
FortiOS - CLI Reference
VERSION 5.4.1

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

June 3, 2016
FortiOS - CLI Reference
01-541-99686-20160603

Change Log

Date                 Change Description
June 3, 2016         Updated for FortiOS 5.4.1.
December 16, 2015    New FortiOS 5.4.0 release.

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

Introduction
This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI).

How this guide is organized


This document contains the following sections:
- Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate
  unit boot-up.
- config describes the commands for each configuration branch of the FortiOS CLI. The command branches and
  commands are in alphabetical order. The information in this section has been extracted and formatted from
  FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted
  from CLI help) and default values. This is the first version of this content produced in this way. You can send
  comments about this content to techdoc@fortinet.com.
- execute describes execute commands.
- get describes get commands.
- tree describes the tree command.

Availability of commands and options


Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error
message if you attempt to enter a command or option that is not available. You can use the question mark ? to
verify the commands and options that are available.
Commands and options may not be available for the following reasons:

FortiGate model
Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support
the aggregate interface type option of the config system interface command.

Hardware configuration
For example, some AMC module commands are only available when an AMC module is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.
Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes
commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.

Managing Firmware with the FortiGate BIOS


FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based
manager or by using the CLI execute restore command. From the console, you can also interrupt the
FortiGate unit's boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.
Using the BIOS, you can:
- view system information
- format the boot device
- load firmware and reboot (see Loading firmware)
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the
  backup firmware)

Accessing the BIOS


The BIOS menu is available only through a direct connection to the FortiGate unit's Console port. During boot-up,
"Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS
menu appears. If you are too late, the boot-up process continues as usual.

Navigating the menu


The main BIOS menu looks like this:
[C]: Configure TFTP parameters
[R]: Review TFTP parameters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[Q]: Quit menu and continue to boot
[I]: System Information
[B]: Boot with backup firmware and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

Enter C,R,T,F,I,B,Q,or H:

Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An
option value in square brackets at the end of the Enter line is the default value which you can enter simply by
pressing Return. For example,
Enter image download port number [WAN1]:

In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware
The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.
You need to know the IP address of the server and the name of the firmware file to download.


The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the
downloaded firmware without saving it.

Configuring TFTP parameters


Starting from the main BIOS menu
[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)


[V]: Set local VLAN ID.

Choose port and whether to use DHCP


[P]: Set firmware download port.

The options listed depend on the FortiGate model. Choose the network interface through which the TFTP
server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP

If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [192.168.1.188]:

This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same
subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:
[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the
FortiGate unit is connected.

TFTP and filename


[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:
[F]: Set firmware file name.
Enter firmware file name [image.out]:

Enter [Q] to return to the main menu.

Initiating TFTP firmware transfer


Starting from the main BIOS menu
[T]: Initiate TFTP firmware transfer.


Please connect TFTP server to Ethernet port 'WAN1'.
MAC: 00:09:0f:b5:55:28
Connect to tftp server 192.168.1.145 ...
##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the
firmware is copied:
Programming the boot device now.
................................................................
................................................................
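The two things that go wrong most often in this procedure are a gateway that was not set when the TFTP server sits on another subnet (the "Non-DHCP steps" above) and an image on the TFTP server that is not the file the operator thinks it is. The following is an added example, not part of the FortiOS CLI Reference: it checks the values to be typed at the [I], [S], [G] and [T] prompts against each other, and stages the firmware under the name given at the [F] prompt only when its SHA-256 digest matches one obtained out of band. The TFTP root directory, the image bytes and the digest in demo() are constructed for illustration.

```python
"""Pre-flight checks for a console firmware load over TFTP.

Added example, not part of the FortiOS CLI Reference. Assumptions: the
expected digest is obtained out of band by the operator; the TFTP root and
the image bytes used in demo() are constructed for illustration."""
import hashlib
import ipaddress
import tempfile
from pathlib import Path


def needs_gateway(local_ip, subnet_mask, tftp_server):
    """True when the TFTP server is outside the FortiGate's temporary subnet,
    which is exactly the case where the [G] local gateway must be set."""
    net = ipaddress.IPv4Network(f"{local_ip}/{subnet_mask}", strict=False)
    return ipaddress.IPv4Address(tftp_server) not in net


def check_tftp_params(local_ip, subnet_mask, gateway, tftp_server):
    """Return a list of inconsistencies in the non-DHCP BIOS parameters;
    an empty list means the transfer can be attempted."""
    problems = []
    net = ipaddress.IPv4Network(f"{local_ip}/{subnet_mask}", strict=False)
    if ipaddress.IPv4Address(local_ip) in (net.network_address, net.broadcast_address):
        problems.append("local IP is the network or broadcast address")
    if needs_gateway(local_ip, subnet_mask, tftp_server):
        if not gateway:
            problems.append("TFTP server is on another subnet but no local gateway is set")
        elif ipaddress.IPv4Address(gateway) not in net:
            problems.append("local gateway is not on the local subnet")
    return problems


def stage_image(src, tftp_root, expected_sha256, filename="image.out"):
    """Copy src into tftp_root under the name the BIOS will request.
    Refuses to stage a file whose SHA-256 differs from expected_sha256, so a
    corrupted or tampered download never reaches the boot device."""
    data = Path(src).read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise ValueError(f"digest mismatch for {src}: got {digest}")
    dest = Path(tftp_root) / filename
    dest.write_bytes(data)
    return dest


def demo():
    """Run the checks on the default values shown in this chapter and on a
    constructed image file; returns the results for inspection."""
    with tempfile.TemporaryDirectory() as tftp_root:
        src = Path(tftp_root) / "downloaded-image.bin"   # constructed download
        src.write_bytes(b"constructed firmware image bytes, not a real image")
        good_digest = hashlib.sha256(src.read_bytes()).hexdigest()
        staged = stage_image(src, tftp_root, good_digest)
        try:
            stage_image(src, tftp_root, "0" * 64)        # wrong digest must fail
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True
        return {
            "same_subnet_needs_gateway": needs_gateway("192.168.1.188", "255.255.252.0", "192.168.1.145"),
            "remote_server_problems": check_tftp_params("192.168.1.188", "255.255.252.0", "", "10.0.0.5"),
            "staged_name": staged.name,
            "tampered_rejected": tampered_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

With the chapter's defaults (local 192.168.1.188/255.255.252.0, server 192.168.1.145) no gateway is needed; moving the server to 10.0.0.5 without a gateway is reported as a problem before any console time is spent.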

Booting the backup firmware


You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.
Starting from the main BIOS menu
[B]: Boot with backup firmware and set as default.

If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press Y or y to boot default image.

config
Use the config commands to change your FortiGate's configuration.
The command branches and commands are in alphabetical order. The information in this section has been
extracted and formatted from FortiOS source code. The extracted information includes the command syntax,
command descriptions (extracted from CLI help) and default values. This is the first version of this content
produced in this way. You can send comments about this content to techdoc@fortinet.com.


alertemail/setting
CLI Syntax
config alertemail setting
    edit <name_str>
        set username <string>
        set mailto1 <string>
        set mailto2 <string>
        set mailto3 <string>
        set filter-mode {category | threshold}
        set email-interval <integer>
        set IPS-logs {enable | disable}
        set firewall-authentication-failure-logs {enable | disable}
        set HA-logs {enable | disable}
        set IPsec-errors-logs {enable | disable}
        set FDS-update-logs {enable | disable}
        set PPP-errors-logs {enable | disable}
        set sslvpn-authentication-errors-logs {enable | disable}
        set antivirus-logs {enable | disable}
        set webfilter-logs {enable | disable}
        set configuration-changes-logs {enable | disable}
        set violation-traffic-logs {enable | disable}
        set admin-login-logs {enable | disable}
        set FDS-license-expiring-warning {enable | disable}
        set log-disk-usage-warning {enable | disable}
        set fortiguard-log-quota-warning {enable | disable}
        set amc-interface-bypass-mode {enable | disable}
        set FIPS-CC-errors {enable | disable}
        set FDS-license-expiring-days <integer>
        set local-disk-usage <integer>
        set emergency-interval <integer>
        set alert-interval <integer>
        set critical-interval <integer>
        set error-interval <integer>
        set warning-interval <integer>
        set notification-interval <integer>
        set information-interval <integer>
        set debug-interval <integer>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
end

Description
Configuration                          Description                                                              Default Value
username                               Email from address.                                                      (Empty)
mailto1                                Destination email address 1.                                             (Empty)
mailto2                                Destination email address 2.                                             (Empty)
mailto3                                Destination email address 3.                                             (Empty)
filter-mode                            Filter mode.                                                             category
email-interval                         Interval between each email.
IPS-logs                               Enable/disable IPS logs.                                                 disable
firewall-authentication-failure-logs   Enable/disable logging of firewall authentication failures.              disable
HA-logs                                Enable/disable HA logs.                                                  disable
IPsec-errors-logs                      Enable/disable IPsec errors logs.                                        disable
FDS-update-logs                        Enable/disable FortiGuard update logs.                                   disable
PPP-errors-logs                        Enable/disable PPP errors logs.                                          disable
sslvpn-authentication-errors-logs      Enable/disable logging of SSL-VPN authentication errors.                 disable
antivirus-logs                         Enable/disable antivirus logs.                                           disable
webfilter-logs                         Enable/disable web filter logging.                                       disable
configuration-changes-logs             Enable/disable logging of configuration changes.                         disable
violation-traffic-logs                 Enable/disable logging of violation traffic.                             disable
admin-login-logs                       Enable/disable logging of administrator login/logouts.                   disable
FDS-license-expiring-warning           Enable/disable FortiGuard license expiration warning.                    disable
log-disk-usage-warning                 Enable/disable logging of disk usage warning.                            disable
fortiguard-log-quota-warning           Enable/disable warning of FortiCloud log quota.                          disable
amc-interface-bypass-mode              Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface          disable
                                       bypass mode.
FIPS-CC-errors                         Enable/disable FIPS and Common Criteria errors.                          disable
FDS-license-expiring-days              Number of days to send alert email prior to FortiGuard license           15
                                       expiration (1 - 100 days).
local-disk-usage                       Percentage at which to send alert email prior to disk usage              75
                                       exceeding this threshold (1 - 99 percent).
emergency-interval                     Emergency alert interval in minutes.
alert-interval                         Alert alert interval in minutes.
critical-interval                      Critical alert interval in minutes.
error-interval                         Error alert interval in minutes.
warning-interval                       Warning alert interval in minutes.                                       10
notification-interval                  Notification alert interval in minutes.                                  20
information-interval                   Information alert interval in minutes.                                   30
debug-interval                         Debug alert interval in minutes.                                         60
severity                               Lowest severity level to log.                                            alert

antivirus/heuristic
CLI Syntax
config antivirus heuristic
    edit <name_str>
        set mode {pass | block | disable}
end

Description
Configuration                          Description                                                              Default Value
mode                                   Mode to use for heuristics.                                              disable

antivirus/profile
CLI Syntax
config antivirus profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set inspection-mode {proxy | flow-based}
        set ftgd-analytics {disable | suspicious | everything}
        set analytics-max-upload <integer>
        set analytics-wl-filetype <integer>
        set analytics-bl-filetype <integer>
        set analytics-db {disable | enable}
        set mobile-malware-db {disable | enable}
        config http
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
        end
        config ftp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
        end
        config imap
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
        end
        config pop3
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
        end
        config smtp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
        end
        config mapi
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
                set executables {default | virus}
        end
        config nntp
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
        end
        config smb
            edit <name_str>
                set options {scan | avmonitor | avquery | quarantine}
                set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
                set emulator {enable | disable}
        end
        config nac-quar
            edit <name_str>
                set infected {none | quar-src-ip | quar-interface}
                set expiry <user>
                set log {enable | disable}
        end
        set av-virus-log {enable | disable}
        set av-block-log {enable | disable}
        set scan-mode {quick | full}
end

Description
Configuration                          Description                                                              Default Value
name                                   Profile name.                                                            (Empty)
comment                                Comment.                                                                 (Empty)
replacemsg-group                       Replacement message group.                                               (Empty)
inspection-mode                        Inspection mode.                                                         flow-based
ftgd-analytics                         Submit suspicious or supposedly clean files to FortiSandbox.             disable
analytics-max-upload                   Maximum upload size to FortiSandbox (in MB).                             10
analytics-wl-filetype                  Do not submit files matching this file-pattern table to the
                                       FortiSandbox.
analytics-bl-filetype                  Only submit files matching this file-pattern table to the
                                       FortiSandbox.
analytics-db                           Use signature database from FortiSandbox to supplement the AV            disable
                                       signature databases.
mobile-malware-db                      Use mobile malware signature database.                                   enable
http                                   HTTP.                                                                    Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
ftp                                    FTP.                                                                     Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
imap                                   IMAP.                                                                    Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
    executables                                                                                                 default
pop3                                   POP3.                                                                    Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
    executables                                                                                                 default
smtp                                   SMTP.                                                                    Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
    executables                                                                                                 default
mapi                                   MAPI.                                                                    Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
    executables                                                                                                 default
nntp                                   NNTP.                                                                    Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
smb                                    SMB.                                                                     Details below
    options                                                                                                     (Empty)
    archive-block                                                                                               (Empty)
    archive-log                                                                                                 (Empty)
    emulator                                                                                                    enable
nac-quar                               Quarantine settings.                                                     Details below
    infected                                                                                                    none
    expiry                                                                                                      5m
    log                                                                                                         disable
av-virus-log                           Enable/disable logging for antivirus scanning.                           enable
av-block-log                           Enable/disable logging for antivirus file blocking.                      enable
scan-mode                              Choose between full scan mode and quick scan mode.                       full
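Both the alertemail/setting table and the antivirus/profile table above show that the security-relevant options default to the weaker value: administrator login and configuration-change alerts are disabled, and each protocol's options and archive-block lists are empty. The following is an added example, not FortiOS code: a small parser for the config/edit/set/next/end grammar used throughout this reference, plus an audit that reads a backup of these two branches and reports the settings a defender would want changed. The two configuration texts are constructed, and the audit expectations (scan enabled, emulator on, encrypted and mailbomb archives blocked, the three alert log switches enabled) are the author's own choices rather than Fortinet recommendations.

```python
"""Parse a FortiOS CLI config dump into nested dicts and audit the
'alertemail setting' and 'antivirus profile' branches.

Added example, not FortiOS code. Both config texts are constructed, and the
audit expectations are the author's own defender-oriented choices."""
import shlex

# Constructed weak config: admin-login and config-change alerts left at their
# disabled defaults, HTTP emulator off, no archive blocking on SMTP.
WEAK_CONFIG = """\
config alertemail setting
    set mailto1 "soc@example.test"
    set IPS-logs enable
end
config antivirus profile
    edit "default"
        config http
            set options scan
            set archive-block encrypted mailbomb
            set emulator disable
        end
        config smtp
            set options scan
        end
    next
end
"""

# Constructed corrected counterpart: everything the audit below asks for.
HARDENED_CONFIG = """\
config alertemail setting
    set mailto1 "soc@example.test"
    set admin-login-logs enable
    set configuration-changes-logs enable
    set IPS-logs enable
end
config antivirus profile
    edit "default"
        config http
            set options scan
            set archive-block encrypted mailbomb
            set emulator enable
        end
        config smtp
            set options scan
            set archive-block encrypted mailbomb
            set emulator enable
        end
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: table -> entry -> key -> [values]. Singleton
    tables such as 'alertemail setting' keep their keys under the table."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours quoted names and values
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]   # multi-value options stay lists
        elif keyword in ("next", "end"):
            stack.pop()
    return root


# Protocol sub-tables of 'config antivirus profile' from the syntax above.
AV_PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi", "nntp", "smb")


def audit(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    alert = cfg.get("alertemail setting", {})
    if not alert.get("mailto1"):
        findings.append("alertemail: no mailto1 recipient, alerts go nowhere")
    # All three default to 'disable' (see the table above).
    for key in ("admin-login-logs", "configuration-changes-logs", "IPS-logs"):
        if alert.get(key, ["disable"]) != ["enable"]:
            findings.append(f"alertemail: {key} is not enabled")
    for name, profile in cfg.get("antivirus profile", {}).items():
        for proto in AV_PROTOCOLS:
            sub = profile.get(proto)
            if sub is None:
                continue                    # protocol not configured at all
            if "scan" not in sub.get("options", []):
                findings.append(f"antivirus profile {name}/{proto}: 'scan' not in options")
            if sub.get("emulator", ["enable"]) == ["disable"]:
                findings.append(f"antivirus profile {name}/{proto}: emulator disabled")
            for kind in ("encrypted", "mailbomb"):
                if kind not in sub.get("archive-block", []):
                    findings.append(f"antivirus profile {name}/{proto}: archive-block lacks {kind}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(text)) or "clean")
```

Run against a real backup, the parser ignores keywords it does not know (unset, comments), and a protocol section that is absent from the profile is skipped rather than reported, since the table above gives its defaults.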

antivirus/quarantine
CLI Syntax
config antivirus quarantine
    edit <name_str>
        set agelimit <integer>
        set maxfilesize <integer>
        set quarantine-quota <integer>
        set drop-infected {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-infected {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set drop-heuristic {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set store-heuristic {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
        set lowspace {drop-new | ovrw-old}
        set destination {NULL | disk | FortiAnalyzer}
end

Description
Configuration                          Description                                                              Default Value
agelimit                               Age limit for quarantined files.
maxfilesize                            Maximum file size to quarantine.
quarantine-quota                       Quarantine quota.
drop-infected                          Ignore infected files from a protocol.                                   (Empty)
store-infected                         Quarantine infected files from a protocol.                               imap smtp pop3 http ftp
                                                                                                                nntp imaps smtps pop3s
                                                                                                                https ftps mapi
drop-blocked                           Drop blocked files from a protocol.                                      (Empty)
store-blocked                          Quarantine blocked files from a protocol.                                imap smtp pop3 http ftp
                                                                                                                nntp imaps smtps pop3s
                                                                                                                ftps mapi
drop-heuristic                         Ignore heuristically caught files from a protocol.                       (Empty)
store-heuristic                        Quarantine heuristically caught files from a protocol.                   imap smtp pop3 http ftp
                                                                                                                nntp imaps smtps pop3s
                                                                                                                https ftps mapi
lowspace                               Action when the disk is almost full.                                     ovrw-old
destination                            Quarantine destination: disk/FortiAnalyzer.                              disk

antivirus/settings
CLI Syntax
config antivirus settings
    edit <name_str>
        set default-db {normal | extended | extreme}
        set grayware {enable | disable}
end

Description
Configuration                          Description                                                              Default Value
default-db                             Select AV database to be used for AV scanning.                           extended
grayware                               Enable/disable detection of grayware.                                    disable

application/custom
CLI Syntax
config application custom
    edit <name_str>
        set tag <string>
        set name <string>
        set id <integer>
        set comment <string>
        set signature <string>
        set category <integer>
        set protocol <user>
        set technology <user>
        set behavior <user>
        set vendor <user>
end

Description
Configuration                          Description                                                              Default Value
tag                                    Signature tag.                                                           (Empty)
name                                   Application name.                                                        (Empty)
id                                     Application ID.
comment                                Comment.                                                                 (Empty)
signature                              Signature text.                                                          (Empty)
category                               Application category ID.
protocol                               Application protocol.                                                    (Empty)
technology                             Application technology.                                                  (Empty)
behavior                               Application behavior.                                                    (Empty)
vendor                                 Application vendor.                                                      (Empty)

application/list
CLI Syntax
config application list
    edit <name_str>
        set name <string>
        set comment <var-string>
        set replacemsg-group <string>
        set other-application-action {pass | block}
        set app-replacemsg {disable | enable}
        set other-application-log {disable | enable}
        set unknown-application-action {pass | block}
        set unknown-application-log {disable | enable}
        set p2p-black-list {skype | edonkey | bittorrent}
        set deep-app-inspection {disable | enable}
        set options {allow-dns | allow-icmp | allow-http | allow-ssl}
        config entries
            edit <name_str>
                set id <integer>
                config risk
                    edit <name_str>
                        set level <integer>
                end
                config category
                    edit <name_str>
                        set id <integer>
                end
                config sub-category
                    edit <name_str>
                        set id <integer>
                end
                config application
                    edit <name_str>
                        set id <integer>
                end
                set protocols <user>
                set vendor <user>
                set technology <user>
                set behavior <user>
                set popularity {1 | 2 | 3 | 4 | 5}
                config tags
                    edit <name_str>
                        set name <string>
                end
                config parameters
                    edit <name_str>
                        set id <integer>
                        set value <string>
                end
                set action {pass | block | reset}
                set log {disable | enable}
                set log-packet {disable | enable}
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {periodical | continuous}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
                set session-ttl <integer>
                set shaper <string>
                set shaper-reverse <string>
                set per-ip-shaper <string>
                set quarantine {none | attacker | both | interface}
                set quarantine-expiry <user>
                set quarantine-log {disable | enable}
        end
end

Description
Configuration                          Description                                                              Default Value
name                                   List name.                                                               (Empty)
comment                                Comments.                                                                (Empty)
replacemsg-group                       Replacement message group.                                               (Empty)
other-application-action               Action for other applications.                                           pass
app-replacemsg                         Enable/disable replacement messages for blocked applications.            enable
other-application-log                  Enable/disable logging of other applications.                            disable
unknown-application-action             Action for unknown applications.                                         pass
unknown-application-log                Enable/disable logging of unknown applications.                          disable
p2p-black-list                         Action for p2p black list.                                               (Empty)
deep-app-inspection                    Enable/disable deep application inspection.                              disable
options                                Options.                                                                 allow-dns
entries                                Application list entries.                                                (Empty)

application/name
CLI Syntax
config application name
    edit <name_str>
        set name <string>
        set id <integer>
        set category <integer>
        set sub-category <integer>
        set popularity <integer>
        set risk <integer>
        set protocol <user>
        set technology <user>
        set behavior <user>
        set vendor <user>
        set parameter <string>
        config metadata
            edit <name_str>
                set id <integer>
                set metaid <integer>
                set valueid <integer>
        end
end

Description
Configuration                          Description                                                              Default Value
name                                   Application name.                                                        (Empty)
id                                     Application ID.
category                               Application category ID.
sub-category                           Application sub-category ID.
popularity                             Application popularity.
risk                                   Application risk.
protocol                               Application protocol.                                                    (Empty)
technology                             Application technology.                                                  (Empty)
behavior                               Application behavior.                                                    (Empty)
vendor                                 Application vendor.                                                      (Empty)
parameter                              Application parameter name.                                              (Empty)
metadata                               Meta data.                                                               (Empty)

application/rule-settings
CLI Syntax
config application rule-settings
    edit <name_str>
        set id <integer>
        config tags
            edit <name_str>
                set name <string>
        end
end

Description
Configuration                          Description                                                              Default Value
id                                     Rule ID.
tags                                   Applied object tags.                                                     (Empty)

certificate/ca
CLI Syntax
config certificate ca
    edit <name_str>
        set name <string>
        set ca <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set trusted {enable | disable}
        set scep-url <string>
        set auto-update-days <integer>
        set auto-update-days-warning <integer>
        set source-ip <ipv4-address>
end

Description
Configuration                          Description                                                              Default Value
name                                   Name.                                                                    (Empty)
ca                                     CA certificate.                                                          (Empty)
range                                  CA certificate range.                                                    global
source                                 CA certificate source.                                                   user
trusted                                Enable/disable trusted CA.                                               enable
scep-url                               URL of SCEP server.                                                      (Empty)
auto-update-days                       Days to auto-update before expired, 0=disabled.
auto-update-days-warning               Days to send warning before auto-update (0=disabled).
source-ip                              Source IP for communications to SCEP server.                             0.0.0.0

certificate/crl
CLI Syntax
config certificate crl
    edit <name_str>
        set name <string>
        set crl <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set update-vdom <string>
        set ldap-server <string>
        set ldap-username <string>
        set ldap-password <password>
        set http-url <string>
        set scep-url <string>
        set scep-cert <string>
        set update-interval <integer>
        set source-ip <ipv4-address>
end

Description
Configuration                          Description                                                              Default Value
name                                   Name.                                                                    (Empty)
crl                                    Certificate Revocation List.                                             (Empty)
range                                  CRL range.                                                               global
source                                 CRL source.                                                              user
update-vdom                            Virtual domain for CRL update.                                           root
ldap-server                            LDAP server.                                                             (Empty)
ldap-username                          Login name for LDAP server.                                              (Empty)
ldap-password                          Login password for LDAP server.                                          (Empty)
http-url                               URL of HTTP server for CRL update.                                       (Empty)
scep-url                               URL of CA server for CRL update via SCEP.                                (Empty)
scep-cert                              Local certificate used for CRL update via SCEP.                          Fortinet_CA_SSL
update-interval                        Seconds between updates, 0=disabled.
source-ip                              Source IP for communications to CA (HTTP/SCEP) server.                   0.0.0.0

certificate/local
CLI Syntax
config certificate local
    edit <name_str>
        set name <string>
        set password <password>
        set comments <string>
        set private-key <user>
        set certificate <user>
        set csr <user>
        set state <user>
        set scep-url <string>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
        set auto-regenerate-days <integer>
        set auto-regenerate-days-warning <integer>
        set scep-password <password>
        set ca-identifier <string>
        set name-encoding {printable | utf8}
        set source-ip <ipv4-address>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end

Description
Configuration                          Description                                                              Default Value
name                                   Name.                                                                    (Empty)
password                               Password.                                                                (Empty)
comments                               Comment.                                                                 (Empty)
private-key                            Private key.                                                             (Empty)
certificate                            Certificate.                                                             (Empty)
csr                                    Certificate Signing Request.                                             (Empty)
state                                  Certificate Signing Request State.                                       (Empty)
scep-url                               URL of SCEP server.                                                      (Empty)
range                                  Certificate range.                                                       global
source                                 Certificate source.                                                      user
auto-regenerate-days                   Days to auto-regenerate before expired, 0=disabled.
auto-regenerate-days-warning           Days to send warning before auto-regeneration, 0=disabled.
scep-password                          SCEP server challenge password for auto-regeneration.                    (Empty)
ca-identifier                          CA identifier of the CA server for signing via SCEP.                     (Empty)
name-encoding                          Name encoding for auto-regeneration.                                     printable
source-ip                              Source IP for communications to SCEP server.                             0.0.0.0
ike-localid                            IKE local ID.                                                            (Empty)
ike-localid-type                       IKE local ID type.                                                       asn1dn
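The certificate/ca and certificate/local branches above both carry a pair of day counters (auto-update-days and auto-update-days-warning, auto-regenerate-days and auto-regenerate-days-warning) with 0 meaning disabled. The following is an added example, not FortiOS code, that applies those counters to an inventory of certificates and reports which ones need attention. The inventory is constructed; the semantics are an assumption drawn from the option descriptions, namely that the automatic action runs N days before expiry and the warning is sent W days before that action, and the 30-day notice for certificates with automation disabled is this example's own choice.

```python
"""Evaluate the auto-update (config certificate ca) and auto-regenerate
(config certificate local) day thresholds against a certificate inventory.

Added example, not FortiOS code. The inventory is constructed. Assumed
semantics: the automatic action runs auto_days before expiry (0 = disabled)
and a warning is sent warning_days before that action (0 = disabled)."""
from datetime import date, timedelta


def cert_state(not_after, today, auto_days, warning_days):
    """Classify one certificate as 'expired', 'manual' (automation disabled),
    'due' (the automatic action should have run), 'warning' or 'ok'."""
    days_left = (not_after - today).days
    if days_left < 0:
        return "expired"
    if auto_days == 0:
        return "manual"
    if days_left <= auto_days:
        return "due"
    if warning_days and days_left <= auto_days + warning_days:
        return "warning"
    return "ok"


def inventory_report(inventory, today, manual_notice_days=30):
    """Return ({name: state}, [names needing attention]). Certificates with
    automation disabled are flagged once manual_notice_days or fewer remain
    (30 is this example's own choice, not a FortiOS setting)."""
    states, attention = {}, []
    for cert in inventory:
        state = cert_state(cert["not_after"], today, cert["auto_days"], cert["warning_days"])
        states[cert["name"]] = state
        days_left = (cert["not_after"] - today).days
        if state in ("expired", "due", "warning") or (
            state == "manual" and days_left <= manual_notice_days
        ):
            attention.append(cert["name"])
    return states, attention


TODAY = date(2016, 6, 3)   # the date on this document's title page


def state_in(days, auto_days, warning_days):
    """Convenience: state of a certificate expiring `days` days from TODAY."""
    return cert_state(TODAY + timedelta(days=days), TODAY, auto_days, warning_days)


# Constructed inventory; auto_days/warning_days mirror auto-update-days and
# auto-update-days-warning (CA) or auto-regenerate-days and
# auto-regenerate-days-warning (local certificate).
INVENTORY = [
    {"name": "ca-corp-root", "not_after": TODAY + timedelta(days=400), "auto_days": 30, "warning_days": 7},
    {"name": "local-ssl-vpn", "not_after": TODAY + timedelta(days=20), "auto_days": 30, "warning_days": 7},
    {"name": "local-ipsec-ike", "not_after": TODAY + timedelta(days=35), "auto_days": 30, "warning_days": 7},
    {"name": "ca-legacy-manual", "not_after": TODAY + timedelta(days=10), "auto_days": 0, "warning_days": 0},
    {"name": "local-old-test", "not_after": TODAY - timedelta(days=1), "auto_days": 30, "warning_days": 7},
]

if __name__ == "__main__":
    print(inventory_report(INVENTORY, TODAY))
```

Note the two disabled cases: warning_days = 0 suppresses only the warning, while auto_days = 0 turns the automatic action off entirely, so such a certificate is never "due" and has to be watched by the operator.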

dlp/filepattern
CLI Syntax
config dlp filepattern
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set filter-type {pattern | type}
                set pattern <string>
                set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
        end
end

Description
Configuration                          Description                                                              Default Value
id                                     ID.
name                                   Name of table.                                                           (Empty)
comment                                Comment.                                                                 (Empty)
entries                                Configure file patterns used by DLP blocking.                            (Empty)

dlp/fp-doc-source
CLI Syntax
config dlp fp-doc-source
    edit <name_str>
        set name <string>
        set server-type {samba}
        set server <string>
        set period {none | daily | weekly | monthly}
        set vdom {mgmt | current}
        set scan-subdirectories {enable | disable}
        set scan-on-creation {enable | disable}
        set remove-deleted {enable | disable}
        set keep-modified {enable | disable}
        set username <string>
        set password <password>
        set file-path <string>
        set file-pattern <string>
        set sensitivity <string>
        set tod-hour <integer>
        set tod-min <integer>
        set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set date <integer>
end

Description
Configuration                          Description                                                              Default Value
name                                   DLP Server.                                                              (Empty)
server-type                            DLP Server.                                                              samba
server                                 Server location (can be IP or IPv6 address).                             (Empty)
period                                 Select periodic server checking.                                         none
vdom                                   Select source on management or current VDOM.                             mgmt
scan-subdirectories                    Enable/disable scanning of subdirectories.                               enable
scan-on-creation                       Enable/disable force scan of server to happen when document source       enable
                                       is created or edited.
remove-deleted                         Enable/disable removing chunks of files deleted from the server.         enable
keep-modified                          Enable/disable retaining old chunks of modified files.                   enable
username                               Login username.                                                          (Empty)
password                               Login password.                                                          (Empty)
file-path                              File path on server.                                                     (Empty)
file-pattern                           File patterns to fingerprint (wildcard).
sensitivity                            DLP fingerprint sensitivity defined for these files.                     (Empty)
tod-hour                               Time of day to run scans (hour part, 24 hour clock).
tod-min                                Time of day to run scans (min).
weekday                                Day of week to run scans.                                                sunday
date                                   Date within a month to run scans.

dlp/fp-sensitivity
CLI Syntax
config dlp fp-sensitivity
edit <name_str>
set name <string>
end

Description

name
    DLP Sensitivity Levels. Default: (Empty)

dlp/sensor
CLI Syntax
config dlp sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
config filter
edit <name_str>
set id <integer>
set name <string>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
set file-size <integer>
set company-identifier <string>
config fp-sensitivity
edit <name_str>
set name <string>
end
set match-percentage <integer>
set file-type <integer>
set regexp <string>
set archive {disable | enable}
set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
set expiry <user>
end
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set flow-based {enable | disable}
set options {}
set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi | mm1 | mm3 | mm4 | mm7}
end

Description

name
    Name. Default: (Empty)
comment
    Comment. Default: (Empty)
replacemsg-group
    Replacement message group. Default: (Empty)
filter
    Configure DLP filters. Default: (Empty)
dlp-log
    Enable/disable logging for data leak prevention. Default: enable
nac-quar-log
    Enable/disable logging for NAC quarantine creation. Default: disable
flow-based
    Enable/disable flow-based data leak prevention. Default: disable
options
    Options.
full-archive-proto
    Protocols to always content archive. Default: (Empty)
summary-proto
    Protocols to always log summary. Default: (Empty)

dlp/settings
CLI Syntax
config dlp settings
edit <name_str>
set storage-device <string>
set size <integer>
set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
set cache-mem-percent <integer>
set chunk-size <integer>
end

Description

storage-device
    Storage name. Default: (Empty)
size
    Maximum total size of files within the storage (MB). Default: 16
db-mode
    Method of maintaining database size. Default: stop-adding
cache-mem-percent
    Maximum percentage of available memory allocated to caching (1 - 15%).
chunk-size
    Maximum fingerprint chunk size. **Changing will flush the entire database**. Default: 2800

dnsfilter/profile
CLI Syntax
config dnsfilter profile
edit <name_str>
set name <string>
set comment <var-string>
config urlfilter
edit <name_str>
set urlfilter-table <integer>
end
config ftgd-dns
edit <name_str>
set options {error-allow | ftgd-disable}
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | monitor}
set log {enable | disable}
end
end
set log-all-url {enable | disable}
set sdns-ftgd-err-log {enable | disable}
set sdns-url-log {enable | disable}
set block-action {block | redirect}
set redirect-portal <ipv4-address>
set block-botnet {disable | enable}
end

Description

name
    Profile name. Default: (Empty)
comment
    Comment. Default: (Empty)
urlfilter
    URL filter settings. Sub-settings and their default values:
    urlfilter-table: 0
ftgd-dns
    FortiGuard DNS Filter settings. Sub-settings and their default values:
    options: (Empty)
    filters: (Empty)
log-all-url
    Enable/disable log all URLs visited. Default: disable
sdns-ftgd-err-log
    Enable/disable logging of FortiGuard SDNS rating errors. Default: enable
sdns-url-log
    Enable/disable logging of URL filtering and botnet domains. Default: enable
block-action
    Action to take for blocked domains. Default: redirect
redirect-portal
    IP address of the SDNS portal. Default: 0.0.0.0
block-botnet
    Enable/disable block of botnet C&C. Default: disable

dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {block | allow | monitor}
set status {enable | disable}
end
end

Description

id
    ID.
name
    Name of table. Default: (Empty)
comment
    Comment. Default: (Empty)
entries
    DNS URL filter. Default: (Empty)

endpoint-control/client
CLI Syntax
config endpoint-control client
edit <name_str>
set id <integer>
set ftcl-uid <string>
set src-ip <ipv4-address-any>
set src-mac <mac-address>
set info <user>
set ad-groups <var-string>
end

Description

id
    Endpoint client ID.
ftcl-uid
    Endpoint FortiClient UID. Default: (Empty)
src-ip
    Endpoint client IP address. Default: 0.0.0.0
src-mac
    Endpoint client MAC address. Default: 00:00:00:00:00:00
info
    Endpoint client information. Default: (Empty)
ad-groups
    Endpoint client AD logon groups. Default: (Empty)

endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
edit <name_str>
set peer-name <string>
set peer-ip <ipv4-address>
end

Description

peer-name
    Peer name. Default: (Empty)
peer-ip
    Peer connecting IP. Default: 0.0.0.0

endpoint-control/profile
CLI Syntax
config endpoint-control profile
edit <name_str>
set profile-name <string>
config forticlient-winmac-settings
edit <name_str>
set compliance-action {block | warning | auto-update}
set forticlient-av {enable | disable}
set av-realtime-protection {enable | disable}
set av-signature-up-to-date {enable | disable}
set sandbox-analysis {enable | disable}
set sandbox-address <string>
set forticlient-application-firewall {enable | disable}
set forticlient-application-firewall-list <string>
set forticlient-system-compliance {enable | disable}
set forticlient-minimum-software-version {enable | disable}
set forticlient-win-ver <string>
set forticlient-mac-ver <string>
set os-av-software-installed {enable | disable}
config forticlient-operating-system
edit <name_str>
set id <integer>
set os-type {custom | mac_os | win_10 | win_svr_10 | win_81 | win_svr_2012_r2 | win_80 | win_svr_2012 | win_7 | win_svr_2008_r2 | win_vista | win_svr_2008 | win_svr_2003_r2 | win_sto_svr_2003 | win_home_svr | win_svr_2003 | win_xp | win_2000}
set os-name <string>
end
config forticlient-running-app
edit <name_str>
set id <integer>
set app-name <string>
set process-name <string>
set app-sha256-signature <string>
set process-name2 <string>
set app-sha256-signature2 <string>
set process-name3 <string>
set app-sha256-signature3 <string>
set process-name4 <string>
set app-sha256-signature4 <string>
end
config forticlient-registry-entry
edit <name_str>
set id <integer>
set registry-entry <string>
end
config forticlient-own-file
edit <name_str>
set id <integer>
set file <string>
end
set forticlient-log-upload {enable | disable}
set forticlient-log-upload-level {traffic | vulnerability | event}
set forticlient-log-upload-server <string>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set forticlient-vuln-scan {enable | disable}
set forticlient-vuln-scan-enforce {critical | high | medium | low}
set forticlient-vuln-scan-enforce-grace <integer>
end
config forticlient-android-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
end
config forticlient-ios-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set client-vpn-provisioning {enable | disable}
config client-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set vpn-configuration-name <string>
set vpn-configuration-content <var-string>
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set distribute-configuration-profile {enable | disable}
set configuration-name <string>
set configuration-content <var-string>
end
set description <var-string>
config src-addr
edit <name_str>
set name <string>
end
config device-groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config user-groups
edit <name_str>
set name <string>
end
config on-net-addr
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
end

Description

profile-name
    Profile name. Default: (Empty)
forticlient-winmac-settings
    FortiClient settings for Windows/Mac platform. Sub-settings and their default values:
    compliance-action: auto-update
    forticlient-av: disable
    av-realtime-protection: disable
    av-signature-up-to-date: disable
    sandbox-analysis: disable
    sandbox-address: (Empty)
    forticlient-application-firewall: disable
    forticlient-application-firewall-list: (Empty)
    forticlient-system-compliance: enable
    forticlient-minimum-software-version: disable
    forticlient-win-ver: 5.4.1
    forticlient-mac-ver: 5.4.1
    os-av-software-installed: disable
    forticlient-operating-system: (Empty)
    forticlient-running-app: (Empty)
    forticlient-registry-entry: (Empty)
    forticlient-own-file: (Empty)
    forticlient-log-upload: enable
    forticlient-log-upload-level: traffic vulnerability event
    forticlient-log-upload-server: (Empty)
    forticlient-wf: disable
    forticlient-wf-profile: default
    forticlient-vuln-scan: enable
    forticlient-vuln-scan-enforce: high
    forticlient-vuln-scan-enforce-grace: 1
forticlient-android-settings
    FortiClient settings for Android platform. Sub-settings and their default values:
    forticlient-wf: disable
    forticlient-wf-profile: (Empty)
    disable-wf-when-protected: enable
    forticlient-vpn-provisioning: disable
    forticlient-advanced-vpn: disable
    forticlient-advanced-vpn-buffer: (Empty)
    forticlient-vpn-settings: (Empty)
forticlient-ios-settings
    FortiClient settings for iOS platform. Sub-settings and their default values:
    forticlient-wf: disable
    forticlient-wf-profile: (Empty)
    disable-wf-when-protected: enable
    client-vpn-provisioning: disable
    client-vpn-settings: (Empty)
    distribute-configuration-profile: disable
    configuration-name: (Empty)
    configuration-content: (Empty)
description
    Description. Default: (Empty)
src-addr
    Source addresses. Default: (Empty)
device-groups
    Device groups. Default: (Empty)
users
    Users. Default: (Empty)
user-groups
    User groups. Default: (Empty)
on-net-addr
    Addresses for on-net detection. Default: (Empty)
replacemsg-override-group
    Specify endpoint control replacement message override group. Default: (Empty)

endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
edit <name_str>
set uid <string>
set vdom <string>
set ip <ipv4-address-any>
set mac <mac-address>
set status <integer>
set flag <integer>
set reg-fortigate <string>
end

Description

uid
    FortiClient UID. Default: (Empty)
vdom
    Registering VDOM. Default: (Empty)
ip
    Endpoint IP address. Default: 0.0.0.0
mac
    Endpoint MAC address. Default: 00:00:00:00:00:00
status
    FortiClient registration status.
flag
    FortiClient registration flag.
reg-fortigate
    Registering FortiGate SN. Default: (Empty)

endpoint-control/settings
CLI Syntax
config endpoint-control settings
edit <name_str>
set forticlient-reg-key-enforce {enable | disable}
set forticlient-reg-key <password>
set forticlient-reg-timeout <integer>
set download-custom-link <string>
set download-location {fortiguard | custom}
set forticlient-keepalive-interval <integer>
set forticlient-sys-update-interval <integer>
set forticlient-avdb-update-interval <integer>
end

Description

forticlient-reg-key-enforce
    Enable/disable enforcement of FortiClient registration key. Default: disable
forticlient-reg-key
    FortiClient registration key. Default: (Empty)
forticlient-reg-timeout
    FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited).
download-custom-link
    Customized URL for downloading FortiClient. Default: (Empty)
download-location
    FortiClient download location. Default: fortiguard
forticlient-keepalive-interval
    Interval between two KeepAlive messages from FortiClient (in seconds). Default: 60
forticlient-sys-update-interval
    Interval between two system update messages from FortiClient (in minutes). Default: 720
forticlient-avdb-update-interval
    Hours between FortiClient AntiVirus database updates (0 - 24, default = 8).

extender-controller/extender
CLI Syntax
config extender-controller extender
edit <name_str>
set id <string>
set admin {disable | discovered | enable}
set ifname <string>
set vdom <integer>
set role {none | primary | secondary}
set mode {standalone | redundant}
set dial-mode {dial-on-demand | always-connect}
set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
set redundant-intf <string>
set dial-status <integer>
set conn-status <integer>
set ext-name <string>
set description <string>
set quota-limit-mb <integer>
set billing-start-day <integer>
set at-dial-script <string>
set modem-passwd <password>
set initiated-update {enable | disable}
set modem-type {cdma | gsm/lte | wimax}
set ppp-username <string>
set ppp-password <password>
set ppp-auth-protocol {auto | pap | chap}
set ppp-echo-request {enable | disable}
set wimax-carrier <string>
set wimax-realm <string>
set wimax-auth-protocol {tls | ttls}
set sim-pin <password>
set access-point-name <string>
set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
set roaming {enable | disable}
set cdma-nai <string>
set aaa-shared-secret <password>
set ha-shared-secret <password>
set primary-ha <string>
set secondary-ha <string>
set cdma-aaa-spi <string>
set cdma-ha-spi <string>
end

Description

id
    FortiExtender serial number. Default: (Empty)
admin
    FortiExtender Administration (enable or disable). Default: disable
ifname
    FortiExtender interface name. Default: (Empty)
vdom
    VDOM.
role
    FortiExtender work role (Primary, Secondary, None). Default: none
mode
    FortiExtender mode. Default: standalone
dial-mode
    Dial mode (dial-on-demand or always-connect). Default: always-connect
redial
    Number of redials allowed based on failed attempts. Default: none
redundant-intf
    Redundant interface. Default: (Empty)
dial-status
    Dial status.
conn-status
    Connection status.
ext-name
    FortiExtender name. Default: (Empty)
description
    Description. Default: (Empty)
quota-limit-mb
    Monthly quota limit (MB).
billing-start-day
    Billing start day.
at-dial-script
    Initialization AT commands specific to the MODEM. Default: (Empty)
modem-passwd
    MODEM password. Default: (Empty)
initiated-update
    Allow/disallow network initiated updates to the MODEM. Default: disable
modem-type
    MODEM type (CDMA, GSM/LTE or WIMAX). Default: gsm/lte
ppp-username
    PPP username. Default: (Empty)
ppp-password
    PPP password. Default: (Empty)
ppp-auth-protocol
    PPP authentication protocol (PAP, CHAP or auto). Default: auto
ppp-echo-request
    Enable/disable PPP echo request. Default: disable
wimax-carrier
    WiMax carrier. Default: (Empty)
wimax-realm
    WiMax realm. Default: (Empty)
wimax-auth-protocol
    WiMax authentication protocol (TLS or TTLS). Default: tls
sim-pin
    SIM PIN. Default: (Empty)
access-point-name
    Access point name (APN). Default: (Empty)
multi-mode
    MODEM mode of operation (3G, LTE, etc.). Default: auto
roaming
    Enable/disable MODEM roaming. Default: disable
cdma-nai
    NAI for CDMA MODEMS. Default: (Empty)
aaa-shared-secret
    AAA shared secret. Default: (Empty)
ha-shared-secret
    HA shared secret. Default: (Empty)
primary-ha
    Primary HA. Default: (Empty)
secondary-ha
    Secondary HA. Default: (Empty)
cdma-aaa-spi
    CDMA AAA SPI. Default: (Empty)
cdma-ha-spi
    CDMA HA SPI. Default: (Empty)

firewall.ipmacbinding/setting
CLI Syntax
config firewall.ipmacbinding setting
edit <name_str>
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end

Description

bindthroughfw
    Enable/disable going through firewall. Default: disable
bindtofw
    Enable/disable going to firewall. Default: disable
undefinedhost
    Allow/block traffic for undefined hosts. Default: block

firewall.ipmacbinding/table
CLI Syntax
config firewall.ipmacbinding table
edit <name_str>
set seq-num <integer>
set ip <ipv4-address>
set mac <mac-address>
set name <string>
set status {enable | disable}
end

Description

seq-num
    Entry number.
ip
    IP address. Default: 0.0.0.0
mac
    MAC address. Default: 00:00:00:00:00:00
name
    Name (optional, default = no name). Default: noname
status
    Enable/disable IP-MAC binding. Default: disable

firewall.schedule/group
CLI Syntax
config firewall.schedule group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set color <integer>
end

Description

name
    Schedule group name. Default: (Empty)
member
    Schedule group member. Default: (Empty)
color
    GUI icon color.

firewall.schedule/onetime
CLI Syntax
config firewall.schedule onetime
edit <name_str>
set name <string>
set start <user>
set end <user>
set color <integer>
set expiration-days <integer>
end

Description

name
    Onetime schedule name. Default: (Empty)
start
    Start time and date. Default: 00:00 2001/01/01
end
    End time and date. Default: 00:00 2001/01/01
color
    GUI icon color.
expiration-days
    Generate event log before schedule expires (1 - 100 days, 0 = disable).

firewall.schedule/recurring
CLI Syntax
config firewall.schedule recurring
edit <name_str>
set name <string>
set start <user>
set end <user>
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
set color <integer>
end

Description

name
    Recurring schedule name. Default: (Empty)
start
    Start time. Default: 00:00
end
    End time. Default: 00:00
day
    Weekday. Default: none
color
    GUI icon color.

firewall.service/category
CLI Syntax
config firewall.service category
edit <name_str>
set name <string>
set comment <var-string>
end

Description

name
    Service category name. Default: (Empty)
comment
    Comment. Default: (Empty)

firewall.service/custom
CLI Syntax
config firewall.service custom
edit <name_str>
set name <string>
set explicit-proxy {enable | disable}
set category <string>
set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
set iprange <user>
set fqdn <string>
set protocol-number <integer>
set icmptype <integer>
set icmpcode <integer>
set tcp-portrange <user>
set udp-portrange <user>
set sctp-portrange <user>
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set session-ttl <integer>
set check-reset-range {disable | strict | default}
set comment <var-string>
set color <integer>
set visibility {enable | disable}
end

Description

name
    Custom service name. Default: (Empty)
explicit-proxy
    Enable/disable explicit web proxy service. Default: disable
category
    Service category. Default: (Empty)
protocol
    Protocol type. Default: TCP/UDP/SCTP
iprange
    Start IP-End IP. Default: 0.0.0.0
fqdn
    Fully qualified domain name. Default: (Empty)
protocol-number
    IP protocol number.
icmptype
    ICMP type. Default: (Empty)
icmpcode
    ICMP code. Default: (Empty)
tcp-portrange
    Multiple TCP port ranges. Default: (Empty)
udp-portrange
    Multiple UDP port ranges. Default: (Empty)
sctp-portrange
    Multiple SCTP port ranges. Default: (Empty)
tcp-halfclose-timer
    TCP half close timeout (1 - 86400 sec, 0 = default).
tcp-halfopen-timer
    TCP half close timeout (1 - 86400 sec, 0 = default).
tcp-timewait-timer
    TCP half close timeout (1 - 300 sec, 0 = default).
udp-idle-timer
    TCP half close timeout (0 - 86400 sec, 0 = default).
session-ttl
    Session TTL (300 - 604800, 0 = default).
check-reset-range
    Enable/disable RST check. Default: default
comment
    Comment. Default: (Empty)
color
    GUI icon color.
visibility
    Enable/disable service visibility. Default: enable

firewall.service/group
CLI Syntax
config firewall.service group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set explicit-proxy {enable | disable}
set comment <var-string>
set color <integer>
end

Description

name
    Address group name. Default: (Empty)
member
    Address group member. Default: (Empty)
explicit-proxy
    Enable/disable explicit web proxy service group. Default: disable
comment
    Comment. Default: (Empty)
color
    GUI icon color.

firewall.shaper/per-ip-shaper
CLI Syntax
config firewall.shaper per-ip-shaper
edit <name_str>
set name <string>
set max-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set max-concurrent-session <integer>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
end

Description

name
    Traffic shaper name. Default: (Empty)
max-bandwidth
    Maximum bandwidth value (0 - 16776000).
bandwidth-unit
    Bandwidth unit (default = kbps). Default: kbps
max-concurrent-session
    Maximum concurrent session (0 - 2097000).
diffserv-forward
    Forward (original) traffic DiffServ. Default: disable
diffserv-reverse
    Reverse (reply) traffic DiffServ. Default: disable
diffservcode-forward
    Forward (original) traffic DiffServ code point value. Default: 000000
diffservcode-rev
    Reverse (reply) traffic DiffServ code point value. Default: 000000

firewall.shaper/traffic-shaper
CLI Syntax
config firewall.shaper traffic-shaper
edit <name_str>
set name <string>
set guaranteed-bandwidth <integer>
set maximum-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set priority {low | medium | high}
set per-policy {disable | enable}
set diffserv {enable | disable}
set diffservcode <user>
end

Description

name
    Traffic shaper name. Default: (Empty)
guaranteed-bandwidth
    Guaranteed bandwidth value (0 - 16776000).
maximum-bandwidth
    Maximum bandwidth value (0 - 16776000).
bandwidth-unit
    Bandwidth unit (default = kbps). Default: kbps
priority
    Traffic priority. Default: high
per-policy
    Enable/disable use of a separate shaper for each policy. Default: disable
diffserv
    Enable/disable traffic DiffServ. Default: disable
diffservcode
    Traffic DiffServ code point value. Default: 000000

firewall.ssl/setting
CLI Syntax
config firewall.ssl setting
edit <name_str>
set proxy-connect-timeout <integer>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-send-empty-frags {enable | disable}
set no-matching-cipher-action {bypass | drop}
set cert-cache-capacity <integer>
set cert-cache-timeout <integer>
set session-cache-capacity <integer>
set session-cache-timeout <integer>
end

Description

proxy-connect-timeout
    Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec). Default: 30
ssl-dh-bits
    Size of Diffie-Hellman prime used in DHE-RSA negotiation. Default: 2048
ssl-send-empty-frags
    Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). Default: enable
no-matching-cipher-action
    Bypass or drop the connection when no matching cipher was found. Default: bypass
cert-cache-capacity
    Maximum capacity of the host certificate cache (0 - 500). Default: 200
cert-cache-timeout
    Minutes to keep certificate cache (1 - 120 min). Default: 10
session-cache-capacity
    Obsolete. Default: 500
session-cache-timeout
    Number of minutes to keep SSL session state. Default: 20

firewall/address
CLI Syntax
config firewall address
edit <name_str>
set name <string>
set uuid <uuid>
set subnet <ipv4-classnet-any>
set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set fqdn <string>
set country <string>
set wildcard-fqdn <string>
set cache-ttl <integer>
set wildcard <ipv4-classnet-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description

name
    Address name. Default: (Empty)
uuid
    Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
subnet
    IP address and netmask. Default: 0.0.0.0 0.0.0.0
type
    Type. Default: ipmask
start-ip
    Start IP. Default: 0.0.0.0
end-ip
    End IP. Default: 0.0.0.0
fqdn
    Fully qualified domain name. Default: (Empty)
country
    Country name. Default: (Empty)
wildcard-fqdn
    Wildcard FQDN. Default: (Empty)
cache-ttl
    Minimal TTL of individual IP addresses in FQDN cache.
wildcard
    IP address and wildcard netmask. Default: 0.0.0.0 0.0.0.0
comment
    Comment. Default: (Empty)
visibility
    Enable/disable address visibility. Default: enable
associated-interface
    Associated interface name. Default: (Empty)
color
    GUI icon color.
tags
    Applied object tags. Default: (Empty)
allow-routing
    Enable/disable use of this address in the static route configuration. Default: disable

firewall/address6
CLI Syntax
config firewall address6
edit <name_str>
set name <string>
set uuid <uuid>
set type {ipprefix | iprange}
set ip6 <ipv6-network>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description

name
    Address name. Default: (Empty)
uuid
    Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
type
    Type. Default: ipprefix
ip6
    IPv6 address prefix. Default: ::/0
start-ip
    Start IP. Default: ::
end-ip
    End IP. Default: ::
visibility
    Enable/disable address visibility. Default: enable
color
    GUI icon color.
tags
    Applied object tags. Default: (Empty)
comment
    Comment. Default: (Empty)

firewall/addrgrp
CLI Syntax
config firewall addrgrp
edit <name_str>
set name <string>
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description

name
    Address group name. Default: (Empty)
uuid
    Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
member
    Address group member. Default: (Empty)
comment
    Comment. Default: (Empty)
visibility
    Enable/disable address group visibility. Default: enable
color
    GUI icon color.
tags
    Applied object tags. Default: (Empty)
allow-routing
    Enable/disable use of this group in the static route configuration. Default: disable

firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set visibility {enable | disable}
set color <integer>
set comment <var-string>
config member
edit <name_str>
set name <string>
end
config tags
edit <name_str>
set name <string>
end
end

Description

name
    IPv6 address group name. Default: (Empty)
uuid
    Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
visibility
    Enable/disable address group6 visibility. Default: enable
color
    GUI icon color.
comment
    Comment. Default: (Empty)
member
    IPv6 address group member. Default: (Empty)
tags
    Applied object tags. Default: (Empty)

firewall/auth-portal
CLI Syntax
config firewall auth-portal
edit <name_str>
config groups
edit <name_str>
set name <string>
end
set portal-addr <string>
set portal-addr6 <string>
set identity-based-route <string>
end

Description

groups
    Group name. Default: (Empty)
portal-addr
    Address (or domain name) of authentication portal. Default: (Empty)
portal-addr6
    IPv6 address (or domain name) of authentication portal. Default: (Empty)
identity-based-route
    Name of identity-based routing rule. Default: (Empty)

firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
edit <name_str>
set policyid <integer>
set status {enable | disable}
config orig-addr
edit <name_str>
set name <string>
end
config dst-addr
edit <name_str>
set name <string>
end
config nat-ippool
edit <name_str>
set name <string>
end
set protocol <integer>
set orig-port <integer>
set nat-port <user>
end

Description
policyid
  Policy ID.
status
  Enable/disable policy status. Default: enable
orig-addr
  Original address. Default: (Empty)
dst-addr
  Destination address. Default: (Empty)
nat-ippool
  IP pool names for translated address. Default: (Empty)
protocol
  Protocol (0 - 255).
orig-port
  Original port.
nat-port
  Translated port or port range.

firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
edit <name_str>
set id <integer>
set src <ipv4-address>
set dst <ipv4-address>
set netmask <ipv4-netmask>
end

Description
id
  ID.
src
  Source IP. Default: 0.0.0.0
dst
  Destination IP. Default: 0.0.0.0
netmask
  Network mask. Default: 255.255.255.255

firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end

Description
policyid
  Policy ID.
status
  Enable/disable policy status. Default: enable
interface
  Interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
service
  Service name. Default: (Empty)
anomaly
  Anomaly. Default: (Empty)

firewall/DoS-policy6
CLI Syntax
config firewall DoS-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end

Description
policyid
  Policy ID.
status
  Enable/disable policy status. Default: enable
interface
  Interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
service
  Service name. Default: (Empty)
anomaly
  Anomaly. Default: (Empty)

firewall/explicit-proxy-address
CLI Syntax
config firewall explicit-proxy-address
edit <name_str>
set name <string>
set uuid <uuid>
set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
set host <string>
set host-regex <string>
set path <string>
config category
edit <name_str>
set id <integer>
end
set method {get | post | put | head | connect | trace | options | delete}
set ua {chrome | ms | firefox | safari | other}
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
config header-group
edit <name_str>
set id <integer>
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end

Description
name
  Address name. Default: (Empty)
uuid
  Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
type
  Address type. Default: url
host
  Host address. Default: (Empty)
host-regex
  Host regular expression. Default: (Empty)
path
  URL path regular expression. Default: (Empty)
category
  FortiGuard category ID. Default: (Empty)
method
  HTTP methods. Default: (Empty)
ua
  User agent. Default: (Empty)
header-name
  HTTP header. Default: (Empty)
header
  HTTP header regular expression. Default: (Empty)
case-sensitivity
  Case sensitivity in pattern. Default: disable
header-group
  HTTP header group. Default: (Empty)
color
  GUI icon color.
tags
  Applied object tags. Default: (Empty)
comment
  Comment. Default: (Empty)
visibility
  Enable/disable address visibility. Default: disable

firewall/explicit-proxy-addrgrp
CLI Syntax
config firewall explicit-proxy-addrgrp
edit <name_str>
set name <string>
set type {src | dst}
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end

Description
name
  Address group name. Default: (Empty)
type
  Address group type. Default: src
uuid
  Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
member
  Address group members. Default: (Empty)
color
  GUI icon color.
tags
  Applied object tags. Default: (Empty)
comment
  Comment. Default: (Empty)
visibility
  Enable/disable address visibility. Default: disable

firewall/explicit-proxy-policy
CLI Syntax
config firewall explicit-proxy-policy
edit <name_str>
set uuid <uuid>
set policyid <integer>
set proxy {web | ftp | wanopt}
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set action {accept | deny}
set status {enable | disable}
set schedule <string>
set logtraffic {all | utm | disable}
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
set identity-based {enable | disable}
set ip-based {enable | disable}
set active-auth-method {ntlm | basic | digest | form | negotiate | none}
set sso-auth-method {fsso | rsso | none}
set require-tfa {enable | disable}
set web-auth-cookie {enable | disable}
set transaction-based {enable | disable}
config identity-based-policy
edit <name_str>
set id <integer>
set schedule <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
set disclaimer {disable | domain | policy | user}
set replacemsg-override-group <string>
end
set webproxy-forward-server <string>
set webproxy-profile <string>
set transparent {enable | disable}
set webcache {enable | disable}
set webcache-https {disable | any | enable}
set disclaimer {disable | domain | policy | user}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set replacemsg-override-group <string>
set logtraffic-start {enable | disable}
config tags
edit <name_str>
set name <string>
end
set label <string>
set global-label <string>
set scan-botnet-connections {disable | block | monitor}
set comments <var-string>
end

Description
uuid
  Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
policyid
  Policy ID.
proxy
  Explicit proxy type. Default: (Empty)
dstintf
  Destination interface name. Default: (Empty)
srcaddr
  Source address name. [srcaddr or srcaddr6 (web proxy only) must be set]. Default: (Empty)
dstaddr
  Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set]. Default: (Empty)
service
  Service name. Default: (Empty)
srcaddr-negate
  Enable/disable negated source address match. Default: disable
dstaddr-negate
  Enable/disable negated destination address match. Default: disable
service-negate
  Enable/disable negated service match. Default: disable
action
  Policy action. Default: deny
status
  Enable/disable policy status. Default: enable
schedule
  Schedule name. Default: (Empty)
logtraffic
  Enable/disable policy log traffic. Default: utm
srcaddr6
  IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set]. Default: (Empty)
dstaddr6
  IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set]. Default: (Empty)
identity-based
  Enable/disable identity-based policy. Default: disable
ip-based
  Enable/disable IP-based authentication. Default: disable
active-auth-method
  Active authentication method. Default: basic

sso-auth-method
  SSO authentication method. Default: none
require-tfa
  Enable/disable requirement of 2-factor authentication. Default: disable
web-auth-cookie
  Enable/disable Web authentication cookie. Default: disable
transaction-based
  Enable/disable transaction based authentication. Default: disable
identity-based-policy
  Identity-based policy. Default: (Empty)
webproxy-forward-server
  Web proxy forward server. Default: (Empty)
webproxy-profile
  Web proxy profile. Default: (Empty)
transparent
  Use IP address of client to connect to server. Default: disable
webcache
  Enable/disable web cache. Default: disable
webcache-https
  Enable/disable web cache for HTTPS. Default: disable
disclaimer
  Web proxy disclaimer setting. Default: disable
utm-status
  Enable AV/web/IPS protection profile. Default: disable
profile-type
  Profile type. Default: single
profile-group
  Profile group. Default: (Empty)
av-profile
  Antivirus profile. Default: (Empty)
webfilter-profile
  Web filter profile. Default: (Empty)
spamfilter-profile
  Spam filter profile. Default: (Empty)
dlp-sensor
  DLP sensor. Default: (Empty)
ips-sensor
  IPS sensor. Default: (Empty)
application-list
  Application list. Default: (Empty)
casi-profile
  CASI profile. Default: (Empty)
icap-profile
  ICAP profile. Default: (Empty)
waf-profile
  Web application firewall profile. Default: (Empty)

profile-protocol-options
  Profile protocol options. Default: (Empty)
ssl-ssh-profile
  SSL SSH Profile. Default: (Empty)
replacemsg-override-group
  Specify authentication replacement message override group. Default: (Empty)
logtraffic-start
  Enable/disable policy log traffic start. Default: disable
tags
  Applied object tags. Default: (Empty)
label
  Label for section view. Default: (Empty)
global-label
  Label for global view. Default: (Empty)
scan-botnet-connections
  Enable/disable scanning of connections to Botnet servers. Default: disable
comments
  Comment. Default: (Empty)

firewall/identity-based-route
CLI Syntax
config firewall identity-based-route
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set gateway <ipv4-address>
set device <string>
config groups
edit <name_str>
set name <string>
end
end
end

Description
name
  Name. Default: (Empty)
comments
  Description/comments. Default: (Empty)
rule
  Rule. Default: (Empty)

firewall/interface-policy
CLI Syntax
config firewall interface-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end

Description
policyid
  Policy ID.
status
  Enable/disable policy status. Default: enable
logtraffic
  Enable/disable interface log traffic. Default: utm
address-type
  Policy address type. Default: ipv4
interface
  Interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
service
  Service name. Default: (Empty)
application-list-status
  Enable/disable application control. Default: disable
application-list
  Application list name. Default: (Empty)
casi-profile-status
  Enable/disable CASI. Default: disable
casi-profile
  CASI profile name. Default: (Empty)
ips-sensor-status
  Enable/disable IPS sensor. Default: disable
ips-sensor
  IPS sensor name. Default: (Empty)
dsri
  Enable/disable DSRI. Default: disable
av-profile-status
  Enable/disable antivirus. Default: disable
av-profile
  Antivirus profile. Default: (Empty)
webfilter-profile-status
  Enable/disable web filter profile. Default: disable
webfilter-profile
  Web filter profile. Default: (Empty)
spamfilter-profile-status
  Enable/disable spam filter. Default: disable
spamfilter-profile
  Spam filter profile. Default: (Empty)
dlp-sensor-status
  Enable/disable DLP sensor. Default: disable

dlp-sensor
  DLP sensor. Default: (Empty)
scan-botnet-connections
  Enable/disable scanning of connections to Botnet servers. Default: disable
label
  Label. Default: (Empty)

firewall/interface-policy6
CLI Syntax
config firewall interface-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service6
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end

Description
policyid
  Policy ID.
status
  Enable/disable policy status. Default: enable
logtraffic
  Enable/disable interface log traffic. Default: utm
address-type
  Policy address type. Default: ipv6
interface
  Interface name. Default: (Empty)
srcaddr6
  IPv6 source address name. Default: (Empty)
dstaddr6
  IPv6 destination address name. Default: (Empty)
service6
  Service name. Default: (Empty)
application-list-status
  Enable/disable application control. Default: disable
application-list
  Application list name. Default: (Empty)
casi-profile-status
  Enable/disable CASI. Default: disable
casi-profile
  CASI profile name. Default: (Empty)
ips-sensor-status
  Enable/disable IPS sensor. Default: disable
ips-sensor
  IPS sensor name. Default: (Empty)
dsri
  Enable/disable DSRI. Default: disable
av-profile-status
  Enable/disable antivirus. Default: disable
av-profile
  Antivirus profile. Default: (Empty)
webfilter-profile-status
  Enable/disable web filter profile. Default: disable
webfilter-profile
  Web filter profile. Default: (Empty)
spamfilter-profile-status
  Enable/disable spam filter. Default: disable
spamfilter-profile
  Spam filter profile. Default: (Empty)
dlp-sensor-status
  Enable/disable DLP sensor. Default: disable

dlp-sensor
  DLP sensor. Default: (Empty)
scan-botnet-connections
  Enable/disable scanning of connections to Botnet servers. Default: disable
label
  Label. Default: (Empty)

firewall/ip-translation
CLI Syntax
config firewall ip-translation
edit <name_str>
set transid <integer>
set type {SCTP}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set map-startip <ipv4-address-any>
end

Description
transid
  IP translation ID.
type
  IP translation type. Default: SCTP
startip
  Start IP. Default: 0.0.0.0
endip
  End IP. Default: 0.0.0.0
map-startip
  Mapped start IP. Default: 0.0.0.0

firewall/ippool
CLI Syntax
config firewall ippool
edit <name_str>
set name <string>
set type {overload | one-to-one | fixed-port-range | port-block-allocation}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set source-startip <ipv4-address-any>
set source-endip <ipv4-address-any>
set block-size <integer>
set num-blocks-per-user <integer>
set permit-any-host {disable | enable}
set arp-reply {disable | enable}
set arp-intf <string>
set comments <var-string>
end

Description
name
  IP pool name. Default: (Empty)
type
  IP pool type. Default: overload
startip
  Start IP. Default: 0.0.0.0
endip
  End IP. Default: 0.0.0.0
source-startip
  Source start IP. Default: 0.0.0.0
source-endip
  Source end IP. Default: 0.0.0.0
block-size
  Block size. Default: 128
num-blocks-per-user
  Number of blocks per user (1 - 128).
permit-any-host
  Enable/disable full cone. Default: disable
arp-reply
  Enable/disable ARP reply. Default: enable
arp-intf
  ARP reply interface. Any if unset. Default: (Empty)
comments
  Comment. Default: (Empty)

firewall/ippool6
CLI Syntax
config firewall ippool6
edit <name_str>
set name <string>
set startip <ipv6-address>
set endip <ipv6-address>
set comments <var-string>
end

Description
name
  IPv6 pool name. Default: (Empty)
startip
  Start IP. Default: ::
endip
  End IP. Default: ::
comments
  Comment. Default: (Empty)

firewall/ipv6-eh-filter
CLI Syntax
config firewall ipv6-eh-filter
edit <name_str>
set hop-opt {enable | disable}
set dest-opt {enable | disable}
set hdopt-type <integer>
set routing {enable | disable}
set routing-type <integer>
set fragment {enable | disable}
set auth {enable | disable}
set no-next {enable | disable}
end

Description
hop-opt
  Block packets with Hop-by-Hop Options header. Default: disable
dest-opt
  Block packets with Destination Options header. Default: disable
hdopt-type
  Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). Default: (Empty)
routing
  Block packets with Routing header. Default: enable
routing-type
  Block specific Routing header types (maximum 7 types, each between 0 and 255).
fragment
  Block packets with Fragment header. Default: disable
auth
  Block packets with Authentication header. Default: disable
no-next
  Block packets with No Next header. Default: disable

firewall/ldb-monitor
CLI Syntax
config firewall ldb-monitor
edit <name_str>
set name <string>
set type {ping | tcp | http | passive-sip}
set interval <integer>
set timeout <integer>
set retry <integer>
set port <integer>
set http-get <string>
set http-match <string>
set http-max-redirects <integer>
end

Description
name
  Monitor name. Default: (Empty)
type
  Monitor type. Default: (Empty)
interval
  Detect interval. Default: 10
timeout
  Detect request timeout.
retry
  Number of detect tries before bringing the server down.
port
  Service port.
http-get
  HTTP get URL string. Default: (Empty)
http-match
  String for matching HTTP-get response. Default: (Empty)
http-max-redirects
  The maximum number of HTTP redirects to be allowed.

firewall/local-in-policy
CLI Syntax
config firewall local-in-policy
edit <name_str>
set policyid <integer>
set ha-mgmt-intf-only {enable | disable}
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set status {enable | disable}
end

Description
policyid
  User defined local in policy ID.
ha-mgmt-intf-only
  Enable/disable dedication of HA management interface only for local-in policy. Default: disable
intf
  Source interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
action
  Local-In policy action. Default: deny
service
  Service name. Default: (Empty)
schedule
  Schedule name. Default: (Empty)
status
  Enable/disable policy status. Default: enable

firewall/local-in-policy6
CLI Syntax
config firewall local-in-policy6
edit <name_str>
set policyid <integer>
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set status {enable | disable}
end

Description
policyid
  User defined local in policy ID.
intf
  Source interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
action
  Local-In policy action. Default: deny
service
  Service name. Default: (Empty)
schedule
  Schedule name. Default: (Empty)
status
  Enable/disable policy status. Default: enable

firewall/multicast-address
CLI Syntax
config firewall multicast-address
edit <name_str>
set name <string>
set type {multicastrange | broadcastmask}
set subnet <ipv4-classnet-any>
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
end

Description
name
  Multicast address name. Default: (Empty)
type
  Type. Default: multicastrange
subnet
  Broadcast address and subnet. Default: 0.0.0.0 0.0.0.0
start-ip
  Start IP. Default: 0.0.0.0
end-ip
  End IP. Default: 0.0.0.0
comment
  Comment. Default: (Empty)
visibility
  Enable/disable multicast address visibility. Default: enable
associated-interface
  Associated interface name. Default: (Empty)
color
  GUI icon color.
tags
  Applied object tags. Default: (Empty)

firewall/multicast-address6
CLI Syntax
config firewall multicast-address6
edit <name_str>
set name <string>
set ip6 <ipv6-network>
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
end

Description
name
  IPv6 multicast address name. Default: (Empty)
ip6
  IPv6 address prefix. Default: ::/0
comment
  Comment. Default: (Empty)
visibility
  Enable/disable multicast address visibility. Default: enable
color
  GUI icon color.
tags
  Applied object tags. Default: (Empty)

firewall/multicast-policy
CLI Syntax
config firewall multicast-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set snat {enable | disable}
set snat-ip <ipv4-address>
set dnat <ipv4-address-any>
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end

Description
id
  Policy ID.
status
  Enable/disable policy status. Default: enable
logtraffic
  Enable/disable policy log traffic. Default: disable
srcintf
  Source interface name. Default: (Empty)
dstintf
  Destination interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
snat
  Enable/disable NAT source address. Default: disable
snat-ip
  NAT source address. Default: 0.0.0.0
dnat
  NAT destination address. Default: 0.0.0.0
action
  Policy action. Default: accept
protocol
  Protocol number.
start-port
  Start port number.
end-port
  End port number. Default: 65535
auto-asic-offload
  Enable/disable policy traffic ASIC offloading. Default: enable

firewall/multicast-policy6
CLI Syntax
config firewall multicast-policy6
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end

Description
id
  Policy ID.
status
  Enable/disable multicast IPv6 policy status. Default: enable
logtraffic
  Enable/disable multicast IPv6 policy log traffic. Default: disable
srcintf
  IPv6 source interface name. Default: (Empty)
dstintf
  IPv6 destination interface name. Default: (Empty)
srcaddr
  IPv6 source address name. Default: (Empty)
dstaddr
  IPv6 destination address name. Default: (Empty)
action
  Policy action. Default: accept
protocol
  Protocol number.
start-port
  Start port number.
end-port
  End port number. Default: 65535
auto-asic-offload
  Enable/disable policy traffic ASIC offloading. Default: enable

firewall/policy
CLI Syntax
config firewall policy
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set rtp-nat {disable | enable}
config rtp-addr
edit <name_str>
set name <string>
end
set learning-mode {enable | disable}
set action {accept | deny | ipsec | ssl-vpn}
set send-deny-packet {disable | enable}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set schedule <string>
set schedule-timeout {enable | disable}
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set capture-packet {enable | disable}
set auto-asic-offload {enable | disable}
set wanopt {enable | disable}
set wanopt-detection {active | passive | off}
set wanopt-passive-opt {default | transparent | non-transparent}
set wanopt-profile <string>
set wanopt-peer <string>
set webcache {enable | disable}
set webcache-https {disable | ssl-server | any | enable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set permit-any-host {enable | disable}
set permit-stun-host {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set wccp {enable | disable}
set ntlm {enable | disable}
set ntlm-guest {enable | disable}
config ntlm-enabled-browsers
edit <name_str>
set user-agent-string <string>
end
set fsso {enable | disable}
set wsso {enable | disable}
set rsso {enable | disable}
set fsso-agent-for-ntlm <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set auth-path {enable | disable}
set disclaimer {enable | disable}
set vpntunnel <string>
set natip <ipv4-classnet>
set match-vip {enable | disable}
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set auth-cert <string>
set auth-redirect-addr <string>
set redirect-url <string>
set identity-based-route <string>
set block-notification {enable | disable}
config custom-log-fields
edit <name_str>
set field-id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set timeout-send-rst {enable | disable}
set captive-portal-exempt {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set scan-botnet-connections {disable | block | monitor}
set dsri {enable | disable}
set delay-tcp-npu-sessoin {enable | disable}
end

Description
policyid
  Policy ID.
name
  Policy name. Default: (Empty)
uuid
  Universally Unique IDentifier. Default: 00000000-0000-0000-0000-000000000000
srcintf
  Source interface name. Default: (Empty)
dstintf
  Destination interface name. Default: (Empty)
srcaddr
  Source address name. Default: (Empty)
dstaddr
  Destination address name. Default: (Empty)
rtp-nat
  Enable/disable use of this policy for RTP NAT. Default: disable
rtp-addr
  RTP NAT address name. Default: (Empty)
learning-mode
  Enable/disable learning mode for policy. Default: disable
action
  Policy action. Default: deny
send-deny-packet
  Enable/disable deny-packet sending. Default: disable
firewall-session-dirty
  Packet session management. Default: check-all
status
  Enable/disable policy status. Default: enable
schedule
  Schedule name. Default: (Empty)
schedule-timeout
  Enable/disable schedule timeout. Default: disable
service
  Service name. Default: (Empty)
utm-status
  Enable AV/web/IPS protection profile. Default: disable
profile-type
  Profile type. Default: single
profile-group
  Profile group. Default: (Empty)
av-profile
  Antivirus profile. Default: (Empty)
webfilter-profile
  Web filter profile. Default: (Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

151

dnsfilter-profile

DNS filter profile.

(Empty)

spamfilter-profile

Spam filter profile.

(Empty)

dlp-sensor

DLP sensor.

(Empty)

ips-sensor

IPS sensor.

(Empty)

application-list

Application list.

(Empty)

casi-profile

CASI profile.

(Empty)

voip-profile

VoIP profile.

(Empty)

icap-profile

ICAP profile.

(Empty)

waf-profile

Web application firewall profile.

(Empty)

profile-protocol-options

Profile protocol options.

(Empty)

ssl-ssh-profile

SSL SSH Profile.

(Empty)

logtraffic

Enable/disable policy log traffic.

utm

logtraffic-start

Enable/disable policy log traffic start.

disable

capture-packet

Enable/disable capture packets.

disable

auto-asic-offload

Enable/disable policy traffic ASIC offloading.

enable

wanopt

Enable/disable WAN optimization.

disable

wanopt-detection

WAN optimization auto-detection mode.

active

wanopt-passive-opt

WAN optimization passive mode options. This


option decides what IP address will be used to
connect server.

default

wanopt-profile

WAN optimization profile.

(Empty)

wanopt-peer

WAN optimization peer.

(Empty)

webcache

Enable/disable web cache.

disable

webcache-https

Enable/disable web cache for HTTPS.

disable

traffic-shaper

Traffic shaper.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

152

traffic-shaper-reverse

Traffic shaper.

(Empty)

per-ip-shaper

Per-IP shaper.

(Empty)

nat

Enable/disable policy NAT.

disable

permit-any-host

Enable/disable permit any host in.

disable

permit-stun-host

Enable/disable permit stun host in.

disable

fixedport

Enable/disable policy fixed port.

disable

ippool

Enable/disable policy IP pool.

disable

poolname

Policy IP pool names.

(Empty)

session-ttl

Session TTL.

vlan-cos-fwd

VLAN forward direction user priority.

255

vlan-cos-rev

VLAN reverse direction user priority.

255

inbound

Enable/disable policy inbound.

disable

outbound

Enable/disable policy outbound.

disable

natinbound

Enable/disable policy NAT inbound.

disable

natoutbound

Enable/disable policy NAT outbound.

disable

wccp

Enable/disable Web Cache Coordination Protocol


(WCCP).

disable

ntlm

Enable/disable NTLM authentication.

disable

ntlm-guest

Enable/disable guest user for NTLM


authentication.

disable

ntlm-enabled-browsers

User agent strings for NTLM enabled browsers.

(Empty)

fsso

Enable/disable Fortinet Single Sign-On.

disable

wsso

Enable/disable WiFi Single Sign-On.

enable

rsso

Enable/disable RADIUS Single Sign-On.

disable

fsso-agent-for-ntlm

Specify FSSO agent for NTLM authentication.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

153

groups

User authentication groups.

(Empty)

users

User name.

(Empty)

devices

Devices or device groups.

(Empty)

auth-path

Enable/disable authentication-based routing.

disable

disclaimer

Enable/disable user authentication disclaimer.

disable

vpntunnel

Policy VPN tunnel.

(Empty)

natip

NAT address.

0.0.0.0 0.0.0.0

match-vip

Enable/disable match DNATed packet.

disable

diffserv-forward

Enable/disable forward (original) traffic DiffServ.

disable

diffserv-reverse

Enable/disable reverse (reply) traffic DiffServ.

disable

diffservcode-forward

Forward (original) traffic DiffServ code point


value.

000000

diffservcode-rev

Reverse (reply) traffic DiffServ code point value.

000000

tcp-mss-sender

TCP MSS value of sender.

tcp-mss-receiver

TCP MSS value of receiver.

comments

Comment.

(Empty)

label

Label for section view.

(Empty)

global-label

Label for global view.

(Empty)

auth-cert

HTTPS server certificate for policy authentication.

(Empty)

auth-redirect-addr

HTTP-to-HTTPS redirect address for firewall


authentication.

(Empty)

redirect-url

URL redirection after disclaimer/authentication.

(Empty)

identity-based-route

Name of identity-based routing rule.

(Empty)

block-notification

Enable/disable block notification.

disable

custom-log-fields

Custom log fields.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

154

tags

Applied object tags.

(Empty)

replacemsg-overridegroup

Specify authentication replacement message


override group.

(Empty)

srcaddr-negate

Enable/disable negated source address match.

disable

dstaddr-negate

Enable/disable negated destination address


match.

disable

service-negate

Enable/disable negated service match.

disable

timeout-send-rst

Enable/disable sending of RST packet upon TCP


session expiration.

disable

captive-portal-exempt

Enable/disable exemption of captive portal.

disable

ssl-mirror

Enable/disable SSL mirror.

disable

ssl-mirror-intf

Mirror interface name.

(Empty)

scan-botnetconnections

Enable/disable scanning of connections to Botnet


servers.

disable

dsri

Enable/disable DSRI.

disable

delay-tcp-npu-sessoin

Enable/disable TCP NPU session delay in order


to guarantee packet order of 3-way handshake.

disable

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

155
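
An example policy that applies the inspection and logging options from this table, added here and not part of the reference; the policy6 table later on this page takes the same options for IPv6. Interface, address and profile names are assumed placeholders, each edit is closed with next (omitted in the syntax summaries), and lines starting with # are annotations rather than CLI input.

```fortios
config firewall policy
    edit 10
        set name "lan-to-wan-web"
        # assumed interface and address object names
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "lan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # utm-status defaults to disable: without it none of the profiles below is applied
        set utm-status enable
        set profile-type single
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        # scan-botnet-connections defaults to disable; block drops matches, monitor only logs them
        set scan-botnet-connections block
        # logtraffic defaults to utm (UTM events only); all also records allowed sessions
        set logtraffic all
        set logtraffic-start enable
        # send a RST when a TCP session expires so endpoints do not keep stale state
        set timeout-send-rst enable
        set nat enable
    next
end
```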

firewall/policy46
CLI Syntax
config firewall policy46
edit <name_str>
set permit-any-host {enable | disable}
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration | Description | Default Value
permit-any-host | Enable/disable permit any host in. | disable
policyid | Policy ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Policy action. | deny
status | Policy status. | enable
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
logtraffic | Enable/disable traffic log. | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per IP traffic shaper. | (Empty)
fixedport | Enable/disable policy fixed port. | disable
tcp-mss-sender | TCP MSS value of sender. |
tcp-mss-receiver | TCP MSS value of receiver. |
comments | Comment. | (Empty)
tags | Applied object tags. | (Empty)

firewall/policy6
CLI Syntax
config firewall policy6
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set schedule <string>
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set auto-asic-offload {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set send-deny-packet {enable | disable}
set vpntunnel <string>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set rsso {enable | disable}
config custom-log-fields
edit <name_str>
set field-id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set timeout-send-rst {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set dsri {enable | disable}
end

Description
Configuration | Description | Default Value
policyid | Policy ID. |
name | Policy name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Policy action. | deny
firewall-session-dirty | Packet session management. | check-all
status | Enable/disable policy status. | enable
vlan-cos-fwd | VLAN forward direction user priority. | 255
vlan-cos-rev | VLAN reverse direction user priority. | 255
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
utm-status | Enable AV/web/IPS protection profile. | disable
profile-type | Profile type. | single
profile-group | Profile group. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
voip-profile | VoIP profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
profile-protocol-options | Profile protocol options. | (Empty)
ssl-ssh-profile | SSL/SSH profile. | (Empty)
logtraffic | Enable/disable policy log traffic. | utm
logtraffic-start | Enable/disable policy log traffic start. | disable
auto-asic-offload | Enable/disable policy traffic ASIC offloading. | enable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per-IP shaper. | (Empty)
nat | Enable/disable policy NAT. | disable
fixedport | Enable/disable policy fixed port. | disable
ippool | Enable/disable policy IP pool. | disable
poolname | Policy IP pool names. | (Empty)
session-ttl | Session TTL. |
inbound | Enable/disable policy inbound. | disable
outbound | Enable/disable policy outbound. | disable
natinbound | Enable/disable policy NAT inbound. | disable
natoutbound | Enable/disable policy NAT outbound. | disable
send-deny-packet | Enable/disable return of deny-packet. | disable
vpntunnel | Policy VPN tunnel. | (Empty)
diffserv-forward | Enable/disable forward (original) traffic DiffServ. | disable
diffserv-reverse | Enable/disable reverse (reply) traffic DiffServ. | disable
diffservcode-forward | Forward (original) traffic DiffServ code point value. | 000000
diffservcode-rev | Reverse (reply) traffic DiffServ code point value. | 000000
tcp-mss-sender | TCP MSS value of sender. |
tcp-mss-receiver | TCP MSS value of receiver. |
comments | Comment. | (Empty)
label | Label for section view. | (Empty)
global-label | Label for global view. | (Empty)
rsso | Enable/disable RADIUS Single Sign-On. | disable
custom-log-fields | Custom log fields. | (Empty)
tags | Applied object tags. | (Empty)
replacemsg-override-group | Specify authentication replacement message override group. | (Empty)
srcaddr-negate | Enable/disable negated source address match. | disable
dstaddr-negate | Enable/disable negated destination address match. | disable
service-negate | Enable/disable negated service match. | disable
groups | User authentication groups. | (Empty)
users | User name. | (Empty)
devices | Devices or device groups. | (Empty)
timeout-send-rst | Enable/disable sending of RST packet upon TCP session expiration. | disable
ssl-mirror | Enable/disable SSL mirror. | disable
ssl-mirror-intf | Mirror interface name. | (Empty)
dsri | Enable/disable DSRI (Disable Server Response Inspection). | disable

firewall/policy64
CLI Syntax
config firewall policy64
edit <name_str>
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set permit-any-host {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration | Description | Default Value
policyid | Policy ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
srcintf | Source interface name. | (Empty)
dstintf | Destination interface name. | (Empty)
srcaddr | Source address name. | (Empty)
dstaddr | Destination address name. | (Empty)
action | Policy action. | deny
status | Enable/disable policy status. | enable
schedule | Schedule name. | (Empty)
service | Service name. | (Empty)
logtraffic | Enable/disable policy log traffic. | disable
permit-any-host | Enable/disable permit any host in. | disable
traffic-shaper | Traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per-IP traffic shaper. | (Empty)
fixedport | Enable/disable policy fixed port. | disable
ippool | Enable/disable policy64 IP pool. | disable
poolname | Policy IP pool names. | (Empty)
tcp-mss-sender | TCP MSS value of sender. |
tcp-mss-receiver | TCP MSS value of receiver. |
comments | Comment. | (Empty)
tags | Applied object tags. | (Empty)

firewall/profile-group
CLI Syntax
config firewall profile-group
edit <name_str>
set name <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
end

Description
Configuration | Description | Default Value
name | Profile group name. | (Empty)
av-profile | Antivirus profile. | (Empty)
webfilter-profile | Web filter profile. | (Empty)
dnsfilter-profile | DNS filter profile. | (Empty)
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor | DLP sensor. | (Empty)
ips-sensor | IPS sensor. | (Empty)
application-list | Application list. | (Empty)
casi-profile | CASI profile. | (Empty)
voip-profile | VoIP profile. | (Empty)
icap-profile | ICAP profile. | (Empty)
waf-profile | Web application firewall profile. | (Empty)
profile-protocol-options | Profile protocol options. | (Empty)
ssl-ssh-profile | SSL/SSH profile. | (Empty)

firewall/profile-protocol-options
CLI Syntax
config firewall profile-protocol-options
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set oversize-log {disable | enable}
set switching-protocols-log {disable | enable}
config http
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
set comfort-interval <integer>
set comfort-amount <integer>
set range-block {disable | enable}
set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
set fortinet-bar {enable | disable}
set fortinet-bar-port <integer>
set streaming-content-bypass {enable | disable}
set switching-protocols {bypass | block}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set block-page-status-code <integer>
set retry-count <integer>
end
config ftp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
set comfort-interval <integer>
set comfort-amount <integer>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config imap
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config mapi
edit <name_str>
set ports <integer>
set status {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config pop3
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config smtp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set server-busy {enable | disable}
end
config nntp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config dns
edit <name_str>
set ports <integer>
set status {enable | disable}
end
config mail-signature
edit <name_str>
set status {disable | enable}
set signature <string>
end
set rpc-over-http {enable | disable}
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
oversize-log | Enable/disable logging for antivirus oversize file blocking. | disable
switching-protocols-log | Enable/disable logging of HTTP/HTTPS switching protocols. | disable
http | HTTP. | Details below
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    comfort-interval | 10
    comfort-amount | 1
    range-block | disable
    post-lang | (Empty)
    fortinet-bar | disable
    fortinet-bar-port | 8011
    streaming-content-bypass | enable
    switching-protocols | bypass
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
    block-page-status-code | 200
    retry-count | 0
ftp | FTP. | Details below
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    comfort-interval | 10
    comfort-amount | 1
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
imap | IMAP. | Details below
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
mapi | MAPI. | Details below
    ports | (Empty)
    status | enable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
pop3 | POP3. | Details below
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
smtp | SMTP. | Details below
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
    server-busy | disable
nntp | NNTP. | Details below
    ports | (Empty)
    status | enable
    inspect-all | disable
    options | (Empty)
    oversize-limit | 10
    uncompressed-oversize-limit | 10
    uncompressed-nest-limit | 12
    scan-bzip2 | enable
dns | DNS. | Details below
    ports | (Empty)
    status | enable
mail-signature | Mail signature. | Details below
    status | disable
    signature | (Empty)
rpc-over-http | Enable/disable inspection of RPC over HTTP. | enable
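
A constructed profile-protocol-options object, added here as an example and not taken from the reference, that closes the oversize-file gap left by the defaults above (options empty, oversize-log disable). The per-protocol sub-tables are single objects entered as config http ... end, and lines starting with # are annotations, not CLI input.

```fortios
config firewall profile-protocol-options
    edit "strict-oversize"
        set comment "constructed example: fail closed on files too large to scan"
        # oversize-log defaults to disable, so blocked oversize files would leave no log entry
        set oversize-log enable
        config http
            set ports 80 8080
            set status enable
            # options defaults to (Empty): files above oversize-limit are passed through unscanned
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 enable
            # default 200 makes a block page look like a successful response to clients and monitoring
            set block-page-status-code 403
            # switching-protocols defaults to bypass; block rejects protocol-switching requests instead
            set switching-protocols block
        end
        config smtp
            set ports 25
            set status enable
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
    next
end
```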

firewall/shaping-policy
CLI Syntax
config firewall shaping-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set ip-version {4 | 6}
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
config application
edit <name_str>
set id <integer>
end
config app-category
edit <name_str>
set id <integer>
end
config url-category
edit <name_str>
set id <integer>
end
config dstintf
edit <name_str>
set name <string>
end
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
end

Description
Configuration | Description | Default Value
id | Shaping policy ID. |
status | Enable/disable traffic shaping policy. | enable
ip-version | IP version. |
srcaddr | Source address. | (Empty)
dstaddr | Destination address. | (Empty)
srcaddr6 | IPv6 source address. | (Empty)
dstaddr6 | IPv6 destination address. | (Empty)
service | Service name. | (Empty)
users | User name. | (Empty)
groups | User authentication groups. | (Empty)
application | Application ID list. | (Empty)
app-category | Application category ID list. | (Empty)
url-category | URL category ID list. | (Empty)
dstintf | Destination interface list. | (Empty)
traffic-shaper | Forward traffic shaper. | (Empty)
traffic-shaper-reverse | Reverse traffic shaper. | (Empty)
per-ip-shaper | Per IP shaper. | (Empty)

firewall/sniffer
CLI Syntax
config firewall sniffer
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set ipv6 {enable | disable}
set non-ip {enable | disable}
set interface <string>
set host <string>
set port <string>
set protocol <string>
set vlan <string>
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set ips-dos-status {enable | disable}
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
set scan-botnet-connections {disable | block | monitor}
set max-packet-count <integer>
end

Description
Configuration | Description | Default Value
id | Sniffer ID. |
status | Enable/disable sniffer status. | enable
logtraffic | Enable/disable sniffer log traffic. | utm
ipv6 | Enable/disable sniffer for IPv6 packets. | disable
non-ip | Enable/disable sniffer for non-IP packets. | disable
interface | Interface name. | (Empty)
host | Host list (IP or IP/mask or IP range). | (Empty)
port | Port list. | (Empty)
protocol | IP protocol list. | (Empty)
vlan | VLAN list. | (Empty)
application-list-status | Enable/disable application control. | disable
application-list | Application list name. | (Empty)
casi-profile-status | Enable/disable CASI. | disable
casi-profile | CASI profile name. | (Empty)
ips-sensor-status | Enable/disable IPS sensor. | disable
ips-sensor | IPS sensor name. | (Empty)
dsri | Enable/disable DSRI (Disable Server Response Inspection). | disable
av-profile-status | Enable/disable antivirus. | disable
av-profile | Antivirus profile. | (Empty)
webfilter-profile-status | Enable/disable web filter. | disable
webfilter-profile | Web filter profile. | (Empty)
spamfilter-profile-status | Enable/disable spam filter. | disable
spamfilter-profile | Spam filter profile. | (Empty)
dlp-sensor-status | Enable/disable DLP sensor. | disable
dlp-sensor | DLP sensor. | (Empty)
ips-dos-status | Enable/disable IPS DoS anomaly detection. | disable
anomaly | Configure anomaly. | (Empty)
scan-botnet-connections | Enable/disable scanning of connections to Botnet servers. | disable
max-packet-count | Maximum packet count. | 4000
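
A one-arm sniffer that turns the options above into a passive detection point, added here as an example rather than taken from the reference. The sniffer sees a mirrored copy of the traffic, so these settings log and alert but cannot block anything; interface, profile and anomaly names are assumed placeholders and lines starting with # are annotations, not CLI input.

```fortios
config firewall sniffer
    edit 1
        set status enable
        # assumed name of the interface that receives the SPAN/mirror feed
        set interface "port5"
        # constructed scope: only traffic involving this internal range is inspected
        set host "10.0.0.0/8"
        set ipv6 enable
        # logtraffic defaults to utm; all also records sessions that trigger no UTM event
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "default"
        set av-profile-status enable
        set av-profile "default"
        set application-list-status enable
        set application-list "default"
        set ips-dos-status enable
        config anomaly
            # assumed anomaly name; the threshold is a constructed value for this example
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
        end
        # monitor logs connections to known botnet servers without altering the feed
        set scan-botnet-connections monitor
        set max-packet-count 4000
    next
end
```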

firewall/ssl-server
CLI Syntax
config firewall ssl-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set port <integer>
set ssl-mode {half | full}
set add-header-x-forwarded-proto {enable | disable}
set mapped-port <integer>
set ssl-cert <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-send-empty-frags {enable | disable}
set url-rewrite {enable | disable}
end

Description
Configuration | Description | Default Value
name | Server name. | (Empty)
ip | Server IP address. | 0.0.0.0
port | Server service port. | 443
ssl-mode | SSL/TLS mode for encryption & decryption of traffic. | full
add-header-x-forwarded-proto | Enable/disable add X-Forwarded-Proto header to forwarded requests. | enable
mapped-port | Mapped server service port. | 80
ssl-cert | Name of certificate for SSL connections to this server. | Fortinet_CA_SSL
ssl-dh-bits | Size of Diffie-Hellman prime used in DHE-RSA negotiation. | 2048
ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation. | high
ssl-client-renegotiation | Allow/block client renegotiation by server. | allow
ssl-min-version | Lowest SSL/TLS version to negotiate. | tls-1.0
ssl-max-version | Highest SSL/TLS version to negotiate. | tls-1.2
ssl-send-empty-frags | Enable/disable send empty fragments to avoid attack on CBC IV. | enable
url-rewrite | Enable/disable rewrite URL. | disable
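
The defaults in this table still negotiate TLS 1.0 and accept client-initiated renegotiation; this hardened ssl-server object, added here as an example and not from the reference, raises both. The server address is a constructed TEST-NET value, the certificate name is assumed, and lines starting with # are annotations, not CLI input.

```fortios
config firewall ssl-server
    edit "intranet-web"
        # constructed server address and assumed certificate object name
        set ip 192.0.2.10
        set port 443
        # full re-establishes TLS to the server on mapped-port; half would forward plaintext there
        set ssl-mode full
        set mapped-port 443
        set ssl-cert "intranet-web-cert"
        # table defaults are tls-1.0 and allow: restrict to TLS 1.2 and refuse client renegotiation
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
        set ssl-client-renegotiation deny
        set ssl-dh-bits 2048
        set ssl-algorithm high
        # keep the empty-fragment mitigation for CBC IV attacks (already the default)
        set ssl-send-empty-frags enable
        set add-header-x-forwarded-proto enable
    next
end
```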

firewall/ssl-ssh-profile
CLI Syntax
config firewall ssl-ssh-profile
edit <name_str>
set name <string>
set comment <var-string>
config ssl
edit <name_str>
set inspect-all {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config https
edit <name_str>
set ports <integer>
set status {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ftps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config imaps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config pop3s
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config smtps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ssh
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set inspect-all {disable | deep-inspection | enable}
set block {x11-filter | ssh-shell | exec | port-forward}
set log {x11-filter | ssh-shell | exec | port-forward}
end
set whitelist {enable | disable}
config ssl-exempt
edit <name_str>
set id <integer>
set type {fortiguard-category | address | address6}
set fortiguard-category <integer>
set address <string>
set address6 <string>
end
set server-cert-mode {re-sign | replace}
set use-ssl-server {disable | enable}
set caname <string>
set untrusted-caname <string>
set certname <string>
set server-cert <string>
config ssl-server
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set https-client-cert-request {bypass | inspect | block}
set smtps-client-cert-request {bypass | inspect | block}
set pop3s-client-cert-request {bypass | inspect | block}
set imaps-client-cert-request {bypass | inspect | block}
set ftps-client-cert-request {bypass | inspect | block}
set ssl-other-client-cert-request {bypass | inspect | block}
end
set ssl-invalid-server-cert-log {disable | enable}
set rpc-over-https {enable | disable}
set mapi-over-https {enable | disable}
end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comment | Comment. | (Empty)
ssl | ssl | Details below
https | https | Details below
ftps | ftps | Details below
imaps | imaps | Details below
pop3s | pop3s | Details below
smtps | smtps | Details below
ssh | ssh | Details below
whitelist | Enable/disable exempt servers by FortiGuard whitelist. | disable
ssl-exempt | Servers to exempt from SSL inspection. | (Empty)
server-cert-mode | Re-sign or replace the server's certificate. | re-sign
use-ssl-server | Enable/disable to use SSL server table for SSL offloading. | disable
caname | CA certificate used by SSL Inspection. | Fortinet_CA_SSL
untrusted-caname | Untrusted CA certificate used by SSL Inspection. | Fortinet_CA_Untrusted
certname | Certificate containing the key to use when resigning server certificates for SSL inspection. | Fortinet_SSL
server-cert | Certificate used by SSL Inspection to replace server certificate. | Fortinet_SSL
ssl-server | SSL servers. | (Empty)
ssl-invalid-server-cert-log | Enable/disable SSL server certificate validation logging. | disable
rpc-over-https | Enable/disable inspection of RPC over HTTPS. | enable
mapi-over-https | Enable/disable inspection of MAPI over HTTPS. | enable

ssl
Configuration | Default Value
inspect-all | disable
client-cert-request | bypass
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

https
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | bypass
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

ftps
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | bypass
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

imaps
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | inspect
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

pop3s
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | inspect
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

smtps
Configuration | Default Value
ports | (Empty)
status | deep-inspection
client-cert-request | inspect
unsupported-ssl | bypass
allow-invalid-server-cert | disable
untrusted-cert | allow

ssh
Configuration | Default Value
ports | (Empty)
status | deep-inspection
inspect-all | disable
block | (Empty)
log | (Empty)

firewall/ttl-policy
CLI Syntax
config firewall ttl-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set action {accept | deny}
set srcintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set schedule <string>
set ttl <user>
end

Description

Configuration | Description | Default Value
id | ID. |
status | Status. | enable
action | Action. | deny
srcintf | Source interface name. | (Empty)
srcaddr | Source address name. | (Empty)
service | Service name. | (Empty)
schedule | Schedule name. | (Empty)
ttl | TTL range. | (Empty)

firewall/vip
CLI Syntax
config firewall vip
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn
}
set dns-mapping-ttl <integer>
set ldb-method {static | round-robin | weighted | least-session | least-rtt | firs
t-alive | http-host}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
config mappedip
edit <name_str>
set range <string>
end
set mapped-addr <string>
set extintf <string>
set arp-reply {disable | enable}
set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
set persistence {none | http-cookie | ssl-session-id}
set nat-source-vip {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp | icmp}
set extport <user>
set mappedport <user>
set gratuitous-arp-interval <integer>
config srcintf-filter
edit <name_str>
set interface-name <string>
end
set portmapping-type {1-to-1 | m-to-n}
config realservers
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set port <integer>
set status {active | standby | disable}
set weight <integer>
set holddown-interval <integer>
set healthcheck {disable | enable | vip}
set http-host <string>
set max-connections <integer>
set monitor <string>
set client-ip <user>
end
set http-cookie-domain-from-host {disable | enable}
set http-cookie-domain <string>
set http-cookie-path <string>
set http-cookie-generation <integer>
set http-cookie-age <integer>
set http-cookie-share {disable | same-ip}
set https-cookie-secure {disable | enable}
set http-multiplex {enable | disable}
set http-ip-header {enable | disable}
set http-ip-header-name <string>
set outlook-web-access {disable | enable}
set weblogic-server {disable | enable}
set websphere-server {disable | enable}
set ssl-mode {half | full}
set ssl-certificate <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048 | 3072 | 4096}
set ssl-algorithm {high | medium | low | custom}
config ssl-cipher-suites
edit <name_str>
set priority <integer>
set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 |
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-AES-128-CBC-SHA | TLS-DHE-RSA-WITH-AES-256-CBC-SHA |
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 |
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-DHE-DSS-WITH-AES-128-CBC-SHA | TLS-DHE-DSS-WITH-AES-256-CBC-SHA |
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 |
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 |
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 |
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 |
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 |
TLS-RSA-WITH-AES-128-CBC-SHA | TLS-RSA-WITH-AES-256-CBC-SHA | TLS-RSA-WITH-AES-128-CBC-SHA256 |
TLS-RSA-WITH-AES-128-GCM-SHA256 | TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 |
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA |
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-SEED-CBC-SHA | TLS-DHE-DSS-WITH-SEED-CBC-SHA |
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 |
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 | TLS-RSA-WITH-SEED-CBC-SHA | TLS-RSA-WITH-ARIA-128-CBC-SHA256 |
TLS-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 |
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-RC4-128-SHA |
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA |
TLS-RSA-WITH-RC4-128-MD5 | TLS-RSA-WITH-RC4-128-SHA | TLS-DHE-RSA-WITH-DES-CBC-SHA |
TLS-DHE-DSS-WITH-DES-CBC-SHA | TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-server-algorithm {high | medium | low | custom | client}
config ssl-server-cipher-suites
edit <name_str>
set priority <integer>
set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 |
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-AES-128-CBC-SHA | TLS-DHE-RSA-WITH-AES-256-CBC-SHA |
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 |
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-DHE-DSS-WITH-AES-128-CBC-SHA | TLS-DHE-DSS-WITH-AES-256-CBC-SHA |
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 |
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 |
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 |
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 |
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 |
TLS-RSA-WITH-AES-128-CBC-SHA | TLS-RSA-WITH-AES-256-CBC-SHA | TLS-RSA-WITH-AES-128-CBC-SHA256 |
TLS-RSA-WITH-AES-128-GCM-SHA256 | TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 |
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA |
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-SEED-CBC-SHA | TLS-DHE-DSS-WITH-SEED-CBC-SHA |
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 |
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 | TLS-RSA-WITH-SEED-CBC-SHA | TLS-RSA-WITH-ARIA-128-CBC-SHA256 |
TLS-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 |
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-RC4-128-SHA |
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA |
TLS-RSA-WITH-RC4-128-MD5 | TLS-RSA-WITH-RC4-128-SHA | TLS-DHE-RSA-WITH-DES-CBC-SHA |
TLS-DHE-DSS-WITH-DES-CBC-SHA | TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
set ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
set ssl-send-empty-frags {enable | disable}
set ssl-client-fallback {disable | enable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-client-session-state-type {disable | time | count | both}
set ssl-client-session-state-timeout <integer>
set ssl-client-session-state-max <integer>
set ssl-server-session-state-type {disable | time | count | both}
set ssl-server-session-state-timeout <integer>
set ssl-server-session-state-max <integer>
set ssl-http-location-conversion {enable | disable}
set ssl-http-match-host {enable | disable}
set monitor <string>
set max-embryonic-connections <integer>
set color <integer>
end

Description

Configuration | Description | Default Value
name | Virtual IP name. | (Empty)
id | Custom defined ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
type | VIP type: static NAT, load balance, server load balance. | static-nat
dns-mapping-ttl | DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0). |
ldb-method | Load balance method. | static
src-filter | Source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y). | (Empty)
extip | Start external IP - end external IP. | 0.0.0.0
mappedip | Mapped IP (x.x.x.x/x x.x.x.x-y.y.y.y). | (Empty)
mapped-addr | Mapped address. | (Empty)
extintf | External interface. | (Empty)
arp-reply | Enable/disable ARP reply. | enable
server-type | Server type. | (Empty)
persistence | Persistence. | none
nat-source-vip | Enable/disable force NAT as VIP when server goes out. | disable
portforward | Enable/disable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
gratuitous-arp-interval | Interval between sending gratuitous ARPs in seconds (0 = disable). |
srcintf-filter | Source interface filter. | (Empty)
portmapping-type | Port mapping type. | 1-to-1
realservers | Real servers. | (Empty)
http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. | disable
http-cookie-domain | HTTP cookie domain. | (Empty)
http-cookie-path | HTTP cookie path. | (Empty)
http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
http-cookie-age | Number of minutes the web browser should keep cookie (0 = forever). | 60
http-cookie-share | Share HTTP cookies across different virtual servers. | same-ip
https-cookie-secure | Enable/disable verification of cookie inserted into HTTPS is marked as secure. | disable
http-multiplex | Enable/disable multiplex HTTP requests/responses over a single TCP connection. | disable
http-ip-header | Add additional HTTP header containing client's original IP address. | disable
http-ip-header-name | Name of HTTP header containing client's IP address (X-Forwarded-For is used if empty). | (Empty)
outlook-web-access | Enable/disable adding HTTP header indicating SSL offload for Outlook Web Access server. | disable
weblogic-server | Enable/disable adding HTTP header indicating SSL offload for WebLogic server. | disable
websphere-server | Enable/disable adding HTTP header indicating SSL offload for WebSphere server. | disable
ssl-mode | SSL/TLS mode for encryption & decryption of traffic. | half
ssl-certificate | Name of Certificate to offer in every SSL connection. | (Empty)
ssl-dh-bits | Size of Diffie-Hellman prime used in DHE-RSA negotiation. | 2048
ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation with client. | high
ssl-cipher-suites | SSL/TLS cipher suites acceptable from a client, ordered by priority. | (Empty)
ssl-server-algorithm | Relative strength of encryption algorithms accepted in negotiation with server. | client
ssl-server-cipher-suites | SSL/TLS cipher suites to offer to a server, ordered by priority. | (Empty)
ssl-pfs | SSL Perfect Forward Secrecy. | allow
ssl-min-version | Lowest SSL/TLS version acceptable from a client. | tls-1.0
ssl-max-version | Highest SSL/TLS version acceptable from a client. | tls-1.2
ssl-server-min-version | Lowest SSL/TLS version acceptable from a server. | client
ssl-server-max-version | Highest SSL/TLS version acceptable from a server. | client
ssl-send-empty-frags | Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). | enable
ssl-client-fallback | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). | enable
ssl-client-renegotiation | Allow/block client renegotiation by server. | allow
ssl-client-session-state-type | Control Client to FortiGate SSL session state preservation. | both
ssl-client-session-state-timeout | Number of minutes to keep client to FortiGate SSL session state. | 30
ssl-client-session-state-max | Maximum number of client to FortiGate SSL session states to keep. | 1000
ssl-server-session-state-type | Control FortiGate to server SSL session state preservation. | both
ssl-server-session-state-timeout | Number of minutes to keep FortiGate to Server SSL session state. | 60
ssl-server-session-state-max | Maximum number of FortiGate to Server SSL session states to keep. | 100
ssl-http-location-conversion | Enable/disable location conversion on HTTP response header. | disable
ssl-http-match-host | Enable/disable HTTP host matching for location conversion. | disable
monitor | Health monitors. | (Empty)
max-embryonic-connections | Maximum number of incomplete connections. | 1000
color | GUI icon color. |
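
As an added example (not Fortinet's code and not part of this reference), the following Python parses a FortiOS configuration dump and audits each `config firewall vip` entry against the TLS defaults in the table above: the TLS 1.0 floor of `ssl-min-version`, `ssl-pfs allow`, `ssl-client-renegotiation allow`, and RC4/DES/3DES/MD5 or SSL 3.0 entries in a custom `ssl-cipher-suites` list. The sample configuration, its VIP names and the `WEAK_CIPHER` pattern are constructed for the example; the parser also handles the `next` keyword that FortiOS configuration files use to close each `edit`, which the syntax listing above omits.

```python
"""Audit TLS settings of `config firewall vip` entries in a FortiOS config dump."""
import re
import shlex

# Constructed sample (hypothetical names), in the config/edit/set/next/end form
# FortiOS writes to its config files: one VIP on 5.4 defaults plus a custom
# suite list, one hardened.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-lb-weak"
        set type server-load-balance
        set server-type https
        set ssl-min-version tls-1.0
        set ssl-pfs allow
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                set versions tls-1.2
            next
            edit 2
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions ssl-3.0 tls-1.0 tls-1.1 tls-1.2
            next
        end
    next
    edit "web-lb-hardened"
        set type server-load-balance
        set server-type https
        set ssl-min-version tls-1.2
        set ssl-pfs require
        set ssl-client-renegotiation deny
    next
end
"""

# Defaults as listed in the firewall/vip description table of this reference.
DEFAULTS = {"ssl-min-version": "tls-1.0", "ssl-pfs": "allow",
            "ssl-client-renegotiation": "allow"}
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]
TLS_SERVER_TYPES = {"https", "ssl", "imaps", "pop3s", "smtps"}  # VIPs that offload TLS
WEAK_CIPHER = re.compile(r"-(RC4|3?DES)-|-MD5$")  # RC4, DES, 3DES or an MD5 MAC


def parse_fortios(text):
    """Parse FortiOS CLI syntax into nested dicts: `config <path>` and `edit <name>`
    open a dict under that key, `set <key> <values...>` stores the value tokens as
    a list, and `next`/`end` close the innermost open block."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # strips quotes; blank lines yield no tokens
        if not tokens:
            continue
        keyword, args, current = tokens[0], tokens[1:], stack[-1]
        if keyword == "config":
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword in line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def audit_vip(name, vip):
    """Return findings for one VIP entry; an empty list means it passed."""
    if vip.get("server-type", [""])[0] not in TLS_SERVER_TYPES:
        return []  # no TLS offload on this VIP, so the ssl-* settings are inert

    def setting(key):  # explicit value, else the FortiOS 5.4 default
        return (vip.get(key) or [DEFAULTS.get(key)])[0]

    findings = []
    if VERSION_ORDER.index(setting("ssl-min-version")) < VERSION_ORDER.index("tls-1.2"):
        findings.append(f"{name}: ssl-min-version {setting('ssl-min-version')} admits pre-TLS 1.2 clients")
    if setting("ssl-pfs") != "require":
        findings.append(f"{name}: ssl-pfs {setting('ssl-pfs')} permits non-forward-secret key exchange")
    if setting("ssl-client-renegotiation") == "allow":
        findings.append(f"{name}: ssl-client-renegotiation allow permits insecure renegotiation")
    suites = vip.get("ssl-cipher-suites", {})  # custom list used with ssl-algorithm custom
    for prio in sorted(suites, key=int):
        cipher = suites[prio].get("cipher", [""])[0]
        if WEAK_CIPHER.search(cipher):
            findings.append(f"{name}: cipher suite {prio} uses weak cipher {cipher}")
        if "ssl-3.0" in suites[prio].get("versions", []):
            findings.append(f"{name}: cipher suite {prio} is offered for ssl-3.0")
    return findings


def audit_config(text):
    """Map each `config firewall vip` entry name to its list of findings."""
    vips = parse_fortios(text).get("firewall vip", {})
    return {name: audit_vip(name, vip) for name, vip in vips.items()}
```

On the sample, `audit_config(SAMPLE_CONFIG)` reports five findings for web-lb-weak (the TLS 1.0 floor, non-required PFS, the default renegotiation setting, the RC4 suite, and that suite's ssl-3.0 version) and none for web-lb-hardened.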

firewall/vip46
CLI Syntax
config firewall vip46
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end

Description

Configuration | Description | Default Value
name | VIP46 name. | (Empty)
id | Custom defined id. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
src-filter | Source IP filter (x.x.x.x/x). | (Empty)
extip | Start-external-IP [-end-external-IP]. | 0.0.0.0
mappedip | Start-mapped-IP [-end-mapped-IP]. | ::
arp-reply | Enable ARP reply. | enable
portforward | Enable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
color | GUI icon color. |

firewall/vip6
CLI Syntax
config firewall vip6
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp}
set extport <user>
set mappedport <user>
set color <integer>
end

Description

Configuration | Description | Default Value
name | Virtual ip6 name. | (Empty)
id | Custom defined ID. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
type | VIP type: static NAT. | static-nat
src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty)
extip | Start external IP - end external IP. | ::
mappedip | Start mapped IP - end mapped IP. | ::
arp-reply | Enable/disable ARP reply. | enable
portforward | Enable/disable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
color | GUI icon color. |

firewall/vip64
CLI Syntax
config firewall vip64
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end

Description

Configuration | Description | Default Value
name | VIP64 name. | (Empty)
id | Custom defined id. |
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
comment | Comment. | (Empty)
src-filter | Source IP6 filter (x:x:x:x:x:x:x:x/x). | (Empty)
extip | Start-external-IP [-End-external-IP]. | ::
mappedip | Start-mapped-IP [-End-mapped-IP]. | 0.0.0.0
arp-reply | Enable ARP reply. | enable
portforward | Enable port forward. | disable
protocol | Mapped port protocol. | tcp
extport | External service port. |
mappedport | Mapped service port. |
color | GUI icon color. |

firewall/vipgrp
CLI Syntax
config firewall vipgrp
edit <name_str>
set name <string>
set uuid <uuid>
set interface <string>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description

Configuration | Description | Default Value
name | VIP group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
interface | Interface. | (Empty)
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP group member. | (Empty)

firewall/vipgrp46
CLI Syntax
config firewall vipgrp46
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description

Configuration | Description | Default Value
name | VIP46 group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP46 group member. | (Empty)

firewall/vipgrp6
CLI Syntax
config firewall vipgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description

Configuration | Description | Default Value
name | IPv6 VIP group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP group6 member. | (Empty)

firewall/vipgrp64
CLI Syntax
config firewall vipgrp64
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description

Configuration | Description | Default Value
name | VIP64 group name. | (Empty)
uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000
color | GUI icon color. |
comments | Comment. | (Empty)
member | VIP64 group member. | (Empty)

ftp-proxy/explicit
CLI Syntax
config ftp-proxy explicit
edit <name_str>
set status {enable | disable}
set incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set sec-default-action {accept | deny}
end

Description

Configuration | Description | Default Value
status | Enable/disable explicit FTP proxy. | disable
incoming-port | Accept incoming FTP requests on ports other than port 21. | 21
incoming-ip | Accept incoming FTP requests from this IP. An interface must have this IP address. | 0.0.0.0
outgoing-ip | Outgoing FTP requests will leave from this IP. An interface must have this IP address. | (Empty)
sec-default-action | Default action to allow or deny when no ftp-proxy firewall policy exists. | deny

gui/console
CLI Syntax
config gui console
edit <name_str>
set preferences <user>
end

Description

Configuration | Description | Default Value
preferences | Preferences. | Binary file, 0 bytes.

icap/profile
CLI Syntax
config icap profile
edit <name_str>
set replacemsg-group <string>
set name <string>
set request {disable | enable}
set response {disable | enable}
set streaming-content-bypass {disable | enable}
set request-server <string>
set response-server <string>
set request-failure {error | bypass}
set response-failure {error | bypass}
set request-path <string>
set response-path <string>
set methods {delete | get | head | options | post | put | trace | other}
end

Description

Configuration | Description | Default Value
replacemsg-group | Replacement message group. | (Empty)
name | ICAP profile name. | (Empty)
request | Enable/disable whether an HTTP request is passed to an ICAP server. | disable
response | Enable/disable whether an HTTP response is passed to an ICAP server. | disable
streaming-content-bypass | Enable/disable bypassing of ICAP server for streaming content. | disable
request-server | ICAP server to use for an HTTP request. | (Empty)
response-server | ICAP server to use for an HTTP response. | (Empty)
request-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP request. | error
response-failure | Action to take if the ICAP server cannot be contacted when processing an HTTP response. | error
request-path | Path component of the ICAP URI that identifies the HTTP request processing service. | (Empty)
response-path | Path component of the ICAP URI that identifies the HTTP response processing service. | (Empty)
methods | The allowed HTTP methods that will be sent to ICAP server for further processing. | delete get head options post put trace other

icap/server
CLI Syntax
config icap server
edit <name_str>
set name <string>
set ip-version {4 | 6}
set ip-address <ipv4-address-any>
set ip6-address <ipv6-address>
set port <integer>
set max-connections <integer>
end

Description

Configuration | Description | Default Value
name | Server name. | (Empty)
ip-version | IP version. |
ip-address | IPv4 address of the ICAP server. | 0.0.0.0
ip6-address | IPv6 address of the ICAP server. | ::
port | ICAP server port. | 1344
max-connections | Maximum number of concurrent connections to ICAP server. | 100

ips/custom
CLI Syntax
config ips custom
edit <name_str>
set tag <string>
set signature <string>
set sig-name <string>
set rule-id <integer>
set severity <user>
set location <user>
set os <user>
set application <user>
set protocol <user>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set comment <string>
end

Description

Configuration | Description | Default Value
tag | Signature tag. | (Empty)
signature | Signature text. | (Empty)
sig-name | Signature name. | (Empty)
rule-id | Signature ID. |
severity | Severity. | (Empty)
location | Vulnerable location. | (Empty)
os | Vulnerable operating systems. | (Empty)
application | Vulnerable applications. | (Empty)
protocol | Vulnerable service. | (Empty)
status | Enable/disable status. | enable
log | Enable/disable logging. | enable
log-packet | Enable/disable packet logging. | disable
action | Action. | pass
comment | Comment. | (Empty)

ips/dbinfo
CLI Syntax
config ips dbinfo
edit <name_str>
set version <integer>
end

Description

Configuration | Description | Default Value
version | Internal category version. |

ips/decoder
CLI Syntax
config ips decoder
edit <name_str>
set name <string>
config parameter
edit <name_str>
set name <string>
set value <string>
end
end

Description

Configuration | Description | Default Value
name | Decoder name. | (Empty)
parameter | IPS group parameters. | (Empty)

ips/global
CLI Syntax
config ips global
edit <name_str>
set fail-open {enable | disable}
set database {regular | extended}
set traffic-submit {enable | disable}
set anomaly-mode {periodical | continuous}
set session-limit-mode {accurate | heuristic}
set intelligent-mode {enable | disable}
set socket-size <integer>
set engine-count <integer>
set algorithm {engine-pick | low | high | super}
set sync-session-ttl {enable | disable}
set np-accel-mode {none | basic}
set ips-reserve-cpu {disable | enable}
set cp-accel-mode {none | basic | advanced}
set skype-client-public-ipaddr <var-string>
set default-app-cat-mask <user>
set deep-app-insp-timeout <integer>
set deep-app-insp-db-limit <integer>
set exclude-signatures {none | industrial}
end

Description

Configuration | Description | Default Value
fail-open | Enable/disable IPS fail open option. | disable
database | IPS database selection. | extended
traffic-submit | Enable/disable submit attack characteristics to FortiGuard Service. | disable
anomaly-mode | Blocking mode for rate-based anomaly. | continuous
session-limit-mode | Counter mode for session-limit anomaly. | heuristic
intelligent-mode | Enable/disable intelligent scan mode. | enable
socket-size | IPS socket buffer size. | 128
engine-count | Number of engines (0: use recommended setting). |
algorithm | Signature matching algorithm. | engine-pick
sync-session-ttl | Enable/disable use of kernel session TTL for IPS sessions. | disable
np-accel-mode | Network Processor acceleration mode. | basic
ips-reserve-cpu | Enable/disable IPS daemon's use of CPUs other than CPU 0. | disable
cp-accel-mode | Content Processor acceleration mode. | advanced
skype-client-public-ipaddr | Comma-separated client external IP address for decrypting Skype protocol. | (Empty)
default-app-cat-mask | Default enabled application category mask. | 18446744073709551615
deep-app-insp-timeout | Timeout for Deep application inspection (1 - 2147483647 sec., 0 = use recommended setting). |
deep-app-insp-db-limit | Limit on number of entries in deep application inspection database (1 - 2147483647, 0 = use recommended setting). |
exclude-signatures | Excluded signatures. | industrial

ips/rule
CLI Syntax
config ips rule
edit <name_str>
set name <string>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set group <string>
set severity {}
set location {}
set os <user>
set application <user>
set service <user>
set rule-id <integer>
set rev <integer>
set date <integer>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end

Description

Configuration | Description | Default Value
name | Rule name. | (Empty)
status | Enable/disable status. | enable
log | Enable/disable logging. | enable
log-packet | Enable/disable packet logging. | disable
action | Action. | pass
group | Group. | (Empty)
severity | Severity. | (Empty)
location | Vulnerable location. | (Empty)
os | Vulnerable operating systems. | (Empty)
application | Vulnerable applications. | (Empty)
service | Vulnerable service. | (Empty)
rule-id | Rule ID. |
rev | Revision. |
date | Date. |
metadata | Meta data. | (Empty)

ips/rule-settings
CLI Syntax
config ips rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end


Description

Configuration | Description | Default Value
id | Rule ID. |
tags | Applied object tags. | (Empty)

ips/sensor
CLI Syntax
config ips sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set block-malicious-url {disable | enable}
config entries
edit <name_str>
set id <integer>
config rule
edit <name_str>
set id <integer>
end
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
config tags
edit <name_str>
set name <string>
end
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set log-attack-context {disable | enable}
set action {pass | block | reset | default}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
config filter
edit <name_str>
set name <string>
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset | default}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
end
config override
edit <name_str>
set rule-id <integer>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
end
end


Description

Configuration | Description | Default Value
name | Sensor name. | (Empty)
comment | Comment. | (Empty)
replacemsg-group | Replacement message group. | (Empty)
block-malicious-url | Enable/disable malicious URL blocking. | disable
entries | IPS sensor filter. | (Empty)
filter | IPS sensor filter. | (Empty)
override | IPS override rule. | (Empty)

ips/settings
CLI Syntax
config ips settings
edit <name_str>
set packet-log-history <integer>
set packet-log-post-attack <integer>
set packet-log-memory <integer>
set ips-packet-quota <integer>
end


Description

Configuration | Description | Default Value
packet-log-history | Number of packets to be recorded before alert (1 - 255). |
packet-log-post-attack | Number of packets to be recorded after attack (0 - 255). |
packet-log-memory | Maximum memory that can be used by packet log (64 - 8192 kB). | 256
ips-packet-quota | IPS packet quota. |
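
The following is an added example (not part of this reference) that combines the `config ips settings` packet-log context with a `config ips sensor` definition built from the `entries`, `rule`, `exempt-ip` and rate-based options listed above: a severity-based entry that blocks and quarantines, and a rate-based entry on a single signature that exempts an internal scanner. The sensor name, rule ID 12345 and the 192.0.2.x addresses are placeholders; `#` lines are annotations.

```text
config ips settings
    # keep 10 packets before and 10 after a match so log-packet captures context
    set packet-log-history 10
    set packet-log-post-attack 10
    set packet-log-memory 256
end
config ips sensor
    edit "example-server-protect"
        set comment "Block high/critical server-side signatures"
        set block-malicious-url enable
        config entries
            # entry 1: all server-side high/critical signatures, blocked, packets logged,
            # attacker quarantined for 5 minutes (entries use the duration form of quarantine-expiry)
            edit 1
                set location server
                set severity high critical
                set status enable
                set log enable
                set log-packet enable
                set action block
                set quarantine attacker
                set quarantine-expiry 5m
                set quarantine-log enable
            next
            # entry 2: placeholder rule 12345 only triggers after 20 hits from one source within 60 s
            edit 2
                config rule
                    edit 12345
                    next
                end
                set status enable
                set log enable
                set action reset
                set rate-count 20
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                # the internal vulnerability scanner (constructed address) is exempt from this entry only
                config exempt-ip
                    edit 1
                        set src-ip 192.0.2.10 255.255.255.255
                        set dst-ip 0.0.0.0 0.0.0.0
                    next
                end
            next
        end
    next
end
```

The sensor takes effect only once it is referenced by a firewall policy with an IPS profile; the reference's `rate-track` and `quarantine` options above are what limit collateral blocking to the offending source.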

log.disk/filter
CLI Syntax
config log.disk filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
dlp-archive | Enable/disable log DLP archive. | enable
gtp | Enable/disable log GTP messages. | enable
event | Enable/disable log event messages. | enable
system | Enable/disable log system activity messages. | enable
radius | Enable/disable log RADIUS messages. | enable
ipsec | Enable/disable log IPsec negotiation messages. | enable
dhcp | Enable/disable log DHCP service messages. | enable
ppp | Enable/disable log L2TP/PPTP/PPPoE messages. | enable
admin | Enable/disable log admin login/logout messages. | enable
ha | Enable/disable log HA activity messages. | enable
auth | Enable/disable log firewall authentication messages. | enable
pattern | Enable/disable log pattern update messages. | enable
sslvpn-log-auth | Enable/disable log SSL user authentication. | enable
sslvpn-log-adm | Enable/disable log SSL administration. | enable
sslvpn-log-session | Enable/disable log SSL session. | enable
vip-ssl | Enable/disable log VIP SSL messages. | enable
ldb-monitor | Enable/disable log VIP real server health monitoring messages. | enable
wan-opt | Enable/disable log WAN optimization messages. | enable
wireless-activity | Enable/disable log wireless activity. | enable
cpu-memory-usage | Enable/disable log CPU & memory usage every 5 minutes. | disable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.disk/setting
CLI Syntax
config log.disk setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set max-log-file-size <integer>
set max-policy-packet-capture-size <integer>
set roll-schedule {daily | weekly}
set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set roll-time <user>
set diskfull {overwrite | nolog}
set log-quota <integer>
set dlp-archive-quota <integer>
set report-quota <integer>
set maximum-log-age <integer>
set upload {enable | disable}
set upload-destination {ftp-server}
set uploadip <ipv4-address>
set uploadport <integer>
set source-ip <ipv4-address>
set uploaduser <string>
set uploadpass <password>
set uploaddir <string>
set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
set uploadzip {disable | enable}
set uploadsched {disable | enable}
set uploadtime <integer>
set upload-delete-files {enable | disable}
set upload-ssl-conn {default | high | low | disable}
set full-first-warning-threshold <integer>
set full-second-warning-threshold <integer>
set full-final-warning-threshold <integer>
end


Description

Configuration | Description | Default Value
status | Enable/disable local disk log. | disable
ips-archive | Enable/disable IPS packet archive. | enable
max-log-file-size | Maximum log file size in MB before rolling. | 20
max-policy-packet-capture-size | Maximum size of policy sniffer in MB (0 = unlimited). | 10
roll-schedule | Frequency to check log file for rolling. | daily
roll-day | Days of week to roll logs. | sunday
roll-time | Time to roll logs (hh:mm). | 00:00
diskfull | Policy to apply when disk is full. | overwrite
log-quota | Disk log quota (MB). |
dlp-archive-quota | DLP archive quota (MB). |
report-quota | Report quota (MB). |
maximum-log-age | Delete log files older than (days). |
upload | Enable/disable upload of log files upon rolling. | disable
upload-destination | Server type. | ftp-server
uploadip | IP address of log uploading server. | 0.0.0.0
uploadport | Port of the log uploading server. | 21
source-ip | Source IP address of the disk log uploading. | 0.0.0.0
uploaduser | User account in the uploading server. | (Empty)
uploadpass | Password of the user account in the uploading server. | (Empty)
uploaddir | Log file uploading remote directory. | (Empty)
uploadtype | Types of log files that need to be uploaded. | traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp
uploadzip | Enable/disable compression of uploaded logs. | disable
uploadsched | Scheduled upload (disable = upload when rolling). | disable
uploadtime | Time of scheduled upload. |
upload-delete-files | Delete log files after uploading (default = enable). | enable
upload-ssl-conn | Enable/disable SSL communication when uploading. | default
full-first-warning-threshold | Log full first warning threshold (1 - 98, default = 75). | 75
full-second-warning-threshold | Log full second warning threshold (2 - 99, default = 90). | 90
full-final-warning-threshold | Log full final warning threshold (3 - 100, default = 95). | 95
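
As an added example (not from this reference), the block below sets the `log.disk setting` options above so that local logs are rolled, offloaded and retained deliberately instead of left at the defaults (`status disable`, `upload disable`, `upload-ssl-conn default`). The reference writes the path as `log.disk`; at the prompt it is entered as `config log disk setting`. The FTP address, account and directory are constructed placeholders; `#` lines are annotations.

```text
config log disk setting
    set status enable
    set ips-archive enable
    # roll once a day at 01:00 and never let one file grow past 20 MB
    set roll-schedule daily
    set roll-time 01:00
    set max-log-file-size 20
    # when the disk fills, overwrite the oldest files; with upload enabled below those
    # files already have an off-box copy (nolog would stop recording new events instead)
    set diskfull overwrite
    set log-quota 2048
    set maximum-log-age 30
    # warn earlier than the 75/90/95 defaults so disk pressure is noticed before evidence is overwritten
    set full-first-warning-threshold 60
    set full-second-warning-threshold 80
    set full-final-warning-threshold 90
    # push each rolled file to the collector (constructed address) over SSL, compressed,
    # and keep the local copy until the quota or age limit removes it
    set upload enable
    set upload-destination ftp-server
    set uploadip 192.0.2.50
    set uploadport 21
    set uploaduser "logcollector"
    set uploadpass "PLACEHOLDER-PASSWORD"
    set uploaddir "/fortigate"
    set uploadtype traffic event virus webfilter IPS anomaly dlp app-ctrl
    set uploadzip enable
    set upload-ssl-conn high
    set upload-delete-files disable
end
```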

log.fortianalyzer/filter
CLI Syntax
config log.fortianalyzer filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
dlp-archive | Enable/disable log DLP archive. | enable
gtp | Enable/disable log GTP messages. | enable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.fortianalyzer/override-filter
CLI Syntax
config log.fortianalyzer override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
dlp-archive | Enable/disable log DLP archive. | enable
gtp | Enable/disable log GTP messages. | enable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.fortianalyzer/override-setting
CLI Syntax
config log.fortianalyzer override-setting
edit <name_str>
set override {enable | disable}
set use-management-vdom {enable | disable}
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end


Description

Configuration | Description | Default Value
override | Enable/disable override of the global FortiAnalyzer settings. | disable
use-management-vdom | Enable/disable use of management VDOM IP address as source IP for logs sent to FortiAnalyzer. | disable
status | Enable/disable FortiAnalyzer. | disable
ips-archive | Enable/disable IPS packet archive. | enable
server | IPv4 or IPv6 address of the remote FortiAnalyzer. | (Empty)
hmac-algorithm | FortiAnalyzer IPsec tunnel HMAC algorithm. | sha256
enc-algorithm | Enable/disable sending of FortiAnalyzer log data with SSL encryption. | high
conn-timeout | FortiAnalyzer connection time-out in seconds (for status and log buffer). | 10
monitor-keepalive-period | Time between OFTP keepalives in seconds (for status and log buffer). |
monitor-failure-retry-period | Time between FortiAnalyzer connection retries in seconds (for status and log buffer). |
mgmt-name | Hidden management name of FortiAnalyzer. | (Empty)
faz-type | Hidden setting index of FortiAnalyzer. |
source-ip | Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. | (Empty)
__change_ip | Hidden attribute. |
upload-option | Enable/disable logging to hard disk and then upload to FortiAnalyzer. | realtime
upload-interval | Frequency to check log file for upload. | daily
upload-day | Days of week (month) to upload logs. | (Empty)
upload-time | Time to upload logs (hh:mm). | 00:59
reliable | Enable/disable reliable logging to FortiAnalyzer. | disable

log.fortianalyzer/setting
CLI Syntax
config log.fortianalyzer setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end


Description

Configuration | Description | Default Value
status | Enable/disable FortiAnalyzer. | disable
ips-archive | Enable/disable IPS packet archive. | enable
server | IPv4 or IPv6 address of the remote FortiAnalyzer. | (Empty)
hmac-algorithm | FortiAnalyzer IPsec tunnel HMAC algorithm. | sha256
enc-algorithm | Enable/disable sending of FortiAnalyzer log data with SSL encryption. | high
conn-timeout | FortiAnalyzer connection time-out in seconds (for status and log buffer). | 10
monitor-keepalive-period | Time between OFTP keepalives in seconds (for status and log buffer). |
monitor-failure-retry-period | Time between FortiAnalyzer connection retries in seconds (for status and log buffer). |
mgmt-name | Hidden management name of FortiAnalyzer. | FGh_Log1
faz-type | Hidden setting index of FortiAnalyzer. |
source-ip | Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. | (Empty)
__change_ip | Hidden attribute. |
upload-option | Enable/disable logging to hard disk and then upload to FortiAnalyzer. | realtime
upload-interval | Frequency to check log file for upload. | daily
upload-day | Days of week (month) to upload logs. | (Empty)
upload-time | Time to upload logs (hh:mm). | 00:59
reliable | Enable/disable reliable logging to FortiAnalyzer. | disable
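
The block below is an added example (not from this reference) covering both the global `log.fortianalyzer setting` table above and the per-VDOM `log.fortianalyzer override-setting` table earlier: the global entry pins the source address and turns on encrypted, reliable delivery, and one VDOM overrides it to send its logs to a second FortiAnalyzer through the management VDOM. It assumes the unit is in multi-VDOM mode; the VDOM name `dmz` and the 192.0.2.x addresses are placeholders. The reference writes the path as `log.fortianalyzer`; at the prompt it is entered as `config log fortianalyzer setting`. `#` lines are annotations.

```text
# global (management VDOM) FortiAnalyzer target
config log fortianalyzer setting
    set status enable
    set server 192.0.2.20
    # high keeps only strong SSL ciphers; disable would send log data in the clear
    set enc-algorithm high
    set hmac-algorithm sha256
    # reliable delivery instead of best-effort sending, so gaps are retried rather than lost
    set reliable enable
    set conn-timeout 10
    set monitor-keepalive-period 30
    set monitor-failure-retry-period 60
    set upload-option realtime
    # fixed source address so the FortiAnalyzer side can restrict which devices may register
    set source-ip 192.0.2.1
    set ips-archive enable
end
# the "dmz" VDOM overrides the global target but still sources its logs from the management VDOM
config vdom
    edit "dmz"
        config log fortianalyzer override-setting
            set override enable
            set use-management-vdom enable
            set status enable
            set server 192.0.2.21
            set enc-algorithm high
            set hmac-algorithm sha256
            set reliable enable
            set upload-option realtime
        end
    next
end
```

A VDOM whose `override` stays `disable` keeps using the global entry, so the override table needs to be checked per VDOM when auditing where logs actually go.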

log.fortianalyzer2/filter
CLI Syntax
config log.fortianalyzer2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
dlp-archive | Enable/disable log DLP archive. | enable
gtp | Enable/disable log GTP messages. | enable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.fortianalyzer2/setting
CLI Syntax
config log.fortianalyzer2 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end


Description

Configuration | Description | Default Value
status | Enable/disable FortiAnalyzer. | disable
ips-archive | Enable/disable IPS packet archive. | enable
server | IPv4 or IPv6 address of the remote FortiAnalyzer. | (Empty)
hmac-algorithm | FortiAnalyzer IPsec tunnel HMAC algorithm. | sha256
enc-algorithm | Enable/disable sending of FortiAnalyzer log data with SSL encryption. | high
conn-timeout | FortiAnalyzer connection time-out in seconds (for status and log buffer). | 10
monitor-keepalive-period | Time between OFTP keepalives in seconds (for status and log buffer). |
monitor-failure-retry-period | Time between FortiAnalyzer connection retries in seconds (for status and log buffer). |
mgmt-name | Hidden management name of FortiAnalyzer. | FGh_Log2
faz-type | Hidden setting index of FortiAnalyzer. |
source-ip | Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. | (Empty)
__change_ip | Hidden attribute. |
upload-option | Enable/disable logging to hard disk and then upload to FortiAnalyzer. | realtime
upload-interval | Frequency to check log file for upload. | daily
upload-day | Days of week (month) to upload logs. | (Empty)
upload-time | Time to upload logs (hh:mm). | 00:59
reliable | Enable/disable reliable logging to FortiAnalyzer. | disable

log.fortianalyzer3/filter
CLI Syntax
config log.fortianalyzer3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
gtp | Enable/disable log GTP messages. | enable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.fortianalyzer3/setting
CLI Syntax
config log.fortianalyzer3 setting
edit <name_str>
set status {enable | disable}
set ips-archive {enable | disable}
set server <string>
set hmac-algorithm {sha256 | sha1}
set enc-algorithm {default | high | low | disable}
set conn-timeout <integer>
set monitor-keepalive-period <integer>
set monitor-failure-retry-period <integer>
set mgmt-name <string>
set faz-type <integer>
set source-ip <string>
set __change_ip <integer>
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set reliable {enable | disable}
end


Description

Configuration | Description | Default Value
status | Enable/disable FortiAnalyzer. | disable
ips-archive | Enable/disable IPS packet archive. | enable
server | IPv4 or IPv6 address of the remote FortiAnalyzer. | (Empty)
hmac-algorithm | FortiAnalyzer IPsec tunnel HMAC algorithm. | sha256
enc-algorithm | Enable/disable sending of FortiAnalyzer log data with SSL encryption. | high
conn-timeout | FortiAnalyzer connection time-out in seconds (for status and log buffer). | 10
monitor-keepalive-period | Time between OFTP keepalives in seconds (for status and log buffer). |
monitor-failure-retry-period | Time between FortiAnalyzer connection retries in seconds (for status and log buffer). |
mgmt-name | Hidden management name of FortiAnalyzer. | FGh_Log3
faz-type | Hidden setting index of FortiAnalyzer. |
source-ip | Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. | (Empty)
__change_ip | Hidden attribute. |
upload-option | Enable/disable logging to hard disk and then upload to FortiAnalyzer. | realtime
upload-interval | Frequency to check log file for upload. | daily
upload-day | Days of week (month) to upload logs. | (Empty)
upload-time | Time to upload logs (hh:mm). | 00:59
reliable | Enable/disable reliable logging to FortiAnalyzer. | disable

log.fortiguard/filter
CLI Syntax
config log.fortiguard filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
dlp-archive | Enable/disable log DLP archive. | enable
gtp | Enable/disable log GTP messages. | enable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.fortiguard/override-filter
CLI Syntax
config log.fortiguard override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
dlp-archive | Enable/disable log DLP archive. | enable
gtp | Enable/disable log GTP messages. | enable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.fortiguard/override-setting
CLI Syntax
config log.fortiguard override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
end


Description

Configuration | Description | Default Value
override | Enable/disable override of the global FortiGuard settings. | disable
status | Enable FortiCloud. | disable
upload-option | Enable/disable logging to hard disk and then upload to FortiCloud. | realtime
upload-interval | Frequency to check log file for upload. | daily
upload-day | Days of week to roll logs. | (Empty)
upload-time | Time to roll logs (hh:mm). | 00:00

log.fortiguard/setting
CLI Syntax
config log.fortiguard setting
edit <name_str>
set status {enable | disable}
set upload-option {store-and-upload | realtime}
set upload-interval {daily | weekly | monthly}
set upload-day <user>
set upload-time <user>
set enc-algorithm {default | high | low | disable}
set source-ip <ipv4-address>
end


Description

Configuration | Description | Default Value
status | Enable FortiCloud. | disable
upload-option | Enable/disable logging to hard disk and then upload to FortiCloud. | realtime
upload-interval | Frequency to check log file for upload. | daily
upload-day | Days of week to roll logs. | (Empty)
upload-time | Time to roll logs (hh:mm). | 00:00
enc-algorithm | Enable/disable sending of FortiCloud log data with SSL encryption. | high
source-ip | Source IP address used to connect to FortiCloud. | 0.0.0.0

log.memory/filter
CLI Syntax
config log.memory filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {}
set netscan-vulnerability {}
set voip {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end


Description

Configuration | Description | Default Value
severity | Lowest severity level to log. | information
forward-traffic | Enable/disable log through traffic messages. | enable
local-traffic | Enable/disable log local in or out traffic messages. | enable
multicast-traffic | Enable/disable log multicast traffic messages. | enable
sniffer-traffic | Enable/disable log sniffer traffic messages. | enable
anomaly | Enable/disable log anomaly messages. | enable
netscan-discovery | Enable/disable log netscan discovery events. |
netscan-vulnerability | Enable/disable log netscan vulnerability events. |
voip | Enable/disable log VoIP messages. | enable
gtp | Enable/disable log GTP messages. | enable
event | Enable/disable log event messages. | enable
system | Enable/disable log system activity messages. | enable
radius | Enable/disable log RADIUS messages. | enable
ipsec | Enable/disable log IPsec negotiation messages. | enable
dhcp | Enable/disable log DHCP service messages. | enable
ppp | Enable/disable log L2TP/PPTP/PPPoE messages. | enable
admin | Enable/disable log admin login/logout messages. | enable
ha | Enable/disable log HA activity messages. | enable
auth | Enable/disable log firewall authentication messages. | enable
pattern | Enable/disable log pattern update messages. | enable
sslvpn-log-auth | Enable/disable log SSL user authentication. | enable
sslvpn-log-adm | Enable/disable log SSL administration. | enable
sslvpn-log-session | Enable/disable log SSL session. | enable
vip-ssl | Enable/disable log VIP SSL messages. | enable
ldb-monitor | Enable/disable log VIP real server health monitoring messages. | enable
wan-opt | Enable/disable log WAN optimization messages. | enable
wireless-activity | Enable/disable log wireless activity. | enable
cpu-memory-usage | Enable/disable log CPU & memory usage every 5 minutes. | disable
filter | Log filter for the log device. | (Empty)
filter-type | Include/exclude logs that match the filter setting. | include

log.memory/global-setting
CLI Syntax
config log.memory global-setting
    edit <name_str>
        set max-size <integer>
        set full-first-warning-threshold <integer>
        set full-second-warning-threshold <integer>
        set full-final-warning-threshold <integer>
    end

Description
Configuration                   Description                                                 Default Value
max-size                        Maximum memory buffer size for log (byte).                  163840
full-first-warning-threshold    Log full first warning threshold (1 - 98, default = 75).    75
full-second-warning-threshold   Log full second warning threshold (2 - 99, default = 90).   90
full-final-warning-threshold    Log full final warning threshold (3 - 100, default = 95).   95

log.memory/setting
CLI Syntax
config log.memory setting
    edit <name_str>
        set status {enable | disable}
        set diskfull {overwrite}
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable memory buffer log.                           enable
diskfull                        Action when memory is full.                                 overwrite

log.syslogd/filter
CLI Syntax
config log.syslogd filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration                   Description                                                 Default Value
severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

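The filter table above combines three independent gates: the severity threshold ("lowest severity level to log", so setting it to warning silently drops notification, information and debug records), the per-category enable/disable switches, and the free-form filter string with its include/exclude mode. The following is an added example, not code from the FortiOS CLI Reference or from Fortinet, that models those gates over constructed records so the effect of a setting can be checked before logs stop arriving at the SIEM; the record field names (level, category, action) and the assumed filter-term syntax (comma-separated field=value terms that must all match) are assumptions made here.

```python
# Added example (not part of the FortiOS CLI Reference): a model of how a
# "config log.syslogd filter" entry decides which records reach the remote
# syslog server. Option names and defaults follow the reference table; the
# record field names and the filter-term syntax are assumptions for this example.
from dataclasses import dataclass, field

# Severity order as listed for "set severity": index 0 is the most severe.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

# Log categories the filter table can switch on or off, keyed by the assumed
# "category" field of a record.
CATEGORY_OPTIONS = {
    "forward": "forward-traffic",
    "local": "local-traffic",
    "multicast": "multicast-traffic",
    "sniffer": "sniffer-traffic",
    "anomaly": "anomaly",
    "voip": "voip",
    "gtp": "gtp",
}


@dataclass
class SyslogFilter:
    """Defaults mirror the reference table: severity=information, every
    category enabled, empty filter string, filter-type=include."""
    severity: str = "information"
    options: dict = field(default_factory=lambda: {
        name: "enable" for name in CATEGORY_OPTIONS.values()})
    filter: str = ""
    filter_type: str = "include"


def severity_allowed(record_level: str, threshold: str) -> bool:
    """'Lowest severity level to log': keep records at or above the threshold."""
    return SEVERITIES.index(record_level) <= SEVERITIES.index(threshold)


def filter_terms_match(record: dict, filter_str: str) -> bool:
    """Assumed term syntax: 'field=value,field=value'; every term must hold."""
    if not filter_str:
        return True
    for term in filter_str.split(","):
        key, _, value = term.strip().partition("=")
        if str(record.get(key, "")) != value:
            return False
    return True


def passes(record: dict, cfg: SyslogFilter) -> bool:
    """Return True if the record would be forwarded to the syslog server."""
    if not severity_allowed(record["level"], cfg.severity):
        return False
    option = CATEGORY_OPTIONS.get(record["category"])
    if option is not None and cfg.options.get(option, "enable") != "enable":
        return False
    if cfg.filter:
        matched = filter_terms_match(record, cfg.filter)
        # include keeps only matching records; exclude drops them
        return matched if cfg.filter_type == "include" else not matched
    return True


# Constructed sample records (not real FortiGate log lines).
SAMPLE = [
    {"level": "warning", "category": "forward", "action": "deny", "srcip": "10.0.0.5"},
    {"level": "information", "category": "forward", "action": "accept", "srcip": "10.0.0.5"},
    {"level": "notification", "category": "local", "action": "accept", "srcip": "10.0.0.9"},
    {"level": "debug", "category": "voip", "action": "accept", "srcip": "10.0.0.9"},
    {"level": "critical", "category": "anomaly", "action": "detected", "srcip": "10.0.0.7"},
]


def apply_filter(cfg: SyslogFilter, records=SAMPLE) -> list:
    """Records that survive the three gates for the given filter entry."""
    return [r for r in records if passes(r, cfg)]


if __name__ == "__main__":
    # Default entry: only the debug record is dropped.
    print(len(apply_filter(SyslogFilter())))
    # severity=warning plus an include filter on denies: one record survives,
    # which is what an analyst sees when the threshold is raised too far.
    print(len(apply_filter(SyslogFilter(severity="warning", filter="action=deny"))))
```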
log.syslogd/override-filter
CLI Syntax
config log.syslogd override-filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration                   Description                                                 Default Value
severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

log.syslogd/override-setting
CLI Syntax
config log.syslogd override-setting
    edit <name_str>
        set override {enable | disable}
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration                   Description                                                 Default Value
override                        Enable/disable override syslog settings.                    disable
status                          Enable/disable remote syslog logging.                       disable
server                          Address of remote syslog server.                            (Empty)
reliable                        Enable/disable reliable logging (RFC3195).                  disable
port                            Server listen port.                                         514
csv                             Enable/disable CSV formatting of logs.                      disable
facility                        Remote syslog facility.                                     local7
source-ip                       Source IP address of syslog.                                (Empty)

log.syslogd/setting
CLI Syntax
config log.syslogd setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable remote syslog logging.                       disable
server                          Address of remote syslog server.                            (Empty)
reliable                        Enable/disable reliable logging (RFC3195).                  disable
port                            Server listen port.                                         514
csv                             Enable/disable CSV formatting of logs.                      disable
facility                        Remote syslog facility.                                     local7
source-ip                       Source IP address of syslog.                                (Empty)

log.syslogd2/filter
CLI Syntax
config log.syslogd2 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration                   Description                                                 Default Value
severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

log.syslogd2/setting
CLI Syntax
config log.syslogd2 setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable remote syslog logging.                       disable
server                          Address of remote syslog server.                            (Empty)
reliable                        Enable/disable reliable logging (RFC3195).                  disable
port                            Server listen port.                                         514
csv                             Enable/disable CSV formatting of logs.                      disable
facility                        Remote syslog facility.                                     local7
source-ip                       Source IP address of syslog.                                (Empty)

log.syslogd3/filter
CLI Syntax
config log.syslogd3 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration                   Description                                                 Default Value
severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

log.syslogd3/setting
CLI Syntax
config log.syslogd3 setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable remote syslog logging.                       disable
server                          Address of remote syslog server.                            (Empty)
reliable                        Enable/disable reliable logging (RFC3195).                  disable
port                            Server listen port.                                         514
csv                             Enable/disable CSV formatting of logs.                      disable
facility                        Remote syslog facility.                                     local7
source-ip                       Source IP address of syslog.                                (Empty)

log.syslogd4/filter
CLI Syntax
config log.syslogd4 filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration                   Description                                                 Default Value
severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

log.syslogd4/setting
CLI Syntax
config log.syslogd4 setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
        set reliable {enable | disable}
        set port <integer>
        set csv {enable | disable}
        set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
        set source-ip <string>
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable remote syslog logging.                       disable
server                          Address of remote syslog server.                            (Empty)
reliable                        Enable/disable reliable logging (RFC3195).                  disable
port                            Server listen port.                                         514
csv                             Enable/disable CSV formatting of logs.                      disable
facility                        Remote syslog facility.                                     local7
source-ip                       Source IP address of syslog.                                (Empty)

log.webtrends/filter
CLI Syntax
config log.webtrends filter
    edit <name_str>
        set severity {emergency | alert | critical | error | warning | notification | information | debug}
        set forward-traffic {enable | disable}
        set local-traffic {enable | disable}
        set multicast-traffic {enable | disable}
        set sniffer-traffic {enable | disable}
        set anomaly {enable | disable}
        set netscan-discovery {}
        set netscan-vulnerability {}
        set voip {enable | disable}
        set gtp {enable | disable}
        set filter <string>
        set filter-type {include | exclude}
    end

Description
Configuration                   Description                                                 Default Value
severity                        Lowest severity level to log.                               information
forward-traffic                 Enable/disable log through traffic messages.                enable
local-traffic                   Enable/disable log local in or out traffic messages.        enable
multicast-traffic               Enable/disable log multicast traffic messages.              enable
sniffer-traffic                 Enable/disable log sniffer traffic messages.                enable
anomaly                         Enable/disable log anomaly messages.                        enable
netscan-discovery               Enable/disable log netscan discovery events.
netscan-vulnerability           Enable/disable log netscan vulnerability events.
voip                            Enable/disable log VoIP messages.                           enable
gtp                             Enable/disable log GTP messages.                            enable
filter                          Log filter for the log device.                              (Empty)
filter-type                     Include/exclude logs that match the filter setting.         include

log.webtrends/setting
CLI Syntax
config log.webtrends setting
    edit <name_str>
        set status {enable | disable}
        set server <string>
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable WebTrends logging.                           disable
server                          Address of the remote WebTrends server.                     (Empty)

log/custom-field
CLI Syntax
config log custom-field
    edit <name_str>
        set id <string>
        set name <string>
        set value <string>
    end

Description
Configuration                   Description                                                 Default Value
id                              ID.                                                         (Empty)
name                            Field name.                                                 (Empty)
value                           Field value.                                                (Empty)

log/eventfilter
CLI Syntax
config log eventfilter
    edit <name_str>
        set event {enable | disable}
        set system {enable | disable}
        set vpn {enable | disable}
        set user {enable | disable}
        set router {enable | disable}
        set wireless-activity {enable | disable}
        set wan-opt {enable | disable}
        set endpoint {enable | disable}
        set ha {enable | disable}
        set compliance-check {enable | disable}
    end

Description
Configuration                   Description                                                 Default Value
event                           Enable/disable log event messages.                          enable
system                          Enable/disable log system activity messages.                enable
vpn                             Enable/disable log VPN messages.                            enable
user                            Enable/disable log user activity messages.                  enable
router                          Enable/disable log router activity.                         enable
wireless-activity               Enable/disable log wireless activity.                       enable
wan-opt                         Enable/disable log WAN optimization messages.               enable
endpoint                        Enable/disable log for endpoint events.                     enable
ha                              Enable/disable log for HA events.                           enable
compliance-check                Enable/disable log for PCI DSS compliance check.            enable

log/gui-display
CLI Syntax
config log gui-display
    edit <name_str>
        set resolve-hosts {enable | disable}
        set resolve-apps {enable | disable}
        set fortiview-unscanned-apps {enable | disable}
        set fortiview-local-traffic {enable | disable}
        set location {memory | disk | fortianalyzer | fortiguard}
    end

Description
Configuration                   Description                                                 Default Value
resolve-hosts                   Resolve IP addresses to hostnames on the GUI using          enable
                                reverse DNS lookup.
resolve-apps                    Resolve unknown applications on the GUI using remote        enable
                                application database.
fortiview-unscanned-apps        Enable/disable inclusion of unscanned traffic in FortiView  disable
                                application charts.
fortiview-local-traffic         Enable/disable inclusion of local-in traffic in FortiView   disable
                                realtime charts.
location                        GUI log location display.                                   memory

log/setting
CLI Syntax
config log setting
    edit <name_str>
        set resolve-ip {enable | disable}
        set resolve-port {enable | disable}
        set log-user-in-upper {enable | disable}
        set fwpolicy-implicit-log {enable | disable}
        set fwpolicy6-implicit-log {enable | disable}
        set log-invalid-packet {enable | disable}
        set local-in-allow {enable | disable}
        set local-in-deny-unicast {enable | disable}
        set local-in-deny-broadcast {enable | disable}
        set local-out {enable | disable}
        set daemon-log {enable | disable}
        set neighbor-event {enable | disable}
        set brief-traffic-format {enable | disable}
        set user-anonymize {enable | disable}
        set fortiview-weekly-data {enable | disable}
    end

Description
Configuration                   Description                                                 Default Value
resolve-ip                      Add resolved domain name into traffic log if possible.      disable
resolve-port                    Add resolved service name into traffic log if possible.     enable
log-user-in-upper               Enable/disable collect log with user-in-upper.              disable
fwpolicy-implicit-log           Enable/disable collect firewall implicit policy log.        disable
fwpolicy6-implicit-log          Enable/disable collect firewall implicit policy6 log.       disable
log-invalid-packet              Enable/disable collect invalid packet traffic log.          disable
local-in-allow                  Enable/disable collect local-in-allow log.                  disable
local-in-deny-unicast           Enable/disable collect local-in-deny-unicast log.           disable
local-in-deny-broadcast         Enable/disable collect local-in-deny-broadcast log.         disable
local-out                       Enable/disable collect local-out log.                       disable
daemon-log                      Enable/disable collect daemon log.                          disable
neighbor-event                  Enable/disable collect neighbor event log.                  disable
brief-traffic-format            Enable/disable use of brief format for traffic log.         disable
user-anonymize                  Enable/disable anonymize log user name.                     disable
fortiview-weekly-data           Enable/disable FortiView weekly data.                       disable

log/threat-weight
CLI Syntax
config log threat-weight
    edit <name_str>
        set status {enable | disable}
        config level
            edit <name_str>
                set low <integer>
                set medium <integer>
                set high <integer>
                set critical <integer>
            end
        set blocked-connection {disable | low | medium | high | critical}
        set failed-connection {disable | low | medium | high | critical}
        set malware-detected {disable | low | medium | high | critical}
        set url-block-detected {disable | low | medium | high | critical}
        set botnet-connection-detected {disable | low | medium | high | critical}
        config ips
            edit <name_str>
                set info-severity {disable | low | medium | high | critical}
                set low-severity {disable | low | medium | high | critical}
                set medium-severity {disable | low | medium | high | critical}
                set high-severity {disable | low | medium | high | critical}
                set critical-severity {disable | low | medium | high | critical}
            end
        config web
            edit <name_str>
                set id <integer>
                set category <integer>
                set level {disable | low | medium | high | critical}
            end
        config geolocation
            edit <name_str>
                set id <integer>
                set country <string>
                set level {disable | low | medium | high | critical}
            end
        config application
            edit <name_str>
                set id <integer>
                set category <integer>
                set level {disable | low | medium | high | critical}
            end
    end

Description
Configuration                   Description                                                 Default Value
status                          Enable/disable threat weight status.                        enable
level                           Level to score mapping.                                     Details below
    Configuration               Default Value
    low                         5
    medium                      10
    high                        30
    critical                    50
blocked-connection              Score level for blocked connections for threat weight.      high
failed-connection               Score level for failed connections for threat weight.       low
malware-detected                Score level for detected malware for threat weight.         critical
url-block-detected              Score level for URL blocking for threat weight.             high
botnet-connection-detected      Score level for detected botnet connection for threat       critical
                                weight.
ips                             IPS reputation settings.                                    Details below
    Configuration               Default Value
    info-severity               disable
    low-severity                low
    medium-severity             medium
    high-severity               high
    critical-severity           critical
web                             Web-based threat weight settings.                           (Empty)
geolocation                     Geolocation-based threat weight settings.                   (Empty)
application                     Application-control based threat weight settings.           (Empty)

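Threat weight turns each scored event into points through two lookups: the event type (or IPS signature severity) maps to a level, and the level maps to a score via the "config level" table (low=5, medium=10, high=30, critical=50; disable contributes nothing). The following is an added example, not code from the FortiOS CLI Reference or from Fortinet, that applies those default tables to constructed events and shows how a single "set failed-connection high" override changes which host ranks first; the event records, their field names and the per-host aggregation are assumptions made here for illustration.

```python
# Added example (not part of the FortiOS CLI Reference): how the
# "config log threat-weight" defaults listed above turn individual security
# events into a per-host threat score. Level scores and per-event default
# levels come from the reference table; the event records and the
# aggregation are constructed here for illustration.
from collections import defaultdict

# "config level" defaults; "disable" contributes nothing.
LEVEL_SCORE = {"disable": 0, "low": 5, "medium": 10, "high": 30, "critical": 50}

# Default level per event type (set blocked-connection high, ...).
DEFAULT_EVENT_LEVEL = {
    "blocked-connection": "high",
    "failed-connection": "low",
    "malware-detected": "critical",
    "url-block-detected": "high",
    "botnet-connection-detected": "critical",
}

# "config ips" defaults: IPS signature severity -> threat weight level.
DEFAULT_IPS_LEVEL = {
    "info": "disable", "low": "low", "medium": "medium",
    "high": "high", "critical": "critical",
}


def event_score(event: dict, event_level=None, ips_level=None, level_score=None) -> int:
    """Score one event; the override dicts mirror 'set <event> <level>',
    'set <severity>-severity <level>' and 'config level' edits."""
    event_level = {**DEFAULT_EVENT_LEVEL, **(event_level or {})}
    ips_level = {**DEFAULT_IPS_LEVEL, **(ips_level or {})}
    level_score = {**LEVEL_SCORE, **(level_score or {})}
    kind = event["type"]
    if kind == "ips":
        level = ips_level[event["severity"]]
    else:
        level = event_level[kind]
    return level_score[level]


def host_scores(events, **overrides) -> dict:
    """Sum event scores per source host; returns {host: score}."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["src"]] += event_score(ev, **overrides)
    return dict(totals)


def ranked_hosts(events, **overrides) -> list:
    """Hosts ordered from highest to lowest threat score (ties by address)."""
    scores = host_scores(events, **overrides)
    return sorted(scores, key=lambda h: (-scores[h], h))


# Constructed sample events (not real FortiGate logs).
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "type": "blocked-connection"},
    {"src": "10.0.0.5", "type": "failed-connection"},
    {"src": "10.0.0.5", "type": "failed-connection"},
    {"src": "10.0.0.9", "type": "malware-detected"},
    {"src": "10.0.0.9", "type": "ips", "severity": "high"},
    {"src": "10.0.0.7", "type": "ips", "severity": "info"},
    {"src": "10.0.0.7", "type": "url-block-detected"},
]

if __name__ == "__main__":
    # Defaults: 10.0.0.9 leads with 80 (malware 50 + IPS high 30).
    print(host_scores(SAMPLE_EVENTS))
    # Raising failed-connection to high (set failed-connection high) lifts
    # 10.0.0.5 to 90 and puts it ahead of 10.0.0.9.
    print(ranked_hosts(SAMPLE_EVENTS, event_level={"failed-connection": "high"}))
```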
netscan/assets
CLI Syntax
config netscan assets
    edit <name_str>
        set asset-id <integer>
        set name <string>
        set scheduled {disable | enable}
        set addr-type {ip | range}
        set start-ip <ipv4-address-any>
        set end-ip <ipv4-address-any>
        set auth-windows {disable | enable}
        set auth-unix {disable | enable}
        set win-username <string>
        set win-password <password>
        set unix-username <string>
        set unix-password <password>
    end

Description
Configuration                   Description                                                 Default Value
asset-id                        Asset ID.
name                            Name of this asset.                                         (Empty)
scheduled                       Enable/disable including this asset in scheduled            disable
                                vulnerability scan.
addr-type                       IP address or range.                                        ip
start-ip                        IP address of asset or start of asset range.                0.0.0.0
end-ip                          End of asset range.                                         0.0.0.0
auth-windows                    Enable/disable authentication on Windows hosts.             disable
auth-unix                       Enable/disable authentication on UNIX hosts.                disable
win-username                    User name for Windows hosts.                                (Empty)
win-password                    Password for Windows hosts.                                 (Empty)
unix-username                   User name for Unix hosts.                                   (Empty)
unix-password                   Password for Unix hosts.                                    (Empty)

netscan/settings
CLI Syntax
config netscan settings
    edit <name_str>
        set scan-mode {quick | standard | full}
        set scheduled-pause {disable | enable}
        set time <user>
        set pause-from <user>
        set pause-to <user>
        set recurrence {daily | weekly | monthly}
        set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set day-of-month <integer>
        set tcp-ports <user>
        set udp-ports <user>
        set tcp-scan {auto | enable | disable}
        set udp-scan {auto | enable | disable}
        set service-detection {auto | enable | disable}
        set os-detection {auto | enable | disable}
    end

Description
Configuration                   Description                                                 Default Value
scan-mode                       Level of vulnerability scanning to perform on ports.        quick
scheduled-pause                 Enable/disable a set time during which scanning should      disable
                                pause.
time                            Time of day to start the scan.                              00:00
pause-from                      Time of day to pause scanning.                              00:00
pause-to                        Time of day to resume scanning.                             00:00
recurrence                      Frequency at which the scans should recur.                  weekly
day-of-week                     Day of the week on which to run the scan.                   sunday
day-of-month                    Day of the month on which to run the scan.
tcp-ports                       TCP ports scanned.                                          (Empty)
udp-ports                       UDP ports scanned.                                          (Empty)
tcp-scan                        Enable/disable TCP port scan.                               auto
udp-scan                        Enable/disable UDP port scan.                               auto
service-detection               Enable/disable service detection.                           auto
os-detection                    Enable/disable OS detection.                                auto

report/chart
CLI Syntax
config report chart
    edit <name_str>
        set name <string>
        set policy <integer>
        set type {graph | table}
        set period {last24h | last7d}
        config drill-down-charts
            edit <name_str>
                set id <integer>
                set chart-name <string>
                set status {enable | disable}
            end
        set comments <string>
        set dataset <string>
        set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
        set favorite {no | yes}
        set graph-type {none | bar | pie | line | flow}
        set style {auto | manual}
        set dimension {2D | 3D}
        config x-series
            edit <name_str>
                set databind <string>
                set caption <string>
                set caption-font-size <integer>
                set font-size <integer>
                set label-angle {45-degree | vertical | horizontal}
                set is-category {yes | no}
                set scale-unit {minute | hour | day | month | year}
                set scale-step <integer>
                set scale-direction {decrease | increase}
                set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
                set unit <string>
            end
        config y-series
            edit <name_str>
                set databind <string>
                set caption <string>
                set caption-font-size <integer>
                set font-size <integer>
                set label-angle {45-degree | vertical | horizontal}
                set group <string>
                set unit <string>
                set extra-y {enable | disable}
                set extra-databind <string>
                set y-legend <string>
                set extra-y-legend <string>
            end
        config category-series
            edit <name_str>
                set databind <string>
                set font-size <integer>
            end
        config value-series
            edit <name_str>
                set databind <string>
            end
        set title <string>
        set title-font-size <integer>
        set background <string>
        set color-palette <string>
        set legend {enable | disable}
        set legend-font-size <integer>
        config column
            edit <name_str>
                set id <integer>
                set header-value <string>
                set detail-value <string>
                set footer-value <string>
                set detail-unit <string>
                set footer-unit <string>
                config mapping
                    edit <name_str>
                        set id <integer>
                        set op {none | greater | greater-equal | less | less-equal | equal | between}
                        set value-type {integer | string}
                        set value1 <string>
                        set value2 <string>
                        set displayname <string>
                    end
            end
    end

Description
Configuration                   Description                                                 Default Value
name                            Chart widget name.                                          (Empty)
policy                          Used by monitor policy.
type                            Chart type.                                                 graph
period                          Time period.                                                last24h
drill-down-charts               Drill down charts.                                          (Empty)
comments                        Comment.                                                    (Empty)
dataset                         Bind dataset to chart.                                      (Empty)
category                        Category.                                                   misc
favorite                        Favorite.                                                   no
graph-type                      Graph type.                                                 none
style                           Style.                                                      auto
dimension                       Dimension.                                                  3D
x-series                        X-series of chart.                                          Details below
    Configuration               Default Value
    databind                    (Empty)
    caption                     (Empty)
    caption-font-size           0
    font-size                   0
    label-angle                 45-degree
    is-category                 yes
    scale-unit                  day
    scale-step                  1
    scale-direction             decrease
    scale-format                YYYY-MM-DD-HH-MM
    unit                        (Empty)
y-series                        Y-series of chart.                                          Details below
    Configuration               Default Value
    databind                    (Empty)
    caption                     (Empty)
    caption-font-size           0
    font-size                   0
    label-angle                 horizontal
    group                       (Empty)
    unit                        (Empty)
    extra-y                     disable
    extra-databind              (Empty)
    y-legend                    (Empty)
    extra-y-legend              (Empty)
category-series                 Category series of pie chart.                               Details below
    Configuration               Default Value
    databind                    (Empty)
    font-size                   0
value-series                    Value series of pie chart.                                  Details below
    Configuration               Default Value
    databind                    (Empty)
title                           Chart title.                                                (Empty)
title-font-size                 Font size of chart title.
background                      Chart background.                                           (Empty)
color-palette                   Color palette (system will pick color automatically         (Empty)
                                by default).
legend                          Enable/disable legend area.                                 enable
legend-font-size                Font size of legend area.
column                          Table column definition.                                    (Empty)

report/dataset
CLI Syntax
config report dataset
    edit <name_str>
        set name <string>
        set policy <integer>
        set query <string>
        config field
            edit <name_str>
                set id <integer>
                set type {text | integer | double}
                set name <string>
                set displayname <string>
            end
        config parameters
            edit <name_str>
                set id <integer>
                set display-name <string>
                set field <string>
                set data-type {text | integer | double | long-integer | date-time}
            end
    end

Description
Configuration                   Description                                                 Default Value
name                            Name.                                                       (Empty)
policy                          Used by monitor policy.
query                           SQL query statement.                                        (Empty)
field                           Fields.                                                     (Empty)
parameters                      Parameters.                                                 (Empty)

report/layout
CLI Syntax
config report layout
edit <name_str>
set name <string>
set title <string>
set subtitle <string>
set description <string>
set style-theme <string>
set options {include-table-of-content | auto-numbering-heading | view-chart-as-hea
ding | show-html-navbar-before-heading | dummy-option}
set format {html | pdf}
set schedule-type {demand | daily | weekly}
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set time <user>
set cutoff-option {run-time | custom}
set cutoff-time <user>
set email-send {enable | disable}
set email-recipients <string>
set max-pdf-report <integer>
config page
edit <name_str>
set paper {a4 | letter}
set column-break-before {heading1 | heading2 | heading3}
set page-break-before {heading1 | heading2 | heading3}
set options {header-on-first-page | footer-on-first-page}
config header
edit <name_str>
set style <string>
config header-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
config footer
edit <name_str>
set style <string>
config footer-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image}
set style <string>
set content <string>
set img-src <string>
end
end
end
config body-item
edit <name_str>
set id <integer>
set description <string>
set type {text | image | chart | misc}
set style <string>
set top-n <integer>
set hide {enable | disable}
config parameters
edit <name_str>
set id <integer>
set name <string>
set value <string>
end
set text-component {text | heading1 | heading2 | heading3}
set content <string>
set img-src <string>
set list-component {bullet | numbered}
config list
edit <name_str>
set id <integer>
set content <string>
end
set chart <string>
set chart-options {include-no-data | hide-title | show-caption}
set drill-down-items <string>
set drill-down-types <string>
set table-column-widths <string>
set table-caption-style <string>
set table-head-style <string>
set table-odd-row-style <string>
set table-even-row-style <string>
set misc-component {hline | page-break | column-break | section-start}
set column <integer>
set title <string>
end
end


Description
Configuration                       Description                                         Default Value
name                                Report layout name.                                 (Empty)
title                               Report title.                                       (Empty)
subtitle                            Report subtitle.                                    (Empty)
description                         Description.                                        (Empty)
style-theme                         Report style theme.                                 (Empty)
options                             Report layout options.                              include-table-of-content
                                                                                        auto-numbering-heading
                                                                                        view-chart-as-heading
format                              Report format.                                      html
schedule-type                       Report schedule type.                               daily
day                                 Schedule days of week to generate report.           sunday
time                                Schedule time to generate report [hh:mm].           00:00
cutoff-option                       Cutoff-option is either run-time or custom.         run-time
cutoff-time                         Custom cutoff time to generate report [hh:mm].      00:00
email-send                          Enable/disable sending emails after reports         disable
                                    are generated.
email-recipients                    Email recipients for generated reports.             (Empty)
max-pdf-report                      Maximum number of PDF reports to keep at one        31
                                    time (oldest report is overwritten).
page                                Configure report page.                              Details below


Configuration                       Description                                         Default Value
  paper                                                                                 a4
  column-break-before                                                                   (Empty)
  page-break-before                                                                     (Empty)
  options                                                                               (Empty)
  header                                                                                {"style":"","header-item":[]}
  footer                                                                                {"style":"","footer-item":[]}
body-item                           Configure report body item.                         (Empty)

report/setting
CLI Syntax
config report setting
edit <name_str>
set pdf-report {enable | disable}
set fortiview {enable | disable}
set report-source {forward-traffic | sniffer-traffic}
set web-browsing-threshold <integer>
end


Description
Configuration                       Description                                         Default Value
pdf-report                          Enable/disable PDF report.                          enable
fortiview                           Enable/disable historical FortiView.                enable
report-source                       Report log source.                                  forward-traffic
web-browsing-threshold              Web browsing time calculation threshold
                                    (3 - 15 min).


report/style
CLI Syntax
config report style
edit <name_str>
set name <string>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size <string>
set line-height <string>
set fg-color <string>
set bg-color <string>
set align {left | center | right | justify}
set width <string>
set height <string>
set margin-top <string>
set margin-right <string>
set margin-bottom <string>
set margin-left <string>
set border-top <user>
set border-right <user>
set border-bottom <user>
set border-left <user>
set padding-top <string>
set padding-right <string>
set padding-bottom <string>
set padding-left <string>
set column-span {none | all}
set column-gap <string>
end


Description
Configuration                       Description                                         Default Value
name                                Report style name.                                  (Empty)
options                             Report style options.                               (Empty)
font-family                         Font family.                                        (Empty)
font-style                          Font style.                                         normal
font-weight                         Font weight.                                        normal
font-size                           Font size.                                          (Empty)
line-height                         Text line height.                                   (Empty)
fg-color                            Foreground color.                                   (Empty)
bg-color                            Background color.                                   (Empty)
align                               Alignment.                                          (Empty)
width                               Width.                                              (Empty)
height                              Height.                                             (Empty)
margin-top                          Margin top.                                         (Empty)
margin-right                        Margin right.                                       (Empty)
margin-bottom                       Margin bottom.                                      (Empty)
margin-left                         Margin left.                                        (Empty)
border-top                          Border top.                                         " none "
border-right                        Border right.                                       " none "
border-bottom                       Border bottom.                                      " none "
border-left                         Border left.                                        " none "
padding-top                         Padding top.                                        (Empty)
padding-right                       Padding right.                                      (Empty)
padding-bottom                      Padding bottom.                                     (Empty)
padding-left                        Padding left.                                       (Empty)
column-span                         Column span.                                        none
column-gap                          Column gap.                                         (Empty)


report/theme
CLI Syntax
config report theme
edit <name_str>
set name <string>
set page-orient {portrait | landscape}
set column-count {1 | 2 | 3}
set default-html-style <string>
set default-pdf-style <string>
set page-style <string>
set page-header-style <string>
set page-footer-style <string>
set report-title-style <string>
set report-subtitle-style <string>
set toc-title-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set normal-text-style <string>
set bullet-list-style <string>
set numbered-list-style <string>
set image-style <string>
set hline-style <string>
set graph-chart-style <string>
set table-chart-style <string>
set table-chart-caption-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-even-row-style <string>
end


Description
Configuration                       Description                                         Default Value
name                                Report theme name.                                  (Empty)
page-orient                         Report page orientation.                            portrait
column-count                        Report page column count.
default-html-style                  Default HTML report style.                          (Empty)
default-pdf-style                   Default PDF report style.                           (Empty)
page-style                          Report page style.                                  (Empty)
page-header-style                   Report page header style.                           (Empty)
page-footer-style                   Report page footer style.                           (Empty)
report-title-style                  Report title style.                                 (Empty)
report-subtitle-style               Report subtitle style.                              (Empty)
toc-title-style                     Table of contents title style.                      (Empty)
toc-heading1-style                  Table of contents heading style.                    (Empty)
toc-heading2-style                  Table of contents heading style.                    (Empty)
toc-heading3-style                  Table of contents heading style.                    (Empty)
toc-heading4-style                  Table of contents heading style.                    (Empty)
heading1-style                      Report heading style.                               (Empty)
heading2-style                      Report heading style.                               (Empty)
heading3-style                      Report heading style.                               (Empty)
heading4-style                      Report heading style.                               (Empty)
normal-text-style                   Normal text style.                                  (Empty)
bullet-list-style                   Bullet list style.                                  (Empty)
numbered-list-style                 Numbered list style.                                (Empty)
image-style                         Image style.                                        (Empty)
hline-style                         Horizontal line style.                              (Empty)
graph-chart-style                   Graph chart style.                                  (Empty)
table-chart-style                   Table chart style.                                  (Empty)
table-chart-caption-style           Table chart caption style.                          (Empty)
table-chart-head-style              Table chart head row style.                         (Empty)
table-chart-odd-row-style           Table chart odd row style.                          (Empty)
table-chart-even-row-style          Table chart even row style.                         (Empty)


router/access-list
CLI Syntax
config router access-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set wildcard <user>
set exact-match {enable | disable}
set flags <integer>
end
end


Description
Configuration                       Description                                         Default Value
name                                Name.                                               (Empty)
comments                            Comment.                                            (Empty)
rule                                Rule.                                               (Empty)
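The syntax above lists the rule fields (action, prefix, wildcard, exact-match) but not how a list is evaluated. The following Python is an added example, not Fortinet's code and not part of this reference: it models a rule list of that shape and evaluates routes against it, first match by id deciding and any route that matches no rule being denied. The matching semantics it encodes (a prefix rule matches the route and its more-specifics unless exact-match is on, a wildcard rule compares only the bits its mask marks as significant), the Rule data class, and the sample rules are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One 'config rule' entry of a router access-list (hypothetical model)."""
    id: int
    action: str                      # "permit" or "deny"
    prefix: Optional[str] = None     # "<network> <netmask>" or "any"
    wildcard: Optional[str] = None   # "<address> <wildcard-mask>", 1 bits = don't care
    exact_match: bool = False        # exact-match enable/disable


def parse_prefix(text: str) -> ipaddress.IPv4Network:
    """'10.0.0.0 255.0.0.0' -> 10.0.0.0/8; 'any' -> 0.0.0.0/0."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    network, netmask = text.split()
    return ipaddress.ip_network(f"{network}/{netmask}", strict=False)


def rule_matches(rule: Rule, route: ipaddress.IPv4Network) -> bool:
    """Assumed semantics: a wildcard rule compares only the bits the wildcard
    mask leaves as 0; a prefix rule matches the route itself and any
    more-specific route, unless exact-match is enabled, in which case only the
    identical prefix matches."""
    if rule.wildcard is not None:
        address, mask = rule.wildcard.split()
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(mask))
        return (int(route.network_address) & care) == (int(ipaddress.ip_address(address)) & care)
    network = parse_prefix(rule.prefix)
    if rule.exact_match:
        return route == network
    return route.subnet_of(network)


def evaluate(rules: List[Rule], route_text: str) -> Tuple[str, Optional[int]]:
    """Walk the rules in id order; the first match decides. A route that
    matches no rule is denied (implicit deny at the end of every list)."""
    route = ipaddress.ip_network(route_text, strict=False)
    for rule in sorted(rules, key=lambda r: r.id):
        if rule_matches(rule, route):
            return rule.action, rule.id
    return "deny", None


# Constructed sample list: drop 10/8 and anything inside it, drop 172.16/12 via a
# wildcard, drop the default route itself (exact-match, so 0.0.0.0/0 does not
# swallow every other route), then permit the rest.
SAMPLE_RULES = [
    Rule(id=10, action="deny", prefix="10.0.0.0 255.0.0.0"),
    Rule(id=20, action="deny", wildcard="172.16.0.0 0.15.255.255"),
    Rule(id=30, action="deny", prefix="0.0.0.0 0.0.0.0", exact_match=True),
    Rule(id=40, action="permit", prefix="any"),
]

if __name__ == "__main__":
    for route in ("10.1.2.0/24", "172.20.5.0/24", "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/7"):
        print(route, evaluate(SAMPLE_RULES, route))
```

Note the last sample route: 10.0.0.0/7 is a supernet of rule 10's prefix, not a subnet of it, so a non-exact prefix rule does not catch it and it falls through to the permit; a list meant to reject aggregates covering private space needs a rule written for that case.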


router/access-list6
CLI Syntax
config router access-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set exact-match {enable | disable}
set flags <integer>
end
end


Description
Configuration                       Description                                         Default Value
name                                Name.                                               (Empty)
comments                            Comment.                                            (Empty)
rule                                Rule.                                               (Empty)


router/aspath-list
CLI Syntax
config router aspath-list
edit <name_str>
set name <string>
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
end
end


Description
Configuration                       Description                                         Default Value
name                                AS path list name.                                  (Empty)
rule                                AS path list rule.                                  (Empty)


router/auth-path
CLI Syntax
config router auth-path
edit <name_str>
set name <string>
set device <string>
set gateway <ipv4-address>
end


Description
Configuration                       Description                                         Default Value
name                                Name of the entry.                                  (Empty)
device                              Output interface.                                   (Empty)
gateway                             Gateway IP address.                                 0.0.0.0


router/bfd
CLI Syntax
config router bfd
edit <name_str>
config neighbor
edit <name_str>
set ip <ipv4-address>
set interface <string>
end
end


Description
Configuration                       Description                                         Default Value
neighbor                            neighbor                                            (Empty)


router/bgp
CLI Syntax
config router bgp
edit <name_str>
set as <integer>
set router-id <ipv4-address-any>
set keepalive-timer <integer>
set holdtime-timer <integer>
set always-compare-med {enable | disable}
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set dampening {enable | disable}
set deterministic-med {enable | disable}
set ebgp-multipath {enable | disable}
set ibgp-multipath {enable | disable}
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set log-neighbour-changes {enable | disable}
set network-import-check {enable | disable}
set ignore-optional-capability {enable | disable}
set cluster-id <ipv4-address-any>
set confederation-identifier <integer>
config confederation-peers
edit <name_str>
set peer <string>
end
set dampening-route-map <string>
set dampening-reachability-half-life <integer>
set dampening-reuse <integer>
set dampening-suppress <integer>
set dampening-max-suppress-time <integer>
set dampening-unreachability-half-life <integer>
set default-local-preference <integer>
set scan-time <integer>
set distance-external <integer>
set distance-internal <integer>
set distance-local <integer>
set synchronization {enable | disable}
set graceful-restart {enable | disable}
set graceful-restart-time <integer>
set graceful-stalepath-time <integer>
set graceful-update-delay <integer>
config aggregate-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config aggregate-address6
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config neighbor
edit <name_str>
set ip <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
set password <password>
config conditional-advertise
edit <name_str>
set advertise-routemap <string>
set condition-routemap <string>
set condition-type {exist | non-exist}
end
end
config neighbor-group
edit <name_str>
set name <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
end
config neighbor-range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set max-neighbor-num <integer>
set neighbor-group <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set backdoor {enable | disable}
set route-map <string>
end
config network6
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set backdoor {enable | disable}
set route-map <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config redistribute6
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
end
config admin-distance
edit <name_str>
set id <integer>
set neighbour-prefix <ipv4-classnet>
set route-list <string>
set distance <integer>
end
end


Description
Configuration                       Description                                         Default Value
as                                  Router AS number.
router-id                           Router ID.                                          0.0.0.0
keepalive-timer                     Frequency to send keep alive requests.              60
holdtime-timer                      Number of seconds to mark peer as dead.             180
always-compare-med                  Enable/disable always compare MED.                  disable
bestpath-as-path-ignore             Enable/disable ignore AS path.                      disable
bestpath-cmp-confed-aspath          Enable/disable compare federation AS path           disable
                                    length.
bestpath-cmp-routerid               Enable/disable compare router ID for identical      disable
                                    EBGP paths.
bestpath-med-confed                 Enable/disable compare MED among confederation      disable
                                    paths.
bestpath-med-missing-as-worst       Enable/disable treat missing MED as least           disable
                                    preferred.
client-to-client-reflection         Enable/disable client-to-client route reflection.   enable
dampening                           Enable/disable route-flap dampening.                disable
deterministic-med                   Enable/disable enforce deterministic comparison     disable
                                    of MED.
ebgp-multipath                      Enable/disable EBGP multi-path.                     disable
ibgp-multipath                      Enable/disable IBGP multi-path.                     disable
enforce-first-as                    Enable/disable enforce first AS for EBGP routes.    enable
fast-external-failover              Enable/disable reset peer BGP session if link       enable
                                    goes down.
log-neighbour-changes               Enable logging of BGP neighbour's changes.          enable
network-import-check                Enable/disable ensure BGP network route exists      enable
                                    in IGP.
ignore-optional-capability          Don't send unknown optional capability              enable
                                    notification message.
cluster-id                          Route reflector cluster ID.                         0.0.0.0
confederation-identifier            Confederation identifier.
confederation-peers                 Confederation peers.                                (Empty)
dampening-route-map                 Criteria for dampening.                             (Empty)
dampening-reachability-half-life    Reachability half-life time for penalty (min).      15
dampening-reuse                     Threshold to reuse routes.                          750
dampening-suppress                  Threshold to suppress routes.                       2000
dampening-max-suppress-time         Maximum minutes a route can be suppressed.          60
dampening-unreachability-half-life  Unreachability half-life time for penalty (min).    15
default-local-preference            Default local preference.                           100
scan-time                           Background scanner interval (sec).                  60
distance-external                   Distance for routes external to the AS.             20
distance-internal                   Distance for routes internal to the AS.             200
distance-local                      Distance for routes local to the AS.                200
synchronization                     Enable/disable only advertise routes from iBGP      disable
                                    if routes present in an IGP.
graceful-restart                    Enable/disable BGP graceful restart capabilities.   disable
graceful-restart-time               Time needed for neighbors to restart (sec).         120
graceful-stalepath-time             Time to hold stale paths of restarting neighbor     360
                                    (sec).
graceful-update-delay               Route advertisement/selection delay after           120
                                    restart (sec).
aggregate-address                   BGP aggregate address table.                        (Empty)
aggregate-address6                  BGP IPv6 aggregate address table.                   (Empty)
neighbor                            BGP neighbor table.                                 (Empty)
neighbor-group                      BGP neighbor group table.                           (Empty)
neighbor-range                      BGP neighbor range table.                           (Empty)
network                             BGP network table.                                  (Empty)
network6                            BGP IPv6 network table.                             (Empty)
redistribute                        BGP IPv4 redistribute table.                        (Empty)
redistribute6                       BGP IPv6 redistribute table.                        (Empty)
admin-distance                      Administrative distance modifications.              (Empty)
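The neighbor and neighbor-group syntax above exposes the per-peer protections a BGP speaker relies on: a session password, maximum-prefix (enforced, or merely logged when maximum-prefix-warning-only is enabled), and inbound and outbound filters (prefix-list, route-map, distribute-list or filter-list). The following Python is an added example, not Fortinet's code and not part of this reference: a small parser for the config/edit/set/next/end syntax shown in this document, and an audit that walks the parsed config neighbor and config neighbor-group tables and reports each peer missing one of those protections. The sample configuration is constructed, the function names are this example's own, and the password check is skipped for neighbor-group entries because the syntax listed above carries no password field there.

```python
import shlex
from typing import List, Tuple

# Attribute names from the neighbor / neighbor-group syntax that filter what a
# peer may send us (inbound) and what we advertise to it (outbound).
INBOUND_FILTERS = ("prefix-list-in", "route-map-in", "distribute-list-in", "filter-list-in")
OUTBOUND_FILTERS = ("prefix-list-out", "route-map-out", "distribute-list-out", "filter-list-out")


def parse_fortios(text: str) -> dict:
    """Minimal parser for the FortiOS CLI config syntax: 'config <table>' opens a
    table, 'edit <key>' opens an entry in it, 'set <attr> <value...>' assigns a
    string to the current level, and 'next' / 'end' close the current level.
    Returns nested dicts; values are the raw strings after 'set <attr>'."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)          # handles quoted keys and values
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def audit_bgp(config: dict) -> List[Tuple[str, str]]:
    """Return (peer, finding) pairs for neighbors and neighbor-groups configured
    without the protections the 'router bgp' syntax makes available."""
    bgp = config.get("router bgp", {})
    findings: List[Tuple[str, str]] = []
    for table, check_password in (("neighbor", True), ("neighbor-group", False)):
        for peer, attrs in bgp.get(table, {}).items():
            if check_password and not attrs.get("password"):
                findings.append((peer, "no password: the TCP session is not authenticated"))
            if "maximum-prefix" not in attrs:
                findings.append((peer, "no maximum-prefix: a misbehaving peer can fill the route table"))
            elif attrs.get("maximum-prefix-warning-only") == "enable":
                findings.append((peer, "maximum-prefix is warning-only: the limit is logged, not enforced"))
            if not any(k in attrs for k in INBOUND_FILTERS):
                findings.append((peer, "no inbound filter: every prefix the peer sends is accepted"))
            if not any(k in attrs for k in OUTBOUND_FILTERS):
                findings.append((peer, "no outbound filter: every prefix in the table is advertised"))
    return findings


# Constructed sample configuration (AS numbers and addresses are documentation
# values; the password is a placeholder, not a real secret).
SAMPLE_CONFIG = """
config router bgp
    set as 65001
    set router-id 192.0.2.1
    config neighbor
        edit "198.51.100.2"
            set remote-as 65002
            set password "ExamplePeerSecret"
            set maximum-prefix 500
            set prefix-list-in "from-upstream"
            set prefix-list-out "our-prefixes"
        next
        edit "198.51.100.6"
            set remote-as 65003
            set maximum-prefix 500
            set maximum-prefix-warning-only enable
        next
    end
    config neighbor-group
        edit "customers"
            set remote-as 65010
            set prefix-list-in "customer-routes"
        next
    end
end
"""

if __name__ == "__main__":
    for peer, finding in audit_bgp(parse_fortios(SAMPLE_CONFIG)):
        print(f"{peer}: {finding}")
```

Run against the sample, the first neighbor is clean, the second produces four findings, and the group produces two (no maximum-prefix, no outbound filter). The parser treats 'end' and 'next' identically as "close the current level", which is enough for both the abbreviated syntax shown in this reference and a saved configuration.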


router/community-list
CLI Syntax
config router community-list
edit <name_str>
set name <string>
set type {standard | expanded}
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
set match <string>
end
end


Description
Configuration                       Description                                         Default Value
name                                Community list name.                                (Empty)
type                                Community list type.                                standard
rule                                Community list rule.                                (Empty)


router/isis
CLI Syntax
config router isis
edit <name_str>
set is-type {level-1-2 | level-1 | level-2-only}
set auth-mode-l1 {password | md5}
set auth-mode-l2 {password | md5}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-sendonly-l1 {enable | disable}
set auth-sendonly-l2 {enable | disable}
set ignore-lsp-errors {enable | disable}
set lsp-gen-interval-l1 <integer>
set lsp-gen-interval-l2 <integer>
set lsp-refresh-interval <integer>
set max-lsp-lifetime <integer>
set spf-interval-exp-l1 <user>
set spf-interval-exp-l2 <user>
set dynamic-hostname {enable | disable}
set adjacency-check {enable | disable}
set overload-bit {enable | disable}
set overload-bit-suppress {external | interlevel}
set overload-bit-on-startup <integer>
set default-originate {enable | disable}
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
set redistribute-l1 {enable | disable}
set redistribute-l1-list <string>
set redistribute-l2 {enable | disable}
set redistribute-l2-list <string>
config isis-net
edit <name_str>
set id <integer>
set net <user>
end
config isis-interface
edit <name_str>
set name <string>
set status {enable | disable}
set network-type {broadcast | point-to-point}
set circuit-type {level-1-2 | level-1 | level-2}
set csnp-interval-l1 <integer>
set csnp-interval-l2 <integer>
set hello-interval-l1 <integer>
set hello-interval-l2 <integer>
set hello-multiplier-l1 <integer>
set hello-multiplier-l2 <integer>
set hello-padding {enable | disable}
set lsp-interval <integer>
set lsp-retransmit-interval <integer>
set metric-l1 <integer>
set metric-l2 <integer>
set wide-metric-l1 <integer>
set wide-metric-l2 <integer>
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-send-only-l1 {enable | disable}
set auth-send-only-l2 {enable | disable}
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set priority-l1 <integer>
set priority-l2 <integer>
set mesh-group {enable | disable}
set mesh-group-id <integer>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set level {level-1-2 | level-1 | level-2}
end
config redistribute
edit <name_str>
set protocol <string>
set status {enable | disable}
set metric <integer>
set metric-type {external | internal}
set level {level-1-2 | level-1 | level-2}
set routemap <string>
end
end


Description
Configuration                       Description                                         Default Value
is-type                             IS type.                                            level-1-2
auth-mode-l1                        Level 1 authentication mode.                        password
auth-mode-l2                        Level 2 authentication mode.                        password
auth-password-l1                    Authentication password for level 1 PDUs.           (Empty)
auth-password-l2                    Authentication password for level 2 PDUs.           (Empty)
auth-keychain-l1                    Authentication key-chain for level 1 PDUs.          (Empty)
auth-keychain-l2                    Authentication key-chain for level 2 PDUs.          (Empty)
auth-sendonly-l1                    Enable/disable level 1 authentication send-only.    disable
auth-sendonly-l2                    Enable/disable level 2 authentication send-only.    disable
ignore-lsp-errors                   Enable/disable ignoring of LSP errors with bad      disable
                                    checksums.
lsp-gen-interval-l1                 Minimum interval for level 1 LSP regenerating.      30
lsp-gen-interval-l2                 Minimum interval for level 2 LSP regenerating.      30
lsp-refresh-interval                LSP refresh time in seconds.                        900
max-lsp-lifetime                    Maximum LSP lifetime in seconds.                    1200
spf-interval-exp-l1                 Level 1 SPF calculation delay.                      500 50000
spf-interval-exp-l2                 Level 2 SPF calculation delay.                      500 50000
dynamic-hostname                    Enable/disable dynamic hostname.                    disable
adjacency-check                     Enable/disable adjacency check.                     disable
overload-bit                        Enable/disable signal other routers not to use      disable
                                    us in SPF.
overload-bit-suppress               Suppress overload-bit for the specific prefixes.    (Empty)
overload-bit-on-startup             Overload-bit only temporarily after reboot.
default-originate                   Enable/disable control distribution of default      disable
                                    information.
metric-style                        Use old-style (ISO 10589) or new-style packet       narrow
                                    formats.
redistribute-l1                     Enable/disable redistribute level 1 routes into     disable
                                    level 2.
redistribute-l1-list                Access-list for redistribute l1 to l2.              (Empty)
redistribute-l2                     Enable/disable redistribute level 2 routes into     disable
                                    level 1.
redistribute-l2-list                Access-list for redistribute l2 to l1.              (Empty)
isis-net                            IS-IS net configuration.                            (Empty)
isis-interface                      IS-IS interface configuration.                      (Empty)
summary-address                     IS-IS summary addresses.                            (Empty)
redistribute                        IS-IS redistribute protocols.                       (Empty)


router/key-chain
CLI Syntax
config router key-chain
edit <name_str>
set name <string>
config key
edit <name_str>
set id <integer>
set accept-lifetime <user>
set send-lifetime <user>
set key-string <string>
end
end


Description
Configuration                       Description                                         Default Value
name                                Key-chain name.                                     (Empty)
key                                 Key.                                                (Empty)
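Each key in a key-chain carries an accept-lifetime and a send-lifetime, and the routing protocols that reference the chain (the IS-IS auth-keychain fields above, for instance) keep authenticating across a key change only if those windows are laid out so that there is always a key to send with and the receiving side still accepts the key its peer is sending. The following Python is an added example, not Fortinet's code and not part of this reference: it models a chain of that shape, selects the key used to send and the keys accepted at a given instant, and checks a chain for the layout mistakes that break authentication during rollover. It represents lifetimes as Python datetimes rather than parsing the CLI's own time syntax, takes the lowest id among concurrently sendable keys as the tie-break, and treats windows as start-inclusive and end-exclusive; all three are assumptions of the example, as are the sample keys.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

When = Union[datetime, str]   # functions accept a datetime or an ISO-8601 string


@dataclass
class Key:
    """One 'config key' entry of a router key-chain (hypothetical model)."""
    id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def _as_dt(value: When) -> datetime:
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _active(start: datetime, end: datetime, now: datetime) -> bool:
    return start <= now < end     # assumed: start inclusive, end exclusive


def send_key(chain: List[Key], now: When) -> Optional[Key]:
    """Key used to sign outgoing PDUs at 'now': the lowest id whose send-lifetime
    is active (assumed tie-break), or None when no key can currently be sent."""
    now = _as_dt(now)
    for key in sorted(chain, key=lambda k: k.id):
        if _active(key.send_start, key.send_end, now):
            return key
    return None


def accept_keys(chain: List[Key], now: When) -> List[int]:
    """Ids of every key whose accept-lifetime covers 'now'; a received PDU
    signed with any of them verifies."""
    now = _as_dt(now)
    return [k.id for k in sorted(chain, key=lambda k: k.id)
            if _active(k.accept_start, k.accept_end, now)]


def check_rollover(chain: List[Key]) -> List[str]:
    """Layout mistakes that break authentication: a send window outside its own
    accept window, a gap during which no key is sendable, and consecutive keys
    whose accept windows do not overlap (clock skew between peers then causes
    rejected PDUs at the changeover)."""
    findings: List[str] = []
    ordered = sorted(chain, key=lambda k: k.send_start)
    for key in ordered:
        if not (key.accept_start <= key.send_start and key.send_end <= key.accept_end):
            findings.append(f"key {key.id}: send-lifetime is not inside accept-lifetime")
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.send_start > prev.send_end:
            findings.append(f"keys {prev.id}->{nxt.id}: no sendable key between "
                            f"{prev.send_end} and {nxt.send_start}")
        if nxt.accept_start >= prev.accept_end:
            findings.append(f"keys {prev.id}->{nxt.id}: accept-lifetimes do not overlap")
    return findings


# Constructed sample chain: keys 1 and 2 hand over cleanly (accept windows
# overlap by 6 hours on each side of the switch); key 3 starts a day after
# key 2 stops, which leaves a gap with nothing to send and no accept overlap.
SAMPLE_CHAIN = [
    Key(1, "constructed-key-1",
        accept_start=datetime(2016, 6, 1), accept_end=datetime(2016, 7, 1, 6),
        send_start=datetime(2016, 6, 1), send_end=datetime(2016, 7, 1)),
    Key(2, "constructed-key-2",
        accept_start=datetime(2016, 6, 30, 18), accept_end=datetime(2016, 8, 1, 6),
        send_start=datetime(2016, 7, 1), send_end=datetime(2016, 8, 1)),
    Key(3, "constructed-key-3",
        accept_start=datetime(2016, 8, 2), accept_end=datetime(2016, 9, 1),
        send_start=datetime(2016, 8, 2), send_end=datetime(2016, 9, 1)),
]

if __name__ == "__main__":
    for when in ("2016-07-01T00:00", "2016-08-01T12:00"):
        chosen = send_key(SAMPLE_CHAIN, when)
        print(when, "send:", chosen.id if chosen else None, "accept:", accept_keys(SAMPLE_CHAIN, when))
    for finding in check_rollover(SAMPLE_CHAIN):
        print(finding)
```

At the first instant the chain switches from key 1 to key 2 while both are still accepted; at the second there is neither a key to send nor one to accept, which is the outage the two findings from check_rollover describe.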


router/multicast
CLI Syntax
config router multicast
edit <name_str>
set route-threshold <integer>
set route-limit <integer>
set multicast-routing {enable | disable}
config pim-sm-global
edit <name_str>
set message-interval <integer>
set join-prune-holdtime <integer>
set accept-register-list <string>
set bsr-candidate {enable | disable}
set bsr-interface <string>
set bsr-priority <integer>
set bsr-hash <integer>
set bsr-allow-quick-refresh {enable | disable}
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <string>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <string>
set register-source-ip <ipv4-address>
set register-supression <integer>
set null-register-retries <integer>
set rp-register-keepalive <integer>
set spt-threshold {enable | disable}
set spt-threshold-group <string>
set ssm {enable | disable}
set ssm-range <string>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip-address <ipv4-address>
set group <string>
end
end
config interface
edit <name_str>
set name <string>
set ttl-threshold <integer>
set pim-mode {sparse-mode | dense-mode}
set passive {enable | disable}
set bfd {enable | disable}
set neighbour-filter <string>
set hello-interval <integer>
set hello-holdtime <integer>
set cisco-exclude-genid {enable | disable}
set dr-priority <integer>
set propagation-delay <integer>
set state-refresh-interval <integer>
set rp-candidate {enable | disable}
set rp-candidate-group <string>
set rp-candidate-priority <integer>
set rp-candidate-interval <integer>
set multicast-flow <string>
set static-group <string>
config join-group
edit <name_str>
set address <ipv4-address-any>
end
config igmp
edit <name_str>
set access-group <string>
set version {3 | 2 | 1}
set immediate-leave-group <string>
set last-member-query-interval <integer>
set last-member-query-count <integer>
set query-max-response-time <integer>
set query-interval <integer>
set query-timeout <integer>
set router-alert-check {enable | disable}
end
end
end


Description
Configuration                       Description                                         Default Value
route-threshold                     Generate warnings when number of multicast          2147483647
                                    routes exceeds this number.
route-limit                         Maximum number of multicast routes.                 2147483647
multicast-routing                   Enable/disable multicast routing.                   disable
pim-sm-global                       PIM sparse-mode global settings.                    Details below
  message-interval                                                                      60
  join-prune-holdtime                                                                   210
  accept-register-list                                                                  (Empty)
  bsr-candidate                                                                         disable
  bsr-interface                                                                         (Empty)
  bsr-priority                                                                          0
  bsr-hash                                                                              10
  bsr-allow-quick-refresh                                                               disable
  cisco-register-checksum                                                               disable
  cisco-register-checksum-group                                                         (Empty)
  cisco-crp-prefix                                                                      disable
  cisco-ignore-rp-set-priority                                                          disable
  register-rp-reachability                                                              enable
  register-source                                                                       disable
  register-source-interface                                                             (Empty)
  register-source-ip                                                                    0.0.0.0
  register-supression                                                                   60
  null-register-retries                                                                 1
  rp-register-keepalive                                                                 185
  spt-threshold                                                                         enable
  spt-threshold-group                                                                   (Empty)
  ssm                                                                                   disable
  ssm-range                                                                             (Empty)
  register-rate-limit                                                                   0
  rp-address                                                                            (Empty)
interface                           PIM interfaces.                                     (Empty)

router/multicast-flow
CLI Syntax
config router multicast-flow
    edit <name_str>
        set name <string>
        set comments <string>
        config flows
            edit <name_str>
                set id <integer>
                set group-addr <ipv4-address-any>
                set source-addr <ipv4-address-any>
            end
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
flows | Multicast-flow entries. | (Empty)

router/multicast6
CLI Syntax
config router multicast6
    edit <name_str>
        set multicast-routing {enable | disable}
        config interface
            edit <name_str>
                set name <string>
                set hello-interval <integer>
                set hello-holdtime <integer>
            end
        config pim-sm-global
            edit <name_str>
                set register-rate-limit <integer>
                config rp-address
                    edit <name_str>
                        set id <integer>
                        set ip6-address <ipv6-address>
                    end
            end
    end

Description

Configuration | Description | Default Value
multicast-routing | Enable/disable multicast routing. | disable
interface | PIM interfaces. | (Empty)
pim-sm-global | PIM sparse-mode global settings. | Details below

pim-sm-global:

Configuration | Default Value
register-rate-limit | 0
rp-address | (Empty)

router/ospf
CLI Syntax
config router ospf
    edit <name_str>
        set abr-type {cisco | ibm | shortcut | standard}
        set auto-cost-ref-bandwidth <integer>
        set distance-external <integer>
        set distance-inter-area <integer>
        set distance-intra-area <integer>
        set database-overflow {enable | disable}
        set database-overflow-max-lsas <integer>
        set database-overflow-time-to-recover <integer>
        set default-information-originate {enable | always | disable}
        set default-information-metric <integer>
        set default-information-metric-type {1 | 2}
        set default-information-route-map <string>
        set default-metric <integer>
        set distance <integer>
        set rfc1583-compatible {enable | disable}
        set router-id <ipv4-address-any>
        set spf-timers <user>
        set bfd {enable | disable}
        set log-neighbour-changes {enable | disable}
        set distribute-list-in <string>
        set distribute-route-map-in <string>
        set restart-mode {none | lls | graceful-restart}
        set restart-period <integer>
        config area
            edit <name_str>
                set id <ipv4-address-any>
                set shortcut {disable | enable | default}
                set authentication {none | text | md5}
                set default-cost <integer>
                set nssa-translator-role {candidate | never | always}
                set stub-type {no-summary | summary}
                set type {regular | nssa | stub}
                set nssa-default-information-originate {enable | always | disable}
                set nssa-default-information-originate-metric <integer>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                config range
                    edit <name_str>
                        set id <integer>
                        set prefix <ipv4-classnet-any>
                        set advertise {disable | enable}
                        set substitute <ipv4-classnet-any>
                        set substitute-status {enable | disable}
                    end
                config virtual-link
                    edit <name_str>
                        set name <string>
                        set authentication {none | text | md5}
                        set authentication-key <password>
                        set md5-key <user>
                        set dead-interval <integer>
                        set hello-interval <integer>
                        set retransmit-interval <integer>
                        set transmit-delay <integer>
                        set peer <ipv4-address-any>
                    end
                config filter-list
                    edit <name_str>
                        set id <integer>
                        set list <string>
                        set direction {in | out}
                    end
            end
        config ospf-interface
            edit <name_str>
                set name <string>
                set interface <string>
                set ip <ipv4-address>
                set authentication {none | text | md5}
                set authentication-key <password>
                set md5-key <user>
                set prefix-length <integer>
                set retransmit-interval <integer>
                set transmit-delay <integer>
                set cost <integer>
                set priority <integer>
                set dead-interval <integer>
                set hello-interval <integer>
                set hello-multiplier <integer>
                set database-filter-out {enable | disable}
                set mtu <integer>
                set mtu-ignore {enable | disable}
                set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
                set bfd {global | enable | disable}
                set status {disable | enable}
                set resync-timeout <integer>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set area <ipv4-address-any>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
                set poll-interval <integer>
                set cost <integer>
                set priority <integer>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
                set tag <integer>
                set advertise {disable | enable}
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set access-list <string>
                set protocol {connected | static | rip}
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set metric-type {1 | 2}
                set tag <integer>
            end
    end

Description

Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
distance-external | Administrative external distance. | 110
distance-inter-area | Administrative inter-area distance. | 110
distance-intra-area | Administrative intra-area distance. | 110
database-overflow | Enable/disable database overflow. | disable
database-overflow-max-lsas | Database overflow maximum LSAs. | 10000
database-overflow-time-to-recover | Database overflow time to recover (sec). | 300
default-information-originate | Enable/disable generation of default route. | disable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. |
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistribute routes. | 10
distance | Distance of the route. | 110
rfc1583-compatible | Enable/disable RFC1583 compatibility. | disable
router-id | Router ID. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
bfd | Bidirectional Forwarding Detection (BFD). | disable
log-neighbour-changes | Enable logging of OSPF neighbour changes. | enable
distribute-list-in | Filter incoming routes. | (Empty)
distribute-route-map-in | Filter incoming external routes by route-map. | (Empty)
restart-mode | OSPF restart mode (graceful or LLS). | none
restart-period | Graceful restart period. | 120
area | OSPF area configuration. | (Empty)
ospf-interface | OSPF interface configuration. | (Empty)
network | OSPF network configuration. | (Empty)
neighbor | OSPF neighbor configuration, used when OSPF runs on non-broadcast media. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
summary-address | IP address summary configuration. | (Empty)
distribute-list | Distribute list configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)

router/ospf6
CLI Syntax
config router ospf6
    edit <name_str>
        set abr-type {cisco | ibm | standard}
        set auto-cost-ref-bandwidth <integer>
        set default-information-originate {enable | always | disable}
        set log-neighbour-changes {enable | disable}
        set default-information-metric <integer>
        set default-information-metric-type {1 | 2}
        set default-information-route-map <string>
        set default-metric <integer>
        set router-id <ipv4-address-any>
        set spf-timers <user>
        config area
            edit <name_str>
                set id <ipv4-address-any>
                set default-cost <integer>
                set nssa-translator-role {candidate | never | always}
                set stub-type {no-summary | summary}
                set type {regular | nssa | stub}
                set nssa-default-information-originate {enable | disable}
                set nssa-default-information-originate-metric <integer>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                config range
                    edit <name_str>
                        set id <integer>
                        set prefix6 <ipv6-network>
                        set advertise {disable | enable}
                    end
                config virtual-link
                    edit <name_str>
                        set name <string>
                        set dead-interval <integer>
                        set hello-interval <integer>
                        set retransmit-interval <integer>
                        set transmit-delay <integer>
                        set peer <ipv4-address-any>
                    end
            end
        config ospf6-interface
            edit <name_str>
                set name <string>
                set area-id <ipv4-address-any>
                set interface <string>
                set retransmit-interval <integer>
                set transmit-delay <integer>
                set cost <integer>
                set priority <integer>
                set dead-interval <integer>
                set hello-interval <integer>
                set status {disable | enable}
                set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
                config neighbor
                    edit <name_str>
                        set ip6 <ipv6-address>
                        set poll-interval <integer>
                        set cost <integer>
                        set priority <integer>
                    end
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set metric-type {1 | 2}
            end
        config summary-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-network>
                set advertise {disable | enable}
                set tag <integer>
            end
    end

Description

Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
default-information-originate | Enable/disable generation of default route. | disable
log-neighbour-changes | Enable logging of OSPFv3 neighbour changes. | enable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. |
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistribute routes. | 20
router-id | Router ID (A.B.C.D, in IPv4 address format). | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
area | OSPF6 area configuration. | (Empty)
ospf6-interface | OSPF6 interface configuration. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
summary-address | IPv6 address summary configuration. | (Empty)

router/policy
CLI Syntax
config router policy
    edit <name_str>
        set seq-num <integer>
        config input-device
            edit <name_str>
                set name <string>
            end
        config src
            edit <name_str>
                set subnet <string>
            end
        config srcaddr
            edit <name_str>
                set name <string>
            end
        set src-negate {enable | disable}
        config dst
            edit <name_str>
                set subnet <string>
            end
        config dstaddr
            edit <name_str>
                set name <string>
            end
        set dst-negate {enable | disable}
        set action {deny | permit}
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set start-source-port <integer>
        set end-source-port <integer>
        set gateway <ipv4-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set status {enable | disable}
        set comments <var-string>
    end

Description

Configuration | Description | Default Value
seq-num | Sequence number. |
input-device | Incoming interface name. | (Empty)
src | Source IP and mask (x.x.x.x/x). | (Empty)
srcaddr | Source address name. | (Empty)
src-negate | Enable/disable negated source address match. | disable
dst | Destination IP and mask (x.x.x.x/x). | (Empty)
dstaddr | Destination address name. | (Empty)
dst-negate | Enable/disable negated destination address match. | disable
action | Action of the policy route. | permit
protocol | Protocol number. |
start-port | Start destination port number. |
end-port | End destination port number. | 65535
start-source-port | Start source port number. |
end-source-port | End source port number. | 65535
gateway | IP address of gateway. | 0.0.0.0
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
status | Enable/disable policy route. | enable
comments | Comment. | (Empty)

router/policy6
CLI Syntax
config router policy6
    edit <name_str>
        set seq-num <integer>
        set input-device <string>
        set src <ipv6-network>
        set dst <ipv6-network>
        set protocol <integer>
        set start-port <integer>
        set end-port <integer>
        set gateway <ipv6-address>
        set output-device <string>
        set tos <user>
        set tos-mask <user>
        set status {enable | disable}
        set comments <var-string>
    end

Description

Configuration | Description | Default Value
seq-num | Sequence number. |
input-device | Incoming interface name. | (Empty)
src | Source IPv6 prefix. | ::/0
dst | Destination IPv6 prefix. | ::/0
protocol | Protocol number. |
start-port | Start port number. |
end-port | End port number. | 65535
gateway | IPv6 address of gateway. | ::
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
status | Enable/disable policy route. | enable
comments | Comment. | (Empty)

router/prefix-list
CLI Syntax
config router prefix-list
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
            end
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/prefix-list6
CLI Syntax
config router prefix-list6
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set prefix6 <user>
                set ge <integer>
                set le <integer>
                set flags <integer>
            end
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

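The ge and le fields of config router prefix-list and config router prefix-list6 are where most route-filter mistakes are made: a rule without them matches only its own prefix length, ge alone matches from that length up to the address-family maximum, and a le smaller than the rule's own length can never match. The Python below is an added worked example, not FortiOS code, that evaluates a constructed rule set the way a filter does, for both IPv4 and IPv6 rules. Rules are tried in ascending id, the first match decides, and no match means deny; that ordering and the implicit deny are stated assumptions about FortiOS behaviour, since the reference above only lists the fields.

```python
"""Evaluate FortiOS-style prefix-list rules against candidate prefixes.

Added example, not FortiOS code. Rule fields mirror this reference:
id, action, prefix/prefix6, ge, le. Matching rules (assumptions about
the router's behaviour, not taken from the page):
  * the candidate must lie inside the rule prefix;
  * with neither ge nor le the lengths must be equal;
  * ge alone allows lengths from ge up to the address-family maximum;
  * le alone allows lengths from the rule's own length up to le;
  * rules are tried in ascending id, first match wins, otherwise deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixRule:
    id: int
    action: str                 # "permit" or "deny"
    prefix: str                 # CIDR text, or "any"
    ge: Optional[int] = None    # minimum prefix length
    le: Optional[int] = None    # maximum prefix length


def rule_matches(rule, net):
    """True when `net` (an ipaddress network object) satisfies `rule`."""
    if rule.prefix == "any":
        return True
    base = ipaddress.ip_network(rule.prefix, strict=False)
    # Mixed address families never match; checking first also avoids the
    # TypeError that subnet_of() raises for mixed versions.
    if net.version != base.version or not net.subnet_of(base):
        return False
    if rule.ge is None and rule.le is None:
        lo = hi = base.prefixlen
    else:
        lo = rule.ge if rule.ge is not None else base.prefixlen
        hi = rule.le if rule.le is not None else net.max_prefixlen
    return lo <= net.prefixlen <= hi


def evaluate(rules, candidate):
    """Return (action, matching rule id); ("deny", None) when nothing matches."""
    net = ipaddress.ip_network(candidate, strict=False)
    for rule in sorted(rules, key=lambda r: r.id):
        if rule_matches(rule, net):
            return rule.action, rule.id
    return "deny", None


# Constructed rule set for an inbound filter: the peer may announce its own
# /24 (and subnets of it down to /26), one block exactly as allocated, and a
# /48 cut from its IPv6 allocation; RFC 1918 space at any length and a
# default route are rejected explicitly.
SAMPLE_RULES = [
    PrefixRule(1, "deny", "10.0.0.0/8", le=32),
    PrefixRule(2, "deny", "0.0.0.0/0"),
    PrefixRule(3, "permit", "203.0.113.0/24", ge=24, le=26),
    PrefixRule(4, "permit", "198.51.100.0/24"),
    PrefixRule(5, "permit", "2001:db8::/32", ge=48, le=48),
]

if __name__ == "__main__":
    for cand in ("10.1.2.0/24", "0.0.0.0/0", "203.0.113.64/26",
                 "203.0.113.0/27", "198.51.100.0/25", "2001:db8:1::/48"):
        print(cand, "->", evaluate(SAMPLE_RULES, cand))
```

Note that 203.0.113.0/27 and 198.51.100.0/25 both fall through to the implicit deny even though they sit inside permitted blocks: the first exceeds le 26, the second fails the exact-length match of a rule with no ge/le. That is the behaviour to test for before trusting a filter in production.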
router/rip
CLI Syntax
config router rip
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        set recv-buffer-size <integer>
        config distance
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet-any>
                set distance <integer>
                set access-list <string>
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip <ipv4-address>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv4-classnet>
            end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list <string>
                set offset <integer>
                set interface <string>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set flags <integer>
            end
        set update-timer <integer>
        set timeout-timer <integer>
        set garbage-timer <integer>
        set version {1 | 2}
        config interface
            edit <name_str>
                set name <string>
                set auth-keychain <string>
                set auth-mode {none | text | md5}
                set auth-string <password>
                set receive-version {1 | 2}
                set send-version {1 | 2}
                set send-version2-broadcast {disable | enable}
                set split-horizon-status {enable | disable}
                set split-horizon {poisoned | regular}
                set flags <integer>
            end
    end

Description

Configuration | Description | Default Value
default-information-originate | Enable/disable generation of default route. | disable
default-metric | Default metric. |
max-out-metric | Maximum metric allowed to output (0 means 'not set'). |
recv-buffer-size | Receiving buffer size. | 655360
distance | Distance. | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | Neighbor. | (Empty)
network | Network. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
version | RIP version. |
interface | RIP interface configuration. | (Empty)

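Both config router ospf (the authentication field on ospf-interface entries and on area virtual-link entries) and config router rip (auth-mode on interface entries) offer {none | text | md5}. With none, any host on the segment can inject routes; text sends the key in clear on the wire; md5 is the only option in this release worth deploying. The Python below is an added example, not Fortinet code, that parses the config / edit / set / next / end nesting of a FortiOS configuration backup (the syntax blocks in this reference show the same structure with next elided) and lists every OSPF interface, OSPF virtual link and RIP interface whose mode is not md5. The sample configuration and its key strings are constructed; treating a missing authentication or auth-mode line as none follows the CLI default, which this reference does not print for sub-tables and is therefore stated as an assumption.

```python
"""Audit a FortiOS configuration dump for unauthenticated OSPF and RIP.

Added example, not Fortinet code. It parses the config / edit / set /
next / end nesting used by FortiOS configuration backups and flags
routing interfaces whose neighbour authentication is not md5.
Assumption: an entry with no `authentication` / `auth-mode` line is
treated as `none`, the CLI default.
"""
import shlex

# Constructed sample configuration; key material is a placeholder.
SAMPLE_CONFIG = """\
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
            config virtual-link
                edit "vl-to-abr"
                    set authentication none
                    set peer 10.0.0.2
                next
            end
        next
    end
    config ospf-interface
        edit "ospf-dmz"
            set interface "port2"
            set authentication md5
            set md5-key 1 "placeholder-key"
        next
        edit "ospf-lan"
            set interface "port3"
            set authentication text
            set authentication-key "placeholder"
        next
    end
end
config router rip
    config interface
        edit "port4"
            set auth-mode md5
            set auth-keychain "rip-kc"
        next
        edit "port5"
        next
    end
end
"""


def parse_fortios(text):
    """Build nested dicts: `config X` -> dict, `edit N` -> dict keyed by N,
    `set K V...` -> list of values. `next` and `end` each close one level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours the CLI's double quotes
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0] if args else "", {}))
        elif kw == "set" and args:
            cur[args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _auth_mode(entry, key):
    values = entry.get(key) if isinstance(entry, dict) else None
    return values[0] if values else "none"      # assumption: CLI default is none


def audit_routing_auth(config):
    """Return (protocol, scope, name, mode) for every OSPF interface,
    OSPF virtual link and RIP interface whose mode is not md5."""
    findings = []
    ospf = config.get("router ospf", {})
    for name, entry in ospf.get("ospf-interface", {}).items():
        mode = _auth_mode(entry, "authentication")
        if mode != "md5":
            findings.append(("ospf", "ospf-interface", name, mode))
    for area_id, area in ospf.get("area", {}).items():
        if not isinstance(area, dict):
            continue
        for name, link in area.get("virtual-link", {}).items():
            mode = _auth_mode(link, "authentication")
            if mode != "md5":
                findings.append(("ospf", "area %s virtual-link" % area_id, name, mode))
    rip = config.get("router rip", {})
    for name, entry in rip.get("interface", {}).items():
        mode = _auth_mode(entry, "auth-mode")
        if mode != "md5":
            findings.append(("rip", "interface", name, mode))
    return findings


if __name__ == "__main__":
    for proto, scope, name, mode in audit_routing_auth(parse_fortios(SAMPLE_CONFIG)):
        print("%s %s %s: authentication is %s (expected md5)" % (proto, scope, name, mode))
```

Run against a real backup, the same parser can be pointed at other tables in this reference (for instance config router static or config router policy); the audit function only knows the three authentication fields named above.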
router/ripng
CLI Syntax
config router ripng
    edit <name_str>
        set default-information-originate {enable | disable}
        set default-metric <integer>
        set max-out-metric <integer>
        config distance
            edit <name_str>
                set id <integer>
                set distance <integer>
                set prefix6 <ipv6-prefix>
                set access-list6 <string>
            end
        config distribute-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set listname <string>
                set interface <string>
            end
        config neighbor
            edit <name_str>
                set id <integer>
                set ip6 <ipv6-address>
                set interface <string>
            end
        config network
            edit <name_str>
                set id <integer>
                set prefix <ipv6-prefix>
            end
        config aggregate-address
            edit <name_str>
                set id <integer>
                set prefix6 <ipv6-prefix>
            end
        config offset-list
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set direction {in | out}
                set access-list6 <string>
                set offset <integer>
                set interface <string>
            end
        config passive-interface
            edit <name_str>
                set name <string>
            end
        config redistribute
            edit <name_str>
                set name <string>
                set status {enable | disable}
                set metric <integer>
                set routemap <string>
                set flags <integer>
            end
        set update-timer <integer>
        set timeout-timer <integer>
        set garbage-timer <integer>
        config interface
            edit <name_str>
                set name <string>
                set split-horizon-status {enable | disable}
                set split-horizon {poisoned | regular}
                set flags <integer>
            end
    end

Description

Configuration | Description | Default Value
default-information-originate | Enable/disable generation of default route. | disable
default-metric | Default metric. |
max-out-metric | Maximum metric allowed to output (0 means 'not set'). |
distance | Distance. | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | Neighbor. | (Empty)
network | Network. | (Empty)
aggregate-address | Aggregate address. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
interface | RIPng interface configuration. | (Empty)

router/route-map
CLI Syntax
config router route-map
    edit <name_str>
        set name <string>
        set comments <string>
        config rule
            edit <name_str>
                set id <integer>
                set action {permit | deny}
                set match-as-path <string>
                set match-community <string>
                set match-community-exact {enable | disable}
                set match-origin {none | egp | igp | incomplete}
                set match-interface <string>
                set match-ip-address <string>
                set match-ip6-address <string>
                set match-ip-nexthop <string>
                set match-ip6-nexthop <string>
                set match-metric <integer>
                set match-route-type {1 | 2 | none}
                set match-tag <integer>
                set set-aggregator-as <integer>
                set set-aggregator-ip <ipv4-address-any>
                set set-aspath-action {prepend | replace}
                config set-aspath
                    edit <name_str>
                        set as <string>
                    end
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <string>
                config set-community
                    edit <name_str>
                        set community <string>
                    end
                set set-community-additive {enable | disable}
                set set-dampening-reachability-half-life <integer>
                set set-dampening-reuse <integer>
                set set-dampening-suppress <integer>
                set set-dampening-max-suppress <integer>
                set set-dampening-unreachability-half-life <integer>
                config set-extcommunity-rt
                    edit <name_str>
                        set community <string>
                    end
                config set-extcommunity-soo
                    edit <name_str>
                        set community <string>
                    end
                set set-ip-nexthop <ipv4-address>
                set set-ip6-nexthop <ipv6-address>
                set set-ip6-nexthop-local <ipv6-address>
                set set-local-preference <integer>
                set set-metric <integer>
                set set-metric-type {1 | 2 | none}
                set set-originator-id <ipv4-address-any>
                set set-origin {none | egp | igp | incomplete}
                set set-tag <integer>
                set set-weight <integer>
                set set-flags <integer>
                set match-flags <integer>
            end
    end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/setting
CLI Syntax
config router setting
    edit <name_str>
        set show-filter <string>
        set hostname <string>
    end

Description

Configuration | Description | Default Value
show-filter | Prefix-list as filter for showing routes. | (Empty)
hostname | Hostname for this virtual domain router. | (Empty)

router/static
CLI Syntax
config router static
    edit <name_str>
        set seq-num <integer>
        set status {enable | disable}
        set dst <ipv4-classnet>
        set gateway <ipv4-address>
        set distance <integer>
        set weight <integer>
        set priority <integer>
        set device <string>
        set comment <var-string>
        set blackhole {enable | disable}
        set dynamic-gateway {enable | disable}
        set virtual-wan-link {enable | disable}
        set dstaddr <string>
        set internet-service <integer>
        set internet-service-custom <string>
    end

Description

Configuration | Description | Default Value
seq-num | Entry number. |
status | Enable/disable static route. | enable
dst | Destination IP and mask for this route. | 0.0.0.0 0.0.0.0
gateway | Gateway IP for this route. | 0.0.0.0
distance | Administrative distance (1 - 255). | 10
weight | Administrative weight (0 - 255). |
priority | Administrative priority (0 - 4294967295). |
device | Gateway out interface. | (Empty)
comment | Comment. | (Empty)
blackhole | Enable/disable black hole. | disable
dynamic-gateway | Enable use of dynamic gateway retrieved from a DHCP or PPP server. | disable
virtual-wan-link | Enable/disable egress through the virtual-wan-link. | disable
dstaddr | Name of firewall address or address group. | (Empty)
internet-service | Application ID in the Internet service database. |
internet-service-custom | Application name in the Internet service custom database. | (Empty)

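Several config router static fields interact once more than one route covers a destination: distance decides which of several routes to the same prefix is installed at all, priority picks among installed routes of equal distance, and equal distance and priority yield equal-cost multipath; a blackhole route drops matching traffic and is the usual way to null-route a compromised subnet without touching firewall policy. The Python below is an added example, not FortiOS code, that implements that selection over a constructed route table. The tie-break order, a default priority of 0 and the CIDR spelling of dst (the CLI takes an address and mask) are assumptions stated here; the reference above only lists the fields.

```python
"""Select the static route(s) a FortiGate-style forwarding table would use.

Added example, not FortiOS code. Route fields follow `config router static`
in this reference. Selection order (an assumption, see the lead-in):
only the lowest-distance route(s) for a prefix are installed; the longest
installed prefix covering the destination wins; then the lowest priority;
remaining ties are equal-cost candidates.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    seq_num: int
    dst: str                        # CIDR here; the CLI takes "address mask"
    device: str                     # empty for a blackhole route
    gateway: Optional[str] = None   # None for a blackhole route
    distance: int = 10              # default from the reference
    priority: int = 0               # assumption: CLI default
    blackhole: bool = False
    status: bool = True


def installed_routes(routes):
    """Map each prefix to the enabled routes with the lowest distance;
    higher-distance routes to the same prefix stay out of the table."""
    table = {}
    for route in routes:
        if not route.status:
            continue
        net = ipaddress.ip_network(route.dst, strict=False)
        current = table.get(net)
        if current is None or route.distance < current[0].distance:
            table[net] = [route]
        elif route.distance == current[0].distance:
            current.append(route)
    return table


def lookup(routes, address):
    """Return the equal-cost routes used to reach `address` (more than one
    means ECMP), or [] when no installed route covers it."""
    ip = ipaddress.ip_address(address)
    covering = [(net, rs) for net, rs in installed_routes(routes).items()
                if net.version == ip.version and ip in net]
    if not covering:
        return []
    _, candidates = max(covering, key=lambda item: item[0].prefixlen)
    best_priority = min(r.priority for r in candidates)
    return sorted((r for r in candidates if r.priority == best_priority),
                  key=lambda r: r.seq_num)


def describe(routes, address):
    chosen = lookup(routes, address)
    if not chosen:
        return "%s: no route" % address
    if chosen[0].blackhole:
        return "%s: dropped by blackhole route %d" % (address, chosen[0].seq_num)
    return "%s: via %s" % (address, ", ".join(
        "%s on %s (seq %d)" % (r.gateway, r.device, r.seq_num) for r in chosen))


# Constructed route table: two defaults (wan1 preferred by priority), a /16
# with a floating backup at distance 20, a blackhole for a compromised /24
# inside that /16, an ECMP pair, and a disabled route.
SAMPLE_ROUTES = [
    StaticRoute(1, "0.0.0.0/0", "wan1", "203.0.113.1", priority=0),
    StaticRoute(2, "0.0.0.0/0", "wan2", "198.51.100.1", priority=10),
    StaticRoute(3, "10.20.0.0/16", "port3", "10.0.0.254"),
    StaticRoute(4, "10.20.0.0/16", "port3", "10.0.0.253", distance=20),
    StaticRoute(5, "10.20.5.0/24", "", blackhole=True),
    StaticRoute(6, "192.0.2.0/24", "port3", "10.0.0.1"),
    StaticRoute(7, "192.0.2.0/24", "port3", "10.0.0.2"),
    StaticRoute(8, "172.16.0.0/12", "port4", "10.0.1.1", status=False),
]

if __name__ == "__main__":
    for addr in ("10.20.5.7", "10.20.9.1", "8.8.8.8", "192.0.2.10", "172.16.1.1"):
        print(describe(SAMPLE_ROUTES, addr))
```

The blackhole /24 wins over the /16 it sits inside because prefix length is compared before anything else; the floating backup (seq 4) is never consulted while seq 3 is enabled, because distance is resolved per prefix before the lookup.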
router/static6
CLI Syntax
config router static6
    edit <name_str>
        set seq-num <integer>
        set status {enable | disable}
        set dst <ipv6-network>
        set gateway <ipv6-address>
        set device <string>
        set devindex <integer>
        set distance <integer>
        set priority <integer>
        set comment <var-string>
        set blackhole {enable | disable}
    end

Description

Configuration | Description | Default Value
seq-num | Sequence number. |
status | Enable/disable static route. | enable
dst | Destination IPv6 prefix for this route. | ::/0
gateway | Gateway IPv6 address for this route. | ::
device | Gateway out interface or tunnel. | (Empty)
devindex | Device index (0 - 4294967295). |
distance | Administrative distance (1 - 255). | 10
priority | Administrative priority (0 - 4294967295). |
comment | Comment. | (Empty)
blackhole | Enable/disable black hole. | disable

spamfilter/bwl
CLI Syntax
config spamfilter bwl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set type {ip | email}
                set action {reject | spam | clear}
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
                set pattern-type {wildcard | regexp}
                set email-pattern <string>
            end
    end

Description

Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Anti-spam black/white list entries. | (Empty)

spamfilter/bword
CLI Syntax
config spamfilter bword
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set pattern <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
                set where {subject | body | all}
                set language {western | simch | trach | japanese | korean | french | thai | spanish}
                set score <integer>
            end
    end

Description

Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter banned word. | (Empty)

spamfilter/dnsbl
CLI Syntax
config spamfilter dnsbl
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set server <string>
                set action {reject | spam}
            end
    end

Description

Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter DNSBL and ORBL server. | (Empty)

spamfilter/fortishield
CLI Syntax
config spamfilter fortishield
    edit <name_str>
        set spam-submit-srv <string>
        set spam-submit-force {enable | disable}
        set spam-submit-txt2htm {enable | disable}
    end

Description

Configuration | Description | Default Value
spam-submit-srv | Hostname of the spam submission server. | www.nospammer.net
spam-submit-force | Enable/disable force insertion of a new mime entity for the submission text. | enable
spam-submit-txt2htm | Enable/disable conversion of text email to HTML email. | enable

spamfilter/iptrust
CLI Syntax
config spamfilter iptrust
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set addr-type {ipv4 | ipv6}
                set ip4-subnet <ipv4-classnet>
                set ip6-subnet <ipv6-network>
            end
    end

Description

Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter trusted IP addresses. | (Empty)

spamfilter/mheader
CLI Syntax
config spamfilter mheader
    edit <name_str>
        set id <integer>
        set name <string>
        set comment <var-string>
        config entries
            edit <name_str>
                set status {enable | disable}
                set id <integer>
                set fieldname <string>
                set fieldbody <string>
                set pattern-type {wildcard | regexp}
                set action {spam | clear}
            end
    end

Description

Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter MIME header content. | (Empty)

spamfilter/options
CLI Syntax
config spamfilter options
    edit <name_str>
        set dns-timeout <integer>
    end

Description

Configuration | Description | Default Value
dns-timeout | DNS query time out (1 - 30 sec). |

spamfilter/profile
CLI Syntax
config spamfilter profile
    edit <name_str>
        set name <string>
        set comment <var-string>
        set flow-based {enable | disable}
        set replacemsg-group <string>
        set spam-log {disable | enable}
        set spam-log-fortiguard-response {disable | enable}
        set spam-filtering {enable | disable}
        set external {enable | disable}
        set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
        config imap
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
            end
        config pop3
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
            end
        config smtp
            edit <name_str>
                set log {enable | disable}
                set action {pass | tag | discard}
                set tag-type {subject | header | spaminfo}
                set tag-msg <string>
                set hdrip {enable | disable}
                set local-override {enable | disable}
            end
        config mapi
            edit <name_str>
                set log {enable | disable}
                set action {pass | discard}
            end
        config msn-hotmail
            edit <name_str>
                set log {enable | disable}
            end
        config yahoo-mail
            edit <name_str>
                set log {enable | disable}
            end
        config gmail
            edit <name_str>
                set log {enable | disable}
            end
        set spam-bword-threshold <integer>
        set spam-bword-table <integer>
        set spam-bwl-table <integer>
        set spam-mheader-table <integer>
        set spam-rbl-table <integer>
        set spam-iptrust-table <integer>
    end

Description

Configuration                 Description                                           Default Value
name                          Profile name.                                         (Empty)
comment                       Comment.                                              (Empty)
flow-based                    Enable/disable flow-based spam filtering.             disable
replacemsg-group              Replacement message group.                            (Empty)
spam-log                      Enable/disable spam logging for email filtering.      enable
spam-log-fortiguard-response  Enable/disable logging FortiGuard spam response.      disable
spam-filtering                Enable/disable spam filtering.                        disable
external                      Enable/disable external Email inspection.             disable
options                       Options.                                              (Empty)
imap                          IMAP.                                                 Details below
    log                                                                             disable
    action                                                                          tag
    tag-type                                                                        subject spaminfo
    tag-msg                                                                         Spam
pop3                          POP3.                                                 Details below
    log                                                                             disable
    action                                                                          tag
    tag-type                                                                        subject spaminfo
    tag-msg                                                                         Spam
smtp                          SMTP.                                                 Details below
    log                                                                             disable
    action                                                                          discard
    tag-type                                                                        subject spaminfo
    tag-msg                                                                         Spam
    hdrip                                                                           disable
    local-override                                                                  disable
mapi                          MAPI.                                                 Details below
    log                                                                             disable
    action                                                                          discard
msn-hotmail                   MSN Hotmail.                                          Details below
    log                                                                             disable
yahoo-mail                    Yahoo! Mail.                                          Details below
    log                                                                             disable
gmail                         Gmail.                                                Details below
    log                                                                             disable
spam-bword-threshold          Spam banned word threshold.                           10
spam-bword-table              Anti-spam banned word table ID.
spam-bwl-table                Anti-spam black/white list table ID.
spam-mheader-table            Anti-spam MIME header table ID.
spam-rbl-table                Anti-spam DNSBL table ID.
spam-iptrust-table            Anti-spam IP trust table ID.

system.autoupdate/push-update
CLI Syntax
config system.autoupdate push-update
edit <name_str>
set status {enable | disable}
set override {enable | disable}
set address <ipv4-address-any>
set port <integer>
end

Description

Configuration                 Description                                           Default Value
status                        Enable/disable push updates.                          disable
override                      Enable/disable push update override server.           disable
address                       Push update override server.                          0.0.0.0
port                          Push update override port.                            9443

system.autoupdate/schedule
CLI Syntax
config system.autoupdate schedule
edit <name_str>
set status {enable | disable}
set frequency {every | daily | weekly}
set time <user>
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end

Description

Configuration                 Description                                           Default Value
status                        Enable/disable scheduled updates.                     enable
frequency                     Update frequency.                                     every
time                          Update time.                                          02:60
day                           Update day.                                           Monday

system.autoupdate/tunneling
CLI Syntax
config system.autoupdate tunneling
edit <name_str>
set status {enable | disable}
set address <string>
set port <integer>
set username <string>
set password <password>
end

Description

Configuration                 Description                                           Default Value
status                        Enable/disable web proxy tunnelling.                  disable
address                       Web proxy IP address or FQDN.                         (Empty)
port                          Web proxy port.
username                      Web proxy username.                                   (Empty)
password                      Web proxy password.                                   (Empty)

system.dhcp/server
CLI Syntax
config system.dhcp server
edit <name_str>
set id <integer>
set status {disable | enable}
set lease-time <integer>
set mac-acl-default-action {assign | block}
set forticlient-on-net-status {disable | enable}
set dns-service {local | default | specify}
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set dns-server3 <ipv4-address>
set wifi-ac1 <ipv4-address>
set wifi-ac2 <ipv4-address>
set wifi-ac3 <ipv4-address>
set ntp-service {local | default | specify}
set ntp-server1 <ipv4-address>
set ntp-server2 <ipv4-address>
set ntp-server3 <ipv4-address>
set domain <string>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set default-gateway <ipv4-address>
set next-server <ipv4-address>
set netmask <ipv4-netmask>
set interface <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set timezone-option {disable | default | specify}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set tftp-server <string>
set filename <string>
config options
edit <name_str>
set id <integer>
set code <integer>
set type {hex | string | ip}
set value <string>
set ip <user>
end
set server-type {regular | ipsec}
set ip-mode {range | usrgrp}
set conflicted-ip-timeout <integer>
set ipsec-lease-hold <integer>
set auto-configuration {disable | enable}
set ddns-update {disable | enable}
set ddns-update-override {disable | enable}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-ttl <integer>
set vci-match {disable | enable}
config vci-string
edit <name_str>
set vci-string <string>
end
config exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
config reserved-address
edit <name_str>
set id <integer>
set ip <ipv4-address>
set mac <mac-address>
set action {assign | block | reserved}
set description <var-string>
end
end

Description

Configuration                 Description                                           Default Value
id                            ID.
status                        Enable/disable use of this DHCP configuration.        enable
lease-time                    Lease time in seconds.                                604800
mac-acl-default-action        MAC access control default action.                    assign
forticlient-on-net-status     Sending FortiGate serial number as a DHCP option.     enable
dns-service                   DNS service option.                                   specify
dns-server1                   DNS server 1.                                         0.0.0.0
dns-server2                   DNS server 2.                                         0.0.0.0
dns-server3                   DNS server 3.                                         0.0.0.0
wifi-ac1                      WiFi AC 1.                                            0.0.0.0
wifi-ac2                      WiFi AC 2.                                            0.0.0.0
wifi-ac3                      WiFi AC 3.                                            0.0.0.0
ntp-service                   NTP service option.                                   specify
ntp-server1                   NTP server 1.                                         0.0.0.0
ntp-server2                   NTP server 2.                                         0.0.0.0
ntp-server3                   NTP server 3.                                         0.0.0.0
domain                        Domain name.                                          (Empty)
wins-server1                  WINS server 1.                                        0.0.0.0
wins-server2                  WINS server 2.                                        0.0.0.0
default-gateway               Enable/disable default gateway.                       0.0.0.0
next-server                   Next bootstrap server.                                0.0.0.0
netmask                       Netmask.                                              0.0.0.0
interface                     Interface name.                                       (Empty)
ip-range                      DHCP IP range configuration.                          (Empty)
timezone-option               Time zone settings.                                   disable
timezone                      Time zone.                                            00
tftp-server                   Hostname or IP address of the TFTP server.            (Empty)
filename                      Boot file name.                                       (Empty)
options                       DHCP options.                                         (Empty)
server-type                   Type of DHCP service to provide.                      regular
ip-mode                       Method used to assign client IP.                      range
conflicted-ip-timeout         Time conflicted IP is removed from the range          1800
                              (seconds).
ipsec-lease-hold              DHCP over IPsec leases expire this many seconds       60
                              after tunnel down (0 to disable forced expiry).
auto-configuration            Enable/disable auto configuration.                    enable
ddns-update                   Enable/disable DDNS update for DHCP.                  disable
ddns-update-override          Enable/disable DDNS update override for DHCP.         disable
ddns-server-ip                DDNS server IP.                                       0.0.0.0
ddns-zone                     Zone of your domain name (ex. DDNS.com).              (Empty)
ddns-auth                     DDNS authentication mode.                             disable
ddns-keyname                  DDNS update key name.                                 (Empty)
ddns-key                      DDNS update key (base 64 encoding).                   'ENC isr0V46YyB8yJjNbUYAs/vUYxB1aL6ALCHlEbPq6PJBZtDpbY7N1pqsliSaL2Fw4Jz0bZklu47K49hcFNvrKsIh9YC2uAimJqm9qGNuxRLsBAi/+1yyNDp0Hjjc='
ddns-ttl                      TTL.                                                  300
vci-match                     Enable/disable VCI matching.                          disable
vci-string                    VCI strings.                                          (Empty)
exclude-range                 DHCP exclude range configuration.                     (Empty)
reserved-address              DHCP reserved IP address.                             (Empty)
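
An added example (not from the FortiOS reference) that ties the mac-acl-default-action, reserved-address, exclude-range and vci-match settings above into one LAN scope that only leases to devices it knows about. The interface name, addresses, MACs and VCI string are constructed placeholders, and the "#" lines are annotations.

```fortios
# Added example: a LAN scope that refuses unknown MAC addresses.
config system dhcp server
    edit 1
        set status enable
        set interface "internal"
        set lease-time 28800
        set netmask 255.255.255.0
        set default-gateway 10.10.10.1
        set dns-service specify
        set dns-server1 10.10.10.1
        set ntp-service local
        set domain "lab.example"
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.199
            next
        end
        # Keep 10.10.10.150-159 out of the pool for statically addressed gear.
        config exclude-range
            edit 1
                set start-ip 10.10.10.150
                set end-ip 10.10.10.159
            next
        end
        # Default for a MAC that is not listed below: no lease at all.
        set mac-acl-default-action block
        config reserved-address
            edit 1
                set mac 00:11:22:aa:bb:01
                set action reserved
                set ip 10.10.10.20
                set description "print-01, fixed address"
            next
            edit 2
                set mac 00:11:22:aa:bb:02
                set action assign
                set description "ws-02, any address from the pool"
            next
            edit 3
                set mac 00:11:22:aa:bb:03
                set action block
                set description "decommissioned, never lease"
            next
        end
        # Additionally only answer clients that present the expected VCI.
        set vci-match enable
        config vci-string
            edit 1
                set vci-string "MSFT 5.0"
            next
        end
    next
end
```

MAC and VCI matching are inventory controls, not authentication: a client that copies a listed MAC or VCI still gets a lease, so pair this with switch-port security or 802.1X where an address must be tied to an identity.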

system.dhcp6/server
CLI Syntax
config system.dhcp6 server
edit <name_str>
set id <integer>
set status {disable | enable}
set rapid-commit {disable | enable}
set lease-time <integer>
set dns-service {delegated | default | specify}
set dns-server1 <ipv6-address>
set dns-server2 <ipv6-address>
set dns-server3 <ipv6-address>
set domain <string>
set subnet <ipv6-prefix>
set interface <string>
set option1 <user>
set option2 <user>
set option3 <user>
set upstream-interface <string>
set ip-mode {range | delegated}
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
end

Description

Configuration                 Description                                           Default Value
id                            ID.
status                        Enable/disable use of this DHCP configuration.        enable
rapid-commit                  Enable/disable (allow/disallow) rapid commit.         disable
lease-time                    Lease time in seconds.                                604800
dns-service                   DNS service option.                                   specify
dns-server1                   DNS server 1.                                         ::
dns-server2                   DNS server 2.                                         ::
dns-server3                   DNS server 3.                                         ::
domain                        Domain name.                                          (Empty)
subnet                        Subnet or subnet-id if the IP mode is delegated.      ::/0
interface                     Interface name.                                       (Empty)
option1                       Option 1.
option2                       Option 2.
option3                       Option 3.
upstream-interface            Interface name from where delegated information       (Empty)
                              is provided.
ip-mode                       Method used to assign client IP.                      range
ip-range                      DHCP IP range configuration.                          (Empty)

system.replacemsg/admin
CLI Syntax
config system.replacemsg admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/alertmail
CLI Syntax
config system.replacemsg alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/auth
CLI Syntax
config system.replacemsg auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/device-detection-portal
CLI Syntax
config system.replacemsg device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/ec
CLI Syntax
config system.replacemsg ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/fortiguard-wf
CLI Syntax
config system.replacemsg fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/ftp
CLI Syntax
config system.replacemsg ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/http
CLI Syntax
config system.replacemsg http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/mail
CLI Syntax
config system.replacemsg mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/nac-quar
CLI Syntax
config system.replacemsg nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/nntp
CLI Syntax
config system.replacemsg nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/spam
CLI Syntax
config system.replacemsg spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/sslvpn
CLI Syntax
config system.replacemsg sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/traffic-quota
CLI Syntax
config system.replacemsg traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/utm
CLI Syntax
config system.replacemsg utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.replacemsg/webproxy
CLI Syntax
config system.replacemsg webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description

Configuration                 Description                                           Default Value
msg-type                      Message type.                                         (Empty)
buffer                        Message string.                                       (Empty)
header                        Header flag.                                          none
format                        Format flag.                                          none

system.snmp/community
CLI Syntax
config system.snmp community
edit <name_str>
set id <integer>
set name <string>
set status {enable | disable}
config hosts
edit <name_str>
set id <integer>
set source-ip <ipv4-address>
set ip <user>
set interface <string>
set ha-direct {enable | disable}
set host-type {any | query | trap}
end
config hosts6
edit <name_str>
set id <integer>
set source-ipv6 <ipv6-address>
set ipv6 <ipv6-prefix>
set ha-direct {enable | disable}
set interface <string>
set host-type {any | query | trap}
end
set query-v1-status {enable | disable}
set query-v1-port <integer>
set query-v2c-status {enable | disable}
set query-v2c-port <integer>
set trap-v1-status {enable | disable}
set trap-v1-lport <integer>
set trap-v1-rport <integer>
set trap-v2c-status {enable | disable}
set trap-v2c-lport <integer>
set trap-v2c-rport <integer>
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
end

Description

Configuration                 Description                                           Default Value
id                            Community ID.
name                          Community name.                                       (Empty)
status                        Enable/disable this community.                        enable
hosts                         Allow hosts configuration.                            (Empty)
hosts6                        Allow hosts configuration for IPv6.                   (Empty)
query-v1-status               Enable/disable SNMP v1 query.                         enable
query-v1-port                 SNMP v1 query port.                                   161
query-v2c-status              Enable/disable SNMP v2c query.                        enable
query-v2c-port                SNMP v2c query port.                                  161
trap-v1-status                Enable/disable SNMP v1 trap.                          enable
trap-v1-lport                 SNMP v1 trap local port.                              162
trap-v1-rport                 SNMP v1 trap remote port.                             162
trap-v2c-status               Enable/disable SNMP v2c trap.                         enable
trap-v2c-lport                SNMP v2c trap local port.                             162
trap-v2c-rport                SNMP v2c trap remote port.                            162
events                        SNMP trap events.                                     cpu-high mem-low log-full intf-ip
                                                                                    vpn-tun-up vpn-tun-down ha-switch
                                                                                    ha-hb-failure ips-signature ips-anomaly
                                                                                    av-virus av-oversize av-pattern
                                                                                    av-fragmented fm-if-change
                                                                                    bgp-established bgp-backward-transition
                                                                                    ha-member-up ha-member-down
                                                                                    ent-conf-change av-conserve av-bypass
                                                                                    av-oversize-passed av-oversize-blocked
                                                                                    ips-pkg-update ips-fail-open
                                                                                    temperature-high voltage-alert
                                                                                    power-supply-failure faz-disconnect
                                                                                    fan-failure wc-ap-up wc-ap-down
                                                                                    fswctl-session-up fswctl-session-down
                                                                                    load-balance-real-server-down

system.snmp/sysinfo
CLI Syntax
config system.snmp sysinfo
edit <name_str>
set status {enable | disable}
set engine-id <string>
set description <string>
set contact-info <string>
set location <string>
set trap-high-cpu-threshold <integer>
set trap-low-memory-threshold <integer>
set trap-log-full-threshold <integer>
end

Description

Configuration                 Description                                           Default Value
status                        Enable/disable SNMP.                                  disable
engine-id                     Local SNMP engineID string (maximum 24 characters).   (Empty)
description                   System description.                                   (Empty)
contact-info                  Contact information.                                  (Empty)
location                      System location.                                      (Empty)
trap-high-cpu-threshold       CPU usage when trap is sent.                          80
trap-low-memory-threshold     Memory usage when trap is sent.                       80
trap-log-full-threshold       Log disk usage when trap is sent.                     90

system.snmp/user
CLI Syntax
config system.snmp user
edit <name_str>
set name <string>
set status {enable | disable}
set trap-status {enable | disable}
set trap-lport <integer>
set trap-rport <integer>
set queries {enable | disable}
set query-port <integer>
set notify-hosts <ipv4-address>
set notify-hosts6 <ipv6-address>
set source-ip <ipv4-address>
set source-ipv6 <ipv6-address>
set ha-direct {enable | disable}
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch | ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented | fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up | ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed | av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert | power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up | fswctl-session-down | load-balance-real-server-down | device-new}
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
set auth-proto {md5 | sha}
set auth-pwd <password>
set priv-proto {aes | des | aes256 | aes256cisco}
set priv-pwd <password>
end

Description

Configuration                 Description                                           Default Value
name                          SNMP user name.                                       (Empty)
status                        Enable/disable this user.                             enable
trap-status                   Enable/disable traps for this user.                   enable
trap-lport                    SNMPv3 trap local port.                               162
trap-rport                    SNMPv3 trap remote port.                              162
queries                       Enable/disable queries for this user.                 enable
query-port                    SNMPv3 query port.                                    161
notify-hosts                  Hosts to send notifications (traps) to.               (Empty)
notify-hosts6                 IPv6 hosts to send notifications (traps) to.          (Empty)
source-ip                     Source IP for SNMP trap.                              0.0.0.0
source-ipv6                   Source IPv6 for SNMP trap.                            ::
ha-direct                     Enable/disable direct management of HA cluster        disable
                              members.
events                        SNMP notifications (traps) to send.                   cpu-high mem-low log-full intf-ip
                                                                                    vpn-tun-up vpn-tun-down ha-switch
                                                                                    ha-hb-failure ips-signature ips-anomaly
                                                                                    av-virus av-oversize av-pattern
                                                                                    av-fragmented fm-if-change
                                                                                    bgp-established bgp-backward-transition
                                                                                    ha-member-up ha-member-down
                                                                                    ent-conf-change av-conserve av-bypass
                                                                                    av-oversize-passed av-oversize-blocked
                                                                                    ips-pkg-update ips-fail-open
                                                                                    temperature-high voltage-alert
                                                                                    power-supply-failure faz-disconnect
                                                                                    fan-failure wc-ap-up wc-ap-down
                                                                                    fswctl-session-up fswctl-session-down
                                                                                    load-balance-real-server-down
security-level                Security level for message authentication and         no-auth-no-priv
                              encryption.
auth-proto                    Authentication protocol.                              sha
auth-pwd                      Password for authentication protocol.                 (Empty)
priv-proto                    Privacy (encryption) protocol.                        aes
priv-pwd                      Password for privacy (encryption) protocol.           (Empty)
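
An added example (not from the FortiOS reference) showing the three SNMP tables above together: the agent switched on with the trap thresholds from the sysinfo table, a v1/v2c community trimmed back from its defaults (v1 on, no host list) to a single v2c poller, and the SNMPv3 user that should replace it. Host addresses, names and passphrases are constructed placeholders; the "#" lines are annotations. The reference lists these tables as "system.snmp community" and so on; on the CLI the path is typed with a space.

```fortios
# Added example: SNMP agent, restricted community, and an auth-priv v3 user.
config system snmp sysinfo
    set status enable
    set description "fw-edge-01"
    set contact-info "noc@example.invalid"
    set location "DC1 rack 7"
    set trap-high-cpu-threshold 80
    set trap-low-memory-threshold 80
    set trap-log-full-threshold 90
end

# Community: turn v1 off (it is enabled by default) and list the only poller.
config system snmp community
    edit 1
        set name "COMMUNITY-STRING-PLACEHOLDER"
        set query-v1-status disable
        set trap-v1-status disable
        set query-v2c-status enable
        set trap-v2c-status enable
        config hosts
            edit 1
                set ip 192.0.2.10 255.255.255.255
                set host-type any
            next
        end
        set events cpu-high mem-low log-full ha-switch ha-hb-failure ips-fail-open av-conserve ent-conf-change
    next
end

# SNMPv3 user: authentication and encryption, so the secret is never on the wire.
config system snmp user
    edit "noc-poller"
        set status enable
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd "AUTH-PASSPHRASE-PLACEHOLDER"
        set priv-proto aes
        set priv-pwd "PRIV-PASSPHRASE-PLACEHOLDER"
        set queries enable
        set trap-status enable
        set notify-hosts 192.0.2.10
        set events cpu-high mem-low log-full ha-switch ha-hb-failure ips-fail-open av-conserve ent-conf-change
    next
end
```

Once the poller has moved to the v3 user, set the community's status to disable or delete it, so the plaintext community string stops being an accepted credential.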

system/accprofile
CLI Syntax
config system accprofile
edit <name_str>
set name <string>
set scope {vdom | global}
set comments <var-string>
set mntgrp {none | read | read-write}
set admingrp {none | read | read-write}
set updategrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write}
set netgrp {none | read | read-write}
set loggrp {none | read | read-write | custom | w | r | rw}
set routegrp {none | read | read-write}
set fwgrp {none | read | read-write | custom | w | r | rw}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom | w | r | rw}
set wanoptgrp {none | read | read-write}
set endpoint-control-grp {none | read | read-write}
set wifi {none | read | read-write}
config fwgrp-permission
edit <name_str>
set policy {none | read | read-write}
set address {none | read | read-write}
set service {none | read | read-write}
set schedule {none | read | read-write}
set packet-capture {none | read | read-write}
set others {none | read | read-write}
end
config loggrp-permission
edit <name_str>
set config {none | read | read-write}
set data-access {none | read | read-write}
set report-access {none | read | read-write}
set threat-weight {none | read | read-write}
end
config utmgrp-permission
edit <name_str>
set antivirus {none | read | read-write}
set ips {none | read | read-write}
set webfilter {none | read | read-write}
set spamfilter {none | read | read-write}
set data-loss-prevention {none | read | read-write}
set application-control {none | read | read-write}
set icap {none | read | read-write}
set casi {none | read | read-write}
set voip {none | read | read-write}
set waf {none | read | read-write}
set dnsfilter {none | read | read-write}
end
end

Description

Configuration                 Description                                           Default Value
name                          Profile name.                                         (Empty)
scope                         Global or single VDOM access restriction.             vdom
comments                      Comment.                                              (Empty)
mntgrp                        Maintenance.                                          none
admingrp                      Administrator Users.                                  none
updategrp                     FortiGuard Update.                                    none
authgrp                       User & Device.                                        none
sysgrp                        System Configuration.                                 none
netgrp                        Network Configuration.                                none
loggrp                        Log & Report.                                         none
routegrp                      Router Configuration.                                 none
fwgrp                         Firewall Configuration.                               none
vpngrp                        VPN Configuration.                                    none
utmgrp                        Security Profile Configuration.                       none
wanoptgrp                     WAN Opt & Cache.                                      none
endpoint-control-grp          Endpoint Security.                                    none
wifi                          Wireless controller.                                  none
fwgrp-permission              Custom firewall permission.                           Details below
    policy                                                                          none
    address                                                                         none
    service                                                                         none
    schedule                                                                        none
    packet-capture                                                                  none
    others                                                                          none
loggrp-permission             Custom Log & Report permission.                       Details below
    config                                                                          none
    data-access                                                                     none
    report-access                                                                   none
    threat-weight                                                                   none
utmgrp-permission             Custom UTM permission.                                Details below
    antivirus                                                                       none
    ips                                                                             none
    webfilter                                                                       none
    spamfilter                                                                      none
    data-loss-prevention                                                            none
    application-control                                                             none
    icap                                                                            none
    casi                                                                            none
    voip                                                                            none
    waf                                                                             none
    dnsfilter                                                                       none
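
An added example (not from the FortiOS reference): a least-privilege access profile for a NOC operator built from the group settings above, with the custom fwgrp-permission and loggrp-permission sub-tables, and an administrator account (using the "config system admin" fields documented in the next section) bound to it. The profile name, admin name, networks, token serial, key and password are constructed placeholders; the "#" lines are annotations. The sub-tables are entered directly under "config fwgrp-permission" and "config loggrp-permission" without an edit line.

```fortios
# Added example: read-mostly profile plus a restricted administrator.
config system accprofile
    edit "noc-readonly"
        set scope vdom
        set comments "Read everything, write reports only, no packet capture"
        set mntgrp read
        set admingrp none
        set updategrp none
        set authgrp read
        set sysgrp read
        set netgrp read
        set routegrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp none
        set endpoint-control-grp none
        set wifi read
        # Firewall objects readable; packet capture is the one thing withheld.
        set fwgrp custom
        config fwgrp-permission
            set policy read
            set address read
            set service read
            set schedule read
            set packet-capture none
            set others read
        end
        # Log data is readable and reports are the only writable area.
        set loggrp custom
        config loggrp-permission
            set config none
            set data-access read
            set report-access read-write
            set threat-weight none
        end
    next
end

# The account: confined to the NOC subnet, second factor, forced rotation, SSH key.
config system admin
    edit "noc-alice"
        set accprofile "noc-readonly"
        set vdom "root"
        set trusthost1 192.0.2.0 255.255.255.0
        set ip6-trusthost1 2001:db8:10::/64
        set password "INITIAL-PASSWORD-PLACEHOLDER"
        set force-password-change enable
        set two-factor fortitoken
        set fortitoken "FTK-SERIAL-PLACEHOLDER"
        set ssh-public-key1 "ssh-ed25519 AAAA-PLACEHOLDER noc-alice"
        set comments "NOC read-only operator"
    next
end
```

A trusthost left at the default of 0.0.0.0 0.0.0.0 means "for all" per the table, so an account that is meant to be confined needs at least one explicit trusthost entry.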

system/admin
CLI Syntax
config system admin
edit <name_str>
set name <string>
set wildcard {enable | disable}
set remote-auth {enable | disable}
set remote-group <string>
set password <password-2>
set peer-auth {enable | disable}
set peer-group <string>
set trusthost1 <ipv4-classnet>
set trusthost2 <ipv4-classnet>
set trusthost3 <ipv4-classnet>
set trusthost4 <ipv4-classnet>
set trusthost5 <ipv4-classnet>
set trusthost6 <ipv4-classnet>
set trusthost7 <ipv4-classnet>
set trusthost8 <ipv4-classnet>
set trusthost9 <ipv4-classnet>
set trusthost10 <ipv4-classnet>
set ip6-trusthost1 <ipv6-prefix>
set ip6-trusthost2 <ipv6-prefix>
set ip6-trusthost3 <ipv6-prefix>
set ip6-trusthost4 <ipv6-prefix>
set ip6-trusthost5 <ipv6-prefix>
set ip6-trusthost6 <ipv6-prefix>
set ip6-trusthost7 <ipv6-prefix>
set ip6-trusthost8 <ipv6-prefix>
set ip6-trusthost9 <ipv6-prefix>
set ip6-trusthost10 <ipv6-prefix>
set accprofile <string>
set allow-remove-admin-session {enable | disable}
set comments <var-string>
set hidden <integer>
config vdom
edit <name_str>
set name <string>
end
set is-admin <integer>
set ssh-public-key1 <user>
set ssh-public-key2 <user>
set ssh-public-key3 <user>
set ssh-certificate <string>
set schedule <string>
set accprofile-override {enable | disable}
set radius-vdom-override {enable | disable}
set password-expire <user>
set force-password-change {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.

472

config dashboard
edit <name_str>
set id <integer>
set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid
| tr-history | analytics | usb-modem}
set name <string>
set column <integer>
set refresh-interval <integer>
set time-period <integer>
set chart-color <integer>
set top-n <integer>
set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
set report-by {source | destination | application | dlp-rule | dlp-sensor | po
licy | protocol | web-category | web-domain | all | profile}
set ip-version {ipboth | ipv4 | ipv6}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set aggregate-hosts {enable | disable}
set resolve-apps {enable | disable}
set display-format {chart | table | line}
set view-type {real-time | historical}
set cpu-display-type {average | each}
set interface <string>
set dst-interface <string>
set tr-history-period1 <integer>
set tr-history-period2 <integer>
set tr-history-period3 <integer>
set vdom <string>
set refresh {enable | disable}
set status {close | open}
set protocols <integer>
set show-system-restart {enable | disable}
set show-conserve-mode {enable | disable}
set show-firmware-change {enable | disable}
set show-fds-update {enable | disable}
set show-device-update {enable | disable}
set show-fds-quota {enable | disable}
set show-disk-failure {enable | disable}
set show-power-supply {enable | disable}
set show-admin-auth {enable | disable}
set show-fgd-alert {enable | disable}
set show-fcc-license {enable | disable}
set show-policy-overflow {enable | disable}
end
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set guest-auth {disable | enable}
config guest-usergroups
edit <name_str>
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.

473

edit <name_str>
set name <string>
end
set guest-lang <string>
set history0 <password-2>
set history1 <password-2>
config login-time
edit <name_str>
set usr-name <string>
set last-login <datetime>
set last-failed-login <datetime>
end
config gui-global-menu-favorites
edit <name_str>
set id <string>
end
config gui-vdom-menu-favorites
edit <name_str>
set id <string>
end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | User name. | (Empty) |
| wildcard | Enable/disable wildcard RADIUS authentication. | disable |
| remote-auth | Enable/disable remote authentication. | disable |
| remote-group | User group name used for remote auth. | (Empty) |
| password | Admin user password. | ENC XXUp2ozpdysrQ |
| peer-auth | Enable/disable peer authentication. | disable |
| peer-group | Peer group name. | (Empty) |
| trusthost1 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost2 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost3 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost4 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost5 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost6 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost7 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost8 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost9 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| trusthost10 | Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. | 0.0.0.0 0.0.0.0 |
| ip6-trusthost1 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost2 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost3 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost4 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost5 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost6 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost7 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost8 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost9 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| ip6-trusthost10 | Admin user IPv6 trust host IP, default ::/0 for all. | ::/0 |
| accprofile | Admin user access profile. | (Empty) |
| allow-remove-adminsession | Enable/disable allow admin session to be removed by privileged admin users. | enable |
| comments | Comment. | (Empty) |
| hidden | Admin user hidden attribute. | |
| vdom | Virtual domains. | (Empty) |
| is-admin | Is user admin. | |
| ssh-public-key1 | SSH public key1. | (Empty) |
| ssh-public-key2 | SSH public key2. | (Empty) |
| ssh-public-key3 | SSH public key3. | (Empty) |
| ssh-certificate | SSH certificate. | (Empty) |
| schedule | Schedule name. | (Empty) |
| accprofile-override | Enable/disable allow access profile to be overridden from remote auth server. | disable |
| radius-vdom-override | Enable/disable allow VDOM to be overridden from RADIUS. | disable |
| password-expire | Password expire time. | 0000-00-00 00:00:00 |
| force-password-change | Enable/disable force password change on next login. | disable |
| dashboard | GUI custom dashboard. | (Empty) |
| two-factor | Enable/disable two-factor authentication. | disable |
| fortitoken | Two-factor recipient's FortiToken serial number. | (Empty) |
| email-to | Two-factor recipient's email address. | (Empty) |
| sms-server | Send SMS through FortiGuard or other external server. | fortiguard |
| sms-custom-server | Two-factor recipient's SMS server. | (Empty) |
| sms-phone | Two-factor recipient's mobile phone number. | (Empty) |
| guest-auth | Enable/disable guest authentication. | disable |
| guest-usergroups | Select guest user groups. | (Empty) |
| guest-lang | Guest management portal language. | (Empty) |
| history0 | history0 | ENC |
| history1 | history1 | ENC |
| login-time | Record user login time. | (Empty) |
| gui-global-menu-favorites | Favorite GUI menu IDs for the global VDOM. | (Empty) |
| gui-vdom-menu-favorites | Favorite GUI menu IDs for VDOMs. | (Empty) |
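Hardening an administrator account with the parameters listed above, as an added example that is not part of the reference. The account name, the management networks (RFC 5737/3849 documentation addresses) and the FortiToken serial are constructed placeholders; the token is assumed to be already imported and activated on the unit, and the `helpdesk-ro` profile is assumed to exist under `config system accprofile`, which is not covered on this page.

```text
# Weak form: a second full-access account, reachable from any address,
# protected by a password only.
config system admin
    edit "helpdesk"
        set accprofile "super_admin"
        set password "Placeholder-Change-Me"
    next
end

# Hardened form: least-privilege profile, trusted hosts, second factor,
# forced rotation. Same account, same name.
config system admin
    edit "helpdesk"
        # Profile carrying only the permissions the role needs (assumed to exist).
        set accprofile "helpdesk-ro"
        # Logins are accepted only from these sources. The remaining
        # trusthost2..10 / ip6-trusthost2..10 entries stay at their wildcard
        # default and are ignored once a specific trusted host is set.
        set trusthost1 192.0.2.0 255.255.255.0
        set trusthost2 198.51.100.10 255.255.255.255
        set ip6-trusthost1 2001:db8:10::/64
        # Second factor: serial is a placeholder for a token already registered.
        set two-factor fortitoken
        set fortitoken FTKPLACEHOLDER000
        # Initial password must be changed at first login and expires on the
        # given date (same format as the password-expire default above).
        set password "Placeholder-Change-Me"
        set force-password-change enable
        set password-expire 2016-12-31 00:00:00
        set comments "Helpdesk tier 1, owned by SecOps"
    next
end

# Review what was stored; the password appears only in its ENC form.
show system admin helpdesk
```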

system/alarm
CLI Syntax
config system alarm
edit <name_str>
set status {enable | disable}
set audible {enable | disable}
set sequence <integer>
config groups
edit <name_str>
set id <integer>
set period <integer>
set admin-auth-failure-threshold <integer>
set admin-auth-lockout-threshold <integer>
set user-auth-failure-threshold <integer>
set user-auth-lockout-threshold <integer>
set replay-attempt-threshold <integer>
set self-test-failure-threshold <integer>
set log-full-warning-threshold <integer>
set encryption-failure-threshold <integer>
set decryption-failure-threshold <integer>
config fw-policy-violations
edit <name_str>
set id <integer>
set threshold <integer>
set src-ip <ipv4-address>
set dst-ip <ipv4-address>
set src-port <integer>
set dst-port <integer>
end
set fw-policy-id <integer>
set fw-policy-id-threshold <integer>
end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable alarm. | disable |
| audible | Enable/disable audible alarm. | disable |
| sequence | Sequence ID of alarms. | |
| groups | Alarm groups. | (Empty) |

system/arp-table
CLI Syntax
config system arp-table
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set mac <mac-address>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Unique integer ID of the entry. | |
| interface | Interface name. | (Empty) |
| ip | IP address. | 0.0.0.0 |
| mac | MAC address. | 00:00:00:00:00:00 |

system/auto-install
CLI Syntax
config system auto-install
edit <name_str>
set auto-install-config {enable | disable}
set auto-install-image {enable | disable}
set default-config-file <string>
set default-image-file <string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| auto-install-config | Enable/disable auto install the config in USB disk. | disable |
| auto-install-image | Enable/disable auto install the image in USB disk. | disable |
| default-config-file | Default config file name in USB disk. | fgt_system.conf |
| default-image-file | Default image file name in USB disk. | image.out |

system/auto-script
CLI Syntax
config system auto-script
edit <name_str>
set name <string>
set interval <integer>
set repeat <integer>
set start {manual | auto}
set script <var-string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Auto script name. | (Empty) |
| interval | Repeat interval in seconds. | |
| repeat | Number of times to repeat this script (0 = infinite). | |
| start | Script starting mode. | manual |
| script | List of FortiOS CLI commands to repeat. | (Empty) |

system/central-management
CLI Syntax
config system central-management
edit <name_str>
set mode {normal | backup}
set type {fortimanager | fortiguard | none}
set schedule-config-restore {enable | disable}
set schedule-script-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-pushd-firmware {enable | disable}
set allow-remote-firmware-upgrade {enable | disable}
set allow-monitor {enable | disable}
set serial-number <user>
set fmg <string>
set fmg-source-ip <ipv4-address>
set fmg-source-ip6 <ipv6-address>
set vdom <string>
config server-list
edit <name_str>
set id <integer>
set server-type {update | rating}
set addr-type {ipv4 | ipv6 | fqdn}
set server-address <ipv4-address>
set server-address6 <ipv6-address>
set fqdn <string>
end
set include-default-servers {enable | disable}
set enc-algorithm {default | high | low}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| mode | Normal/backup management mode. | normal |
| type | Type of management server. | none |
| schedule-config-restore | Enable/disable scheduled configuration restore. | enable |
| schedule-script-restore | Enable/disable scheduled script restore. | enable |
| allow-push-configuration | Enable/disable push configuration. | enable |
| allow-pushd-firmware | Enable/disable push firmware. | enable |
| allow-remote-firmware-upgrade | Enable/disable remote firmware upgrade. | enable |
| allow-monitor | Enable/disable remote monitoring of device. | enable |
| serial-number | Serial number. | (Empty) |
| fmg | Address of FortiManager (IP or FQDN name). | (Empty) |
| fmg-source-ip | Source IPv4 address to use when connecting to FortiManager. | 0.0.0.0 |
| fmg-source-ip6 | Source IPv6 address to use when connecting to FortiManager. | :: |
| vdom | Virtual domain name. | root |
| server-list | FortiGuard override server list. | (Empty) |
| include-default-servers | Enable/disable inclusion of public FortiGuard servers in the override server list. | enable |
| enc-algorithm | Use SSL encryption. | high |

system/cluster-sync
CLI Syntax
config system cluster-sync
edit <name_str>
set sync-id <integer>
set peervd <string>
set peerip <ipv4-address>
config syncvd
edit <name_str>
set name <string>
end
config session-sync-filter
edit <name_str>
set srcintf <string>
set dstintf <string>
set srcaddr <ipv4-classnet-any>
set dstaddr <ipv4-classnet-any>
set srcaddr6 <ipv6-network>
set dstaddr6 <ipv6-network>
config custom-service
edit <name_str>
set id <integer>
set src-port-range <user>
set dst-port-range <user>
end
end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| sync-id | Sync ID. | |
| peervd | Peer connecting VDOM. | root |
| peerip | Peer connecting IP. | 0.0.0.0 |
| syncvd | VDOM of which sessions need to be synced. | (Empty) |
| session-sync-filter | Session sync filter. | Details below |

session-sync-filter

| Configuration | Default Value |
| --- | --- |
| srcintf | (Empty) |
| dstintf | (Empty) |
| srcaddr | 0.0.0.0 0.0.0.0 |
| dstaddr | 0.0.0.0 0.0.0.0 |
| srcaddr6 | ::/0 |
| dstaddr6 | ::/0 |
| custom-service | (Empty) |

system/console
CLI Syntax
config system console
edit <name_str>
set mode {batch | line}
set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
set output {standard | more}
set login {enable | disable}
set fortiexplorer {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| mode | Console mode. | line |
| baudrate | Console baud rate. | 9600 |
| output | Console output mode. | more |
| login | Enable/disable serial console and FortiExplorer. | enable |
| fortiexplorer | Enable/disable access for FortiExplorer. | enable |

system/custom-language
CLI Syntax
config system custom-language
edit <name_str>
set name <string>
set filename <string>
set comments <var-string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Name. | (Empty) |
| filename | Custom language file path. | (Empty) |
| comments | Comment. | (Empty) |

system/ddns
CLI Syntax
config system ddns
edit <name_str>
set ddnsid <integer>
set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-ttl <integer>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-domain <string>
set ddns-username <string>
set ddns-sn <string>
set ddns-password <password>
set use-public-ip {disable | enable}
set clear-text {disable | enable}
set ssl-certificate <string>
set bound-ip <ipv4-address>
config monitor-interface
edit <name_str>
set interface-name <string>
end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| ddnsid | DDNS ID. | |
| ddns-server | DDNS server. | (Empty) |
| ddns-server-ip | Generic DDNS server IP. | 0.0.0.0 |
| ddns-zone | Zone of your domain name (ex. DDNS.com). | (Empty) |
| ddns-ttl | TTL. | 300 |
| ddns-auth | DDNS authentication mode. | disable |
| ddns-keyname | DDNS update key name. | (Empty) |
| ddns-key | DDNS update key (base 64 encoding). | 'ENC ws+aR7RX+Kk/g41Bs0SWGbHac+vOTiv271HXGJTNf9n+sPaprfG5ubPEPH+8ZxccOuEMmsLafbDZ/F1ySfgOMVaRSxojcUfjSLNndHqBKYANZsnuAxu47RJMJ4A=' |
| ddns-domain | Your domain name (ex. yourname.DDNS.com). | (Empty) |
| ddns-username | DDNS user name. | (Empty) |
| ddns-sn | DDNS Serial Number. | (Empty) |
| ddns-password | DDNS password. | (Empty) |
| use-public-ip | Enable/disable use of public IP address. | disable |
| clear-text | Enable/disable use of clear text connection. | enable |
| ssl-certificate | Name of local certificate for SSL connection. | Fortinet_Factory |
| bound-ip | Bound IP address. | 0.0.0.0 |
| monitor-interface | Monitored interface. | (Empty) |

system/dedicated-mgmt
CLI Syntax
config system dedicated-mgmt
edit <name_str>
set status {enable | disable}
set interface <string>
set default-gateway <ipv4-address>
set dhcp-server {enable | disable}
set dhcp-netmask <ipv4-netmask>
set dhcp-start-ip <ipv4-address>
set dhcp-end-ip <ipv4-address>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable dedicated management. | disable |
| interface | Dedicated management interface. | (Empty) |
| default-gateway | Default gateway for dedicated management interface. | 0.0.0.0 |
| dhcp-server | Enable/disable DHCP server on management interface. | disable |
| dhcp-netmask | DHCP netmask. | 0.0.0.0 |
| dhcp-start-ip | DHCP start IP for dedicated management. | 0.0.0.0 |
| dhcp-end-ip | DHCP end IP for dedicated management. | 0.0.0.0 |

system/dns
CLI Syntax
config system dns
edit <name_str>
set primary <ipv4-address>
set secondary <ipv4-address>
set domain <string>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set dns-cache-limit <integer>
set dns-cache-ttl <integer>
set cache-notfound-responses {disable | enable}
set source-ip <ipv4-address>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| primary | Primary DNS IP. | 0.0.0.0 |
| secondary | Secondary DNS IP. | 0.0.0.0 |
| domain | Local domain name. | (Empty) |
| ip6-primary | IPv6 primary DNS IP. | :: |
| ip6-secondary | IPv6 secondary DNS IP. | :: |
| dns-cache-limit | Maximum number of entries in DNS cache. | 5000 |
| dns-cache-ttl | TTL in DNS cache. | 1800 |
| cache-notfound-responses | Enable/disable cache NOTFOUND responses from DNS server. | disable |
| source-ip | Source IP for communications to DNS server. | 0.0.0.0 |

system/dns-database
CLI Syntax
config system dns-database
edit <name_str>
set name <string>
set status {enable | disable}
set domain <string>
set allow-transfer <user>
set type {master | slave}
set view {shadow | public}
set ip-master <ipv4-address-any>
set primary-name <string>
set contact <string>
set ttl <integer>
set authoritative {enable | disable}
set forwarder <user>
set source-ip <ipv4-address>
config dns-entry
edit <name_str>
set id <integer>
set status {enable | disable}
set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
set ttl <integer>
set preference <integer>
set ip <ipv4-address-any>
set ipv6 <ipv6-address>
set hostname <string>
set canonical-name <string>
end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Zone name. | (Empty) |
| status | Enable/disable DNS zone status. | enable |
| domain | Domain name. | (Empty) |
| allow-transfer | DNS zone transfer IP address list. | (Empty) |
| type | Zone type ('master' to manage entries directly, 'slave' to import entries from outside). | master |
| view | Zone view ('public' to serve public clients, 'shadow' to serve internal clients). | shadow |
| ip-master | IP address of master DNS server to import entries of this zone. | 0.0.0.0 |
| primary-name | Domain name of the default DNS server for this zone. | dns |
| contact | Email address of the administrator for this zone. You can specify only the username (e.g. admin) or the full email address (e.g. admin.ca@test.com). When using a simple username, the domain of the email will be this zone. | hostmaster |
| ttl | Default time-to-live value in units of seconds for the entries of this zone (0 - 2147483647). | 86400 |
| authoritative | Enable/disable authoritative zone. | enable |
| forwarder | DNS zone forwarder IP address list. | (Empty) |
| source-ip | Source IP for forwarding to DNS server. | 0.0.0.0 |
| dns-entry | DNS entry. | (Empty) |

system/dns-server
CLI Syntax
config system dns-server
edit <name_str>
set name <string>
set mode {recursive | non-recursive | forward-only}
set dnsfilter-profile <string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | DNS server name. | (Empty) |
| mode | DNS server mode. | recursive |
| dnsfilter-profile | DNS filter profile. | (Empty) |

system/dscp-based-priority
CLI Syntax
config system dscp-based-priority
edit <name_str>
set id <integer>
set ds <integer>
set priority {low | medium | high}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| id | Item ID. | |
| ds | DSCP (DiffServ) DS value (0 - 63). | |
| priority | DSCP based priority level. | high |

system/email-server
CLI Syntax
config system email-server
edit <name_str>
set type {custom}
set reply-to <string>
set server <string>
set port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set authenticate {enable | disable}
set validate-server {enable | disable}
set username <string>
set password <password>
set security {none | starttls | smtps}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| type | Use FortiGuard Message service or custom server. | custom |
| reply-to | Reply-To email address. | (Empty) |
| server | SMTP server IP address or hostname. | (Empty) |
| port | SMTP server port. | 25 |
| source-ip | SMTP server source IP. | 0.0.0.0 |
| source-ip6 | SMTP server source IPv6. | :: |
| authenticate | Enable/disable authentication. | disable |
| validate-server | Enable/disable validation of server certificate. | disable |
| username | SMTP server user name for authentication. | (Empty) |
| password | SMTP server user password for authentication. | (Empty) |
| security | Connection security. | none |

system/fips-cc
CLI Syntax
config system fips-cc
edit <name_str>
set status {enable | disable}
set entropy-token {enable | disable | dynamic}
set error-flag {error-mode | exit-ready}
set error-cause {none | memory | disk | syslog}
set self-test-period <integer>
set key-generation-self-test {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FIPS-CC mode. | disable |
| entropy-token | Enable/disable/dynamic entropy token. | enable |
| error-flag | Hidden CC error flag. | (Empty) |
| error-cause | Hidden CC error cause. | none |
| self-test-period | Self test period. | 1440 |
| key-generation-self-test | Enable/disable self tests after key generation. | disable |

system/fm
CLI Syntax
config system fm
edit <name_str>
set status {enable | disable}
set id <string>
set ip <ipv4-address>
set vdom <string>
set auto-backup {enable | disable}
set scheduled-config-restore {enable | disable}
set ipsec {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FM. | disable |
| id | ID. | (Empty) |
| ip | IP address. | 0.0.0.0 |
| vdom | VDOM. | root |
| auto-backup | Enable/disable automatic backup. | disable |
| scheduled-config-restore | Enable/disable scheduled configuration restore. | disable |
| ipsec | Enable/disable IPsec. | disable |

system/fortiguard
CLI Syntax
config system fortiguard
edit <name_str>
set port {53 | 8888 | 80}
set service-account-id <string>
set load-balance-servers <integer>
set antispam-force-off {enable | disable}
set antispam-cache {enable | disable}
set antispam-cache-ttl <integer>
set antispam-cache-mpercent <integer>
set antispam-license <integer>
set antispam-expiration <integer>
set antispam-timeout <integer>
set avquery-force-off {}
set avquery-cache {}
set avquery-cache-ttl <integer>
set avquery-cache-mpercent <integer>
set avquery-license <integer>
set avquery-timeout <integer>
set webfilter-force-off {enable | disable}
set webfilter-cache {enable | disable}
set webfilter-cache-ttl <integer>
set webfilter-license <integer>
set webfilter-expiration <integer>
set webfilter-timeout <integer>
set sdns-server-ip <user>
set sdns-server-port <integer>
set source-ip <ipv4-address>
set source-ip6 <ipv6-address>
set ddns-server-ip <ipv4-address>
set ddns-server-port <integer>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| port | Port used to communicate with the FortiGuard servers. | 53 |
| service-account-id | Service account ID. | (Empty) |
| load-balance-servers | Number of servers to alternate between as first FortiGuard option. | |
| antispam-force-off | Enable/disable forcibly disabling the service. | disable |
| antispam-cache | Enable/disable FortiGuard antispam cache. | enable |
| antispam-cache-ttl | Time-to-live for cache entries in seconds (300 - 86400). | 1800 |
| antispam-cache-mpercent | Maximum percent of memory the cache is allowed to use (1 - 15%). | |
| antispam-license | License type. | 4294967295 |
| antispam-expiration | License expiration. | |
| antispam-timeout | Query time out (1 - 30 sec). | |
| avquery-force-off | avquery-force-off | |
| avquery-cache | avquery-cache | |
| avquery-cache-ttl | avquery-cache-ttl | |
| avquery-cache-mpercent | avquery-cache-mpercent | |
| avquery-license | avquery-license | |
| avquery-timeout | avquery-timeout | |
| webfilter-force-off | Enable/disable forcibly disabling the service. | disable |
| webfilter-cache | Enable/disable FortiGuard webfilter cache. | enable |
| webfilter-cache-ttl | Time-to-live for cache entries in seconds (300 - 86400). | 3600 |
| webfilter-license | License type. | 4294967295 |
| webfilter-expiration | License expiration. | |
| webfilter-timeout | Query time out (1 - 30 sec). | 15 |
| sdns-server-ip | IP address of the FortiDNS server. | (Empty) |
| sdns-server-port | Port used to communicate with the FortiDNS servers. | 53 |
| source-ip | Source IPv4 address used to communicate with the FortiGuard service. | 0.0.0.0 |
| source-ip6 | Source IPv6 address used to communicate with the FortiGuard service. | :: |
| ddns-server-ip | IP address of the FortiDDNS server. | 0.0.0.0 |
| ddns-server-port | Port used to communicate with the FortiDDNS servers. | 443 |

system/fortimanager
CLI Syntax
config system fortimanager
edit <name_str>
set ip <ipv4-address-any>
set vdom <string>
set ipsec {enable | disable}
set central-management {enable | disable}
set central-mgmt-auto-backup {enable | disable}
set central-mgmt-schedule-config-restore {enable | disable}
set central-mgmt-schedule-script-restore {enable | disable}
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| ip | IP address. | 0.0.0.0 |
| vdom | Virtual domain name. | root |
| ipsec | Enable/disable FortiManager IPsec tunnel. | disable |
| central-management | Enable/disable FortiManager central management. | disable |
| central-mgmt-auto-backup | Enable/disable central management auto backup. | disable |
| central-mgmt-schedule-config-restore | Enable/disable central management schedule config restore. | disable |
| central-mgmt-schedule-script-restore | Enable/disable central management schedule script restore. | disable |

system/fortisandbox
CLI Syntax
config system fortisandbox
edit <name_str>
set status {enable | disable}
set server <ipv4-address-any>
set source-ip <ipv4-address>
set enc-algorithm {default | high | low | disable}
set email <string>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FortiSandbox. | disable |
| server | Server IP. | 0.0.0.0 |
| source-ip | Source IP for communications to FortiSandbox. | 0.0.0.0 |
| enc-algorithm | Enable/disable sending of FortiSandbox data with SSL encryption. | default |
| email | Notifier email address. | (Empty) |

system/fsso-polling
CLI Syntax
config system fsso-polling
edit <name_str>
set status {enable | disable}
set listening-port <integer>
set authentication {enable | disable}
set auth-password <password>
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| status | Enable/disable FSSO Polling Mode status. | enable |
| listening-port | Listening port to accept clients. | 8000 |
| authentication | Enable/disable FSSO Agent Authentication status. | disable |
| auth-password | Password to connect to FSSO Agent. | (Empty) |

system/geoip-override
CLI Syntax
config system geoip-override
edit <name_str>
set name <string>
set description <string>
set country-id <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
end

Description

| Configuration | Description | Default Value |
| --- | --- | --- |
| name | Location name. | (Empty) |
| description | Description. | (Empty) |
| country-id | Country ID. | (Empty) |
| ip-range | IP range. | (Empty) |

system/global
CLI Syntax
config system global
edit <name_str>
set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
set gui-ipv6 {enable | disable}
set gui-certificates {enable | disable}
set gui-custom-language {enable | disable}
set gui-wireless-opensecurity {enable | disable}
set gui-display-hostname {enable | disable}
set gui-lines-per-page <integer>
set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
set admin-https-banned-cipher {rc4 | low}
set admintimeout <integer>
set admin-console-timeout <integer>
set admin-concurrent {enable | disable}
set admin-lockout-threshold <integer>
set admin-lockout-duration <integer>
set refresh <integer>
set interval <integer>
set failtime <integer>
set daily-restart {enable | disable}
set restart-time <user>
set radius-port <integer>
set admin-login-max <integer>
set remoteauthtimeout <integer>
set ldapconntimeout <integer>
set batch-cmdb {enable | disable}
set max-dlpstat-memory <integer>
set dst {enable | disable}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set ntpserver <string>
set ntpsync {enable | disable}
set syncinterval <integer>
set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high}
set anti-replay {disable | loose | strict}
set send-pmtu-icmp {enable | disable}
set honor-df {enable | disable}
set split-port <user>
set revision-image-auto-backup {enable | disable}
set revision-backup-on-logout {enable | disable}
set management-vdom <string>
set hostname <string>
set alias <string>
set strong-crypto {enable | disable}
set ssh-cbc-cipher {enable | disable}
set ssh-hmac-md5 {enable | disable}
set snat-route-change {enable | disable}
set cli-audit-log {enable | disable}
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set fds-statistics {enable | disable}
set fds-statistics-period <integer>
set multicast-forward {enable | disable}
set mc-ttl-notchange {enable | disable}
set asymroute {enable | disable}
set tcp-option {enable | disable}
set phase1-rekey {enable | disable}
set lldp-transmission {enable | disable}
set explicit-proxy-auth-timeout <integer>
set sys-perf-log-interval <integer>
set check-protocol-header {loose | strict}
set vip-arp-range {unlimited | restricted}
set optimize {antivirus | session-setup | throughput}
set reset-sessionless-tcp {enable | disable}
set allow-traffic-redirect {enable | disable}
set strict-dirty-session-check {enable | disable}
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set block-session-timer <integer>
set ip-src-port-range <user>
set pre-login-banner {enable | disable}
set post-login-banner {disable | enable}
set tftp {enable | disable}
set av-failopen {pass | idledrop | off | one-shot}
set av-failopen-session {enable | disable}
set check-reset-range {strict | disable}
set vdom-admin {enable | disable}
set admin-port <integer>
set admin-sport <integer>
set admin-https-redirect {enable | disable}
set admin-ssh-password {enable | disable}
set admin-ssh-port <integer>
set admin-ssh-grace-time <integer>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <integer>
set admin-maintainer {enable | disable}
set admin-server-cert <string>
set user-server-cert <string>
set admin-https-pki-required {enable | disable}
set wifi-certificate <string>
set wifi-ca-certificate <string>
set auth-http-port <integer>
set auth-https-port <integer>
set auth-keepalive {enable | disable}
set policy-auth-concurrent <integer>
set auth-cert <string>
set clt-cert-req {enable | disable}
set fortiservice-port <integer>
set endpoint-control-portal-port <integer>
set endpoint-control-fds-access {enable | disable}
set tp-mc-skip-policy {enable | disable}
set cfg-save {automatic | manual | revert}
set cfg-revert-timeout <integer>
set reboot-upon-config-restore {enable | disable}
set admin-scp {enable | disable}
set registration-notification {enable | disable}
set service-expire-notification {enable | disable}
set wireless-controller {enable | disable}
set wireless-controller-port <integer>
set fortiextender-data-port <integer>
set fortiextender {enable | disable}
set switch-controller {disable | enable}
set switch-controller-reserved-network <ipv4-classnet>
set proxy-worker-count <integer>
set scanunit-count <integer>
set ssl-worker-count <integer>
set proxy-kxp-hardware-acceleration {disable | enable}
set proxy-cipher-hardware-acceleration {disable | enable}
set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
set ipsec-hmac-offload {enable | disable}
set ipv6-accept-dad <integer>
set csr-ca-attribute {enable | disable}
set wimax-4g-usb {enable | disable}
set cert-chain-max <integer>
set sslvpn-max-worker-count <integer>
set sslvpn-kxp-hardware-acceleration {enable | disable}
set sslvpn-cipher-hardware-acceleration {enable | disable}
set sslvpn-plugin-version-check {enable | disable}
set two-factor-ftk-expiry <integer>
set two-factor-email-expiry <integer>
set two-factor-sms-expiry <integer>
set two-factor-fac-expiry <integer>
set two-factor-ftm-expiry <integer>
set per-user-bwl {enable | disable}
set virtual-server-count <integer>
set virtual-server-hardware-acceleration {disable | enable}
set wad-worker-count <integer>
set login-timestamp {enable | disable}
set miglogd-children <integer>
set special-file-23-support {disable | enable}
set log-uuid {disable | policy-only | extended}
set arp-max-entry <integer>
set ips-affinity <string>
set av-affinity <string>
set miglog-affinity <string>
set ndp-max-entry <integer>
set br-fdb-max-entry <integer>
set max-route-cache-size <integer>
set ipsec-asic-offload {enable | disable}
set device-idle-timeout <integer>
set device-identification-active-scan-delay <integer>
set compliance-check {enable | disable}
set compliance-check-time <time>
set gui-device-latitude <string>
set gui-device-longitude <string>
set private-data-encryption {disable | enable}
set auto-auth-extension-device {enable | disable}
set gui-theme {green | red | blue | melongene | mariner}
set igmp-state-limit <integer>
end

Description

Configuration | Description | Default Value
language | GUI display language. | english
gui-ipv6 | Enable/disable IPv6 settings in GUI. | disable
gui-certificates | Enable/disable certificates configuration in GUI. | enable
gui-custom-language | Enable/disable custom languages in GUI. | disable
gui-wireless-opensecurity | Enable/disable wireless open security option in GUI. | disable
gui-display-hostname | Enable/disable display of hostname on GUI login page. | disable
gui-lines-per-page | Number of lines to display per page for web administration. | 50
admin-https-ssl-versions | Allowed SSL/TLS versions for web administration. | tlsv1-1 tlsv1-2
admin-https-banned-cipher | Banned ciphers for web administration. | rc4 low
admintimeout | Idle time-out for firewall administration. |
admin-console-timeout | Idle time-out for console. |
admin-concurrent | Enable/disable admin concurrent login. | enable
admin-lockout-threshold | Lockout threshold for firewall administration. |
admin-lockout-duration | Lockout duration (sec) for firewall administration. | 60
refresh | Statistics refresh interval in GUI. |
interval | Dead gateway detection interval. |
failtime | Fail-time for server lost. |
daily-restart | Enable/disable firewall daily reboot. | disable
restart-time | Daily restart time (hh:mm). | 00:00
radius-port | RADIUS service port number. | 1812
admin-login-max | Maximum number of admin users logged in at one time (1 - 100). | 100
remoteauthtimeout | Remote authentication (RADIUS/LDAP) time-out. |
ldapconntimeout | LDAP connection time-out (0 - 4294967295 milliseconds). | 500
batch-cmdb | Enable/disable batch mode to execute in CMDB server. | enable
max-dlpstat-memory | Maximum DLP stat memory (0 - 4294967295). |
dst | Enable/disable daylight saving time. | enable
timezone | Time zone. | 00
ntpserver | IP address/hostname of NTP Server. | (Empty)
ntpsync | Enable/disable synchronization with NTP Server. | disable
syncinterval | NTP synchronization interval. |
traffic-priority | Traffic priority type. | tos
traffic-priority-level | Default TOS/DSCP priority level. | medium
anti-replay | Anti-replay control. | strict
send-pmtu-icmp | Enable/disable sending of PMTU ICMP destination unreachable packet. | enable
honor-df | Enable/disable honoring Don't-Fragment flag. | enable
split-port | Split port(s) to multiple 10Gbps ports. | (Empty)
revision-image-auto-backup | Enable/disable automatic revision image backup when upgrading image. | disable
revision-backup-on-logout | Enable/disable automatic revision config backup on logout. | disable
management-vdom | Management virtual domain name. | root
hostname | Firewall hostname. | (Empty)
alias | Device alias. | (Empty)
strong-crypto | Enable/disable strong crypto for HTTPS/SSH access. | enable
ssh-cbc-cipher | Enable/disable CBC cipher for SSH access. | enable
ssh-hmac-md5 | Enable/disable HMAC-MD5 for SSH access. | enable
snat-route-change | Enable/disable SNAT route change. | disable
cli-audit-log | Enable/disable CLI audit log. | disable
dh-params | Minimum size of Diffie-Hellman prime for HTTPS/SSH. | 2048
fds-statistics | Enable/disable FortiGuard statistics. | enable
fds-statistics-period | FortiGuard statistics update period (1 - 1440 min, default = 60 min). | 60
multicast-forward | Enable/disable multicast forwarding. | enable
mc-ttl-notchange | Enable/disable no modification of multicast TTL. | disable
asymroute | Enable/disable asymmetric route. | disable
tcp-option | Enable/disable TCP option. | enable
phase1-rekey | Enable/disable phase1 rekey. | enable
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. | disable
explicit-proxy-auth-timeout | Authentication timeout (sec) for idle sessions in explicit web proxy. | 300
sys-perf-log-interval | The interval of performance statistics logging. |
check-protocol-header | Level of checking protocol header. | loose
vip-arp-range | Control ARP behavior for VIP ranges. | restricted
optimize | Firmware optimization option. | antivirus
reset-sessionless-tcp | Enable/disable reset session-less TCP. | disable
allow-traffic-redirect | Enable/disable allow traffic redirect. | enable
strict-dirty-session-check | Enable/disable strict dirty-session check. | enable
tcp-halfclose-timer | TCP half close timeout (1 - 86400 sec, default = 120). | 120
tcp-halfopen-timer | TCP half open timeout (1 - 86400 sec, default = 10). | 10
tcp-timewait-timer | TCP time wait timeout (0 - 300 sec, default = 1). |
udp-idle-timer | UDP idle timeout (1 - 86400 sec, default = 180). | 180
block-session-timer | Block-session timeout (1 - 300 sec, default = 30 sec). | 30
ip-src-port-range | IP source port range for firewall originated traffic. | 1024-25000
pre-login-banner | Enable/disable pre-login-banner. | disable
post-login-banner | Enable/disable post-login-banner. | disable
tftp | Enable/disable TFTP. | enable
av-failopen | AV fail open option. | pass
av-failopen-session | Enable/disable AV fail open session option. | disable
check-reset-range | Drop RST packets if out-of-window. | disable
vdom-admin | Enable/disable multiple VDOMs mode. | disable
admin-port | Admin access HTTP port (1 - 65535). | 80
admin-sport | Admin access HTTPS port (1 - 65535). | 443
admin-https-redirect | Enable/disable redirection of HTTP admin traffic to HTTPS. | enable
admin-ssh-password | Enable/disable password authentication for SSH admin access. | enable
admin-ssh-port | Admin access SSH port (1 - 65535). | 22
admin-ssh-grace-time | Admin access login grace time (10 - 3600 sec). | 120
admin-ssh-v1 | Enable/disable SSH v1 compatibility. | disable
admin-telnet-port | Admin access TELNET port (1 - 65535). | 23
admin-maintainer | Enable/disable login of maintainer user. | enable
admin-server-cert | Admin HTTPS server certificate. | Fortinet_Factory
user-server-cert | User HTTPS server certificate. | Fortinet_Factory
admin-https-pki-required | Enable/disable require HTTPS login page when PKI is enabled. | disable
wifi-certificate | WiFi certificate for WPA. | Fortinet_Wifi
wifi-ca-certificate | WiFi CA certificate for WPA. | Fortinet_Wifi_CA
auth-http-port | Authentication HTTP port (1 - 65535). | 1000
auth-https-port | Authentication HTTPS port (1 - 65535). | 1003
auth-keepalive | Enable/disable use of keep alive to extend authentication. | disable
policy-auth-concurrent | Concurrent users allowed to pass firewall authentication. |
auth-cert | HTTPS server certificate for policy authentication. | Fortinet_Factory
clt-cert-req | Enable/disable require client certificate for GUI login. | disable
fortiservice-port | FortiService port number (default = 8013). | 8013
endpoint-control-portal-port | Endpoint control portal port (1 - 65535). | 8009
endpoint-control-fds-access | Enable/disable access to FortiGuard servers for non-compliant endpoints. | enable
tp-mc-skip-policy | Enable/disable skip policy check and allow multicast through. | disable
cfg-save | Configuration file save mode for changes made using the CLI. | automatic
cfg-revert-timeout | Time-out for reverting to the last saved configuration. | 600
reboot-upon-config-restore | Enable/disable reboot of system upon restoring configuration. | enable
admin-scp | Enable/disable system configuration download by SCP. | disable
registration-notification | Enable/disable license registration notification. | enable
service-expire-notification | Enable/disable service expiration notification. | enable
wireless-controller | Enable/disable wireless controller. | enable
wireless-controller-port | Local wireless controller port (1024 - 49150). | 5246
fortiextender-data-port | FortiExtender controller data port (1024 - 49150). | 25246
fortiextender | Enable/disable FortiExtender controller. | disable
switch-controller | Enable/disable switch controller feature. | disable
switch-controller-reserved-network | Reserved network for switch-controller. | 169.254.0.0 255.255.0.0
proxy-worker-count | Proxy worker count. | 16
scanunit-count | Scanunit count. | 39
ssl-worker-count | SSL worker count (0 - 4294967295). |
proxy-kxp-hardware-acceleration | Enable/disable use of content processor to encrypt or decrypt traffic. | enable
proxy-cipher-hardware-acceleration | Enable/disable use of content processor to encrypt or decrypt traffic. | enable
fgd-alert-subscription | FortiGuard alert subscription. | (Empty)
ipsec-hmac-offload | Enable/disable offload HMAC to hardware for IPsec VPN. | enable
ipv6-accept-dad | Enable/disable acceptance of IPv6 DAD (Duplicate Address Detection). 0: Disable DAD; 1: Enable DAD (default); 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found. |
csr-ca-attribute | Enable/disable CSR CA attribute. | enable
wimax-4g-usb | Enable/disable WiMAX USB device. | disable
cert-chain-max | Maximum depth for certificate chain. |
sslvpn-max-worker-count | Maximum number of worker processes for SSL-VPN. | 39
sslvpn-kxp-hardware-acceleration | Enable/disable KXP SSL-VPN hardware acceleration. | disable
sslvpn-cipher-hardware-acceleration | Enable/disable SSL-VPN cipher hardware acceleration. | disable
sslvpn-plugin-version-check | Enable/disable SSL-VPN automatic checking of browser plug-in version. | enable
two-factor-ftk-expiry | Expiration time for FortiToken authentication (60 - 600 sec, default = 60 sec). | 60
two-factor-email-expiry | Expiration time for email token authentication (30 - 300 sec, default = 60 sec). | 60
two-factor-sms-expiry | Expiration time for SMS token authentication (30 - 300 sec, default = 60 sec). | 60
two-factor-fac-expiry | Expiration time for FortiAuthenticator token authentication (10 - 3600 sec, default = 60 sec). | 60
two-factor-ftm-expiry | Expiration time for FortiToken Mobile provisioning (1 - 168 hr, default = 72 hr). | 72
per-user-bwl | Enable/disable per-user black/white list filter. | disable
virtual-server-count | Number of concurrent virtual server workers. | 20
virtual-server-hardware-acceleration | Enable/disable use of content processor to encrypt or decrypt traffic. | enable
wad-worker-count | Number of concurrent WAD workers. | 20
login-timestamp | Enable/disable login time recording. | disable
miglogd-children | Number of miglog children. |
special-file-23-support | Enable/disable support for special file 23. | disable
log-uuid | Universally Unique Identifier (UUID) log option. | policy-only
arp-max-entry | Maximum number of ARP table entries (set to 131,072 or higher). | 131072
ips-affinity | Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). |
av-affinity | Affinity setting for AV scanning (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). |
miglog-affinity | Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). |
ndp-max-entry | Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). |
br-fdb-max-entry | Maximum number of bridge forwarding database entries (set to 8192 or higher). | 8192
max-route-cache-size | Maximum number of IP route cache entries (0 - 2147483647). |
ipsec-asic-offload | Enable/disable ASIC offload for IPsec VPN. | enable
device-idle-timeout | Device idle timeout (30 - 31536000 sec, default = 300 sec). | 300
device-identification-active-scan-delay | How many seconds (20 - 3600, default 90) to passively scan a device before performing an active scan. | 90
compliance-check | Enable/disable global PCI DSS compliance check. | enable
compliance-check-time | PCI DSS compliance check time. | 00:00:00
gui-device-latitude | Physical device latitude coordinate. | (Empty)
gui-device-longitude | Physical device longitude coordinate. | (Empty)
private-data-encryption | Enable/disable private data encryption using an AES 128-bit key. | disable
auto-auth-extension-device | Enable/disable automatic authorization of dedicated Fortinet extension device globally. | enable
gui-theme | Color scheme to use for the administration GUI. | green
igmp-state-limit | Maximum IGMP memberships (96 - 64000, default = 3200). | 3200

system/gre-tunnel
CLI Syntax
config system gre-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set sequence-number-transmission {disable | enable}
set sequence-number-reception {disable | enable}
set checksum-transmission {disable | enable}
set checksum-reception {disable | enable}
set key-outbound <integer>
set key-inbound <integer>
set dscp-copying {disable | enable}
set auto-asic-offload {enable | disable}
set keepalive-interval <integer>
set keepalive-failtimes <integer>
end

Description

Configuration | Description | Default Value
name | Tunnel name. | (Empty)
interface | Interface name. | (Empty)
remote-gw | IP address of the remote gateway. | 0.0.0.0
local-gw | IP address of the local gateway. | 0.0.0.0
sequence-number-transmission | Enable/disable inclusion of sequence number in transmitted GRE packets. | disable
sequence-number-reception | Enable/disable validation of sequence number in received GRE packets. | disable
checksum-transmission | Enable/disable inclusion of checksum in transmitted GRE packets. | disable
checksum-reception | Enable/disable validation of checksum in received GRE packets. | disable
key-outbound | Include this key in transmitted GRE packets (0 - 4294967295). |
key-inbound | Require received GRE packets to contain this key (0 - 4294967295). |
dscp-copying | Enable/disable DSCP copying. | disable
auto-asic-offload | Enable/disable tunnel ASIC offloading. | enable
keepalive-interval | Keepalive message interval (0 - 32767, 0 = disabled). |
keepalive-failtimes | Number of consecutive unreturned keepalive messages before GRE connection is considered down (1 - 255). | 10

system/ha
CLI Syntax
config system ha
edit <name_str>
set group-id <integer>
set group-name <string>
set mode {standalone | a-a | a-p}
set password <password>
set key <password>
set hbdev <user>
set session-sync-dev <user>
set route-ttl <integer>
set route-wait <integer>
set route-hold <integer>
set load-balance-all {enable | disable}
set sync-config {enable | disable}
set encryption {enable | disable}
set authentication {enable | disable}
set hb-interval <integer>
set hb-lost-threshold <integer>
set helo-holddown <integer>
set gratuitous-arps {enable | disable}
set arps <integer>
set arps-interval <integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-pickup-delay {enable | disable}
set session-sync-daemon-number <integer>
set link-failed-signal {enable | disable}
set uninterruptible-upgrade {enable | disable}
set standalone-mgmt-vdom {enable | disable}
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <string>
set ha-mgmt-interface-gateway <ipv4-address>
set ha-mgmt-interface-gateway6 <ipv6-address>
set ha-eth-type <string>
set hc-eth-type <string>
set l2ep-eth-type <string>
set ha-uptime-diff-margin <integer>
set standalone-config-sync {enable | disable}
set vcluster2 {enable | disable}
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
set weight <user>
set cpu-threshold <user>
set memory-threshold <user>
set http-proxy-threshold <user>
set ftp-proxy-threshold <user>
set imap-proxy-threshold <user>
set nntp-proxy-threshold <user>
set pop3-proxy-threshold <user>
set smtp-proxy-threshold <user>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set pingserver-flip-timeout <integer>
set vdom <user>
config secondary-vcluster
edit <name_str>
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set vdom <user>
end
set ha-direct {enable | disable}
end

Description

Configuration | Description | Default Value
group-id | Group ID (0 - 255). |
group-name | Group name. | (Empty)
mode | Mode. | standalone
password | Password. | (Empty)
key | Key. | (Empty)
hbdev | Heartbeat interfaces. | "port1" 50 "mgmt1" 50
session-sync-dev | Session sync interfaces. | (Empty)
route-ttl | HA route TTL on master (5 - 3600 sec). | 10
route-wait | Route update wait time (0 - 3600 sec). |
route-hold | Wait time between route updates (0 - 3600 sec). | 10
load-balance-all | Enable/disable load balance. | disable
sync-config | Enable/disable configuration synchronization. | enable
encryption | Enable/disable HA message encryption. | disable
authentication | Enable/disable HA message authentication. | disable
hb-interval | Configure heartbeat interval (1 - 20 (100*ms)). |
hb-lost-threshold | Lost heartbeat threshold (1 - 60). |
helo-holddown | Configure hello state hold-down time (5 - 300 sec). | 20
gratuitous-arps | Enable/disable gratuitous ARPs. | enable
arps | Configure number of gratuitous ARPs (1 - 60). |
arps-interval | Configure gratuitous ARPs interval (1 - 20 sec). |
session-pickup | Enable/disable session pickup. | disable
session-pickup-connectionless | Enable/disable pickup of non-TCP sessions. | disable
session-pickup-expectation | Enable/disable pickup of expectation sessions. | disable
session-pickup-nat | Enable/disable pickup of NATed sessions. | disable
session-pickup-delay | Enable/disable delaying session sync by 30 seconds. | disable
session-sync-daemon-number | Session sync daemon process number. |
link-failed-signal | Enable/disable link failed signal. | disable
uninterruptible-upgrade | Enable/disable uninterruptible HA upgrade. | enable
standalone-mgmt-vdom | Enable/disable standalone management VDOM. | disable
ha-mgmt-status | Enable/disable HA management interface reservation. | disable
ha-mgmt-interface | Reserved interface of HA management. | (Empty)
ha-mgmt-interface-gateway | Gateway for reserved interface of HA management. | 0.0.0.0
ha-mgmt-interface-gateway6 | IPv6 gateway for reserved interface of HA management. | ::
ha-eth-type | HA Ethernet type (4-digit hex). | 8890
hc-eth-type | HC Ethernet type (4-digit hex). | 8891
l2ep-eth-type | L2EP Ethernet type (4-digit hex). | 8893
ha-uptime-diff-margin | HA uptime difference margin (sec). | 300
standalone-config-sync | Enable/disable standalone config sync. | disable
vcluster2 | Enable/disable secondary virtual cluster. | disable
vcluster-id | Cluster ID. |
override | Enable/disable master HA unit overriding. | disable
priority | Priority value (0 - 255). | 128
override-wait-time | Override wait time (0 - 3600 sec). |
schedule | Schedule. | round-robin
weight | Weight for weight-round-robin schedule. | 40
cpu-threshold | CPU threshold weight. | 500
memory-threshold | Memory threshold weight. | 500
http-proxy-threshold | HTTP proxy threshold. | 500
ftp-proxy-threshold | FTP proxy threshold. | 500
imap-proxy-threshold | IMAP proxy threshold. | 500
nntp-proxy-threshold | NNTP proxy threshold. | 500
pop3-proxy-threshold | POP3 proxy threshold. | 500
smtp-proxy-threshold | SMTP proxy threshold. | 500
monitor | Interfaces to monitor. | (Empty)
pingserver-monitor-interface | Monitor interfaces that have PING server enabled. | (Empty)
pingserver-failover-threshold | Threshold at which HA failover occurs upon PING server failure (0 - 50). |
pingserver-slave-force-reset | Enable/disable force reset of slave after PING server failure. | enable
pingserver-flip-timeout | Minutes to wait before HA failover flip-flop. | 60
vdom | VDOM members. | (Empty)
secondary-vcluster | Secondary virtual cluster. | Details below

secondary-vcluster

Configuration | Default Value
vcluster-id | 1
override | enable
priority | 128
override-wait-time | 0
monitor | (Empty)
pingserver-monitor-interface | (Empty)
pingserver-failover-threshold | 0
pingserver-slave-force-reset | enable
vdom | (Empty)

Configuration | Description | Default Value
ha-direct | Enable/disable sending of messages (logs, SNMP, RADIUS) directly from ha-mgmt interface. | disable
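The system/global and system/ha tables above list several management-plane defaults that a reviewer would want to check on a deployed unit: ssh-cbc-cipher, ssh-hmac-md5 and tftp default to enable, while cli-audit-log and HA encryption/authentication default to disable. The following Python auditor is an added example, not code from this reference or from Fortinet. It parses the config/set/end text the CLI prints for `show system global` and `show system ha`, fills in absent settings from the defaults listed above, and reports the settings whose effective value is permissive. The sample dump is constructed, the function names are the example's own, and the choice of which values count as weak (including the 2048-bit floor for dh-params) is an assumption of this example rather than a Fortinet recommendation.

```python
"""Audit a FortiOS `show system global` / `show system ha` dump for weak settings (added example)."""
import shlex
from typing import Dict, List, Tuple

Settings = Dict[str, Dict[str, List[str]]]
Finding = Tuple[str, str, str, str]  # (section, setting, effective value, reason)

# Constructed sample in the CLI's own config/set/end format, not captured from
# a real device. Several settings are deliberately left permissive.
SAMPLE_DUMP = """\
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set admin-ssh-v1 enable
    set dh-params 1024
end
config system ha
    set group-name "cluster-a"
    set mode a-p
    set password ENC placeholder
    set hbdev "port1" 50 "mgmt1" 50
end
"""

# Defaults as listed in the system/global and system/ha tables above. `show`
# omits settings left at their default, so an absent setting takes this value.
PAGE_DEFAULTS: Settings = {
    "system/global": {
        "admin-https-ssl-versions": ["tlsv1-1", "tlsv1-2"], "admin-ssh-v1": ["disable"],
        "ssh-cbc-cipher": ["enable"], "ssh-hmac-md5": ["enable"], "strong-crypto": ["enable"],
        "tftp": ["enable"], "cli-audit-log": ["disable"], "dh-params": ["2048"]},
    "system/ha": {"mode": ["standalone"], "encryption": ["disable"], "authentication": ["disable"]},
}

# (section, setting) -> (value that counts as weak, reason). The HA entries are
# only checked once the unit is clustered. Choices are this example's, not Fortinet's.
WEAK_WHEN = {
    ("system/global", "admin-ssh-v1"): ("enable", "SSH v1 compatibility enabled"),
    ("system/global", "ssh-cbc-cipher"): ("enable", "CBC ciphers allowed for SSH (page default)"),
    ("system/global", "ssh-hmac-md5"): ("enable", "HMAC-MD5 allowed for SSH (page default)"),
    ("system/global", "tftp"): ("enable", "TFTP enabled (page default)"),
    ("system/global", "strong-crypto"): ("disable", "strong crypto for HTTPS/SSH disabled"),
    ("system/global", "cli-audit-log"): ("disable", "CLI audit log disabled (page default)"),
    ("system/ha", "encryption"): ("disable", "HA messages not encrypted (page default)"),
    ("system/ha", "authentication"): ("disable", "HA messages not authenticated (page default)"),
}


def parse_fortios_config(text: str) -> Settings:
    """Parse config/edit/set/next/end lines into {section: {setting: tokens}}; the
    section key is the config path joined with '/', e.g. 'system/global'."""
    sections: Settings = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the CLI's double-quoted values
        kw = tokens[0]
        if kw == "config":
            stack.append("/".join(tokens[1:]))
        elif kw == "edit":
            stack.append(tokens[1] if len(tokens) > 1 else "")
        elif kw in ("next", "end") and stack:
            stack.pop()
        elif kw == "set" and stack and len(tokens) > 1:
            sections.setdefault("/".join(stack), {})[tokens[1]] = tokens[2:]
    return sections


def effective(sections: Settings, section: str, name: str) -> List[str]:
    """Explicit value if set, else the page default, else [] (unknown)."""
    explicit = sections.get(section, {}).get(name)
    return explicit if explicit is not None else PAGE_DEFAULTS.get(section, {}).get(name, [])


def audit(sections: Settings) -> List[Finding]:
    """Flag settings whose effective value weakens admin access or HA messaging."""
    findings: List[Finding] = []
    clustered = effective(sections, "system/ha", "mode") != ["standalone"]

    def flag(section: str, name: str, reason: str) -> None:
        value = " ".join(effective(sections, section, name)) or "(unset)"
        findings.append((section, name, value, reason))

    g = "system/global"
    if "tlsv1-0" in effective(sections, g, "admin-https-ssl-versions"):
        flag(g, "admin-https-ssl-versions", "TLS 1.0 accepted for web administration")
    dh = effective(sections, g, "dh-params")
    if dh and dh[0].isdigit() and int(dh[0]) < 2048:
        flag(g, "dh-params", "Diffie-Hellman prime shorter than 2048 bits")
    for (section, name), (weak, reason) in WEAK_WHEN.items():
        if section == "system/ha" and not clustered:
            continue
        if effective(sections, section, name) == [weak]:
            flag(section, name, reason)
    return findings


if __name__ == "__main__":
    for section, name, value, reason in audit(parse_fortios_config(SAMPLE_DUMP)):
        print(f"{section:14} {name:26} {value:24} {reason}")
```

Run it as a script to print the findings for the sample, or call `audit(parse_fortios_config(text))` on saved CLI output. Because `show` omits defaults, a unit with nothing configured beyond the factory values listed above still produces four findings; `show full-configuration` output parses the same way and then needs no defaults table.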

system/ha-monitor
CLI Syntax
config system ha-monitor
edit <name_str>
set monitor-vlan {enable | disable}
set vlan-hb-interval <integer>
set vlan-hb-lost-threshold <integer>
end

Description

Configuration | Description | Default Value
monitor-vlan | Enable/disable monitoring of VLAN interfaces. | disable
vlan-hb-interval | Configure heartbeat interval (seconds). |
vlan-hb-lost-threshold | VLAN lost heartbeat threshold (1 - 60). |

system/interface
CLI Syntax
config system interface
edit <name_str>
set name <string>
set vdom <string>
set cli-conn-status <integer>
set mode {static | dhcp | pppoe}
set distance <integer>
set priority <integer>
set dhcp-relay-service {disable | enable}
set dhcp-relay-ip <user>
set dhcp-relay-type {regular | ipsec}
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
set fail-detect {enable | disable}
set fail-detect-option {detectserver | link-down}
set fail-alert-method {link-failed-signal | link-down}
set fail-action-on-extender {soft-restart | hard-restart | reboot}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
set dhcp-client-identifier <string>
set ipunnumbered <ipv4-address>
set username <string>
set pppoe-unnumbered-negotiate {enable | disable}
set password <password>
set idle-timeout <integer>
set detected-peer-mtu <integer>
set disc-retry-timeout <integer>
set padt-retry-timeout <integer>
set service-name <string>
set ac-name <string>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-client {enable | disable}
set pptp-user <string>
set pptp-password <password>
set pptp-server-ip <ipv4-address>
set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-timeout <integer>
set arpforward {enable | disable}
set ndiscforward {enable | disable}
set broadcast-forward {enable | disable}
set bfd {global | enable | disable}
set bfd-desired-min-tx <integer>
set bfd-detect-mult <integer>
set bfd-required-min-rx <integer>
set l2forward {enable | disable}
set icmp-redirect {enable | disable}
set vlanforward {enable | disable}
set stpforward {enable | disable}
set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
set ips-sniffer-mode {enable | disable}
set ident-accept {enable | disable}
set ipmac {enable | disable}
set subst {enable | disable}
set macaddr <mac-address>
set substitute-dst-mac <mac-address>
set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
set status {up | down}
set netbios-forward {disable | enable}
set wins-ip <ipv4-address>
set type {physical | vlan | aggregate | redundant | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
set dedicated-to {none | management}
set trust-ip-1 <ipv4-classnet-any>
set trust-ip-2 <ipv4-classnet-any>
set trust-ip-3 <ipv4-classnet-any>
set trust-ip6-1 <ipv6-prefix>
set trust-ip6-2 <ipv6-prefix>
set trust-ip6-3 <ipv6-prefix>
set mtu-override {enable | disable}
set mtu <integer>
set wccp {enable | disable}
set netflow-sampler {disable | tx | rx | both}
set sflow-sampler {enable | disable}
set drop-overlapped-fragment {enable | disable}
set drop-fragment {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set sample-rate <integer>
set polling-interval <integer>
set sample-direction {tx | rx | both}
set explicit-web-proxy {enable | disable}
set explicit-ftp-proxy {enable | disable}
set tcp-mss <integer>
set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
set inbandwidth <integer>
set outbandwidth <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set weight <integer>
set interface <string>
set external {enable | disable}
set vlanid <integer>
set forward-domain <integer>
set remote-ip <ipv4-address-any>
config member
edit <name_str>
set interface-name <string>
end
set lacp-mode {static | passive | active}
set lacp-ha-slave {enable | disable}
set lacp-speed {slow | fast}
set min-links <integer>
set min-links-down {operational | administrative}
set algorithm {L2 | L3 | L4}
set link-up-delay <integer>
set priority-override {enable | disable}
set aggregate <string>
set redundant-interface <string>
config managed-device
edit <name_str>
set name <string>
end
set devindex <integer>
set vindex <integer>
set switch <string>
set description <var-string>
set alias <string>
set security-mode {none | captive-portal | 802.1X}
set security-mac-auth-bypass {enable | disable}
set security-external-web <string>
set security-external-logout <string>
set replacemsg-override-group <string>
set security-redirect-url <string>
set security-exempt-list <string>
config security-groups
edit <name_str>
set name <string>
end
set device-identification {enable | disable}
set device-user-identification {enable | disable}
set device-identification-active-scan {enable | disable}
set device-access-list <string>
set device-netscan {disable | enable}
set lldp-transmission {enable | disable | vdom}
set fortiheartbeat {enable | disable}
set broadcast-forticlient-discovery {enable | disable}
set endpoint-compliance {enable | disable}
set estimated-upstream-bandwidth <integer>
set estimated-downstream-bandwidth <integer>
set vrrp-virtual-mac {enable | disable}
config vrrp
edit <name_str>
set vrid <integer>
set vrgrp <integer>
set vrip <ipv4-address-any>
set priority <integer>
set adv-interval <integer>
set start-time <integer>
set preempt {enable | disable}
set vrdst <ipv4-address-any>
set status {enable | disable}
end
set role {lan | wan | dmz | undefined}
set snmp-index <integer>
set secondary-IP {enable | disable}
config secondaryip
edit <name_str>
set id <integer>
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
end
set auto-auth-extension-device {enable | disable}
set ap-discover {enable | disable}
set fortilink {enable | disable}
set fortilink-stacking {enable | disable}
set fortilink-split-interface {enable | disable}
set internal <integer>
set fortilink-backup-link <integer>
set color <integer>
config ipv6
edit <name_str>
set ip6-mode {static | dhcp | pppoe | delegated}
set ip6-dns-server-override {enable | disable}
set ip6-address <ipv6-prefix>
config ip6-extra-addr
edit <name_str>
set prefix <ipv6-prefix>
end
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-send-adv {enable | disable}
set ip6-manage-flag {enable | disable}
set ip6-other-flag {enable | disable}
set ip6-max-interval <integer>
set ip6-min-interval <integer>
set ip6-link-mtu <integer>
set ip6-reachable-time <integer>
set ip6-retrans-time <integer>
set ip6-default-life <integer>
set ip6-hop-limit <integer>
set autoconf {enable | disable}
set ip6-upstream-interface <string>
set ip6-subnet <ipv6-prefix>
config ip6-prefix-list
edit <name_str>
set prefix <ipv6-network>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set valid-life-time <integer>
set preferred-life-time <integer>
end
config ip6-delegated-prefix-list
edit <name_str>
set prefix-id <integer>
set upstream-interface <string>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set subnet <ipv6-network>
end
set dhcp6-relay-service {disable | enable}
set dhcp6-relay-type {regular}
set dhcp6-relay-ip <user>
set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
set dhcp6-prefix-delegation {enable | disable}
set dhcp6-prefix-hint <ipv6-network>
set dhcp6-prefix-hint-plt <integer>
set dhcp6-prefix-hint-vlt <integer>
end
end

Description

Configuration | Description | Default Value
name | Name. | (Empty)
vdom | Virtual domain name. | (Empty)
cli-conn-status | CLI connection status. |
mode | Addressing mode (static, DHCP, PPPoE). | static
distance | Distance of learned routes. |
priority | Priority of learned routes. |
dhcp-relay-service | Enable/disable use of DHCP relay service. | disable
dhcp-relay-ip | DHCP relay IP address. | (Empty)
dhcp-relay-type | DHCP relay type. | regular
ip | IP address of interface. | 0.0.0.0 0.0.0.0
allowaccess | Allow management access to the interface. | (Empty)
gwdetect | Enable/disable detect gateway alive for first. | disable
ping-serv-status | PING server status. |
detectserver | Gateway's ping server for this IP. | (Empty)
detectprotocol | Protocols used to detect the server. | ping
ha-priority | HA election priority for the PING server. |
fail-detect | Enable/disable interface failed option status. | disable
fail-detect-option | Interface fail detect option. | link-down
fail-alert-method | Interface fail alert. | link-down
fail-action-on-extender | Action on extender when interface fails. | soft-restart
fail-alert-interfaces | Physical interfaces that will be alerted. | (Empty)
dhcp-client-identifier | DHCP client identifier. | (Empty)
ipunnumbered | PPPoE unnumbered IP. | 0.0.0.0
username | User name. | (Empty)
pppoe-unnumbered-negotiate | Enable/disable PPPoE unnumbered negotiation. | enable
password | Password. | (Empty)
idle-timeout | PPPoE auto disconnect after idle timeout seconds. |
detected-peer-mtu | MTU of detected peer (0 - 4294967295). |
disc-retry-timeout | PPPoE discovery init timeout value in sec. |
padt-retry-timeout | PPPoE terminate timeout value in sec. |
service-name | PPPoE service name. | (Empty)
ac-name | PPPoE AC name. | (Empty)
lcp-echo-interval | PPPoE LCP echo interval (sec). |
lcp-max-echo-fails | Maximum missed LCP echo messages before disconnect. |
defaultgw | Enable/disable default gateway. | enable
dns-server-override | Enable/disable use of DNS acquired by DHCP or PPPoE. | enable
auth-type | PPP authentication type to use. | auto
pptp-client | Enable/disable PPTP client. | disable
pptp-user | PPTP user name. | (Empty)
pptp-password | PPTP password. | (Empty)
pptp-server-ip | PPTP server IP address. | 0.0.0.0
pptp-auth-type | PPTP authentication type. | auto
pptp-timeout | Idle timer in minutes (0 for disabled). |
arpforward | Enable/disable ARP forwarding. | enable
ndiscforward

Enable/disable NDISC forwarding.

enable

broadcast-forward

Enable/disable broadcast forwarding.

disable

bfd

Bidirectional Forwarding Detection (BFD).

global

bfd-desired-min-tx

BFD desired minimal transmit interval.

250

bfd-detect-mult

BFD detection multiplier.

bfd-required-min-rx

BFD required minimal receive interval.

250

l2forward

Enable/disable l2 forwarding.

disable

icmp-redirect

Enable/disable ICMP redirect.

enable

vlanforward

Enable/disable VLAN forwarding.

disable

stpforward

Enable/disable STP forwarding.

disable

stpforward-mode

Configure STP forwarding mode.

rpl-all-ext-id

ips-sniffer-mode

Enable/disable IPS sniffer mode.

disable

ident-accept

Enable/disable accept ident protocol.

disable

ipmac

Enable/disable IP/MAC binding status.

disable

subst

Enable/disable substitute MAC.

disable

macaddr

MAC address.

00:00:00:00:00:00

substitute-dst-mac

Substitute destination MAC address.

00:00:00:00:00:00

speed

Speed

auto

status

Interface status.

up

netbios-forward

Enable/disable NETBIOS forwarding.

disable

wins-ip

WINS server IP.

0.0.0.0

type

Interface type.

vlan

dedicated-to

Configure interface for single purpose.

none

trust-ip-1

Trusted host for dedicated management traffic


(0.0.0.0/24 for all hosts).

0.0.0.0 0.0.0.0

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

553

trust-ip-2

Trusted host for dedicated management traffic


(0.0.0.0/24 for all hosts).

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic


(0.0.0.0/24 for all hosts).

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management


traffic (::/0 for all hosts).

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management


traffic (::/0 for all hosts).

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management


traffic (::/0 for all hosts).

::/0

mtu-override

Enable/disable use custom MTU.

disable

mtu

Maximum transportation unit.

1500

wccp

Enable/disable WCCP protocol on this interface.

disable

netflow-sampler

NetFlow measurement status.

disable

sflow-sampler

Enable/disable sFlow protocol.

disable

drop-overlappedfragment

Enable/disable drop overlapped fragment


packets.

disable

drop-fragment

Enable/disable drop fragment packets.

disable

scan-botnetconnections

Enable/disable scanning of connections to Botnet


servers.

disable

sample-rate

sFlow sampler sample rate.

2000

polling-interval

sFlow sampler counter polling interval.

20

sample-direction

sFlow sample direction.

both

explicit-web-proxy

Enable/disable explicit Web proxy.

disable

explicit-ftp-proxy

Enable/disable explicit FTP proxy.

disable

tcp-mss

Maximum sending TCP packet size.

mediatype

Select SFP media interface type

serdes-sfp

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

554

fp-anomaly

Pass or drop different types of anomalies using


Fastpath

(Empty)

inbandwidth

Bandwidth limit for incoming traffic (0 - 16776000


kbps).

outbandwidth

Bandwidth limit for outgoing traffic (0 - 16776000


kbps).

spillover-threshold

Egress Spillover threshold (0 - 16776000 kbps).

ingress-spilloverthreshold

Ingress Spillover threshold (0 - 16776000 kbps).

weight

Default weight for static routes (if route has no


weight configured).

interface

Interface name.

(Empty)

external

Enable/disable identifying interface as connected


to external side.

disable

vlanid

VLAN ID.

forward-domain

TP mode forward domain.

remote-ip

Remote IP address of tunnel.

0.0.0.0

member

Physical interfaces that belong to the


aggregate/redundant interface.

(Empty)

lacp-mode

LACP mode.

active

lacp-ha-slave

LACP HA slave.

enable

lacp-speed

LACP speed.

slow

min-links

Minimum number of aggregated ports that must


be up.

min-links-down

Action to take when there are less than min-links


active members.

operational

algorithm

Frame distribution algorithm.

L4

link-up-delay

Number of milliseconds to wait before


considering a link is up.

50

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

555

priority-override

Enable/disable fail back to higher priority port


once recovered.

enable

aggregate

Aggregate interface.

(Empty)

redundant-interface

Redundant interface.

(Empty)

managed-device

FortiLink interface managed device.

(Empty)

devindex

Device Index.

vindex

Switch control interface VLAN ID.

switch

Contained in switch.

(Empty)

description

Description.

(Empty)

alias

Alias.

(Empty)

security-mode

Security mode.

none

security-mac-authbypass

Enable/disable MAC authentication bypass.

disable

security-external-web

URL of external authentication web server.

(Empty)

security-external-logout

URL of external authentication logout server.

(Empty)

replacemsg-overridegroup

Specify replacement message override group.

(Empty)

security-redirect-url

URL redirection after disclaimer/authentication.

(Empty)

security-exempt-list

Name of security-exempt-list.

(Empty)

security-groups

Group name.

(Empty)

device-identification

Enable/disable passive gathering of identity


information about source hosts on this interface.

disable

device-useridentification

Enable/disable passive gathering of user identity


information about source hosts on this interface.

enable

device-identificationactive-scan

Enable/disable active gathering of identity


information about source hosts on this interface.

enable

device-access-list

Device access list.

(Empty)

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

556

device-netscan

Enable/disable inclusion of devices detected on


this interface in network vulnerability scans.

lldp-transmission

Enable/disable Link Layer Discovery Protocol


(LLDP) transmission.

vdom

fortiheartbeat

Enable/disable FortiHeartBeat (FortiTelemetry on


GUI).

disable

broadcast-forticlientdiscovery

Enable/disable broadcast FortiClient discovery


messages.

disable

endpoint-compliance

Enable/disable endpoint compliance


enforcement.

disable

estimated-upstreambandwidth

Estimated maximum upstream bandwidth (kbps).


Used to estimate link utilization.

estimated-downstreambandwidth

Estimated maximum downstream bandwidth


(kbps). Used to estimate link utilization.

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

disable

vrrp

VRRP configuration.

(Empty)

role

Interface role.

undefined

snmp-index

Permanent SNMP Index of the interface.

secondary-IP

Enable/disable secondary IP.

disable

secondaryip

Second IP address of interface.

(Empty)

auto-auth-extensiondevice

Enable/disable automatic authorization of


dedicated Fortinet extension device on this
interface.

disable

ap-discover

Enable/disable automatic registration of unknown


FortiAP devices.

enable

fortilink

Enable/disable FortiLink to dedicated interface for


managing FortiSwitch devices.

disable

fortilink-stacking

Enable/disable FortiLink switch-stacking on this


interface.

enable

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

557

fortilink-split-interface

Enable/disable FortiLink split interface to connect


member link to different FortiSwitch in stack for
uplink redundancy (maximum 2 interfaces in the
"members" command).

disable

internal

Implicitly created.

fortilink-backup-link

fortilink split interface backup link.

color

GUI icon color.

ipv6

IPv6 of interface.

Details below

Configuration
ip6-mode
ip6-dns-server-override
ip6-address
ip6-extra-addr
ip6-allowaccess
ip6-send-adv
ip6-manage-flag
ip6-other-flag
ip6-max-interval
ip6-min-interval
ip6-link-mtu
ip6-reachable-time
ip6-retrans-time
ip6-default-life
ip6-hop-limit
autoconf
ip6-upstream-interface
ip6-subnet
ip6-prefix-list
ip6-delegated-prefix-list
dhcp6-relay-service
dhcp6-relay-type
dhcp6-relay-ip
dhcp6-client-options
dhcp6-prefix-delegation
dhcp6-prefix-hint
dhcp6-prefix-hint-plt
dhcp6-prefix-hint-vlt

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

Default Value
static
enable
::/0
(Empty)
(Empty)
disable
disable
disable
600
198
0
0
0
1800
0
disable
(Empty)
::/0
(Empty)
(Empty)
disable
regular
(Empty)
dns
disable
::/0
604800
2592000

558

system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set auto-asic-offload {enable | disable}
end

Description

Configuration                       Description                                                 Default Value
name                                IPIP Tunnel name.                                           (Empty)
interface                           Interface name.                                             (Empty)
remote-gw                           IP address of the remote gateway.                           0.0.0.0
local-gw                            IP address of the local gateway.                            0.0.0.0
auto-asic-offload                   Enable/disable tunnel ASIC offloading.                      enable

system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
edit <name_str>
set address <ipv4-address>
set status {enable | disable}
end

Description

Configuration                       Description                                                 Default Value
address                             DNS server IP address.                                      0.0.0.0
status                              Enable/disable this server for queries.                     enable

system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
edit <name_str>
set id <integer>
set interface <string>
set ipv6 <ipv6-address>
set mac <mac-address>
end

Description

Configuration                       Description                                                 Default Value
id                                  Unique integer ID of the entry.
interface                           Interface name.                                             (Empty)
ipv6                                IPv6 address.                                               ::
mac                                 MAC address.                                                00:00:00:00:00:00

system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
edit <name_str>
set name <string>
set source <ipv6-address>
set destination <ipv6-address>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description

Configuration                       Description                                                 Default Value
name                                Tunnel name.                                                (Empty)
source                              Local IPv6 address of tunnel.                               ::
destination                         Remote IPv6 address of tunnel.                              ::
interface                           Interface name.                                             (Empty)
auto-asic-offload                   Enable/disable tunnel ASIC offloading.                      enable

system/link-monitor
CLI Syntax
config system link-monitor
edit <name_str>
set name <string>
set srcintf <string>
config server
edit <name_str>
set address <string>
end
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set gateway-ip <ipv4-address-any>
set source-ip <ipv4-address-any>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set ha-priority <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
end

Description

Configuration                       Description                                                 Default Value
name                                Link monitor name.                                          (Empty)
srcintf                             Interface where the monitor traffic is sent.                (Empty)
server                              Server address(es).                                         (Empty)
protocol                            Protocols used to detect the server.                        ping
port                                Port number to poll.                                        80
gateway-ip                          Gateway IP used to PING the server.                         0.0.0.0
source-ip                           Source IP used in packet to the server.                     0.0.0.0
http-get                            HTTP GET URL string.
http-match                          Response value from detected server in http-get.            (Empty)
interval                            Detection interval.
timeout                             Detect request timeout.
failtime                            Number of retry attempts before bringing server down.
recoverytime                        Number of retry attempts before bringing server up.
security-mode                       TWAMP controller security mode.                             none
password                            TWAMP controller password in authentication mode.           (Empty)
packet-size                         Packet size of a TWAMP test session.                        64
ha-priority                         HA election priority (1 - 50).
update-cascade-interface            Enable/disable update cascade interface.                    enable
update-static-route                 Enable/disable update static route.                         enable
status                              Enable/disable Link monitor administrative status.          enable

system/mac-address-table
CLI Syntax
config system mac-address-table
edit <name_str>
set mac <mac-address>
set interface <string>
set reply-substitute <mac-address>
end

Description

Configuration                       Description                                                 Default Value
mac                                 MAC address.                                                00:00:00:00:00:00
interface                           Interface name.                                             (Empty)
reply-substitute                    New MAC for reply traffic.                                  00:00:00:00:00:00

system/management-tunnel
CLI Syntax
config system management-tunnel
edit <name_str>
set status {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set allow-collect-statistics {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <user>
end

Description

Configuration                       Description                                                 Default Value
status                              Enable/disable FGFM tunnel.                                 enable
allow-config-restore                Enable/disable allowing config restore.                     enable
allow-push-configuration            Enable/disable push configuration.                          enable
allow-push-firmware                 Enable/disable push firmware.                               enable
allow-collect-statistics            Enable/disable collection of run time statistics.           enable
authorized-manager-only             Enable/disable restriction to the authorized manager only.  enable
serial-number                       Serial number.                                              (Empty)

system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
edit <name_str>
set name <string>
set status {disable | enable}
set roaming-interface <string>
set home-agent <ipv4-address>
set home-address <ipv4-address>
set renew-interval <integer>
set lifetime <integer>
set reg-interval <integer>
set reg-retry <integer>
set n-mhae-spi <integer>
set n-mhae-key-type {ascii | base64}
set n-mhae-key <user>
set hash-algorithm {hmac-md5}
set tunnel-mode {gre}
config network
edit <name_str>
set id <integer>
set interface <string>
set prefix <ipv4-classnet>
end
end

Description

Configuration                       Description                                                 Default Value
name                                Tunnel name.                                                (Empty)
status                              Enable/disable this mobile tunnel.                          enable
roaming-interface                   Roaming interface name.                                     (Empty)
home-agent                          IP address of the NEMO HA.                                  0.0.0.0
home-address                        Home IP address.                                            0.0.0.0
renew-interval                      Time before lifetime expiration to send NEMO HA             60
                                    re-registration.
lifetime                            NEMO HA registration request lifetime.                      65535
reg-interval                        NEMO HA registration interval.
reg-retry                           NEMO HA registration maximal retries.
n-mhae-spi                          NEMO authentication SPI.                                    256
n-mhae-key-type                     NEMO authentication key type.                               ascii
n-mhae-key                          NEMO authentication key.                                    'ENC AQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='
hash-algorithm                      Hash algorithm.                                             hmac-md5
tunnel-mode                         NEMO tunnel mode.                                           gre
network                             NEMO network configuration.                                 (Empty)

system/nat64
CLI Syntax
config system nat64
edit <name_str>
set status {enable | disable}
set nat64-prefix <ipv6-prefix>
set always-synthesize-aaaa-record {enable | disable}
set generate-ipv6-fragment-header {enable | disable}
end

Description

Configuration                       Description                                                 Default Value
status                              Enable/disable NAT64.                                       disable
nat64-prefix                        NAT64 prefix (must be a /96).                               64:ff9b::/96
always-synthesize-aaaa-record       Enable/disable AAAA record synthesis.                       enable
generate-ipv6-fragment-header       Enable/disable IPv6 fragment header generation.             disable

system/netflow
CLI Syntax
config system netflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

Description

Configuration                       Description                                                 Default Value
collector-ip                        Collector IP.                                               0.0.0.0
collector-port                      NetFlow collector port.                                     2055
source-ip                           Source IP for NetFlow agent.                                0.0.0.0
active-flow-timeout                 Timeout to report active flows (min).                       30
inactive-flow-timeout               Timeout for periodic report of finished flows (sec).        15
template-tx-timeout                 Timeout for periodic template flowset transmission (min).   30
template-tx-counter                 Counter of flowset records before resending a               20
                                    template flowset record.

system/network-visibility
CLI Syntax
config system network-visibility
edit <name_str>
set destination-visibility {disable | enable}
set source-location {disable | enable}
set destination-hostname-visibility {disable | enable}
set hostname-ttl <integer>
set hostname-limit <integer>
set destination-location {disable | enable}
end

Description

Configuration                       Description                                                 Default Value
destination-visibility              Enable/disable logging of destination visibility.           enable
source-location                     Enable/disable logging of source geographical               enable
                                    location visibility.
destination-hostname-visibility     Enable/disable logging of destination hostname              enable
                                    visibility.
hostname-ttl                        TTL of hostname table entries.                              86400
hostname-limit                      Limit of hostname table entries.                            5000
destination-location                Enable/disable logging of destination geographical          enable
                                    location visibility.

system/ntp
CLI Syntax
config system ntp
edit <name_str>
set ntpsync {enable | disable}
set type {fortiguard | custom}
set syncinterval <integer>
config ntpserver
edit <name_str>
set id <integer>
set server <string>
set ntpv3 {enable | disable}
set authentication {enable | disable}
set key <password>
set key-id <integer>
end
set source-ip <ipv4-address>
set server-mode {enable | disable}
config interface
edit <name_str>
set interface-name <string>
end
end

Description

Configuration                       Description                                                 Default Value
ntpsync                             Enable/disable synchronization with NTP Server.             disable
type                                FortiGuard or custom NTP Server.                            fortiguard
syncinterval                        NTP synchronization interval.
ntpserver                           NTP Server.                                                 (Empty)
source-ip                           Source IP for communications to NTP server.                 0.0.0.0
server-mode                         Enable/disable NTP Server Mode.                             disable
interface                           List of interfaces with NTP server mode enabled.            (Empty)

system/object-tag
CLI Syntax
config system object-tag
edit <name_str>
set name <string>
end

Description

Configuration                       Description                                                 Default Value
name                                Tag name.                                                   (Empty)

system/password-policy
CLI Syntax
config system password-policy
edit <name_str>
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <integer>
set min-lower-case-letter <integer>
set min-upper-case-letter <integer>
set min-non-alphanumeric <integer>
set min-number <integer>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <integer>
set reuse-password {enable | disable}
end

Description

Configuration                       Description                                                 Default Value
status                              Enable/disable password policy.                             disable
apply-to                            Apply password policy to.                                   admin-password
minimum-length                      Minimum password length.
min-lower-case-letter               Minimum number of lowercase characters in password.
min-upper-case-letter               Minimum number of uppercase characters in password.
min-non-alphanumeric                Minimum number of non-alphanumeric characters in
                                    password.
min-number                          Minimum number of numeric characters in password.
change-4-characters                 Enable/disable changing at least 4 characters for           disable
                                    new password.
expire-status                       Enable/disable password expiration.                         disable
expire-day                          Number of days after which admin users' password            90
                                    will expire.
reuse-password                      Enable/disable reuse of password.                           enable

system/probe-response
CLI Syntax
config system probe-response
edit <name_str>
set port <integer>
set http-probe-value <string>
set ttl-mode {reinit | decrease | retain}
set mode {none | http-probe | twamp}
set security-mode {none | authentication}
set password <password>
set timeout <integer>
end

Description

Configuration                       Description                                                 Default Value
port                                Port number to respond on.                                  8008
http-probe-value                    Value to respond to the monitoring server.                  OK
ttl-mode                            Mode for TWAMP packet TTL modification.                     retain
mode                                SLA response mode.                                          none
security-mode                       TWAMP responder security mode.                              none
password                            TWAMP responder password in authentication mode.            (Empty)
timeout                             Inactivity timer for a TWAMP test session.                  300

system/proxy-arp
CLI Syntax
config system proxy-arp
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set end-ip <ipv4-address>
end

Description

Configuration                       Description                                                 Default Value
id                                  Unique integer ID of the entry.
interface                           Interface acting as proxy-ARP.                              (Empty)
ip                                  IP address or start IP to be proxied.                       0.0.0.0
end-ip                              End IP of IP range to be proxied.                           0.0.0.0

system/replacemsg-group
CLI Syntax
config system replacemsg-group
edit <name_str>
set name <string>
set comment <var-string>
set group-type {default | utm | auth | ec}
config mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config custom-message
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
end

Description

Configuration                       Description                                                 Default Value
name                                Group name.                                                 (Empty)
comment                             Comment.                                                    (Empty)
group-type                          Group type.                                                 default
mail                                Replacement message table entries.                          (Empty)
http                                Replacement message table entries.                          (Empty)
webproxy                            Replacement message table entries.                          (Empty)
ftp                                 Replacement message table entries.                          (Empty)
nntp                                Replacement message table entries.                          (Empty)
fortiguard-wf                       Replacement message table entries.                          (Empty)
spam                                Replacement message table entries.                          (Empty)
alertmail                           Replacement message table entries.                          (Empty)
admin                               Replacement message table entries.                          (Empty)
auth                                Replacement message table entries.                          (Empty)
sslvpn                              Replacement message table entries.                          (Empty)
ec                                  Replacement message table entries.                          (Empty)
device-detection-portal             Replacement message table entries.                          (Empty)
nac-quar                            Replacement message table entries.                          (Empty)
traffic-quota                       Replacement message table entries.                          (Empty)
utm                                 Replacement message table entries.                          (Empty)
custom-message                      Replacement message table entries.                          (Empty)

system/replacemsg-image
CLI Syntax
config system replacemsg-image
edit <name_str>
set name <string>
set image-type {gif | jpg | tiff | png}
set image-base64 <var-string>
end

Description

Configuration                       Description                                                 Default Value
name                                Image name.                                                 (Empty)
image-type                          Image type.                                                 (Empty)
image-base64                        Image data.                                                 (null)

system/resource-limits
CLI Syntax
config system resource-limits
edit <name_str>
set session <integer>
set ipsec-phase1 <integer>
set ipsec-phase2 <integer>
set dialup-tunnel <integer>
set firewall-policy <integer>
set firewall-address <integer>
set firewall-addrgrp <integer>
set custom-service <integer>
set service-group <integer>
set onetime-schedule <integer>
set recurring-schedule <integer>
set user <integer>
set user-group <integer>
set sslvpn <integer>
set proxy <integer>
set log-disk-quota <integer>
end

Description

Configuration                       Description                                                 Default Value
session                             Maximum number of sessions.
ipsec-phase1                        Maximum number of VPN IPsec phase1 tunnels.
ipsec-phase2                        Maximum number of VPN IPsec phase2 tunnels.
dialup-tunnel                       Maximum number of dial-up tunnels.
firewall-policy                     Maximum number of firewall policies.
firewall-address                    Maximum number of firewall addresses.
firewall-addrgrp                    Maximum number of firewall address groups.
custom-service                      Maximum number of firewall custom services.
service-group                       Maximum number of firewall service groups.
onetime-schedule                    Maximum number of firewall one-time schedules.
recurring-schedule                  Maximum number of firewall recurring schedules.
user                                Maximum number of local users.
user-group                          Maximum number of user groups.
sslvpn                              Maximum number of SSL-VPN.
proxy                               Maximum number of concurrent explicit proxy users.
log-disk-quota                      Log disk quota in MB.

system/session-helper
CLI Syntax
config system session-helper
edit <name_str>
set id <integer>
set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
set protocol <integer>
set port <integer>
end

Description

Configuration                       Description                                                 Default Value
id                                  Session helper ID.
name                                Helper name.                                                (Empty)
protocol                            Protocol number.
port                                Protocol port.

system/session-ttl
CLI Syntax
config system session-ttl
edit <name_str>
set default <user>
config port
edit <name_str>
set id <integer>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set timeout <user>
end
end

Description

Configuration                       Description                                                 Default Value
default                             Default timeout.                                            3600
port                                Session TTL port.                                           (Empty)

system/settings
CLI Syntax
config system settings
edit <name_str>
set comments <var-string>
set opmode {nat | transparent}
set inspection-mode {proxy | flow}
set http-external-dest {fortiweb | forticache}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set manageip <user>
set gateway <ipv4-address>
set ip <ipv4-classnet-host>
set manageip6 <ipv6-prefix>
set gateway6 <ipv6-address>
set ip6 <ipv6-prefix>
set device <string>
set bfd {enable | disable}
set bfd-desired-min-tx <integer>
set bfd-required-min-rx <integer>
set bfd-detect-mult <integer>
set bfd-dont-enforce-src-port {enable | disable}
set utf8-spam-tagging {enable | disable}
set wccp-cache-engine {enable | disable}
set vpn-stats-log {ipsec | pptp | l2tp | ssl}
set vpn-stats-period <integer>
set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
set mac-ttl <integer>
set fw-session-hairpin {enable | disable}
set snat-hairpin-traffic {enable | disable}
set dhcp-proxy {enable | disable}
set dhcp-server-ip <user>
set dhcp6-server-ip <user>
set central-nat {enable | disable}
config gui-default-policy-columns
edit <name_str>
set name <string>
end
set lldp-transmission {enable | disable | global}
set asymroute {enable | disable}
set asymroute-icmp {enable | disable}
set tcp-session-without-syn {enable | disable}
set ses-denied-traffic {enable | disable}
set strict-src-check {enable | disable}
set asymroute6 {enable | disable}
set asymroute6-icmp {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set status {enable | disable}
set sip-tcp-port <integer>
set sip-udp-port <integer>
set sip-ssl-port <integer>
set sccp-port <integer>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set multicast-skip-policy {enable | disable}
set allow-subnet-overlap {enable | disable}
set deny-tcp-with-icmp {enable | disable}
set ecmp-max-paths <integer>
set discovered-device-timeout <integer>
set email-portal-check-dns {disable | enable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set gui-icap {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-dns-database {enable | disable}
set gui-load-balance {enable | disable}
set gui-multicast-policy {enable | disable}
set gui-dos-policy {enable | disable}
set gui-object-colors {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-voip-profile {enable | disable}
set gui-ap-profile {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-local-in-policy {enable | disable}
set gui-local-reports {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-dynamic-routing {enable | disable}
set gui-dlp {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-threat-weight {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-spamfilter {enable | disable}
set gui-application-control {enable | disable}
set gui-casi {enable | disable}
set gui-ips {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-endpoint-on-net {enable | disable}
set gui-dhcp-advanced {enable | disable}
set gui-vpn {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-switch-controller {enable | disable}
set gui-fortiap-split-tunneling {enable | disable}
set gui-webfilter-advanced {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-wan-load-balancing {enable | disable}
set gui-antivirus {enable | disable}
set gui-webfilter {enable | disable}
set gui-dnsfilter {enable | disable}
set gui-waf-profile {enable | disable}
set gui-fortiextender-controller {enable | disable}
set gui-advanced-policy {enable | disable}
set gui-allow-unnamed-policy {enable | disable}
set gui-email-collection {enable | disable}
set gui-domain-ip-reputation {enable | disable}
set gui-multiple-interface-policy {enable | disable}
set gui-policy-learning {enable | disable}
set compliance-check {enable | disable}
set ike-session-resume {enable | disable}
set ike-quick-crash-detect {enable | disable}
end

Description
Configuration                   Description / Default Value
comments                        VDOM comments. Default: (Empty)
opmode                          Firewall operation mode. Default: nat
inspection-mode                 Inspection mode. Default: proxy
http-external-dest              HTTP service external inspection destination. Default: fortiweb
firewall-session-dirty          Packet session management. Default: check-all
manageip                        IP address and netmask. Default: (Empty)
gateway                         Default gateway IP address. Default: 0.0.0.0
ip                              IP address and netmask. Default: 0.0.0.0 0.0.0.0
manageip6                       Management IPv6 address prefix for transparent mode. Default: ::/0
gateway6                        Default gateway IPv6 address. Default: ::
ip6                             IPv6 address prefix for NAT mode. Default: ::/0
device                          Interface. Default: (Empty)
bfd                             Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. Default: disable
bfd-desired-min-tx              BFD desired minimal transmit interval. Default: 250
bfd-required-min-rx             BFD required minimal receive interval. Default: 250
bfd-detect-mult                 BFD detection multiplier.
bfd-dont-enforce-src-port       Enable/disable verify source port of BFD Packets. Default: disable
utf8-spam-tagging               Convert spam tags to UTF-8 for better non-ASCII character support. Default: enable
wccp-cache-engine               Enable/disable WCCP cache engine. Default: disable
vpn-stats-log                   Enable/disable periodic VPN log statistics. Default: ipsec pptp l2tp ssl
vpn-stats-period                Period to send VPN log statistics (sec). Default: 600
v4-ecmp-mode                    IPv4 ECMP mode. Default: source-ip-based
mac-ttl                         Bridge MAC address expiration time (sec). Default: 300
fw-session-hairpin              Check every cross. Default: disable
snat-hairpin-traffic            Enable/disable SNAT hairpin traffic. Default: enable
dhcp-proxy                      Enable/disable DHCP Proxy. Default: disable
dhcp-server-ip                  DHCP Server IP address. Default: (Empty)
dhcp6-server-ip                 DHCPv6 server IP address. Default: (Empty)
central-nat                     Enable/disable central NAT. Default: disable
gui-default-policy-columns      Default columns to display for firewall policy list on GUI. Default: (Empty)
lldp-transmission               Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Default: global
asymroute                       Enable/disable asymmetric route. Default: disable
asymroute-icmp                  Enable/disable asymmetric ICMP route. Default: disable
tcp-session-without-syn         Enable/disable creation of TCP session without SYN flag. Default: disable
ses-denied-traffic              Enable/disable insertion of denied traffic into session table. Default: disable
strict-src-check                Enable/disable strict source verification. Default: disable
asymroute6                      Enable/disable asymmetric IPv6 route. Default: disable
asymroute6-icmp                 Enable/disable asymmetric ICMPv6 route. Default: disable
sip-helper                      Enable/disable helper to add dynamic SIP firewall allow rule. Default: enable
sip-nat-trace                   Enable/disable adding original IP if NATed. Default: enable
status                          Enable/disable this VDOM. Default: enable
sip-tcp-port                    TCP port the SIP proxy will monitor for SIP traffic. Default: 5060
sip-udp-port                    UDP port the SIP proxy will monitor for SIP traffic. Default: 5060
sip-ssl-port                    TCP SSL port the SIP proxy will monitor for SIP traffic. Default: 5061
sccp-port                       TCP port the SCCP proxy will monitor for SCCP traffic. Default: 2000
multicast-forward               Enable/disable multicast forwarding. Default: enable
multicast-ttl-notchange         Enable/disable modification of multicast TTL. Default: disable
multicast-skip-policy           Enable/disable skip policy check and allow multicast through. Default: disable
allow-subnet-overlap            Enable/disable allow one interface subnet overlap with other interfaces. Default: disable
deny-tcp-with-icmp              Enable/disable deny TCP with ICMP. Default: disable
ecmp-max-paths                  Maximum number of ECMP next-hops. Default: 10
discovered-device-timeout       Discard discovered devices after N days of inactivity. Default: 28
email-portal-check-dns          Enable/disable DNS to validate domain names used in the email address collection captive portal. Default: enable
default-voip-alg-mode           Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy). Default: proxy-based
gui-icap                        Enable/disable ICAP settings in GUI. Default: disable
gui-nat46-64                    Enable/disable NAT46 and NAT64 settings in GUI. Default: disable
gui-implicit-policy             Enable/disable implicit firewall policies in GUI. Default: enable
gui-dns-database                Enable/disable DNS database in GUI. Default: disable
gui-load-balance                Enable/disable load balance in GUI. Default: disable
gui-multicast-policy            Enable/disable multicast firewall policies in GUI. Default: disable
gui-dos-policy                  Enable/disable DoS policy display in GUI. Default: enable
gui-object-colors               Enable/disable object colors in GUI. Default: enable
gui-replacement-message-groups  Enable/disable replacement message groups in GUI. Default: disable
gui-voip-profile                Enable/disable VoIP profiles in GUI. Default: disable
gui-ap-profile                  Enable/disable AP profiles in GUI. Default: enable
gui-dynamic-profile-display     Enable/disable dynamic profiles in GUI. Default: disable
gui-ipsec-manual-key            Enable/disable IPsec manual Key configuration in GUI. Default: disable
gui-local-in-policy             Enable/disable Local-In policies in GUI. Default: disable
gui-local-reports               Enable/disable local reports in the GUI. Default: disable
gui-wanopt-cache                Enable/disable WAN Opt & Cache configuration in GUI. Default: disable
gui-explicit-proxy              Enable/disable explicit proxy configuration in GUI. Default: disable
gui-dynamic-routing             Enable/disable dynamic routing menus in GUI. Default: enable
gui-dlp                         Enable/disable DLP settings in GUI. Default: disable
gui-sslvpn-personal-bookmarks   Enable/disable SSL-VPN personal bookmark management in GUI. Default: disable
gui-sslvpn-realms               Enable/disable SSL-VPN custom login pages in GUI. Default: disable
gui-policy-based-ipsec          Enable/disable policy-based IPsec VPN. Default: disable
gui-threat-weight               Enable/disable threat weight feature in GUI. Default: enable
gui-multiple-utm-profiles       Enable/disable multiple UTM profiles in GUI. Default: enable
gui-spamfilter                  Enable/disable spamfilter profiles in GUI. Default: disable
gui-application-control         Enable/disable application control profiles in GUI. Default: enable
gui-casi                        Enable/disable CASI profiles in GUI. Default: enable
gui-ips                         Enable/disable IPS sensors in GUI. Default: enable
gui-endpoint-control            Enable/disable endpoint control in GUI. Default: enable
gui-endpoint-on-net             Enable/disable endpoint on-net/off-net options in GUI. Default: disable
gui-dhcp-advanced               Enable/disable advanced DHCP configuration in GUI. Default: enable
gui-vpn                         Enable/disable VPN tunnels in GUI. Default: enable
gui-wireless-controller         Enable/disable wireless controller in GUI. Default: enable
gui-switch-controller           Enable/disable switch controller in GUI. Default: enable
gui-fortiap-split-tunneling     Enable/disable FortiAP split tunneling in GUI. Default: disable
gui-webfilter-advanced          Enable/disable advanced web filter configuration in GUI. Default: disable
gui-traffic-shaping             Enable/disable traffic shaping in GUI. Default: enable
gui-wan-load-balancing          Enable/disable WAN link load balancing in GUI. Default: enable
gui-antivirus                   Enable/disable AntiVirus profile display in GUI. Default: enable
gui-webfilter                   Enable/disable WebFilter profile display in GUI. Default: enable
gui-dnsfilter                   Enable/disable DNS Filter profile display in GUI. Default: enable
gui-waf-profile                 Enable/disable Web Application Firewall Profile display in GUI. Default: disable
gui-fortiextender-controller    Enable/disable FortiExtender controller in GUI. Default: disable
gui-advanced-policy             Enable/disable advanced policy configuration in GUI. Default: disable
gui-allow-unnamed-policy        Enable/disable relaxation of requirement for policy to have a name when created in GUI. Default: disable
gui-email-collection            Enable/disable email collection feature. Default: disable
gui-domain-ip-reputation        Enable/disable Domain and IP Reputation feature. Default: disable
gui-multiple-interface-policy   Enable/disable the ability to configure multiple interfaces in a policy in the GUI. Default: disable
gui-policy-learning             Enable/disable learning mode for firewall policies in the GUI. Default: enable
compliance-check                Enable/disable PCI DSS compliance check. Default: disable
ike-session-resume              Enable/disable IKEv2 session resumption (RFC 5723). Default: disable
ike-quick-crash-detect          Enable/disable IKE quick crash detection (RFC 6290). Default: disable
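Several of the options above (tcp-session-without-syn, asymroute, multicast-skip-policy, firewall-session-dirty and friends) decide how strictly a VDOM performs stateful inspection, so they are the first thing to check when reviewing a configuration backup. The Python script below is an added example and is not code from this reference or from Fortinet: it parses a configuration dump written in the config/edit/set/next/end syntax used throughout this reference, extracts the top-level options of config system settings per VDOM entry (skipping nested tables such as gui-default-policy-columns), and reports values that differ from the defaults listed above or that relax enforcement. The SAMPLE_DUMP, the VDOM names root and dmz, and the one-line rationales in the RISKY list are constructed for the example.

```python
"""Audit a FortiOS 'config system settings' dump against the reference defaults.

Added example; this is not code from the FortiOS CLI reference or from Fortinet.
The parser follows the config/edit/set/next/end syntax shown in this reference.
SAMPLE_DUMP, the VDOM names and the RISKY rationale strings are constructed.
"""
import shlex
from typing import Dict, List, Tuple

Settings = Dict[str, Dict[str, str]]

# Defaults copied from the system/settings description table in this reference.
DEFAULTS: Dict[str, str] = {
    "tcp-session-without-syn": "disable",
    "asymroute": "disable",
    "asymroute6": "disable",
    "strict-src-check": "disable",
    "ses-denied-traffic": "disable",
    "multicast-skip-policy": "disable",
    "allow-subnet-overlap": "disable",
    "firewall-session-dirty": "check-all",
    "gui-allow-unnamed-policy": "disable",
}

# (option, value that relaxes enforcement, reason); rationales are this example's own wording.
RISKY: List[Tuple[str, str, str]] = [
    ("tcp-session-without-syn", "enable", "sessions may start mid-stream without a SYN handshake"),
    ("asymroute", "enable", "asymmetric IPv4 routing weakens stateful inspection"),
    ("asymroute6", "enable", "asymmetric IPv6 routing weakens stateful inspection"),
    ("multicast-skip-policy", "enable", "multicast is forwarded without a policy check"),
    ("allow-subnet-overlap", "enable", "overlapping interface subnets make routing ambiguous"),
    ("firewall-session-dirty", "check-new", "existing sessions are not re-evaluated after policy edits"),
    ("gui-allow-unnamed-policy", "enable", "unnamed policies are harder to review and attribute"),
]

TARGET = ("config", "system settings")


def _in_target(stack: List[Tuple[str, str]]) -> bool:
    """True when the parser is directly inside 'config system settings' or one of its entries."""
    if not stack or stack[0] != TARGET:
        return False
    return len(stack) == 1 or (len(stack) == 2 and stack[1][0] == "edit")


def parse_settings(text: str) -> Settings:
    """Return {entry_name: {option: value}} for the top-level options of 'config system settings'.

    Options set inside nested tables (for example gui-default-policy-columns) are skipped,
    so a nested 'set name ...' is never mistaken for a top-level option. A dump that sets
    options without an 'edit' line is recorded under the entry name "(global)".
    """
    result: Settings = {}
    stack: List[Tuple[str, str]] = []  # ("config", "system settings") or ("edit", "root")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and '#config-version' style headers
            continue
        try:
            words = shlex.split(line)
        except ValueError:  # unbalanced quote in a free-text value: fall back to plain split
            words = line.split()
        keyword = words[0]
        if keyword == "config":
            stack.append(("config", " ".join(words[1:])))
        elif keyword == "edit":
            stack.append(("edit", words[1] if len(words) > 1 else ""))
            if _in_target(stack):
                result.setdefault(stack[-1][1], {})
        elif keyword == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif keyword == "end":
            # 'end' closes the innermost table, including an entry left open without 'next'
            while stack:
                if stack.pop()[0] == "config":
                    break
        elif keyword == "set" and len(words) >= 2 and _in_target(stack):
            entry = stack[-1][1] if stack[-1][0] == "edit" else "(global)"
            result.setdefault(entry, {})[words[1]] = " ".join(words[2:])
    return result


def non_default(settings: Settings) -> Settings:
    """Options from DEFAULTS whose configured value differs from the reference default."""
    out: Settings = {}
    for entry, opts in settings.items():
        diff = {k: v for k, v in opts.items() if k in DEFAULTS and v != DEFAULTS[k]}
        if diff:
            out[entry] = diff
    return out


def audit(settings: Settings) -> List[Tuple[str, str, str, str]]:
    """Return (entry, option, value, reason) for every RISKY value; unset options use DEFAULTS."""
    findings = []
    for entry, opts in sorted(settings.items()):
        for option, bad_value, reason in RISKY:
            if opts.get(option, DEFAULTS.get(option)) == bad_value:
                findings.append((entry, option, bad_value, reason))
    return findings


# Constructed sample dump; the VDOM names and values are illustrative only.
SAMPLE_DUMP = """\
config system settings
    edit "root"
        set comments "edge VDOM (constructed sample)"
        set opmode nat
        set tcp-session-without-syn enable
        set firewall-session-dirty check-new
        config gui-default-policy-columns
            edit "srcaddr"
                set name "srcaddr"
            next
        end
    next
    edit "dmz"
        set strict-src-check enable
    next
end
"""

if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_DUMP)
    for entry, opts in non_default(parsed).items():
        print(f"{entry}: non-default {opts}")
    for entry, option, value, reason in audit(parsed):
        print(f"{entry}: {option}={value} ({reason})")
```

Run against a real backup, the script reports the root VDOM's tcp-session-without-syn and firewall-session-dirty findings while leaving dmz's strict-src-check alone, since that change tightens rather than relaxes checking; extend DEFAULTS and RISKY with further rows from the table above as your review policy requires.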

system/sflow
CLI Syntax
config system sflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration                   Description / Default Value
collector-ip                    Collector IP. Default: 0.0.0.0
collector-port                  sFlow collector port. Default: 6343
source-ip                       Source IP for sFlow agent. Default: 0.0.0.0

system/sit-tunnel
CLI Syntax
config system sit-tunnel
edit <name_str>
set name <string>
set source <ipv4-address>
set destination <ipv4-address>
set ip6 <ipv6-prefix>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description
Configuration                   Description / Default Value
name                            Tunnel name. Default: (Empty)
source                          Source IP address of tunnel. Default: 0.0.0.0
destination                     Destination IP address of tunnel. Default: 0.0.0.0
ip6                             IPv6 address of tunnel. Default: ::/0
interface                       Interface name. Default: (Empty)
auto-asic-offload               Enable/disable tunnel ASIC offloading. Default: enable

system/sms-server
CLI Syntax
config system sms-server
edit <name_str>
set name <string>
set mail-server <string>
end

Description
Configuration                   Description / Default Value
name                            Name of SMS server. Default: (Empty)
mail-server                     Email-to-SMS server domain name. Default: (Empty)

system/storage
CLI Syntax
config system storage
edit <name_str>
set name <string>
set partition <string>
set media-type <string>
set device <string>
set size <integer>
end

Description
Configuration                   Description / Default Value
name                            Storage name. Default: default_n
partition                       Label of underlying partition. Default: <unknown>
media-type                      Media of underlying disk.
device                          Partition device.
size                            Partition size.

system/switch-interface
CLI Syntax
config system switch-interface
edit <name_str>
set name <string>
set vdom <string>
set span-dest-port <string>
config span-source-port
edit <name_str>
set interface-name <string>
end
config member
edit <name_str>
set interface-name <string>
end
set type {switch | hub}
set intra-switch-policy {implicit | explicit}
set span {disable | enable}
set span-direction {rx | tx | both}
end

Description
Configuration                   Description / Default Value
name                            Interface name. Default: (Empty)
vdom                            VDOM. Default: (Empty)
span-dest-port                  SPAN destination port. Default: (Empty)
span-source-port                SPAN source ports. Default: (Empty)
member                          Interfaces that compose the virtual switch. Default: (Empty)
type                            Type. Default: switch
intra-switch-policy             Enable/disable policies between the members of the switch interface. Default: implicit
span                            Enable/disable SPAN port. Default: disable
span-direction                  SPAN direction. Default: both

system/tos-based-priority
CLI Syntax
config system tos-based-priority
edit <name_str>
set id <integer>
set tos <integer>
set priority {low | medium | high}
end

Description
Configuration                   Description / Default Value
id                              Item ID.
tos                             IP ToS value (0 - 15).
priority                        ToS based priority level. Default: high

system/vdom
CLI Syntax
config system vdom
edit <name_str>
set name <string>
set vcluster-id <integer>
set temporary <integer>
end

Description
Configuration                   Description / Default Value
name                            VDOM name. Default: (Empty)
vcluster-id                     Virtual cluster ID (0 - 4294967295).
temporary                       Temporary.

system/vdom-dns
CLI Syntax
config system vdom-dns
edit <name_str>
set vdom-dns {enable | disable}
set primary <ipv4-address>
set secondary <ipv4-address>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set source-ip <ipv4-address>
end

Description
Configuration                   Description / Default Value
vdom-dns                        Enable/disable DNS per VDOM. Default: disable
primary                         VDOM primary DNS IP. Default: 0.0.0.0
secondary                       VDOM secondary DNS IP. Default: 0.0.0.0
ip6-primary                     VDOM IPv6 primary DNS IP. Default: ::
ip6-secondary                   VDOM IPv6 secondary DNS IP. Default: ::
source-ip                       Source IP for communications to DNS server. Default: 0.0.0.0

system/vdom-link
CLI Syntax
config system vdom-link
edit <name_str>
set name <string>
set vcluster {vcluster1 | vcluster2}
set type {ppp | ethernet}
end

Description
Configuration                   Description / Default Value
name                            VDOM link name. Default: (Empty)
vcluster                        Virtual cluster. Default: vcluster1
type                            Type. Default: ppp

system/vdom-netflow
CLI Syntax
config system vdom-netflow
edit <name_str>
set vdom-netflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration                   Description / Default Value
vdom-netflow                    Enable/disable NetFlow per VDOM. Default: disable
collector-ip                    Collector IP. Default: 0.0.0.0
collector-port                  NetFlow collector port. Default: 2055
source-ip                       Source IP for NetFlow agent. Default: 0.0.0.0

system/vdom-property
CLI Syntax
config system vdom-property
edit <name_str>
set name <string>
set description <string>
set snmp-index <integer>
set session <user>
set ipsec-phase1 <user>
set ipsec-phase2 <user>
set dialup-tunnel <user>
set firewall-policy <user>
set firewall-address <user>
set firewall-addrgrp <user>
set custom-service <user>
set service-group <user>
set onetime-schedule <user>
set recurring-schedule <user>
set user <user>
set user-group <user>
set sslvpn <user>
set proxy <user>
set log-disk-quota <user>
end

Description
Configuration                   Description / Default Value
name                            VDOM name. Default: (Empty)
description                     Description. Default: (Empty)
snmp-index                      Permanent SNMP Index of the virtual domain.
session                         Maximum number (guaranteed number) of sessions. Default: 00
ipsec-phase1                    Maximum number (guaranteed number) of VPN IPsec phase1 tunnels. Default: 00
ipsec-phase2                    Maximum number (guaranteed number) of VPN IPsec phase2 tunnels. Default: 00
dialup-tunnel                   Maximum number (guaranteed number) of dialup tunnels. Default: 00
firewall-policy                 Maximum number (guaranteed number) of firewall policies. Default: 00
firewall-address                Maximum number (guaranteed number) of firewall addresses. Default: 00
firewall-addrgrp                Maximum number (guaranteed number) of firewall address groups. Default: 00
custom-service                  Maximum number (guaranteed number) of firewall custom services. Default: 00
service-group                   Maximum number (guaranteed number) of firewall service groups. Default: 00
onetime-schedule                Maximum number (guaranteed number) of firewall one-time schedules. Default: 00
recurring-schedule              Maximum number (guaranteed number) of firewall recurring schedules. Default: 00
user                            Maximum number (guaranteed number) of local users. Default: 00
user-group                      Maximum number (guaranteed number) of user groups. Default: 00
sslvpn                          Maximum number (guaranteed number) of SSLVPN. Default: 00
proxy                           Maximum number (guaranteed number) of concurrent proxy users. Default: 00
log-disk-quota                  Log disk quota in MB. Default: 00

system/vdom-radius-server
CLI Syntax
config system vdom-radius-server
edit <name_str>
set name <string>
set status {enable | disable}
set radius-server-vdom <string>
end

Description
Configuration                   Description / Default Value
name                            Name of virtual domain for server settings. Default: (Empty)
status                          Enable/disable the entry. Default: disable
radius-server-vdom              Virtual domain of the dynamic profile RADIUS server to use for dynamic profile traffic in the current VDOM. Default: (Empty)

system/vdom-sflow
CLI Syntax
config system vdom-sflow
edit <name_str>
set vdom-sflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration                   Description / Default Value
vdom-sflow                      Enable/disable sFlow per VDOM. Default: disable
collector-ip                    Collector IP. Default: 0.0.0.0
collector-port                  sFlow collector port. Default: 6343
source-ip                       Source IP for sFlow agent. Default: 0.0.0.0

system/virtual-wan-link
CLI Syntax
config system virtual-wan-link
edit <name_str>
set status {disable | enable}
set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
set fail-detect {enable | disable}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
config members
edit <name_str>
set seq-num <integer>
set interface <string>
set gateway <ipv4-address>
set weight <integer>
set priority <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set volume-ratio <integer>
set status {disable | enable}
end
config health-check
edit <name_str>
set name <string>
set server <string>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set threshold-warning-packetloss <integer>
set threshold-alert-packetloss <integer>
set threshold-warning-latency <integer>
set threshold-alert-latency <integer>
set threshold-warning-jitter <integer>
set threshold-alert-jitter <integer>
end
config service
edit <name_str>
set name <string>
set id <integer>
set mode {auto | manual | priority}
set quality-link <integer>
set member <integer>
set tos <user>
set tos-mask <user>
set protocol <integer>
set start-port <integer>
set end-port <integer>
config dst
edit <name_str>
set name <string>
end
config src
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set internet-service {enable | disable}
config internet-service-custom
edit <name_str>
set name <string>
end
config internet-service-id
edit <name_str>
set id <integer>
end
set health-check <string>
set link-cost-factor {latency | jitter | packet-loss}
set link-cost-threshold <integer>
config priority-members
edit <name_str>
set seq-num <integer>
end
set status {disable | enable}
end
end

Description
Configuration                   Description / Default Value
status                          Enable/disable using the virtual-wan-link settings. Default: disable
load-balance-mode               Load balance mode among virtual WAN link members. Default: source-ip-based
fail-detect                     Enable/disable fail detection. Default: disable
fail-alert-interfaces           Physical interfaces that will be alerted. Default: (Empty)
members                         Members that belong to the virtual-wan-link. Default: (Empty)
health-check                    Health check. Default: (Empty)
service                         Service to be distributed. Default: (Empty)

system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
edit <name_str>
set name <string>
config member
edit <name_str>
set interface-name <string>
end
set wildcard-vlan {enable | disable}
end

Description
Configuration                   Description / Default Value
name                            virtual-wire-pair name. Default: (Empty)
member                          Interfaces that belong to the port pair. Default: (Empty)
wildcard-vlan                   Enable/disable wildcard VLAN. Default: disable

system/wccp
CLI Syntax
config system wccp
edit <name_str>
set service-id <string>
set router-id <ipv4-address>
set cache-id <ipv4-address>
set group-address <ipv4-address-multicast>
set server-list <user>
set router-list <user>
set ports-defined {source | destination}
set ports <user>
set authentication {enable | disable}
set password <password>
set forward-method {GRE | L2 | any}
set cache-engine-method {GRE | L2}
set service-type {auto | standard | dynamic}
set primary-hash {src-ip | dst-ip | src-port | dst-port}
set priority <integer>
set protocol <integer>
set assignment-weight <integer>
set assignment-bucket-format {wccp-v2 | cisco-implementation}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
end

Description
Configuration                   Description / Default Value
service-id                      Service ID. Default: (Empty)
router-id                       IP address which is known by all web cache servers. Default: 0.0.0.0
cache-id                        IP address which is known by all routers. Default: 0.0.0.0
group-address                   IP multicast address. Default: 0.0.0.0
server-list                     Addresses of potential cache servers. Default: (Empty)
router-list                     Addresses of potential routers. Default: (Empty)
ports-defined                   Match method. Default: (Empty)
ports                           Service ports. Default: (Empty)
authentication                  Enable/disable MD5 authentication. Default: disable
password                        Password of MD5 authentication. Default: (Empty)
forward-method                  Method traffic is forwarded to cache servers. Default: GRE
cache-engine-method             Method traffic is forwarded to route or returned to cache engine. Default: GRE
service-type                    Service type auto/standard/dynamic. Default: auto
primary-hash                    Hash method. Default: dst-ip
priority                        Service priority.
protocol                        Service protocol.
assignment-weight               Cache server hash weight.
assignment-bucket-format        Hash table bucket format. Default: cisco-implementation
return-method                   Method traffic is returned back to firewall. Default: GRE
assignment-method               Assignment method preference. Default: HASH

system/zone
CLI Syntax
config system zone
edit <name_str>
set name <string>
set intrazone {allow | deny}
config interface
edit <name_str>
set interface-name <string>
end
end

Description
Configuration                   Description / Default Value
name                            Zone name. Default: (Empty)
intrazone                       Intra-zone traffic. Default: deny
interface                       Interfaces that belong to the zone. Default: (Empty)

user/adgrp
CLI Syntax
config user adgrp
edit <name_str>
set name <string>
set server-name <string>
set polling-id <integer>
end

Description
Configuration                   Description / Default Value
name                            Name. Default: (Empty)
server-name                     FSSO agent name. Default: (Empty)
polling-id                      FSSO polling ID.

user/device
CLI Syntax
config user device
edit <name_str>
set alias <string>
set mac <mac-address>
set user <string>
set master-device <string>
set comment <var-string>
set avatar <var-string>
set type {android-phone | android-tablet | blackberry-phone | blackberry-playbook | forticam | fortifone | fortinet-device | gaming-console | ip-phone | ipad | iphone | linux-pc | mac | media-streaming | printer | router-nat-device | windows-pc | windows-phone | windows-tablet | other-network-device}
end

Description
Configuration                   Description / Default Value
alias                           Device alias. Default: (Empty)
mac                             Device MAC address(es). Default: 00:00:00:00:00:00
user                            User name. Default: (Empty)
master-device                   Master device (optional). Default: (Empty)
comment                         Comment. Default: (Empty)
avatar                          Image file for avatar (maximum 4K base64 encoded). Default: (Empty)
type                            Device type. Default: other-network-device

user/device-access-list
CLI Syntax
config user device-access-list
edit <name_str>
set name <string>
set default-action {accept | deny}
config device-list
edit <name_str>
set id <integer>
set device <string>
set action {accept | deny}
end
end

Description
Configuration                   Description / Default Value
name                            Device access list name. Default: (Empty)
default-action                  Allow or block unknown devices. Default: accept
device-list                     Device list. Default: (Empty)

user/device-category
CLI Syntax
config user device-category
edit <name_str>
set name <string>
set desc <var-string>
set comment <var-string>
end

Description
Configuration                   Description / Default Value
name                            Device category name. Default: (Empty)
desc                            Device category description. Default: (Empty)
comment                         Comment. Default: (Empty)

user/device-group
CLI Syntax
config user device-group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description
Configuration                   Description / Default Value
name                            Device group name. Default: (Empty)
member                          Device group member. Default: (Empty)
comment                         Comment. Default: (Empty)

user/fortitoken
CLI Syntax
config user fortitoken
edit <name_str>
set serial-number <string>
set status {active | lock}
set seed <string>
set comments <var-string>
set license <string>
set activation-code <string>
set activation-expire <integer>
end

Description
Configuration                   Description / Default Value
serial-number                   Serial number. Default: (Empty)
status                          Status. Default: active
seed                            Token seed. Default: (Empty)
comments                        Comment. Default: (Empty)
license                         Mobile token license. Default: (Empty)
activation-code                 Mobile token user activation-code. Default: (Empty)
activation-expire               Mobile token user activation-code expire time.

user/fsso
CLI Syntax
config user fsso
edit <name_str>
set name <string>
set server <string>
set port <integer>
set password <password>
set server2 <string>
set port2 <integer>
set password2 <password>
set server3 <string>
set port3 <integer>
set password3 <password>
set server4 <string>
set port4 <integer>
set password4 <password>
set server5 <string>
set port5 <integer>
set password5 <password>
set ldap-server <string>
set source-ip <ipv4-address>
end

Description
Configuration                   Description / Default Value
name                            Name. Default: (Empty)
server                          Address of the 1st FSSO agent. Default: (Empty)
port                            Port of the 1st FSSO agent. Default: 8000
password                        Password of the 1st FSSO agent. Default: (Empty)
server2                         Address of the 2nd FSSO agent. Default: (Empty)
port2                           Port of the 2nd FSSO agent. Default: 8000
password2                       Password of the 2nd FSSO agent. Default: (Empty)
server3                         Address of the 3rd FSSO agent. Default: (Empty)
port3                           Port of the 3rd FSSO agent. Default: 8000
password3                       Password of the 3rd FSSO agent. Default: (Empty)
server4                         Address of the 4th FSSO agent. Default: (Empty)
port4                           Port of the 4th FSSO agent. Default: 8000
password4                       Password of the 4th FSSO agent. Default: (Empty)
server5                         Address of the 5th FSSO agent. Default: (Empty)
port5                           Port of the 5th FSSO agent. Default: 8000
password5                       Password of the 5th FSSO agent. Default: (Empty)
ldap-server                     LDAP server to get group information. Default: (Empty)
source-ip                       Source IP for communications to FSSO agent. Default: 0.0.0.0

user/fsso-polling
CLI Syntax
config user fsso-polling
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set default-domain <string>
set port <integer>
set user <string>
set password <password>
set ldap-server <string>
set logon-history <integer>
set polling-frequency <integer>
config adgrp
edit <name_str>
set name <string>
end
end

Description
Configuration                   Description / Default Value
id                              Active Directory server ID.
status                          Enable/disable polling of Active Directory status. Default: enable
server                          Active Directory server name/IP address. Default: (Empty)
default-domain                  Default domain in this server. Default: (Empty)
port                            Port of the Active Directory server.
user                            Active Directory server user account. Default: (Empty)
password                        Password to connect to Active Directory server. Default: (Empty)
ldap-server                     LDAP server name for group names and users. Default: (Empty)
logon-history                   Hours to keep as an active logon (0 means keep forever).
polling-frequency               Polling frequency (1 - 30 s). Default: 10
adgrp                           LDAP group info. Default: (Empty)

user/group
CLI Syntax

config user group
edit <name_str>
set name <string>
set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
set authtimeout <integer>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
set http-digest-realm <string>
set sso-attribute-value <string>
config member
edit <name_str>
set name <string>
end
config match
edit <name_str>
set id <integer>
set server-name <string>
set group-name <string>
end
set user-id {email | auto-generate | specify}
set password {auto-generate | specify | disable}
set user-name {disable | enable}
set sponsor {optional | mandatory | disabled}
set company {optional | mandatory | disabled}
set email {disable | enable}
set mobile-phone {disable | enable}
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set expire-type {immediately | first-successful-login}
set expire <integer>
set max-accounts <integer>
set multiple-guest-add {disable | enable}
config guest
edit <name_str>
set user-id <string>
set name <string>
set group <string>
set password <password>
set mobile-phone <string>
set sponsor <string>
set company <string>
set email <string>
set expiration <user>
set comment <var-string>
end
end

Description
Configuration                   Description                                         Default Value
name                            Group name.                                         (Empty)
group-type                      Type of user group.                                 firewall
authtimeout                     Authentication timeout.
auth-concurrent-override        Enable/disable concurrent authentication            disable
                                override.
auth-concurrent-value           Maximum number of concurrent authenticated
                                connections per user (0 - 100).
http-digest-realm               Realm attribute for MD5-digest authentication.      (Empty)
sso-attribute-value             Single Sign On Attribute Value.                     (Empty)
member                          Group members.                                      (Empty)
match                           Group matches.                                      (Empty)
user-id                         User ID.                                            email
password                        Password.                                           auto-generate
user-name                       Enable/disable user name.                           disable
sponsor                         Sponsor.                                            optional
company                         Company.                                            optional
email                           Enable/disable email address.                       enable
mobile-phone                    Enable/disable mobile phone.                        disable
sms-server                      Send SMS through FortiGuard or other external       fortiguard
                                server.
sms-custom-server               SMS server.                                         (Empty)
expire-type                     Point at which expiration count down begins.        immediately
expire                          Expiration (1 - 31536000 sec).                      14400
max-accounts                    Maximum number of guest accounts that can be
                                created for this group (0 = unlimited).
multiple-guest-add              Enable/disable addition of multiple guests.         disable
guest                           Guest User.                                         (Empty)

user/ldap
CLI Syntax
config user ldap
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set source-ip <ipv4-address>
set cnid <string>
set dn <string>
set type {simple | anonymous | regular}
set username <string>
set password <password>
set group-member-check {user-attr | group-object | posix-group-object}
set group-object-filter <string>
set group-object-search-base <string>
set secure {disable | starttls | ldaps}
set ca-cert <string>
set port <integer>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
set member-attr <string>
set search-type {nested}
end

Description
Configuration                   Description                                         Default Value
name                            LDAP server entry name.                             (Empty)
server                          LDAP server CN domain name or IP.                   (Empty)
secondary-server                Secondary LDAP server CN domain name or IP.         (Empty)
tertiary-server                 Tertiary LDAP server CN domain name or IP.          (Empty)
source-ip                       Source IP for communications to LDAP server.        0.0.0.0
cnid                            Common Name Identifier (default = "cn").            cn
dn                              Distinguished Name.                                 (Empty)
type                            Type of LDAP binding.                               simple
username                        Username (full DN) for initial binding.             (Empty)
password                        Password for initial binding.                       (Empty)
group-member-check              Group member checking options.                      user-attr
group-object-filter             Filter used for group searching.                    (&(objectcategory=group)(member=*))
group-object-search-base        Search base used for group searching.               (Empty)
secure                          SSL connection.                                     disable
ca-cert                         CA certificate name.                                (Empty)
port                            Port number of the LDAP server (default = 389).     389
password-expiry-warning         Enable/disable password expiry warnings.            disable
password-renewal                Enable/disable online password renewal.             disable
member-attr                     Name of attribute from which to get group           memberOf
                                membership.
search-type                     Search type.                                        (Empty)

user/local
CLI Syntax
config user local
edit <name_str>
set name <string>
set status {enable | disable}
set type {password | radius | tacacs+ | ldap}
set passwd <password>
set ldap-server <string>
set radius-server <string>
set tacacs+-server <string>
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set passwd-policy <string>
set passwd-time <user>
set authtimeout <integer>
set workstation <string>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
end

Description
Configuration                   Description                                         Default Value
name                            User name.                                          (Empty)
status                          Enable/disable user.                                enable
type                            Authentication type.                                (Empty)
passwd                          User password.                                      (Empty)
ldap-server                     LDAP server name.                                   (Empty)
radius-server                   RADIUS server name.                                 (Empty)
tacacs+-server                  TACACS+ server name.                                (Empty)
two-factor                      Enable/disable two-factor authentication.           disable
fortitoken                      Two-factor recipient's FortiToken serial number.    (Empty)
email-to                        Two-factor recipient's email address.               (Empty)
sms-server                      Send SMS through FortiGuard or other external       fortiguard
                                server.
sms-custom-server               Two-factor recipient's SMS server.                  (Empty)
sms-phone                       Two-factor recipient's mobile phone number.         (Empty)
passwd-policy                   Password policy.                                    (Empty)
passwd-time                     Password last update time.                          0000-00-00 00:00:00
authtimeout                     Authentication timeout.
workstation                     Name of remote user workstation.                    (Empty)
auth-concurrent-override        Enable/disable concurrent authentication            disable
                                override.
auth-concurrent-value           Maximum number of concurrent authenticated
                                connections per user.

user/password-policy
CLI Syntax
config user password-policy
edit <name_str>
set name <string>
set expire-days <integer>
set warn-days <integer>
end

Description
Configuration                   Description                                         Default Value
name                            Password policy name.                               (Empty)
expire-days                     Number of days until the password expires.          180
warn-days                       Number of days to warn before password expires.     15

user/peer
CLI Syntax
config user peer
edit <name_str>
set name <string>
set mandatory-ca-verify {enable | disable}
set ca <string>
set subject <string>
set cn <string>
set cn-type {string | email | FQDN | ipv4 | ipv6}
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set ldap-mode {password | principal-name}
set ocsp-override-server <string>
set two-factor {enable | disable}
set passwd <password>
end

Description
Configuration                   Description                                         Default Value
name                            Peer name.                                          (Empty)
mandatory-ca-verify             Enable/disable mandatory CA verify.                 enable
ca                              Peer certificate CA (CA name in local).             (Empty)
subject                         Peer certificate name constraints.                  (Empty)
cn                              Peer certificate common name.                       (Empty)
cn-type                         Peer certificate common name type.                  string
ldap-server                     LDAP server for access rights check.                (Empty)
ldap-username                   Username for LDAP server bind.                      (Empty)
ldap-password                   Password for LDAP server bind.                      (Empty)
ldap-mode                       Peer LDAP mode.                                     password
ocsp-override-server            OCSP server.                                        (Empty)
two-factor                      Enable/disable 2-factor authentication              disable
                                (certificate + password).
passwd                          User password.                                      (Empty)

user/peergrp
CLI Syntax
config user peergrp
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration                   Description                                         Default Value
name                            Peer group name.                                    (Empty)
member                          Peer group members.                                 (Empty)

user/pop3
CLI Syntax
config user pop3
edit <name_str>
set name <string>
set server <string>
set port <integer>
set secure {none | starttls | pop3s}
end

Description
Configuration                   Description                                         Default Value
name                            POP3 server entry name.                             (Empty)
server                          {<name_str|ip_str>} server domain name or IP.       (Empty)
port                            POP3 service port number.
secure                          SSL connection.                                     starttls

user/radius
CLI Syntax
config user radius
edit <name_str>
set name <string>
set server <string>
set secret <password>
set secondary-server <string>
set secondary-secret <password>
set tertiary-server <string>
set tertiary-secret <password>
set timeout <integer>
set all-usergroup {disable | enable}
set use-management-vdom {enable | disable}
set nas-ip <ipv4-address>
set acct-interim-interval <integer>
set radius-coa {enable | disable}
set radius-port <integer>
set h3c-compatibility {enable | disable}
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
set source-ip <ipv4-address>
set username-case-sensitive {enable | disable}
config class
edit <name_str>
set name <string>
end
set password-renewal {enable | disable}
set rsso {enable | disable}
set rsso-radius-server-port <integer>
set rsso-radius-response {enable | disable}
set rsso-validate-request-secret {enable | disable}
set rsso-secret <password>
set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute-key <string>
set sso-attribute-value-override {enable | disable}
set rsso-context-timeout <integer>
set rsso-log-period <integer>
set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}
set rsso-flush-ip-session {enable | disable}
config accounting-server
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set secret <password>
set port <integer>
set source-ip <ipv4-address>
end
end

Description
Configuration                   Description                                         Default Value
name                            RADIUS server entry name.                           (Empty)
server                          {<name_str|ip_str>} primary server CN domain name   (Empty)
                                or IP.
secret                          Secret key to access the primary server.            (Empty)
secondary-server                {<name_str|ip_str>} secondary RADIUS CN domain      (Empty)
                                name or IP.
secondary-secret                Secret key to access the secondary server.          (Empty)
tertiary-server                 {<name_str|ip_str>} tertiary RADIUS CN domain       (Empty)
                                name or IP.
tertiary-secret                 Secret key to access the tertiary server.           (Empty)
timeout                         Authentication time-out.
all-usergroup                   Enable/disable automatically including this         disable
                                RADIUS server in all user groups.
use-management-vdom             Enable/disable using management VDOM to send        disable
                                requests.
nas-ip                          NAS IP address.                                     0.0.0.0
acct-interim-interval           Number of seconds between each accounting
                                interim update message (600 - 86400 sec).
radius-coa                      Enable/disable RADIUS CoA.                          disable
radius-port                     RADIUS service port number.
h3c-compatibility               Enable/disable H3C compatibility.                   disable
auth-type                       Authentication Protocol.                            auto
source-ip                       Source IP for communications to RADIUS server.      0.0.0.0
username-case-sensitive         Enable/disable username case sensitivity.           disable
class                           Class name(s).                                      (Empty)
password-renewal                Enable/disable password renewal.                    disable
rsso                            Enable/disable RADIUS based single sign on          disable
                                feature.
rsso-radius-server-port         UDP port to listen on for RADIUS accounting         1813
                                packets.
rsso-radius-response            Enable/disable sending RADIUS response packets.     disable
rsso-validate-request-secret    Enable/disable validating RADIUS request shared     disable
                                secret.
rsso-secret                     RADIUS shared secret for responses / validating     (Empty)
                                requests.
rsso-endpoint-attribute         RADIUS Attribute used to hold End Point name.       Calling-Station-Id
rsso-endpoint-block-attribute   RADIUS Attribute used to hold endpoint to block.    (Empty)
sso-attribute                   RADIUS Attribute used to match the single sign      Class
                                on group value.
sso-attribute-key               Key prefix for single-sign-on group value in the    (Empty)
                                sso-attribute.
sso-attribute-value-override    Enable/disable overriding the old attribute value   enable
                                with the new value for the same endpoint.
rsso-context-timeout            Timeout value for RADIUS server database entries    28800
                                (0 = infinite).
rsso-log-period                 Minimum time period to use for event logs.
rsso-log-flags                  Events to log.                                      protocol-error profile-missing
                                                                                    accounting-stop-missed accounting-event
                                                                                    endpoint-block radiusd-other
rsso-flush-ip-session           Enable/disable flush user IP sessions on RADIUS     disable
                                accounting stop.
accounting-server               Additional accounting servers.                      (Empty)

user/security-exempt-list
CLI Syntax
config user security-exempt-list
edit <name_str>
set name <string>
set description <string>
config rule
edit <name_str>
set id <integer>
config srcaddr
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
end
end

Description
Configuration                   Description                                         Default Value
name                            Name of the exempt list.                            (Empty)
description                     Description.                                        (Empty)
rule                            Exempt rules.                                       (Empty)

user/setting
CLI Syntax
config user setting
edit <name_str>
set auth-type {http | https | ftp | telnet}
set auth-cert <string>
set auth-ca-cert <string>
set auth-secure-http {enable | disable}
set auth-http-basic {enable | disable}
set auth-multi-group {enable | disable}
set auth-timeout <integer>
set auth-timeout-type {idle-timeout | hard-timeout | new-session}
set auth-portal-timeout <integer>
set radius-ses-timeout-act {hard-timeout | ignore-timeout}
set auth-blackout-time <integer>
set auth-invalid-max <integer>
set auth-lockout-threshold <integer>
set auth-lockout-duration <integer>
config auth-ports
edit <name_str>
set id <integer>
set type {http | https | ftp | telnet}
set port <integer>
end
end

Description
Configuration                   Description                                         Default Value
auth-type                       Allowed firewall policy authentication methods.     http https ftp telnet
auth-cert                       HTTPS server certificate for policy                 (Empty)
                                authentication.
auth-ca-cert                    HTTPS CA certificate for policy authentication.     (Empty)
auth-secure-http                Enable/disable use of HTTPS for HTTP                disable
                                authentication.
auth-http-basic                 Enable/disable use of HTTP BASIC for HTTP           disable
                                authentication.
auth-multi-group                Enable/disable retrieval of groups to which a user  enable
                                belongs.
auth-timeout                    Firewall user authentication time-out.
auth-timeout-type               Authenticated policy expiration behavior.           idle-timeout
auth-portal-timeout             Firewall captive portal authentication time-out
                                (1 - 30 min, default = 3).
radius-ses-timeout-act          RADIUS session timeout behavior.                    hard-timeout
auth-blackout-time              Authentication blackout time (0 - 3600 s).
auth-invalid-max                Number of invalid auth tries allowed before
                                blackout.
auth-lockout-threshold          Maximum number of failed login attempts before
                                lockout (1 - 10).
auth-lockout-duration           Lockout period in seconds after too many login
                                failures.
auth-ports                      Authentication port table.                          (Empty)

user/tacacs+
CLI Syntax
config user tacacs+
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set port <integer>
set key <password>
set secondary-key <password>
set tertiary-key <password>
set authen-type {mschap | chap | pap | ascii | auto}
set authorization {enable | disable}
set source-ip <ipv4-address>
end

Description
Configuration                   Description                                         Default Value
name                            TACACS+ server entry name.                          (Empty)
server                          {<name_str|ip_str>} server CN domain name or IP.    (Empty)
secondary-server                {<name_str|ip_str>} secondary server CN domain      (Empty)
                                name or IP.
tertiary-server                 {<name_str|ip_str>} tertiary server CN domain       (Empty)
                                name or IP.
port                            Port number of the TACACS+ server.                  49
key                             Key to access the server.                           (Empty)
secondary-key                   Key to access the secondary server.                 (Empty)
tertiary-key                    Key to access the tertiary server.                  (Empty)
authen-type                     Authentication type to use.                         auto
authorization                   Enable/disable TACACS+ authorization.               disable
source-ip                       Source IP for communications to TACACS+ server.     0.0.0.0

voip/profile
CLI Syntax
config voip profile
edit <name_str>
set name <string>
set comment <var-string>
config sip
edit <name_str>
set status {disable | enable}
set rtp {disable | enable}
set open-register-pinhole {disable | enable}
set open-contact-pinhole {disable | enable}
set strict-register {disable | enable}
set register-rate <integer>
set invite-rate <integer>
set max-dialogs <integer>
set max-line-length <integer>
set block-long-lines {disable | enable}
set block-unknown {disable | enable}
set call-keepalive <integer>
set block-ack {disable | enable}
set block-bye {disable | enable}
set block-cancel {disable | enable}
set block-info {disable | enable}
set block-invite {disable | enable}
set block-message {disable | enable}
set block-notify {disable | enable}
set block-options {disable | enable}
set block-prack {disable | enable}
set block-publish {disable | enable}
set block-refer {disable | enable}
set block-register {disable | enable}
set block-subscribe {disable | enable}
set block-update {disable | enable}
set register-contact-trace {disable | enable}
set open-via-pinhole {disable | enable}
set open-record-route-pinhole {disable | enable}
set rfc2543-branch {disable | enable}
set log-violations {disable | enable}
set log-call-summary {disable | enable}
set nat-trace {disable | enable}
set subscribe-rate <integer>
set message-rate <integer>
set notify-rate <integer>
set refer-rate <integer>
set update-rate <integer>
set options-rate <integer>
set ack-rate <integer>
set prack-rate <integer>
set info-rate <integer>
set publish-rate <integer>
set bye-rate <integer>
set cancel-rate <integer>
set preserve-override {disable | enable}
set no-sdp-fixup {disable | enable}
set contact-fixup {disable | enable}
set max-idle-dialogs <integer>
set block-geo-red-options {disable | enable}
set hosted-nat-traversal {disable | enable}
set hnt-restrict-source-ip {disable | enable}
set max-body-length <integer>
set unknown-header {discard | pass | respond}
set malformed-request-line {discard | pass | respond}
set malformed-header-via {discard | pass | respond}
set malformed-header-from {discard | pass | respond}
set malformed-header-to {discard | pass | respond}
set malformed-header-call-id {discard | pass | respond}
set malformed-header-cseq {discard | pass | respond}
set malformed-header-rack {discard | pass | respond}
set malformed-header-rseq {discard | pass | respond}
set malformed-header-contact {discard | pass | respond}
set malformed-header-record-route {discard | pass | respond}
set malformed-header-route {discard | pass | respond}
set malformed-header-expires {discard | pass | respond}
set malformed-header-content-type {discard | pass | respond}
set malformed-header-content-length {discard | pass | respond}
set malformed-header-max-forwards {discard | pass | respond}
set malformed-header-allow {discard | pass | respond}
set malformed-header-p-asserted-identity {discard | pass | respond}
set malformed-header-sdp-v {discard | pass | respond}
set malformed-header-sdp-o {discard | pass | respond}
set malformed-header-sdp-s {discard | pass | respond}
set malformed-header-sdp-i {discard | pass | respond}
set malformed-header-sdp-c {discard | pass | respond}
set malformed-header-sdp-b {discard | pass | respond}
set malformed-header-sdp-z {discard | pass | respond}
set malformed-header-sdp-k {discard | pass | respond}
set malformed-header-sdp-a {discard | pass | respond}
set malformed-header-sdp-t {discard | pass | respond}
set malformed-header-sdp-r {discard | pass | respond}
set malformed-header-sdp-m {discard | pass | respond}
set provisional-invite-expiry-time <integer>
set ips-rtp {disable | enable}
set ssl-mode {off | full}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-algorithm {high | medium | low}
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-client-certificate <string>
set ssl-server-certificate <string>
set ssl-auth-client <string>
set ssl-auth-server <string>
end
config sccp
edit <name_str>
set status {disable | enable}
set block-mcast {disable | enable}
set verify-header {disable | enable}
set log-call-summary {disable | enable}
set log-violations {disable | enable}
set max-calls <integer>
end
end

Description
Configuration                   Description                                         Default Value
name                            Profile name.                                       (Empty)
comment                         Comment.                                            (Empty)
sip                             SIP.                                                Details below

Configuration (sip)                     Default Value
status                                  enable
rtp                                     enable
open-register-pinhole                   enable
open-contact-pinhole                    enable
strict-register                         disable
register-rate                           0
invite-rate                             0
max-dialogs                             0
max-line-length                         998
block-long-lines                        enable
block-unknown                           enable
call-keepalive                          0
block-ack                               disable
block-bye                               disable
block-cancel                            disable
block-info                              disable
block-invite                            disable
block-message                           disable
block-notify                            disable
block-options                           disable
block-prack                             disable
block-publish                           disable
block-refer                             disable
block-register                          disable
block-subscribe                         disable
block-update                            disable
register-contact-trace                  disable
open-via-pinhole                        disable
open-record-route-pinhole               enable
rfc2543-branch                          disable
log-violations                          disable
log-call-summary                        enable
nat-trace                               enable
subscribe-rate                          0
message-rate                            0
notify-rate                             0
refer-rate                              0
update-rate                             0
options-rate                            0
ack-rate                                0
prack-rate                              0
info-rate                               0
publish-rate                            0
bye-rate                                0
cancel-rate                             0
preserve-override                       disable
no-sdp-fixup                            disable
contact-fixup                           enable
max-idle-dialogs                        0
block-geo-red-options                   disable
hosted-nat-traversal                    disable
hnt-restrict-source-ip                  disable
max-body-length                         0
unknown-header                          pass
malformed-request-line                  pass
malformed-header-via                    pass
malformed-header-from                   pass
malformed-header-to                     pass
malformed-header-call-id                pass
malformed-header-cseq                   pass
malformed-header-rack                   pass
malformed-header-rseq                   pass
malformed-header-contact                pass
malformed-header-record-route           pass
malformed-header-route                  pass
malformed-header-expires                pass
malformed-header-content-type           pass
malformed-header-content-length         pass
malformed-header-max-forwards           pass
malformed-header-allow                  pass
malformed-header-p-asserted-identity    pass
malformed-header-sdp-v                  pass
malformed-header-sdp-o                  pass
malformed-header-sdp-s                  pass
malformed-header-sdp-i                  pass
malformed-header-sdp-c                  pass
malformed-header-sdp-b                  pass
malformed-header-sdp-z                  pass
malformed-header-sdp-k                  pass
malformed-header-sdp-a                  pass
malformed-header-sdp-t                  pass
malformed-header-sdp-r                  pass
malformed-header-sdp-m                  pass
provisional-invite-expiry-time          210
ips-rtp                                 enable
ssl-mode                                off
ssl-send-empty-frags                    enable
ssl-client-renegotiation                allow
ssl-algorithm                           high
ssl-pfs                                 allow
ssl-min-version                         tls-1.0
ssl-max-version                         tls-1.2
ssl-client-certificate                  (Empty)
ssl-server-certificate                  (Empty)
ssl-auth-client                         (Empty)
ssl-auth-server                         (Empty)

sccp                            SCCP.                                               Details below

Configuration (sccp)                    Default Value
status                                  enable
block-mcast                             disable
verify-header                           disable
log-call-summary                        disable
log-violations                          disable
max-calls                               0

vpn.certificate/ca
CLI Syntax
config vpn.certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end

Description
Configuration                   Description                                         Default Value
name                            Name.                                               (Empty)
ca                              CA certificate.                                     (Empty)
range                           CA certificate range.                               vdom
source                          CA certificate source.                              user
trusted                         Enable/disable trusted CA.                          enable
scep-url                        URL of SCEP server.                                 (Empty)
auto-update-days                Days to auto-update before expiry (0 = disabled).
auto-update-days-warning        Days to send warning before auto-update
                                (0 = disabled).
source-ip                       Source IP for communications to SCEP server.        0.0.0.0

vpn.certificate/crl
CLI Syntax
config vpn.certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end

Description
Configuration                   Description                                         Default Value
name                            Name.                                               (Empty)
crl                             Certificate Revocation List.                        (Empty)
range                           CRL range.                                          vdom
source                          CRL source.                                         user
update-vdom                     Virtual domain for CRL update.                      root
ldap-server                     LDAP server.                                        (Empty)
ldap-username                   Login name for LDAP server.                         (Empty)
ldap-password                   Login password for LDAP server.                     (Empty)
http-url                        URL of HTTP server for CRL update.                  (Empty)
scep-url                        URL of CA server for CRL update via SCEP.           (Empty)
scep-cert                       Local certificate used for CRL update via SCEP.     Fortinet_CA_SSL
update-interval                 Seconds between updates (0 = disabled).
source-ip                       Source IP for communications to CA (HTTP/SCEP)      0.0.0.0
                                server.

vpn.certificate/local
CLI Syntax
config vpn.certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end

Description
Configuration                   Description                                         Default Value
name                            Name.                                               (Empty)
password                        Password.                                           (Empty)
comments                        Comment.                                            (Empty)
private-key                     Private key.                                        (Empty)
certificate                     Certificate.                                        (Empty)
csr                             Certificate Signing Request.                        (Empty)
state                           Certificate Signing Request State.                  (Empty)
scep-url                        URL of SCEP server.                                 (Empty)
range                           Certificate range.                                  vdom
source                          Certificate source.                                 user
auto-regenerate-days            Days to auto-regenerate before expiry
                                (0 = disabled).
auto-regenerate-days-warning    Days to send warning before auto-regeneration
                                (0 = disabled).
scep-password                   SCEP server challenge password for                  (Empty)
                                auto-regeneration.
ca-identifier                   CA identifier of the CA server for signing via      (Empty)
                                SCEP.
name-encoding                   Name encoding for auto-regeneration.                printable
source-ip                       Source IP for communications to SCEP server.        0.0.0.0
ike-localid                     IKE local ID.                                       (Empty)
ike-localid-type                IKE local ID type.                                  asn1dn


vpn.certificate/ocsp-server
CLI Syntax
config vpn.certificate ocsp-server
    edit <name_str>
        set name <string>
        set url <string>
        set cert <string>
        set secondary-url <string>
        set secondary-cert <string>
        set unavail-action {revoke | ignore}
        set source-ip <ipv4-address>
end


Description
Configuration | Description | Default Value
name | OCSP server entry name. | (Empty)
url | URL to OCSP server. | (Empty)
cert | OCSP server certificate. | (Empty)
secondary-url | URL to secondary OCSP server. | (Empty)
secondary-cert | Secondary OCSP server certificate. | (Empty)
unavail-action | Action when server is unavailable. | revoke
source-ip | Source IP for communications to OCSP server. | 0.0.0.0


vpn.certificate/remote
CLI Syntax
config vpn.certificate remote
    edit <name_str>
        set name <string>
        set remote <user>
        set range {global | vdom}
        set source {factory | user | bundle | fortiguard}
end


Description
Configuration | Description | Default Value
name | Name. | (Empty)
remote | Remote certificate. | (Empty)
range | Remote certificate range. | vdom
source | Remote certificate source. | user


vpn.certificate/setting
CLI Syntax
config vpn.certificate setting
    edit <name_str>
        set ocsp-status {enable | disable}
        set ocsp-default-server <string>
        set check-ca-cert {enable | disable}
        set strict-crl-check {enable | disable}
        set strict-ocsp-check {enable | disable}
end


Description
Configuration | Description | Default Value
ocsp-status | OCSP status. | disable
ocsp-default-server | Default OCSP server. | (Empty)
check-ca-cert | Enable/disable CA certificate checking. | enable
strict-crl-check | Enable/disable strict-mode CRL checking. | disable
strict-ocsp-check | Enable/disable strict-mode OCSP checking. | disable


vpn.ipsec/concentrator
CLI Syntax
config vpn.ipsec concentrator
    edit <name_str>
        set name <string>
        set src-check {disable | enable}
        config member
            edit <name_str>
                set name <string>
            end
end


Description
Configuration | Description | Default Value
name | Concentrator name. | (Empty)
src-check | Enable/disable use of source selector when choosing appropriate tunnel. | disable
member | Concentrator members. | (Empty)


vpn.ipsec/forticlient
CLI Syntax
config vpn.ipsec forticlient
    edit <name_str>
        set realm <string>
        set usergroupname <string>
        set phase2name <string>
        set status {enable | disable}
end


Description
Configuration | Description | Default Value
realm | FortiClient realm name. | (Empty)
usergroupname | User group name. | (Empty)
phase2name | Tunnel (phase2) name. | (Empty)
status | Enable/disable realm status. | enable


vpn.ipsec/manualkey
CLI Syntax
config vpn.ipsec manualkey
    edit <name_str>
        set name <string>
        set interface <string>
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address-any>
        set authentication {null | md5 | sha1 | sha256 | sha384 | sha512}
        set encryption {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set authkey <user>
        set enckey <user>
        set localspi <user>
        set remotespi <user>
        set npu-offload {enable | disable}
end


Description
Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
interface | Interface name. | (Empty)
remote-gw | Peer gateway. | 0.0.0.0
local-gw | Local gateway. | 0.0.0.0
authentication | Authentication algorithm. | null
encryption | Encryption algorithm. | null
authkey | Authentication key. |
enckey | Encryption key. |
localspi | Local SPI. | 0x100
remotespi | Remote SPI. | 0x100
npu-offload | Enable/disable NPU offloading. | enable


vpn.ipsec/manualkey-interface
CLI Syntax
config vpn.ipsec manualkey-interface
    edit <name_str>
        set name <string>
        set interface <string>
        set ip-version {4 | 6}
        set addr-type {4 | 6}
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set local-gw <ipv4-address-any>
        set local-gw6 <ipv6-address>
        set auth-alg {null | md5 | sha1 | sha256 | sha384 | sha512}
        set enc-alg {null | des | 3des | aes128 | aes192 | aes256 | aria128 | aria192 | aria256 | seed}
        set auth-key <user>
        set enc-key <user>
        set local-spi <user>
        set remote-spi <user>
        set npu-offload {enable | disable}
end


Description
Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
interface | Interface name. | (Empty)
ip-version | IP version to use for VPN interface. |
addr-type | IP version to use for IP packets. |
remote-gw | Remote IPv4 address of VPN gateway. | 0.0.0.0
remote-gw6 | Remote IPv6 address of VPN gateway. | ::
local-gw | Local IPv4 address of VPN gateway. | 0.0.0.0
local-gw6 | Local IPv6 address of VPN gateway. | ::
auth-alg | Authentication algorithm. | null
enc-alg | Encryption algorithm. | null
auth-key | Authentication key. |
enc-key | Encryption key. |
local-spi | Local SPI. | 0x100
remote-spi | Remote SPI. | 0x100
npu-offload | Enable/disable NPU offloading. | enable


vpn.ipsec/phase1
CLI Syntax
config vpn.ipsec phase1
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ike-version {1 | 2}
        set remote-gw <ipv4-address>
        set local-gw <ipv4-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
            end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set autoconfig {disable | client | gateway}
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
            end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
            end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
            3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
            aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 |
            aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
            aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 |
            aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
            aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
            aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
            seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows |
            dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end


Description
Configuration | Description | Default Value
name | IPsec remote gateway name. | (Empty)
type | Remote gateway type (static, dialup, or DDNS). | static
interface | Local outgoing interface. | (Empty)
ike-version | IKE protocol version (IKEv1 or IKEv2). |
remote-gw | Remote VPN gateway. | 0.0.0.0
local-gw | Local VPN gateway. | 0.0.0.0
remotegw-ddns | Domain name of remote gateway (e.g. name.DDNS.com). | (Empty)
keylife | Phase1 keylife. | 86400
certificate | Certificate name for signature. | (Empty)
authmethod | Authentication method. | psk
mode | Mode. | main
peertype | Peer type. | any
peerid | Peer ID. | (Empty)
usrgrp | User group. | (Empty)
peer | Accept this peer certificate. | (Empty)
peergrp | Accept this peer certificate group. | (Empty)
autoconfig | Auto-configuration type. |
mode-cfg | Enable/disable configuration method. | disable
assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. | enable
assign-ip-from | Method by which the IP address will be assigned. | range
ipv4-start-ip | Start of IPv4 range. | 0.0.0.0
ipv4-end-ip | End of IPv4 range. | 0.0.0.0
ipv4-netmask | IPv4 netmask. | 255.255.255.255
dns-mode | DNS server mode. | manual
ipv4-dns-server1 | IPv4 DNS server 1. | 0.0.0.0
ipv4-dns-server2 | IPv4 DNS server 2. | 0.0.0.0
ipv4-dns-server3 | IPv4 DNS server 3. | 0.0.0.0
ipv4-wins-server1 | WINS server 1. | 0.0.0.0
ipv4-wins-server2 | WINS server 2. | 0.0.0.0
ipv4-exclude-range | Configuration method IPv4 exclude ranges. | (Empty)
ipv4-split-include | IPv4 split-include subnets. | (Empty)
split-include-service | Split-include services. | (Empty)
ipv6-start-ip | Start of IPv6 range. | ::
ipv6-end-ip | End of IPv6 range. | ::
ipv6-prefix | IPv6 prefix. | 128
ipv6-dns-server1 | IPv6 DNS server 1. | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ::
ipv6-dns-server3 | IPv6 DNS server 3. | ::
ipv6-exclude-range | Configuration method IPv6 exclude ranges. | (Empty)
ipv6-split-include | IPv6 split-include subnets. | (Empty)
unity-support | Enable/disable support for Cisco UNITY configuration method extensions. | enable
domain | Instruct unity clients about the default DNS domain. | (Empty)
banner | Message that unity client should display after connecting. | (Empty)
include-local-lan | Enable/disable allowing local LAN access on unity clients. | disable
save-password | Enable/disable saving XAuth username and password on VPN clients. | disable
client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. | disable
client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. | disable
backup-gateway | Instruct unity clients about the backup gateway address(es). | (Empty)
proposal | Phase1 proposal. | aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route | Enable/disable addition of a route to the peer destination selector. | disable
exchange-interface-ip | Enable/disable exchange of IPsec interface IP address. | disable
add-gw-route | Enable/disable automatically adding a route to the remote gateway. | disable
psksecret | Pre-shared secret for PSK authentication. | (Empty)
keepalive | NAT-T keep alive interval. | 10
distance | Distance for routes added by IKE (1 - 255). | 15
priority | Priority for routes added by IKE (0 - 4294967295). |
localid | Local ID. | (Empty)
localid-type | Local ID type. | auto
auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. | enable
negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). | 30
fragmentation | Enable/disable fragmenting IKE messages on retransmission. | enable
dpd | Dead Peer Detection mode. | on-demand
dpd-retrycount | Number of DPD retry attempts. |
dpd-retryinterval | DPD retry interval. | 20
forticlient-enforcement | Enable/disable FortiClient enforcement. | disable
comments | Comment. | (Empty)
npu-offload | Enable/disable NPU offloading. | enable
send-cert-chain | Enable/disable sending certificate chain. | enable
dhgrp | DH group. | 14 5
suite-b | Use Suite-B. | disable
eap | Enable/disable IKEv2 EAP authentication. | disable
eap-identity | IKEv2 EAP peer identity type. | use-id-payload
acct-verify | Enable/disable verification of RADIUS accounting record. | disable
wizard-type | GUI VPN wizard type. | custom
xauthtype | XAuth type. | disable
reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. | disable
authusr | XAuth user name. | (Empty)
authpasswd | XAuth password (max 35 characters). | (Empty)
authusrgrp | Authentication user group. | (Empty)
mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. | disable
idle-timeout | Enable/disable IPsec tunnel idle timeout. | disable
idle-timeoutinterval | IPsec tunnel idle timeout in minutes (10 - 43200). | 15
ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. | enable
nattraversal | Enable/disable NAT traversal. | enable
esn | Extended sequence number (ESN) negotiation. | disable


vpn.ipsec/phase1-interface
CLI Syntax
config vpn.ipsec phase1-interface
    edit <name_str>
        set name <string>
        set type {static | dynamic | ddns}
        set interface <string>
        set ip-version {4 | 6}
        set ike-version {1 | 2}
        set local-gw <ipv4-address>
        set local-gw6 <ipv6-address>
        set remote-gw <ipv4-address>
        set remote-gw6 <ipv6-address>
        set remotegw-ddns <string>
        set keylife <integer>
        config certificate
            edit <name_str>
                set name <string>
            end
        set authmethod {psk | rsa-signature | signature}
        set mode {aggressive | main}
        set peertype {any | one | dialup | peer | peergrp}
        set peerid <string>
        set default-gw <ipv4-address>
        set default-gw-priority <integer>
        set usrgrp <string>
        set peer <string>
        set peergrp <string>
        set monitor <string>
        set monitor-hold-down-type {immediate | delay | time}
        set monitor-hold-down-delay <integer>
        set monitor-hold-down-weekday {everyday | sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set monitor-hold-down-time <user>
        set mode-cfg {disable | enable}
        set assign-ip {disable | enable}
        set assign-ip-from {range | usrgrp | dhcp}
        set ipv4-start-ip <ipv4-address>
        set ipv4-end-ip <ipv4-address>
        set ipv4-netmask <ipv4-netmask>
        set dns-mode {manual | auto}
        set ipv4-dns-server1 <ipv4-address>
        set ipv4-dns-server2 <ipv4-address>
        set ipv4-dns-server3 <ipv4-address>
        set ipv4-wins-server1 <ipv4-address>
        set ipv4-wins-server2 <ipv4-address>
        config ipv4-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
        set ipv4-split-include <string>
        set split-include-service <string>
        set ipv6-start-ip <ipv6-address>
        set ipv6-end-ip <ipv6-address>
        set ipv6-prefix <integer>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-dns-server3 <ipv6-address>
        config ipv6-exclude-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv6-address>
                set end-ip <ipv6-address>
            end
        set ipv6-split-include <string>
        set unity-support {disable | enable}
        set domain <string>
        set banner <var-string>
        set include-local-lan {disable | enable}
        set save-password {disable | enable}
        set client-auto-negotiate {disable | enable}
        set client-keep-alive {disable | enable}
        config backup-gateway
            edit <name_str>
                set address <string>
            end
        set proposal {des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
            3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
            aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 |
            aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
            aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 |
            aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
            aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
            aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
            seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set add-route {disable | enable}
        set exchange-interface-ip {enable | disable}
        set add-gw-route {enable | disable}
        set psksecret <password>
        set keepalive <integer>
        set distance <integer>
        set priority <integer>
        set localid <string>
        set localid-type {auto | fqdn | user-fqdn | keyid | address | asn1dn}
        set auto-negotiate {enable | disable}
        set negotiate-timeout <integer>
        set fragmentation {enable | disable}
        set dpd {disable | on-idle | on-demand}
        set dpd-retrycount <integer>
        set dpd-retryinterval <user>
        set forticlient-enforcement {enable | disable}
        set comments <var-string>
        set npu-offload {enable | disable}
        set send-cert-chain {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set suite-b {disable | suite-b-gcm-128 | suite-b-gcm-256}
        set eap {enable | disable}
        set eap-identity {use-id-payload | send-request}
        set acct-verify {enable | disable}
        set wizard-type {custom | dialup-forticlient | dialup-ios | dialup-android | dialup-windows |
            dialup-cisco | static-fortigate | dialup-fortigate | static-cisco | dialup-cisco-fw}
        set xauthtype {disable | client | pap | chap | auto}
        set reauth {disable | enable}
        set authusr <string>
        set authpasswd <password>
        set authusrgrp <string>
        set mesh-selector-type {disable | subnet | host}
        set idle-timeout {enable | disable}
        set idle-timeoutinterval <integer>
        set ha-sync-esp-seqno {enable | disable}
        set auto-discovery-sender {enable | disable}
        set auto-discovery-receiver {enable | disable}
        set auto-discovery-forwarder {enable | disable}
        set auto-discovery-psk {enable | disable}
        set encapsulation {none | gre | vxlan}
        set encapsulation-address {ike | ipv4 | ipv6}
        set encap-local-gw4 <ipv4-address>
        set encap-local-gw6 <ipv6-address>
        set encap-remote-gw4 <ipv4-address>
        set encap-remote-gw6 <ipv6-address>
        set nattraversal {enable | disable | forced}
        set esn {require | allow | disable}
end


Description
Configuration | Description | Default Value
name | IPsec remote gateway name. | (Empty)
type | Remote gateway type (static, dialup, or DDNS). | static
interface | Local outgoing interface. | (Empty)
ip-version | IP version to use for VPN interface. |
ike-version | IKE protocol version (IKEv1 or IKEv2). |
local-gw | Local IPv4 address of VPN. | 0.0.0.0
local-gw6 | Local IPv6 address of VPN. | ::
remote-gw | Remote IPv4 address of VPN gateway. | 0.0.0.0
remote-gw6 | Remote IPv6 address of VPN. | ::
remotegw-ddns | Domain name of remote gateway (e.g. name.DDNS.com). | (Empty)
keylife | Phase1 keylife. | 86400
certificate | Certificate name for signature. | (Empty)
authmethod | Authentication method. | psk
mode | Mode. | main
peertype | Peer type. | any
peerid | Peer ID. | (Empty)
default-gw | IPv4 address of default route gateway to use for traffic exiting the interface. | 0.0.0.0
default-gw-priority | Priority for default gateway route. |
usrgrp | User group. | (Empty)
peer | Accept this peer certificate. | (Empty)
peergrp | Accept this peer certificate group. | (Empty)
monitor | IPsec interface to back up. | (Empty)
monitor-hold-down-type | Control recovery time when primary re-establishes. | immediate
monitor-hold-down-delay | Number of seconds to wait before recovery once primary re-establishes. |
monitor-hold-down-weekday | Day of the week to recover once primary re-establishes. | sunday
monitor-hold-down-time | Time of day to recover once primary re-establishes. | 00:00
mode-cfg | Enable/disable configuration method. | disable
assign-ip | Enable/disable assignment of IP to IPsec interface via configuration method. | enable
assign-ip-from | Method by which the IP address will be assigned. | range
ipv4-start-ip | Start of IPv4 range. | 0.0.0.0
ipv4-end-ip | End of IPv4 range. | 0.0.0.0
ipv4-netmask | IPv4 netmask. | 255.255.255.255
dns-mode | DNS server mode. | manual
ipv4-dns-server1 | IPv4 DNS server 1. | 0.0.0.0
ipv4-dns-server2 | IPv4 DNS server 2. | 0.0.0.0
ipv4-dns-server3 | IPv4 DNS server 3. | 0.0.0.0
ipv4-wins-server1 | WINS server 1. | 0.0.0.0
ipv4-wins-server2 | WINS server 2. | 0.0.0.0
ipv4-exclude-range | Configuration method IPv4 exclude ranges. | (Empty)
ipv4-split-include | IPv4 split-include subnets. | (Empty)
split-include-service | Split-include services. | (Empty)
ipv6-start-ip | Start of IPv6 range. | ::
ipv6-end-ip | End of IPv6 range. | ::
ipv6-prefix | IPv6 prefix. | 128
ipv6-dns-server1 | IPv6 DNS server 1. | ::
ipv6-dns-server2 | IPv6 DNS server 2. | ::
ipv6-dns-server3 | IPv6 DNS server 3. | ::
ipv6-exclude-range | Configuration method IPv6 exclude ranges. | (Empty)
ipv6-split-include | IPv6 split-include subnets. | (Empty)
unity-support | Enable/disable support for Cisco UNITY configuration method extensions. | enable
domain | Instruct unity clients about the default DNS domain. | (Empty)
banner | Message that unity client should display after connecting. | (Empty)
include-local-lan | Enable/disable allowing local LAN access on unity clients. | disable
save-password | Enable/disable saving XAuth username and password on VPN clients. | disable
client-auto-negotiate | Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. | disable
client-keep-alive | Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. | disable
backup-gateway | Instruct unity clients about the backup gateway address(es). | (Empty)
proposal | Phase1 proposal. | aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route | Enable/disable addition of a route to the peer destination selector. | enable
exchange-interface-ip | Enable/disable exchange of IPsec interface IP address. | disable
add-gw-route | Enable/disable automatically adding a route to the remote gateway. | disable
psksecret | Pre-shared secret for PSK authentication. | (Empty)
keepalive | NAT-T keep alive interval. | 10
distance | Distance for routes added by IKE (1 - 255). | 15
priority | Priority for routes added by IKE (0 - 4294967295). |
localid | Local ID. | (Empty)
localid-type | Local ID type. | auto
auto-negotiate | Enable/disable automatic initiation of IKE SA negotiation. | enable
negotiate-timeout | IKE SA negotiation timeout in seconds (1 - 300). | 30
fragmentation | Enable/disable fragmenting IKE messages on retransmission. | enable
dpd | Dead Peer Detection mode. | on-demand
dpd-retrycount | Number of DPD retry attempts. |
dpd-retryinterval | DPD retry interval. | 20
forticlient-enforcement | Enable/disable FortiClient enforcement. | disable
comments | Comment. | (Empty)
npu-offload | Enable/disable NPU offloading. | enable
send-cert-chain | Enable/disable sending certificate chain. | enable
dhgrp | DH group. | 14 5
suite-b | Use Suite-B. | disable
eap | Enable/disable IKEv2 EAP authentication. | disable
eap-identity | IKEv2 EAP peer identity type. | use-id-payload
acct-verify | Enable/disable verification of RADIUS accounting record. | disable
wizard-type | GUI VPN wizard type. | custom
xauthtype | XAuth type. | disable
reauth | Enable/disable re-authentication upon IKE SA lifetime expiration. | disable
authusr | XAuth user name. | (Empty)
authpasswd | XAuth password (max 35 characters). | (Empty)
authusrgrp | Authentication user group. | (Empty)
mesh-selector-type | Add selectors containing subsets of the configuration depending on traffic. | disable
idle-timeout | Enable/disable IPsec tunnel idle timeout. | disable
idle-timeoutinterval | IPsec tunnel idle timeout in minutes (10 - 43200). | 15
ha-sync-esp-seqno | Enable/disable sequence number jump ahead for IPsec HA. | enable
auto-discovery-sender | Enable/disable sending auto-discovery short-cut messages. | disable
auto-discovery-receiver | Enable/disable accepting auto-discovery short-cut messages. | disable
auto-discovery-forwarder | Enable/disable forwarding auto-discovery short-cut messages. | disable
auto-discovery-psk | Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. | disable
encapsulation | Enable/disable GRE/VXLAN encapsulation. | none
encapsulation-address | Source for GRE/VXLAN tunnel address. | ike
encap-local-gw4 | Local IPv4 address of GRE/VXLAN tunnel. | 0.0.0.0
encap-local-gw6 | Local IPv6 address of GRE/VXLAN tunnel. | ::
encap-remote-gw4 | Remote IPv4 address of GRE/VXLAN tunnel. | 0.0.0.0
encap-remote-gw6 | Remote IPv6 address of GRE/VXLAN tunnel. | ::
nattraversal | Enable/disable NAT traversal. | enable
esn | Extended sequence number (ESN) negotiation. | disable


vpn.ipsec/phase2
CLI Syntax
config vpn.ipsec phase2
    edit <name_str>
        set name <string>
        set phase1name <string>
        set dhcp-ipsec {enable | disable}
        set use-natip {enable | disable}
        set selector-match {exact | subset | auto}
        set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 |
            des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 |
            3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 |
            aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm |
            aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 |
            aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm |
            aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 |
            aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 |
            aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 |
            seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set pfs {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set replay {enable | disable}
        set keepalive {enable | disable}
        set auto-negotiate {enable | disable}
        set add-route {phase1 | enable | disable}
        set keylifeseconds <integer>
        set keylifekbs <integer>
        set keylife-type {seconds | kbs | both}
        set single-source {enable | disable}
        set route-overlap {use-old | use-new | allow}
        set encapsulation {tunnel-mode | transport-mode}
        set l2tp {enable | disable}
        set comments <var-string>
        set protocol <integer>
        set src-name <string>
        set src-name6 <string>
        set src-addr-type {subnet | range | ip | name}
        set src-start-ip <ipv4-address-any>
        set src-start-ip6 <ipv6-address>
        set src-end-ip <ipv4-address-any>
        set src-end-ip6 <ipv6-address>
        set src-subnet <ipv4-classnet-any>
        set src-subnet6 <ipv6-prefix>
        set src-port <integer>
        set dst-name <string>
        set dst-name6 <string>
        set dst-addr-type {subnet | range | ip | name}
        set dst-start-ip <ipv4-address-any>
        set dst-start-ip6 <ipv6-address>
        set dst-end-ip <ipv4-address-any>
        set dst-end-ip6 <ipv6-address>
        set dst-subnet <ipv4-classnet-any>
        set dst-subnet6 <ipv6-prefix>
        set dst-port <integer>
end


Description
Configuration | Description | Default Value
name | IPsec tunnel name. | (Empty)
phase1name | IKE phase1 name. | (Empty)
dhcp-ipsec | Enable/disable DHCP-IPsec. | disable
use-natip | Enable/disable source NAT selector fix-up. | enable
selector-match | Match type to use when comparing selectors. | auto
proposal | Phase2 proposal. | aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs | Enable/disable PFS feature. | enable
dhgrp | Phase2 DH group. | 14 5
replay | Enable/disable replay detection. | enable
keepalive | Enable/disable keep alive. | disable
auto-negotiate | Enable/disable IPsec SA auto-negotiation. | disable
add-route | Enable/disable automatic route addition. | phase1
keylifeseconds | Phase2 key life in seconds (120 - 172800). | 43200
keylifekbs | Phase2 key life in number of bytes of traffic (5120 - 4294967295). | 5120
keylife-type | Keylife type. | seconds
single-source | Enable/disable single source IP restriction. | disable
route-overlap | Action for overlapping routes. | use-new
encapsulation | ESP encapsulation mode. | tunnel-mode
l2tp | Enable/disable L2TP over IPsec. | disable
comments | Comment. | (Empty)
protocol | Quick mode protocol selector (1 - 255 or 0 for all). |
src-name | Local proxy ID name. | (Empty)
src-name6 | Local proxy ID name. | (Empty)
src-addr-type | Local proxy ID type. | subnet
src-start-ip | Local proxy ID start. | 0.0.0.0
src-start-ip6 | Local proxy ID IPv6 start. | ::
src-end-ip | Local proxy ID end. | 0.0.0.0
src-end-ip6 | Local proxy ID IPv6 end. | ::
src-subnet | Local proxy ID subnet. | 0.0.0.0 0.0.0.0
src-subnet6 | Local proxy ID IPv6 subnet. | ::/0
src-port | Quick mode source port (1 - 65535 or 0 for all). |
dst-name | Remote proxy ID name. | (Empty)
dst-name6 | Remote proxy ID name. | (Empty)
dst-addr-type | Remote proxy ID type. | subnet
dst-start-ip | Remote proxy ID IPv4 start. | 0.0.0.0
dst-start-ip6 | Remote proxy ID IPv6 start. | ::
dst-end-ip | Remote proxy ID IPv4 end. | 0.0.0.0
dst-end-ip6 | Remote proxy ID IPv6 end. | ::
dst-subnet | Remote proxy ID IPv4 subnet. | 0.0.0.0 0.0.0.0
dst-subnet6 | Remote proxy ID IPv6 subnet. | ::/0
dst-port | Quick mode destination port (1 - 65535 or 0 for all). |

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

737

vpn.ipsec/phase2-interface
CLI Syntax
config vpn.ipsec phase2-interface
    edit <name_str>
        set name <string>
        set phase1name <string>
        set dhcp-ipsec {enable | disable}
        set proposal {null-md5 | null-sha1 | null-sha256 | null-sha384 | null-sha512 | des-null | des-md5 | des-sha1 | des-sha256 | des-sha384 | des-sha512 | 3des-null | 3des-md5 | 3des-sha1 | 3des-sha256 | 3des-sha384 | 3des-sha512 | aes128-null | aes128-md5 | aes128-sha1 | aes128-sha256 | aes128-sha384 | aes128-sha512 | aes128gcm | aes192-null | aes192-md5 | aes192-sha1 | aes192-sha256 | aes192-sha384 | aes192-sha512 | aes256-null | aes256-md5 | aes256-sha1 | aes256-sha256 | aes256-sha384 | aes256-sha512 | aes256gcm | aria128-null | aria128-md5 | aria128-sha1 | aria128-sha256 | aria128-sha384 | aria128-sha512 | aria192-null | aria192-md5 | aria192-sha1 | aria192-sha256 | aria192-sha384 | aria192-sha512 | aria256-null | aria256-md5 | aria256-sha1 | aria256-sha256 | aria256-sha384 | aria256-sha512 | seed-null | seed-md5 | seed-sha1 | seed-sha256 | seed-sha384 | seed-sha512}
        set pfs {enable | disable}
        set dhgrp {1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21}
        set replay {enable | disable}
        set keepalive {enable | disable}
        set auto-negotiate {enable | disable}
        set add-route {phase1 | enable | disable}
        set auto-discovery-sender {phase1 | enable | disable}
        set auto-discovery-forwarder {phase1 | enable | disable}
        set keylifeseconds <integer>
        set keylifekbs <integer>
        set keylife-type {seconds | kbs | both}
        set single-source {enable | disable}
        set route-overlap {use-old | use-new | allow}
        set encapsulation {tunnel-mode | transport-mode}
        set l2tp {enable | disable}
        set comments <var-string>
        set protocol <integer>
        set src-name <string>
        set src-name6 <string>
        set src-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
        set src-start-ip <ipv4-address-any>
        set src-start-ip6 <ipv6-address>
        set src-end-ip <ipv4-address-any>
        set src-end-ip6 <ipv6-address>
        set src-subnet <ipv4-classnet-any>
        set src-subnet6 <ipv6-prefix>
        set src-port <integer>
        set dst-name <string>
        set dst-name6 <string>
        set dst-addr-type {subnet | range | ip | name | subnet6 | range6 | ip6 | name6}
        set dst-start-ip <ipv4-address-any>
        set dst-start-ip6 <ipv6-address>
        set dst-end-ip <ipv4-address-any>
        set dst-end-ip6 <ipv6-address>
        set dst-subnet <ipv4-classnet-any>
        set dst-subnet6 <ipv6-prefix>
        set dst-port <integer>
    end


Description
Configuration                   Description                                                           Default Value
name                            IPsec tunnel name.                                                    (Empty)
phase1name                      IKE phase1 name.                                                      (Empty)
dhcp-ipsec                      Enable/disable DHCP-IPsec.                                            disable
proposal                        Phase2 proposal.                                                      aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs                             Enable/disable PFS feature.                                           enable
dhgrp                           Phase2 DH group.                                                      14 5
replay                          Enable/disable replay detection.                                      enable
keepalive                       Enable/disable keep alive.                                            disable
auto-negotiate                  Enable/disable IPsec SA auto-negotiation.                             disable
add-route                       Enable/disable automatic route addition.                              phase1
auto-discovery-sender           Enable/disable sending short-cut messages.                            phase1
auto-discovery-forwarder        Enable/disable forwarding short-cut messages.                         phase1
keylifeseconds                  Phase2 key life in time in seconds (120 - 172800).                    43200
keylifekbs                      Phase2 key life in number of bytes of traffic (5120 - 4294967295).    5120
keylife-type                    Keylife type.                                                         seconds
single-source                   Enable/disable single source IP restriction.                          disable
route-overlap                   Action for overlapping routes.                                        use-new
encapsulation                   ESP encapsulation mode.                                               tunnel-mode
l2tp                            Enable/disable L2TP over IPsec.                                       disable
comments                        Comment.                                                              (Empty)
protocol                        Quick mode protocol selector (1 - 255 or 0 for all).
src-name                        Local proxy ID name.                                                  (Empty)
src-name6                       Local proxy ID name.                                                  (Empty)
src-addr-type                   Local proxy ID type.                                                  subnet
src-start-ip                    Local proxy ID start.                                                 0.0.0.0
src-start-ip6                   Local proxy ID IPv6 start.                                            ::
src-end-ip                      Local proxy ID end.                                                   0.0.0.0
src-end-ip6                     Local proxy ID IPv6 end.                                              ::
src-subnet                      Local proxy ID subnet.                                                0.0.0.0 0.0.0.0
src-subnet6                     Local proxy ID IPv6 subnet.                                           ::/0
src-port                        Quick mode source port (1 - 65535 or 0 for all).
dst-name                        Remote proxy ID name.                                                 (Empty)
dst-name6                       Remote proxy ID name.                                                 (Empty)
dst-addr-type                   Remote proxy ID type.                                                 subnet
dst-start-ip                    Remote proxy ID IPv4 start.                                           0.0.0.0
dst-start-ip6                   Remote proxy ID IPv6 start.                                           ::
dst-end-ip                      Remote proxy ID IPv4 end.                                             0.0.0.0
dst-end-ip6                     Remote proxy ID IPv6 end.                                             ::
dst-subnet                      Remote proxy ID IPv4 subnet.                                          0.0.0.0 0.0.0.0
dst-subnet6                     Remote proxy ID IPv6 subnet.                                          ::/0
dst-port                        Quick mode destination port (1 - 65535 or 0 for all).

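An added configuration example, not taken from the Fortinet reference, showing how the phase2-interface defaults above are tightened in practice: the default proposal list still offers 3des-sha1 and aes128-sha1, the default DH group list "14 5" still allows the 1536-bit group 5, and the 0.0.0.0 selector defaults accept any traffic routed into the tunnel. The phase1 name site-b-p1, the phase2 name site-b-p2 and the two subnets are constructed placeholders; every keyword and value is one listed in the syntax above.

```text
# Added example (not Fortinet's); names and subnets are placeholders.
# Assumes a phase1-interface named site-b-p1 already exists (not shown).
config vpn.ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b-p1"
        # Default proposal: aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256
        # aes256-sha256 3des-sha256. Offer only AES-256 with GCM or SHA-256 so
        # the peer cannot negotiate 3DES or SHA-1 for this SA.
        set proposal aes256gcm aes256-sha256
        # PFS is enabled by default; replace the "14 5" group list with 2048-bit
        # MODP (14) and the 256-bit elliptic-curve group (19) only.
        set pfs enable
        set dhgrp 14 19
        # Anti-replay is on by default; keep it explicit, and rekey by time
        # (default 43200 s) rather than by traffic volume.
        set replay enable
        set keylife-type seconds
        set keylifeseconds 3600
        # Bring the SA up without waiting for traffic, and let the route follow
        # the phase1 setting (add-route default phase1).
        set auto-negotiate enable
        set add-route phase1
        # Narrow the selectors from the 0.0.0.0 defaults to the two networks the
        # tunnel is meant to carry (src-addr-type/dst-addr-type default subnet).
        set src-addr-type subnet
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-addr-type subnet
        set dst-subnet 10.2.0.0 255.255.0.0
        set comments "site B, AES-256 only, PFS group 14/19"
    next
end
```

After the tunnel is established, diagnose vpn tunnel list shows the negotiated proposal and selectors, which is the check that the peer did not fall back to a weaker suite.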

vpn.ssl.web/host-check-software
CLI Syntax
config vpn.ssl.web host-check-software
    edit <name_str>
        set name <string>
        set type {av | fw}
        set version <string>
        set guid <user>
        config check-item-list
            edit <name_str>
                set id <integer>
                set action {require | deny}
                set type {file | registry | process}
                set target <string>
                set version <string>
                config md5s
                    edit <name_str>
                        set id <string>
                    end
            end
    end


Description
Configuration                   Description                                                           Default Value
name                            Name.                                                                 (Empty)
type                            Type.                                                                 av
version                         Version.                                                              (Empty)
guid                            Globally unique ID.                                                   "00000000-0000-0000-0000-000000000000"
check-item-list                 Check item list.                                                      (Empty)


vpn.ssl.web/portal
CLI Syntax
config vpn.ssl.web portal
    edit <name_str>
        set name <string>
        set tunnel-mode {enable | disable}
        set ip-mode {range | user-group}
        set auto-connect {enable | disable}
        set keep-alive {enable | disable}
        set save-password {enable | disable}
        config ip-pools
            edit <name_str>
                set name <string>
            end
        set exclusive-routing {enable | disable}
        set service-restriction {enable | disable}
        set split-tunneling {enable | disable}
        config split-tunneling-routing-address
            edit <name_str>
                set name <string>
            end
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set ipv6-tunnel-mode {enable | disable}
        config ipv6-pools
            edit <name_str>
                set name <string>
            end
        set ipv6-exclusive-routing {enable | disable}
        set ipv6-service-restriction {enable | disable}
        set ipv6-split-tunneling {enable | disable}
        config ipv6-split-tunneling-routing-address
            edit <name_str>
                set name <string>
            end
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-wins-server1 <ipv6-address>
        set ipv6-wins-server2 <ipv6-address>
        set web-mode {enable | disable}
        set display-bookmark {enable | disable}
        set user-bookmark {enable | disable}
        set user-group-bookmark {enable | disable}
        config bookmark-group
            edit <name_str>
                set name <string>
                config bookmarks
                    edit <name_str>
                        set name <string>
                        set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
                        set url <var-string>
                        set host <var-string>
                        set folder <var-string>
                        set additional-params <var-string>
                        set listening-port <integer>
                        set remote-port <integer>
                        set show-status-window {enable | disable}
                        set description <var-string>
                        set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
                        set security {rdp | nla | tls | any}
                        set port <integer>
                        set logon-user <var-string>
                        set logon-password <password>
                        set sso {disable | static | auto}
                        config form-data
                            edit <name_str>
                                set name <string>
                                set value <var-string>
                            end
                        set sso-credential {sslvpn-login | alternative}
                        set sso-username <var-string>
                        set sso-password <password>
                    end
            end
        set display-connection-tools {enable | disable}
        set display-history {enable | disable}
        set display-status {enable | disable}
        set heading <string>
        set redir-url <var-string>
        set theme {blue | green | red | melongene | mariner}
        set custom-lang <string>
        set host-check {none | av | fw | av-fw | custom}
        set host-check-interval <integer>
        config host-check-policy
            edit <name_str>
                set name <string>
            end
        set limit-user-logins {enable | disable}
        set mac-addr-check {enable | disable}
        set mac-addr-action {allow | deny}
        config mac-addr-check-rule
            edit <name_str>
                set name <string>
                set mac-addr-mask <integer>
                config mac-addr-list
                    edit <name_str>
                        set addr <mac-address>
                    end
            end
        set os-check {enable | disable}
        config os-check-list
            edit <name_str>
                set name <string>
                set action {deny | allow | check-up-to-date}
                set tolerance <integer>
                set latest-patch-level <user>
            end
        set virtual-desktop {enable | disable}
        set virtual-desktop-app-list <string>
        set virtual-desktop-clipboard-share {enable | disable}
        set virtual-desktop-desktop-switch {enable | disable}
        set virtual-desktop-logout-when-browser-close {enable | disable}
        set virtual-desktop-network-share-access {enable | disable}
        set virtual-desktop-printing {enable | disable}
        set virtual-desktop-removable-media-access {enable | disable}
        set skip-check-for-unsupported-os {enable | disable}
        set skip-check-for-unsupported-browser {enable | disable}
    end


Description
Configuration                               Description                                                                       Default Value
name                                        Portal name.                                                                      (Empty)
tunnel-mode                                 Enable/disable SSL VPN tunnel mode.                                               disable
ip-mode                                     IP mode is range or by user group.                                                range
auto-connect                                Enable/disable automatic connect by client when system is up.                     disable
keep-alive                                  Enable/disable automatic re-connect by client.                                    disable
save-password                               Enable/disable save of user password by client.                                   disable
ip-pools                                    Tunnel IP pools.                                                                  (Empty)
exclusive-routing                           Enable/disable all traffic go through tunnel only.                                disable
service-restriction                         Enable/disable tunnel service restriction.                                        disable
split-tunneling                             Enable/disable split tunneling.                                                   enable
split-tunneling-routing-address             Split tunnelling address range for client routing.                                (Empty)
dns-server1                                 DNS server 1.                                                                     0.0.0.0
dns-server2                                 DNS server 2.                                                                     0.0.0.0
wins-server1                                WINS server 1.                                                                    0.0.0.0
wins-server2                                WINS server 2.                                                                    0.0.0.0
ipv6-tunnel-mode                            Enable/disable SSL VPN IPv6 tunnel mode.                                          disable
ipv6-pools                                  Tunnel IP pools.                                                                  (Empty)
ipv6-exclusive-routing                      Enable/disable all IPv6 traffic go through tunnel only.                           disable
ipv6-service-restriction                    Enable/disable IPv6 tunnel service restriction.                                   disable
ipv6-split-tunneling                        Enable/disable IPv6 split tunneling.                                              enable
ipv6-split-tunneling-routing-address        IPv6 split tunnelling address range for client routing.                           (Empty)
ipv6-dns-server1                            IPv6 DNS server 1.                                                                ::
ipv6-dns-server2                            IPv6 DNS server 2.                                                                ::
ipv6-wins-server1                           IPv6 WINS server 1.                                                               ::
ipv6-wins-server2                           IPv6 WINS server 2.                                                               ::
web-mode                                    Enable/disable SSL VPN web mode.                                                  disable
display-bookmark                            Enable/disable displaying of bookmark widget.                                     enable
user-bookmark                               Enable/disable user defined bookmark.                                             enable
user-group-bookmark                         Enable/disable user group defined bookmark.                                       enable
bookmark-group                              Portal bookmark group.                                                            (Empty)
display-connection-tools                    Enable/disable displaying of connection tools widget.                             enable
display-history                             Enable/disable displaying of user login history widget.                           enable
display-status                              Enable/disable display of status widget.                                          enable
heading                                     Portal heading message.                                                           SSL-VPN Portal
redir-url                                   Client login redirect URL.                                                        (Empty)
theme                                       Color scheme for the portal.                                                      blue
custom-lang                                 Custom portal language.                                                           (Empty)
host-check                                  Configure host check settings.                                                    none
host-check-interval                         Periodic host check interval.
host-check-policy                           Host check policy.                                                                (Empty)
limit-user-logins                           Enable/disable allow users to have only one active SSL VPN connection at a time.  disable
mac-addr-check                              Client MAC address check.                                                         disable
mac-addr-action                             Client MAC address action.                                                        allow
mac-addr-check-rule                         Client MAC address check rule.                                                    (Empty)
os-check                                    Enable/disable SSL VPN OS check.                                                  disable
os-check-list                               SSL VPN OS checks.                                                                (Empty)
virtual-desktop                             Enable/disable SSL VPN virtual desktop.                                           disable
virtual-desktop-app-list                    Virtual desktop application list.                                                 (Empty)
virtual-desktop-clipboard-share             Enable/disable sharing of clipboard in virtual desktop.                           disable
virtual-desktop-desktop-switch              Enable/disable switch to virtual desktop.                                         enable
virtual-desktop-logout-when-browser-close   Enable/disable logout when browser is closed in virtual desktop.                  disable
virtual-desktop-network-share-access        Enable/disable network share access in virtual desktop.                           disable
virtual-desktop-printing                    Enable/disable printing in virtual desktop.                                       disable
virtual-desktop-removable-media-access      Enable/disable access to removable media in virtual desktop.                      disable
skip-check-for-unsupported-os               Skip check for unsupported OS.                                                    enable
skip-check-for-unsupported-browser          Skip check for unsupported browsers.                                              enable


vpn.ssl.web/realm
CLI Syntax
config vpn.ssl.web realm
    edit <name_str>
        set url-path <string>
        set max-concurrent-user <integer>
        set login-page <var-string>
        set virtual-host <var-string>
    end

Description
Configuration                   Description                                                           Default Value
url-path                        URL path to access SSL-VPN login page.                                (Empty)
max-concurrent-user             Maximum concurrent users (0 - 65535, 0 for unlimited).
login-page                      Replacement HTML for SSL-VPN login page.                              (Empty)
virtual-host                    Virtual host name for realm.                                          (Empty)


vpn.ssl.web/user-bookmark
CLI Syntax
config vpn.ssl.web user-bookmark
    edit <name_str>
        set name <string>
        set custom-lang <string>
        config bookmarks
            edit <name_str>
                set name <string>
                set apptype {citrix | ftp | portforward | rdp | rdpnative | smb | ssh | telnet | vnc | web}
                set url <var-string>
                set host <var-string>
                set folder <var-string>
                set additional-params <var-string>
                set listening-port <integer>
                set remote-port <integer>
                set show-status-window {enable | disable}
                set description <var-string>
                set server-layout {en-us-qwerty | de-de-qwertz | fr-fr-azerty | it-it-qwerty | sv-se-qwerty | failsafe}
                set security {rdp | nla | tls | any}
                set port <integer>
                set logon-user <var-string>
                set logon-password <password>
                set sso {disable | static | auto}
                config form-data
                    edit <name_str>
                        set name <string>
                        set value <var-string>
                    end
                set sso-credential {sslvpn-login | alternative}
                set sso-username <var-string>
                set sso-password <password>
            end
    end

Description
Configuration                   Description                                                           Default Value
name                            User and group name.                                                  (Empty)
custom-lang                     Personal language.                                                    (Empty)
bookmarks                       Bookmark table.                                                       (Empty)


vpn.ssl.web/virtual-desktop-app-list
CLI Syntax
config vpn.ssl.web virtual-desktop-app-list
    edit <name_str>
        set name <string>
        set action {allow | block}
        config apps
            edit <name_str>
                set name <string>
                config md5s
                    edit <name_str>
                        set id <string>
                    end
            end
    end

Description
Configuration                   Description                                                           Default Value
name                            Application list name.                                                (Empty)
action                          Action.                                                               allow
apps                            Applications.                                                         (Empty)


vpn.ssl/settings
CLI Syntax
config vpn.ssl settings
    edit <name_str>
        set reqclientcert {enable | disable}
        set sslv3 {enable | disable}
        set tlsv1-0 {enable | disable}
        set tlsv1-1 {enable | disable}
        set tlsv1-2 {enable | disable}
        set banned-cipher {RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384}
        set ssl-big-buffer {enable | disable}
        set ssl-insert-empty-fragment {enable | disable}
        set https-redirect {enable | disable}
        set ssl-client-renegotiation {disable | enable}
        set force-two-factor-auth {enable | disable}
        set unsafe-legacy-renegotiation {enable | disable}
        set servercert <string>
        set algorithm {high | medium | default | low}
        set idle-timeout <integer>
        set auth-timeout <integer>
        config tunnel-ip-pools
            edit <name_str>
                set name <string>
            end
        config tunnel-ipv6-pools
            edit <name_str>
                set name <string>
            end
        set dns-suffix <var-string>
        set dns-server1 <ipv4-address>
        set dns-server2 <ipv4-address>
        set wins-server1 <ipv4-address>
        set wins-server2 <ipv4-address>
        set ipv6-dns-server1 <ipv6-address>
        set ipv6-dns-server2 <ipv6-address>
        set ipv6-wins-server1 <ipv6-address>
        set ipv6-wins-server2 <ipv6-address>
        set route-source-interface {enable | disable}
        set url-obscuration {enable | disable}
        set http-compression {enable | disable}
        set http-only-cookie {enable | disable}
        set deflate-compression-level <integer>
        set deflate-min-data-size <integer>
        set port <integer>
        set port-precedence {enable | disable}
        set auto-tunnel-static-route {enable | disable}
        set header-x-forwarded-for {pass | add | remove}
        config source-interface
            edit <name_str>
                set name <string>
            end
        config source-address
            edit <name_str>
                set name <string>
            end
        set source-address-negate {enable | disable}
        config source-address6
            edit <name_str>
                set name <string>
            end
        set source-address6-negate {enable | disable}
        set default-portal <string>
        config authentication-rule
            edit <name_str>
                set id <integer>
                config source-interface
                    edit <name_str>
                        set name <string>
                    end
                config source-address
                    edit <name_str>
                        set name <string>
                    end
                set source-address-negate {enable | disable}
                config source-address6
                    edit <name_str>
                        set name <string>
                    end
                set source-address6-negate {enable | disable}
                config users
                    edit <name_str>
                        set name <string>
                    end
                config groups
                    edit <name_str>
                        set name <string>
                    end
                set portal <string>
                set realm <string>
                set client-cert {enable | disable}
                set cipher {any | high | medium}
                set auth {any | local | radius | tacacs+ | ldap}
            end
        set dtls-tunnel {enable | disable}
        set check-referer {enable | disable}
    end


Description
Configuration                   Description                                                           Default Value
reqclientcert                   Enable/disable require client certificate.                            disable
sslv3                           Enable/disable SSLv3.                                                 disable
tlsv1-0                         Enable/disable TLSv1.0.                                               disable
tlsv1-1                         Enable/disable TLSv1.1.                                               enable
tlsv1-2                         Enable/disable TLSv1.2.                                               enable
banned-cipher                   Banned ciphers for SSLVPN.                                            (Empty)
ssl-big-buffer                  Enable/disable big SSLv3 buffer.                                      disable
ssl-insert-empty-fragment       Enable/disable insertion of empty fragment.                           enable
https-redirect                  Enable/disable redirect of port 80 to SSL-VPN port.                   disable
ssl-client-renegotiation        Allow/block client renegotiation by server.                           disable
force-two-factor-auth           Enable/disable force two-factor authentication.                       disable
unsafe-legacy-renegotiation     Enable/disable unsafe legacy re-negotiation.                          disable
servercert                      Server certificate.                                                   Fortinet_Factory
algorithm                       Allow algorithms.                                                     high
idle-timeout                    SSL VPN disconnects if idle for specified time.                       300
auth-timeout                    Forced re-authentication after timeout.                               28800
tunnel-ip-pools                 Tunnel IP pools.                                                      (Empty)
tunnel-ipv6-pools               Tunnel IPv6 pools.                                                    (Empty)
dns-suffix                      DNS suffix.                                                           (Empty)
dns-server1                     DNS server 1.                                                         0.0.0.0
dns-server2                     DNS server 2.                                                         0.0.0.0
wins-server1                    WINS server 1.                                                        0.0.0.0
wins-server2                    WINS server 2.                                                        0.0.0.0
ipv6-dns-server1                IPv6 DNS server 1.                                                    ::
ipv6-dns-server2                IPv6 DNS server 2.                                                    ::
ipv6-wins-server1               IPv6 WINS server 1.                                                   ::
ipv6-wins-server2               IPv6 WINS server 2.                                                   ::
route-source-interface          Enable/disable bind client side outgoing interface.                   disable
url-obscuration                 Enable/disable URL obscuration.                                       disable
http-compression                Enable/disable support HTTP compression.                              disable
http-only-cookie                Enable/disable support HTTP only cookie.                              enable
deflate-compression-level       Compression level (0~9).
deflate-min-data-size           Minimum size to start compression (200 - 65535).                      300
port                            SSL VPN access HTTPS port (1 - 65535).                                10443
port-precedence                 Enable/disable SSLVPN port precedence over admin GUI HTTPS port.      enable
auto-tunnel-static-route        Enable/disable auto create static route for tunnel IP addresses.      enable
header-x-forwarded-for          Action for the HTTP X-Forwarded-For header in forwarded requests.     add
source-interface                SSL VPN source interface of incoming traffic.                         (Empty)
source-address                  Source address of incoming traffic.                                   (Empty)
source-address-negate           Enable/disable negated source address match.                          disable
source-address6                 IPv6 source address of incoming traffic.                              (Empty)
source-address6-negate          Enable/disable negated source IPv6 address match.                     disable
default-portal                  Default SSL VPN portal.                                               (Empty)
authentication-rule             Authentication rule for SSL VPN.                                      (Empty)
dtls-tunnel                     Enable/disable DTLS tunnel.                                           enable
check-referer                   Enable/disable verification of referer field in HTTP request header.  disable

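An added example, not from the Fortinet reference, that puts the vpn.ssl.web/portal table and the vpn.ssl/settings table above to work together: a tunnel-only portal that turns off split tunneling and client password saving and requires an antivirus/firewall host check, and the global settings that serve it with TLS 1.2 only, 3DES and SHA-1 suites banned, a client certificate required, and referer checking on. The portal name corp-tunnel, the interface wan1, the group vpn-users, the resolver address and the pool object SSLVPN_TUNNEL_ADDR1 are assumptions; the keywords are the ones listed in the two syntax blocks, and each comment names the default it changes.

```text
# Added example (not Fortinet's); object names are placeholders. Assumes the
# interface wan1, the user group vpn-users and the firewall address object
# SSLVPN_TUNNEL_ADDR1 already exist. vpn.ssl settings is a single object on
# the device, so it is entered without an edit line.

# 1. Portal: tunnel only, nothing cached on the client, all traffic through
#    the tunnel, one session per user, host check before the tunnel comes up.
config vpn.ssl.web portal
    edit "corp-tunnel"
        set tunnel-mode enable               # default disable
        set web-mode disable                 # no browser-side bookmarks or proxying
        set ip-mode range
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable          # default enable
        set exclusive-routing enable         # default disable
        set save-password disable
        set auto-connect disable
        set keep-alive disable
        set limit-user-logins enable         # default disable
        set host-check av-fw                 # default none
        set host-check-interval 300          # periodic re-check while connected
        set dns-server1 10.0.0.53            # placeholder internal resolver
    next
end

# 2. Global settings: protocol floor TLS 1.2, weak suites removed, client
#    certificate plus credentials, referer check on cross-site requests.
config vpn.ssl settings
    set servercert "Fortinet_Factory"        # default; replace with a CA-issued cert
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 disable                      # default enable
    set tlsv1-2 enable
    set banned-cipher 3DES SHA1              # default (Empty)
    set algorithm high
    set ssl-client-renegotiation disable
    set unsafe-legacy-renegotiation disable
    set http-only-cookie enable
    set check-referer enable                 # default disable
    set reqclientcert enable                 # default disable; every client presents a cert
    set idle-timeout 300
    set auth-timeout 28800
    set port 10443
    set https-redirect disable               # no plain-HTTP listener on port 80
    set source-interface "wan1"              # answer only on the outside interface
    set source-address "all"
    set default-portal "corp-tunnel"
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "corp-tunnel"
            set client-cert enable
            set cipher high
        next
    end
    set dtls-tunnel enable
end
```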

vpn/l2tp
CLI Syntax
config vpn l2tp
    edit <name_str>
        set eip <ipv4-address>
        set sip <ipv4-address>
        set status {enable | disable}
        set usrgrp <string>
    end

Description
Configuration                   Description                                                           Default Value
eip                             End IP.                                                               0.0.0.0
sip                             Start IP.                                                             0.0.0.0
status                          Enable/disable FortiGate as an L2TP gateway.                          disable
usrgrp                          User group.                                                           (Empty)


vpn/pptp
CLI Syntax
config vpn pptp
    edit <name_str>
        set status {enable | disable}
        set ip-mode {range | usrgrp}
        set eip <ipv4-address>
        set sip <ipv4-address>
        set local-ip <ipv4-address>
        set usrgrp <string>
    end

Description
Configuration                   Description                                                           Default Value
status                          Enable/disable FortiGate as a PPTP gateway.                           disable
ip-mode                         IP assignment mode for PPTP client.                                   range
eip                             End IP.                                                               0.0.0.0
sip                             Start IP.                                                             0.0.0.0
local-ip                        Local IP to be used for peer's remote IP.                             0.0.0.0
usrgrp                          User group.                                                           (Empty)


waf/main-class
CLI Syntax
config waf main-class
    edit <name_str>
        set name <string>
        set id <integer>
    end

Description
Configuration                   Description                                                           Default Value
name                            Main signature class name.                                            (Empty)
id                              Main signature class ID.


waf/profile
CLI Syntax
config waf profile
    edit <name_str>
        set name <string>
        set external {disable | enable}
        config signature
            edit <name_str>
                config main-class
                    edit <name_str>
                        set id <integer>
                        set status {enable | disable}
                        set action {allow | block | erase}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config disabled-sub-class
                    edit <name_str>
                        set id <integer>
                    end
                config disabled-signature
                    edit <name_str>
                        set id <integer>
                    end
                set credit-card-detection-threshold <integer>
                config custom-signature
                    edit <name_str>
                        set name <string>
                        set status {enable | disable}
                        set action {allow | block | erase}
                        set log {enable | disable}
                        set severity {high | medium | low}
                        set direction {request | response}
                        set case-sensitivity {disable | enable}
                        set pattern <string>
                        set target {arg | arg-name | req-body | req-cookie | req-cookie-name | req-filename | req-header | req-header-name | req-raw-uri | req-uri | resp-body | resp-hdr | resp-status}
                    end
            end
        config constraint
            edit <name_str>
                config header-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config content-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config param-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config line-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config url-param-length
                    edit <name_str>
                        set status {enable | disable}
                        set length <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config version
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config method
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config hostname
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config malformed
                    edit <name_str>
                        set status {enable | disable}
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-cookie
                    edit <name_str>
                        set status {enable | disable}
                        set max-cookie <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-header-line
                    edit <name_str>
                        set status {enable | disable}
                        set max-header-line <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-url-param
                    edit <name_str>
                        set status {enable | disable}
                        set max-url-param <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config max-range-segment
                    edit <name_str>
                        set status {enable | disable}
                        set max-range-segment <integer>
                        set action {allow | block}
                        set log {enable | disable}
                        set severity {high | medium | low}
                    end
                config exception
                    edit <name_str>
                        set id <integer>
                        set pattern <string>
                        set regex {enable | disable}
                        set address <string>
                        set header-length {enable | disable}
                        set content-length {enable | disable}
                        set param-length {enable | disable}
                        set line-length {enable | disable}
                        set url-param-length {enable | disable}
                        set version {enable | disable}
                        set method {enable | disable}
                        set hostname {enable | disable}
                        set malformed {enable | disable}
                        set max-cookie {enable | disable}
                        set max-header-line {enable | disable}
                        set max-url-param {enable | disable}
                        set max-range-segment {enable | disable}
                    end
            end
        config method
            edit <name_str>
                set status {enable | disable}
                set log {enable | disable}
                set severity {high | medium | low}
                set default-allowed-methods {get | post | put | head | connect | trace | options | delete | others}
                config method-policy
                    edit <name_str>
                        set id <integer>
                        set pattern <string>
                        set regex {enable | disable}
                        set address <string>
                        set allowed-methods {get | post | put | head | connect | trace | options | delete | others}
                    end
            end
        config address-list
            edit <name_str>
                set status {enable | disable}
                set blocked-log {enable | disable}
                set severity {high | medium | low}
                config trusted-address
                    edit <name_str>
                        set name <string>
                    end
                config blocked-address
                    edit <name_str>
                        set name <string>
                    end
            end
        config url-access
            edit <name_str>
                set id <integer>
                set address <string>
                set action {bypass | permit | block}
                set log {enable | disable}
                set severity {high | medium | low}
                config access-pattern
                    edit <name_str>
                        set id <integer>
                        set srcaddr <string>
                        set pattern <string>
                        set regex {enable | disable}
                        set negate {enable | disable}
                    end
            end
        set comment <var-string>
    end


Description
Configuration                   Description                                                           Default Value
name                            WAF Profile name.                                                     (Empty)
external                        Disable/Enable external HTTP Inspection.                              disable
signature                       WAF signatures.                                                       Details below
    main-class                                                                                        (Empty)
    disabled-sub-class                                                                                (Empty)
    disabled-signature                                                                                (Empty)
    credit-card-detection-threshold                                                                   3
    custom-signature                                                                                  (Empty)
constraint                      WAF HTTP protocol restrictions.                                       Details below
    header-length               {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
    content-length              {"status":"disable","length":67108864,"action":"allow","log":"disable","severity":"medium"}
    param-length                {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
    line-length                 {"status":"disable","length":1024,"action":"allow","log":"disable","severity":"medium"}
    url-param-length            {"status":"disable","length":8192,"action":"allow","log":"disable","severity":"medium"}
    version                     {"status":"disable","action":"allow","log":"disable","severity":"medium"}
    method                      {"status":"disable","action":"allow","log":"disable","severity":"medium"}
    hostname                    {"status":"disable","action":"allow","log":"disable","severity":"medium"}
    malformed                   {"status":"disable","action":"allow","log":"disable","severity":"medium"}
    max-cookie                  {"status":"disable","max-cookie":16,"action":"allow","log":"disable","severity":"medium"}
    max-header-line             {"status":"disable","max-header-line":32,"action":"allow","log":"disable","severity":"medium"}
    max-url-param               {"status":"disable","max-url-param":16,"action":"allow","log":"disable","severity":"medium"}
    max-range-segment           {"status":"disable","max-range-segment":5,"action":"allow","log":"disable","severity":"medium"}
    exception                                                                                         (Empty)
method                          Method restriction.                                                   Details below
    status                                                                                            disable
    log                                                                                               disable
    severity                                                                                          medium
    default-allowed-methods                                                                           (Empty)
    method-policy                                                                                     (Empty)
address-list                    Black address list and white address list.                            Details below
    status                                                                                            disable
    blocked-log                                                                                       disable
    severity                                                                                          medium
    trusted-address                                                                                   (Empty)
    blocked-address                                                                                   (Empty)
url-access                      URL access list.                                                      (Empty)
comment                         Comment.                                                              (Empty)

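An added example, not from the Fortinet reference, of a waf profile that turns on the protocol constraints shown above (every one of them is disabled by default with action allow and no logging), with the oversize-body and malformed-request checks set to block, one exception for an upload path, and the method restriction limited to the verbs a typical site uses. The profile name public-web, the upload path and the address object waf-blocked-sources are assumptions; constraint, method and address-list are single objects inside the profile on the device and so are entered without an edit line, while exception is a table keyed by id.

```text
# Added example (not Fortinet's); profile name, path and address object are
# placeholders. Assumes a firewall address object waf-blocked-sources exists.
config waf profile
    edit "public-web"
        config constraint
            # Header and line limits: keep the 8192/1024 defaults but log hits
            # (action allow) so the limits can be tuned before switching to block.
            config header-length
                set status enable
                set length 8192
                set action allow
                set log enable
                set severity medium
            end
            config line-length
                set status enable
                set length 1024
                set action allow
                set log enable
                set severity medium
            end
            # Request bodies: 10 MiB instead of the 64 MiB default, and block.
            config content-length
                set status enable
                set length 10485760
                set action block
                set log enable
                set severity high
            end
            # Cookie count: block above the default of 16.
            config max-cookie
                set status enable
                set max-cookie 16
                set action block
                set log enable
                set severity medium
            end
            # Requests that do not parse as HTTP are blocked outright.
            config malformed
                set status enable
                set action block
                set log enable
                set severity high
            end
            # One exception: the upload path is exempt from the body-size limit
            # only; every other constraint still applies to it.
            config exception
                edit 1
                    set pattern "^/upload/"
                    set regex enable
                    set content-length enable
                next
            end
        end
        # Only GET, POST and HEAD are allowed by default; anything else is logged.
        config method
            set status enable
            set log enable
            set severity medium
            set default-allowed-methods get post head
        end
        # Known-bad sources are dropped and logged before signature matching.
        config address-list
            set status enable
            set blocked-log enable
            set severity high
            set blocked-address "waf-blocked-sources"
        end
        set comment "Constraints on; oversize bodies, malformed requests and extra methods blocked"
    next
end
```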

waf/signature
CLI Syntax
config waf signature
    edit <name_str>
        set desc <string>
        set id <integer>
    end

Description
Configuration                   Description                                                           Default Value
desc                            Signature description.                                                (Empty)
id                              Signature ID.

waf/sub-class
CLI Syntax
config waf sub-class
    edit <name_str>
        set name <string>
        set id <integer>
    end

Description
Configuration                   Description                                                           Default Value
name                            Signature subclass name.                                              (Empty)
id                              Signature subclass ID.


wanopt/auth-group
CLI Syntax
config wanopt auth-group
edit <name_str>
set name <string>
set auth-method {cert | psk}
set psk <password>
set cert <string>
set peer-accept {any | defined | one}
set peer <string>
end

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

779

Description
Configuration

Description

Default Value

name

Auth-group name.

(Empty)

auth-method

Group authentication method.

cert

psk

Pre-shared secret for PSK authentication.

(Empty)

cert

Name of certificate to identify this host.

(Empty)

peer-accept

Peer acceptance method.

any

peer

Peer host ID.

(Empty)


wanopt/peer
CLI Syntax
config wanopt peer
edit <name_str>
set peer-host-id <string>
set ip <ipv4-address-any>
end


Configuration              Description                                   Default Value
peer-host-id               Peer host ID.                                 (Empty)
ip                         Peer IP address.                              0.0.0.0


wanopt/profile
CLI Syntax
config wanopt profile
edit <name_str>
set name <string>
set transparent {enable | disable}
set comments <var-string>
set auth-group <string>
config http
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
set ssl {enable | disable}
set ssl-port <integer>
set unknown-http-version {reject | tunnel | best-effort}
set tunnel-non-http {enable | disable}
end
config cifs
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config mapi
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config ftp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set prefer-chunking {dynamic | fix}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <integer>
end
config tcp
edit <name_str>
set status {enable | disable}
set secure-tunnel {enable | disable}
set byte-caching {enable | disable}
set byte-caching-opt {mem-only | mem-disk}
set tunnel-sharing {private | shared | express-shared}
set log-traffic {enable | disable}
set port <user>
set ssl {enable | disable}
set ssl-port <integer>
end
end


Configuration              Description                                   Default Value
name                       Profile name.                                 (Empty)
transparent                Enable/disable transparent mode.              enable
comments                   Comment.                                      (Empty)
auth-group                 Peer authentication group.                    (Empty)
http                       HTTP protocol settings. Details below:
                             status                    disable
                             secure-tunnel             disable
                             byte-caching              enable
                             prefer-chunking           fix
                             tunnel-sharing            private
                             log-traffic               enable
                             port                      80
                             ssl                       disable
                             ssl-port                  443
                             unknown-http-version      tunnel
                             tunnel-non-http           disable
cifs                       CIFS protocol settings. Details below:
                             status                    disable
                             secure-tunnel             disable
                             byte-caching              enable
                             prefer-chunking           fix
                             tunnel-sharing            private
                             log-traffic               enable
                             port                      445
mapi                       MAPI protocol settings. Details below:
                             status                    disable
                             secure-tunnel             disable
                             byte-caching              enable
                             tunnel-sharing            private
                             log-traffic               enable
                             port                      135
ftp                        FTP protocol settings. Details below:
                             status                    disable
                             secure-tunnel             disable
                             byte-caching              enable
                             prefer-chunking           fix
                             tunnel-sharing            private
                             log-traffic               enable
                             port                      21
tcp                        TCP protocol settings. Details below:
                             status                    disable
                             secure-tunnel             disable
                             byte-caching              disable
                             byte-caching-opt          mem-only
                             tunnel-sharing            private
                             log-traffic               enable
                             port                      1-65535
                             ssl                       disable
                             ssl-port                  443 990 995 465 993

wanopt/settings
CLI Syntax
config wanopt settings
edit <name_str>
set host-id <string>
set tunnel-ssl-algorithm {high | medium | low}
set auto-detect-algorithm {simple | diff-req-resp}
end


Configuration              Description                                                                     Default Value
host-id                    Host identity.                                                                  default-id
tunnel-ssl-algorithm       Relative strength of encryption algorithms accepted in tunnel negotiation.      high
auto-detect-algorithm      Auto detection algorithms used in tunnel negotiation.                           simple
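A worked configuration for the wanopt auth-group, peer, settings and profile branches above, added here as an example; it is not from the original reference or from Fortinet. It shows the weak shape first (pre-shared key, any peer accepted, weak tunnel ciphers) and then the hardened one. Names, addresses and the certificate name (hq-fw, branch-1, 10.20.0.1, wanopt-cert, the group and profile names) are assumed. `config wanopt settings` and the protocol sub-branches (`config http`, `config cifs`, `config tcp`) are written as they are entered on the device, without the `edit <name_str>` line that the auto-extracted syntax shows for every branch, `next` closes one table entry, and `#` lines are comments as in a saved configuration file.

```fortios
# Weak: shared secret, any peer that knows it is accepted, tunnel ciphers
# negotiated down to "low".
config wanopt auth-group
    edit "branch-psk"
        set auth-method psk
        set psk "branch-secret"
        set peer-accept any
    next
end
config wanopt settings
    set host-id "hq-fw"
    set tunnel-ssl-algorithm low
end

# Hardened: certificate authentication, exactly one named peer accepted,
# tunnel-ssl-algorithm left at its default of "high".
config wanopt peer
    edit "branch-1"
        set peer-host-id "branch-1"
        set ip 10.20.0.1
    next
end
config wanopt auth-group
    edit "branch-cert"
        set auth-method cert
        set cert "wanopt-cert"
        set peer-accept one
        set peer "branch-1"
    next
end
config wanopt settings
    set host-id "hq-fw"
    set tunnel-ssl-algorithm high
end

# Profile bound to the hardened group. Each enabled protocol runs inside a
# secure tunnel; HTTP rejects unknown versions instead of tunnelling them
# and does not carry non-HTTP traffic on the HTTP port. TCP (the catch-all
# 1-65535 optimizer) stays disabled so only the listed protocols are touched.
config wanopt profile
    edit "branch-secure"
        set transparent enable
        set auth-group "branch-cert"
        config http
            set status enable
            set secure-tunnel enable
            set byte-caching enable
            set port 80
            set ssl enable
            set ssl-port 443
            set unknown-http-version reject
            set tunnel-non-http disable
        end
        config cifs
            set status enable
            set secure-tunnel enable
            set byte-caching enable
            set port 445
        end
        config tcp
            set status disable
        end
    next
end
```

Both ends of the tunnel need an auth-group with the same method and, for `cert`, a certificate the other side trusts; with `peer-accept defined` the accepted set is every entry under `config wanopt peer`, with `one` it is only the entry named in `peer`. The profile takes effect through a firewall policy with WAN optimization enabled, which is outside this section.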


wanopt/storage
CLI Syntax
config wanopt storage
edit <name_str>
set name <string>
set size <integer>
set webcache-storage-percentage <integer>
set webcache-storage-size <user>
set wan-optimization-cache-storage-size <user>
end


Configuration                        Description                                                                           Default Value
name                                 Storage name.                                                                         (Empty)
size                                 Maximum total size of files within the storage (MB).                                  1024
webcache-storage-percentage          Percentage of storage available for web cache; the rest is used for WAN optimization. 50
webcache-storage-size                Web cache storage size.                                                               (Empty)
wan-optimization-cache-storage-size  WAN optimization cache storage size.                                                  (Empty)


wanopt/webcache
CLI Syntax
config wanopt webcache
edit <name_str>
set max-object-size <integer>
set neg-resp-time <integer>
set fresh-factor <integer>
set max-ttl <integer>
set min-ttl <integer>
set default-ttl <integer>
set ignore-ims {enable | disable}
set ignore-conditional {enable | disable}
set ignore-pnc {enable | disable}
set ignore-ie-reload {enable | disable}
set cache-expired {enable | disable}
set cache-cookie {enable | disable}
set reval-pnc {enable | disable}
set always-revalidate {enable | disable}
set cache-by-default {enable | disable}
set host-validate {enable | disable}
set external {enable | disable}
end


Configuration              Description                                                                                           Default Value
max-object-size            Maximum cacheable object size in kB; the maximum is 2147483 (2 GB).                                   512000
neg-resp-time              Duration for which negative responses are cached.
fresh-factor               Fresh factor percentage (1 - 100 percent).                                                            100
max-ttl                    Maximum TTL in minutes (maximum = 5256000 (100 years)).                                               7200 (5 days)
min-ttl                    Minimum TTL in minutes (maximum = 5256000 (100 years)).                                               5
default-ttl                Default TTL in minutes (maximum = 5256000 (100 years)).                                               1440 (1 day)
ignore-ims                 Enable/disable ignoring If-Modified-Since.                                                            disable
ignore-conditional         Enable/disable ignoring HTTP 1.1 conditionals.                                                        disable
ignore-pnc                 Enable/disable ignoring Pragma: no-cache.                                                             disable
ignore-ie-reload           Enable/disable ignoring IE reload.                                                                    enable
cache-expired              Enable/disable caching of expired objects.                                                            disable
cache-cookie               Enable/disable caching of HTTP responses that carry a Set-Cookie header.                              disable
reval-pnc                  Enable/disable re-validation on Pragma: no-cache.                                                     disable
always-revalidate          Enable/disable re-validating a requested cached object with the content server before serving it.    disable
cache-by-default           Enable/disable caching of content that lacks an explicit caching policy from the server.              disable
host-validate              Enable/disable validating the "Host:" header against the original server IP.                         disable
external                   Enable/disable external cache.                                                                        disable
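A web-cache configuration written against the table above, added here as an example rather than taken from the reference. It keeps every setting that would put one user's response in another user's cache at its "disable" default and changes the three that, at their defaults, leave the cache exposed to a mismatched Host header and to stale or no-cache content; `config wanopt webcache` is written without the `edit <name_str>` line the auto-extracted syntax shows, and `#` lines are comments.

```fortios
config wanopt webcache
    # Objects larger than 512000 kB are never cached (the default).
    set max-object-size 512000
    # Never cache a response that sets a cookie, and never cache content
    # the origin gave no caching policy for: both defaults, stated explicitly
    # because they are the two settings most often flipped "to improve hit rate".
    set cache-cookie disable
    set cache-by-default disable
    # Changed from the defaults: check that the Host header matches the IP
    # the object was fetched from, honour Pragma: no-cache but re-validate
    # instead of bypassing, and do not serve expired objects.
    set host-validate enable
    set ignore-pnc disable
    set reval-pnc enable
    set cache-expired disable
    # Shorter ceiling on how long an object may live without re-validation.
    set max-ttl 1440
end
```

`always-revalidate enable` is the stricter alternative to `reval-pnc`: every hit is checked with the origin before it is served, at the cost of most of the caching benefit.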


web-proxy/debug-url
CLI Syntax
config web-proxy debug-url
edit <name_str>
set name <string>
set url-pattern <string>
set status {enable | disable}
set exact {enable | disable}
end


Configuration              Description                                   Default Value
name                       Debug URL name.                               (Empty)
url-pattern                URL exemption pattern.                        (Empty)
status                     Enable/disable this URL exemption.            enable
exact                      Enable/disable exact path matching.           enable


web-proxy/explicit
CLI Syntax
config web-proxy explicit
edit <name_str>
set status {enable | disable}
set ftp-over-http {enable | disable}
set socks {enable | disable}
set http-incoming-port <integer>
set https-incoming-port <integer>
set ftp-incoming-port <integer>
set socks-incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set ipv6-status {enable | disable}
set incoming-ip6 <ipv6-address>
set outgoing-ip6 <ipv6-address>
set strict-guest {enable | disable}
set pref-dns-result {ipv4 | ipv6}
set unknown-http-version {reject | best-effort}
set realm <string>
set sec-default-action {accept | deny}
set https-replacement-message {enable | disable}
set message-upon-server-error {enable | disable}
set pac-file-server-status {enable | disable}
set pac-file-server-port <integer>
set pac-file-name <string>
set pac-file-data <user>
set pac-file-url <user>
set ssl-algorithm {high | medium | low}
end


Configuration               Description                                                                                    Default Value
status                      Enable/disable explicit web proxy.                                                             disable
ftp-over-http               Enable/disable FTP-over-HTTP.                                                                  disable
socks                       Enable/disable SOCKS proxy.                                                                    disable
http-incoming-port          Port on which incoming HTTP requests are accepted (a port other than 80).                      8080
https-incoming-port         Port on which incoming HTTPS requests are accepted.
ftp-incoming-port           Port on which incoming FTP-over-HTTP requests are accepted.
socks-incoming-port         Port on which incoming SOCKS proxy requests are accepted.
incoming-ip                 IP address on which incoming HTTP requests are accepted. An interface must have this address.  0.0.0.0
outgoing-ip                 IP address from which outgoing HTTP requests leave. An interface must have this address.       (Empty)
ipv6-status                 Enable/disable IPv6 destinations in policy.                                                    disable
incoming-ip6                IPv6 address on which incoming HTTP requests are accepted. An interface must have this address. ::
outgoing-ip6                IPv6 address from which outgoing HTTP requests leave. An interface must have this address.     (Empty)
strict-guest                Enable/disable strict guest user check in explicit proxy.                                      disable
pref-dns-result             IPv4 or IPv6 DNS result preference.                                                            ipv4
unknown-http-version        Unknown HTTP version handling.                                                                 reject
realm                       Authentication realm.                                                                          default
sec-default-action          Default action (accept or deny) when no web-proxy firewall policy matches.                     deny
https-replacement-message   Enable/disable returning a replacement message for HTTPS requests.                             enable
message-upon-server-error   Enable/disable returning a replacement message when a server error is detected.                enable
pac-file-server-status      Enable/disable PAC file server.                                                                disable
pac-file-server-port        PAC file server listening port.
pac-file-name               PAC file name.                                                                                 proxy.pac
pac-file-data               PAC file contents.                                                                             (Empty)
pac-file-url                PAC file access URL.                                                                           (Empty)
ssl-algorithm               Relative strength of encryption algorithms accepted in HTTPS deep scan.                        low


web-proxy/forward-server
CLI Syntax
config web-proxy forward-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set fqdn <string>
set addr-type {ip | fqdn}
set port <integer>
set healthcheck {disable | enable}
set monitor <string>
set server-down-option {block | pass}
set comment <string>
end


Configuration              Description                                        Default Value
name                       Server name.                                       (Empty)
ip                         Forward server IP.                                 0.0.0.0
fqdn                       Forward server FQDN.                               (Empty)
addr-type                  Address type: ip or fqdn.                          ip
port                       Forward server port.                               3128
healthcheck                Enable/disable forward server health checking.     disable
monitor                    Health check URL.                                  http://www.google.com
server-down-option         Action when the forward server is down.            block
comment                    Comment.                                           (Empty)


web-proxy/forward-server-group
CLI Syntax
config web-proxy forward-server-group
edit <name_str>
set name <string>
set affinity {enable | disable}
set ldb-method {weighted | least-session}
set group-down-option {block | pass}
config server-list
edit <name_str>
set name <string>
set weight <integer>
end
end


Configuration              Description                                        Default Value
name                       Forward server group name.                         (Empty)
affinity                   Enable/disable affinity.                           enable
ldb-method                 Load balance method.                               weighted
group-down-option          Action when the group is down.                     block
server-list                Forward server list.                               (Empty)


web-proxy/global
CLI Syntax
config web-proxy global
edit <name_str>
set proxy-fqdn <string>
set max-request-length <integer>
set max-message-length <integer>
set strict-web-check {enable | disable}
set forward-proxy-auth {enable | disable}
set tunnel-non-http {enable | disable}
set unknown-http-version {reject | tunnel | best-effort}
set forward-server-affinity-timeout <integer>
set max-waf-body-cache-length <integer>
set webproxy-profile <string>
end


Configuration                     Description                                                                                  Default Value
proxy-fqdn                        Proxy FQDN.                                                                                  default.fqdn
max-request-length                Maximum length of the HTTP request line (1 kB units (1024 bytes)).
max-message-length                Maximum length of an HTTP message not including the body (1 kB units (1024 bytes)).          32
strict-web-check                  Enable/disable strict web check.                                                             disable
forward-proxy-auth                Enable/disable forward proxy authentication.                                                 disable
tunnel-non-http                   Enable/disable tunnelling of non-HTTP traffic.                                               enable
unknown-http-version              Unknown HTTP version handling.                                                               best-effort
forward-server-affinity-timeout   Timeout of the forward server affinity (6 - 60 min).                                         30
max-waf-body-cache-length         Maximum length of an HTTP message (1 kB units (1024 bytes)) processed by the Web Application Firewall.   100
webproxy-profile                  Web proxy profile used when no policy matches.                                               (Empty)
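An explicit-proxy configuration covering the web-proxy explicit and web-proxy global branches above, added here as an example and not taken from the reference. The addresses, realm text, PAC contents and the value of max-request-length (its default is not stated on this page) are assumed; both branches are written without the `edit <name_str>` line the auto-extracted syntax shows, and `#` lines are comments. The settings worth noting are the ones whose defaults lean the wrong way: ssl-algorithm defaults to low, global tunnel-non-http defaults to enable and global unknown-http-version defaults to best-effort.

```fortios
# Explicit proxy listening on one internal address only, failing closed when
# no web-proxy policy matches, and accepting only strong ciphers in HTTPS
# deep scan. SOCKS and FTP-over-HTTP stay off unless something needs them.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set incoming-ip 10.0.0.1
    set outgoing-ip 192.0.2.10
    set ftp-over-http disable
    set socks disable
    set unknown-http-version reject
    set realm "Corp proxy: sign in"
    set sec-default-action deny
    set ssl-algorithm high
    # Serve the PAC file from the proxy itself so clients are not fetching it
    # from an unauthenticated web server; internal names go DIRECT.
    set pac-file-server-status enable
    set pac-file-server-port 8080
    set pac-file-name "proxy.pac"
    set pac-file-data "function FindProxyForURL(url, host) { if (isPlainHostName(host) || dnsDomainIs(host, '.corp.example')) { return 'DIRECT'; } return 'PROXY 10.0.0.1:8080'; }"
end

# Global limits: bound what the proxy parses, drop non-HTTP on the proxy port
# instead of tunnelling it blind, refuse unknown HTTP versions, strict check on.
config web-proxy global
    set proxy-fqdn "proxy.corp.example"
    set max-request-length 4
    set max-message-length 32
    set max-waf-body-cache-length 100
    set strict-web-check enable
    set tunnel-non-http disable
    set unknown-http-version reject
    set forward-server-affinity-timeout 30
end
```

With `sec-default-action deny` nothing passes until a web-proxy policy is written for it; the explicit proxy also has to be enabled on the interface that owns 10.0.0.1, which is configured outside this section. `tunnel-non-http disable` is the setting that stops arbitrary TCP (a reverse shell, a non-HTTP C2 channel) from riding the proxy port.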


web-proxy/profile
CLI Syntax
config web-proxy profile
edit <name_str>
set name <string>
set header-client-ip {pass | add | remove}
set header-via-request {pass | add | remove}
set header-via-response {pass | add | remove}
set header-x-forwarded-for {pass | add | remove}
set header-front-end-https {pass | add | remove}
config headers
edit <name_str>
set id <integer>
set name <string>
set action {add-to-request | add-to-response | remove-from-request | remove-from-response}
set content <string>
end
end


Configuration              Description                                                                        Default Value
name                       Profile name.                                                                      (Empty)
header-client-ip           Action taken on the HTTP Client-IP header in forwarded requests.                  pass
header-via-request         Action taken on the HTTP Via header in forwarded requests.                        pass
header-via-response        Action taken on the HTTP Via header in forwarded responses.                       pass
header-x-forwarded-for     Action taken on the HTTP X-Forwarded-For header in forwarded requests.            pass
header-front-end-https     Action taken on the HTTP Front-End-HTTPS header in forwarded requests.            pass
headers                    Custom headers to add to or remove from forwarded requests and responses.         (Empty)
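A web-proxy profile written against the table above, added here as an example and not taken from the reference; the profile and header names and the content value are assumed, `next` closes one table entry, and `#` lines are comments. Every built-in header action defaults to pass, which means an internal client address in Client-IP or X-Forwarded-For, and the proxy chain in Via, are forwarded to the origin unchanged; the profile below strips them and adds one fixed header the upstream can key on.

```fortios
config web-proxy profile
    edit "strip-client-identity"
        # Do not disclose internal client addresses or proxy topology upstream.
        set header-client-ip remove
        set header-via-request remove
        set header-via-response remove
        set header-x-forwarded-for remove
        # Front-End-HTTPS is left alone: it tells an origin behind TLS
        # offload whether the client side was HTTPS.
        set header-front-end-https pass
        config headers
            # Fixed marker that identifies this egress point to the upstream.
            edit 1
                set name "X-Egress-Site"
                set action add-to-request
                set content "hq"
            next
            # Make sure a client-supplied debugging header never leaves.
            edit 2
                set name "X-Debug-Token"
                set action remove-from-request
            next
        end
    next
end
```

The opposite choice, `set header-x-forwarded-for add`, is the right one only when the next hop is your own reverse proxy or application that needs the real client address for logging or access control and is configured to trust this proxy's address; a header the origin trusts but any client can set is exactly what `remove` is for.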


web-proxy/url-match
CLI Syntax
config web-proxy url-match
edit <name_str>
set name <string>
set status {enable | disable}
set url-pattern <string>
set forward-server <string>
set cache-exemption {enable | disable}
set comment <var-string>
end


Configuration              Description                                                                      Default Value
name                       URL match entry name.                                                            (Empty)
status                     Enable/disable per-URL-pattern web proxy forwarding and cache exemptions.        enable
url-pattern                URL pattern.                                                                     (Empty)
forward-server             Forward server name.                                                             (Empty)
cache-exemption            Enable/disable cache exemption for this URL pattern.                             disable
comment                    Comment.                                                                         (Empty)
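A forward-server, forward-server-group and url-match configuration covering the three branches above, added here as an example and not taken from the reference; server names, addresses, the health-check URL and the URL pattern are assumed, `next` closes one table entry, and `#` lines are comments. The two choices that matter for security are both made explicitly: health checks go to an internal URL instead of the default external one, and both the servers and the group are set to block rather than pass direct when the upstream is unreachable.

```fortios
# Two upstream proxies. The default monitor URL is http://www.google.com,
# which ties the proxy's health to an external host and leaks a probe to it;
# point it at something internal. server-down-option block fails closed.
config web-proxy forward-server
    edit "upstream-a"
        set addr-type fqdn
        set fqdn "proxy-a.corp.example"
        set port 3128
        set healthcheck enable
        set monitor "http://health.corp.example/ok"
        set server-down-option block
    next
    edit "upstream-b"
        set addr-type ip
        set ip 192.0.2.21
        set port 3128
        set healthcheck enable
        set monitor "http://health.corp.example/ok"
        set server-down-option block
    next
end

# Weighted group with client affinity; if every member is down, block rather
# than let clients bypass the upstream filtering.
config web-proxy forward-server-group
    edit "upstream"
        set ldb-method weighted
        set affinity enable
        set group-down-option block
        config server-list
            edit "upstream-a"
                set weight 70
            next
            edit "upstream-b"
                set weight 30
            next
        end
    next
end

# Per-URL exception: the internal package repository is sent to one specific
# forward server and is never served from cache.
config web-proxy url-match
    edit "repo-no-cache"
        set status enable
        set url-pattern "repo.corp.example"
        set forward-server "upstream-a"
        set cache-exemption enable
        set comment "internal repo: pinned upstream, no caching"
    next
end
```

`pass` as the down option is the availability-first choice; it means that the moment the upstream proxy (and whatever inspection it does) disappears, clients silently go direct. Pick it deliberately, not by default.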


webfilter/content
CLI Syntax
config webfilter content
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set name <string>
set pattern-type {wildcard | regexp}
set status {enable | disable}
set lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}
set score <integer>
set action {block | exempt}
end
end


Configuration              Description                                   Default Value
id                         ID.
name                       Name of table.                                (Empty)
comment                    Comment.                                      (Empty)
entries                    Web filter banned word entries.               (Empty)


webfilter/content-header
CLI Syntax
config webfilter content-header
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set pattern <string>
set action {block | allow | exempt}
set category <user>
end
end


Configuration              Description                                   Default Value
id                         ID.
name                       Name of table.                                (Empty)
comment                    Comment.                                      (Empty)
entries                    Content types used by the web filter.         (Empty)


webfilter/cookie-ovrd
CLI Syntax
config webfilter cookie-ovrd
edit <name_str>
set auth-epoch <integer>
set redir-host <string>
set redir-port <integer>
set cookie-name <string>
end


Configuration              Description                                                                                       Default Value
auth-epoch                 Current authentication epoch; changing this value invalidates all currently issued override cookies.
redir-host                 Domain name or IP of the host used to validate override authentication cookies.                   (Empty)
redir-port                 TCP port used on redir-host to validate override authentication cookies.                          20080
cookie-name                Name used for override authentication cookies.                                                    wfovrdZnkHSb2CESh


webfilter/fortiguard
CLI Syntax
config webfilter fortiguard
edit <name_str>
set cache-mode {ttl | db-ver}
set cache-prefix-match {enable | disable}
set cache-mem-percent <integer>
set ovrd-auth-port-http <integer>
set ovrd-auth-port-https <integer>
set ovrd-auth-port-warning <integer>
set ovrd-auth-https {enable | disable}
set warn-auth-https {enable | disable}
set close-ports {enable | disable}
set request-packet-size-limit <integer>
set ovrd-auth-port <integer>
end


Configuration              Description                                                                                    Default Value
cache-mode                 Cache entry expiration mode.                                                                   ttl
cache-prefix-match         Enable/disable prefix matching in the cache.                                                   enable
cache-mem-percent          Maximum percentage of available memory allocated to caching (1 - 15%).
ovrd-auth-port-http        Port used for FortiGuard Web Filter HTTP override authentication.                              8008
ovrd-auth-port-https       Port used for FortiGuard Web Filter HTTPS override authentication.                             8010
ovrd-auth-port-warning     Port used for FortiGuard Web Filter warning override authentication.                           8020
ovrd-auth-https            Enable/disable use of HTTPS for override authentication.                                       enable
warn-auth-https            Enable/disable use of HTTPS for warning and authentication.                                    enable
close-ports                Close the ports used for HTTP/HTTPS override authentication and disable user overrides.        disable
request-packet-size-limit  Limit on the size of URL request packets sent to the FortiGuard server (0 for default).
ovrd-auth-port             Port used for FortiGuard Web Filter override authentication.                                   8008
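A configuration for the webfilter fortiguard and webfilter cookie-ovrd branches above, added here as an example and not taken from the reference; the host name, cookie name and epoch value are assumed, both branches are written without the `edit <name_str>` line the auto-extracted syntax shows, and `#` lines are comments. It keeps override and warning pages on HTTPS (already the default, restated so a later change is visible in a diff), pins the cookie-validation host, and shows the two controls a practitioner reaches for after an override has been abused: rolling the epoch, which revokes every override cookie issued so far, and close-ports, which removes the override capability entirely.

```fortios
config webfilter fortiguard
    # Override and warning pages only over HTTPS, on the default ports.
    set ovrd-auth-https enable
    set warn-auth-https enable
    set ovrd-auth-port-http 8008
    set ovrd-auth-port-https 8010
    set ovrd-auth-port-warning 8020
    # Overrides remain available while close-ports is disabled.
    set close-ports disable
    set cache-mode ttl
    set cache-mem-percent 2
end

config webfilter cookie-ovrd
    # Host and port that validate override cookies: a name clients resolve
    # internally, not whatever host the user happened to be browsing.
    set redir-host "wf-override.corp.example"
    set redir-port 20080
    # A non-default cookie name, so the device is not fingerprinted by it.
    set cookie-name "corp-wf-ovrd"
    # Incrementing the epoch invalidates all override cookies issued so far.
    set auth-epoch 2
end

# Lock-down: no user overrides at all. The override ports are closed and
# ovrd-perm settings in webfilter profiles have nothing to grant.
config webfilter fortiguard
    set close-ports enable
end
```

Roll `auth-epoch` whenever override policy changes or a cookie is suspected stolen: the cookie name and validation host can be changed at the same time, but it is the epoch that retires cookies already in browsers.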


webfilter/ftgd-local-cat
CLI Syntax
config webfilter ftgd-local-cat
edit <name_str>
set id <integer>
set desc <string>
end


Configuration              Description                                   Default Value
id                         Local category ID.
desc                       Local category description.                   (Empty)


webfilter/ftgd-local-rating
CLI Syntax
config webfilter ftgd-local-rating
edit <name_str>
set url <string>
set status {enable | disable}
set rating <user>
end


Configuration              Description                                   Default Value
url                        URL to rate locally.                          (Empty)
status                     Enable/disable local rating.                  enable
rating                     Local rating.


webfilter/ftgd-warning
CLI Syntax
config webfilter ftgd-warning
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set expires <user>
set rating <integer>
end


Configuration              Description                                                        Default Value
id                         Override rule ID.
status                     Enable/disable override rule.                                      disable
scope                      Scope of the override rule.                                        user
ip                         IP address for which the override applies.                         0.0.0.0
user                       Username for which the override applies.                           (Empty)
user-group                 User group for which the override applies.                         (Empty)
old-profile                Web filter profile for which the override applies.                 (Empty)
expires                    When the override expires.                                         1969/12/31 17:00:00
rating                     Ratings associated with the overridden filter.


webfilter/ips-urlfilter-cache-setting
CLI Syntax
config webfilter ips-urlfilter-cache-setting
edit <name_str>
set dns-retry-interval <integer>
set extended-ttl <integer>
end


Configuration              Description                                                                                                   Default Value
dns-retry-interval         Retry interval. Refresh DNS faster than the TTL to capture multiple IPs for hosts; 0 means use the DNS server's TTL only.
extended-ttl               Extend time to live beyond what DNS reports; 0 means use the DNS server's TTL.


webfilter/ips-urlfilter-setting
CLI Syntax
config webfilter ips-urlfilter-setting
edit <name_str>
set device <string>
set distance <integer>
set gateway <ipv4-address>
end


Configuration              Description                                                 Default Value
device                     Outgoing interface used for the gateway route.              (Empty)
distance                   Administrative distance (1 - 255).
gateway                    Gateway IP for this route.                                  0.0.0.0


webfilter/override
CLI Syntax
config webfilter override
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end


Configuration              Description                                                        Default Value
id                         Override rule ID.
status                     Enable/disable override rule.                                      disable
scope                      Scope of the override rule.                                        user
ip                         IP address for which the override applies.                         0.0.0.0
user                       Username for which the override applies.                           (Empty)
user-group                 User group for which the override applies.                         (Empty)
old-profile                Web filter profile for which the override applies.                 (Empty)
new-profile                New web filter profile applied by the override.                    (Empty)
ip6                        IPv6 address for which the override applies.                       ::
expires                    When the override expires.                                         1969/12/31 17:00:00
initiator                  Initiating user of the override (not settable).                    (Empty)


webfilter/override-user
CLI Syntax
config webfilter override-user
edit <name_str>
set id <integer>
set status {enable | disable}
set scope {user | user-group | ip | ip6}
set ip <ipv4-address>
set user <string>
set user-group <string>
set old-profile <string>
set new-profile <string>
set ip6 <ipv6-address>
set expires <user>
set initiator <string>
end


Configuration              Description                                                        Default Value
id                         Override rule ID.
status                     Enable/disable override rule.                                      disable
scope                      Scope of the override rule.                                        user
ip                         IP address for which the override applies.                         0.0.0.0
user                       Username for which the override applies.                           (Empty)
user-group                 User group for which the override applies.                         (Empty)
old-profile                Web filter profile for which the override applies.                 (Empty)
new-profile                New web filter profile applied by the override.                    (Empty)
ip6                        IPv6 address for which the override applies.                       ::
expires                    When the override expires.                                         1969/12/31 17:00:00
initiator                  Initiating user of the override (not settable).                    (Empty)


webfilter/profile
CLI Syntax
config webfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based | dns}
set options {rangeblock | activexfilter | cookiefilter | javafilter | block-invalid-url | jscript | js | vbs | unknown | intrinsic | wf-referer | wf-cookie | https-urlscan | per-user-bwl}
set https-replacemsg {enable | disable}
set ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}
set post-action {normal | comfort | block}
config override
edit <name_str>
set ovrd-cookie {allow | deny}
set ovrd-scope {user | user-group | ip | browser | ask}
set profile-type {list | radius}
set ovrd-dur-mode {constant | ask}
set ovrd-dur <user>
set profile-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
config ovrd-user-group
edit <name_str>
set name <string>
end
config profile
edit <name_str>
set name <string>
end
end
config web
edit <name_str>
set bword-threshold <integer>
set bword-table <integer>
set urlfilter-table <integer>
set content-header-list <integer>
set blacklist {enable | disable}
set whitelist {exempt-av | exempt-webcontent | exempt-activex-java-cookie | exempt-dlp | exempt-rangeblock | extended-log-others}
set safe-search {url | header}
set youtube-edu-filter-id <string>
set log-search {enable | disable}
config keyword-match
edit <name_str>
set pattern <string>
end
end
config ftgd-wf
edit <name_str>
set options {error-allow | http-err-detail | rate-image-urls | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable}
set category-override <user>
set exempt-quota <user>
set ovrd <user>
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | authenticate | monitor | warning}
set warn-duration <user>
config auth-usr-grp
edit <name_str>
set name <string>
end
set log {enable | disable}
set override-replacemsg <string>
set warning-prompt {per-domain | per-category}
set warning-duration-type {session | timeout}
end
config quota
edit <name_str>
set id <integer>
set category <user>
set type {time | traffic}
set unit {B | KB | MB | GB}
set value <integer>
set duration <user>
set override-replacemsg <string>
end
set max-quota-timeout <integer>
set rate-image-urls {disable | enable}
set rate-javascript-urls {disable | enable}
set rate-css-urls {disable | enable}
set rate-crl-urls {disable | enable}
end
set wisp {enable | disable}
config wisp-servers
edit <name_str>
set name <string>
end
set wisp-algorithm {primary-secondary | round-robin | auto-learning}
set log-all-url {enable | disable}
set web-content-log {enable | disable}
set web-filter-activex-log {enable | disable}
set web-filter-command-block-log {enable | disable}
set web-filter-cookie-log {enable | disable}
set web-filter-applet-log {enable | disable}
set web-filter-jscript-log {enable | disable}
set web-filter-js-log {enable | disable}
set web-filter-vbs-log {enable | disable}
set web-filter-unknown-log {enable | disable}
set web-filter-referer-log {enable | disable}
set web-filter-cookie-removal-log {enable | disable}
set web-url-log {enable | disable}
set web-invalid-domain-log {enable | disable}
set web-ftgd-err-log {enable | disable}
set web-ftgd-quota-usage {enable | disable}
end


Configuration                    Description                                                                  Default Value
name                             Profile name.                                                                (Empty)
comment                          Comment.                                                                     (Empty)
replacemsg-group                 Replacement message group.                                                   (Empty)
inspection-mode                  Web filtering inspection mode.                                               proxy
options                          Options.                                                                     (Empty)
https-replacemsg                 Enable replacement message display for non-deep SSL inspection.              enable
ovrd-perm                        Override permit option.                                                      (Empty)
post-action                      Action for HTTP POST requests.                                               normal
override                         Web filter override settings. Details below:
                                   ovrd-cookie                   deny
                                   ovrd-scope                    user
                                   profile-type                  list
                                   ovrd-dur-mode                 constant
                                   ovrd-dur                      15m
                                   profile-attribute             Login-LAT-Service
                                   ovrd-user-group               (Empty)
                                   profile                       (Empty)
web                              Web settings. Details below:
                                   bword-threshold               10
                                   bword-table                   0
                                   urlfilter-table               0
                                   content-header-list           0
                                   blacklist                     disable
                                   whitelist                     (Empty)
                                   safe-search                   (Empty)
                                   youtube-edu-filter-id         (Empty)
                                   log-search                    disable
                                   keyword-match                 (Empty)
ftgd-wf                          FortiGuard Web Filter settings. Details below:
                                   options                       ftgd-disable
                                   category-override             17
                                   exempt-quota                  (Empty)
                                   ovrd                          (Empty)
                                   filters
                                   quota
                                   max-quota-timeout             300
                                   rate-image-urls               enable
                                   rate-javascript-urls          enable
                                   rate-css-urls                 enable
                                   rate-crl-urls                 enable
wisp                             Enable/disable web proxy WISP.                                               disable
wisp-servers                     WISP servers.                                                                (Empty)
wisp-algorithm                   WISP server selection algorithm.                                             auto-learning
log-all-url                      Enable/disable logging of all URLs visited.                                  disable
web-content-log                  Enable/disable logging for web filter content blocking.                      enable
web-filter-activex-log           Enable/disable logging for web script filtering on ActiveX.                  enable
web-filter-command-block-log     Enable/disable logging for web filtering on command blocking.                enable
web-filter-cookie-log            Enable/disable logging for web script filtering on cookies.                  enable
web-filter-applet-log            Enable/disable logging for web script filtering on Java applets.             enable
web-filter-jscript-log           Enable/disable logging for web script filtering on JScript.                  enable
web-filter-js-log                Enable/disable logging for web script filtering on JavaScript.               enable
web-filter-vbs-log               Enable/disable logging for web script filtering on VBScript.                 enable
web-filter-unknown-log           Enable/disable logging for web script filtering on unknown scripts.          enable
web-filter-referer-log           Enable/disable logging of web filter referrer blocks.                        enable
web-filter-cookie-removal-log    Enable/disable logging of web filter cookie blocks.                          enable
web-url-log                      Enable/disable logging for URL filtering.                                    enable
web-invalid-domain-log           Enable/disable logging for web filtering of invalid domain names.            enable
web-ftgd-err-log                 Enable/disable logging for FortiGuard Web Filter rating errors.              enable
web-ftgd-quota-usage             Enable/disable daily logging of FortiGuard Web Filter quota usage.           enable

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

835

webfilter/search-engine
CLI Syntax
config webfilter search-engine
edit <name_str>
set name <string>
set hostname <string>
set url <string>
set query <string>
set safesearch {disable | url | header}
set charset {utf-8 | gb2312}
set safesearch-str <string>
end

Description
Configuration | Description | Default Value
name | Search engine name. | (Empty)
hostname | Hostname regular expression. | (Empty)
url | URL regular expression. | (Empty)
query | Query string (must end with an equals character). | (Empty)
safesearch | Safe search enable. | disable
charset | Search engine charset. | utf-8
safesearch-str | Safe search parameter. | (Empty)

webfilter/urlfilter
CLI Syntax
config webfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
set one-arm-ips-urlfilter {enable | disable}
set ip-addr-block {enable | disable}
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {exempt | block | allow | monitor}
set status {enable | disable}
set exempt {av | filepattern | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
set web-proxy-profile <string>
set referrer-host <string>
end
end

Description
Configuration | Description | Default Value
id | ID. |
name | Name of table. | (Empty)
comment | Comment. | (Empty)
one-arm-ips-urlfilter | Enable/disable DNS resolver for one-arm IPS URL filter operation. | disable
ip-addr-block | Enable/disable block URLs when hostname appears as an IP address. | disable
entries | Web filter/URL filter. | (Empty)
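An added example, not taken from the Fortinet documentation, that uses the urlfilter syntax above to build one table with a regex block entry, a simple entry exempted from AV scanning only, a wildcard monitor entry, and ip-addr-block so that a URL written with a literal IP address cannot slip past the hostname entries. The table ID, table name, comment and hostnames are constructed placeholders.

```fortios
# Added example: URL filter table assembled from the options documented above.
# Table ID, table name and hostnames are constructed placeholders.
config webfilter urlfilter
    edit 1
        set name "corp-urlfilter"
        set comment "Block known-bad patterns; keep hostname rules hard to bypass"
        # A request for http://203.0.113.10/ carries no hostname, so none of the
        # hostname entries below would match it; ip-addr-block denies such URLs.
        set ip-addr-block enable
        config entries
            edit 1
                # Regex entry: block every host under the (constructed) domain.
                set url "^.*\.example-bad\.test/"
                set type regex
                set action block
                set status enable
            next
            edit 2
                # Simple entry: exempt this update host from AV scanning only;
                # the other inspection types listed for "exempt" still apply.
                set url "updates.example.test"
                set type simple
                set action exempt
                set exempt av
                set status enable
            next
            edit 3
                # Wildcard entry: log visits without blocking them.
                set url "*.example-watch.test"
                set type wildcard
                set action monitor
                set status enable
            next
        end
    next
end
```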

wireless-controller/ap-status
CLI Syntax
config wireless-controller ap-status
edit <name_str>
set id <integer>
set bssid <mac-address>
set ssid <string>
set status {rogue | accepted | suppressed}
end

Description
Configuration | Description | Default Value
id | AP ID. |
bssid | AP's BSSID. | 00:00:00:00:00:00
ssid | AP's SSID. | (Empty)
status | AP status. | rogue

wireless-controller/global
CLI Syntax
config wireless-controller global
edit <name_str>
set name <string>
set location <string>
set max-retransmit <integer>
set data-ethernet-II {enable | disable}
set link-aggregation {enable | disable}
set mesh-eth-type <integer>
set fiapp-eth-type <integer>
set discovery-mc-addr <ipv4-address-multicast>
set max-clients <integer>
set rogue-scan-mac-adjacency <integer>
set ap-log-server {enable | disable}
set ap-log-server-ip <ipv4-address>
set ap-log-server-port <integer>
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
location | Location. | (Empty)
max-retransmit | Maximum # of retransmissions for tunnel packet. |
data-ethernet-II | Enable/disable ethernet frame type with 802.3 data tunnel mode. | disable
link-aggregation | Enable/disable CAPWAP transmit hash calculation for selecting link aggregation slaves. | disable
mesh-eth-type | Ethernet type for wireless backhaul tunnel packet. | 8755
fiapp-eth-type | Ethernet type for Fortinet Inter-Access Point Protocol (IAPP) packets. | 5252
discovery-mc-addr | Discovery multicast address. | 224.0.1.140
max-clients | Maximum number of stations supported by the AC. |
rogue-scan-mac-adjacency | Range of numerical difference between AP's Ethernet MAC and AP's BSSID, given the identical OUI (default = 7). |
ap-log-server | Enable/disable AP log server. | disable
ap-log-server-ip | AP log server IP address. | 0.0.0.0
ap-log-server-port | AP log server port. |

wireless-controller/setting
CLI Syntax
config wireless-controller setting
edit <name_str>
set account-id <string>
set country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | BZ | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG | SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN | ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU | MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA | PG | PY | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | ZA | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY | UZ | VE | VN | YE | ZW | JP | AU | CA}
end

Description
Configuration | Description | Default Value
account-id | FortiCloud customer account ID. | (Empty)
country | Country. | US

wireless-controller/timers
CLI Syntax
config wireless-controller timers
edit <name_str>
set echo-interval <integer>
set discovery-interval <integer>
set client-idle-timeout <integer>
set rogue-ap-log <integer>
set fake-ap-log <integer>
set darrp-optimize <integer>
set darrp-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
config darrp-time
edit <name_str>
set time <string>
end
set sta-stats-interval <integer>
set vap-stats-interval <integer>
set radio-stats-interval <integer>
set sta-capability-interval <integer>
set sta-locate-timer <integer>
end

Description
Configuration | Description | Default Value
echo-interval | Interval before WTP sends Echo Request after joining AC (1 - 255, default = 30 sec). | 30
discovery-interval | Interval between Discovery Request (2 - 180 sec, default = 5 sec). |
client-idle-timeout | Wireless station idle timeout (0 no client-idle check, 20 - 3600 sec, default = 300 sec). | 300
rogue-ap-log | Rogue AP periodic log reporting interval (default = 0 min). |
fake-ap-log | Fake AP periodic log reporting interval (default = 1 min). |
darrp-optimize | DARRP optimization interval (default = 1800 sec). | 1800
darrp-day | Weekday on which DARRP optimization is executed. | (Empty)
darrp-time | Time at which DARRP optimization is executed (up to 8 time points). | (Empty)
sta-stats-interval | WTP interval for which station statistics are sent (1 - 255, default = 1 sec). |
vap-stats-interval | WTP interval for which VAP statistics are sent (1 - 255, default = 15 sec). | 15
radio-stats-interval | WTP interval for which radio statistics are sent (1 - 255, default = 15 sec). | 15
sta-capability-interval | WTP interval for which station capability information is sent (1 - 255, default = 30 sec). | 30
sta-locate-timer | Interval at which the WTP flushes the station presence (default = 1800 sec). | 1800

wireless-controller/vap
CLI Syntax
config wireless-controller vap
edit <name_str>
set name <string>
set vdom <string>
set fast-roaming {enable | disable}
set external-fast-roaming {enable | disable}
set mesh-backhaul {enable | disable}
set max-clients <integer>
set max-clients-ap <integer>
set ssid <string>
set broadcast-ssid {enable | disable}
set security-obsolete-option {enable | disable}
set security {open | captive-portal | wep64 | wep128 | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa-only-personal | wpa-only-personal+captive-portal | wpa-only-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}
set pmf {disable | enable | optional}
set pmf-assoc-comeback-timeout <integer>
set pmf-sa-query-retry-timeout <integer>
set okc {disable | enable}
set tkip-counter-measure {enable | disable}
set external-web <string>
set external-logout <string>
set radius-mac-auth {enable | disable}
set radius-mac-auth-server <string>
set auth {psk | radius | usergroup}
set encrypt {TKIP | AES | TKIP-AES}
set keyindex <integer>
set key <password>
set passphrase <password>
set radius-server <string>
set acct-interim-interval <integer>
config usergroup
edit <name_str>
set name <string>
end
set portal-message-override-group <string>
config portal-message-overrides
edit <name_str>
set auth-disclaimer-page <string>
set auth-reject-page <string>
set auth-login-page <string>
set auth-login-failed-page <string>
end
set portal-type {auth | auth+disclaimer | disclaimer | email-collect}
config selected-usergroups
edit <name_str>
set name <string>
end
set security-exempt-list <string>
set security-redirect-url <string>
set intra-vap-privacy {enable | disable}
set schedule <string>
set local-standalone {enable | disable}
set local-standalone-nat {enable | disable}
set ip <ipv4-classnet-host>
set local-bridging {enable | disable}
set split-tunneling {enable | disable}
set local-authentication {enable | disable}
set vlanid <integer>
set vlan-auto {enable | disable}
set dynamic-vlan {enable | disable}
set alias <string>
set multicast-rate {0 | 6000 | 12000 | 24000}
set multicast-enhance {enable | disable}
set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arp-unknown | arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
set me-disable-thresh <integer>
set probe-resp-suppression {enable | disable}
set probe-resp-threshold <string>
set vlan-pooling {wtp-group | round-robin | hash | disable}
config vlan-pool
edit <name_str>
set id <integer>
set wtp-group <string>
end
set ptk-rekey {enable | disable}
set ptk-rekey-intv <integer>
set gtk-rekey {enable | disable}
set gtk-rekey-intv <integer>
set eap-reauth {enable | disable}
set eap-reauth-intv <integer>
set rates-11a {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 11 | 11-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
set rates-11bg {1 | 1-basic | 2 | 2-basic | 5.5 | 5.5-basic | 11 | 11-basic | 6 | 6-basic | 9 | 9-basic | 12 | 12-basic | 18 | 18-basic | 24 | 24-basic | 36 | 36-basic | 48 | 48-basic | 54 | 54-basic}
set rates-11n-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/2 | mcs9/2 | mcs10/2 | mcs11/2 | mcs12/2 | mcs13/2 | mcs14/2 | mcs15/2}
set rates-11n-ss34 {mcs16/3 | mcs17/3 | mcs18/3 | mcs19/3 | mcs20/3 | mcs21/3 | mcs22/3 | mcs23/3 | mcs24/4 | mcs25/4 | mcs26/4 | mcs27/4 | mcs28/4 | mcs29/4 | mcs30/4 | mcs31/4}
set rates-11ac-ss12 {mcs0/1 | mcs1/1 | mcs2/1 | mcs3/1 | mcs4/1 | mcs5/1 | mcs6/1 | mcs7/1 | mcs8/1 | mcs9/1 | mcs0/2 | mcs1/2 | mcs2/2 | mcs3/2 | mcs4/2 | mcs5/2 | mcs6/2 | mcs7/2 | mcs8/2 | mcs9/2}
set rates-11ac-ss34 {mcs0/3 | mcs1/3 | mcs2/3 | mcs3/3 | mcs4/3 | mcs5/3 | mcs6/3 | mcs7/3 | mcs8/3 | mcs9/3 | mcs0/4 | mcs1/4 | mcs2/4 | mcs3/4 | mcs4/4 | mcs5/4 | mcs6/4 | mcs7/4 | mcs8/4 | mcs9/4}
set mac-filter {enable | disable}
set mac-filter-policy-other {allow | deny}
config mac-filter-list
edit <name_str>
set id <integer>
set mac <mac-address>
set mac-filter-policy {allow | deny}
end
end

Description
Configuration | Description | Default Value
name | Virtual AP name. | (Empty)
vdom | Owning VDOM. | (Empty)
fast-roaming | Enable/disable fast roaming. | enable
external-fast-roaming | Enable/disable fast roaming with external non-managed AP. | disable
mesh-backhaul | Enable/disable mesh backhaul. | disable
max-clients | Maximum number of STAs supported by the VAP. |
max-clients-ap | Maximum number of STAs supported by the VAP (per AP radio). |
ssid | IEEE 802.11 Service Set Identifier. | fortinet
broadcast-ssid | Enable/disable SSID broadcast in the beacon. | enable
security-obsolete-option | Enable/disable obsolete security options. | disable
security | Wireless access security of SSID. | wpa2-only-personal
pmf | Protected Management Frames (PMF) support. | disable
pmf-assoc-comeback-timeout | Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec). |
pmf-sa-query-retry-timeout | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 in 100s of msec). |
okc | Enable/disable Opportunistic Key Caching (OKC). | enable
tkip-counter-measure | Enable/disable TKIP counter measure. | enable
external-web | URL of external authentication web server. | (Empty)
external-logout | URL of external authentication logout server. | (Empty)
radius-mac-auth | Enable/disable RADIUS-based MAC authentication. | disable
radius-mac-auth-server | RADIUS-based MAC authentication server. | (Empty)
auth | Authentication protocol. | psk
encrypt | Data encryption. | AES
keyindex | WEP key index (1 - 4). |
key | WEP key. | (Empty)
passphrase | Pre-shared key for WPA. | (Empty)
radius-server | WiFi RADIUS server. | (Empty)
acct-interim-interval | WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0). |
usergroup | Selected user group. | (Empty)
portal-message-override-group | Specify captive portal replacement message override group. | (Empty)
portal-message-overrides | Individual message overrides. | Details below

Configuration | Default Value
auth-disclaimer-page | (Empty)
auth-reject-page | (Empty)
auth-login-page | (Empty)
auth-login-failed-page | (Empty)

portal-type | Captive portal type. | auth
selected-usergroups | Selected user group. | (Empty)
security-exempt-list | Security exempt list name. | (Empty)
security-redirect-url | URL redirection after disclaimer/authentication. | (Empty)
intra-vap-privacy | Enable/disable intra-SSID privacy. | disable
schedule | VAP schedule name. | (Empty)
local-standalone | Enable/disable AP local standalone. | disable
local-standalone-nat | Enable/disable AP local standalone NAT mode. | disable
ip | IP address and subnet mask for the local standalone NAT subnet. | 0.0.0.0 0.0.0.0
local-bridging | Enable/disable FortiAP local VAP-to-Ethernet bridge. | disable
split-tunneling | Enable/disable split tunneling. | disable
local-authentication | Enable/disable AP local authentication. | disable
vlanid | Optional VLAN ID. |
vlan-auto | Enable/disable automatic management of SSID VLAN interface. | disable
dynamic-vlan | Enable/disable dynamic VLAN assignment. | disable
alias | Alias. | (Empty)
multicast-rate | Multicast rate (kbps). |
multicast-enhance | Enable/disable multicast enhancement. | disable
broadcast-suppression | Suppress broadcast frames from WiFi clients. | dhcp-up arp-known
me-disable-thresh | Threshold of number of multicast clients to disable multicast enhancement. | 32
probe-resp-suppression | Enable/disable probe response suppression. | disable
probe-resp-threshold | Threshold at which FortiAP responds to probe requests (signal level must be no lower than this value). | -80
vlan-pooling | Enable/disable VLAN pooling. | disable
vlan-pool | VLAN pool. | (Empty)
ptk-rekey | Enable/disable PTK rekey for WPA-Enterprise security. | disable
ptk-rekey-intv | PTK rekey interval (1800 - 864000 sec, default = 86400). | 86400
gtk-rekey | Enable/disable GTK rekey for WPA security. | disable
gtk-rekey-intv | GTK rekey interval (1800 - 864000 sec, default = 86400). | 86400
eap-reauth | Enable/disable EAP re-authentication for WPA-Enterprise security. | disable
eap-reauth-intv | EAP re-authentication interval (1800 - 864000 sec, default = 86400). | 86400
rates-11a | Configure allowed data rates for 802.11a. | (Empty)
rates-11bg | Configure allowed data rates for 802.11b/g. | (Empty)
rates-11n-ss12 | Configure allowed data rates for 802.11n with 1 or 2 spatial streams. | (Empty)
rates-11n-ss34 | Configure allowed data rates for 802.11n with 3 or 4 spatial streams. | (Empty)
rates-11ac-ss12 | Configure allowed data rates for 802.11ac with 1 or 2 spatial streams. | (Empty)
rates-11ac-ss34 | Configure allowed data rates for 802.11ac with 3 or 4 spatial streams. | (Empty)
mac-filter | Enable/disable MAC filter status. | disable
mac-filter-policy-other | Deny or allow STAs whose MAC addresses are not in the filter list. | allow
mac-filter-list | MAC filter list. | (Empty)
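An added example, not taken from the Fortinet documentation, that contrasts a weak SSID built from the options above (WPA-personal with TKIP and no PMF) with a hardened WPA2-Enterprise SSID that turns on PMF, AES-only encryption, periodic PTK/GTK rekeying, EAP re-authentication and intra-SSID privacy. The VAP names, SSIDs, VDOM, passphrase placeholder and the RADIUS server object "radius-corp" are constructed assumptions.

```fortios
# Added example: a weak VAP beside a hardened VAP, using only the options
# documented above. Names, SSIDs and the RADIUS object are constructed.
config wireless-controller vap
    # Weak: TKIP is deprecated, PMF is off (page default), so management
    # frames are unauthenticated and a shared passphrase protects everything.
    edit "guest-weak"
        set vdom "root"
        set ssid "guest-legacy"
        set security wpa-personal
        set encrypt TKIP
        set passphrase "<constructed-placeholder>"
        set pmf disable
    next
    # Hardened: per-user 802.1X credentials, AES only, PMF required.
    edit "corp-wpa2e"
        set vdom "root"
        set ssid "corp"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "radius-corp"
        set encrypt AES
        # PMF authenticates deauth/disassoc frames, so a spoofed
        # deauthentication is discarded by the client instead of dropping it.
        set pmf enable
        set pmf-assoc-comeback-timeout 1
        set pmf-sa-query-retry-timeout 2
        # Shorten key lifetimes from the 86400 s default (range 1800 - 864000).
        set ptk-rekey enable
        set ptk-rekey-intv 3600
        set gtk-rekey enable
        set gtk-rekey-intv 3600
        set eap-reauth enable
        set eap-reauth-intv 7200
        # Stations on this SSID must not talk to each other directly.
        set intra-vap-privacy enable
        # Interim accounting every 600 s (range 60 - 86400) keeps RADIUS
        # session records current for later investigation.
        set acct-interim-interval 600
        set okc enable
    next
end
```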

wireless-controller/vap-group
CLI Syntax
config wireless-controller vap-group
edit <name_str>
set name <string>
set comment <var-string>
config vaps
edit <name_str>
set name <string>
end
end

Description
Configuration | Description | Default Value
name | Group name. | (Empty)
comment | Comment. | (Empty)
vaps | Selected list of SSIDs to be included in the group. | (Empty)

wireless-controller/wids-profile
CLI Syntax
config wireless-controller wids-profile
edit <name_str>
set name <string>
set comment <string>
set ap-scan {disable | enable}
set ap-bgscan-period <integer>
set ap-bgscan-intv <integer>
set ap-bgscan-duration <integer>
set ap-bgscan-idle <integer>
set ap-bgscan-report-intv <integer>
set ap-bgscan-disable-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set ap-bgscan-disable-start <user>
set ap-bgscan-disable-end <user>
set ap-fgscan-report-intv <integer>
set ap-scan-passive {enable | disable}
set rogue-scan {enable | disable}
set ap-auto-suppress {enable | disable}
set wireless-bridge {enable | disable}
set deauth-broadcast {enable | disable}
set null-ssid-probe-resp {enable | disable}
set long-duration-attack {enable | disable}
set long-duration-thresh <integer>
set invalid-mac-oui {enable | disable}
set weak-wep-iv {enable | disable}
set auth-frame-flood {enable | disable}
set auth-flood-time <integer>
set auth-flood-thresh <integer>
set assoc-frame-flood {enable | disable}
set assoc-flood-time <integer>
set assoc-flood-thresh <integer>
set spoofed-deauth {enable | disable}
set asleap-attack {enable | disable}
set eapol-start-flood {enable | disable}
set eapol-start-thresh <integer>
set eapol-start-intv <integer>
set eapol-logoff-flood {enable | disable}
set eapol-logoff-thresh <integer>
set eapol-logoff-intv <integer>
set eapol-succ-flood {enable | disable}
set eapol-succ-thresh <integer>
set eapol-succ-intv <integer>
set eapol-fail-flood {enable | disable}
set eapol-fail-thresh <integer>
set eapol-fail-intv <integer>
set eapol-pre-succ-flood {enable | disable}
set eapol-pre-succ-thresh <integer>
set eapol-pre-succ-intv <integer>
set eapol-pre-fail-flood {enable | disable}
set eapol-pre-fail-thresh <integer>
set eapol-pre-fail-intv <integer>
set deauth-unknown-src-thresh <integer>
end

Description
Configuration | Description | Default Value
name | WIDS profile name. | (Empty)
comment | Comment. | (Empty)
ap-scan | Enable/disable AP scan. | disable
ap-bgscan-period | Interval between two rounds of scanning (60 - 3600 sec). | 600
ap-bgscan-intv | Interval between two scanning channels (1 - 600 sec). |
ap-bgscan-duration | Listening time on a scanning channel (10 - 1000 msec). | 20
ap-bgscan-idle | Channel idle time before scanning channel (0 - 1000 msec). |
ap-bgscan-report-intv | Interval between two background scan reports (15 - 600 sec). | 30
ap-bgscan-disable-day | Weekday on which background scan is disabled. | (Empty)
ap-bgscan-disable-start | Start time at which background scan is disabled. | 00:00
ap-bgscan-disable-end | End time at which background scan is disabled. | 00:00
ap-fgscan-report-intv | Interval between two foreground scan reports (15 - 600 sec). | 15
ap-scan-passive | Enable/disable passive scan on all channels. | disable
rogue-scan | Enable/disable rogue AP on-wire scan. | disable
ap-auto-suppress | Enable/disable on-wire rogue AP auto-suppress. | disable
wireless-bridge | Enable/disable wireless bridge detection. | disable
deauth-broadcast | Enable/disable broadcasting de-authentication detection. | disable
null-ssid-probe-resp | Enable/disable null SSID probe response detection. | disable
long-duration-attack | Enable/disable long duration attack detection based on user configured threshold. | disable
long-duration-thresh | Threshold value (usec) for long duration attack detection. | 8200
invalid-mac-oui | Enable/disable invalid MAC OUI detection. | disable
weak-wep-iv | Enable/disable weak WEP IV (Initialization Vector) detection. | disable
auth-frame-flood | Enable/disable authentication frame flooding detection. | disable
auth-flood-time | Number of seconds after which an STA is considered not connected. | 10
auth-flood-thresh | Threshold value for authentication flooding. | 30
assoc-frame-flood | Enable/disable association frame flooding detection. | disable
assoc-flood-time | Number of seconds after which an STA is considered not connected. | 10
assoc-flood-thresh | Threshold value for association flooding. | 30
spoofed-deauth | Enable/disable spoofed de-authentication attack detection. | disable
asleap-attack | Enable/disable asleap attack detection. | disable
eapol-start-flood | Enable/disable EAPOL-Start flooding (to AP) detection. | disable
eapol-start-thresh | The threshold value for EAPOL-Start flooding in specified interval. | 10
eapol-start-intv | The detection interval for EAPOL-Start flooding in sec. |
eapol-logoff-flood | Enable/disable EAPOL-Logoff flooding (to AP) detection. | disable
eapol-logoff-thresh | The threshold value for EAPOL-Logoff flooding in specified interval. | 10
eapol-logoff-intv | The detection interval for EAPOL-Logoff flooding in sec. |
eapol-succ-flood | Enable/disable EAPOL-Success flooding (to AP) detection. | disable
eapol-succ-thresh | The threshold value for EAPOL-Success flooding in specified interval. | 10
eapol-succ-intv | The detection interval for EAPOL-Success flooding in sec. |
eapol-fail-flood | Enable/disable EAPOL-Failure flooding (to AP) detection. | disable
eapol-fail-thresh | The threshold value for EAPOL-Failure flooding in specified interval. | 10
eapol-fail-intv | The detection interval for EAPOL-Failure flooding in sec. |
eapol-pre-succ-flood | Enable/disable premature EAPOL-Success flooding (to STA) detection. | disable
eapol-pre-succ-thresh | The threshold value for premature EAPOL-Success flooding in specified interval. | 10
eapol-pre-succ-intv | The detection interval for premature EAPOL-Success flooding in sec. |
eapol-pre-fail-flood | Enable/disable premature EAPOL-Failure flooding (to STA) detection. | disable
eapol-pre-fail-thresh | The threshold value for premature EAPOL-Failure flooding in specified interval. | 10
eapol-pre-fail-intv | The detection interval for premature EAPOL-Failure flooding in sec. |
deauth-unknown-src-thresh | Threshold value per second to deauth unknown src for DoS attack (0: no limit). | 10
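An added example, not taken from the Fortinet documentation, that assembles a WIDS profile from the options above: background scanning with a maintenance-window exception, on-wire rogue classification without automatic suppression, and the deauthentication, frame-flood and EAPOL-flood detectors with explicit windows and thresholds. The profile name, comment, window times and threshold values are constructed assumptions.

```fortios
# Added example: WIDS profile built only from the options documented above.
# Profile name, comment, times and threshold values are constructed.
config wireless-controller wids-profile
    edit "corp-wids"
        set comment "Background scan plus flood and spoof detection for office APs"
        # Background scan: a full round every 600 s, 1 s between channels,
        # 20 ms dwell per channel, a report every 30 s; paused during the
        # Sunday maintenance window so scan gaps are not mistaken for outages.
        set ap-scan enable
        set ap-bgscan-period 600
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-report-intv 30
        set ap-bgscan-disable-day sunday
        set ap-bgscan-disable-start 02:00
        set ap-bgscan-disable-end 04:00
        # On-wire scan tells a rogue on our LAN from a harmless neighbour AP;
        # auto-suppress stays off so a mis-classified neighbour is not acted on.
        set rogue-scan enable
        set ap-auto-suppress disable
        set wireless-bridge enable
        # Management-frame abuse and malformed-frame detectors.
        set deauth-broadcast enable
        set spoofed-deauth enable
        set null-ssid-probe-resp enable
        set invalid-mac-oui enable
        set weak-wep-iv enable
        set long-duration-attack enable
        set long-duration-thresh 8200
        set asleap-attack enable
        # Frame floods: more than 30 frames inside a 10 s window raises an event.
        set auth-frame-flood enable
        set auth-flood-time 10
        set auth-flood-thresh 30
        set assoc-frame-flood enable
        set assoc-flood-time 10
        set assoc-flood-thresh 30
        # EAPOL floods towards the AP: more than 10 frames per 1 s interval.
        set eapol-start-flood enable
        set eapol-start-thresh 10
        set eapol-start-intv 1
        set eapol-logoff-flood enable
        set eapol-logoff-thresh 10
        set eapol-logoff-intv 1
        set eapol-succ-flood enable
        set eapol-succ-thresh 10
        set eapol-succ-intv 1
        set eapol-fail-flood enable
        set eapol-fail-thresh 10
        set eapol-fail-intv 1
        # Premature EAPOL-Success/Failure frames aimed at stations.
        set eapol-pre-succ-flood enable
        set eapol-pre-succ-thresh 10
        set eapol-pre-succ-intv 1
        set eapol-pre-fail-flood enable
        set eapol-pre-fail-thresh 10
        set eapol-pre-fail-intv 1
        # Rate-limit deauth of unknown sources (0 would mean no limit).
        set deauth-unknown-src-thresh 10
    next
end
```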

wireless-controller/wtp
CLI Syntax
config wireless-controller wtp
edit <name_str>
set wtp-id <string>
set index <integer>
set admin {discovered | disable | enable}
set name <string>
set location <string>
set wtp-mode {normal | remote}
set wtp-profile <string>
set override-led-state {enable | disable}
set led-state {enable | disable}
set override-wan-port-mode {enable | disable}
set wan-port-mode {wan-lan | wan-only}
set override-ip-fragment {enable | disable}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set override-split-tunnel {enable | disable}
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set override-lan {enable | disable}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set override-allowaccess {enable | disable}
set allowaccess {telnet | http | https | ssh}
set override-login-passwd-change {enable | disable}
set login-passwd-change {yes | default | no}
set login-passwd <password>
config radio-1
edit <name_str>
set radio-id <integer>
set override-band {enable | disable}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
set override-analysis {enable | disable}
set spectrum-analysis {enable | disable}
set override-txpower {enable | disable}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set override-vaps {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
set override-channel {enable | disable}
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set override-band {enable | disable}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac | 802.11ac,n-only | 802.11ac-only}
set override-analysis {enable | disable}
set spectrum-analysis {enable | disable}
set override-txpower {enable | disable}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set override-vaps {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
set override-channel {enable | disable}
config channel
edit <name_str>
set chan <string>
end
end
set image-download {enable | disable}
set mesh-bridge-enable {default | enable | disable}
set coordinate-enable {enable | disable}
set coordinate-x <string>
set coordinate-y <string>
end

Description
Configuration | Description | Default Value
wtp-id | WTP ID. | (Empty)
index | Index (0 - 4294967295). |
admin | Admin status. | enable
name | WTP name. | (Empty)
location | WTP location. | (Empty)
wtp-mode | WTP mode. | normal
wtp-profile | WTP profile name. | (Empty)
override-led-state | Enable/disable override of LED state. | disable
led-state | Enable/disable use of LEDs on WTP. | enable
override-wan-port-mode | Enable/disable override of wan-port-mode. | disable
wan-port-mode | Enable/disable use of WAN port as LAN port. | wan-only
override-ip-fragment | Enable/disable override of IP fragment prevention. | disable
ip-fragment-preventing | Prevent IP fragmentation for CAPWAP tunnelled control and data packets. | tcp-mss-adjust
tun-mtu-uplink | Uplink tunnel MTU. |
tun-mtu-downlink | Downlink tunnel MTU. |
override-split-tunnel | Enable/disable override of split tunneling. | disable
split-tunneling-acl-local-ap-subnet | Enable/disable split tunneling ACL local AP subnet. | disable
split-tunneling-acl | Split tunneling ACL filter list. | (Empty)
override-lan | Enable/disable override of WTP LAN port. | disable
lan | WTP LAN port mapping. | Details below

Configuration | Default Value
port-mode | offline
port-ssid | (Empty)
port1-mode | offline
port1-ssid | (Empty)
port2-mode | offline
port2-ssid | (Empty)
port3-mode | offline
port3-ssid | (Empty)
port4-mode | offline
port4-ssid | (Empty)
port5-mode | offline
port5-ssid | (Empty)
port6-mode | offline
port6-ssid | (Empty)
port7-mode | offline
port7-ssid | (Empty)
port8-mode | offline
port8-ssid | (Empty)

override-allowaccess | Enable/disable override of management access to managed AP. | disable
allowaccess | Allow management access to managed AP. | (Empty)
override-login-passwd-change | Enable/disable override of login password of managed AP. | disable
login-passwd-change | Configuration options for login password of managed AP. | no
login-passwd | Login password of managed AP. | (Empty)
radio-1 | Radio 1. | Details below

Configuration | Default Value
radio-id | 0
override-band | disable
band | (Empty)
override-analysis | disable
spectrum-analysis | disable
override-txpower | disable
auto-power-level | disable
auto-power-high | 17
auto-power-low | 10
power-level | 100
override-vaps | disable
vap-all | enable
vaps | (Empty)
override-channel | disable
channel | (Empty)

radio-2 | Radio 2. | Details below

Configuration | Default Value
radio-id | 1
override-band | disable
band | (Empty)
override-analysis | disable
spectrum-analysis | disable
override-txpower | disable
auto-power-level | disable
auto-power-high | 17
auto-power-low | 10
power-level | 100
override-vaps | disable
vap-all | enable
vaps | (Empty)
override-channel | disable
channel | (Empty)

image-download | Enable/disable WTP image download. | enable
mesh-bridge-enable | Enable/disable mesh Ethernet bridge when WTP is configured as a mesh branch/leaf AP. | default
coordinate-enable | Enable/disable WTP coordinates. | disable
coordinate-x | X axis coordinate. |
coordinate-y | Y axis coordinate. |

wireless-controller/wtp-profile
CLI Syntax
config wireless-controller wtp-profile
edit <name_str>
set name <string>
set comment <var-string>
config platform
edit <name_str>
set type {AP-11N | 220A | 220B | 223B | 210B | 222B | 112B | 320B | 11C | 14C | 28C | 320C | 221C | 25D | 222C | 224D | 214B | 21D | 24D | 112D | 223C | 321C | S321C | S322C | S323C | S311C | S313C | S321CR | S322CR | S323CR | S421E | S422E | S423E}
end
set wan-port-mode {wan-lan | wan-only}
config lan
edit <name_str>
set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port-ssid <string>
set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port1-ssid <string>
set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port2-ssid <string>
set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port3-ssid <string>
set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port4-ssid <string>
set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port5-ssid <string>
set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port6-ssid <string>
set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port7-ssid <string>
set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}
set port8-ssid <string>
end
set led-state {enable | disable}
set dtls-policy {clear-text | dtls-enabled}
set dtls-in-kernel {enable | disable}
set max-clients <integer>
set handoff-rssi <integer>
set handoff-sta-thresh <integer>
set handoff-roaming {enable | disable}
config deny-mac-list
edit <name_str>
set id <integer>
set mac <mac-address>
end
set ap-country {NA | AL | DZ | AO | AR | AM | AT | AZ | BH | BD | BB | BY | BE | B
Z | BO | BA | BR | BN | BG | KH | CL | CN | CO | CR | HR | CY | CZ | DK | DO | EC | EG
| SV | EE | FI | FR | GE | DE | GR | GL | GD | GU | GT | HT | HN | HK | HU | IS | IN
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.

869

| ID | IR | IE | IL | IT | JM | JO | KZ | KE | KP | KR | KW | LV | LB | LI | LT | LU |
MO | MK | MY | MT | MX | MC | MA | MZ | NP | NL | AN | AW | NZ | NO | OM | PK | PA |
PG | PY | PE | PH | PL | PT | PR | QA | RO | RU | RW | SA | RS | ME | SG | SK | SI | Z
A | ES | LK | SE | SD | CH | SY | TW | TH | TT | TN | TR | AE | UA | GB | US | PS | UY
| UZ | VE | VN | YE | ZW | JP | AU | CA}
set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
set tun-mtu-uplink <integer>
set tun-mtu-downlink <integer>
set split-tunneling-acl-local-ap-subnet {enable | disable}
config split-tunneling-acl
edit <name_str>
set id <integer>
set dest-ip <ipv4-classnet>
end
set allowaccess {telnet | http | https | ssh}
set login-passwd-change {yes | default | no}
set login-passwd <password>
set lldp {enable | disable}
config radio-1
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.
11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11a
c-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate
-follow}
set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.

870

set darrp {enable | disable}


set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config radio-2
edit <name_str>
set radio-id <integer>
set mode {disabled | ap | monitor | sniffer}
set band {802.11a | 802.11b | 802.11g | 802.11n | 802.11n-5G | 802.11ac | 802.
11n,g-only | 802.11g-only | 802.11n-only | 802.11n-5G-only | 802.11ac,n-only | 802.11a
c-only}
set protection-mode {rtscts | ctsonly | disable}
set powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate
-follow}
set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}
set amsdu {enable | disable}
set coexistence {enable | disable}
set short-guard-interval {enable | disable}
set channel-bonding {80MHz | 40MHz | 20MHz}
set auto-power-level {enable | disable}
set auto-power-high <integer>
set auto-power-low <integer>
set power-level <integer>
set dtim <integer>
set beacon-interval <integer>
set rts-threshold <integer>
set frag-threshold <integer>
set ap-sniffer-bufsize <integer>
set ap-sniffer-chan <integer>
set ap-sniffer-addr <mac-address>
set ap-sniffer-mgmt-beacon {enable | disable}
set ap-sniffer-mgmt-probe {enable | disable}
set ap-sniffer-mgmt-other {enable | disable}
set ap-sniffer-ctl {enable | disable}
set ap-sniffer-data {enable | disable}
set spectrum-analysis {enable | disable}
set wids-profile <string>
set darrp {enable | disable}
set max-clients <integer>
set max-distance <integer>
set frequency-handoff {enable | disable}
CLI Reference for FortiOS 5.4
Fortinet Technologies Inc.

871

set frequency-handoff {enable | disable}


set ap-handoff {enable | disable}
set vap-all {enable | disable}
config vaps
edit <name_str>
set name <string>
end
config channel
edit <name_str>
set chan <string>
end
end
config lbs
edit <name_str>
set ekahau-blink-mode {enable | disable}
set ekahau-tag <mac-address>
set erc-server-ip <ipv4-address-any>
set erc-server-port <integer>
set aeroscout {enable | disable}
set aeroscout-server-ip <ipv4-address-any>
set aeroscout-server-port <integer>
set aeroscout-mu-factor <integer>
set aeroscout-mu-timeout <integer>
set fortipresence {enable | disable}
set fortipresence-server <ipv4-address-any>
set fortipresence-port <integer>
set fortipresence-secret <password>
set fortipresence-project <string>
set fortipresence-frequency <integer>
set fortipresence-rogue {enable | disable}
set fortipresence-unassoc {enable | disable}
set station-locate {enable | disable}
end
end

CLI Reference for FortiOS 5.4


Fortinet Technologies Inc.

872

Description

Configuration                         Description                                                             Default Value
name                                  WTP profile name.                                                       (Empty)
comment                               Comment.                                                                (Empty)
platform                              WTP platform.                                                           Details below
    Configuration                     Default Value
    type                              220B
wan-port-mode                         Enable/disable use of WAN port as LAN port.                             wan-only
lan                                   WTP LAN port mapping.                                                   Details below
    Configuration                     Default Value
    port-mode                         offline
    port-ssid                         (Empty)
    port1-mode                        offline
    port1-ssid                        (Empty)
    port2-mode                        offline
    port2-ssid                        (Empty)
    port3-mode                        offline
    port3-ssid                        (Empty)
    port4-mode                        offline
    port4-ssid                        (Empty)
    port5-mode                        offline
    port5-ssid                        (Empty)
    port6-mode                        offline
    port6-ssid                        (Empty)
    port7-mode                        offline
    port7-ssid                        (Empty)
    port8-mode                        offline
    port8-ssid                        (Empty)
led-state                             Enable/disable use of LEDs on WTP.                                      enable
dtls-policy                           WTP data channel DTLS policy.                                           clear-text
dtls-in-kernel                        Enable/disable data channel DTLS in kernel.                             disable
max-clients                           Maximum number of STAs supported by the WTP.
handoff-rssi                          Minimum RSSI value for handoff.                                         25
handoff-sta-thresh                    Threshold value for AP handoff.                                         30
handoff-roaming                       Enable/disable handoff when a client is roaming.                        enable
deny-mac-list                         Deny MAC filter list.                                                   (Empty)
ap-country                            AP country code.                                                        NA
ip-fragment-preventing                Prevent IP fragmentation for CAPWAP tunneled control and data packets.  tcp-mss-adjust
tun-mtu-uplink                        Uplink tunnel MTU.
tun-mtu-downlink                      Downlink tunnel MTU.
split-tunneling-acl-local-ap-subnet   Enable/disable split tunneling ACL local AP subnet.                     disable
split-tunneling-acl                   Split tunneling ACL filter list.                                        (Empty)
allowaccess                           Allow management access to managed AP.                                  (Empty)
login-passwd-change                   Configuration options for login password of managed AP.                 no
login-passwd                          Login password of managed AP.                                           (Empty)
lldp                                  Enable/disable LLDP.                                                    disable
radio-1                               Radio 1.                                                                Details below
    Configuration                     Default Value
    radio-id                          0
    mode                              ap
    band                              (Empty)
    protection-mode                   disable
    powersave-optimize                (Empty)
    transmit-optimize                 power-save aggr-limit retry-limit send-bar
    amsdu                             enable
    coexistence                       enable
    short-guard-interval              disable
    channel-bonding                   20MHz
    auto-power-level                  disable
    auto-power-high                   17
    auto-power-low                    10
    power-level                       100
    dtim                              1
    beacon-interval                   100
    rts-threshold                     2346
    frag-threshold                    2346
    ap-sniffer-bufsize                16
    ap-sniffer-chan                   36
    ap-sniffer-addr                   00:00:00:00:00:00
    ap-sniffer-mgmt-beacon            enable
    ap-sniffer-mgmt-probe             enable
    ap-sniffer-mgmt-other             enable
    ap-sniffer-ctl                    enable
    ap-sniffer-data                   enable
    spectrum-analysis                 disable
    wids-profile                      (Empty)
    darrp                             disable
    max-clients                       0
    max-distance                      0
    frequency-handoff                 disable
    ap-handoff                        disable
    vap-all                           enable
    vaps                              (Empty)
    channel                           (Empty)
radio-2                               Radio 2.                                                                Details below
    Configuration                     Default Value
    radio-id                          1
    mode                              ap
    band                              (Empty)
    protection-mode                   disable
    powersave-optimize                (Empty)
    transmit-optimize                 power-save aggr-limit retry-limit send-bar
    amsdu                             enable
    coexistence                       enable
    short-guard-interval              disable
    channel-bonding                   20MHz
    auto-power-level                  disable
    auto-power-high                   17
    auto-power-low                    10
    power-level                       100
    dtim                              1
    beacon-interval                   100
    rts-threshold                     2346
    frag-threshold                    2346
    ap-sniffer-bufsize                16
    ap-sniffer-chan                   6
    ap-sniffer-addr                   00:00:00:00:00:00
    ap-sniffer-mgmt-beacon            enable
    ap-sniffer-mgmt-probe             enable
    ap-sniffer-mgmt-other             enable
    ap-sniffer-ctl                    enable
    ap-sniffer-data                   enable
    spectrum-analysis                 disable
    wids-profile                      (Empty)
    darrp                             disable
    max-clients                       0
    max-distance                      0
    frequency-handoff                 disable
    ap-handoff                        disable
    vap-all                           enable
    vaps                              (Empty)
    channel                           (Empty)
lbs                                   Location based service.                                                 Details below
    Configuration                     Default Value
    ekahau-blink-mode                 disable
    ekahau-tag                        01:18:8e:00:00:00
    erc-server-ip                     0.0.0.0
    erc-server-port                   8569
    aeroscout                         disable
    aeroscout-server-ip               0.0.0.0
    aeroscout-server-port             0
    aeroscout-mu-factor               20
    aeroscout-mu-timeout              5
    fortipresence                     disable
    fortipresence-server              0.0.0.0
    fortipresence-port                3000
    fortipresence-secret              fortinet
    fortipresence-project             fortipresence
    fortipresence-frequency           30
    fortipresence-rogue               disable
    fortipresence-unassoc             disable
    station-locate                    disable

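As an added example (not Fortinet's code), the following Python audit parses a constructed wtp-profile dump and flags the settings from the table above that leave AP traffic in the clear: dtls-policy at its clear-text default, telnet or http in allowaccess, and login-passwd-change not set to yes. The dump, the profile names and the message wording are assumptions; the default values it fills in are the ones the table lists.

```python
# Constructed sample FortiOS 5.4 dump (not from the reference): "branch-ap" keeps the weak defaults, "hq-ap" is hardened.
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "branch-ap"
        set allowaccess telnet https
        config deny-mac-list
            edit 1
                set mac 00:11:22:33:44:55
            next
        end
    next
    edit "hq-ap"
        set dtls-policy dtls-enabled
        set allowaccess https ssh
        set login-passwd-change yes
    next
end
"""
# Defaults from the description table above; a key absent from the dump takes its default.
DEFAULTS = {"dtls-policy": "clear-text", "allowaccess": "", "login-passwd-change": "no"}

def parse_wtp_profiles(text):
    """Map profile name -> its top-level settings; nested tables (deny-mac-list, radio-1, ...) are skipped."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:                          # between entries: wait for the next edit
            if line.startswith("edit "):
                current = line[5:].strip('"')
                profiles[current] = dict(DEFAULTS)
        elif line.startswith("config "): depth += 1  # entering a nested table
        elif line == "end" and depth: depth -= 1     # leaving a nested table
        elif line == "next" and depth == 0: current = None   # end of this profile entry
        elif depth == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            profiles[current][key] = value.strip('"')
    return profiles

def audit(profiles):
    """Per profile, list settings that leave the CAPWAP data channel or AP management in the clear."""
    findings = {}
    for name, cfg in profiles.items():
        issues = findings[name] = []
        if cfg["dtls-policy"] == "clear-text":
            issues.append("CAPWAP data channel unencrypted (dtls-policy clear-text)")
        if weak := {"telnet", "http"} & set(cfg["allowaccess"].split()):
            issues.append("cleartext AP management allowed: " + ", ".join(sorted(weak)))
        if cfg["login-passwd-change"] != "yes":
            issues.append("AP login password not set (login-passwd-change %s)" % cfg["login-passwd-change"])
    return findings
```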
execute
The execute commands perform immediate operations on the FortiGate unit, including:
- Maintenance operations, such as backing up and restoring the system configuration, resetting the configuration to factory settings, updating antivirus and attack definitions, viewing and deleting log messages, and setting the date and time.
- Network operations, such as viewing and clearing DHCP leases, clearing ARP table entries, and using ping or traceroute to diagnose network problems.
- Generating certificate requests and installing certificates for VPN authentication.

backup
Back up the FortiGate configuration files, logs, or IPS user-defined signatures file to a TFTP or FTP server, USB
disk, or a management station. Management stations can either be a FortiManager unit, or FortiGuard Analysis
and Management Service. For more information, see "fortiguard" on page 1 or "central-management" on page 1.
When virtual domain configuration is enabled (in global, vdom-admin is enabled), the content of the backup file
depends on the administrator account that created it.
A backup of the system configuration from the super admin account contains the global settings and the settings
for all of the VDOMs. Only the super admin can restore the configuration from this file.
When you back up the system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM to which the administrator belongs. Only a regular administrator
account can restore the configuration from this file.

Syntax
execute backup config flash <comment>
execute backup config ftp <filename_str> <server_ipv4[:port_int] | server_fqdn[:port_
int]> [<usernam