
set remote-spi <user>
set npu-offload {enable | disable}
end
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
interface                             Interface name.               (Empty)
ip-version
addr-type
remote-gw                                                           0.0.0.0
remote-gw6                                                          ::
local-gw                                                            0.0.0.0
local-gw6                                                           ::
auth-alg                              Authentication algorithm.     null
enc-alg                               Encryption algorithm.         null
auth-key                              Authentication key.
enc-key                               Encryption key.
local-spi                             Local SPI.                    0x100
remote-spi                            Remote SPI.                   0x100
npu-offload                                                         enable

vpn.ipsec/phase1
CLI Syntax
config vpn.ipsec phase1
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ike-version {1 | 2}
set remote-gw <ipv4-address>
set local-gw <ipv4-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set usrgrp <string>
set peer <string>
set peergrp <string>
set autoconfig {disable | client | gateway}
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set ipv4-split-include <string>
set split-include-service <string>
set ipv6-start-ip <ipv6-address>
set ipv6-end-ip <ipv6-address>
set ipv6-prefix <integer>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
Description

Configuration                         Description                   Default Value
name                                                                (Empty)
type                                                                static
interface                                                           (Empty)
ike-version
remote-gw                                                           0.0.0.0
local-gw                                                            0.0.0.0
remotegw-ddns                                                       (Empty)
keylife                               Phase1 keylife.               86400
certificate                                                         (Empty)
authmethod                            Authentication method.        psk
mode                                  Mode.                         main
peertype                              Peer type.                    any
peerid                                Peer ID.                      (Empty)
usrgrp                                User group.                   (Empty)
peer                                                                (Empty)
peergrp                                                             (Empty)
autoconfig                            Auto-configuration type.
mode-cfg                                                            disable
assign-ip                                                           enable
assign-ip-from                                                      range
ipv4-start-ip                                                       0.0.0.0
ipv4-end-ip                                                         0.0.0.0
ipv4-netmask                          IPv4 Netmask.                 255.255.255.255
dns-mode                                                            manual
ipv4-dns-server1                                                    0.0.0.0
ipv4-dns-server2                                                    0.0.0.0
ipv4-dns-server3                                                    0.0.0.0
ipv4-wins-server1                     WINS server 1.                0.0.0.0
ipv4-wins-server2                     WINS server 2.                0.0.0.0
ipv4-exclude-range                                                  (Empty)
ipv4-split-include                                                  (Empty)
split-include-service                 Split-include services.       (Empty)
ipv6-start-ip                                                       ::
ipv6-end-ip                                                         ::
ipv6-prefix                           IPv6 prefix.                  128
ipv6-dns-server1                                                    ::
ipv6-dns-server2                                                    ::
ipv6-dns-server3                                                    ::
ipv6-exclude-range                                                  (Empty)
ipv6-split-include                                                  (Empty)
unity-support                                                       enable
domain                                                              (Empty)
banner                                                              (Empty)
include-local-lan                                                   disable
save-password                                                       disable
client-auto-negotiate                                               disable
client-keep-alive                                                   disable
backup-gateway                                                      (Empty)
proposal                              Phase1 proposal.              aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route                                                           disable
exchange-interface-ip                                               disable
add-gw-route                                                        disable
psksecret                                                           (Empty)
keepalive                                                           10
distance                                                            15
priority
localid                               Local ID.                     (Empty)
localid-type                          Local ID type.                auto
auto-negotiate                                                      enable
negotiate-timeout                                                   30
fragmentation                                                       enable
dpd                                                                 on-demand
dpd-retrycount
dpd-retryinterval                                                   20
forticlient-enforcement                                             disable
comments                              Comment.                      (Empty)
npu-offload                                                         enable
send-cert-chain                                                     enable
dhgrp                                 DH group.                     14 5
suite-b                               Use Suite-B.                  disable
eap                                                                 disable
eap-identity                                                        use-id-payload
acct-verify                                                         disable
wizard-type                                                         custom
xauthtype                             XAuth type.                   disable
reauth                                                              disable
authusr                                                             (Empty)
authpasswd                                                          (Empty)
authusrgrp                                                          (Empty)
mesh-selector-type                                                  disable
idle-timeout                                                        disable
idle-timeoutinterval                                                15
ha-sync-esp-seqno                                                   enable
nattraversal                                                        enable
esn                                                                 disable

vpn.ipsec/phase1-interface
CLI Syntax
config vpn.ipsec phase1-interface
edit <name_str>
set name <string>
set type {static | dynamic | ddns}
set interface <string>
set ip-version {4 | 6}
set ike-version {1 | 2}
set local-gw <ipv4-address>
set local-gw6 <ipv6-address>
set remote-gw <ipv4-address>
set remote-gw6 <ipv6-address>
set remotegw-ddns <string>
set keylife <integer>
config certificate
edit <name_str>
set name <string>
end
set authmethod {psk | rsa-signature | signature}
set mode {aggressive | main}
set peertype {any | one | dialup | peer | peergrp}
set peerid <string>
set default-gw <ipv4-address>
set default-gw-priority <integer>
set usrgrp <string>
set peer <string>
set peergrp <string>
set monitor <string>
set monitor-hold-down-type {immediate | delay | time}
set monitor-hold-down-delay <integer>
set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set monitor-hold-down-time <user>
set mode-cfg {disable | enable}
set assign-ip {disable | enable}
set assign-ip-from {range | usrgrp | dhcp}
set ipv4-start-ip <ipv4-address>
set ipv4-end-ip <ipv4-address>
set ipv4-netmask <ipv4-netmask>
set dns-mode {manual | auto}
set ipv4-dns-server1 <ipv4-address>
set ipv4-dns-server2 <ipv4-address>
set ipv4-dns-server3 <ipv4-address>
set ipv4-wins-server1 <ipv4-address>
set ipv4-wins-server2 <ipv4-address>
config ipv4-exclude-range
edit <name_str>
set id <integer>
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
type                                                          static
interface                                                     (Empty)
ip-version
ike-version
local-gw                                                      0.0.0.0
local-gw6                                                     ::
remote-gw                                                     0.0.0.0
remote-gw6                                                    ::
remotegw-ddns                                                 (Empty)
keylife                         Phase1 keylife.               86400
certificate                                                   (Empty)
authmethod                      Authentication method.        psk
mode                            Mode.                         main
peertype                        Peer type.                    any
peerid                          Peer ID.                      (Empty)
default-gw                                                    0.0.0.0
default-gw-priority
usrgrp                          User group.                   (Empty)
peer                                                          (Empty)
peergrp                                                       (Empty)
monitor                                                       (Empty)
monitor-hold-down-type                                        immediate
monitor-hold-down-delay
monitor-hold-down-weekday                                     sunday
monitor-hold-down-time                                        00:00
mode-cfg                                                      disable
assign-ip                                                     enable
assign-ip-from                                                range
ipv4-start-ip                                                 0.0.0.0
ipv4-end-ip                                                   0.0.0.0
ipv4-netmask                    IPv4 Netmask.                 255.255.255.255
dns-mode                                                      manual
ipv4-dns-server1                                              0.0.0.0
ipv4-dns-server2                                              0.0.0.0
ipv4-dns-server3                                              0.0.0.0
ipv4-wins-server1               WINS server 1.                0.0.0.0
ipv4-wins-server2               WINS server 2.                0.0.0.0
ipv4-exclude-range                                            (Empty)
ipv4-split-include                                            (Empty)
split-include-service           Split-include services.       (Empty)
ipv6-start-ip                                                 ::
ipv6-end-ip                                                   ::
ipv6-prefix                     IPv6 prefix.                  128
ipv6-dns-server1                                              ::
ipv6-dns-server2                                              ::
ipv6-dns-server3                                              ::
ipv6-exclude-range                                            (Empty)
ipv6-split-include                                            (Empty)
unity-support                                                 enable
domain                                                        (Empty)
banner                                                        (Empty)
include-local-lan                                             disable
save-password                                                 disable
client-auto-negotiate                                         disable
client-keep-alive                                             disable
backup-gateway                                                (Empty)
proposal                        Phase1 proposal.              aes128-sha256 aes256-sha256 3des-sha256
                                                              aes128-sha1 aes256-sha1 3des-sha1
add-route                                                     enable
exchange-interface-ip                                         disable
add-gw-route                                                  disable
psksecret                                                     (Empty)
keepalive                                                     10
distance                                                      15
priority
localid                         Local ID.                     (Empty)
localid-type                    Local ID type.                auto
auto-negotiate                                                enable
negotiate-timeout                                             30
fragmentation                                                 enable
dpd                                                           on-demand
dpd-retrycount
dpd-retryinterval                                             20
forticlient-enforcement                                       disable
comments                        Comment.                      (Empty)
npu-offload                                                   enable
send-cert-chain                                               enable
dhgrp                           DH group.                     14 5
suite-b                         Use Suite-B.                  disable
eap                                                           disable
eap-identity                                                  use-id-payload
acct-verify                                                   disable
wizard-type                                                   custom
xauthtype                       XAuth type.                   disable
reauth                                                        disable
authusr                                                       (Empty)
authpasswd                                                    (Empty)
authusrgrp                                                    (Empty)
mesh-selector-type                                            disable
idle-timeout                                                  disable
idle-timeoutinterval                                          15
ha-sync-esp-seqno                                             enable
auto-discovery-sender                                         disable
auto-discovery-receiver                                       disable
auto-discovery-forwarder                                      disable
auto-discovery-psk                                            disable
encapsulation                                                 none
encapsulation-address                                         ike
encap-local-gw4                                               0.0.0.0
encap-local-gw6                                               ::
encap-remote-gw4                                              0.0.0.0
encap-remote-gw6                                              ::
nattraversal                                                  enable
esn                                                           disable
vpn.ipsec/phase2
CLI Syntax
config vpn.ipsec phase2
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set use-natip {enable | disable}
set selector-match {exact | subset | auto}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 |
des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm |
aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm |
aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
phase1name                                                    (Empty)
dhcp-ipsec                      Enable/disable DHCP-IPsec.    disable
use-natip                                                     enable
selector-match                                                auto
proposal                        Phase2 proposal.
pfs                                                           enable
dhgrp                           Phase2 DH group.              14 5
replay                                                        enable
keepalive                                                     disable
auto-negotiate                                                disable
add-route                                                     phase1
keylifeseconds                                                43200
keylifekbs                                                    5120
keylife-type                    Keylife type.                 seconds
single-source                                                 disable
route-overlap                                                 use-new
encapsulation                                                 tunnel-mode
l2tp                                                          disable
comments                        Comment.                      (Empty)
protocol
src-name                                                      (Empty)
src-name6                                                     (Empty)
src-addr-type                                                 subnet
src-start-ip                                                  0.0.0.0
src-start-ip6                                                 ::
src-end-ip                                                    0.0.0.0
src-end-ip6                                                   ::
src-subnet                                                    0.0.0.0 0.0.0.0
src-subnet6                                                   ::/0
src-port
dst-name                                                      (Empty)
dst-name6                                                     (Empty)
dst-addr-type                                                 subnet
dst-start-ip                                                  0.0.0.0
dst-start-ip6                                                 ::
dst-end-ip                                                    0.0.0.0
dst-end-ip6                                                   ::
dst-subnet                                                    0.0.0.0 0.0.0.0
dst-subnet6                                                   ::/0
dst-port
vpn.ipsec/phase2-interface
CLI Syntax
config vpn.ipsec phase2-interface
edit <name_str>
set name <string>
set phase1name <string>
set dhcp-ipsec {enable | disable}
set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 |
des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm |
aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm |
aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
set pfs {enable | disable}
set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
set replay {enable | disable}
set keepalive {enable | disable}
set auto-negotiate {enable | disable}
set add-route {phase1 | enable | disable}
set auto-discovery-sender {phase1 | enable | disable}
set auto-discovery-forwarder {phase1 | enable | disable}
set keylifeseconds <integer>
set keylifekbs <integer>
set keylife-type {seconds | kbs | both}
set single-source {enable | disable}
set route-overlap {use-old | use-new | allow}
set encapsulation {tunnel-mode | transport-mode}
set l2tp {enable | disable}
set comments <var-string>
set protocol <integer>
set src-name <string>
set src-name6 <string>
set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set src-start-ip <ipv4-address-any>
set src-start-ip6 <ipv6-address>
set src-end-ip <ipv4-address-any>
set src-end-ip6 <ipv6-address>
set src-subnet <ipv4-classnet-any>
set src-subnet6 <ipv6-prefix>
set src-port <integer>
set dst-name <string>
set dst-name6 <string>
set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
set dst-start-ip <ipv4-address-any>
set dst-start-ip6 <ipv6-address>
set dst-end-ip <ipv4-address-any>
set dst-end-ip6 <ipv6-address>
set dst-subnet <ipv4-classnet-any>
set dst-subnet6 <ipv6-prefix>
set dst-port <integer>
end
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
phase1name                                                    (Empty)
dhcp-ipsec                      Enable/disable DHCP-IPsec.    disable
proposal                        Phase2 proposal.
pfs                                                           enable
dhgrp                           Phase2 DH group.              14 5
replay                                                        enable
keepalive                                                     disable
auto-negotiate                                                disable
add-route                                                     phase1
auto-discovery-sender                                         phase1
auto-discovery-forwarder                                      phase1
keylifeseconds                                                43200
keylifekbs                                                    5120
keylife-type                    Keylife type.                 seconds
single-source                                                 disable
route-overlap                                                 use-new
encapsulation                                                 tunnel-mode
l2tp                                                          disable
comments                        Comment.                      (Empty)
protocol
src-name                                                      (Empty)
src-name6                                                     (Empty)
src-addr-type                                                 subnet
src-start-ip                                                  0.0.0.0
src-start-ip6                                                 ::
src-end-ip                                                    0.0.0.0
src-end-ip6                                                   ::
src-subnet                                                    0.0.0.0 0.0.0.0
src-subnet6                                                   ::/0
src-port
dst-name                                                      (Empty)
dst-name6                                                     (Empty)
dst-addr-type                                                 subnet
dst-start-ip                                                  0.0.0.0
dst-start-ip6                                                 ::
dst-end-ip                                                    0.0.0.0
dst-end-ip6                                                   ::
dst-subnet                                                    0.0.0.0 0.0.0.0
dst-subnet6                                                   ::/0
dst-port
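The phase1 and phase2 tables above show what a 5.4 unit negotiates when a tunnel is left at its defaults: the phase1 proposal list still offers 3des-sha256, aes128-sha1, aes256-sha1 and 3des-sha1, dhgrp defaults to 14 and 5 in both phases, phase2 will accept null-*, des-*, md5 and sha1 proposals if they are configured, and src-subnet and dst-subnet default to 0.0.0.0 0.0.0.0 on both sides. The checker below is an added example written for this page, not part of the Fortinet reference: it parses the config vpn ipsec phase1-interface and phase2-interface blocks from a saved configuration and reports weak proposals, DH groups 1, 2 and 5, aggressive mode with a PSK, PFS disabled and any-to-any selectors. The sample configuration is constructed, the PSK values are placeholders, and the weakness thresholds are the editor's choices rather than anything Fortinet publishes.

```python
# Constructed sample (not a real device export): one tunnel left at the 5.4
# defaults plus aggressive mode, one tunnel that has been hardened.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-legacy"
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set dhgrp 14 5
        set remote-gw 198.51.100.7
        set psksecret ENC placeholder
    next
    edit "dc-hardened"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 19 14
        set remote-gw 203.0.113.9
        set psksecret ENC placeholder
    next
end
config vpn ipsec phase2-interface
    edit "branch-legacy-p2"
        set phase1name "branch-legacy"
        set proposal aes128-md5 3des-sha1 null-sha1
        set dhgrp 5
    next
    edit "dc-hardened-p2"
        set phase1name "dc-hardened"
        set proposal aes256gcm aes256-sha256
        set dhgrp 19
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
"""

# Defaults taken from the phase1/phase2 tables in this reference. A "show"
# export omits settings still at their default, so the audit fills them in.
DEFAULT_P1_PROPOSAL = ["aes128-sha256", "aes256-sha256", "3des-sha256",
                       "aes128-sha1", "aes256-sha1", "3des-sha1"]
DEFAULT_DHGRP = ["14", "5"]

WEAK_ENC = {"null", "des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"1", "2", "5"}          # editor's threshold: MODP groups of 1536 bits or less


def parse_fortios(text):
    """Parse 'config <table>' / 'edit <name>' / 'set key values...' blocks into
    {table: {entry: {key: [values]}}}. Sub-tables nested inside an edit
    (config certificate, config ipv4-exclude-range, ...) are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line.split(None, 1)[1]
                tables.setdefault(table, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
        elif depth != 1:
            continue
        elif line.startswith("edit "):
            entry = line.split(None, 1)[1].strip('"')
            tables[table][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            parts = line.split()
            tables[table][entry][parts[1]] = [v.strip('"') for v in parts[2:]]
    return tables


def weak_proposals(proposals):
    """Return the proposal strings that use a deprecated cipher or hash."""
    bad = []
    for p in proposals:
        enc, _, mac = p.partition("-")
        enc = enc.replace("gcm", "").rstrip("0123456789")   # aes256gcm -> aes
        if enc in WEAK_ENC or mac in WEAK_HASH:
            bad.append(p)
    return bad


def audit_ipsec(config):
    """Return sorted (tunnel, finding) pairs for weak IKE/IPsec settings."""
    findings = []
    for table in ("vpn ipsec phase1", "vpn ipsec phase1-interface"):
        for name, s in config.get(table, {}).items():
            bad = weak_proposals(s.get("proposal", DEFAULT_P1_PROPOSAL))
            if bad:
                findings.append((name, "phase1 weak proposal: " + " ".join(bad)))
            weak = sorted(WEAK_DH & set(s.get("dhgrp", DEFAULT_DHGRP)))
            if weak:
                findings.append((name, "phase1 weak DH group: " + " ".join(weak)))
            if s.get("mode") == ["aggressive"] and "psksecret" in s:
                findings.append((name, "aggressive mode with PSK: offline dictionary attack on the PSK hash"))
    for table in ("vpn ipsec phase2", "vpn ipsec phase2-interface"):
        for name, s in config.get(table, {}).items():
            bad = weak_proposals(s.get("proposal", []))
            if bad:
                findings.append((name, "phase2 weak proposal: " + " ".join(bad)))
            if s.get("pfs", ["enable"]) == ["disable"]:
                findings.append((name, "PFS disabled"))
            weak = sorted(WEAK_DH & set(s.get("dhgrp", DEFAULT_DHGRP)))
            if weak:
                findings.append((name, "phase2 weak DH group: " + " ".join(weak)))
            # No src-/dst- selector at all means the table defaults of
            # 0.0.0.0 0.0.0.0 apply, i.e. the tunnel carries anything.
            if not any(k.startswith(("src-", "dst-")) and not k.endswith(("-addr-type", "-port"))
                       for k in s):
                findings.append((name, "phase2 selectors left at 0.0.0.0/0 on both sides"))
    return sorted(findings)


if __name__ == "__main__":
    for tunnel, finding in audit_ipsec(parse_fortios(SAMPLE_CONFIG)):
        print(f"{tunnel}: {finding}")
```

Feed it the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface concatenated; tunnels that were never given an explicit proposal or dhgrp are reported because the checker substitutes the table defaults for the lines the export leaves out.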
vpn.ssl.web/host-check-software
CLI Syntax
config vpn.ssl.web host-check-software
edit <name_str>
set name <string>
set type {av | fw}
set version <string>
set guid <user>
config check-item-list
edit <name_str>
set id <integer>
set action {require | deny}
set type {file | registry | process}
set target <string>
set version <string>
config md5s
edit <name_str>
set id <string>
end
end
end
Description
Configuration                   Description                   Default Value
name                            Name.                         (Empty)
type                            Type.                         av
version                         Version.                      (Empty)
guid                                                          "00000000-0000-0000-0000-000000000000"
check-item-list                                               (Empty)
vpn.ssl.web/portal
CLI Syntax
config vpn.ssl.web portal
edit <name_str>
set name <string>
set tunnel-mode {enable | disable}
set ip-mode {range | user-group}
set auto-connect {enable | disable}
set keep-alive {enable | disable}
set save-password {enable | disable}
config ip-pools
edit <name_str>
set name <string>
end
set exclusive-routing {enable | disable}
set service-restriction {enable | disable}
set split-tunneling {enable | disable}
config split-tunneling-routing-address
edit <name_str>
set name <string>
end
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-tunnel-mode {enable | disable}
config ipv6-pools
edit <name_str>
set name <string>
end
set ipv6-exclusive-routing {enable | disable}
set ipv6-service-restriction {enable | disable}
set ipv6-split-tunneling {enable | disable}
config ipv6-split-tunneling-routing-address
edit <name_str>
set name <string>
end
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set web-mode {enable | disable}
set display-bookmark {enable | disable}
set user-bookmark {enable | disable}
set user-group-bookmark {enable | disable}
config bookmark-group
edit <name_str>
set name <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set security {rdp | nla | tls | any}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end
set display-connection-tools {enable | disable}
set display-history {enable | disable}
set display-status {enable | disable}
set heading <string>
set redir-url <var-string>
set theme {blue | green | red | melongene | mariner}
set custom-lang <string>
set host-check {none | av | fw | av-fw | custom}
set host-check-interval <integer>
config host-check-policy
edit <name_str>
set name <string>
end
set limit-user-logins {enable | disable}
set mac-addr-check {enable | disable}
set mac-addr-action {allow | deny}
config mac-addr-check-rule
edit <name_str>
set name <string>
set mac-addr-mask <integer>
config mac-addr-list
edit <name_str>
set addr <mac-address>
end
end
end
set os-check {enable | disable}
config os-check-list
edit <name_str>
set name <string>
set action {deny | allow | check-up-to-date}
set tolerance <integer>
set latest-patch-level <user>
end
set virtual-desktop {enable | disable}
set virtual-desktop-app-list <string>
set virtual-desktop-clipboard-share {enable | disable}
set virtual-desktop-desktop-switch {enable | disable}
set virtual-desktop-logout-when-browser-close {enable | disable}
set virtual-desktop-network-share-access {enable | disable}
set virtual-desktop-printing {enable | disable}
set virtual-desktop-removable-media-access {enable | disable}
set skip-check-for-unsupported-os {enable | disable}
set skip-check-for-unsupported-browser {enable | disable}
end
Description
Configuration                   Description                   Default Value
name                            Portal name.                  (Empty)
tunnel-mode                                                   disable
ip-mode                                                       range
auto-connect                                                  disable
keep-alive                                                    disable
save-password                                                 disable
ip-pools                        Tunnel IP pools.              (Empty)
exclusive-routing                                             disable
service-restriction                                           disable
split-tunneling                                               enable
split-tunneling-routing-address                               (Empty)
dns-server1                     DNS server 1.                 0.0.0.0
dns-server2                     DNS server 2.                 0.0.0.0
wins-server1                    WINS server 1.                0.0.0.0
wins-server2                    WINS server 2.                0.0.0.0
ipv6-tunnel-mode                                              disable
ipv6-pools                      Tunnel IP pools.              (Empty)
ipv6-exclusive-routing                                        disable
ipv6-service-restriction                                      disable
ipv6-split-tunneling                                          enable
ipv6-split-tunneling-routing-address                          (Empty)
ipv6-dns-server1                                              ::
ipv6-dns-server2                                              ::
ipv6-wins-server1                                             ::
ipv6-wins-server2                                             ::
web-mode                                                      disable
display-bookmark                                              enable
user-bookmark                                                 enable
user-group-bookmark                                           enable
bookmark-group                                                (Empty)
display-connection-tools                                      enable
display-history                                               enable
display-status                                                enable
heading                                                       SSL-VPN Portal
redir-url                                                     (Empty)
theme                                                         blue
custom-lang                                                   (Empty)
host-check                                                    none
host-check-interval
host-check-policy                                             (Empty)
limit-user-logins                                             disable
mac-addr-check                                                disable
mac-addr-action                                               allow
mac-addr-check-rule                                           (Empty)
os-check                                                      disable
os-check-list                                                 (Empty)
virtual-desktop                                               disable
virtual-desktop-app-list                                      (Empty)
virtual-desktop-clipboard-share                               disable
virtual-desktop-desktop-switch                                enable
virtual-desktop-logout-when-browser-close                     disable
virtual-desktop-network-share-access                          disable
virtual-desktop-printing                                      disable
virtual-desktop-removable-media-access                        disable
skip-check-for-unsupported-os                                 enable
skip-check-for-unsupported-browser                            enable
vpn.ssl.web/realm
CLI Syntax
config vpn.ssl.web realm
edit <name_str>
set url-path <string>
set max-concurrent-user <integer>
set login-page <var-string>
set virtual-host <var-string>
end
Description
Configuration                   Description                   Default Value
url-path                                                      (Empty)
max-concurrent-user
login-page                                                    (Empty)
virtual-host                                                  (Empty)
vpn.ssl.web/user-bookmark
CLI Syntax
config vpn.ssl.web user-bookmark
edit <name_str>
set name <string>
set custom-lang <string>
config bookmarks
edit <name_str>
set name <string>
set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
set url <var-string>
set host <var-string>
set folder <var-string>
set additional-params <var-string>
set listening-port <integer>
set remote-port <integer>
set show-status-window {enable | disable}
set description <var-string>
set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
set security {rdp | nla | tls | any}
set port <integer>
set logon-user <var-string>
set logon-password <password>
set sso {disable | static | auto}
config form-data
edit <name_str>
set name <string>
set value <var-string>
end
set sso-credential {sslvpn-login | alternative}
set sso-username <var-string>
set sso-password <password>
end
end
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
custom-lang                     Personal language.            (Empty)
bookmarks                       Bookmark table.               (Empty)
vpn.ssl.web/virtual-desktop-app-list
CLI Syntax
config vpn.ssl.web virtual-desktop-app-list
edit <name_str>
set name <string>
set action {allow | block}
config apps
edit <name_str>
set name <string>
config md5s
edit <name_str>
set id <string>
end
end
end
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
action                          Action.                       allow
apps                            Applications.                 (Empty)
vpn.ssl/settings
CLI Syntax
config vpn.ssl settings
edit <name_str>
set reqclientcert {enable | disable}
set sslv3 {enable | disable}
set tlsv1-0 {enable | disable}
set tlsv1-1 {enable | disable}
set tlsv1-2 {enable | disable}
set banned-cipher {RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384}
set ssl-big-buffer {enable | disable}
set ssl-insert-empty-fragment {enable | disable}
set https-redirect {enable | disable}
set ssl-client-renegotiation {disable | enable}
set force-two-factor-auth {enable | disable}
set unsafe-legacy-renegotiation {enable | disable}
set servercert <string>
set algorithm {high | medium | default | low}
set idle-timeout <integer>
set auth-timeout <integer>
config tunnel-ip-pools
edit <name_str>
set name <string>
end
config tunnel-ipv6-pools
edit <name_str>
set name <string>
end
set dns-suffix <var-string>
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set ipv6-dns-server1 <ipv6-address>
set ipv6-dns-server2 <ipv6-address>
set ipv6-wins-server1 <ipv6-address>
set ipv6-wins-server2 <ipv6-address>
set route-source-interface {enable | disable}
set url-obscuration {enable | disable}
set http-compression {enable | disable}
set http-only-cookie {enable | disable}
set deflate-compression-level <integer>
set deflate-min-data-size <integer>
set port <integer>
set port-precedence {enable | disable}
set auto-tunnel-static-route {enable | disable}
set header-x-forwarded-for {pass | add | remove}
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
set default-portal <string>
config authentication-rule
edit <name_str>
set id <integer>
config source-interface
edit <name_str>
set name <string>
end
config source-address
edit <name_str>
set name <string>
end
set source-address-negate {enable | disable}
config source-address6
edit <name_str>
set name <string>
end
set source-address6-negate {enable | disable}
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set portal <string>
set realm <string>
set client-cert {enable | disable}
set cipher {any | high | medium}
set auth {any | local | radius | tacacs+ | ldap}
end
set dtls-tunnel {enable | disable}
set check-referer {enable | disable}
end
Description
Configuration                   Description                   Default Value
reqclientcert                                                 disable
sslv3                           Enable/disable SSLv3.         disable
tlsv1-0                         Enable/disable TLSv1.0.       disable
tlsv1-1                         Enable/disable TLSv1.1.       enable
tlsv1-2                         Enable/disable TLSv1.2.       enable
banned-cipher                                                 (Empty)
ssl-big-buffer                                                disable
ssl-insert-empty-fragment                                     enable
https-redirect                                                disable
ssl-client-renegotiation                                      disable
force-two-factor-auth                                         disable
unsafe-legacy-renegotiation                                   disable
servercert                      Server certificate.           Fortinet_Factory
algorithm                       Allow algorithms.             high
idle-timeout                                                  300
auth-timeout                                                  28800
tunnel-ip-pools                 Tunnel IP pools.              (Empty)
tunnel-ipv6-pools                                             (Empty)
dns-suffix                      DNS suffix.                   (Empty)
dns-server1                     DNS server 1.                 0.0.0.0
dns-server2                     DNS server 2.                 0.0.0.0
wins-server1                    WINS server 1.                0.0.0.0
wins-server2                    WINS server 2.                0.0.0.0
ipv6-dns-server1                                              ::
ipv6-dns-server2                                              ::
ipv6-wins-server1                                             ::
ipv6-wins-server2                                             ::
route-source-interface                                        disable
url-obscuration                                               disable
http-compression                                              disable
http-only-cookie                                              enable
deflate-compression-level
deflate-min-data-size                                         300
port                                                          10443
port-precedence                                               enable
auto-tunnel-static-route                                      enable
header-x-forwarded-for                                        add
source-interface                                              (Empty)
source-address                                                (Empty)
source-address-negate                                         disable
source-address6                                               (Empty)
source-address6-negate                                        disable
default-portal                                                (Empty)
authentication-rule                                           (Empty)
dtls-tunnel                                                   enable
check-referer                                                 disable
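The vpn.ssl settings table above is where an SSL-VPN exposure is decided: sslv3 and tlsv1-0 are off by default but tlsv1-1 is on, banned-cipher is empty, servercert is Fortinet_Factory, and reqclientcert, force-two-factor-auth and check-referer are all disabled. The checker below is an added example for this page and not Fortinet code: it reads the top-level set lines of config vpn ssl settings (skipping the nested tunnel-ip-pools and authentication-rule tables), fills in the table's 5.4 defaults for anything a show export omits, reports deviations from a hardening baseline, and emits the set commands that would bring the unit to that baseline. The baseline, the banned-cipher list and the sample configuration are the editor's own assumptions.

```python
# 5.4 defaults from the vpn.ssl settings table above. A "show" export omits
# any setting still at its default, so the audit must substitute these.
SSL_DEFAULTS = {
    "sslv3": "disable", "tlsv1-0": "disable", "tlsv1-1": "enable", "tlsv1-2": "enable",
    "banned-cipher": "", "algorithm": "high", "reqclientcert": "disable",
    "force-two-factor-auth": "disable", "ssl-client-renegotiation": "disable",
    "unsafe-legacy-renegotiation": "disable", "http-only-cookie": "enable",
    "check-referer": "disable", "servercert": "Fortinet_Factory",
    "idle-timeout": "300", "auth-timeout": "28800", "port": "10443",
}

# Editor's hardening baseline (an assumption, not a Fortinet recommendation):
# expected value and the reason a deviation matters. None means "special case".
BASELINE = {
    "sslv3": ("disable", "SSLv3 accepted (POODLE)"),
    "tlsv1-0": ("disable", "TLS 1.0 accepted"),
    "tlsv1-1": ("disable", "TLS 1.1 accepted; leave only tlsv1-2 enabled"),
    "tlsv1-2": ("enable", "TLS 1.2 disabled"),
    "algorithm": ("high", "cipher strength below 'high'"),
    "ssl-client-renegotiation": ("disable", "client-initiated renegotiation allowed"),
    "unsafe-legacy-renegotiation": ("disable", "pre-RFC 5746 renegotiation allowed"),
    "http-only-cookie": ("enable", "session cookie readable from script"),
    "check-referer": ("enable", "Referer check off; portal requests can be forged cross-site"),
    "force-two-factor-auth": ("enable", "2FA not enforced"),
    "servercert": (None, "factory certificate in use; users learn to click through warnings"),
}
# Editor's choice: no static-RSA key exchange (no forward secrecy), no 3DES (SWEET32).
REQUIRED_BANNED = {"RSA", "3DES"}

# Constructed sample export, not from a real device.
SAMPLE_SSL_SETTINGS = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tlsv1-0 enable
    set banned-cipher 3DES
    set port 443
    config tunnel-ip-pools
        edit "SSLVPN_TUNNEL_ADDR1"
        next
    end
    set check-referer enable
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
"""


def parse_ssl_settings(text):
    """Return {key: value} for the top-level set lines of config vpn ssl settings.
    Depth tracking keeps the nested tables' set lines out of the result."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip('"')
    return settings


def audit_ssl_vpn(settings):
    """Return human-readable findings for settings that deviate from BASELINE."""
    effective = {**SSL_DEFAULTS, **settings}
    findings = []
    for key, (want, why) in BASELINE.items():
        have = effective.get(key)
        if want is None:
            if have == "Fortinet_Factory":
                findings.append(f"servercert: {why}")
        elif have != want:
            findings.append(f"{key}={have}: {why}")
    missing = sorted(REQUIRED_BANNED - set(effective["banned-cipher"].split()))
    if missing:
        findings.append("banned-cipher missing: " + " ".join(missing))
    return findings


def remediation(settings):
    """Emit the CLI lines that move the unit to the baseline (servercert excluded:
    that needs a certificate the script cannot choose)."""
    effective = {**SSL_DEFAULTS, **settings}
    lines = ["config vpn ssl settings"]
    for key, (want, _) in BASELINE.items():
        if want is not None and effective.get(key) != want:
            lines.append(f"    set {key} {want}")
    current = set(effective["banned-cipher"].split())
    if not REQUIRED_BANNED <= current:
        lines.append("    set banned-cipher " + " ".join(sorted(current | REQUIRED_BANNED)))
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_ssl_settings(SAMPLE_SSL_SETTINGS)
    for finding in audit_ssl_vpn(parsed):
        print("FINDING:", finding)
    print(remediation(parsed))
```

Paste the output of show vpn ssl settings into the script's input; the remediation block it prints is meant to be reviewed before it is applied, because disabling tlsv1-1 and banning RSA key exchange will lock out clients that cannot negotiate anything newer.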
vpn/l2tp
CLI Syntax
config vpn l2tp
edit <name_str>
set eip <ipv4-address>
set sip <ipv4-address>
set status {enable | disable}
set usrgrp <string>
end
Description
Configuration                   Description                   Default Value
eip                             End IP.                       0.0.0.0
sip                             Start IP.                     0.0.0.0
status                                                        disable
usrgrp                          User group.                   (Empty)
vpn/pptp
CLI Syntax
config vpn pptp
edit <name_str>
set status {enable | disable}
set ip-mode {range | usrgrp}
set eip <ipv4-address>
set sip <ipv4-address>
set local-ip <ipv4-address>
set usrgrp <string>
end
Description
Configuration                   Description                   Default Value
status                                                        disable
ip-mode                                                       range
eip                             End IP.                       0.0.0.0
sip                             Start IP.                     0.0.0.0
local-ip                                                      0.0.0.0
usrgrp                          User group.                   (Empty)
waf/main-class
CLI Syntax
config waf main-class
edit <name_str>
set name <string>
set id <integer>
end
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
id
waf/profile
CLI Syntax
config waf profile
edit <name_str>
set name <string>
set external {disable | enable}
config signature
edit <name_str>
config main-class
edit <name_str>
set id <integer>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
end
config disabled-sub-class
edit <name_str>
set id <integer>
end
config disabled-signature
edit <name_str>
set id <integer>
end
set credit-card-detection-threshold <integer>
config custom-signature
edit <name_str>
set name <string>
set status {enable | disable}
set action {allow | block | erase}
set log {enable | disable}
set severity {high | medium | low}
set direction {request | response}
set case-sensitivity {disable | enable}
set pattern <string>
set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
end
end
config constraint
edit <name_str>
config header-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config content-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config line-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config url-param-length
edit <name_str>
set status {enable | disable}
set length <integer>
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config version
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config method
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
end
config hostname
edit <name_str>
set status {enable | disable}
set action {allow | block}
set log {enable | disable}
set severity {high | medium | low}
set
set
set
set
set
set
set
set
end
end
config method
edit <name_str>
set status {enable | disable}
set log {enable | disable}
set severity {high | medium | low}
set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
config method-policy
edit <name_str>
set id <integer>
set pattern <string>
set regex {enable | disable}
set address <string>
set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
end
end
config address-list
edit <name_str>
set status {enable | disable}
set blocked-log {enable | disable}
set severity {high | medium | low}
config trusted-address
edit <name_str>
set name <string>
end
config blocked-address
edit <name_str>
set name <string>
end
end
config url-access
edit <name_str>
set id <integer>
set address <string>
set action {bypass | permit | block}
set log {enable | disable}
set severity {high | medium | low}
config access-pattern
edit <name_str>
set id <integer>
set srcaddr <string>
set pattern <string>
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
external                                                      disable
signature                       WAF signatures.               Details below
  main-class                                                  (Empty)
  disabled-sub-class                                          (Empty)
  disabled-signature                                          (Empty)
  credit-card-detection-threshold                             3
  custom-signature                                            (Empty)
constraint                                                    Details below
  header-length        {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
  content-length       {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}
  param-length         {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
  line-length          {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}
  url-param-length     {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
  version              {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  method               {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  hostname             {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  malformed            {"status":"disable","action":"allow","log":"disable","severity":"medium"}
  max-cookie           {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}
  max-header-line      {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}
  max-url-param        {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}
  max-range-segment    {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}
  exception                                                   (Empty)
method                          Method restriction.           Details below
  status                                                      disable
  log                                                         disable
  severity                                                    medium
  default-allowed-methods                                     (Empty)
  method-policy                                               (Empty)
address-list                    Black address list and white address list.
                                                              Details below
  status                                                      disable
  blocked-log                                                 disable
  severity                                                    medium
  trusted-address                                             (Empty)
  blocked-address                                             (Empty)
url-access                                                    (Empty)
comment                         Comment.                      (Empty)
waf/signature
CLI Syntax
config waf signature
edit <name_str>
set desc <string>
set id <integer>
end
Description
Configuration                   Description                   Default Value
desc                            Signature description.        (Empty)
id                              Signature ID.
waf/sub-class
CLI Syntax
config waf sub-class
edit <name_str>
set name <string>
set id <integer>
end
Description
Configuration                   Description                   Default Value
name                                                          (Empty)
id
wanopt/auth-group
CLI Syntax
config wanopt auth-group
edit <name_str>
set name <string>
set auth-method {cert | psk}
set psk <password>
set cert <string>
set peer-accept {any | defined | one}
set peer <string>
end
Description
Configuration                   Description                   Default Value
name                            Auth-group name.              (Empty)
auth-method                                                   cert
psk                                                           (Empty)
cert                                                          (Empty)
peer-accept                                                   any
peer                                                          (Empty)
wanopt/peer
CLI Syntax
config wanopt peer
edit <name_str>
set peer-host-id <string>
set ip <ipv4-address-any>
end
Description
Configuration                   Description                   Default Value
peer-host-id                                                  (Empty)
ip                              Peer IP address.              0.0.0.0
wanopt/profile
CLI Syntax
config wanopt profile
edit <name_str>
set name <string>
set transparent {enable | disable}
set comments <var-string>
set auth-group <string>
config http
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
set ssl {enable | disable}
set ssl-port <integer>
set unknown-http-version {reject | tunnel | best-effort}
set tunnel-non-http {enable | disable}
end
config cifs
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config mapi
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config ftp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.
Description
Configuration                       Description                             Default Value
name                                Profile name.                           (Empty)
transparent                                                                 enable
comments                            Comment.                                (Empty)
auth-group                                                                  (Empty)
http                                Details below
  status                                                                    disable
  secure-tunnel                                                             disable
  byte-caching                                                              enable
  prefer-chunking                                                           fix
  tunnel-sharing                                                            private
  log-traffic                                                               enable
  port                                                                      80
  ssl                                                                       disable
  ssl-port                                                                  443
  unknown-http-version                                                      tunnel
  tunnel-non-http                                                           disable
cifs                                CIFS protocol settings. Details below
  status                                                                    disable
  secure-tunnel                                                             disable
  byte-caching                                                              enable
  prefer-chunking                                                           fix
  tunnel-sharing                                                            private
  log-traffic                                                               enable
  port                                                                      445
mapi                                MAPI protocol settings. Details below
  status                                                                    disable
  secure-tunnel                                                             disable
  byte-caching                                                              enable
  tunnel-sharing                                                            private
  log-traffic                                                               enable
  port                                                                      135
ftp                                 FTP protocol settings. Details below
  status                                                                    disable
  secure-tunnel                                                             disable
  byte-caching                                                              enable
  prefer-chunking                                                           fix
  tunnel-sharing                                                            private
  log-traffic                                                               enable
  port                                                                      21
tcp                                 TCP protocol settings. Details below
  status                                                                    disable
  secure-tunnel                                                             disable
  byte-caching                                                              disable
  byte-caching-opt                                                          mem-only
  tunnel-sharing                                                            private
  log-traffic                                                               enable
  port                                                                      1-65535
  ssl                                                                       disable
  ssl-port                                                                  443 990 995 465 993
wanopt/settings
CLI Syntax
config wanopt settings
edit <name_str>
set host-id <string>
set tunnel-ssl-algorithm {high | medium | low}
set auto-detect-algorithm {simple | diff-req-resp}
end
Description
Configuration                       Description                             Default Value
host-id                             Host identity.                          default-id
tunnel-ssl-algorithm                                                        high
auto-detect-algorithm                                                       simple
wanopt/storage
CLI Syntax
config wanopt storage
edit <name_str>
set name <string>
set size <integer>
set webcache-storage-percentage <integer>
set webcache-storage-size <user>
set wan-optimization-cache-storage-size <user>
end
Description
Configuration                       Description                             Default Value
name                                Storage name.                           (Empty)
size                                                                        1024
webcache-storage-percentage                                                 50
webcache-storage-size                                                       (Empty)
wan-optimization-cache-storage-size                                         (Empty)
wanopt/webcache
CLI Syntax
config wanopt webcache
edit <name_str>
set max-object-size <integer>
set neg-resp-time <integer>
set fresh-factor <integer>
set max-ttl <integer>
set min-ttl <integer>
set default-ttl <integer>
set ignore-ims {enable | disable}
set ignore-conditional {enable | disable}
set ignore-pnc {enable | disable}
set ignore-ie-reload {enable | disable}
set cache-expired {enable | disable}
set cache-cookie {enable | disable}
set reval-pnc {enable | disable}
set always-revalidate {enable | disable}
set cache-by-default {enable | disable}
set host-validate {enable | disable}
set external {enable | disable}
end
Description
Configuration                       Description                             Default Value
max-object-size                                                             512000
neg-resp-time
fresh-factor                                                                100
max-ttl                                                                     7200
min-ttl
default-ttl                                                                 1440
ignore-ims                                                                  disable
ignore-conditional                                                          disable
ignore-pnc                                                                  disable
ignore-ie-reload                                                            enable
cache-expired                                                               disable
cache-cookie                                                                disable
reval-pnc                                                                   disable
always-revalidate                                                           disable
cache-by-default                                                            disable
host-validate                                                               disable
external                                                                    disable
web-proxy/debug-url
CLI Syntax
config web-proxy debug-url
edit <name_str>
set name <string>
set url-pattern <string>
set status {enable | disable}
set exact {enable | disable}
end
Description
Configuration                       Description                             Default Value
name                                                                        (Empty)
url-pattern                                                                 (Empty)
status                                                                      enable
exact                                                                       enable
web-proxy/explicit
CLI Syntax
config web-proxy explicit
edit <name_str>
set status {enable | disable}
set ftp-over-http {enable | disable}
set socks {enable | disable}
set http-incoming-port <integer>
set https-incoming-port <integer>
set ftp-incoming-port <integer>
set socks-incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set ipv6-status {enable | disable}
set incoming-ip6 <ipv6-address>
set outgoing-ip6 <ipv6-address>
set strict-guest {enable | disable}
set pref-dns-result {ipv4 | ipv6}
set unknown-http-version {reject | best-effort}
set realm <string>
set sec-default-action {accept | deny}
set https-replacement-message {enable | disable}
set message-upon-server-error {enable | disable}
set pac-file-server-status {enable | disable}
set pac-file-server-port <integer>
set pac-file-name <string>
set pac-file-data <user>
set pac-file-url <user>
set ssl-algorithm {high | medium | low}
end
Description
Configuration                       Description                             Default Value
status                                                                      disable
ftp-over-http                       Enable/disable FTP-over-HTTP.           disable
socks                                                                       disable
http-incoming-port                                                          8080
https-incoming-port
ftp-incoming-port
socks-incoming-port
incoming-ip                                                                 0.0.0.0
outgoing-ip                                                                 (Empty)
ipv6-status                                                                 disable
incoming-ip6                                                                ::
outgoing-ip6                                                                (Empty)
strict-guest                                                                disable
pref-dns-result                                                             ipv4
unknown-http-version                                                        reject
realm                               Authentication realm.                   default
sec-default-action                                                          deny
https-replacement-message                                                   enable
message-upon-server-error                                                   enable
pac-file-server-status                                                      disable
pac-file-server-port
pac-file-name                                                               proxy.pac
pac-file-data                                                               (Empty)
pac-file-url                                                                (Empty)
ssl-algorithm                                                               low
web-proxy/forward-server
CLI Syntax
config web-proxy forward-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set fqdn <string>
set addr-type {ip | fqdn}
set port <integer>
set healthcheck {disable | enable}
set monitor <string>
set server-down-option {block | pass}
set comment <string>
end
Description
Configuration                       Description                             Default Value
name                                Server name.                            (Empty)
ip                                                                          0.0.0.0
fqdn                                                                        (Empty)
addr-type                           Address type.                           ip
port                                                                        3128
healthcheck                                                                 disable
monitor                                                                     http://www.google.com
server-down-option                                                          block
comment                             Comment.                                (Empty)
web-proxy/forward-server-group
CLI Syntax
config web-proxy forward-server-group
edit <name_str>
set name <string>
set affinity {enable | disable}
set ldb-method {weighted | least-session}
set group-down-option {block | pass}
config server-list
edit <name_str>
set name <string>
set weight <integer>
end
end
Description
Configuration                       Description                             Default Value
name                                                                        (Empty)
affinity                            Enable/disable affinity.                enable
ldb-method                                                                  weighted
group-down-option                                                           block
server-list                                                                 (Empty)
web-proxy/global
CLI Syntax
config web-proxy global
edit <name_str>
set proxy-fqdn <string>
set max-request-length <integer>
set max-message-length <integer>
set strict-web-check {enable | disable}
set forward-proxy-auth {enable | disable}
set tunnel-non-http {enable | disable}
set unknown-http-version {reject | tunnel | best-effort}
set forward-server-affinity-timeout <integer>
set max-waf-body-cache-length <integer>
set webproxy-profile <string>
end
Description
Configuration                       Description                             Default Value
proxy-fqdn                          Proxy FQDN.                             default.fqdn
max-request-length
max-message-length                                                          32
strict-web-check                                                            disable
forward-proxy-auth                                                          disable
tunnel-non-http                                                             enable
unknown-http-version                                                        best-effort
forward-server-affinity-timeout                                             30
max-waf-body-cache-length                                                   100
webproxy-profile                                                            (Empty)
web-proxy/profile
CLI Syntax
config web-proxy profile
edit <name_str>
set name <string>
set header-client-ip {pass | add | remove}
set header-via-request {pass | add | remove}
set header-via-response {pass | add | remove}
set header-x-forwarded-for {pass | add | remove}
set header-front-end-https {pass | add | remove}
config headers
edit <name_str>
set id <integer>
set name <string>
set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
set content <string>
end
end
Description
Configuration                       Description                             Default Value
name                                Profile name.                           (Empty)
header-client-ip                                                            pass
header-via-request                                                          pass
header-via-response                                                         pass
header-x-forwarded-for                                                      pass
header-front-end-https                                                      pass
headers                                                                     (Empty)
web-proxy/url-match
CLI Syntax
config web-proxy url-match
edit <name_str>
set name <string>
set status {enable | disable}
set url-pattern <string>
set forward-server <string>
set cache-exemption {enable | disable}
set comment <var-string>
end
Description
Configuration                       Description                             Default Value
name                                                                        (Empty)
status                                                                      enable
url-pattern                         URL pattern.                            (Empty)
forward-server                                                              (Empty)
cache-exemption                                                             disable
comment                             Comment.                                (Empty)
webfilter/content
CLI Syntax
config webfilter content
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set name <string>
set pattern-type {wildcard | regexp}
set status {enable | disable}
set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
set score <integer>
set action {block | exempt}
end
end
Description
Configuration                       Description                             Default Value
id                                  ID.
name                                Name of table.                          (Empty)
comment                             Comment.                                (Empty)
entries                                                                     (Empty)
webfilter/content-header
CLI Syntax
config webfilter content-header
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set pattern <string>
set action {block | allow | exempt}
set category <user>
end
end
Description
Configuration                       Description                             Default Value
id                                  ID.
name                                Name of table.                          (Empty)
comment                             Comment.                                (Empty)
entries                                                                     (Empty)
webfilter/cookie-ovrd
CLI Syntax
config webfilter cookie-ovrd
edit <name_str>
set auth-epoch <integer>
set redir-host <string>
set redir-port <integer>
set cookie-name <string>
end
Description
Configuration                       Description                             Default Value
auth-epoch
redir-host                                                                  (Empty)
redir-port                                                                  20080
cookie-name                                                                 wfovrdZnkHSb2CESh
webfilter/fortiguard
CLI Syntax
config webfilter fortiguard
edit <name_str>
set cache-mode {ttl | db-ver}
set cache-prefix-match {enable | disable}
set cache-mem-percent <integer>
set ovrd-auth-port-http <integer>
set ovrd-auth-port-https <integer>
set ovrd-auth-port-warning <integer>
set ovrd-auth-https {enable | disable}
set warn-auth-https {enable | disable}
set close-ports {enable | disable}
set request-packet-size-limit <integer>
set ovrd-auth-port <integer>
end
Description
Configuration                       Description                             Default Value
cache-mode                                                                  ttl
cache-prefix-match                                                          enable
cache-mem-percent
ovrd-auth-port-http                                                         8008
ovrd-auth-port-https                                                        8010
ovrd-auth-port-warning                                                      8020
ovrd-auth-https                                                             enable
warn-auth-https                                                             enable
close-ports                                                                 disable
request-packet-size-limit
ovrd-auth-port                                                              8008
webfilter/ftgd-local-cat
CLI Syntax
config webfilter ftgd-local-cat
edit <name_str>
set id <integer>
set desc <string>
end
Description
Configuration                       Description                             Default Value
id
desc                                                                        (Empty)
webfilter/ftgd-local-rating
CLI Syntax
config webfilter ftgd-local-rating
edit <name_str>
set url <string>
set status {enable | disable}
set rating <user>
end
Description
Configuration                       Description                             Default Value
url                                                                         (Empty)
status                                                                      enable
rating                              Local rating.
webfilter/ftgd-warning
CLI Syntax
config webfilter ftgd-warning
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set expires <user>
set rating <integer>
end
Description
Configuration                       Description                             Default Value
id
status                                                                      disable
scope                                                                       user
ip                                                                          0.0.0.0
user                                                                        (Empty)
user-group                                                                  (Empty)
old-profile                                                                 (Empty)
expires                                                                     1969/12/31 17:00:00
rating
webfilter/ips-urlfilter-cache-setting
CLI Syntax
config webfilter ips-urlfilter-cache-setting
edit <name_str>
set dns-retry-interval <integer>
set extended-ttl <integer>
end
Description
Configuration                       Description                             Default Value
dns-retry-interval
extended-ttl
webfilter/ips-urlfilter-setting
CLI Syntax
config webfilter ips-urlfilter-setting
edit <name_str>
set device <string>
set distance <integer>
set gateway <ipv4-address>
end
Description
Configuration                       Description                             Default Value
device                                                                      (Empty)
distance
gateway                                                                     0.0.0.0
webfilter/override
CLI Syntax
config webfilter override
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end
Description
Configuration                       Description                             Default Value
id
status                                                                      disable
scope                                                                       user
ip                                                                          0.0.0.0
user                                                                        (Empty)
user-group                                                                  (Empty)
old-profile                                                                 (Empty)
new-profile                                                                 (Empty)
ip6                                                                         ::
expires                                                                     1969/12/31 17:00:00
initiator                                                                   (Empty)
webfilter/override-user
CLI Syntax
config webfilter override-user
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end
Description
Configuration                       Description                             Default Value
id
status                                                                      disable
scope                                                                       user
ip                                                                          0.0.0.0
user                                                                        (Empty)
user-group                                                                  (Empty)
old-profile                                                                 (Empty)
new-profile                                                                 (Empty)
ip6                                                                         ::
expires                                                                     1969/12/31 17:00:00
initiator                                                                   (Empty)
webfilter/profile
CLI Syntax
config webfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based | dns}
set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-urlscan | per-user-bwl}
set https-replacemsg {enable | disable}
set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}
set post-action {normal | comfort | block}
config override
edit <name_str>
set ovrd-cookie {allow | deny}
set ovrd-scope {user | user-group | ip | browser | ask}
set profile-type {list | radius}
set ovrd-dur-mode {constant | ask}
set ovrd-dur <user>
set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
config ovrd-user-group
edit <name_str>
set name <string>
end
config profile
edit <name_str>
set name <string>
end
end
config web
edit <name_str>
set bword-threshold <integer>
set bword-table <integer>
set urlfilter-table <integer>
set content-header-list <integer>
set blacklist {enable | disable}
end
set wisp-algorithm {primary-secondary | round-robin | auto-learning}
set log-all-url {enable | disable}
set web-content-log {enable | disable}
set web-filter-activex-log {enable | disable}
set web-filter-command-block-log {enable | disable}
set web-filter-cookie-log {enable | disable}
set web-filter-applet-log {enable | disable}
set web-filter-jscript-log {enable | disable}
set web-filter-js-log {enable | disable}
set web-filter-vbs-log {enable | disable}
set web-filter-unknown-log {enable | disable}
set web-filter-referer-log {enable | disable}
set web-filter-cookie-removal-log {enable | disable}
set web-url-log {enable | disable}
set web-invalid-domain-log {enable | disable}
set web-ftgd-err-log {enable | disable}
set web-ftgd-quota-usage {enable | disable}
end
Description
Configuration                       Description                             Default Value
name                                Profile name.                           (Empty)
comment                             Comment.                                (Empty)
replacemsg-group                                                            (Empty)
inspection-mode                                                             proxy
options                             Options.                                (Empty)
https-replacemsg                                                            enable
ovrd-perm                                                                   (Empty)
post-action                                                                 normal
override                            Details below
  ovrd-cookie                                                               deny
  ovrd-scope                                                                user
  profile-type                                                              list
  ovrd-dur-mode                                                             constant
  ovrd-dur                                                                  15m
  profile-attribute                                                         Login-LAT-Service
  ovrd-user-group                                                           (Empty)
  profile                                                                   (Empty)
web                                 Web settings. Details below
  bword-threshold                                                           10
  bword-table                                                               0
  urlfilter-table                                                           0
  content-header-list                                                       0
  blacklist                                                                 disable
  whitelist                                                                 (Empty)
  safe-search                                                               (Empty)
  youtube-edu-filter-id                                                     (Empty)
  log-search                                                                disable
  keyword-match                                                             (Empty)
ftgd-wf                             Details below
  options                                                                   ftgd-disable
  category-override                                                         17
  exempt-quota                                                              (Empty)
  ovrd                                                                      (Empty)
  filters
  quota
  max-quota-timeout                                                         300
  rate-image-urls                                                           enable
  rate-javascript-urls                                                      enable
  rate-css-urls                                                             enable
  rate-crl-urls                                                             enable
wisp                                                                        disable
wisp-servers                        WISP servers.                           (Empty)
wisp-algorithm                                                              auto-learning
log-all-url                                                                 disable
web-content-log                                                             enable
web-filter-activex-log                                                      enable
web-filter-command-block-log                                                enable
web-filter-cookie-log                                                       enable
web-filter-applet-log                                                       enable
web-filter-jscript-log                                                      enable
web-filter-js-log                                                           enable
web-filter-vbs-log                                                          enable
web-filter-unknown-log                                                      enable
web-filter-referer-log                                                      enable
web-filter-cookie-removal-log                                               enable
web-url-log                                                                 enable
web-invalid-domain-log                                                      enable
web-ftgd-err-log                                                            enable
web-ftgd-quota-usage                                                        enable
webfilter/search-engine
CLI Syntax
config webfilter search-engine
edit <name_str>
set name <string>
set hostname <string>
set url <string>
set query <string>
set safesearch {disable | url | header}
set charset {utf-8 | gb2312}
set safesearch-str <string>
end
Description
Configuration                       Description                             Default Value
name                                                                        (Empty)
hostname                                                                    (Empty)
url                                                                         (Empty)
query                                                                       (Empty)
safesearch                                                                  disable
charset                                                                     utf-8
safesearch-str                                                              (Empty)
webfilter/urlfilter
CLI Syntax
config webfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
set one-arm-ips-urlfilter {enable | disable}
set ip-addr-block {enable | disable}
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {exempt | block | allow | monitor}
set status {enable | disable}
set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
set web-proxy-profile <string>
set referrer-host <string>
end
end
Description
Configuration                       Description                             Default Value
id                                  ID.
name                                Name of table.                          (Empty)
comment                             Comment.                                (Empty)
one-arm-ips-urlfilter                                                       disable
ip-addr-block                                                               disable
entries                                                                     (Empty)
wireless-controller/ap-status
CLI Syntax
config wireless-controller ap-status
edit <name_str>
set id <integer>
set bssid <mac-address>
set ssid <string>
set status {rogue | accepted | suppressed}
end
Description
Configuration                       Description                             Default Value
id                                  AP ID.
bssid                               AP's BSSID.                             00:00:00:00:00:00
ssid                                AP's SSID.                              (Empty)
status                              AP status.                              rogue
wireless-controller/global
CLI Syntax
config wireless-controller global
edit <name_str>
set name <string>
set location <string>
set max-retransmit <integer>
set data-ethernet-II {enable | disable}
set link-aggregation {enable | disable}
set mesh-eth-type <integer>
set fiapp-eth-type <integer>
set discovery-mc-addr <ipv4-address-multicast>
set max-clients <integer>
set rogue-scan-mac-adjacency <integer>
set ap-log-server {enable | disable}
set ap-log-server-ip <ipv4-address>
set ap-log-server-port <integer>
end
Description
Configuration                       Description                             Default Value
name                                Name.                                   (Empty)
location                            Location.                               (Empty)
max-retransmit
data-ethernet-II                                                            disable
link-aggregation                                                            disable
mesh-eth-type                                                               8755
fiapp-eth-type                                                              5252
discovery-mc-addr                                                           224.0.1.140
max-clients
rogue-scan-mac-adjacency
ap-log-server                                                               disable
ap-log-server-ip                                                            0.0.0.0
ap-log-server-port
wireless-controller/setting
CLI Syntax
config wireless-controller setting
edit <name_str>
set account-id <string>
set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PY | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
end
Description
Configuration                       Description                             Default Value
account-id                                                                  (Empty)
country                             Country.                                US
wireless-controller/timers
CLI Syntax
config wireless-controller timers
edit <name_str>
set echo-interval <integer>
set discovery-interval <integer>
set client-idle-timeout <integer>
set rogue-ap-log <integer>
set fake-ap-log <integer>
set darrp-optimize <integer>
set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
config darrp-time
edit <name_str>
set time <string>
end
set sta-stats-interval <integer>
set vap-stats-interval <integer>
set radio-stats-interval <integer>
set sta-capability-interval <integer>
set sta-locate-timer <integer>
end
Description
Configuration                       Description                             Default Value
echo-interval                                                               30
discovery-interval
client-idle-timeout                                                         300
rogue-ap-log
fake-ap-log
darrp-optimize                                                              1800
darrp-day                                                                   (Empty)
darrp-time                                                                  (Empty)
sta-stats-interval
vap-stats-interval                  WTP interval for which VAP statistics are sent (1 - 255, default = 15 sec).  15
radio-stats-interval                                                        15
sta-capability-interval                                                     30
sta-locate-timer                                                            1800
wireless-controller/vap
CLI Syntax
config wireless-controller vap
edit <name_str>
set name <string>
set vdom <string>
set fast-roaming {enable | disable}
set external-fast-roaming {enable | disable}
set mesh-backhaul {enable | disable}
set max-clients <integer>
set max-clients-ap <integer>
set ssid <string>
set broadcast-ssid {enable | disable}
set security-obsolete-option {enable | disable}
set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
set pmf {disable | enable | optional}
set pmf-assoc-comeback-timeout <integer>
set pmf-sa-query-retry-timeout <integer>
set okc {disable | enable}
set tkip-counter-measure {enable | disable}
set external-web <string>
set external-logout <string>
set radius-mac-auth {enable | disable}
set radius-mac-auth-server <string>
set auth {psk | radius | usergroup}
set encrypt {TKIP | AES | TKIP-AES}
set keyindex <integer>
set key <password>
set passphrase <password>
set radius-server <string>
set acct-interim-interval <integer>
config usergroup
edit <name_str>
set name <string>
end
set portal-message-override-group <string>
config portal-message-overrides
edit <name_str>
set auth-disclaimer-page <string>
set auth-reject-page <string>
set auth-login-page <string>
set auth-login-failed-page <string>
end
set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
config selected-usergroups
edit <name_str>
Description
Configuration                       Description                             Default Value
name                                Virtual AP name.                        (Empty)
vdom                                Owning VDOM.                            (Empty)
fast-roaming                                                                enable
external-fast-roaming                                                       disable
mesh-backhaul                                                               disable
max-clients
max-clients-ap
ssid                                                                        fortinet
broadcast-ssid                                                              enable
security-obsolete-option                                                    disable
security                                                                    wpa2-only-personal
pmf                                                                         disable
pmf-assoc-comeback-timeout
pmf-sa-query-retry-timeout
okc                                                                         enable
tkip-counter-measure                                                        enable
external-web                                                                (Empty)
external-logout                                                             (Empty)
radius-mac-auth                                                             disable
radius-mac-auth-server                                                      (Empty)
auth                                Authentication protocol.                psk
encrypt                             Data encryption.                        AES
keyindex
key                                 WEP key.                                (Empty)
passphrase                                                                  (Empty)
radius-server                                                               (Empty)
acct-interim-interval               WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).
usergroup                                                                   (Empty)
portal-message-override-group                                               (Empty)
portal-message-overrides            Details below
  auth-disclaimer-page                                                      (Empty)
  auth-reject-page                                                          (Empty)
  auth-login-page                                                           (Empty)
  auth-login-failed-page                                                    (Empty)
portal-type                                                                 auth
selected-usergroups                                                         (Empty)
security-exempt-list                                                        (Empty)
security-redirect-url                                                       (Empty)
intra-vap-privacy                                                           disable
schedule                                                                    (Empty)
local-standalone                                                            disable
local-standalone-nat                                                        disable
ip                                                                          0.0.0.0 0.0.0.0
local-bridging                                                              disable
split-tunneling                                                             disable
local-authentication                                                        disable
vlanid
vlan-auto                                                                   disable
dynamic-vlan                                                                disable
alias                               Alias.                                  (Empty)
multicast-rate
multicast-enhance                                                           disable
broadcast-suppression                                                       dhcp-up arp-known
me-disable-thresh                                                           32
probe-resp-suppression                                                      disable
probe-resp-threshold                                                        -80
vlan-pooling                                                                disable
vlan-pool                           VLAN pool.                              (Empty)
ptk-rekey                                                                   disable
ptk-rekey-intv                                                              86400
gtk-rekey                                                                   disable
gtk-rekey-intv                                                              86400
eap-reauth                                                                  disable
eap-reauth-intv                                                             86400
rates-11a                                                                   (Empty)
rates-11bg                                                                  (Empty)
rates-11n-ss12
rates-11n-ss34
rates-11ac-ss12                                                             (Empty)
rates-11ac-ss34                                                             (Empty)
mac-filter                                                                  disable
mac-filter-policy-other                                                     allow
mac-filter-list                                                             (Empty)
wireless-controller/vap-group
CLI Syntax
config wireless-controller vap-group
edit <name_str>
set name <string>
set comment <var-string>
config vaps
edit <name_str>
set name <string>
end
end
Description
Configuration                       Description                             Default Value
name                                Group name.                             (Empty)
comment                             Comment.                                (Empty)
vaps                                                                        (Empty)
wireless-controller/wids-profile
CLI Syntax
config wireless-controller wids-profile
edit <name_str>
set name <string>
set comment <string>
set ap-scan {disable | enable}
set ap-bgscan-period <integer>
set ap-bgscan-intv <integer>
set ap-bgscan-duration <integer>
set ap-bgscan-idle <integer>
set ap-bgscan-report-intv <integer>
set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set ap-bgscan-disable-start <user>
set ap-bgscan-disable-end <user>
set ap-fgscan-report-intv <integer>
set ap-scan-passive {enable | disable}
set rogue-scan {enable | disable}
set ap-auto-suppress {enable | disable}
set wireless-bridge {enable | disable}
set deauth-broadcast {enable | disable}
set null-ssid-probe-resp {enable | disable}
set long-duration-attack {enable | disable}
set long-duration-thresh <integer>
set invalid-mac-oui {enable | disable}
set weak-wep-iv {enable | disable}
set auth-frame-flood {enable | disable}
set auth-flood-time <integer>
set auth-flood-thresh <integer>
set assoc-frame-flood {enable | disable}
set assoc-flood-time <integer>
set assoc-flood-thresh <integer>
set spoofed-deauth {enable | disable}
set asleap-attack {enable | disable}
set eapol-start-flood {enable | disable}
set eapol-start-thresh <integer>
set eapol-start-intv <integer>
set eapol-logoff-flood {enable | disable}
set eapol-logoff-thresh <integer>
set eapol-logoff-intv <integer>
set eapol-succ-flood {enable | disable}
set eapol-succ-thresh <integer>
set eapol-succ-intv <integer>
set eapol-fail-flood {enable | disable}
set eapol-fail-thresh <integer>
set eapol-fail-intv <integer>
set eapol-pre-succ-flood {enable | disable}
set eapol-pre-succ-thresh <integer>
set eapol-pre-succ-intv <integer>
set eapol-pre-fail-flood {enable | disable}
set eapol-pre-fail-thresh <integer>
set eapol-pre-fail-intv <integer>
set deauth-unknown-src-thresh <integer>
end
Description
Configuration                       Description                             Default Value
name                                                                        (Empty)
comment                             Comment.                                (Empty)
ap-scan                             Enable/disable AP scan.                 disable
ap-bgscan-period                                                            600
ap-bgscan-intv
ap-bgscan-duration                                                          20
ap-bgscan-idle
ap-bgscan-report-intv                                                       30
ap-bgscan-disable-day                                                       (Empty)
ap-bgscan-disable-start                                                     00:00
ap-bgscan-disable-end                                                       00:00
ap-fgscan-report-intv                                                       15
ap-scan-passive                                                             disable
rogue-scan                                                                  disable
ap-auto-suppress                                                            disable
wireless-bridge                                                             disable
deauth-broadcast                                                            disable
null-ssid-probe-resp                                                        disable
long-duration-attack                                                        disable
long-duration-thresh                                                        8200
invalid-mac-oui                                                             disable
weak-wep-iv                                                                 disable
auth-frame-flood                                                            disable
auth-flood-time                                                             10
auth-flood-thresh                                                           30
assoc-frame-flood                                                           disable
assoc-flood-time                                                            10
assoc-flood-thresh                                                          30
spoofed-deauth                                                              disable
asleap-attack                                                               disable
eapol-start-flood                                                           disable
eapol-start-thresh                                                          10
eapol-start-intv
eapol-logoff-flood                                                          disable
eapol-logoff-thresh                                                         10
eapol-logoff-intv
eapol-succ-flood                                                            disable
eapol-succ-thresh                                                           10
eapol-succ-intv
eapol-fail-flood                                                            disable
eapol-fail-thresh                                                           10
eapol-fail-intv
eapol-pre-succ-flood                                                        disable
eapol-pre-succ-thresh                                                       10
eapol-pre-succ-intv
eapol-pre-fail-flood                                                        disable
eapol-pre-fail-thresh                                                       10
eapol-pre-fail-intv
deauth-unknown-src-thresh                                                   10
wireless-controller/wtp
CLI Syntax
config wireless-controller wtp
edit <name_str>
set wtp-id <string>
set index <integer>
set admin {discovered | disable | enable}
set name <string>
set location <string>
set wtp-mode {normal | remote}
set wtp-profile <string>
set override-led-state {enable | disable}
set led-state {enable | disable}
set override-wan-port-mode {enable | disable}
set wan-port-mode {wan-lan | wan-only}
set override-ip-fragment {enable | disable}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set override-split-tunnel {enable | disable}
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set override-lan {enable | disable}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set override-allowaccess {enable | disable}
edit <name_str>
set chan <string>
end
end
set image-download {enable | disable}
set mesh-bridge-enable {default | enable | disable}
set coordinate-enable {enable | disable}
set coordinate-x <string>
set coordinate-y <string>
end
Description
Configuration                       Description                             Default Value
wtp-id                              WTP ID.                                 (Empty)
index                               Index (0 - 4294967295).
admin                               Admin status.                           enable
name                                WTP name.                               (Empty)
location                            WTP location.                           (Empty)
wtp-mode                            WTP mode.                               normal
wtp-profile                                                                 (Empty)
override-led-state                                                          disable
led-state                                                                   enable
override-wan-port-mode                                                      disable
wan-port-mode                                                               wan-only
override-ip-fragment                                                        disable
ip-fragment-preventing                                                      tcp-mss-adjust
tun-mtu-uplink
tun-mtu-downlink
override-split-tunnel                                                       disable
split-tunneling-acl-local-ap-subnet                                         disable
split-tunneling-acl                                                         (Empty)
override-lan                                                                disable
lan                                 Details below
  port-mode                                                                 offline
  port-ssid                                                                 (Empty)
  port1-mode                                                                offline
  port1-ssid                                                                (Empty)
  port2-mode                                                                offline
  port2-ssid                                                                (Empty)
  port3-mode                                                                offline
  port3-ssid                                                                (Empty)
  port4-mode                                                                offline
  port4-ssid                                                                (Empty)
  port5-mode                                                                offline
  port5-ssid                                                                (Empty)
  port6-mode                                                                offline
  port6-ssid                                                                (Empty)
  port7-mode                                                                offline
  port7-ssid                                                                (Empty)
  port8-mode                                                                offline
  port8-ssid                                                                (Empty)
override-allowaccess                                                        disable
allowaccess                                                                 (Empty)
override-login-passwd-change                                                disable
login-passwd-change                                                         no
login-passwd                                                                (Empty)
radio-1                             Radio 1. Details below
  radio-id                                                                  0
  override-band                                                             disable
  band                                                                      (Empty)
  override-analysis                                                         disable
  spectrum-analysis                                                         disable
  override-txpower                                                          disable
  auto-power-level                                                          disable
  auto-power-high                                                           17
  auto-power-low                                                            10
  power-level                                                               100
  override-vaps                                                             disable
  vap-all                                                                   enable
  vaps                                                                      (Empty)
  override-channel                                                          disable
  channel                                                                   (Empty)
radio-2                             Radio 2. Details below
  radio-id                                                                  1
  override-band                                                             disable
  band                                                                      (Empty)
  override-analysis                                                         disable
  spectrum-analysis                                                         disable
  override-txpower                                                          disable
  auto-power-level                                                          disable
  auto-power-high                                                           17
  auto-power-low                                                            10
  power-level                                                               100
  override-vaps                                                             disable
  vap-all                                                                   enable
  vaps                                                                      (Empty)
  override-channel                                                          disable
  channel                                                                   (Empty)
image-download                                                              enable
mesh-bridge-enable                                                          default
coordinate-enable                                                           disable
coordinate-x                        X axis coordinate.
coordinate-y                        Y axis coordinate.
wireless-controller/wtp-profile
CLI Syntax
config wireless-controller wtp-profile
edit <name_str>
set name <string>
set comment <var-string>
config platform
edit <name_str>
set type {AP-11N | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C | 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321C | S322C | S323C | S311C | S313C | S321CR | S322CR | S323CR | S421E | S422E | S423E}
end
set wan-port-mode {wan-lan | wan-only}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set led-state {enable | disable}
set dtls-policy {clear-text | dtls-enabled}
set dtls-in-kernel {enable | disable}
set max-clients <integer>
set handoff-rssi <integer>
set handoff-sta-thresh <integer>
set handoff-roaming {enable | disable}
config deny-mac-list
edit <name_str>
set id <integer>
set mac <mac-address>
end
set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PY | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set allowaccess {telnet | http | https | ssh}
set login-passwd-change {yes | default | no}
set login-passwd <password>
set lldp {enable | disable}
config radio-1
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11ac-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
Description
Configuration | Description | Default Value
name | | (Empty)
comment | Comment. | (Empty)
platform | WTP platform. | Details below
wan-port-mode | | wan-only
lan | | Details below
led-state | | enable
dtls-policy | | clear-text
dtls-in-kernel | | disable
max-clients | |
handoff-rssi | | 25
handoff-sta-thresh | | 30
handoff-roaming | | enable
deny-mac-list | | (Empty)
ap-country | AP country code. | NA
ip-fragment-preventing | | tcp-mss-adjust
tun-mtu-uplink | |
tun-mtu-downlink | |
split-tunneling-acl-local-ap-subnet | | disable
split-tunneling-acl | | (Empty)
allowaccess | | (Empty)
login-passwd-change | | no
login-passwd | | (Empty)
lldp | Enable/disable LLDP. | disable
radio-1 | Radio 1. | Details below
radio-2 | Radio 2. | Details below
lbs | Location based service. | Details below

platform
Configuration | Default Value
type | 220B

lan
Configuration | Default Value
port-mode | offline
port-ssid | (Empty)
port1-mode | offline
port1-ssid | (Empty)
port2-mode | offline
port2-ssid | (Empty)
port3-mode | offline
port3-ssid | (Empty)
port4-mode | offline
port4-ssid | (Empty)
port5-mode | offline
port5-ssid | (Empty)
port6-mode | offline
port6-ssid | (Empty)
port7-mode | offline
port7-ssid | (Empty)
port8-mode | offline
port8-ssid | (Empty)

radio-1
Configuration | Default Value
radio-id | 0
mode | ap
band | (Empty)
protection-mode | disable
powersave-optimize | (Empty)
transmit-optimize | power-save aggr-limit retry-limit send-bar
amsdu | enable
coexistence | enable
short-guard-interval | disable
channel-bonding | 20MHz
auto-power-level | disable
auto-power-high | 17
auto-power-low | 10
power-level | 100
dtim | 1
beacon-interval | 100
rts-threshold | 2346
frag-threshold | 2346
ap-sniffer-bufsize | 16
ap-sniffer-chan | 36
ap-sniffer-addr | 00:00:00:00:00:00
ap-sniffer-mgmt-beacon | enable
ap-sniffer-mgmt-probe | enable
ap-sniffer-mgmt-other | enable
ap-sniffer-ctl | enable
ap-sniffer-data | enable
spectrum-analysis | disable
wids-profile | (Empty)
darrp | disable
max-clients | 0
max-distance | 0
frequency-handoff | disable
ap-handoff | disable
vap-all | enable
vaps | (Empty)
channel | (Empty)

radio-2
Configuration | Default Value
radio-id | 1
mode | ap
band | (Empty)
protection-mode | disable
powersave-optimize | (Empty)
transmit-optimize | power-save aggr-limit retry-limit send-bar
amsdu | enable
coexistence | enable
short-guard-interval | disable
channel-bonding | 20MHz
auto-power-level | disable
auto-power-high | 17
auto-power-low | 10
power-level | 100
dtim | 1
beacon-interval | 100
rts-threshold | 2346
frag-threshold | 2346
ap-sniffer-bufsize | 16
ap-sniffer-chan | 6
ap-sniffer-addr | 00:00:00:00:00:00
ap-sniffer-mgmt-beacon | enable
ap-sniffer-mgmt-probe | enable
ap-sniffer-mgmt-other | enable
ap-sniffer-ctl | enable
ap-sniffer-data | enable
spectrum-analysis | disable
wids-profile | (Empty)
darrp | disable
max-clients | 0
max-distance | 0
frequency-handoff | disable
ap-handoff | disable
vap-all | enable
vaps | (Empty)
channel | (Empty)

lbs
Configuration | Default Value
ekahau-blink-mode | disable
ekahau-tag | 01:18:8e:00:00:00
erc-server-ip | 0.0.0.0
erc-server-port | 8569
aeroscout | disable
aeroscout-server-ip | 0.0.0.0
aeroscout-server-port | 0
aeroscout-mu-factor | 20
aeroscout-mu-timeout | 5
fortipresence | disable
fortipresence-server | 0.0.0.0
fortipresence-port | 3000
fortipresence-secret | fortinet
fortipresence-project | fortipresence
fortipresence-frequency | 30
fortipresence-rogue | disable
fortipresence-unassoc | disable
station-locate | disable
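As an added example, not taken from the CLI Reference, the following profile changes the defaults listed above that matter most for the AP-to-controller link and for management of the AP itself: the CAPWAP data channel is encrypted (dtls-policy defaults to clear-text), AP management is limited to HTTPS and SSH (telnet and http are left out of allowaccess), the AP's built-in admin password is replaced, and a WIDS profile is attached to both radios. The profile name secure-ap, the WIDS profile name default-wids, the platform type, the password placeholder and the MAC address in deny-mac-list are assumptions made for this example.

```fortios
# Added example, not from the CLI Reference. The quoted names, the platform type,
# the password placeholder and the MAC address are assumptions for this example.
config wireless-controller wtp-profile
    edit "secure-ap"
        set comment "hardened AP profile"
        config platform
            set type 221C
        end
        # Default is clear-text; dtls-enabled encrypts the CAPWAP data channel
        # between the AP and the FortiGate.
        set dtls-policy dtls-enabled
        # Default is (Empty). Permit only the encrypted management protocols on
        # the AP; telnet and http are deliberately left out.
        set allowaccess https ssh
        # Default is no. Replace the AP's built-in admin password when the
        # profile is applied.
        set login-passwd-change yes
        set login-passwd "<ap-admin-password-placeholder>"
        # Default is disable; stated explicitly so the AP does not advertise
        # itself to LLDP neighbours if the default changes.
        set lldp disable
        # Client MAC addresses listed here are denied (constructed example value).
        config deny-mac-list
            edit 1
                set mac 00:11:22:33:44:55
            next
        end
        # Attach a WIDS profile to both radios; "default-wids" is assumed to
        # exist under config wireless-controller wids-profile.
        config radio-1
            set mode ap
            set band 802.11ac
            set wids-profile "default-wids"
        end
        config radio-2
            set mode ap
            set band 802.11n
            set wids-profile "default-wids"
        end
    next
end
```

The profile is applied to an AP by setting wtp-profile on the corresponding wireless-controller wtp entry; per-AP overrides (override-allowaccess, override-login-passwdchange and the others in the wtp table) stay at disable so the hardened values from the profile take effect.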
execute
The execute commands perform immediate operations on the FortiGate unit, including:
- Maintenance operations, such as back up and restore the system configuration, reset the configuration to factory settings, update antivirus and attack definitions, view and delete log messages, set the date and time.
- Network operations, such as view and clear DHCP leases, clear arp table entries, use ping or traceroute to diagnose network problems.
- Generate certificate requests and install certificates for VPN authentication.
backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB
disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis
and Management Service. For more information, see "fortiguard" on page 1 or "central-management" on page 1.
When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file
depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator
account can restore the configuration from this file.
Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config management-station <comment_str>
execute backup config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config usb <filename_str> [<backup_password_str>]
execute backup config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup config-with-forticlient-info usb [<backup_password_str>]
execute backup config-with-forticlient-info usb-mode [<backup_password_str>]
execute backup full-config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute backup full-config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute backup full-config usb <filename_str> [<backup_password_str>]
execute backup full-config usb-mode <filename_str> [<backup_password_str>]
execute backup ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]]
execute backup ipsuserdefsig tftp <filename_str> <server_ipv4>
execute backup {disk|memory} alllogs ftp <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
Variable | Description
config-with-forticlient-info ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>] |
config-with-forticlient-info tftp <filename_str> <server_ipv4> [<backup_password_str>] |
config-with-forticlient-info usb [<backup_password_str>] |
| Back up either all memory or all hard disk log files for this VDOM to an FTP server. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>
| Back up either all memory or all hard disk log files for this VDOM to a TFTP server. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>
| Back up either all memory or all hard disk log files for this VDOM to a USB disk. The disk option is available on FortiGate models that log to a hard disk. The file name has the form: <log_file_name>_<VDOM>_<date>_<time>
Example
This example shows how to backup the FortiGate unit system configuration to a file named fgt.cfg on a
TFTP server at IP address 192.168.1.23.
execute backup config tftp fgt.cfg 192.168.1.23
batch
Execute a series of CLI commands. execute batch commands are controlled by the Maintenance (mntgrp)
access control group.
Syntax
execute batch [<cmd_cue>]
Example
To start batch mode:
execute batch start
Enter batch mode...
bypass-mode
Use this command to manually switch a FortiGate-600C or FortiGate-1000C into bypass mode. This is available
in transparent mode only. If manually switched to bypass mode, the unit remains in bypass-mode until bypass
mode is disabled.
Syntax
execute bypass-mode {enable|disable}
carrier-license
Use this command to enter a FortiOS Carrier license key if you have installed a FortiOS Carrier build on a
FortiGate unit and need to enter a license key to enable FortiOS Carrier functionality.
Contact Fortinet Support for more information about this command.
Syntax
execute carrier-license <license_key>
Variable
Description
<license_key>
central-mgmt
Update Central Management Service account information. Also used to receive configuration file updates from an
attached FortiManager unit.
Syntax
execute central-mgmt set-mgmt-id <management_id>
set-mgmt-id is used to change or initially set the management ID, or your account number for Central
Management Services. This account ID must be set for the service to be enabled.
register-device registers the FortiGate unit with a specific FortiManager unit specified by serial number.
You must also specify the administrator name and password that the FortiManager unit uses to log on to the
FortiGate unit.
unregister-device removes the FortiGate unit from the specified FortiManager unit's device list.
update is used to update your Central Management Service contract with your new management account ID.
This command is to be used if there are any changes to your management service account.
Example
If you are registering with the Central Management Service for the first time, and your account number is 123456,
you would enter the following:
execute central-mgmt set-mgmt-id 123456
cfg reload
Use this command to restore the saved configuration when the configuration change mode is manual or
revert. This command has no effect if the mode is automatic, the default. The set cfg-save command
in system global sets the configuration change mode.
When you reload the saved system configuration, your session ends and the FortiGate unit restarts.
In the default configuration change mode, automatic, CLI commands become part of the saved unit
configuration when you execute them by entering either next or end.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are saved automatically if the
administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. You set the timeout in system global using the set cfg-revert-timeout command.
Syntax
execute cfg reload
Example
This is sample output from the command when successful:
# execute cfg reload
configs reloaded. system will reboot.
This is sample output from the command when not in runtime-only configuration mode:
# execute cfg reload
no config to be reloaded.
cfg save
Use this command to save configuration changes when the configuration change mode is manual or revert. If
the mode is automatic, the default, all changes are added to the saved configuration as you make them and
this command has no effect. The set cfg-save command in system global sets the configuration change
mode.
In manual mode, commands take effect but do not become part of the saved configuration unless you execute
the execute cfg save command. When the FortiGate unit restarts, the saved configuration is loaded.
Configuration changes that were not saved are lost.
The revert mode is similar to manual mode, except that configuration changes are reverted automatically if
the administrative session is idle for more than a specified timeout period. This provides a way to recover from an
erroneous configuration change, such as changing the IP address of the interface you are using for
administration. To change the timeout from the default of 600 seconds, go to system global and use the
set cfg-revert-timeout command.
Syntax
execute cfg save
Example
This is sample output from the command:
# execute cfg save
config saved.
This is sample output when not in runtime-only configuration mode. It also occurs when in runtime-only
configuration mode and no changes have been made:
# execute cfg save
no config to be saved.
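As an added example that is not from the CLI Reference, here is the manual/revert workflow the cfg reload and cfg save sections describe, carried through end to end: the change mode is set to revert with an idle timeout, a change to the management interface's access list is made, and the change is committed with execute cfg save once management access is confirmed to still work. If the session is left idle instead, the timeout undoes the unsaved change, which is the recovery path for the lock-out scenario both sections mention. The interface name port1, the access list and the 300-second timeout are assumptions for the example.

```fortios
# Added example, not from the CLI Reference. port1, its access list and the
# 300-second timeout are assumptions for this example.
config system global
    # manual: changes take effect but are saved only by "execute cfg save"
    # revert: as manual, but unsaved changes are undone after cfg-revert-timeout
    # seconds of idle administrative session
    set cfg-save revert
    set cfg-revert-timeout 300
end
# The following change takes effect immediately but is not yet part of the
# saved configuration; if it cuts off management access, wait out the timeout.
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end
# Reconnect over HTTPS or SSH to confirm the unit is still reachable, then commit:
execute cfg save
# A later "execute cfg reload" restores the saved configuration and restarts the unit.
```

The order matters: set the mode and timeout first, then make the risky change in the same session, and only run execute cfg save from a fresh session that has proven the new access list works.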
Syntax
execute clear system arp table
cli check-template-status
Reports the status of the secure copy protocol (SCP) script template.
Syntax
execute cli check-template-status
cli status-msg-only
Enable or disable displaying standardized CLI error output messages. If executed, this command stops other
debug messages from displaying in the current CLI session. This command is used for compatibility with
FortiManager.
Syntax
execute cli status-msg-only [enable|disable]
Variable | Description | Default
status-msg-only [enable|disable] | | enable
client-reputation
Use these commands to retrieve or remove client reputation information.
Syntax
To erase all client reputation data
execute client-reputation erase
date
Get or set the system date.
Syntax
execute date [<date_str>]
Example
This example sets the date to 17 September 2004:
execute date 2004-09-17
disk
Use this command to list and format hard disks installed in FortiGate units or individual partitions on these hard
disks.
Syntax
execute disk format <partition1_ref_int> [...<partitionn_ref_int>]
execute disk list
execute disk scan <ref_int>
Variable | Description
format | Format the referenced disk partitions or disks. Separate reference numbers with spaces.
list | List the disks and partitions and the reference number for each one.
scan <ref_int> |
The execute disk format command formats the specified partitions or disks and then reboots the system if
a reboot is required.
In most cases you need to format the entire disk only if there is a problem with the partition. Formatting the
partition removes all data from the partition. Formatting the disk removes all data from the entire disk and creates
a single partition on the disk.
Examples
Use the following command to list the disks and partitions.
execute disk list
Disk Internal(boot) ref: 14.9GB type: SSD [ATA SanDisk SSD U100] dev: /dev/sda
partition ref: 3 14.4GB, 14.4GB free mounted: Y label: 7464A257123E07BB dev: /dev/sda3
In this example, there is only one partition and its reference number is 3.
Enter the following command to format the partition.
execute disk format 3
After a confirmation message the FortiGate unit formats the partition and restarts. This can take a few minutes.
disk raid
Use this command to view information about and change the raid settings on FortiGate units that support RAID.
Syntax
execute disk raid disable
execute disk raid enable {Raid-0 | Raid-1 | Raid-5}
execute disk raid rebuild
execute disk raid status
Variable | Description
disable |
rebuild | Rebuild RAID on the FortiGate unit at the same RAID level. You can only execute this command if a RAID error has been detected. Changing the RAID level takes a while and deletes all data on the disk array.
status | Display information about the RAID disk array in the FortiGate unit.
Examples
Use the following command to display information about the RAID disk array in a FortiGate-82C.
execute disk raid status
RAID Level: Raid-1
RAID Status: OK
RAID Size: 1000GB
Disk 1: OK Used 1000GB
Disk 2: OK Used 1000GB
Disk 3: OK Used 1000GB
Disk 4: Unavailable Not-Used 0GB
disk scan
Use this command to run a disk check operation.
Syntax
execute disk scan <ref_int>
where <ref_int> is the partition "ref:" number for the disk, shown by execute disk list.
The operation requires the FortiGate unit to reboot. The command responds:
Example
# execute disk scan 3
scan requested for: 3/Internal (device=/dev/sda3)
This action requires the unit to reboot.
Do you want to continue? (y/n)
dhcp lease-clear
Clear all DHCP address leases.
Syntax
For IPv4:
execute dhcp lease-clear
For IPv6:
execute dhcp6 lease-clear
dhcp lease-list
Display DHCP leases on a given interface
Syntax
For IPv4:
execute dhcp lease-list [interface_name]
For IPv6:
execute dhcp6 lease-list [interface_name]
If you specify an interface, the command lists only the leases issued on that interface. Otherwise, the list includes
all leases issued by DHCP servers on the FortiGate unit.
If there are no DHCP leases in use on the FortiGate unit, an error is returned.
disconnect-admin-session
Disconnect an administrator who is logged in.
Syntax
execute disconnect-admin-session <index_number>
To determine the index of the administrator that you want to disconnect, view the list of logged-in administrators
by using the following command:
execute disconnect-admin-session ?
Example
This example shows how to disconnect the logged-in administrator admin2 from the above list.
execute disconnect-admin-session 1
enter
Use this command to go from global commands to a specific virtual domain (VDOM).
Only available when virtual domains are enabled and you are in config global.
After you enter the VDOM, the prompt will not change from (global). However you will be in the VDOM with
all the commands that are normally available in VDOMs.
Syntax
execute enter <vdom>
erase-disk
Use this command to reformat the boot device or an attached hard disk. Optionally, this command can restore
the image from a TFTP server after erasing.
Syntax
execute erase-disk <disk_name>
factoryreset
Reset the FortiGate configuration to factory default settings.
Syntax
execute factoryreset [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.
Apart from the keepvmlicense option, this procedure deletes all changes that you have made to the FortiGate
configuration and reverts the system to its original configuration, including resetting interface addresses.
factoryreset2
Reset the FortiGate configuration to factory default settings except VDOM and interface settings.
Syntax
execute factoryreset2 [keepvmlicense]
If keepvmlicense is specified (VM models only), the VM license is retained after reset.
formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.
Syntax
execute formatlogdisk
In addition to deleting logs, this operation will erase all other data on the
disk, including system configuration, quarantine files, and databases for
antivirus and IPS.
forticarrier-license
Use this command to perform a FortiCarrier license upgrade.
Syntax
execute forticarrier-license <activation-code>
forticlient
Use these commands to manage FortiClient licensing.
Syntax
To view FortiClient license information
execute forticlient info
FortiClient-NAC
Use the following command to load a FortiClient license onto a FortiGate unit.
Syntax
execute FortiClient-NAC update-registration-license <code>
fortiguard-log
Use this to manage FortiGuard Analysis and Management Service (FortiCloud) operation.
Syntax
To create a FortiCloud account
execute fortiguard-log create-account
To join FortiCloud
execute fortiguard-log join
fortitoken
Use these commands to activate and synchronize a FortiToken device. FortiToken devices are used in two-factor
authentication of administrator and user account logons. The device generates a random six-digit code that you
enter during the logon process along with user name and password.
Before they can be used to authenticate account logins, FortiToken devices must be activated with the
FortiGuard service. When successfully activated, the status of the FortiToken device will change from New to
Active.
Synchronization is sometimes needed due to the internal clock drift of the FortiToken device. It is not unusual for
new FortiToken units to require synchronization before being put into service. Synchronization is accomplished by
entering two sequential codes provided by the FortiToken.
Syntax
To activate one or more FortiToken devices
execute fortitoken activate <serial_number> [serial_number2 ... serial_numbern]
FortiCare returns a set of 200 serial numbers that are in the same serial number range as the specified
FortiToken device.
fortitoken-mobile
Use these commands to activate and synchronize a FortiToken Mobile card. FortiToken Mobile cards are used in
two-factor authentication of administrator and user account logons. The FortiGate unit sends a random six-digit
code to the mobile device by email or SMS that the user enters during the logon process along with user name
and password.
Syntax
To import the FortiToken Mobile card serial number
execute fortitoken-mobile import <activation_code>
fsso refresh
Use this command to manually refresh user group information from Directory Service servers connected to the
FortiGate unit using the Fortinet Single Sign On (FSSO) agent.
Syntax
execute fsso refresh
ha disconnect
Use this command to disconnect a FortiGate unit from a functioning cluster. You must specify the serial number
of the unit to be disconnected. You must also specify an interface name and assign an IP address and netmask to
this interface of the disconnected unit. You can disconnect any unit from the cluster even the primary unit. After
the unit is disconnected the cluster responds as if the disconnected unit has failed. The cluster may renegotiate
and may select a new primary unit.
To disconnect the unit from the cluster, the execute ha disconnect command sets the HA mode of the
disconnected unit to standalone. In addition, all interface IP addresses of the disconnected unit are set to 0.0.0.0.
The interface specified in the command is set to the IP address and netmask that you specify in the command. In
addition all management access to this interface is enabled. Once the FortiGate unit is disconnected you can use
SSH, telnet, HTTPS, or HTTP to connect to and manage the FortiGate unit.
Syntax
execute ha disconnect <cluster-member-serial_str> <interface_str> <address_ipv4>
<address_ipv4mask>
Variable | Description
<cluster-member-serial_str> |
<interface_str> |
Example
This example shows how to disconnect a cluster unit with serial number FGT5002803033050. The internal
interface of the disconnected unit is set to IP address 1.1.1.1 and netmask 255.255.255.0.
execute ha disconnect FGT5002803033050 internal 1.1.1.1 255.255.255.0
ha ignore-hardware-revision
Use this command to set ignore-hardware-revision status.
Syntax
To view ignore-hardware-revision status
execute ha ignore-hardware-revision status
ha manage
Use this command from the CLI of a FortiGate unit in an HA cluster to log into the CLI of another unit in the
cluster. Usually you would use this command from the CLI of the primary unit to log into the CLI of a subordinate
unit. However, if you have logged into a subordinate unit CLI, you can use this command to log into the primary
unit CLI, or the CLI of another subordinate unit.
You can use CLI commands to manage the cluster unit that you have logged into. If you make changes to the
configuration of any cluster unit (primary or subordinate unit) these changes are synchronized to all cluster units.
Syntax
execute ha manage <cluster-index>
Variable | Description
<cluster-index> |
Example
This example shows how to log into a subordinate unit in a cluster of three FortiGate units. In this example you
have already logged into the primary unit. The primary unit has serial number FGT3082103000056. The
subordinate units have serial numbers FGT3012803021709 and FGT3082103021989.
execute ha manage ?
<id>please input slave cluster index.
<0>Subsidary unit FGT3012803021709
<1>Subsidary unit FGT3082103021989
Type 0 and press enter to connect to the subordinate unit with serial number FGT3012803021709. The CLI
prompt changes to the host name of this unit. To return to the primary unit, type exit.
From the subordinate unit you can also use the execute ha manage command to log into the primary unit or
into another subordinate unit. Enter the following command:
execute ha manage ?
<id>please input slave cluster index.
<1>Subsidary unit FGT3082103021989
<2>Subsidary unit FGT3082103000056
Type 2 and press enter to log into the primary unit or type 1 and press enter to log into the other subordinate unit.
The CLI prompt changes to the host name of this unit.
ha synchronize
Use this command from a subordinate unit in an HA cluster to manually synchronize its configuration with the
primary unit or to stop a synchronization process that is in progress.
Syntax
execute ha synchronize {start | stop}
Variable
Description
start
stop
interface dhcpclient-renew
Renew the DHCP client for the specified DHCP interface and close the CLI session. If there is no DHCP
connection on the specified port, there is no output.
Syntax
execute interface dhcpclient-renew <port>
Example
This is the output for renewing the DHCP client on port1 before the session closes:
# execute interface dhcpclient-renew port1
renewing dhcp lease on port1
interface pppoe-reconnect
Reconnect to the PPPoE service on the specified PPPoE interface and close the CLI session. If there is no PPPoE
connection on the specified port, there is no output.
Syntax
execute interface pppoe-reconnect <port>
log backup
Use this command to back up all logs, index files, and report databases. The files are compressed and combined
into a TAR archive.
Syntax
execute log backup <file name>
log client-reputation-report
Use these commands to control client-reputation log actions.
Syntax
To accept a host so that it has its own baselines
execute log client-reputation-report accept <policy-id> <host>
log convert-oldlogs
Use this command to convert old compact logs to the new format. This command is available only if you have
upgraded from an earlier version of FortiOS and have old compact logs on your system.
Syntax
execute log convert-oldlogs
log delete-all
Use this command to clear all log entries for this VDOM in memory and current log files on hard disk. If your
FortiGate unit has no hard disk, only log entries in system memory will be cleared. You will be prompted to
confirm the command.
Syntax
execute log delete-all
log delete-oldlogs
Use this command to delete old compact logs. This command is available only if you have upgraded from an
earlier version of FortiOS and have old compact logs on your system.
Syntax
execute log delete-oldlogs
log detail
Display UTM-related log entries for traffic log entries in this VDOM.
Syntax
execute log detail <category> <utm-ref>
You can obtain <utm-ref> from the execute log display output.
log display
Use this command to display log messages for this VDOM that you have selected with the execute log
filter command.
Syntax
execute log display
The console displays the first 10 log messages. To view more messages, run the command again. You can do
this until you have seen all of the selected log messages. To restart viewing the list from the beginning, use the
commands
execute log filter start-line 1
execute log display
You can restore the log filters to their default values using the command
execute log filter reset
log downgrade-log
Use this command to downgrade existing logs to v5.0 format prior to a firmware downgrade to FortiOS v5.0.
Syntax
execute log downgrade-log
log filter
Use this command to select log messages in this VDOM for viewing or deletion. You can view one log category on
one device at a time. Optionally, you can filter the messages to select only specified date ranges or severities of
log messages. For traffic logs, you can filter log messages by source or destination IP address.
Commands are cumulative. If you omit a required variable, the command displays the current setting.
Use as many execute log filter commands as you need to define the log messages that you want to
view.
Syntax
execute log filter category <category_name>
execute log filter device {disk | memory}
execute log filter dump
execute log filter field <name> <value> [<value2>,...<valuen>] [not]
execute log filter ha-member <unitsn_str>
execute log filter reset [all | field]
execute log filter rolled_number <number>
execute log filter sortby <field> [max-sort-lines]
execute log filter start-line <line_number>
Variable                                            Default
category <category_name>                            event
device {disk | memory}                              disk
dump                                                No default.
field <name> <value> [<value2>,...<valuen>] [not]   No default.
rolled_number <number>
sortby <field> [max-sort-lines]                     No default.
start-line <line_number>
view-lines <count>                                  10
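The cumulative filter semantics above (each execute log filter command adds to the current selection, execute log display shows the next 10 messages, start-line 1 restarts the listing, reset clears the filters) are easy to get wrong when scripting log review over the CLI. The following Python model is an added example, not FortiOS code: the LogFilterSession class is a hypothetical stand-in for the FortiGate's filter state, and the SAMPLE_LOGS records are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample records standing in for the logs held on the unit
# (not real FortiGate output): 15 event records and 3 traffic records.
SAMPLE_LOGS: List[Dict[str, str]] = (
    [{"category": "event", "level": "notice", "msg": f"event-{i}"} for i in range(15)]
    + [
        {"category": "traffic", "srcip": "10.0.0.5", "msg": "traffic-1"},
        {"category": "traffic", "srcip": "10.0.0.9", "msg": "traffic-2"},
        {"category": "traffic", "srcip": "10.0.0.5", "msg": "traffic-3"},
    ]
)


@dataclass
class LogFilterSession:
    """Hypothetical model of the state behind 'execute log filter' and the
    paging behaviour of 'execute log display'. Defaults follow the table above."""
    logs: List[Dict[str, str]]
    category: str = "event"      # default: event
    device: str = "disk"         # default: disk
    start_line: int = 1          # where the next 'display' begins (1-based)
    view_lines: int = 10         # default: 10 messages per display
    # each entry: (field name, accepted values, negated by the 'not' keyword)
    fields: List[Tuple[str, List[str], bool]] = field(default_factory=list)

    def set_category(self, name: str) -> None:
        self.category = name

    def set_device(self, dev: str) -> None:
        if dev not in ("disk", "memory"):
            raise ValueError("device must be disk or memory")
        self.device = dev

    def add_field(self, name: str, values: List[str], negate: bool = False) -> None:
        # 'field <name> <value> [<value2>,...] [not]' is cumulative: it narrows
        # the current selection rather than replacing earlier field filters.
        self.fields.append((name, values, negate))

    def set_start_line(self, n: int) -> None:
        if n < 1:
            raise ValueError("start-line is 1-based")
        self.start_line = n

    def reset(self, what: str = "all") -> None:
        # 'reset field' clears only the field filters; 'reset' / 'reset all'
        # restores every setting to its default.
        if what == "field":
            self.fields = []
            return
        self.category, self.device = "event", "disk"
        self.start_line, self.view_lines, self.fields = 1, 10, []

    def selected(self) -> List[Dict[str, str]]:
        """All records matching the current cumulative filter."""
        rows = [r for r in self.logs if r.get("category") == self.category]
        for name, values, negate in self.fields:
            rows = [r for r in rows if (r.get(name) in values) != negate]
        return rows

    def display(self) -> List[Dict[str, str]]:
        """Return the next page of view_lines records; repeated calls walk
        through the selection until it is exhausted."""
        rows = self.selected()
        begin = self.start_line - 1
        page = rows[begin:begin + self.view_lines]
        self.start_line += len(page)
        return page
```

Running display() three times on the constructed data returns 10, 5 and then 0 event records; set_start_line(1) starts the listing over, and a traffic filter with a negated srcip field shows how the not keyword inverts a single field filter without touching the category.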
Syntax
execute log fortianalyzer test-connectivity
Example
When FortiAnalyzer is connected, the output looks like this:
FortiAnalyzer Host Name: FortiAnalyzer-800B
log list
You can view the list of current and rolled log files for this VDOM on the console. The list shows the file name,
size and timestamp.
Syntax
execute log list <category>
Example
The output looks like this:
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
At the end of the list, the total number of files in the category is displayed. For example:
501 event log file(s) found.
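The listing above is often collected over SSH when tracking log disk usage or checking that rolled files are still present. The following Python parser is an added example, not FortiOS code; it reads the file lines and the closing count line into records, and flags when the number of lines captured differs from the count the unit reports (as happens when a console session truncates the list). The SAMPLE_OUTPUT is constructed from the page's own example lines.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample output in the format shown above: the three file lines
# are the page's example, the count line shows a listing cut short at 3 of 501.
SAMPLE_OUTPUT = """\
elog 8704 Fri March 6 14:24:35 2009
elog.1 1536 Thu March 5 18:02:51 2009
elog.2 35840 Wed March 4 22:22:47 2009
501 event log file(s) found.
"""


class LogFile(NamedTuple):
    name: str
    rolled_number: int   # 0 for the current file, N for a rolled file name.N
    size: int            # bytes, as printed by 'execute log list'
    mtime: datetime


FILE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<ts>\w{3} \w+ \d{1,2} \d{2}:\d{2}:\d{2} \d{4})$"
)
COUNT_RE = re.compile(r"^(?P<count>\d+) (?P<category>\w+) log file\(s\) found\.$")


def parse_log_list(text: str) -> Tuple[List[LogFile], Optional[int]]:
    """Return (files, reported_count); reported_count is None if the
    closing 'N ... log file(s) found.' line was not seen."""
    files: List[LogFile] = []
    reported: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            name = m["name"]
            _base, _dot, suffix = name.partition(".")
            rolled = int(suffix) if suffix.isdigit() else 0
            # timestamp format as printed: weekday, full month, day, time, year
            mtime = datetime.strptime(m["ts"], "%a %B %d %H:%M:%S %Y")
            files.append(LogFile(name, rolled, int(m["size"]), mtime))
            continue
        m = COUNT_RE.match(line)
        if m:
            reported = int(m["count"])
    return files, reported


def summarize(files: List[LogFile], reported: Optional[int]) -> Dict[str, object]:
    """Totals a monitoring script would record for this log category."""
    return {
        "files_listed": len(files),
        "files_reported": reported,
        "total_bytes": sum(f.size for f in files),
        "complete": reported is not None and reported == len(files),
        "oldest": min((f.mtime for f in files), default=None),
    }
```

On the constructed sample the parser returns three files totalling 46080 bytes and reports the listing as incomplete, because the unit counted 501 files but only three lines were captured.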
log rebuild-sqldb
Use this command to rebuild the SQL database from log files.
If run in the VDOM context, only this VDOM's SQL database is rebuilt. If run in the global context, the SQL
database is rebuilt for all VDOMs.
If SQL logging is disabled, this command is unavailable.
Syntax
execute log rebuild-sqldb
log recreate-sqldb
Use this command to recreate the SQL log database.
Syntax
execute log recreate-sqldb
log-report reset
Use this command to delete all logs, archives and user configured report templates.
Syntax
execute log-report reset
log restore
Use this command to restore all logs, index files, and report databases from a backup file created with the "log
backup" on page 27 command.
This command will wipe out all existing logs and the report database for the VDOM. It is only available for debug
firmware builds.
It is recommended to kill reportd and miglogd prior to running this command.
kill -3 1
killall miglogd
killall reportd
Syntax
execute log restore <file name>
log roll
Use this command to roll all log files.
Syntax
execute log roll
log shift-time
Use this command in conjunction with the "log backup" on page 27 and "log restore" on page 33 commands. You
can load a log set generated previously to do demos or testing without needing to regenerate data.
Syntax
execute log shift-time <number of hours>
log upload-progress
Use this command to display the progress of the latest log upload.
Syntax
execute log upload-progress
modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a connection or it
has made the maximum configured number of redial attempts.
This command can be used if the modem is in Standalone mode.
Syntax
execute modem dial
modem hangup
Hang up the modem.
This command can be used if the modem is in Standalone mode.
Syntax
execute modem hangup
modem trigger
This command sends a signal to the modem daemon, which causes the state machine to re-evaluate its current
state. If for some reason the modem should be connected but isn't, then it will trigger a redial. If the modem
should not be connected but is, this command will cause the modem to disconnect.
Syntax
execute modem trigger
mrouter clear
Clear multicast routes, RP-sets, IGMP membership records or routing statistics.
Syntax
Clear IGMP memberships:
execute mrouter clear igmp-group {{<group-address>} <interface-name>}
execute mrouter clear igmp-interface <interface-name>
Clear statistics:
execute mrouter clear statistics {<group-address> {<source-address>}}
Variable             Description
<interface-name>     Enter the name of the interface on which you want to clear IGMP memberships.
<group-address>
<route-type>
<source-address>
netscan
Use this command to start and stop the network vulnerability scanner and perform related functions.
Syntax
execute netscan import
execute netscan list
execute netscan start scan
execute netscan status
execute netscan stop
pbx
Use this command to view active channels and to delete, list or upload music files for when music is playing while
a caller is on hold.
Syntax
execute pbx active-call <list>
execute pbx extension <list>
execute pbx ftgd-voice-pkg {sip-trunk}
execute pbx music-on-hold {delete |list |upload}
execute pbx prompt upload ftp <file.tgz> <ftp_server_address>[:port] [<username>] [<password>]
execute pbx prompt upload tftp <file.tgz> <tftp_server_address>
execute pbx prompt upload usb <file.tgz>
execute pbx restore-default-prompts
execute pbx sip-trunk list
Variables                                 Description
active-call <list>
extension <list>                          Enter to display the status of all extensions with SIP phones that
                                          have connected to the FortiGate Voice unit.
ftgd-voice-pkg {sip-trunk}
music-on-hold {delete | list | upload}    Enter to either delete, list or upload music on hold files. You can
                                          upload music on hold files using FTP, TFTP, or from a USB drive
                                          plugged into the FortiGate Voice unit.
prompt upload ftp                         Upload new pbx voice prompt files using FTP. The voice prompt
                                          files should be added to a tar file and zipped. This file would
                                          usually have the extension tgz. You must include the filename,
                                          FTP server address (domain name or IPv4 address) and, if
                                          required, the username and password for the server.
prompt upload tftp                        Upload new pbx voice prompt files using TFTP. The voice
                                          prompt files should be added to a tar file and zipped. This file
                                          would usually have the extension tgz. You must include the
                                          filename and TFTP server IP address.
prompt upload usb                         Upload new pbx voice prompt files from a USB drive plugged into
                                          the FortiGate Voice unit. The voice prompt files should be added
                                          to a tar file and zipped. This file would usually have the extension
                                          tgz. You must include the filename.
restore-default-prompts
sip-trunk list                            Enter to display the status of all SIP trunks that have been added
                                          to the FortiGate Voice configuration.
Enter the following command to display the status of all SIP trunks:
execute pbx sip-trunk list
Name         Host            Username    Account-Type   State
Provider_1   192.169.20.1    +5555555    Static         N/A
ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another
network device.
Syntax
execute ping {<address_ipv4> | <host-name_str>}
Example
This example shows how to ping a host with the IP address 172.20.120.16.
# execute ping 172.20.120.16
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
ping-options, ping6-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate
unit and another network device.
Syntax
execute ping-options data-size <bytes>
execute ping-options df-bit {yes | no}
execute ping-options pattern <2-byte_hex>
execute ping-options repeat-count <repeats>
execute ping-options source {auto | <source-intf_ip>}
execute ping-options timeout <seconds>
execute ping-options tos <service_type>
execute ping-options ttl <hops>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
Variable                              Default
data-size <bytes>                     56
df-bit {yes | no}                     no
pattern <2-byte_hex>                  No default.
repeat-count <repeats>
source {auto | <source-intf_ip>}      auto
timeout <seconds>
ttl <hops>                            64
validate-reply {yes | no}             no
view-settings                         No default.
Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23.
ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an IPv6
capable network device.
Syntax
execute ping6 {<address_ipv6> | <host-name_str>}
Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF
policy-packet-capture delete-all
Use this command to delete captured packets.
Syntax
execute policy-packet-capture delete-all
You will be asked to confirm that you want to delete the packets.
reboot
Restart the FortiGate unit.
Abruptly powering off your FortiGate unit may corrupt its configuration.
Using the reboot and shutdown options here or in the web-based manager
ensure proper shutdown procedures are followed to prevent any loss of
configuration.
Syntax
execute reboot <comment comment_string>
<comment comment_string> allows you to optionally add a message that will appear in the hard disk log
indicating the reason for the reboot. If the message is more than one word it must be enclosed in quotes.
Example
This example shows the reboot command with a message included.
execute reboot comment "December monthly maintenance"
report
Use these commands to manage reports.
Syntax
To flash report caches:
execute report flash-cache
To generate a report:
execute report run [<layout_name>["start-time" "end-time"]]
The start and end times have the format yyyy-mm-dd hh:mm:ss
report-config reset
Use this command to reset report templates to the factory default. Logs are not deleted.
If SQL logging is disabled, this command is unavailable.
Syntax
execute report-config reset
restore
Use this command to
When virtual domain configuration is enabled (in system global, vdom-admin is enabled), the content of
the backup file depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin account can restore the configuration from this file.
A backup file from a regular administrator account contains the global settings and the settings for the VDOM to
which the administrator belongs. Only a regular administrator account can restore the configuration from this file.
Syntax
execute restore av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore av tftp <filename_str> <server_ipv4[:port_int]>
execute restore config flash <revision>
execute restore config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
execute restore config management-station {normal | template | script} <rev_int>
execute restore config tftp <filename_str> <server_ipv4> [<backup_password_str>]
execute restore config usb <filename_str> [<backup_password_str>]
execute restore config usb-mode [<backup_password_str>]
execute restore forticlient tftp <filename_str> <server_ipv4>
execute restore image flash <revision>
execute restore image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore image management-station <version_int>
execute restore image tftp <filename_str> <server_ipv4>
execute restore image usb <filename_str>
execute restore ips ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ips tftp <filename_str> <server_ipv4>
execute restore ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore ipsuserdefsig tftp <filename_str> <server_ipv4>
execute restore secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
execute restore secondary-image tftp <filename_str> <server_ipv4>
execute restore secondary-image usb <filename_str>
execute restore src-vis <src-vis-pkgfile>
execute restore vcm {ftp | tftp} <filename_str> <server_ipv4>
execute restore vmlicense {ftp | tftp} <filename_str> <server_ipv4>
Variable / Description
av ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
av tftp <filename_str> <server_ipv4[:port_int]>
config flash <revision>
config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>] [<backup_password_str>]
config management-station {normal | template | script} <rev_int>
config tftp <filename_str> <server_ipv4> [<backup_password_str>]
    If the backup file was created with a password, you must specify the password.
config usb <filename_str> [<backup_password_str>]
    Restore the system configuration from a file on a USB disk. The new configuration replaces the
    existing configuration, including administrator accounts and passwords.
    If the backup file was created with a password, you must specify the password.
config usb-mode [<backup_password_str>]
    Restore the system configuration from a USB disk. The new configuration replaces the existing
    configuration, including administrator accounts and passwords. When the USB drive is removed, the
    FortiGate unit needs to reboot and revert to the unit's existing configuration.
    If the backup file was created with a password, you must specify the password.
forticlient tftp <filename_str> <server_ipv4>
image flash <revision>
image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
image management-station <version_int>
image tftp <filename_str> <server_ipv4>
image usb <filename_str>
ipsuserdefsig ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
    Restore the IPS custom signature file from an FTP server. The file will overwrite the existing IPS
    custom signature file.
ipsuserdefsig tftp <filename_str> <server_ipv4>
secondary-image ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> <password_str>]
secondary-image tftp <filename_str> <server_ipv4>
secondary-image usb <filename_str>
src-vis <src-vis-pkgfile>
Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and restart the
FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig.
The IP address of the TFTP server is 192.168.1.23.
execute restore config tftp backupconfig 192.168.1.23
revision
Use these commands to manage configuration and firmware image files on the local disk.
Syntax
To delete a configuration file
execute revision delete config <revision>
Syntax
execute router clear bfd session <src_ip> <dst_ip> <interface>
Variable
Description
<src_ip>
<dst_ip>
<interface>
Syntax
execute router clear bgp {all | as <as_number> | dampening {ip_address | ip/netmask} | ip <ip_address> | peer-group [in | out] | flap-statistics {ip_address | ip/netmask} | soft}
Variable / Description
all
as <as_number>
dampening {ip_address | ip/netmask}
ip <ip_address>
peer-group
[in | out]
flap-statistics {ip_address | ip/netmask}
soft
Syntax
IPv4:
execute router clear ospf process
IPv6:
execute router clear ospf6 process
router restart
Use this command to restart the routing software.
Syntax
execute router restart
send-fds-statistics
Use this command to send an FDS statistics report now, without waiting for the FDS statistics report interval to
expire.
Syntax
execute send-fds-statistics
Syntax
To clear the filter settings
execute set system session filter clear
{all|dport|dst|duration|expire|policy|proto|sport|src|vd}
To specify duration
execute set system session filter duration <duration_range>
To specify expiry
execute set system session filter expire <expire_range>
To specify protocol
execute set system session filter proto <protocol_range>
Variable / Description
<duration_range>
<expire_range>
<ip_range>
<policy_range>
<port_range>
<protocol_range>
<vdom_index>
set-next-reboot
Use this command to start the FortiGate unit with primary or secondary firmware after the next reboot. Available
on models that can store two firmware images. By default, the FortiGate unit loads the firmware from the primary
partition.
VDOM administrators do not have permission to run this command. It must be executed by a super administrator.
Syntax
execute set-next-reboot {primary | secondary}
sfp-mode-sgmii
Change the SFP mode for an NP2 card to SGMII. By default, when an AMC card is inserted the SFP mode is set
to SERDES mode.
If a configured NP2 card is removed and re-inserted, the SFP mode goes back to the default.
In these situations, the sfpmode-sgmii command will change the SFP mode from SERDES to SGMII for the
interface specified.
Syntax
execute sfpmode-sgmii <interface>
<interface> is the NP2 interface where you are changing the SFP mode.
shutdown
Shut down the FortiGate unit now. You will be prompted to confirm this command.
Abruptly powering off your FortiGate unit may corrupt its configuration.
Using the reboot and shutdown options here or in the web-based manager
ensure proper shutdown procedures are followed to prevent any loss of
configuration.
Syntax
execute shutdown [comment <comment_string>]
comment is optional but you can use it to add a message that will appear in the event log message that records
the shutdown. The comment message does not appear on the Alert Message console. If the message is
more than one word it must be enclosed in quotes.
Example
This example shows the shutdown command with a message included.
execute shutdown comment "emergency facility shutdown"
ssh
Use this command to establish an ssh session with another system.
Syntax
execute ssh <destination> [<port>]
<destination> - the destination in the form user@ip or user@host.
Example
execute ssh admin@172.20.120.122
sync-session
Use this command to force a session synchronization.
Syntax
execute sync-session
Syntax
execute system custom-language import <lang_name> <file_name> <tftp_server_ip>
Syntax
execute fortisandbox test-connectivity
tac report
Use this command to create a debug report to send to Fortinet Support. Normally you would only use this
command if requested to by Fortinet Support.
Syntax
execute tac report
telnet
Use telnet client. You can use this tool to test network connectivity.
Syntax
execute telnet <telnet_ipv4>
time
Get or set the system time.
Syntax
execute time [<time_str>]
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
traceroute
Test the connection between the FortiGate unit and another network device, and display information about the
network hops between the device and the FortiGate unit.
Syntax
execute traceroute {<ip_address> | <host-name>}
Example
This example shows how to test the connection with http://docs.forticare.com. In this example the traceroute
command times out after the first hop, indicating a possible problem.
# execute traceroute docs.forticare.com
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
If your FortiGate unit is not connected to a working DNS server, you will not be able to reach remote locations by hostname with traceroute.
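When connectivity tests like the ping and traceroute examples above are run from a script (for example during incident triage or a change window), the raw console text has to be turned into something a check can act on: the loss percentage and round-trip times from ping, and the first hop that answers no probe from traceroute. The following Python parsers are an added example, not FortiOS code; the PING_OUTPUT and TRACEROUTE_OUTPUT strings are constructed from the page's own example output, and the hop-parsing logic is an assumption based on that output format.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample output, taken from the ping and traceroute examples above.
PING_OUTPUT = """\
PING 172.20.120.16 (172.20.120.16): 56 data bytes
64 bytes from 172.20.120.16: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.20.120.16: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.20.120.16: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.20.120.16 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
"""

TRACEROUTE_OUTPUT = """\
traceroute to docs.forticare.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.20.120.2 (172.20.120.2) 0.324 ms 0.427 ms 0.360 ms
2 * * *
"""


class PingResult(NamedTuple):
    target: str
    transmitted: int
    received: int
    loss_pct: int
    rtts_ms: List[float]          # one entry per echo reply seen
    rtt_min: Optional[float]
    rtt_avg: Optional[float]
    rtt_max: Optional[float]


class Hop(NamedTuple):
    number: int
    address: Optional[str]        # None when every probe for the hop timed out
    rtts_ms: List[float]


HEADER_RE = re.compile(r"^PING (\S+) ")
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")
RTT_RE = re.compile(r"round-trip min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+) ms")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_ping(text: str) -> PingResult:
    """Parse 'execute ping' console output; loss defaults to 100% if the
    statistics line never appears (e.g. the session was cut off)."""
    target, rtts, tx, rx, loss = "", [], 0, 0, 100
    rmin = ravg = rmax = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if m:
            rtts.append(float(m.group(3)))
            continue
        m = STATS_RE.search(line)
        if m:
            tx, rx, loss = (int(g) for g in m.groups())
            continue
        m = RTT_RE.search(line)
        if m:
            rmin, ravg, rmax = (float(g) for g in m.groups())
    return PingResult(target, tx, rx, loss, rtts, rmin, ravg, rmax)


def parse_traceroute(text: str) -> List[Hop]:
    """Parse hop lines of the form '<n> <addr> (<ip>) <t> ms ...' or '<n> * * *'."""
    hops: List[Hop] = []
    for line in text.splitlines():
        if line.startswith("traceroute to"):
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, tokens = int(m.group(1)), m.group(2).split()
        address: Optional[str] = None
        rtts: List[float] = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "*" or tok.startswith("("):   # timed-out probe, or "(ip)" echo
                i += 1
            elif i + 1 < len(tokens) and tokens[i + 1] == "ms":
                rtts.append(float(tok))
                i += 2
            else:                                    # first bare token is the hop address
                address = tok
                i += 1
        hops.append(Hop(number, address, rtts))
    return hops


def first_silent_hop(hops: List[Hop]) -> Optional[int]:
    """Number of the first hop that answered no probe, or None if all answered."""
    for h in hops:
        if h.address is None and not h.rtts_ms:
            return h.number
    return None
```

On the constructed samples, parse_ping reports 5 of 5 replies with an average of 0.2 ms, and first_silent_hop returns 2, which is the hop the page's example identifies as the point where the trace stops answering.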
tracert6
Test the connection between the FortiGate unit and another network device using IPv6 protocol, and display
information about the network hops between the device and the FortiGate unit.
Syntax
tracert6 [-Fdn] [-f first_ttl] [-i interface] [-m max_ttl] [-s src_addr] [-q nprobes] [-w waittime] [-z sendwait] host [paddatalen]
Variable             Description
-F
-d                   Enable debugging.
-n
-f <first_ttl>       Set the initial time-to-live used in the first outgoing probe packet.
-i <interface>
-m <max_ttl>
-s <src_addr>
-q <nprobes>
-w <waittime>
-z <sendwait>
host
<paddatalen>
update-av
Use this command to manually initiate the virus definitions and engines update. To update both virus and attack
definitions, use the execute update-now command.
Syntax
execute update-av
update-geo-ip
Use this command to obtain an update to the IP geography database from FortiGuard.
Syntax
execute update-geo-ip
update-ips
Use this command to manually initiate the Intrusion Prevention System (IPS) attack definitions and engine
update. To update both virus and attack definitions, use the execute update-now command.
Syntax
execute update-ips
update-list
Use this command to download an updated FortiGuard server list.
Syntax
execute update-list
update-now
Use this command to manually initiate both virus and attack definitions and engine updates. To initiate only virus
or attack definitions, use the execute update-av or execute update-ips command respectively.
Syntax
execute update-now
update-src-vis
Use this command to trigger an FDS update of the source visibility signature package.
Syntax
execute update-src-vis
upd-vd-license
Use this command to enter a Virtual Domain (VDOM) license key.
If you have a FortiGate unit that supports VDOM licenses, you can purchase a license key from Fortinet to
increase the maximum number of VDOMs to 25, 50, 100 or 500. By default, FortiGate units support a maximum
of 10 VDOMs.
Available on FortiGate models that can be licensed for more than 10 VDOMs.
Syntax
execute upd-vd-license <license_key>
Variable
<license_key>
Description
The license key is a 32-character string supplied by Fortinet.
Fortinet requires your unit serial number to generate the license
key.
upload
Use this command to upload system configurations and firmware images to the flash disk from FTP, TFTP, or
USB sources.
Syntax
To upload configuration files:
execute upload config ftp <filename_str> <comment> <server_ipv4[:port_int] | server_fqdn[:port_int]> [<username_str> [<password_str>]] [<backup_password_str>]
execute upload config tftp <filename_str> <comment> <server_ipv4>
execute upload config usb <filename_str> <comment>
Variable                      Description
<comment>                     Comment string.
<filename_str>                Filename to upload.
<server_fqdn[:port_int]>
<server_ipv4[:port_int]>
<username_str>
<password_str>
<backup_password_str>
usb-device
Use these commands to manage FortiExplorer IOS devices.
Syntax
List connected FortiExplorer IOS devices
execute usb-device list
usb-disk
Use these commands to manage your USB disks.
Syntax
execute usb-disk delete <filename>
execute usb-disk format
execute usb-disk list
execute usb-disk rename <old_name> <new_name>
Variable / Description
delete <filename>
format
list
rename <old_name> <new_name>
vpn certificate ca
Use this command to import a CA certificate from a TFTP or SCEP server to the FortiGate unit, or to export a CA
certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy,
prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that
the FortiGate unit uses to authenticate itself to other devices.
VPN peers must use digital certificates that adhere to the X.509 standard.
Digital certificates are not required for configuring FortiGate VPNs. Digital
certificates are an advanced feature provided for the convenience of system
administrators. This manual assumes the user has prior knowledge of how
to configure digital certificates for their implementation.
Syntax
execute vpn certificate ca export tftp <certificate-name_str> <file-name_str> <tftp_ip>
execute vpn certificate ca import auto <ca_server_url> <ca_identifier_str>
execute vpn certificate ca import tftp <file-name_str> <tftp_ip>
Variable / Description
import
export
<certificate-name_str>
<file-name_str>
<tftp_ip>
auto
tftp
<ca_server_url>
<ca_identifier_str>
Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a TFTP
server with the address 192.168.21.54.
execute vpn certificate ca import trust_ca 192.168.21.54
Syntax
execute vpn certificate crl import auto <crl-name>
Variable / Description
import
<crl-name>
auto
Syntax
execute vpn certificate local export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Variable                      Description
export                        Export or copy the local certificate from the FortiGate unit to a
                              file on the TFTP server. Type ? for a list of certificates.
<certificate-name_str>        Enter the name of the local certificate.
<file-name_str>
<tftp_ip>
Example
Use the following command to export the local certificate request generated in the above example from the
FortiGate unit to a TFTP server. The example uses the file name testcert for the downloaded file and the
Syntax
To generate the default CA certificate used by SSL Inspection
execute vpn certificate local generate default-ssl-ca
Variable                      Description
<certificate-name_str>        Enter a name for the certificate. The name can contain numbers
                              (0-9), uppercase and lowercase letters (A-Z, a-z), and the special
                              characters - and _. Other special characters and spaces are not
                              allowed.
<elliptic-curve-name>
<key-length>                  Enter 1024, 1536 or 2048 for the size in bits of the encryption
                              key.
<subject_str>
[<optional_information>]
<country_code_str>
<state_name_str>              Enter the name of the state or province where the FortiGate unit
                              is located.
<city_name_str>
<organization-name_str>
<organization-unit_name_str>
<email_address_str>
<ca_server_url>
<challenge_password>
Example
Use the following command to generate a local certificate request with the name branch_cert, the domain
name www.example.com and a key size of 1536.
execute vpn certificate local generate branch_cert 1536 www.example.com
Syntax
execute vpn certificate local import tftp <file-name_str> <tftp_ip>
Variable                      Description
<certificate-name_str>        Enter the name of the local certificate.
<file-name_str>
<tftp_ip>
Example
Use the following command to import the signed local certificate named branch_cert to the FortiGate unit
from a TFTP server with the address 192.168.21.54.
execute vpn certificate local import branch_cert 192.168.21.54
Syntax
execute vpn certificate remote import tftp <file-name_str> <tftp_ip>
execute vpn certificate remote export tftp <certificate-name_str> <file-name_str> <tftp_ip>
Field/variable / Description
import
export
<certificate-name_str>
<file-name_str>
<tftp_ip>
tftp
Syntax
execute vpn ipsec tunnel down <phase2> [<phase1> <phase2_serial>]
where:
Syntax
execute vpn ipsec tunnel up <phase2> [<phase1> <phase2_serial>]
where:
Syntax
execute vpn sslvpn del-all
Syntax
execute vpn sslvpn del-tunnel <tunnel_index>
<tunnel_index> identifies which tunnel to delete if there is more than one active tunnel.
Syntax
execute vpn sslvpn del-web <web_index>
<web_index> identifies which web connection to delete if there is more than one active connection.
Syntax
execute vpn sslvpn list {web | tunnel}
webfilter quota-reset
Use this command to reset user quota.
Syntax
execute webfilter quota-reset <wf-profile> <user_ip4addr>
execute webfilter quota-reset <wf-profile> <user_name>
wireless-controller delete-wtp-image
Use this command to delete all firmware images for WLAN Termination Points (WTPs), also known as physical
access points.
Syntax
execute wireless-controller delete-wtp-image
wireless-controller list-wtp-image
Use this command to list all firmware images for WLAN Termination Points (WTPs), also known as WiFi physical
access points.
Syntax
execute wireless-controller list-wtp-image
Example output
WTP Images on AC:
ImageName ImageSize(B) ImageInfo ImageMTime
FAP22A-IMG.wtp 3711132 FAP22A-v4.0-build212 Mon Jun 6 12:26:41 2011
wireless-controller reset-wtp
Use this command to reset a physical access point (WTP).
If the FortiGate unit has a more recent version of the FortiAP firmware, the FortiAP unit will download and install
it. Use the command execute wireless-controller upload-wtp-image to upload FortiAP firmware to the FortiGate
unit.
Syntax
execute wireless-controller reset-wtp {<serialNumber_str> | all}
wireless-controller restart-acd
Use this command to restart the wireless-controller daemon.
Syntax
execute wireless-controller restart-acd
wireless-controller restart-wtpd
Use this command to restart the wireless access point daemon.
Syntax
execute wireless-controller restart-wtpd
wireless-controller upload-wtp-image
Use this command to upload a FortiWiFi firmware image to the FortiGate unit. Wireless APs controlled by this
wireless controller can download the image as needed. Use the execute wireless-controller reset-wtp command
to trigger FortiAP units to update their firmware.
Syntax
FTP:
execute wireless-controller upload-wtp-image ftp <filename_str> <server_ipv4[:port_
int]> [<username_str> <password_str>]
TFTP:
execute wireless-controller upload-wtp-image tftp <filename_str> <server_ipv4>
get
The get commands retrieve information about the operation and performance of your FortiGate unit.
Syntax
get application internet-service status [<app-id>]
Example output
FG-5KD3914800284 # get application internet-service status 1245324
id: 1245324 app-name: "Fortinet-FortiGuard"
application internet-service-summary
Use this command to display information about the Internet service database.
Syntax
get application internet-service-summary
Example output
FG-5KD3914800284 # get application internet-service-summary
Version: 00002.00679
Timestamp: 201512161002
Number of Entries: 1267
certificate
Display detailed information about local and CA certificates installed on the FortiGate. This is a global level
command. At the VDOM level, use get vpn certificate.
Syntax
get certificate {local | ca} details [certificate_name]
extender modem-status
Use this command to display detailed FortiExtender modem status information.
Syntax
get extender modem-status <serno>
Example output
physical_port: Internal
manufacture: Sierra Wireless, Incorporated
product: AirCard 313U
model: AirCard 313U
revision: SWI9200X_03.05.10.02AP R4684 CARMD-EN-10527 2012/02/25 11:58:38
imsi: 310410707582825
pin_status: READY
service: N/A
signal_strength: 73
RSSI: -68 dBm
connection_status: connected
Profile 1: broadband
Profile 2: broadband
Profile 13: wap.cingular
Profile 15: broadband
NAI: w.tp
Profile: 0 Disabled
home_addr: 127.219.10.128
primary_ha: 127.218.246.40
secondary_ha: 119.75.69.176
aaa_spi: 0
ha_spi: 4
esn_imei: 012615000227604
activation_status: Activated
roaming_status: N/A
usim_status: N/A
oma_dm_version: N/A
plmn: N/A
band: B17
signal_rsrq: N/A
signal_rsrp: N/A
lte_sinr: N/A
lte_rssi: N/A
lte_rs_throughput: N/A
lte_ts_throughput: N/A
lte_physical_cellid: N/A
modem_type:
drc_cdma_evdo: N/A
current_snr: N/A
wireless_operator:
operating_mode: N/A
wireless_signal: 73
usb_wan_mac: 16:78:f7:db:01:07
extender sys-info
Use this command to display detailed FortiExtender system information.
Syntax
get extender sys-info
firewall dnstranslation
Use this command to display the firewall DNS translation table.
Syntax
get firewall dnstranslation
Syntax
get firewall iprope appctrl {list | status}
Example output
In this example, the FortiGate unit includes one application control list that blocks the FTP application.
get firewall iprope appctrl list
app-list=app_list_1/2000 other-action=Pass
app-id=15896 list-id=2000 action=Block
Syntax
get firewall iprope list [<group_number_hex>]
Example output
get firewall iprope list 0010000c
policy flag (8000000): pol_stats
flag2 (20): ep_block shapers: / per_ip=
imflag: sockport: 1011 action: redirect index: 0
schedule() group=0010000c av=00000000 au=00000000 host=0 split=00000000
chk_client_info=0x0 app_list=0 misc=0 grp_info=0 seq=0 hash=0
npu_sensor_id=0
tunnel=
zone(1): 0 ->zone(1): 0
source(0):
dest(0):
source wildcard(0):
destination wildcard(0):
service(1):
[6:0x8:1011/(0,65535)->(80,80)]
nat(0):
mms: 0 0
Syntax
For IPv4 policy routes:
get firewall proute
Example output
get firewall proute
list route policy info(vf=root):
iff=5 src=1.1.1.0/255.255.255.0 tos=0x00 tos_mask=0x00 dst=0.0.0.0/0.0.0.0 protocol=80
port=1:65535
oif=3 gwy=1.2.3.4
Syntax
get firewall service custom
Example output
This is a partial output.
get firewall service custom
== [ALL ]
name: ALL
== [ALL_TCP ]
name: ALL_TCP
== [ALL_UDP ]
name: ALL_UDP
== [ALL_ICMP ]
name: ALL_ICMP
== [ALL_ICMP6 ]
name: ALL_ICMP6
== [GRE ]
name: GRE
== [AH ]
name: AH
== [ESP ]
name: ESP
== [AOL ]
name: AOL
== [BGP ]
name: BGP
== [DHCP ]
name: DHCP
== [DNS ]
name: DNS
== [FINGER ]
name: FINGER
firewall shaper
Use this command to retrieve information about traffic shapers.
Syntax
To get information about per-ip traffic shapers
get firewall shaper per-ip
grep
In many cases the get and show (and diagnose) commands may produce a large amount of output. If you are
looking for specific information in a large get or show command output you can use the grep command to filter
the output to only display what you are looking for. The grep command is based on the standard UNIX grep,
used for searching text output based on regular expressions.
Information about how to use grep and regular expressions is available from the Internet. For example, see
http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.
Syntax
{get | show | diagnose} <command> | grep <regular_expression>
Example output
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the session list line number
in the output
get system session list | grep -n tcp
19:tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469 -
27:tcp 3599 10.31.101.10:2061 - 10.31.101.100:22 -
38:tcp 3594 10.31.101.10:4780 172.20.120.122:49700 172.20.120.100:445 -
43:tcp 3582 10.31.101.10:4398 172.20.120.122:49574 24.200.188.171:48726 -
Use the following command to display all lines in HTTP replacement message commands that contain URL
(upper or lower case):
show system replacemsg http | grep -i url
set buffer "<HTML><BODY>The page you requested has been blocked because it contains a
banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
config system replacemsg http "url-block"
set buffer "<HTML><BODY>The URL you requested has been blocked. URL =
%%URL%%</BODY></HTML>"
config system replacemsg http "urlfilter-err"
.
.
.
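The grep filter above is a one-off, read-once check. As an added example that is not part of the FortiOS reference, the following Python reproduces the `grep -n tcp` step over a constructed `get system session list` capture and then goes one step further than grep can: it parses the six columns (PROTO, EXPIRE, SOURCE, SOURCE-NAT, DESTINATION, DESTINATION-NAT, with "-" for no NAT) and flags TCP sessions to an administrative port whose source lies outside a management subnet. The sample rows, the management subnet 10.31.101.0/24 and the list of admin ports are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample laid out like the session list in the reference:
# PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT  ("-" = no NAT)
SAMPLE_SESSION_LIST = """\
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 1110 10.31.101.10:1862 172.20.120.122:30670 69.111.193.57:1469 -
tcp 3599 10.31.101.10:2061 - 10.31.101.100:22 -
udp 175 127.0.0.1:1026 - 127.0.0.1:53 -
tcp 3594 192.0.2.77:4780 - 172.20.120.100:445 -
tcp 3582 198.51.100.9:4398 - 172.20.120.1:443 -
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def split_endpoint(token):
    """'1.2.3.4:22' -> ('1.2.3.4', 22); '-' (no NAT applied) -> None."""
    m = ENDPOINT.match(token)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def parse_session_list(text):
    """Parse the six-column session list into dicts, keeping the 1-based line number.

    The header row and any line that does not have exactly six fields are skipped.
    """
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 6 or parts[0].upper() == "PROTO":
            continue
        proto, expire, src, snat, dst, dnat = parts
        sessions.append({
            "line": lineno, "proto": proto.lower(), "expire": int(expire),
            "src": split_endpoint(src), "snat": split_endpoint(snat),
            "dst": split_endpoint(dst), "dnat": split_endpoint(dnat),
        })
    return sessions


def grep_n(text, pattern, ignore_case=False):
    """Equivalent of `| grep -n <pattern>`: a list of 'lineno:line' strings."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [f"{n}:{l}" for n, l in enumerate(text.splitlines(), 1) if rx.search(l)]


def suspicious_admin_sessions(text, mgmt_net="10.31.101.0/24",
                              admin_ports=(22, 23, 80, 443, 445)):
    """TCP sessions to an admin port whose (pre-NAT) source is outside mgmt_net.

    Returns (line number, source IP, destination port) tuples. mgmt_net and
    admin_ports are assumptions for this example, not FortiOS defaults.
    """
    net = ipaddress.ip_network(mgmt_net)
    hits = []
    for s in parse_session_list(text):
        if s["proto"] != "tcp" or not s["src"] or not s["dst"]:
            continue
        src_ip, _ = s["src"]
        _, dst_port = s["dst"]
        if dst_port in admin_ports and ipaddress.ip_address(src_ip) not in net:
            hits.append((s["line"], src_ip, dst_port))
    return hits


if __name__ == "__main__":
    for match in grep_n(SAMPLE_SESSION_LIST, "tcp"):
        print(match)
    print(suspicious_admin_sessions(SAMPLE_SESSION_LIST))
```

On a live unit the text would come from the CLI output saved to a file; the parser ignores the header row and anything that is not a six-field session line, so it tolerates the banner and prompt lines that a captured session usually contains.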
Syntax
get gui console status
Example
The output looks like this:
Preferences:
User: admin
Colour scheme (RGB): text=FFFFFF, background=000000
Font: style=monospace, size=10pt
History buffer=50 lines, external input=disabled
Syntax
get gui topology status
Example output
Preferences:
Canvas dimensions (pixels): width=780, height=800
Colour scheme (RGB): canvas=12ff08, lines=bf0f00, exterior=ddeeee
Background image: type=none, placement: x=0, y=0
Line style: thickness=2
Custom background image file: none
Topology element database:
__FortiGate__: x=260, y=340
Office: x=22, y=105
ISPnet: x=222, y=129
__Text__: x=77, y=112: "Ottawa"
__Text__: x=276, y=139: "Internet"
hardware cpu
Use this command to display detailed information about all of the CPUs in your FortiGate unit.
Syntax
get hardware cpu
Example output
get hardware npu legacy list
No npu ports are found
620_ha_1 # get hardware cpu
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
stepping : 13
cpu MHz : 1795.545
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
dts acpi mmx fxsr sse sse2 ss ht tm pbe lm pni monitor ds_cpl tm2 est
bogomips : 3578.26
hardware memory
Use this command to display information about FortiGate unit memory use including the total, used, and free
memory.
Syntax
get hardware memory
Example output
get hardware memory
total: used: free: shared: buffers: cached: shm:
Mem: 3703943168 348913664 3355029504 0 192512 139943936 137314304
Swap: 0 0 0
MemTotal: 3617132 kB
MemFree: 3276396 kB
MemShared: 0 kB
Buffers: 188 kB
Cached: 136664 kB
SwapCached: 0 kB
Active: 22172 kB
Inactive: 114740 kB
HighTotal: 1703936 kB
HighFree: 1443712 kB
LowTotal: 1913196 kB
LowFree: 1832684 kB
SwapTotal: 0 kB
SwapFree: 0 kB
hardware nic
Use this command to display hardware and status information about each FortiGate interface. The hardware
information includes details such as the driver name and version and chip revision. Status information includes
transmitted and received packets, and different types of errors.
Syntax
get hardware nic <interface_name>
Variable
Description
<interface_name>
Example output
get hardware nic port9
Chip_Model FA2/ISCP1B-v3/256MB
FPGA_REV_TAG 06101916
Driver Name iscp1a/b-DE
Driver Version 0.1
Driver Copyright Fortinet Inc.
Link down
Speed N/A
Duplex N/A
State up
Rx_Packets 0
Tx_Packets 0
Rx_Bytes 0
Tx_Bytes 0
Current_HWaddr 00:09:0f:77:09:68
Permanent_HWaddr 00:09:0f:77:09:68
Frame_Received 0
Bad Frame Received 0
Tx Frame 0
Tx Frame Drop 0
Receive IP Error 0
FIFO Error 0
Small PktBuf Left 125
Normal PktBuf Left 1021
Jumbo PktBuf Left 253
NAT Anomaly 0
hardware npu
Use this command to display information about the network processor unit (NPU) hardware installed in a
FortiGate unit. The NPUs can be built-in or on an installed AMC module.
Syntax
get hardware npu legacy list
get hardware npu np1 list
get hardware npu np1 status
Example output
get hardware npu np1 list
ID Interface
0 port9 port10
get hardware npu np1 status
ISCP1A 10ee:0702
RX SW Done 0 MTP 0x00000000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Total Number of Interfaces: 2
Number of Interface In-Use: 2
Interface[0] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
Interface[1] Tx done: 0
desc_size = 0x00004000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
TX timeout = 0x00000000 BD_empty = 0x00000000
HRx Packets= 0x00000000 HTXBytes = 0x00000000 HRXBytes = 0x00000000
NAT Information:
head = 0x00000001 tail = 00000001
ISCP1A Performance [Top]:
Nr_int : 0x00000000 INTwoInd : 0x00000000 RXwoDone : 0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHY0Int : 0x00000000 PHY1INT : 0x00000000
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT : 0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS : 0x00000000
hardware status
Report information about the FortiGate unit hardware including FortiASIC version, CPU type, amount of memory,
flash drive size, hard disk size (if present), USB flash size (if present), network card chipset, and WiFi chipset
(FortiWifi models). This information can be useful for troubleshooting, providing information about your FortiGate
unit to Fortinet Support, or confirming the features that your FortiGate model supports.
Syntax
get hardware status
Example output
Model name: Fortigate-620B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Intel(R) Core(TM)2 Duo CPU E4300 @ 1.80GHz
RAM: 2020 MB
Compact Flash: 493 MB /dev/sda
Hard disk: 76618 MB /dev/sdb
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter (rev.0x5784100)
Syntax
get ips decoder status
Example output
# get ips decoder status
decoder-name: "back_orifice"
decoder-name: "dns_decoder"
port_list: 53
decoder-name: "ftp_decoder"
port_list: 21
decoder-name: "http_decoder"
decoder-name: "im_decoder"
decoder-name: "imap_decoder"
port_list: 143
Ports are shown only for decoders with configurable port settings.
Syntax
get ips rule status
Example output
# get ips rule status
rule-name: "IP.Land"
rule-id: 12588
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 3.high
service: All
location: server, client
os: All
application: All
rule-name: "IP.Loose.Src.Record.Route.Option"
rule-id: 12805
rev: 2.464
action: pass
status: disable
log: enable
log-packet: disable
severity: 2.medium
service: All
location: server, client
os: All
application: All
ips session
Displays current IPS session status.
Syntax
get ips session
Example output
get ips session
SYSTEM:
memory capacity 279969792
memory used 5861008
recent pps\bps 0\0K
session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\0
ICMP: in-use\active\total 0\0\0
ips view-map
Use this command to view the policies examined by IPS. This is mainly used for debugging. If there is no ips view
map, it means IPS is not used or enabled.
Syntax
get ips view-map <id>
Example output
id : 1
id-policy-id : 0
policy-id : 2
vdom-id : 0
which : firewall
Variable
Description
id
IPS policy ID
id-policy-id
policy-id
Policy ID
vdom-id
which
ipsec tunnel
List the current IPSec VPN tunnels and their status.
Syntax
To view details of all IPsec tunnels:
get ipsec tunnel details
mgmt-data status
Use this command to display information additional to that provided by get system status or
get hardware status.
Syntax
get mgmt-data status
Sample output
FG100D3G12801361 # get mgmt-data status
Model name: FortiGate-100D
CPU: 4
RAM: 1977 MB
is_ssd_available: 0
is_logdisk_mounted: 1
is_support_log_on_boot_device: 1
is_rev_support_wanopt: 1
pbx branch-office
Use this command to list the configured branch offices.
Syntax
get pbx branch-office
Example output
== [Branch 15 ]
name: Branch 15
== [Branch 12 ]
name: Branch 12
pbx dialplan
Use this command to list the configured dial plans.
Syntax
get pbx dialplan
Example output
== [company-default ]
name: company-default
== [inbound ]
name: inbound
pbx did
Use this command to list the configured direct inward dial (DID) numbers.
Syntax
get pbx did
Example output
== [Operator ]
name: Operator
== [Emergency ]
name: Emergency
pbx extension
Use this command to list the configured extensions.
Syntax
get pbx extension
Example output
== [6555 ]
extension: 6555
== [6777 ]
extension: 6777
== [6111 ]
extension: 6111
pbx ftgd-voice-pkg
Use this command to display the current FortiGate Voice service package status.
Syntax
get pbx ftgd-voice-pkg status
Example output
Status: Activated
Total 1 Packages:
Package Type: B, Credit Left: 50.00, Credit Used: 0.00,
Expiration Date: 2011-01-01 12:00:00
Total 1 Dids:
12345678901
Total 1 Efaxs:
12345678902
Total 0 Tollfrees:
pbx global
Use this command to display the current global pbx settings.
Syntax
get pbx global
Example output
block-blacklist : enable
country-area : USA
country-code : 1
efax-check-interval : 5
extension-pattern : 6XXX
fax-admin-email : faxad@example.com
ftgd-voice-server : service.fortivoice.com
local-area-code : 408
max-voicemail : 60
outgoing-prefix : 9
ring-timeout : 20
rtp-hold-timeout : 0
rtp-timeout : 60
voicemail-extension : *97
pbx ringgrp
Use this command to display the currently configured ring groups.
Syntax
get pbx ringgrp
Example output
== [6001 ]
name: 6001
== [6002 ]
name: 6002
pbx sip-trunk
Use this command to display the currently configured SIP trunks.
Syntax
get pbx sip-trunk
Example output
== [__FtgdVoice_1 ]
name: __FtgdVoice_1
pbx voice-menu
Use this command to display the current voice menu and recorder extension configuration.
Syntax
get pbx voice-menu
Example output
comment : general
password : *
press-0:
ring-group : 6001
type : ring-group
press-1:
type : voicemail
press-2:
type : directory
press-3:
type : none
press-4:
type : none
press-5:
type : none
press-6:
type : none
press-7:
type : none
press-8:
type : none
press-9:
type : none
recorder-exten : *30
Syntax
get router info bfd neighbour
Syntax
get router info bgp <keyword>
<keyword>
Description
cidr-only
community
community-info
community-list
dampening {dampened-paths | flap-statistics | parameters}
filter-list
inconsistent-as
memory
neighbors [<address_ipv4> | <address_ipv4> advertised-routes | <address_ipv4> received prefix-filter | <address_ipv4> received-routes | <address_ipv4> routes]
network [<address_ipv4mask>]
network-longer-prefixes <address_ipv4mask>
Show general information about the BGP route that you specify (for example, 12.0.0.0/14) and any specific routes
associated with the prefix.
paths
prefix-list <name>
quote-regexp <regexp_str>
regexp <regexp_str>
route-map
scan
summary
Example output
get router info bgp memory
Memory type Alloc count Alloc bytes
=================================== ============= ===============
BGP structure : 2 1408
BGP VR structure : 2 104
BGP global structure : 1 56
BGP peer : 2 3440
BGP as list master : 1 24
Community list handler : 1 32
BGP Damp Reuse List Array : 2 4096
BGP table : 62 248
----------------------------------- ------------- --------------
Temporary memory : 4223 96095
Hash : 7 140
Hash index : 7 28672
Hash bucket : 11 132
Thread master : 1 564
Thread : 4 144
Link list : 32 636
Link list node : 24 288
Show : 1 396
Show page : 1 4108
Show server : 1 36
Prefix IPv4 : 10 80
Route table : 4 32
Route node : 63 2772
Vector : 2180 26160
Vector index : 2180 18284
Host config : 1 2
Message of The Day : 1 100
IMI Client : 1 708
VTY master : 1 20
VTY if : 11 2640
VTY connected : 5 140
Message handler : 2 120
NSM Client Handler : 1 12428
NSM Client : 1 1268
Host : 1 64
Log information : 2 72
Context : 1 232
----------------------------------- ------------- --------------
bgp proto specifc allocations : 9408 B
Syntax
get router info isis interface
get router info isis neighbor
get router info isis is-neighbor
get router info isis database
get router info isis route
get router info isis topology
Syntax
get router info kernel [<routing_type_int>]
Syntax
get router info multicast <keywords>
<keywords>
Description
igmp
Show Internet Group Management Protocol (IGMP) membership information according to one of these qualifiers:
Type groups [{<interface-name> | <group-address>}] to show IGMP information for the multicast group(s)
associated with the specified interface or multicast group address.
pim dense-mode
pim sparse-mode
Show information related to sparse mode operation according to one of these qualifiers:
Type bsr-info to show Boot Strap Router (BSR) information.
Type interface to show information about PIM-enabled interfaces.
Type interface-detail to show detailed information about PIM-enabled interfaces.
Type neighbor to show the current status of PIM neighbors.
table [<group-address>] [<source-address>]
table-count [<group-address>] [<source-address>]
Syntax
get router info ospf <keyword>
<keyword>
Description
border-routers
Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router
(ASBR) as a destination.
database <qualifier>
Show information from the OSPF routing database according to one of these qualifiers. Some qualifiers require a
target that can be one of the following values:
Type adv_router <address_ipv4> to limit the information to LSAs originating from the router at the specified IP
address.
  asbr-summary <target>
  brief
  external <target>
  max-age
  network <target>
  nssa-external <target>
  opaque-area <address_ipv4>
  opaque-as <address_ipv4>
  opaque-link <address_ipv4>
  router <target>
  self-originate
  summary <target>
interface [<interface_name>]
route
status
virtual-links
Syntax
get router info protocols
Example output
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Syntax
get router info rip <keyword>
<keyword>
Description
database
interface [<interface_name>]
Syntax
get router info routing-table <keyword>
<keyword>
Description
all
bgp
connected
database
details [<address_ipv4mask>]
ospf
rip
static
Syntax
get router info vrrp
Example output
Interface: port1, primary IP address: 9.1.1.2
VRID: 1
vrip: 9.1.1.254, priority: 100, state: BACKUP
adv_interval: 1, preempt: 1, start_time: 3
vrdst: 0.0.0.0
Syntax
get router info6 bgp <keyword>
<keyword>
Description
community
Show all BGP routes having their COMMUNITY attribute set.
community-list
Show all routes belonging to configured BGP community lists.
dampening {dampened-paths | flap-statistics | parameters}
Display information about dampening.
filter-list
inconsistent-as
neighbors [<address_ipv6mask>]
network [<address_ipv6mask>]
network-longer-prefixes <address_ipv6mask>
Show general information about the BGP route that you specify (for example, 2001:db8::/32) and any specific
routes associated with the prefix.
paths
prefix-list <name>
quote-regexp <regexp_str>
regexp <regexp_str>
route-map
summary
Syntax
get router info6 interface <interface_name>
Example output
The command returns the status of the interface and the assigned IPv6 address.
dmz2 [administratively down/down]
2001:db8:85a3:8d3:1319:8a2e:370:7348
fe80::209:fff:fe04:4cfd
Syntax
get router info6 kernel
Syntax
get router info6 ospf
Syntax
get router info6 protocols
Syntax
get router info6 rip
Syntax
get router info6 routing-table <item>
Variable
Description
<ipv6_ip>
bgp
connected
database
ospf
rip
static
switch-controller poe
Retrieve information about PoE ports.
Syntax
get switch-controller poe <vdom-name> <fortiswitch-id>
Syntax
get system admin list
Example output
# get system admin list
username  local  device                    remote                started
admin     sshv2  port1:172.20.120.148:22   172.20.120.16:4167    2006-08-09 12:24:20
admin     https  port1:172.20.120.148:443  172.20.120.161:56365  2006-08-09 12:24:20
admin     https  port1:172.20.120.148:443  172.20.120.16:4214    2006-08-09 12:25:29
Variable
Description
username
local
device
remote
started
Syntax
get system admin status
Example
The output looks like this:
# get system admin status
username: admin
login local: sshv2
login device: port1:172.20.120.148:22
login remote: 172.20.120.16:4167
login vdom: root
login started: 2006-08-09 12:24:20
current time: 2006-08-09 12:32:12
Variable
Description
username
login local
login device
login remote
login vdom
login started
current time
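The two admin commands above tell you who is logged in, from where, over which protocol and since when, which is exactly the data an administrative-access audit needs. As an added example that is not part of the FortiOS reference, the following Python parses a constructed `get system admin list` capture in the five-column layout shown above and flags sessions that use a cleartext protocol (telnet or http), arrive from outside a management subnet, terminate on a non-management interface, or have been open longer than a threshold relative to the "current time" field. The sample rows, the management subnet 172.20.120.0/24, the management interface port1 and the four-hour limit are assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the layout of `get system admin list`:
# username local device remote started
SAMPLE_ADMIN_LIST = """\
username local device remote started
admin sshv2 port1:172.20.120.148:22 172.20.120.16:4167 2006-08-09 12:24:20
admin https port1:172.20.120.148:443 172.20.120.161:56365 2006-08-09 12:24:20
admin telnet port1:172.20.120.148:23 172.20.120.16:4214 2006-08-09 06:10:02
auditor https wan1:203.0.113.5:443 198.51.100.77:51000 2006-08-09 12:25:29
"""

# "current time" as reported by `get system admin status` in the reference example.
SAMPLE_NOW = datetime(2006, 8, 9, 12, 32, 12)

# Login protocols that carry credentials and session data unencrypted.
CLEARTEXT = {"telnet", "http"}


def parse_admin_list(text):
    """Parse rows into dicts; 'started' spans two whitespace-separated tokens."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "username":
            continue
        user, local, device, remote, date, time = parts
        iface, _, listener = device.partition(":")       # port1 / 172.20.120.148:22
        remote_ip, _, remote_port = remote.rpartition(":")
        rows.append({
            "username": user, "local": local.lower(), "interface": iface,
            "listener": listener, "remote_ip": remote_ip,
            "remote_port": int(remote_port),
            "started": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        })
    return rows


def audit_admin_sessions(text, now, mgmt_net="172.20.120.0/24",
                         mgmt_ifaces=("port1",), max_age=timedelta(hours=4)):
    """Return (username, remote_ip, reason) for each policy violation found.

    The policy (subnet, interfaces, maximum session age) is an assumption for
    this example; adjust it to the environment being audited.
    """
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    for r in parse_admin_list(text):
        reasons = []
        if r["local"] in CLEARTEXT:
            reasons.append(f"cleartext protocol {r['local']}")
        if ipaddress.ip_address(r["remote_ip"]) not in net:
            reasons.append("source outside management subnet")
        if r["interface"] not in mgmt_ifaces:
            reasons.append(f"login on non-management interface {r['interface']}")
        if now - r["started"] > max_age:
            reasons.append("session older than %s" % max_age)
        for reason in reasons:
            findings.append((r["username"], r["remote_ip"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_admin_sessions(SAMPLE_ADMIN_LIST, SAMPLE_NOW):
        print(finding)
```

The 'started' column is a wall-clock timestamp taken from the unit itself, so compare it against the unit's own "current time" (as the status command reports it) rather than the workstation clock.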
system arp
View the ARP table entries on the FortiGate unit.
This command is not available in multiple VDOM mode.
Syntax
get system arp
Example output
# get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal
system auto-update
Use this command to display information about the status of FortiGuard updates on the FortiGate unit.
Syntax
get system auto-update status
get system auto-update versions
Example output
get system auto-update status
FDN availability: available at Thu Apr 1 08:22:58 2010
Push update: disable
Scheduled update: enable
Update daily: 8:22
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable
system central-management
View information about the Central Management System configuration.
Syntax
get system central-management
Example
The output looks like this:
system checksum
View the checksums for global, root, and all configurations. These checksums are used by HA to compare the
configurations of each cluster unit.
Syntax
get system checksum status
Example output
# get system checksum status
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
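Because HA uses these checksums to decide whether cluster units hold the same configuration, the practical check is to run the command on every unit (for example, via execute ha manage) and compare scope by scope. As an added example that is not part of the FortiOS reference, the following Python parses `get system checksum status` output from several units, normalises the byte lists, and reports the scopes on which the units disagree. The two captures and the hostnames FGT-A and FGT-B are constructed; FGT-B is given a different root VDOM checksum so that the mismatch shows up.

```python
import re

# Constructed outputs of `get system checksum status`, one per cluster unit.
# Hostnames are assumptions. FGT-B differs from FGT-A in the root VDOM only,
# which also changes the "all" checksum.
SAMPLE_CHECKSUMS = {
    "FGT-A": """\
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: bb a4 80 07 42 33 c2 ff f1 b5 6e fe e4 bb 45 fb
all: 1c 28 f1 06 fa 2e bc 1f ed bd 6b 21 f9 4b 12 88
""",
    "FGT-B": """\
global: 7a 87 3c 14 93 bc 98 92 b0 58 16 f2 eb bf a4 15
root: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
all: 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f 9f
""",
}

# "<scope>: <16 space-separated hex bytes>" ; scope is global, all, or a VDOM name.
LINE = re.compile(r"^\s*([\w-]+):\s*((?:[0-9a-fA-F]{2}\s*){16})$")


def parse_checksum_status(text):
    """Map each scope to its checksum as a 32-character lowercase hex string."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[m.group(1)] = "".join(m.group(2).split()).lower()
    return out


def checksum_mismatches(outputs):
    """Given {unit: command output}, return {scope: {unit: checksum}} for every
    scope on which at least two units disagree (a missing scope counts as None)."""
    parsed = {unit: parse_checksum_status(text) for unit, text in outputs.items()}
    scopes = set().union(*(p.keys() for p in parsed.values()))
    mismatches = {}
    for scope in sorted(scopes):
        values = {unit: p.get(scope) for unit, p in parsed.items()}
        if len(set(values.values())) > 1:
            mismatches[scope] = values
    return mismatches


if __name__ == "__main__":
    for scope, values in checksum_mismatches(SAMPLE_CHECKSUMS).items():
        print(scope, values)
```

A mismatch in "all" with every listed scope equal means a VDOM present on one unit is missing from the other, which is why the comparison treats an absent scope as a value of its own rather than skipping it.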
Syntax
get system cmdb status
Example output
# get system cmdb status
version: 1
owner id: 18
update index: 6070
config checksum: 12879299049430971535
last request pid: 68
last request type: 29
last request: 78
Variable
Description
version
owner id
update index
The update index shows how many changes have been made in the cmdb.
config checksum
last request
system fortianalyzer-connectivity
Display connection and remote disk usage information about a connected FortiAnalyzer unit.
Syntax
get system fortianalyzer-connectivity status
Example output
# get system fortianalyzer-connectivity status
Status: connected
Disk Usage: 0%
Syntax
get system fortiguard-log-service status
Example output
# get system fortiguard-log-service status
FortiGuard Log & Analysis Service
Expire on: 20071231
Total disk quota: 1111 MB
Max daily volume: 111 MB
Current disk quota usage: n/a
Syntax
get system fortiguard-service status
Example output
NAME                VERSION  LAST UPDATE          METHOD  EXPIRE
AV Engine           2.002    2006-01-26 19:45:00  manual  2006-06-12 08:00:00
Virus Definitions   6.513    2006-06-02 22:01:00  manual  2006-06-12 08:00:00
Attack Definitions  2.299    2006-06-09 19:19:00  manual  2006-06-12 08:00:00
IPS Attack Engine   1.015    2006-05-09 23:29:00  manual  2006-06-12 08:00:00
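Stale antivirus or IPS definitions and an expired FortiGuard contract silently reduce what the unit can detect, and the two status commands above are where that shows up. As an added example that is not part of the FortiOS reference, the following Python parses a constructed `get system fortiguard-service status` table (columns separated by two or more spaces) together with a constructed `get system auto-update status` listing, and reports services whose licence has expired or expires soon, definitions not updated within a given number of days, and the case where neither scheduled nor push updates are enabled. The sample data, the reference time and the 7-day and 30-day thresholds are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of `get system fortiguard-service status`
# (columns separated by two or more spaces; names and dates contain one space).
SAMPLE_FORTIGUARD_STATUS = """\
NAME                VERSION  LAST UPDATE          METHOD  EXPIRE
AV Engine           2.002    2006-01-26 19:45:00  manual  2006-06-12 08:00:00
Virus Definitions   6.513    2006-06-02 22:01:00  manual  2006-06-12 08:00:00
Attack Definitions  2.299    2006-06-09 19:19:00  manual  2006-06-12 08:00:00
IPS Attack Engine   1.015    2006-05-09 23:29:00  manual  2006-06-12 08:00:00
"""

# Constructed sample in the layout of `get system auto-update status`,
# with scheduled updates deliberately disabled.
SAMPLE_AUTO_UPDATE_STATUS = """\
FDN availability: available at Thu Apr 1 08:22:58 2010
Push update: disable
Scheduled update: disable
Update daily: 8:22
Virus definitions update: enable
IPS definitions update: enable
Server override: disable
Push address override: disable
Web proxy tunneling: disable
"""

# Assumed "now" for the example, two days before the licences expire.
SAMPLE_NOW = datetime(2006, 6, 10, 12, 0, 0)

TS = "%Y-%m-%d %H:%M:%S"


def parse_fortiguard_status(text):
    """Table rows -> dicts with parsed timestamps; the NAME header row is skipped."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5 or cols[0] == "NAME":
            continue
        name, version, last_update, method, expire = cols
        rows.append({"name": name, "version": version,
                     "last_update": datetime.strptime(last_update, TS),
                     "method": method, "expire": datetime.strptime(expire, TS)})
    return rows


def parse_auto_update_status(text):
    """'Key: value' lines -> dict, e.g. {'Scheduled update': 'disable'}.

    Only the first colon separates key and value, so timestamps survive intact.
    """
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def fortiguard_findings(status_text, auto_text, now,
                        stale_after=timedelta(days=7), expiry_warn=timedelta(days=30)):
    """List of (item, problem) tuples for expired/expiring licences, stale
    definitions, and an update mechanism that is switched off entirely."""
    findings = []
    for r in parse_fortiguard_status(status_text):
        if r["expire"] <= now:
            findings.append((r["name"], "licence expired"))
        elif r["expire"] - now <= expiry_warn:
            findings.append((r["name"], "licence expires within %d days" % expiry_warn.days))
        if now - r["last_update"] > stale_after:
            findings.append((r["name"], "no update for more than %d days" % stale_after.days))
    auto = parse_auto_update_status(auto_text)
    if auto.get("Scheduled update") != "enable" and auto.get("Push update") != "enable":
        findings.append(("auto-update", "neither scheduled nor push updates are enabled"))
    return findings


if __name__ == "__main__":
    for finding in fortiguard_findings(SAMPLE_FORTIGUARD_STATUS,
                                       SAMPLE_AUTO_UPDATE_STATUS, SAMPLE_NOW):
        print(finding)
```

The table parser relies on the column gaps being at least two spaces wide, which holds for the fixed-width layout the command prints; a single-space split would break the NAME and date columns.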
system ha-nonsync-csum
FortiManager uses this command to obtain a system checksum.
Syntax
get system ha-nonsync-csum
system ha status
Use this command to display information about an HA cluster. The command displays general HA configuration
settings. The command also displays information about how the cluster unit that you have logged into is
operating in the cluster.
Usually you would log into the primary unit CLI using SSH or telnet. In this case the get system ha status
command displays information about the primary unit first, and also displays the HA state of the primary unit (the
primary unit operates in the work state). However, if you log into the primary unit and then use the execute ha
manage command to log into a subordinate unit (or if you use a console connection to log into a subordinate
unit), the get system ha status command displays information about this subordinate unit first, and also
displays the HA state of this subordinate unit. The state of a subordinate unit is work for an active-active cluster
and standby for an active-passive cluster.
For a virtual cluster configuration, the get system ha status command displays information about how the
cluster unit that you have logged into is operating in virtual cluster 1 and virtual cluster 2. For example, if you
connect to the cluster unit that is the primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2,
the output of the get system ha status command shows virtual cluster 1 in the work state and virtual
cluster 2 in the standby state. The get system ha status command also displays additional information
about virtual cluster 1 and virtual cluster 2.
Syntax
get system ha status
The command display includes the following fields. For more information see the examples that follow.
Variable
Description
Model
Mode
Group
Debug
ses_pickup
load_balance
schedule
The active-active load balancing schedule. Displayed for active-active clusters only.
Master
Displays the device priority, host name, serial number, and actual cluster index of the primary (or master) unit.
Slave
Displays the device priority, host name, serial number, and actual cluster index of the subordinate (or slave, or
backup) unit or units.
The list of cluster units changes depending on how you log into the CLI. Usually you would use SSH or telnet to
log into the primary unit CLI. In this case the primary unit would be at the top of the list followed by the other
cluster units.
If you use execute ha manage or a console connection to log into a subordinate unit CLI, and then enter get
system ha status, the subordinate unit that you have logged into appears at the top of the list of cluster units.
number of vcluster
vcluster 1
The HA state (hello, work, or standby) and HA heartbeat IP address of the cluster unit that you have logged into
in virtual cluster 1. If virtual domains are not enabled, vcluster1 displays information for the cluster. If virtual
domains are enabled, vcluster1 displays information for virtual cluster 1.
The HA heartbeat IP address is 10.0.0.1 if you are logged into the primary unit of virtual cluster 1 and 10.0.0.2 if
you are logged into a subordinate unit of virtual cluster 1.
vcluster1 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 1. The list includes
the operating cluster index and serial number of each cluster unit in virtual cluster 1. The cluster unit that you
have logged into is at the top of the list.
If virtual domains are not enabled and you connect to the primary unit CLI, the HA state of the cluster unit in
virtual cluster 1 is work. The display lists the cluster units starting with the primary unit.
vcluster 2
vcluster2 only appears if virtual domains are enabled. vcluster2 displays the HA state (hello, work, or
standby) and HA heartbeat IP address of the cluster unit that you have logged into in virtual cluster 2. The HA
heartbeat IP address is 10.0.0.2 if you are logged into the primary unit of virtual cluster 2 and 10.0.0.1 if you are
logged into a subordinate unit of virtual cluster 2.
vcluster2 also lists the primary unit (master) and subordinate units (slave) in virtual cluster 2. The list includes
the cluster index and serial number of each cluster unit in virtual cluster 2. The cluster unit that you have logged
into is at the top of the list.
Syntax
get system info admin status
Example
This shows sample output.
Index User name Login type From
0 admin CLI ssh(172.20.120.16)
1 admin WEB 172.20.120.16
Variable
Description
Index
User name
Login type
From
Related topics
"system info admin ssh" on page 105
Syntax
get system info admin ssh
Example output
# get system info admin ssh
SSH v2 is enabled on port 22
SSH is enabled on the following 1 interfaces:
internal
SSH hostkey DSA fingerprint = cd:e1:87:70:bb:f0:9c:7d:e3:7b:73:f7:44:23:a5:99
SSH hostkey RSA fingerprint = c9:5b:49:1d:7c:ba:be:f3:9d:39:33:4d:48:9d:b8:49
Syntax
get system interface physical
Example output
This is a partial output.
speed: 100
==[wan1]
mode: pppoe
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
==[modem]
mode: static
ip: 0.0.0.0 0.0.0.0
status: down
speed: n/a
Syntax
get system ip-conflict status
system mgmt-csum
FortiManager uses this command to obtain checksum information from FortiGate units.
Syntax
get system mgmt-csum {global | vdom | all}
where
Syntax
get system performance firewall packet-distribution
get system performance firewall statistics
Variable
Description
packet-distribution
Display a list of packet size ranges and the number of packets of each size accepted by the firewall since the
system restarted. You can use this information to learn about the packet size distribution on your network.
statistics
Display a list of traffic types (browsing, email, DNS etc.) and the number of packets and number of payload bytes
accepted by the firewall for each type since the FortiGate unit was restarted.
Example output
get system performance firewall packet-distribution
getting packet distribution statistics...
0 bytes - 63 bytes: 655283 packets
64 bytes - 127 bytes: 1678278 packets
128 bytes - 255 bytes: 58823 packets
256 bytes - 383 bytes: 70432 packets
384 bytes - 511 bytes: 1610 packets
512 bytes - 767 bytes: 3238 packets
768 bytes - 1023 bytes: 7293 packets
1024 bytes - 1279 bytes: 18865 packets
1280 bytes - 1500 bytes: 58193 packets
> 1500 bytes: 0 packets
get system performance firewall statistics
getting traffic statistics...
Browsing: 623738 packets, 484357448 bytes
DNS: 5129187383836672 packets, 182703613804544 bytes
E-Mail: 23053606 packets, 2 bytes
FTP: 0 packets, 0 bytes
Gaming: 0 packets, 0 bytes
IM: 0 packets, 0 bytes
Newsgroups: 0 packets, 0 bytes
P2P: 0 packets, 0 bytes
Streaming: 0 packets, 0 bytes
TFTP: 654722117362778112 packets, 674223966126080 bytes
VoIP: 16834455 packets, 10 bytes
Generic TCP: 266287972352 packets, 8521215115264 bytes
Generic UDP: 0 packets, 0 bytes
Generic ICMP: 0 packets, 0 bytes
Generic IP: 0 packets, 0 bytes
Syntax
get system performance status
Variable
Description
CPU states
The percentages of CPU cycles used by user, system, nice and idle categories of processes. These categories are:
user - CPU usage of normal user-space processes
system - CPU usage of the kernel
Memory states
Average network usage
Average sessions
Virus caught
The number of viruses the FortiGate unit has caught in the last 1 minute.
IPS attacks blocked
The number of IPS attacks that have been blocked in the last 1 minute.
Uptime
Example output
# get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 18% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes, 1 kbps in 30 minutes
Average sessions: 5 sessions in 1 minute, 6 sessions in 10 minutes, 5 sessions in 30
minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 9days, 22 hours, 0 minutes
You can use the following commands when get system performance top is running:
Press Q or Ctrl+C to quit.
Press P to sort the processes by the amount of CPU that the processes are using.
Press M to sort the processes by the amount of memory that the processes are using.
Syntax
get system performance top [<delay_int> [<max_lines_int>]]
Variable
Description
<delay_int>
<max_lines_int>
Syntax
get system session list
Example output
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 127.0.0.1:1083 127.0.0.1:514
tcp 0 127.0.0.1:1085 127.0.0.1:514
tcp 10 127.0.0.1:1087 127.0.0.1:514
tcp 20 127.0.0.1:1089 127.0.0.1:514
tcp 30 127.0.0.1:1091 127.0.0.1:514
tcp 40 127.0.0.1:1093 127.0.0.1:514
tcp 60 127.0.0.1:1097 127.0.0.1:514
tcp 70 127.0.0.1:1099 127.0.0.1:514
tcp 80 127.0.0.1:1101 127.0.0.1:514
tcp 90 127.0.0.1:1103 127.0.0.1:514
tcp 100 127.0.0.1:1105 127.0.0.1:514
tcp 110 127.0.0.1:1107 127.0.0.1:514
tcp 103 172.20.120.16:3548 - 172.20.120.133:22
tcp 3600 172.20.120.16:3550 - 172.20.120.133:22
udp 175 127.0.0.1:1026 127.0.0.1:53
tcp 5 127.0.0.1:1084 127.0.0.1:514
tcp 5 127.0.0.1:1086 127.0.0.1:514
tcp 15 127.0.0.1:1088 127.0.0.1:514
tcp 25 127.0.0.1:1090 127.0.0.1:514
tcp 45 127.0.0.1:1094 127.0.0.1:514
tcp 59 127.0.0.1:1098 127.0.0.1:514
tcp 69 127.0.0.1:1100 127.0.0.1:514
tcp 79 127.0.0.1:1102 127.0.0.1:514 -
Variable
Description
PROTO
EXPIRE
SOURCE
SOURCE-NAT
DESTINATION
DESTINATION-NAT
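The session list is printed with a six-column header, but rows without NAT may come out with only the SOURCE and DESTINATION columns, or with a lone "-" in one of the NAT positions, so a parser has to decide per row which columns are present. The following Python is an added example, not part of the Fortinet reference and not a Fortinet tool: it parses the example output above (embedded as a constructed sample, one session per line), summarises sessions per protocol and destination port, and pulls out the sessions that are not loopback-to-loopback, which are the ones worth reviewing against firewall policy. The `Session` class and function names are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `get system session list` output shown above, one
# session per line. Loopback rows were printed without NAT columns; "-" marks
# an unused NAT column where the device printed one.
SAMPLE_SESSIONS = """\
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 0 127.0.0.1:1083 127.0.0.1:514
tcp 0 127.0.0.1:1085 127.0.0.1:514
tcp 10 127.0.0.1:1087 127.0.0.1:514
tcp 20 127.0.0.1:1089 127.0.0.1:514
tcp 30 127.0.0.1:1091 127.0.0.1:514
tcp 40 127.0.0.1:1093 127.0.0.1:514
tcp 60 127.0.0.1:1097 127.0.0.1:514
tcp 70 127.0.0.1:1099 127.0.0.1:514
tcp 80 127.0.0.1:1101 127.0.0.1:514
tcp 90 127.0.0.1:1103 127.0.0.1:514
tcp 100 127.0.0.1:1105 127.0.0.1:514
tcp 110 127.0.0.1:1107 127.0.0.1:514
tcp 103 172.20.120.16:3548 - 172.20.120.133:22
tcp 3600 172.20.120.16:3550 - 172.20.120.133:22
udp 175 127.0.0.1:1026 127.0.0.1:53
tcp 5 127.0.0.1:1084 127.0.0.1:514
tcp 5 127.0.0.1:1086 127.0.0.1:514
tcp 15 127.0.0.1:1088 127.0.0.1:514
tcp 25 127.0.0.1:1090 127.0.0.1:514
tcp 45 127.0.0.1:1094 127.0.0.1:514
tcp 59 127.0.0.1:1098 127.0.0.1:514
tcp 69 127.0.0.1:1100 127.0.0.1:514
tcp 79 127.0.0.1:1102 127.0.0.1:514 -
"""


@dataclass
class Session:
    proto: str
    expire: int            # seconds until the session entry expires
    src: str               # "ip:port"
    snat: Optional[str]    # None when no source NAT is applied
    dst: str
    dnat: Optional[str]

    @property
    def src_ip(self) -> str:
        return self.src.rsplit(":", 1)[0]

    @property
    def dst_ip(self) -> str:
        return self.dst.rsplit(":", 1)[0]

    @property
    def dst_port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1])


def _nat(token: str) -> Optional[str]:
    return None if token == "-" else token


def parse_session_list(text: str) -> List[Session]:
    """Parse session rows, tolerating the missing NAT columns seen in real output."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0] == "PROTO":
            continue
        proto, expire, rest = tokens[0], int(tokens[1]), tokens[2:]
        if len(rest) == 4:                         # SRC SNAT DST DNAT, fully printed
            src, snat, dst, dnat = rest
        elif len(rest) == 2:                       # SRC DST, no NAT columns at all
            src, dst = rest
            snat = dnat = "-"
        elif len(rest) == 3 and rest[1] == "-":    # SRC - DST
            src, snat, dst, dnat = rest[0], "-", rest[2], "-"
        elif len(rest) == 3 and rest[2] == "-":    # SRC DST -
            src, snat, dst, dnat = rest[0], "-", rest[1], "-"
        else:
            # Three addresses and no placeholder: SNAT and DST cannot be told apart,
            # so refuse rather than silently mislabel a NAT address as a destination.
            raise ValueError(f"line {lineno}: ambiguous session row: {line!r}")
        sessions.append(Session(proto, expire, src, _nat(snat), dst, _nat(dnat)))
    return sessions


def count_by_destination(sessions: List[Session]) -> Counter:
    """Number of sessions per (protocol, destination port), e.g. ('tcp', 514)."""
    return Counter((s.proto, s.dst_port) for s in sessions)


def non_loopback(sessions: List[Session]) -> List[Session]:
    """Sessions that are not purely internal to the unit: the ones to review against policy."""
    return [s for s in sessions
            if not (s.src_ip.startswith("127.") and s.dst_ip.startswith("127."))]
```

Refusing an ambiguous three-address row is deliberate: for a session review, a parser that guesses which address is the NAT and which is the destination is worse than one that stops and asks.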
Syntax
get system session status
Example output
The total number of sessions for the current VDOM: 3100
Syntax
get system session-helper-info list
Example output
list builtin help module:
mgcp
dcerpc
rsh
pmap
dns-tcp
dns-udp
rtsp
pptp
sip
mms
tns
h245
h323
ras
tftp
ftp
list session help:
help=pmap, protocol=17 port=111
help=rtsp, protocol=6 port=8554
help=rtsp, protocol=6 port=554
help=pptp, protocol=6 port=1723
help=rtsp, protocol=6 port=7070
help=sip, protocol=17 port=5060
help=pmap, protocol=6 port=111
help=rsh, protocol=6 port=512
help=dns-udp, protocol=17 port=53
help=tftp, protocol=17 port=69
help=tns, protocol=6 port=1521
help=mgcp, protocol=17 port=2727
help=dcerpc, protocol=17 port=135
help=rsh, protocol=6 port=514
help=ras, protocol=17 port=1719
help=ftp, protocol=6 port=21
help=mgcp, protocol=17 port=2427
help=dcerpc, protocol=6 port=135
help=mms, protocol=6 port=1863
help=h323, protocol=6 port=1720
system session-info
Use this command to display session information.
Syntax
get system session-info expectation
get system session-info full-stat
get system session-info list
get system session-info statistics
get system session-info ttl
Variable       Description
expectation
full-stat
list
statistics
ttl            Display the current setting of the config system session-ttl command, including the overall session timeout as well as the timeouts for specific protocols.
Example output
get system session-info statistics
misc info: session_count=15 exp_count=0 clash=0 memory_tension_drop=0 ephemeral=1/32752
removeable=14
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000001
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=227 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
system source-ip
Use this command to list defined source-IPs.
Syntax
get system source-ip
Example output
# get sys source-ip status
The following services force their communication to use
a specific source IP address:
service=NTP source-ip=172.18.19.101
service=DNS source-ip=172.18.19.101
vdom=root service=RADIUS name=server-pc25 source-ip=10.1.100.101
vdom=root service=TACACS+ name=tac_plus_pc25 source-ip=10.1.100.101
system startup-error-log
Use this command to display information about system startup errors. This command only displays information if
an error occurs when the FortiGate unit starts up.
Syntax
get system startup-error-log
Syntax
get system stp list
system status
Use this command to display system status information including:
FortiGate firmware version, build number and branch point
virus and attack definitions version
FortiGate unit serial number and BIOS version
log hard disk availability
host name
operation mode
virtual domains status: current VDOM, max number of VDOMs, number of NAT and TP mode VDOMs and
VDOM status
current HA status
system time
the revision of the WiFi chip in a FortiWiFi unit
Syntax
get system status
Example output
Version: Fortigate-620B v4.0,build0271,100330 (MR2)
Virus-DB: 11.00643(2010-03-31 17:49)
Extended DB: 11.00643(2010-03-31 17:50)
Extreme DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00778(2010-03-31 12:55)
FortiClient application signature package: 1.167(2010-04-01 10:11)
Serial-Number: FG600B3908600705
BIOS version: 04000006
Log hard disk: Available
Hostname: 620_ha_1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: a-p, master
Distribution: International
Branch point: 271
Release Version Information: MR2
System time: Thu Apr 1 15:27:29 2010
test
Use this command to display information about FortiGate applications and perform operations on FortiGate
applications. You can specify an application name and a test level. Enter ? to display the list of applications. The
test level performs various functions depending on the application but can include displaying memory usage,
dropping connections and restarting the application.
The test levels are different for different applications. In some cases when you enter the command and include
an application name but no test level (or an invalid test level) the command output includes a list of valid test
levels.
Syntax
get test <application_name_str> <test_level_int>
Example output
get test http
Proxy Worker 0 - http
[0:H] HTTP Proxy Test Usage
[0:H]
[0:H] 2: Drop all connections
[0:H] 22: Drop max idle connections
[0:H] 222: Drop all idle connections
[0:H] 4: Display connection stat
[0:H] 44: Display info per connection
[0:H] 444: Display connections per state
[0:H] 4444: Display per-VDOM statistics
[0:H] 44444: Display information about idle connections
[0:H] 55: Display tcp info per connection
user adgrp
Use this command to list Directory Service user groups.
Syntax
get user adgrp [<dsgroupname>]
If you do not specify a group name, the command returns information for all Directory Service groups. For
example:
== [DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1
If you specify a Directory Service group name, the command returns information for only that group. For example:
name : DOCTEST/Developers
server-name : ADserv1
The server-name is the name you assigned to the Directory Service server when you configured it in the user
fsae command.
vpn certificate
Display detailed information about local and CA certificates installed on the FortiGate. This is a VDOM level
command. The global command is get certificate.
Syntax
get vpn certificate {local | ca} details [certificate_name]
Syntax
get vpn ike gateway [<gateway_name_str>]
Syntax
get vpn ipsec tunnel details
Syntax
get vpn ipsec tunnel name <tunnel_name_str>
Syntax
get vpn ipsec tunnel summary
Syntax
get vpn ipsec stats crypto
Example output
get vpn ipsec stats crypto
IPsec crypto devices in use:
CP6 (encrypted/decrypted):
null:00
des:00
3des:00
aes:00
CP6 (generated/validated):
null:00
md5:00
sha1:00
sha256:00
SOFTWARE (encrypted/decrypted):
null:00
des:00
3des:00
aes:00
SOFTWARE (generated/validated):
null:00
md5:00
sha1:00
sha256:00
Syntax
get vpn ipsec stats tunnel
Example output
#get vpn ipsec stats tunnel
tunnels
total: 0
static/ddns: 0
dynamic: 0
manual: 0
errors: 0
selectors
total: 0
up: 0
Syntax
get vpn ssl monitor
Example output
Syntax
get vpn status l2tp
Syntax
get vpn status pptp
Syntax
get vpn status ssl hw-acceleration-status
get vpn status ssl list
Variable                  Description
hw-acceleration-status
list
webfilter categories
List the FortiGuard Web Filtering categories.
Syntax
get webfilter categories
webfilter ftgd-statistics
Use this command to display FortiGuard Web Filtering rating cache and daemon statistics.
Syntax
get webfilter ftgd-statistics
Example output
get webfilter ftgd-statistics
Rating Statistics:
=====================
DNS failures : 0
DNS lookups : 0
Data send failures : 0
Data read failures : 0
Wrong package type : 0
Hash table miss : 0
Unknown server : 0
Incorrect CRC : 0
Proxy request failures : 0
Request timeout : 0
Total requests : 0
Requests to FortiGuard servers : 0
Server errored responses : 0
Relayed rating : 0
Invalid profile : 0
Allowed : 0
Blocked : 0
Logged : 0
Errors : 0
Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0
Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0
Requests : 0
Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0
No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0
Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%
Exact nodes : 0%
Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%
webfilter status
Use this command to display FortiGate Web Filtering rating information.
Syntax
get webfilter status [<refresh-rate_int>]
wireless-controller client-info
Use this command to get information about WiFi clients.
Syntax
get wireless-controller client-info <vfid> <interface> <client_ip>
wireless-controller rf-analysis
Use this command to show information about RF conditions at the access point.
Syntax
get wireless-controller rf-analysis [<wtp_id>]
Example output
# get wireless-controller rf-analysis
<wtp-id> wtp id
FWF60C3G11004319 (global) # get wireless-controller rf-analysis
WTP: FWF60C-WIFI0 0-127.0.0.1:15246
channel rssi-total rf-score overlap-ap interfere-ap
1 418 1 24 26
2 109 5 0 34
3 85 7 1 34
4 64 9 0 35
5 101 6 1 35
6 307 1 8 11
7 82 7 0 16
8 69 8 1 15
9 42 10 0 15
10 53 10 0 14
11 182 1 5 6
12 43 10 0 6
13 20 10 0 5
14 8 10 0 5
Controller: FWF60C3G11004319-0
channel rssi_total
1 418
2 109
3 85
4 64
5 101
6 307
7 82
8 69
9 42
10 53
11 182
12 43
13 20
14 8
wireless-controller scan
Use this command to view the list of access points detected by wireless scanning.
Syntax
get wireless-controller scan
Example output
CMW SSID      BSSID              CHAN RATE S:N  INT CAPS ACT LIVE  AGE  WIRED
UNN           00:0e:8f:24:18:6d  64   54M  16:0 100 Es   N   62576 1668 ?
UNN ftiguest  00:15:55:23:d8:62  157  130M 6:0  100 EPs  N   98570 2554 ?
wireless-controller spectral-info
Use this command to display wireless controller spectrum analysis.
Syntax
get wireless-controller spectral-info
wireless-controller status
Use this command to view the numbers of wtp sessions and clients.
Syntax
get wireless-controller status
Example output
# get wireless-controller status
Wireless Controller :
wtp-session-count: 1
client-count : 1/0
wireless-controller vap-status
Use this command to view information about your SSIDs.
Syntax
get wireless-controller vap-status
Example output
# get wireless-controller vap-status
WLAN: mesh.root
name : mesh.root
vdom : root
ssid : fortinet.mesh.root
status : up
mesh backhaul : yes
ip : 0.0.0.0
mac : 00:ff:0a:57:95:ca
station info : 0/0
WLAN: wifi
name : wifi
vdom : root
ssid : ft-mesh
status : up
mesh backhaul : yes
ip : 10.10.80.1
mac : 00:ff:45:e1:55:81
station info : 1/0
wireless-controller wlchanlistlic
Use this command to display a list of the channels allowed in your region, including:
the maximum permitted power for each channel
the channels permitted for each wireless type (802.11n, for example)
The list is in XML format.
Syntax
get wireless-controller wlchanlistlic
Sample output
country name: UNITED STATES2, country code:841, iso name:US
channels on 802.11A band without channel bonding:
channel= 36 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 40 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 44 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel= 48 maxRegTxPower= 23 maxTxPower= 63/2 minTxPower= 63/2
channel=149 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=153 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=157 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=161 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
channel=165 maxRegTxPower= 30 maxTxPower= 63/2 minTxPower= 63/2
... (the remaining band sections of the output follow in the same channel= / maxRegTxPower= / maxTxPower= / minTxPower= row format)
wireless-controller wtp-status
Syntax
get wireless-controller wtp-status
Example output
# get wireless-controller wtp-status
tree
The tree command displays FortiOS config CLI commands in a tree structure called the configuration tree.
Each configuration command forms a branch of the tree.
Syntax
tree [branch] [sub-branch]
If you enter the tree command from the top of the configuration tree, the command displays the complete
configuration tree. Commands are displayed in the order that they are processed when the FortiGate unit starts
up. For example, the following output shows the first 10 lines of tree command output:
tree
-- -- system -- [vdom] --*name (12)
+- vcluster-id (0,0)
|- <global> -- language
|- gui-ipv6
|- gui-voip-profile
|- gui-lines-per-page (20,1000)
|- admintimeout (0,0)
|- admin-concurrent
|- admin-lockout-threshold (0,0)
|- admin-lockout-duration (1,2147483647)
|- refresh (0,2147483647)
|- interval (0,0)
|- failtime (0,0)
|- daily-restart
|- restart-time
...
You can include a branch name with the tree command to view the commands in that branch:
tree user
-- user -- [radius] --*name (36)
|- server (64)
|- secret
|- secondary-server (64)
|- secondary-secret
...
|- [tacacs+] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
...
|- [ldap] --*name (36)
|- server (64)
|- secondary-server (64)
|- tertiary-server (64)
|- port(1,65535)
...
You can include a branch and sub branch name with the tree command to view the commands in that sub branch:
tree user local
-- [local] --*name (36)
|- status
|- type
|- passwd
|- ldap-server (36)
|- radius-server (36)
+- tacacs+-server (36)
...
If you enter the tree command from inside the configuration tree the command displays the tree for the
current command:
config user ldap
tree
-- [ldap] --*name (36)
|- server (64)
|- cnid (21)
|- dn (512)
|- port (1,65535)
|- type
...
The tree command output includes information about field limits. These apply in both the CLI and the web-based manager. For a numeric field, the two numbers in parentheses show the lower and upper limits. For
example, (0,32) indicates that values from 0 to 32 inclusive are accepted. For string values, the number in
parentheses is one more than the maximum number of characters permitted.
In the following example, the FQDN can contain up to 255 characters.
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
+- [tags] --*name (64)
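The limits printed by tree are useful beyond reading: a configuration generator or a pre-push linter can read them and reject values the unit would refuse, applying the two rules just stated (a single number is a string field whose maximum length is one less than the number; two numbers are an inclusive integer range). The following Python is an added example, not part of the Fortinet reference and not a Fortinet tool: it parses the firewall address tree above (embedded as a constructed sample) into a limit table and checks candidate values against it. The `FieldLimit` type and function names are assumptions of the example.

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample: the `config firewall address` tree output shown above.
SAMPLE_TREE = """\
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- country (3)
|- cache-ttl (0,86400)
|- wildcard
|- comment
|- visibility
|- associated-interface (36)
|- color (0,32)
+- [tags] --*name (64)
"""


class FieldLimit(NamedTuple):
    kind: str   # "string" or "integer"
    lo: int     # integer: lower bound; string: 0
    hi: int     # integer: upper bound; string: maximum number of characters


# Matches the trailing "field (N)" or "field (lo,hi)" part of a tree line; the
# optional "*" covers key fields printed as "--*name (64)".
_LIMIT_RE = re.compile(r"\*?([\w+.-]+)\s*\((\d+)(?:,\s*(\d+))?\)\s*$")


def parse_tree_limits(text: str) -> Dict[str, FieldLimit]:
    """Collect the field limits printed by the tree command.

    One number in parentheses is a string field: the number is one more than
    the maximum length. Two numbers are an inclusive integer range. Fields
    printed without parentheses carry no documented limit and are not recorded.
    """
    limits: Dict[str, FieldLimit] = {}
    for raw in text.splitlines():
        m = _LIMIT_RE.search(raw.strip())
        if not m:
            continue
        name, first, second = m.group(1), int(m.group(2)), m.group(3)
        if second is None:
            limits[name] = FieldLimit("string", 0, first - 1)
        else:
            limits[name] = FieldLimit("integer", first, int(second))
    return limits


def check_value(limits: Dict[str, FieldLimit], field: str, value) -> Optional[str]:
    """Return None if value fits the documented limit, else the reason it does not."""
    lim = limits.get(field)
    if lim is None:
        return None                      # nothing documented to check against
    if lim.kind == "string":
        if not isinstance(value, str):
            return f"{field}: expected a string"
        if len(value) > lim.hi:
            return f"{field}: {len(value)} characters, maximum is {lim.hi}"
    else:
        if isinstance(value, bool) or not isinstance(value, int):
            return f"{field}: expected an integer"
        if not lim.lo <= value <= lim.hi:
            return f"{field}: {value} outside {lim.lo}..{lim.hi}"
    return None


if __name__ == "__main__":
    limits = parse_tree_limits(SAMPLE_TREE)
    for field, value in [("fqdn", "a" * 256), ("cache-ttl", 86401), ("color", 7)]:
        print(field, check_value(limits, field, value) or "ok")
```

Fields such as "type" or "wildcard" that tree prints without parentheses are enumerations or fixed formats the unit validates on its own; the checker leaves them alone rather than inventing a limit for them.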
Copyright 2016 Fortinet, Inc. All rights reserved.