
FortiOS - CLI Reference
VERSION 5.4.0
FORTINET DOCUMENT LIBRARY

http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com 

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK

http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER

http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: techdocs@fortinet.com

December-16-15

FortiOS - CLI Reference

01-540-99686-20151216
Change Log

Date Change Description

December 16, 2015 New FortiOS 5.4.0 release.

CLI Reference for FortiOS 5.4 3


Fortinet Technologies Inc.

Introduction

This document describes FortiOS 5.4 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI).

How this guide is organized

This document contains the following sections:

Managing Firmware with the FortiGate BIOS describes how to change firmware at the console during FortiGate
unit boot-up.

config describes the commands for each configuration branch of the FortiOS CLI. The command branches and
commands are in alphabetical order. The information in this section has been extracted and formatted from
FortiOS source code. The extracted information includes the command syntax, command descriptions (extracted
from CLI help) and default values. This is the first version of this content produced in this way. You can send
comments about this content to techdoc@fortinet.com.

execute describes execute commands.

get describes get commands.

tree describes the tree command.

Availability of commands and options

Some FortiOS™ CLI commands and options are not available on all FortiGate units. The CLI displays an error
message if you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to
verify the commands and options that are available.

Commands and options may not be available for the following reasons:

FortiGate model

Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support
the aggregate interface type option of the config system interface command.

Hardware configuration

For example, some AMC module commands are only available when an AMC module is installed.

FortiOS Carrier, FortiGate Voice, FortiWiFi, etc.

Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes
commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.


Managing Firmware with the FortiGate BIOS

FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-
based manager or by using the CLI execute restore command. From the console, you can also interrupt the
FortiGate unit’s boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.

Using the BIOS, you can:

- view system information
- format the boot device
- load firmware and reboot (see Loading firmware)
- reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see Booting the backup firmware)

Accessing the BIOS

The BIOS menu is available only through a direct connection to the FortiGate unit's Console port. During boot-up,
"Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS
menu appears. If you are too late, the boot-up process continues as usual. The menu asks for no credentials: anyone
who can reach the console port during a reboot can format the boot device or load different firmware, so physical
access to the console should be controlled as strictly as administrative access to the unit.

Navigating the menu


The main BIOS menu looks like this:
[C]: Configure TFTP parameters
[R]: Review TFTP parameters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[I]: System Information
[B]: Boot with backup firmware and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options

Enter C,R,T,F,I,B,Q,or H:
Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An
option value in square brackets at the end of the “Enter” line is the default value which you can enter simply by
pressing Return. For example,
Enter image download port number [WAN1]:
In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.

Loading firmware

The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface.
You need to know the IP address of the server and the name of the firmware file to download. TFTP provides no
authentication or encryption, so run the server on a host connected directly to the chosen port (or on an isolated
segment) only for the duration of the transfer, and verify the image file's checksum against the value published
with the download on the Fortinet support site before serving it.


The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the
downloaded firmware without saving it.

Configuring TFTP parameters


Starting from the main BIOS menu
[C]: Configure TFTP parameters.

Selecting the VLAN (if VLANs are used)


[V]: Set local VLAN ID.

Choose port and whether to use DHCP


[P]: Set firmware download port.
The options listed depend on the FortiGate model. Choose the network interface through which the TFTP
server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP
If there is a DHCP server on the network, select [1]. This simplifies configuration. Otherwise, select [2].

Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [192.168.1.188]:
This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same
subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:
[G]: Set local gateway.

The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the
FortiGate unit is connected.

TFTP and filename


[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:
[F]: Set firmware file name.
Enter firmware file name [image.out]:
Enter [Q] to return to the main menu.

Initiating TFTP firmware transfer


Starting from the main BIOS menu
[T]: Initiate TFTP firmware transfer.


Please connect TFTP server to Ethernet port 'WAN1'.

MAC: 00:09:0f:b5:55:28

Connect to tftp server 192.168.1.145 ...

##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the
firmware is copied:
Programming the boot device now.
................................................................
................................................................

Booting the backup firmware

You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.

Starting from the main BIOS menu


[B]: Boot with backup firmware and set as default.
If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press ‘Y’ or ‘y’ to boot default image.


config

Use the config commands to change your FortiGate's configuration.

The command branches and commands are in alphabetical order. The information in this section has been
extracted and formatted from FortiOS source code. The extracted information includes the command syntax,
command descriptions (extracted from CLI help) and default values. This is the first version of this content
produced in this way. You can send comments about this content to techdoc@fortinet.com

alertemail/setting
CLI Syntax
config alertemail setting
edit <name_str>
set username <string>
set mailto1 <string>
set mailto2 <string>
set mailto3 <string>
set filter-mode {category | threshold}
set email-interval <integer>
set IPS-logs {enable | disable}
set firewall-authentication-failure-logs {enable | disable}
set HA-logs {enable | disable}
set IPsec-errors-logs {enable | disable}
set FDS-update-logs {enable | disable}
set PPP-errors-logs {enable | disable}
set sslvpn-authentication-errors-logs {enable | disable}
set antivirus-logs {enable | disable}
set webfilter-logs {enable | disable}
set configuration-changes-logs {enable | disable}
set violation-traffic-logs {enable | disable}
set admin-login-logs {enable | disable}
set FDS-license-expiring-warning {enable | disable}
set log-disk-usage-warning {enable | disable}
set fortiguard-log-quota-warning {enable | disable}
set amc-interface-bypass-mode {enable | disable}
set FIPS-CC-errors {enable | disable}
set FDS-license-expiring-days <integer>
set local-disk-usage <integer>
set emergency-interval <integer>
set alert-interval <integer>
set critical-interval <integer>
set error-interval <integer>
set warning-interval <integer>
set notification-interval <integer>
set information-interval <integer>
set debug-interval <integer>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
end

Description
Configuration Description Default Value

username Email from address. (Empty)

mailto1 Destination email address 1. (Empty)

mailto2 Destination email address 2. (Empty)

mailto3 Destination email address 3. (Empty)

filter-mode Filter mode. category

email-interval Interval between each email. 5

IPS-logs Enable/disable IPS Logs. disable

firewall-authentication-failure-logs Enable/disable logging of firewall authentication failures. disable

HA-logs Enable/disable HA Logs. disable

IPsec-errors-logs Enable/disable IPsec errors logs. disable

FDS-update-logs Enable/disable FortiGuard update logs. disable

PPP-errors-logs Enable/disable PPP errors logs. disable

sslvpn-authentication-errors-logs Enable/disable logging of SSL-VPN authentication errors. disable

antivirus-logs Enable/disable antivirus logs. disable

webfilter-logs Enable/disable web filter logging. disable

configuration-changes-logs Enable/disable logging of configuration changes. disable

violation-traffic-logs Enable/disable logging of violation traffic. disable

admin-login-logs Enable/disable logging of administrator logins/logouts. disable

FDS-license-expiring-warning Enable/disable FortiGuard license expiration warning. disable

log-disk-usage-warning Enable/disable logging of disk usage warning. disable

fortiguard-log-quota-warning Enable/disable warning of FortiCloud log quota. disable

amc-interface-bypass-mode Enable/disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode. disable

FIPS-CC-errors Enable/disable FIPS and Common Criteria errors. disable

FDS-license-expiring-days Number of days before FortiGuard license expiration at which to send the alert email (1 - 100 days). 15

local-disk-usage Disk usage percentage at which to send the alert email (1 - 99 percent). 75

emergency-interval Emergency alert interval in minutes. 1

alert-interval Alert alert interval in minutes. 2

critical-interval Critical alert interval in minutes. 3

error-interval Error alert interval in minutes. 5

warning-interval Warning alert interval in minutes. 10

notification-interval Notification alert interval in minutes. 20

information-interval Information alert interval in minutes. 30

debug-interval Debug alert interval in minutes. 60

severity Lowest severity level to log. alert
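As an added example (not taken from the original reference), the following enables the alert categories a security team normally wants mailed out. Every category defaults to disable, so a freshly configured unit mails nothing until they are switched on. The sender and recipient addresses are placeholders, and the SMTP relay itself is configured elsewhere (config system email-server, outside this section). alertemail setting is a single global table, so in the running CLI it is entered directly with set rather than through an edit step.

```fortios
# Added example: mail security-relevant events to the SOC mailbox.
# Placeholder addresses: fortigate-alerts@example.com, soc@example.com, oncall@example.com.
config alertemail setting
    set username "fortigate-alerts@example.com"
    set mailto1 "soc@example.com"
    set mailto2 "oncall@example.com"
    # category mode: the per-category switches below decide what is mailed
    set filter-mode category
    # minimum gap in minutes between messages
    set email-interval 5
    # administrative activity and authentication failures
    set admin-login-logs enable
    set configuration-changes-logs enable
    set firewall-authentication-failure-logs enable
    set sslvpn-authentication-errors-logs enable
    # security engines and HA state
    set IPS-logs enable
    set antivirus-logs enable
    set IPsec-errors-logs enable
    set HA-logs enable
    # operational warnings that silently weaken protection if ignored
    set FDS-update-logs enable
    set FDS-license-expiring-warning enable
    set FDS-license-expiring-days 30
    set log-disk-usage-warning enable
    set local-disk-usage 85
end
```

If the relay rate-limits, raise email-interval rather than dropping categories. The severity field and the per-severity *-interval settings are used in threshold mode instead of the category switches, so they have no effect in the category mode shown here.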

antivirus/heuristic
CLI Syntax
config antivirus heuristic
edit <name_str>
set mode {pass | block | disable}
end

Description
Configuration Description Default Value

mode Mode to use for heuristics. disable

antivirus/profile
CLI Syntax
config antivirus profile
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set inspection-mode {proxy | flow-based}
set ftgd-analytics {disable | suspicious | everything}
set analytics-max-upload <integer>
set analytics-wl-filetype <integer>
set analytics-bl-filetype <integer>
set analytics-db {disable | enable}
set mobile-malware-db {disable | enable}
config http
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config ftp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config imap
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config pop3
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config smtp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config mapi
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
set executables {default | virus}
end
config nntp
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config smb
edit <name_str>
set options {scan | avmonitor | avquery | quarantine}
set archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}
set emulator {enable | disable}
end
config nac-quar
edit <name_str>
set infected {none | quar-src-ip | quar-interface}
set expiry <user>
set log {enable | disable}
end
set av-virus-log {enable | disable}
set av-block-log {enable | disable}
set scan-mode {quick | full}
end

Description
Configuration Description Default Value

name Profile name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

inspection-mode Inspection mode. flow-based

ftgd-analytics Submit suspicious or supposedly clean files to FortiSandbox. disable

analytics-max-upload Maximum upload size to FortiSandbox (in MB). 10

analytics-wl-filetype Do not submit files matching this file-pattern table to the FortiSandbox. 0

analytics-bl-filetype Only submit files matching this file-pattern table to the FortiSandbox. 0

analytics-db Use signature database from FortiSandbox to supplement the AV signature databases. disable

mobile-malware-db Use mobile malware signature database. enable

http HTTP. Details below

Configuration Default Value


options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable

ftp FTP. Details below

Configuration Default Value


options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable

imap IMAP. Details below

Configuration Default Value
options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable
executables default

pop3 POP3. Details below

Configuration Default Value


options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable
executables default

smtp SMTP. Details below

Configuration Default Value


options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable
executables default

mapi MAPI. Details below

Configuration Default Value


options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable
executables default

nntp NNTP. Details below

Configuration Default Value


options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable

smb SMB. Details below

Configuration Default Value
options (Empty)
archive-block (Empty)
archive-log (Empty)
emulator enable

nac-quar Quarantine settings. Details below

Configuration Default Value


infected none
expiry 5m
log disable

av-virus-log Enable/disable logging for antivirus scanning. enable

av-block-log Enable/disable logging for antivirus file blocking. enable

scan-mode Choose between full scan mode and quick scan mode. full

antivirus/quarantine
CLI Syntax
config antivirus quarantine
edit <name_str>
set agelimit <integer>
set maxfilesize <integer>
set quarantine-quota <integer>
set drop-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-infected {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-blocked {imap | smtp | pop3 | http | ftp | nntp | imaps | smtps | pop3s | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set drop-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set store-heuristic {imap | smtp | pop3 | http | ftp | im | nntp | imaps | smtps | pop3s | https | ftps | mapi | mm1 | mm3 | mm4 | mm7}
set lowspace {drop-new | ovrw-old}
set destination {NULL | disk | FortiAnalyzer}
end

Description
Configuration Description Default Value

agelimit Age limit for quarantined files. 0

maxfilesize Maximum file size to quarantine. 0

quarantine-quota Quarantine quota. 0

drop-infected Ignore infected files from a protocol. (Empty)

store-infected Quarantine infected files from a protocol. imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi

drop-blocked Drop blocked files from a protocol. (Empty)

store-blocked Quarantine blocked files from a protocol. imap smtp pop3 http ftp nntp imaps smtps pop3s ftps mapi

drop-heuristic Ignore heuristically caught files from a protocol. (Empty)

store-heuristic Quarantine heuristically caught files from a protocol. imap smtp pop3 http ftp nntp imaps smtps pop3s https ftps mapi

lowspace Action when the disk is almost full. ovrw-old

destination Quarantine destination: disk/FortiAnalyzer. disk

antivirus/settings
CLI Syntax
config antivirus settings
edit <name_str>
set default-db {normal | extended | extreme}
set grayware {enable | disable}
end

Description
Configuration Description Default Value

default-db Select AV database to be used for AV scanning. extended

grayware Enable/disable detection of grayware. disable
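An added example covering the antivirus profile, antivirus quarantine and antivirus settings tables above (it is not part of the original reference). It shows a proxy-mode profile that quarantines rather than merely logs, blocks the archive classes the scanner cannot open, treats executables arriving by mail as malware, submits suspicious files to FortiSandbox (assumes a FortiSandbox is already configured under config system fortisandbox, outside this section), and quarantines the source IP of an infected client for one hour. The name "strict-av" is a placeholder. In the running CLI the protocol sub-tables (config http, config smtp, ...) and config nac-quar take set directly without an edit step, and each edit is closed with next; the generated syntax listing above does not show that. The profile is enforced only once a firewall policy references it as its av-profile, which is configured outside this section.

```fortios
# Added example: strict antivirus settings, quarantine storage, and a proxy-mode profile.
config antivirus settings
    # extended signature database plus grayware detection (grayware is off by default)
    set default-db extended
    set grayware enable
end

config antivirus quarantine
    set destination disk
    # agelimit and size fields; units (hours / MB) are assumed, the table above does not state them
    set agelimit 168
    set maxfilesize 20
    set quarantine-quota 2048
    # when the quota fills, stop storing new samples rather than overwrite existing evidence
    set lowspace drop-new
end

config antivirus profile
    edit "strict-av"
        set comment "Quarantine, block unscannable archives, sandbox suspicious files"
        # proxy mode buffers the whole object before the verdict
        set inspection-mode proxy
        set ftgd-analytics suspicious
        set analytics-db enable
        set scan-mode full
        set av-virus-log enable
        set av-block-log enable
        config http
            set options scan quarantine
            set archive-block encrypted corrupted mailbomb nested unhandled
            set archive-log encrypted corrupted multipart nested mailbomb unhandled
            set emulator enable
        end
        config ftp
            set options scan quarantine
            set archive-block encrypted corrupted mailbomb nested unhandled
            set archive-log encrypted corrupted multipart nested mailbomb unhandled
            set emulator enable
        end
        config smtp
            set options scan quarantine
            set archive-block encrypted corrupted mailbomb nested unhandled
            set archive-log encrypted corrupted multipart nested mailbomb unhandled
            set emulator enable
            # treat Windows executables received by mail as malware
            set executables virus
        end
        config imap
            set options scan quarantine
            set archive-block encrypted corrupted mailbomb nested unhandled
            set emulator enable
            set executables virus
        end
        config pop3
            set options scan quarantine
            set archive-block encrypted corrupted mailbomb nested unhandled
            set emulator enable
            set executables virus
        end
        config nac-quar
            # ban the source IP of an infected host for one hour and log the ban
            set infected quar-src-ip
            set expiry 1h
            set log enable
        end
    next
end
```

Blocking encrypted archives breaks legitimate password-protected attachments; run with archive-log first and add encrypted to archive-block only after reviewing what would be affected. quar-src-ip bans a whole NATed office if it sits behind one address, so keep the expiry short. options avmonitor would log detections without blocking them, which is the right first step on a production path you have not yet profiled.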

application/custom
CLI Syntax
config application custom
edit <name_str>
set tag <string>
set name <string>
set id <integer>
set comment <string>
set signature <string>
set category <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
end

Description
Configuration Description Default Value

tag Signature tag. (Empty)

name Application name. (Empty)

id Application ID. 0

comment Comment. (Empty)

signature Signature text. (Empty)

category Application category ID. 0

protocol Application protocol. (Empty)

technology Application technology. (Empty)

behavior Application behavior. (Empty)

vendor Application vendor. (Empty)

application/list
CLI Syntax
config application list
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set other-application-action {pass | block}
set app-replacemsg {disable | enable}
set other-application-log {disable | enable}
set unknown-application-action {pass | block}
set unknown-application-log {disable | enable}
set p2p-black-list {skype | edonkey | bittorrent}
set deep-app-inspection {disable | enable}
set options {allow-dns | allow-icmp | allow-http | allow-ssl}
config entries
edit <name_str>
set id <integer>
config risk
edit <name_str>
set level <integer>
end
config category
edit <name_str>
set id <integer>
end
config sub-category
edit <name_str>
set id <integer>
end
config application
edit <name_str>
set id <integer>
end
set protocols <user>
set vendor <user>
set technology <user>
set behavior <user>
set popularity {1 | 2 | 3 | 4 | 5}
config tags
edit <name_str>
set name <string>
end
config parameters
edit <name_str>
set id <integer>
set value <string>
end
set action {pass | block | reset}
set log {disable | enable}
set log-packet {disable | enable}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
set session-ttl <integer>
set shaper <string>
set shaper-reverse <string>
set per-ip-shaper <string>
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
end

Description
Configuration Description Default Value

name List name. (Empty)

comment comments (Empty)

replacemsg-group Replacement message group. (Empty)

other-application-action Action for other applications. pass

app-replacemsg Enable/disable replacement messages for blocked applications. enable

other-application-log Enable/disable logging of other applications. disable

unknown-application-action Action for unknown applications. pass

unknown-application-log Enable/disable logging of unknown applications. disable

p2p-black-list P2P applications to black list. (Empty)

deep-app-inspection Enable/disable deep application inspection. disable

options Options. allow-dns

entries Application list entries. (Empty)
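An added example for the application list table above (not part of the original reference). It blocks every signature Fortinet rates at the highest risk level, applies a rate-based reset and source quarantine to the next level down, black-lists the three P2P clients the table offers, and logs everything it does not recognise instead of silently passing it. The list name is a placeholder. Risk levels run 1 to 5 in FortiOS, 5 being the most severe; that mapping is assumed here, and the risk sub-table is keyed by level, so edit 5 selects level 5. The list is enforced only once a firewall policy references it as its application-list, which is outside this section.

```fortios
# Added example: application control list that blocks high-risk apps and logs the unknown.
config application list
    edit "block-high-risk"
        set comment "Block risk-5 apps, rate-limit risk-4, log unknown, ban P2P"
        set app-replacemsg enable
        # anything not matched by an entry passes, but is logged so the list can be tuned
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log enable
        set p2p-black-list skype edonkey bittorrent
        # needed for signatures that must see the whole session
        set deep-app-inspection enable
        config entries
            edit 1
                # every signature at the highest risk level (5 = critical, assumed)
                config risk
                    edit 5
                    next
                end
                set action block
                set log enable
                set log-packet enable
            next
            edit 2
                # risk-4 signatures: reset the session and quarantine the source
                # once it triggers more than 50 hits within 60 seconds
                config risk
                    edit 4
                    next
                end
                set action reset
                set rate-count 50
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                set quarantine attacker
                set quarantine-expiry 30m
                set quarantine-log enable
                set log enable
            next
        end
    next
end
```

Matching by risk level picks up signatures added by later FortiGuard updates automatically, which a fixed list of application IDs would not. Review the unknown-application log for a while before changing unknown-application-action to block: anything using a proprietary or newly released protocol lands there.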

application/name
CLI Syntax
config application name
edit <name_str>
set name <string>
set id <integer>
set category <integer>
set sub-category <integer>
set popularity <integer>
set risk <integer>
set protocol <user>
set technology <user>
set behavior <user>
set vendor <user>
set parameter <string>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end

Description
Configuration Description Default Value

name Application name. (Empty)

id Application ID. 0

category Application category ID. 0

sub-category Application sub-category ID. 0

popularity Application popularity. 0

risk Application risk. 0

protocol Application protocol. (Empty)

technology Application technology. (Empty)

behavior Application behavior. (Empty)

vendor Application vendor. (Empty)

parameter Application parameter name. (Empty)

metadata Meta data. (Empty)

application/rule-settings
CLI Syntax
config application rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

id Rule ID. 0

tags Applied object tags. (Empty)

certificate/ca
CLI Syntax
config certificate ca
edit <name_str>
set name <string>
set ca <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set trusted {enable | disable}
set scep-url <string>
set auto-update-days <integer>
set auto-update-days-warning <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

name Name. (Empty)

ca CA certificate. (Empty)

range CA certificate range. global

source CA certificate source. user

trusted Enable/disable trusted CA. enable

scep-url URL of SCEP server. (Empty)

auto-update-days Days to auto-update before expired, 0=disabled. 0

auto-update-days-warning Days to send warning before auto-update (0=disabled). 0

source-ip Source IP for communications to SCEP server. 0.0.0.0

certificate/crl
CLI Syntax
config certificate crl
edit <name_str>
set name <string>
set crl <user>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set update-vdom <string>
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set http-url <string>
set scep-url <string>
set scep-cert <string>
set update-interval <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

name Name. (Empty)

crl Certificate Revocation List. (Empty)

range CRL range. global

source CRL source. user

update-vdom Virtual domain for CRL update. root

ldap-server LDAP server. (Empty)

ldap-username Login name for LDAP server. (Empty)

ldap-password Login password for LDAP server. (Empty)

http-url URL of HTTP server for CRL update. (Empty)

scep-url URL of CA server for CRL update via SCEP. (Empty)

scep-cert Local certificate used for CRL update via SCEP. Fortinet_CA_SSL

update-interval Seconds between updates, 0=disabled. 0

source-ip Source IP for communications to CA (HTTP/SCEP) server. 0.0.0.0

certificate/local
CLI Syntax
config certificate local
edit <name_str>
set name <string>
set password <password>
set comments <string>
set private-key <user>
set certificate <user>
set csr <user>
set state <user>
set scep-url <string>
set range {global | vdom}
set source {factory | user | bundle | fortiguard}
set auto-regenerate-days <integer>
set auto-regenerate-days-warning <integer>
set scep-password <password>
set ca-identifier <string>
set name-encoding {printable | utf8}
set source-ip <ipv4-address>
set ike-localid <string>
set ike-localid-type {asn1dn | fqdn}
end

Description
Configuration Description Default Value

name Name. (Empty)

password Password. (Empty)

comments Comment. (Empty)

private-key Private key. (Empty)

certificate Certificate. (Empty)

csr Certificate Signing Request. (Empty)

state Certificate Signing Request State. (Empty)

scep-url URL of SCEP server. (Empty)

range Certificate range. global

source Certificate source. user

auto-regenerate-days Days to auto-regenerate before expired, 0=disabled. 0

auto-regenerate-days-warning Days to send warning before auto-regeneration, 0=disabled. 0

scep-password SCEP server challenge password for auto-regeneration. (Empty)

ca-identifier CA identifier of the CA server for signing via SCEP. (Empty)

name-encoding Name encoding for auto-regeneration. printable

source-ip Source IP for communications to SCEP server. 0.0.0.0

ike-localid IKE local ID. (Empty)

ike-localid-type IKE local ID type. asn1dn
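An added example for the certificate crl and certificate local tables above (not part of the original reference). Both refresh mechanisms default to 0, which means disabled: a CRL imported once is never refreshed, and a local certificate is never renewed, unless these fields are set. The URLs, names, addresses and the SCEP challenge are placeholders, and the certificate and key material themselves are imported separately (GUI or execute vpn certificate commands, not covered in this section); the block shows only the lifecycle fields.

```fortios
# Added example: keep revocation data fresh and renew the device certificate via SCEP.
config certificate crl
    edit "corp-issuing-ca-crl"
        set range global
        # fetch the CRL from the CA's HTTP distribution point once a day;
        # update-interval is in seconds, and 0 would leave the CRL static
        set http-url "http://pki.example.com/crl/corp-issuing-ca.crl"
        set update-interval 86400
        set update-vdom root
        # placeholder: pin the address used to reach the CA on multi-homed units
        set source-ip 10.0.0.1
    next
end

config certificate local
    edit "fgt-admin-cert"
        set comments "Admin GUI / SSL-VPN certificate enrolled via SCEP"
        set range global
        set scep-url "http://pki.example.com/certsrv/mscep/mscep.dll"
        set ca-identifier "Corp-Issuing-CA"
        # challenge password presented to the SCEP server at renewal; placeholder value
        set scep-password "CHANGEME-scep-challenge"
        # renew 30 days before expiry and warn 7 days before the renewal
        set auto-regenerate-days 30
        set auto-regenerate-days-warning 7
        set name-encoding utf8
        set source-ip 10.0.0.1
    next
end
```

A CRL over plain HTTP is the normal distribution-point pattern: the CRL is signed by the CA, so the transport does not need to be authenticated. A broken URL, however, produces no traffic and nothing to block, so confirm after the first interval that the CRL has actually refreshed. The SCEP challenge password is stored in the configuration, which makes configuration backups sensitive.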

dlp/filepattern
CLI Syntax
config dlp filepattern
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set filter-type {pattern | type}
set pattern <string>
set file-type {7z | arj | cab | lzh | rar | tar | zip | bzip | gzip | bzip2 | xz | bat | msc | uue | mime | base64 | binhex | bin | elf | exe | hta | html | jad | class | cod | javascript | msoffice | msofficex | fsg | upx | petite | aspack | prc | sis | hlp | activemime | jpeg | gif | tiff | png | bmp | ignored | unknown | mpeg | mov | mp3 | wma | wav | pdf | avi | rm | torrent | hibun}
end
end

Description
Configuration Description Default Value

id ID. 0

name Name of table. (Empty)

comment Comment. (Empty)

entries Configure file patterns used by DLP blocking. (Empty)

dlp/fp-doc-source
CLI Syntax
config dlp fp-doc-source
edit <name_str>
set name <string>
set server-type {samba}
set server <string>
set period {none | daily | weekly | monthly}
set vdom {mgmt | current}
set scan-subdirectories {enable | disable}
set scan-on-creation {enable | disable}
set remove-deleted {enable | disable}
set keep-modified {enable | disable}
set username <string>
set password <password>
set file-path <string>
set file-pattern <string>
set sensitivity <string>
set tod-hour <integer>
set tod-min <integer>
set weekday {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set date <integer>
end

Description
Configuration Description Default Value

name Document source name. (Empty)

server-type Server type (Samba/CIFS file share). samba

server Server address (IPv4 or IPv6). (Empty)

period Select periodic server checking. none

vdom Select source on management or current VDOM. mgmt

scan-subdirectories Enable/disable scanning of subdirectories. enable

scan-on-creation Enable/disable forcing a scan of the server when the document source is created or edited. enable

remove-deleted Enable/disable removing chunks of files deleted from the server. enable

keep-modified Enable/disable retaining old chunks of modified files. enable

username Login username. (Empty)

password Login password. (Empty)

file-path File path on server. (Empty)

file-pattern File patterns to fingerprint (wildcard). *

sensitivity DLP fingerprint sensitivity defined for these files. (Empty)

tod-hour Time of day to run scans (hour part, 24 hour clock). 1

tod-min Time of day to run scans (min). 0

weekday Day of week to run scans. sunday

date Date within a month to run scans. 1

dlp/fp-sensitivity
CLI Syntax
config dlp fp-sensitivity
edit <name_str>
set name <string>
end

Description
Configuration Description Default Value

name DLP Sensitivity Levels. (Empty)

dlp/sensor
CLI Syntax
config dlp sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
config filter
edit <name_str>
set id <integer>
set name <string>
set severity {info | low | medium | high | critical}
set type {file | message}
set proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
set filter-by {credit-card | ssn | regexp | file-type | file-size | fingerprint | watermark | encrypted}
set file-size <integer>
set company-identifier <string>
config fp-sensitivity
edit <name_str>
set name <string>
end
set match-percentage <integer>
set file-type <integer>
set regexp <string>
set archive {disable | enable}
set action {allow | log-only | block | ban | quarantine-ip | quarantine-port}
set expiry <user>
end
set dlp-log {enable | disable}
set nac-quar-log {enable | disable}
set flow-based {enable | disable}
set options {}
set full-archive-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
set summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | aim | icq | msn | yahoo | mapi | mm1 | mm3 | mm4 | mm7}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Name. | (Empty) |
| comment | Comment. | (Empty) |
| replacemsg-group | Replacement message group. | (Empty) |
| filter | Configure DLP filters. | (Empty) |
| dlp-log | Enable/disable logging for data leak prevention. | enable |
| nac-quar-log | Enable/disable logging for NAC quarantine creation. | disable |
| flow-based | Enable/disable flow-based data leak prevention. | disable |
| options | Options. | |
| full-archive-proto | Protocols to always content archive. | (Empty) |
| summary-proto | Protocols to always log summary. | (Empty) |

dlp/settings
CLI Syntax
config dlp settings
edit <name_str>
set storage-device <string>
set size <integer>
set db-mode {stop-adding | remove-modified-then-oldest | remove-oldest}
set cache-mem-percent <integer>
set chunk-size <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| storage-device | Storage name. | (Empty) |
| size | Maximum total size of files within the storage (MB). | 16 |
| db-mode | Method of maintaining database size. | stop-adding |
| cache-mem-percent | Maximum percentage of available memory allocated to caching (1 - 15%). | 2 |
| chunk-size | Maximum fingerprint chunk size. **Changing will flush the entire database**. | 2800 |

dnsfilter/profile
CLI Syntax
config dnsfilter profile
edit <name_str>
set name <string>
set comment <var-string>
config urlfilter
edit <name_str>
set urlfilter-table <integer>
end
config ftgd-dns
edit <name_str>
set options {error-allow | ftgd-disable}
config filters
edit <name_str>
set id <integer>
set category <integer>
set action {block | monitor}
set log {enable | disable}
end
end
set log-all-url {enable | disable}
set block-action {block | redirect}
set redirect-portal <ipv4-address>
set block-botnet {disable | enable}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Profile name. | (Empty) |
| comment | Comment. | (Empty) |
| urlfilter | URL filter settings. | Details below |
| ftgd-dns | FortiGuard DNS Filter settings. | Details below |
| log-all-url | Enable/disable logging of all URLs visited. | disable |
| block-action | Action to take for blocked domains. | redirect |
| redirect-portal | IP address of the SDNS portal. | 0.0.0.0 |
| block-botnet | Enable/disable blocking of botnet C&C. | disable |

urlfilter sub-options:

| Configuration | Default Value |
|---|---|
| urlfilter-table | 0 |

ftgd-dns sub-options:

| Configuration | Default Value |
|---|---|
| options | (Empty) |
| filters | (Empty) |

dnsfilter/urlfilter
CLI Syntax
config dnsfilter urlfilter
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set id <integer>
set url <string>
set type {simple | regex | wildcard}
set action {block | allow | monitor}
set status {enable | disable}
end
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| id | ID. | 0 |
| name | Name of table. | (Empty) |
| comment | Comment. | (Empty) |
| entries | DNS URL filter. | (Empty) |
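As an added example (not from the reference and not Fortinet's own configuration), the dnsfilter profile and urlfilter objects above used together: a local DNS URL filter table referenced from a profile that also blocks botnet C&C lookups and logs every query. The table ID, profile name and domains are constructed, and list entries are selected by their numeric ID rather than the `<name_str>` shown in the syntax listing.

```fortios
# Added example, not from the reference. Domains, IDs and names are
# constructed sample values.

# 1. A local DNS URL filter table: one domain blocked outright, one
#    wildcard domain only monitored (logged) so it shows up in reports.
config dnsfilter urlfilter
    edit 1
        set name "local-dns-blocklist"
        set comment "Constructed example entries"
        config entries
            edit 1
                set url "malware-example.test"
                set type simple
                set action block
                set status enable
            next
            edit 2
                set url "*.shadow-it-example.test"
                set type wildcard
                set action monitor
                set status enable
            next
        end
    next
end

# 2. A profile that references table 1, blocks botnet C&C lookups
#    (default is disable), answers blocked queries with the redirect
#    action, and logs all resolved URLs (default is disable).
config dnsfilter profile
    edit "dns-hardened"
        set comment "Constructed example profile"
        config urlfilter
            set urlfilter-table 1
        end
        set block-botnet enable
        set block-action redirect
        set log-all-url enable
    next
end
```

The profile takes effect only once it is referenced from a firewall policy (`set dnsfilter-profile`), which is documented under the firewall policy object rather than on this page.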

endpoint-control/client
CLI Syntax
config endpoint-control client
edit <name_str>
set id <integer>
set ftcl-uid <string>
set src-ip <ipv4-address-any>
set src-mac <mac-address>
set info <user>
set ad-groups <var-string>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| id | Endpoint client ID. | 0 |
| ftcl-uid | Endpoint FortiClient UID. | (Empty) |
| src-ip | Endpoint client IP address. | 0.0.0.0 |
| src-mac | Endpoint client MAC address. | 00:00:00:00:00:00 |
| info | Endpoint client information. | (Empty) |
| ad-groups | Endpoint client AD logon groups. | (Empty) |

endpoint-control/forticlient-registration-sync
CLI Syntax
config endpoint-control forticlient-registration-sync
edit <name_str>
set peer-name <string>
set peer-ip <ipv4-address>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| peer-name | Peer name. | (Empty) |
| peer-ip | Peer connecting IP. | 0.0.0.0 |

endpoint-control/profile
CLI Syntax
config endpoint-control profile
edit <name_str>
set profile-name <string>
config forticlient-winmac-settings
edit <name_str>
set view-profile-details {enable | disable}
set forticlient-av {enable | disable}
set av-realtime-protection {enable | disable}
set scan-download-file {enable | disable}
set sandbox-scan {enable | disable}
set sandbox-address <string>
set wait-sandbox-result {enable | disable}
set use-sandbox-signature {enable | disable}
set block-malicious-website {enable | disable}
set block-attack-channel {enable | disable}
set av-scheduled-scan {enable | disable}
set av-scan-type {quick | full | custom}
set av-scan-folder <string>
set av-scan-schedule {daily | weekly | monthly}
set av-scan-day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set av-scan-day-of-month <integer>
set av-scan-time <user>
config av-scan-exclusions
edit <name_str>
set id <integer>
set type {file | folder}
set name <string>
end
set forticlient-application-firewall {enable | disable}
set forticlient-application-firewall-list <string>
set monitor-unknown-application {enable | disable}
set install-ca-certificate {enable | disable}
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vuln-scan {enable | disable}
set forticlient-vuln-scan-schedule {daily | weekly | monthly}
set forticlient-vuln-scan-on-registration {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set disable-unregister-option {enable | disable}
set forticlient-log-upload {enable | disable}
set forticlient-log-upload-server <string>
set forticlient-log-ssl-upload {enable | disable}
set forticlient-log-upload-schedule {hourly | daily}
set forticlient-update-from-fmg {enable | disable}
config forticlient-update-server
edit <name_str>
set name <string>
end
set forticlient-update-failover-to-fdn {enable | disable}
set forticlient-settings-lock {enable | disable}
set forticlient-settings-lock-passwd <password>
set auto-vpn-when-off-net {enable | disable}
set auto-vpn-name <user>
set client-log-when-on-net {enable | disable}
set forticlient-ad {enable | disable}
set fsso-ma {enable | disable}
set fsso-ma-server <string>
set fsso-ma-psk <password>
set allow-personal-vpn {enable | disable}
set disable-user-disconnect {enable | disable}
set vpn-before-logon {enable | disable}
set vpn-captive-portal {enable | disable}
set forticlient-ui-options {av | wf | af | vpn | vs}
set forticlient-advanced-cfg {enable | disable}
set forticlient-advanced-cfg-buffer <var-string>
config extra-buffer-entries
edit <name_str>
set id <integer>
set buffer <var-string>
end
end
config forticlient-android-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set forticlient-vpn-provisioning {enable | disable}
set forticlient-advanced-vpn {enable | disable}
set forticlient-advanced-vpn-buffer <var-string>
config forticlient-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
end
config forticlient-ios-settings
edit <name_str>
set forticlient-wf {enable | disable}
set forticlient-wf-profile <string>
set disable-wf-when-protected {enable | disable}
set client-vpn-provisioning {enable | disable}
config client-vpn-settings
edit <name_str>
set name <string>
set type {ipsec | ssl}
set vpn-configuration-name <string>
set vpn-configuration-content <var-string>
set remote-gw <string>
set sslvpn-access-port <integer>
set sslvpn-require-certificate {enable | disable}
set auth-method {psk | certificate}
set preshared-key <password>
end
set distribute-configuration-profile {enable | disable}
set configuration-name <string>
set configuration-content <var-string>
end
set description <var-string>
config src-addr
edit <name_str>
set name <string>
end
config device-groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config user-groups
edit <name_str>
set name <string>
end
config on-net-addr
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| profile-name | Profile name. | (Empty) |
| forticlient-winmac-settings | FortiClient settings for Windows/Mac platform. | Details below |
| forticlient-android-settings | FortiClient settings for Android platform. | Details below |
| forticlient-ios-settings | FortiClient settings for iOS platform. | Details below |
| description | Description. | (Empty) |
| src-addr | Source addresses. | (Empty) |
| device-groups | Device groups. | (Empty) |
| users | Users. | (Empty) |
| user-groups | User groups. | (Empty) |
| on-net-addr | Addresses for on-net detection. | (Empty) |
| replacemsg-override-group | Specify endpoint control replacement message override group. | (Empty) |

forticlient-winmac-settings sub-options:

| Configuration | Default Value |
|---|---|
| view-profile-details | enable |
| forticlient-av | enable |
| av-realtime-protection | enable |
| scan-download-file | enable |
| sandbox-scan | disable |
| sandbox-address | (Empty) |
| wait-sandbox-result | disable |
| use-sandbox-signature | disable |
| block-malicious-website | disable |
| block-attack-channel | disable |
| av-scheduled-scan | disable |
| av-scan-type | quick |
| av-scan-folder | (Empty) |
| av-scan-schedule | daily |
| av-scan-day-of-week | sunday |
| av-scan-day-of-month | 0 |
| av-scan-time | 00:00 |
| av-scan-exclusions | (Empty) |
| forticlient-application-firewall | disable |
| forticlient-application-firewall-list | (Empty) |
| monitor-unknown-application | disable |
| install-ca-certificate | disable |
| forticlient-wf | enable |
| forticlient-wf-profile | default |
| disable-wf-when-protected | enable |
| forticlient-vuln-scan | disable |
| forticlient-vuln-scan-schedule | monthly |
| forticlient-vuln-scan-on-registration | enable |
| forticlient-vpn-provisioning | disable |
| forticlient-advanced-vpn | disable |
| forticlient-advanced-vpn-buffer | (Empty) |
| forticlient-vpn-settings | (Empty) |
| disable-unregister-option | disable |
| forticlient-log-upload | disable |
| forticlient-log-upload-server | (Empty) |
| forticlient-log-ssl-upload | enable |
| forticlient-log-upload-schedule | daily |
| forticlient-update-from-fmg | disable |
| forticlient-update-server | (Empty) |
| forticlient-update-failover-to-fdn | enable |
| forticlient-settings-lock | disable |
| forticlient-settings-lock-passwd | (Empty) |
| auto-vpn-when-off-net | disable |
| auto-vpn-name | (Empty) |
| client-log-when-on-net | disable |
| forticlient-ad | disable |
| fsso-ma | disable |
| fsso-ma-server | (Empty) |
| fsso-ma-psk | (Empty) |
| allow-personal-vpn | enable |
| disable-user-disconnect | disable |
| vpn-before-logon | disable |
| vpn-captive-portal | disable |
| forticlient-ui-options | av wf vpn |
| forticlient-advanced-cfg | disable |
| forticlient-advanced-cfg-buffer | (Empty) |
| extra-buffer-entries | (Empty) |

forticlient-android-settings sub-options:

| Configuration | Default Value |
|---|---|
| forticlient-wf | disable |
| forticlient-wf-profile | (Empty) |
| disable-wf-when-protected | enable |
| forticlient-vpn-provisioning | disable |
| forticlient-advanced-vpn | disable |
| forticlient-advanced-vpn-buffer | (Empty) |
| forticlient-vpn-settings | (Empty) |

forticlient-ios-settings sub-options:

| Configuration | Default Value |
|---|---|
| forticlient-wf | disable |
| forticlient-wf-profile | (Empty) |
| disable-wf-when-protected | enable |
| client-vpn-provisioning | disable |
| client-vpn-settings | (Empty) |
| distribute-configuration-profile | disable |
| configuration-name | (Empty) |
| configuration-content | (Empty) |

endpoint-control/registered-forticlient
CLI Syntax
config endpoint-control registered-forticlient
edit <name_str>
set uid <string>
set vdom <string>
set ip <ipv4-address-any>
set mac <mac-address>
set status <integer>
set flag <integer>
set reg-fortigate <string>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| uid | FortiClient UID. | (Empty) |
| vdom | Registering VDOM. | (Empty) |
| ip | Endpoint IP address. | 0.0.0.0 |
| mac | Endpoint MAC address. | 00:00:00:00:00:00 |
| status | FortiClient registration status. | 1 |
| flag | FortiClient registration flag. | 0 |
| reg-fortigate | Registering FortiGate SN. | (Empty) |

endpoint-control/settings
CLI Syntax
config endpoint-control settings
edit <name_str>
set forticlient-reg-key-enforce {enable | disable}
set forticlient-reg-key <password>
set forticlient-reg-timeout <integer>
set download-custom-link <string>
set download-location {fortiguard | custom}
set forticlient-keepalive-interval <integer>
set forticlient-sys-update-interval <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| forticlient-reg-key-enforce | Enable/disable enforcement of FortiClient registration key. | disable |
| forticlient-reg-key | FortiClient registration key. | (Empty) |
| forticlient-reg-timeout | FortiClient registration license timeout (days, min = 1, max = 180, 0 = unlimited). | 7 |
| download-custom-link | Customized URL for downloading FortiClient. | (Empty) |
| download-location | FortiClient download location. | fortiguard |
| forticlient-keepalive-interval | Interval between two KeepAlive messages from FortiClient (in seconds). | 60 |
| forticlient-sys-update-interval | Interval between two system update messages from FortiClient (in minutes). | 720 |

extender-controller/extender
CLI Syntax
config extender-controller extender
edit <name_str>
set id <string>
set admin {disable | discovered | enable}
set ifname <string>
set vdom <integer>
set role {none | primary | secondary}
set mode {standalone | redundant}
set dial-mode {dial-on-demand | always-connect}
set redial {none | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10}
set redundant-intf <string>
set dial-status <integer>
set conn-status <integer>
set ext-name <string>
set description <string>
set quota-limit-mb <integer>
set billing-start-day <integer>
set at-dial-script <string>
set modem-passwd <password>
set initiated-update {enable | disable}
set modem-type {cdma | gsm/lte | wimax}
set ppp-username <string>
set ppp-password <password>
set ppp-auth-protocol {auto | pap | chap}
set ppp-echo-request {enable | disable}
set wimax-carrier <string>
set wimax-realm <string>
set wimax-auth-protocol {tls | ttls}
set sim-pin <password>
set access-point-name <string>
set multi-mode {auto | auto-3g | force-lte | force-3g | force-2g}
set roaming {enable | disable}
set cdma-nai <string>
set aaa-shared-secret <password>
set ha-shared-secret <password>
set primary-ha <string>
set secondary-ha <string>
set cdma-aaa-spi <string>
set cdma-ha-spi <string>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| id | FortiExtender serial number. | (Empty) |
| admin | FortiExtender Administration (enable or disable). | disable |
| ifname | FortiExtender interface name. | (Empty) |
| vdom | VDOM. | 0 |
| role | FortiExtender work role (Primary, Secondary, None). | none |
| mode | FortiExtender mode. | standalone |
| dial-mode | Dial mode (dial-on-demand or always-connect). | always-connect |
| redial | Number of redials allowed based on failed attempts. | none |
| redundant-intf | Redundant interface. | (Empty) |
| dial-status | Dial status. | 0 |
| conn-status | Connection status. | 0 |
| ext-name | FortiExtender name. | (Empty) |
| description | Description. | (Empty) |
| quota-limit-mb | Monthly quota limit (MB). | 0 |
| billing-start-day | Billing start day. | 1 |
| at-dial-script | Initialization AT commands specific to the MODEM. | (Empty) |
| modem-passwd | MODEM password. | (Empty) |
| initiated-update | Allow/disallow network initiated updates to the MODEM. | disable |
| modem-type | MODEM type (CDMA, GSM/LTE or WIMAX). | gsm/lte |
| ppp-username | PPP username. | (Empty) |
| ppp-password | PPP password. | (Empty) |
| ppp-auth-protocol | PPP authentication protocol (PAP, CHAP or auto). | auto |
| ppp-echo-request | Enable/disable PPP echo request. | disable |
| wimax-carrier | WiMax carrier. | (Empty) |
| wimax-realm | WiMax realm. | (Empty) |
| wimax-auth-protocol | WiMax authentication protocol (TLS or TTLS). | tls |
| sim-pin | SIM PIN. | (Empty) |
| access-point-name | Access point name (APN). | (Empty) |
| multi-mode | MODEM mode of operation (3G, LTE, etc.). | auto |
| roaming | Enable/disable MODEM roaming. | disable |
| cdma-nai | NAI for CDMA MODEMS. | (Empty) |
| aaa-shared-secret | AAA shared secret. | (Empty) |
| ha-shared-secret | HA shared secret. | (Empty) |
| primary-ha | Primary HA. | (Empty) |
| secondary-ha | Secondary HA. | (Empty) |
| cdma-aaa-spi | CDMA AAA SPI. | (Empty) |
| cdma-ha-spi | CDMA HA SPI. | (Empty) |

firewall.ipmacbinding/setting
CLI Syntax
config firewall.ipmacbinding setting
edit <name_str>
set bindthroughfw {enable | disable}
set bindtofw {enable | disable}
set undefinedhost {allow | block}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| bindthroughfw | Enable/disable IP/MAC binding for traffic going through the firewall. | disable |
| bindtofw | Enable/disable IP/MAC binding for traffic going to the firewall. | disable |
| undefinedhost | Allow/block traffic for undefined hosts. | block |

firewall.ipmacbinding/table
CLI Syntax
config firewall.ipmacbinding table
edit <name_str>
set seq-num <integer>
set ip <ipv4-address>
set mac <mac-address>
set name <string>
set status {enable | disable}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| seq-num | Entry number. | 0 |
| ip | IP address. | 0.0.0.0 |
| mac | MAC address. | 00:00:00:00:00:00 |
| name | Name (optional, default = no name). | noname |
| status | Enable/disable IP-MAC binding. | disable |
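As an added example (not the reference's own text), the ipmacbinding setting and table objects above used together: two known hosts are pinned to their MAC addresses and every host not in the table is blocked. The IP addresses, MAC addresses, entry names and interface name are constructed; the dotted object names on this page are typed with a space on the CLI (`config firewall ipmacbinding table`), table entries are selected by their seq-num, and the per-interface `ipmac` switch is assumed from the system interface object, which is not on this page.

```fortios
# Added example, not from the reference. All addresses and names are
# constructed sample values.

# 1. Pin each known host to its MAC address. Entries are keyed by
#    seq-num, so "edit 1" creates or selects entry 1.
config firewall ipmacbinding table
    edit 1
        set ip 192.0.2.10
        set mac 00:11:22:33:44:55
        set name "finance-printer"
        set status enable
    next
    edit 2
        set ip 192.0.2.20
        set mac 00:11:22:33:44:66
        set name "hr-workstation"
        set status enable
    next
end

# 2. Enforce the table for traffic through the FortiGate (bindthroughfw)
#    and for traffic addressed to it (bindtofw). undefinedhost block means
#    a host that is not yet in the table loses connectivity, so populate
#    the table before enabling enforcement.
config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end

# 3. Binding is only checked on interfaces where it is switched on.
#    The ipmac option lives under system interface (outside this page);
#    "port2" is an assumed interface name.
config system interface
    edit "port2"
        set ipmac enable
    next
end
```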

firewall.schedule/group
CLI Syntax
config firewall.schedule group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set color <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Schedule group name. | (Empty) |
| member | Schedule group member. | (Empty) |
| color | GUI icon color. | 0 |

firewall.schedule/onetime
CLI Syntax
config firewall.schedule onetime
edit <name_str>
set name <string>
set start <user>
set end <user>
set color <integer>
set expiration-days <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Onetime schedule name. | (Empty) |
| start | Start time and date. | 00:00 2001/01/01 |
| end | End time and date. | 00:00 2001/01/01 |
| color | GUI icon color. | 0 |
| expiration-days | Generate event log before schedule expires (1 - 100 days, 0 = disable). | 3 |

firewall.schedule/recurring
CLI Syntax
config firewall.schedule recurring
edit <name_str>
set name <string>
set start <user>
set end <user>
set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}
set color <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Recurring schedule name. | (Empty) |
| start | Start time. | 00:00 |
| end | End time. | 00:00 |
| day | Weekday. | sunday |
| color | GUI icon color. | 0 |

firewall.service/category
CLI Syntax
config firewall.service category
edit <name_str>
set name <string>
set comment <var-string>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Service category name. | (Empty) |
| comment | Comment. | (Empty) |

firewall.service/custom
CLI Syntax
config firewall.service custom
edit <name_str>
set name <string>
set explicit-proxy {enable | disable}
set category <string>
set protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP | HTTP | FTP | CONNECT | SOCKS | SOCKS-TCP | SOCKS-UDP | ALL}
set iprange <user>
set fqdn <string>
set protocol-number <integer>
set icmptype <integer>
set icmpcode <integer>
set tcp-portrange <user>
set udp-portrange <user>
set sctp-portrange <user>
set tcp-halfclose-timer <integer>
set tcp-halfopen-timer <integer>
set tcp-timewait-timer <integer>
set udp-idle-timer <integer>
set session-ttl <integer>
set check-reset-range {disable | strict | default}
set comment <var-string>
set color <integer>
set visibility {enable | disable}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Custom service name. | (Empty) |
| explicit-proxy | Enable/disable explicit web proxy service. | disable |
| category | Service category. | (Empty) |
| protocol | Protocol type. | TCP/UDP/SCTP |
| iprange | Start IP - End IP. | 0.0.0.0 |
| fqdn | Fully qualified domain name. | (Empty) |
| protocol-number | IP protocol number. | 0 |
| icmptype | ICMP type. | (Empty) |
| icmpcode | ICMP code. | (Empty) |
| tcp-portrange | Multiple TCP port ranges. | (Empty) |
| udp-portrange | Multiple UDP port ranges. | (Empty) |
| sctp-portrange | Multiple SCTP port ranges. | (Empty) |
| tcp-halfclose-timer | TCP half close timeout (1 - 86400 sec, 0 = default). | 0 |
| tcp-halfopen-timer | TCP half open timeout (1 - 86400 sec, 0 = default). | 0 |
| tcp-timewait-timer | TCP TIME-WAIT timeout (1 - 300 sec, 0 = default). | 0 |
| udp-idle-timer | UDP idle timeout (0 - 86400 sec, 0 = default). | 0 |
| session-ttl | Session TTL (300 - 604800, 0 = default). | 0 |
| check-reset-range | Enable/disable RST check. | default |
| comment | Comment. | (Empty) |
| color | GUI icon color. | 0 |
| visibility | Enable/disable service visibility. | enable |

firewall.service/group
CLI Syntax
config firewall.service group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set explicit-proxy {enable | disable}
set comment <var-string>
set color <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Service group name. | (Empty) |
| member | Service group member. | (Empty) |
| explicit-proxy | Enable/disable explicit web proxy service group. | disable |
| comment | Comment. | (Empty) |
| color | GUI icon color. | 0 |

firewall.shaper/per-ip-shaper
CLI Syntax
config firewall.shaper per-ip-shaper
edit <name_str>
set name <string>
set max-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set max-concurrent-session <integer>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Traffic shaper name. | (Empty) |
| max-bandwidth | Maximum bandwidth value (0 - 16776000). | 0 |
| bandwidth-unit | Bandwidth unit (default = kbps). | kbps |
| max-concurrent-session | Maximum concurrent session (0 - 2097000). | 0 |
| diffserv-forward | Forward (original) traffic DiffServ. | disable |
| diffserv-reverse | Reverse (reply) traffic DiffServ. | disable |
| diffservcode-forward | Forward (original) traffic DiffServ code point value. | 000000 |
| diffservcode-rev | Reverse (reply) traffic DiffServ code point value. | 000000 |

firewall.shaper/traffic-shaper
CLI Syntax
config firewall.shaper traffic-shaper
edit <name_str>
set name <string>
set guaranteed-bandwidth <integer>
set maximum-bandwidth <integer>
set bandwidth-unit {kbps | mbps | gbps}
set priority {low | medium | high}
set per-policy {disable | enable}
set diffserv {enable | disable}
set diffservcode <user>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Traffic shaper name. | (Empty) |
| guaranteed-bandwidth | Guaranteed bandwidth value (0 - 16776000). | 0 |
| maximum-bandwidth | Maximum bandwidth value (0 - 16776000). | 0 |
| bandwidth-unit | Bandwidth unit (default = kbps). | kbps |
| priority | Traffic priority. | high |
| per-policy | Enable/disable use of a separate shaper for each policy. | disable |
| diffserv | Enable/disable traffic DiffServ. | disable |
| diffservcode | Traffic DiffServ code point value. | 000000 |

firewall.ssl/setting
CLI Syntax
config firewall.ssl setting
edit <name_str>
set proxy-connect-timeout <integer>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-send-empty-frags {enable | disable}
set no-matching-cipher-action {bypass | drop}
set cert-cache-capacity <integer>
set cert-cache-timeout <integer>
set session-cache-capacity <integer>
set session-cache-timeout <integer>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| proxy-connect-timeout | Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec). | 30 |
| ssl-dh-bits | Size of Diffie-Hellman prime used in DHE-RSA negotiation. | 2048 |
| ssl-send-empty-frags | Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). | enable |
| no-matching-cipher-action | Bypass or drop the connection when no matching cipher was found. | bypass |
| cert-cache-capacity | Maximum capacity of the host certificate cache (0 - 500). | 200 |
| cert-cache-timeout | Minutes to keep certificate cache (1 - 120 min). | 10 |
| session-cache-capacity | Obsolete. | 500 |
| session-cache-timeout | Number of minutes to keep SSL session state. | 20 |
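As an added hardening example (not from the reference and not Fortinet's own configuration), the weakest and the strictest values this table allows, side by side, with the security effect of each. It assumes the object is typed as `config firewall ssl setting`, which is how the dotted name above is entered on the CLI, and that it is a single per-VDOM settings object with no `edit` step.

```fortios
# Added example, not from the reference. Typed as "config firewall ssl
# setting" (no "edit <name>", it is one settings object per VDOM).

# --- Weak choices this table permits:
#   768-bit DH prime: far below current minimum key-size guidance.
#   bypass: a session whose cipher the proxy cannot match is passed
#           through uninspected rather than failing closed.
#   empty-frags disabled: removes the countermeasure for the CBC IV
#           weakness in SSL 3.0 / TLS 1.0.
config firewall ssl setting
    set ssl-dh-bits 768
    set no-matching-cipher-action bypass
    set ssl-send-empty-frags disable
end

# --- Hardened equivalent:
#   2048-bit DH prime (largest this release offers; also the default).
#   drop: no cipher match means no connection, so nothing slips past
#         inspection; expect failures from legacy clients, which is the
#         signal to fix the client rather than reopen the bypass.
#   empty-frags enabled (the default) keeps the CBC IV countermeasure.
#   Shorter certificate cache so a rotated or revoked server certificate
#   is re-fetched sooner (range 1 - 120 min, default 10).
config firewall ssl setting
    set ssl-dh-bits 2048
    set no-matching-cipher-action drop
    set ssl-send-empty-frags enable
    set cert-cache-timeout 5
end
```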

firewall/address
CLI Syntax
config firewall address
edit <name_str>
set name <string>
set uuid <uuid>
set subnet <ipv4-classnet-any>
set type {ipmask | iprange | fqdn | geography | wildcard | wildcard-fqdn}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set fqdn <string>
set country <string>
set wildcard-fqdn <string>
set cache-ttl <integer>
set wildcard <ipv4-classnet-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Address name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| subnet | IP address and netmask. | 0.0.0.0 0.0.0.0 |
| type | Type. | ipmask |
| start-ip | Start IP. | 0.0.0.0 |
| end-ip | End IP. | 0.0.0.0 |
| fqdn | Fully qualified domain name. | (Empty) |
| country | Country name. | (Empty) |
| wildcard-fqdn | Wildcard FQDN. | (Empty) |
| cache-ttl | Minimal TTL of individual IP addresses in FQDN cache. | 0 |
| wildcard | IP address and wildcard netmask. | 0.0.0.0 0.0.0.0 |
| comment | Comment. | (Empty) |
| visibility | Enable/disable address visibility. | enable |
| associated-interface | Associated interface name. | (Empty) |
| color | GUI icon color. | 0 |
| tags | Applied object tags. | (Empty) |
| allow-routing | Enable/disable use of this address in the static route configuration. | disable |

firewall/address6
CLI Syntax
config firewall address6
edit <name_str>
set name <string>
set uuid <uuid>
set type {ipprefix | iprange}
set ip6 <ipv6-network>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Address name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| type | Type. | ipprefix |
| ip6 | IPv6 address prefix. | ::/0 |
| start-ip | Start IP. | :: |
| end-ip | End IP. | :: |
| visibility | Enable/disable address visibility. | enable |
| color | GUI icon color. | 0 |
| tags | Applied object tags. | (Empty) |
| comment | Comment. | (Empty) |

firewall/addrgrp
CLI Syntax
config firewall addrgrp
edit <name_str>
set name <string>
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
set allow-routing {enable | disable}
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | Address group name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| member | Address group member. | (Empty) |
| comment | Comment. | (Empty) |
| visibility | Enable/disable address group visibility. | enable |
| color | GUI icon color. | 0 |
| tags | Applied object tags. | (Empty) |
| allow-routing | Enable/disable use of this group in the static route configuration. | disable |

firewall/addrgrp6
CLI Syntax
config firewall addrgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set visibility {enable | disable}
set color <integer>
set comment <var-string>
config member
edit <name_str>
set name <string>
end
config tags
edit <name_str>
set name <string>
end
end

Description
| Configuration | Description | Default Value |
|---|---|---|
| name | IPv6 address group name. | (Empty) |
| uuid | Universally Unique IDentifier. | 00000000-0000-0000-0000-000000000000 |
| visibility | Enable/disable IPv6 address group visibility. | enable |
| color | GUI icon color. | 0 |
| comment | Comment. | (Empty) |
| member | IPv6 address group member. | (Empty) |
| tags | Applied object tags. | (Empty) |

firewall/auth-portal
CLI Syntax
config firewall auth-portal
edit <name_str>
config groups
edit <name_str>
set name <string>
end
set portal-addr <string>
set portal-addr6 <string>
set identity-based-route <string>
end

Description

Configuration             Description                                                           Default Value
groups                    Group name.                                                           (Empty)
portal-addr               Address (or domain name) of authentication portal.                    (Empty)
portal-addr6              IPv6 address (or domain name) of authentication portal.               (Empty)
identity-based-route      Name of identity-based routing rule.                                  (Empty)

firewall/central-snat-map
CLI Syntax
config firewall central-snat-map
edit <name_str>
set policyid <integer>
set status {enable | disable}
config orig-addr
edit <name_str>
set name <string>
end
config dst-addr
edit <name_str>
set name <string>
end
config nat-ippool
edit <name_str>
set name <string>
end
set protocol <integer>
set orig-port <integer>
set nat-port <user>
end

Description

Configuration             Description                                                           Default Value
policyid                  Policy ID.                                                            0
status                    Enable/disable policy status.                                         enable
orig-addr                 Original address.                                                     (Empty)
dst-addr                  Destination address.                                                  (Empty)
nat-ippool                IP pool names for translated address.                                 (Empty)
protocol                  Protocol (0 - 255).                                                   0
orig-port                 Original port.                                                        0
nat-port                  Translated port or port range.                                        0

firewall/dnstranslation
CLI Syntax
config firewall dnstranslation
edit <name_str>
set id <integer>
set src <ipv4-address>
set dst <ipv4-address>
set netmask <ipv4-netmask>
end

Description

Configuration             Description                                                           Default Value
id                        ID.                                                                   0
src                       Source IP.                                                            0.0.0.0
dst                       Destination IP.                                                       0.0.0.0
netmask                   Network mask.                                                         255.255.255.255

firewall/DoS-policy
CLI Syntax
config firewall DoS-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end

Description

Configuration             Description                                                           Default Value
policyid                  Policy ID.                                                            0
status                    Enable/disable policy status.                                         enable
interface                 Interface name.                                                       (Empty)
srcaddr                   Source address name.                                                  (Empty)
dstaddr                   Destination address name.                                             (Empty)
service                   Service name.                                                         (Empty)
anomaly                   Anomaly settings, one entry per anomaly name.                         (Empty)

firewall/DoS-policy6
CLI Syntax
config firewall DoS-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
end

Description

Configuration             Description                                                           Default Value
policyid                  Policy ID.                                                            0
status                    Enable/disable policy status.                                         enable
interface                 Interface name.                                                       (Empty)
srcaddr                   Source address name.                                                  (Empty)
dstaddr                   Destination address name.                                             (Empty)
service                   Service name.                                                         (Empty)
anomaly                   Anomaly settings, one entry per anomaly name.                         (Empty)

firewall/explicit-proxy-address
CLI Syntax
config firewall explicit-proxy-address
edit <name_str>
set name <string>
set uuid <uuid>
set type {host-regex | url | category | method | ua | header | src-advanced | dst-advanced}
set host <string>
set host-regex <string>
set path <string>
config category
edit <name_str>
set id <integer>
end
set method {get | post | put | head | connect | trace | options | delete}
set ua {chrome | ms | firefox | safari | other}
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
config header-group
edit <name_str>
set id <integer>
set header-name <string>
set header <string>
set case-sensitivity {disable | enable}
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end

Description

Configuration             Description                                                           Default Value
name                      Address name.                                                         (Empty)
uuid                      Universally Unique IDentifier.                                        00000000-0000-0000-0000-000000000000
type                      Address type.                                                         url
host                      Host address.                                                         (Empty)
host-regex                Host regular expression.                                              (Empty)
path                      URL path regular expression.                                          (Empty)
category                  FortiGuard category ID.                                               (Empty)
method                    HTTP methods.                                                         (Empty)
ua                        User agent.                                                           (Empty)
header-name               HTTP header.                                                          (Empty)
header                    HTTP header regular expression.                                       (Empty)
case-sensitivity          Case sensitivity in pattern.                                          disable
header-group              HTTP header group.                                                    (Empty)
color                     GUI icon color.                                                       0
tags                      Applied object tags.                                                  (Empty)
comment                   Comment.                                                              (Empty)
visibility                Enable/disable address visibility.                                    disable

firewall/explicit-proxy-addrgrp
CLI Syntax
config firewall explicit-proxy-addrgrp
edit <name_str>
set name <string>
set type {src | dst}
set uuid <uuid>
config member
edit <name_str>
set name <string>
end
set color <integer>
config tags
edit <name_str>
set name <string>
end
set comment <var-string>
set visibility {enable | disable}
end

Description

Configuration             Description                                                           Default Value
name                      Address group name.                                                   (Empty)
type                      Address group type.                                                   src
uuid                      Universally Unique IDentifier.                                        00000000-0000-0000-0000-000000000000
member                    Address group members.                                                (Empty)
color                     GUI icon color.                                                       0
tags                      Applied object tags.                                                  (Empty)
comment                   Comment.                                                              (Empty)
visibility                Enable/disable address visibility.                                    disable

firewall/explicit-proxy-policy
CLI Syntax
config firewall explicit-proxy-policy
edit <name_str>
set uuid <uuid>
set policyid <integer>
set proxy {web | ftp | wanopt}
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set action {accept | deny}
set status {enable | disable}
set schedule <string>
set logtraffic {all | utm | disable}
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
set identity-based {enable | disable}
set ip-based {enable | disable}
set active-auth-method {ntlm | basic | digest | form | none}
set sso-auth-method {fsso | rsso | none}
set require-tfa {enable | disable}
set web-auth-cookie {enable | disable}
set transaction-based {enable | disable}
config identity-based-policy
edit <name_str>
set id <integer>
set schedule <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
set disclaimer {disable | domain | policy | user}
set replacemsg-override-group <string>
end
set webproxy-forward-server <string>
set webproxy-profile <string>
set transparent {enable | disable}
set webcache {enable | disable}
set webcache-https {disable | any | enable}
set disclaimer {disable | domain | policy | user}
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set replacemsg-override-group <string>
set logtraffic-start {enable | disable}
config tags
edit <name_str>
set name <string>
end
set label <string>
set global-label <string>
set scan-botnet-connections {disable | block | monitor}
set comments <var-string>
end

Description

Configuration             Description                                                                        Default Value
uuid                      Universally Unique IDentifier.                                                     00000000-0000-0000-0000-000000000000
policyid                  Policy ID.                                                                         0
proxy                     Explicit proxy type.                                                               (Empty)
dstintf                   Destination interface name.                                                        (Empty)
srcaddr                   Source address name. [srcaddr or srcaddr6 (web proxy only) must be set].           (Empty)
dstaddr                   Destination address name. [dstaddr or dstaddr6 (web proxy only) must be set].      (Empty)
service                   Service name.                                                                      (Empty)
srcaddr-negate            Enable/disable negated source address match.                                       disable
dstaddr-negate            Enable/disable negated destination address match.                                  disable
service-negate            Enable/disable negated service match.                                              disable
action                    Policy action.                                                                     deny
status                    Enable/disable policy status.                                                      enable
schedule                  Schedule name.                                                                     (Empty)
logtraffic                Enable/disable policy log traffic.                                                 utm
srcaddr6                  IPv6 source address (web proxy only). [srcaddr6 or srcaddr must be set].           (Empty)
dstaddr6                  IPv6 destination address (web proxy only). [dstaddr6 or dstaddr must be set].      (Empty)
identity-based            Enable/disable identity-based policy.                                              disable
ip-based                  Enable/disable IP-based authentication.                                            disable
active-auth-method        Active authentication method.                                                      basic
sso-auth-method           SSO authentication method.                                                         none
require-tfa               Enable/disable requirement of 2-factor authentication.                             disable
web-auth-cookie           Enable/disable Web authentication cookie.                                          disable
transaction-based         Enable/disable transaction based authentication.                                   disable
identity-based-policy     Identity-based policy.                                                             (Empty)
webproxy-forward-server   Web proxy forward server.                                                          (Empty)
webproxy-profile          Web proxy profile.                                                                 (Empty)
transparent               Use IP address of client to connect to server.                                     disable
webcache                  Enable/disable web cache.                                                          disable
webcache-https            Enable/disable web cache for HTTPS.                                                disable
disclaimer                Web proxy disclaimer setting.                                                      disable
utm-status                Enable AV/web/IPS protection profile.                                              disable
profile-type              Profile type.                                                                      single
profile-group             Profile group.                                                                     (Empty)
av-profile                Antivirus profile.                                                                 (Empty)
webfilter-profile         Web filter profile.                                                                (Empty)
spamfilter-profile        Spam filter profile.                                                               (Empty)
dlp-sensor                DLP sensor.                                                                        (Empty)
ips-sensor                IPS sensor.                                                                        (Empty)
application-list          Application list.                                                                  (Empty)
casi-profile              CASI profile.                                                                      (Empty)
icap-profile              ICAP profile.                                                                      (Empty)
waf-profile               Web application firewall profile.                                                  (Empty)
profile-protocol-options  Profile protocol options.                                                          (Empty)
ssl-ssh-profile           SSL SSH Profile.                                                                   (Empty)
replacemsg-override-group Specify authentication replacement message override group.                         (Empty)
logtraffic-start          Enable/disable policy log traffic start.                                           disable
tags                      Applied object tags.                                                               (Empty)
label                     Label for section view.                                                            (Empty)
global-label              Label for global view.                                                             (Empty)
scan-botnet-connections   Enable/disable scanning of connections to Botnet servers.                          disable
comments                  Comment.                                                                           (Empty)

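An added example, not from the reference, of an explicit web proxy policy that forces users to authenticate before browsing. Interface, address, user group and profile names are assumed; the explicit proxy itself must already be enabled (`config web-proxy explicit`, `set status enable`) and on the client-facing interface. The policy ID is the key, so the nested tables in the syntax are entered with `set`. The security-relevant choice is `active-auth-method`: `basic` (the default) sends the password base64-encoded in every request, which is only acceptable when the client-to-proxy leg is otherwise protected; `ntlm` keeps the password off the wire, and `web-auth-cookie enable` ties the login to the browser session. `ip-based` is left disabled because IP-based authentication lets every process on a shared or NATed host inherit the first user's identity.

```text
# Added example: authenticated, inspected, fully logged explicit proxy access.
config firewall address
    edit "lan-clients"
        set subnet 10.0.2.0 255.255.255.0
    next
end

config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "lan-clients"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set status enable
        set schedule "always"
        set logtraffic all
        # Require a login; NTLM avoids the cleartext credentials of "basic"
        set identity-based enable
        set ip-based disable
        set active-auth-method ntlm
        set sso-auth-method none
        set web-auth-cookie enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "proxy-users"
                set logtraffic all
                set utm-status enable
                set profile-type single
                set av-profile "default"
                set webfilter-profile "default"
                set profile-protocol-options "default"
                set ssl-ssh-profile "certificate-inspection"
            next
        end
        set webcache disable
    next
end
```

Members of other user groups fall through the identity-based sub-policy and are denied, so add one `identity-based-policy` entry per group that should get different profiles rather than widening the first one. `require-tfa enable` can be added when the user group's backend supports a second factor.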
firewall/identity-based-route
CLI Syntax
config firewall identity-based-route
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set gateway <ipv4-address>
set device <string>
config groups
edit <name_str>
set name <string>
end
end
end

Description

Configuration             Description                                                           Default Value
name                      Name.                                                                 (Empty)
comments                  Description/comments.                                                 (Empty)
rule                      Rule.                                                                 (Empty)

firewall/interface-policy
CLI Syntax
config firewall interface-policy
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end

Description

Configuration             Description                                                           Default Value
policyid                  Policy ID.                                                            0
status                    Enable/disable policy status.                                         enable
logtraffic                Enable/disable interface log traffic.                                 utm
address-type              Policy address type.                                                  ipv4
interface                 Interface name.                                                       (Empty)
srcaddr                   Source address name.                                                  (Empty)
dstaddr                   Destination address name.                                             (Empty)
service                   Service name.                                                         (Empty)
application-list-status   Enable/disable application control.                                   disable
application-list          Application list name.                                                (Empty)
casi-profile-status       Enable/disable CASI.                                                  disable
casi-profile              CASI profile name.                                                    (Empty)
ips-sensor-status         Enable/disable IPS sensor.                                            disable
ips-sensor                IPS sensor name.                                                      (Empty)
dsri                      Enable/disable DSRI.                                                  disable
av-profile-status         Enable/disable antivirus.                                             disable
av-profile                Antivirus profile.                                                    (Empty)
webfilter-profile-status  Enable/disable web filter profile.                                    disable
webfilter-profile         Web filter profile.                                                   (Empty)
spamfilter-profile-status Enable/disable spam filter.                                           disable
spamfilter-profile        Spam filter profile.                                                  (Empty)
dlp-sensor-status         Enable/disable DLP sensor.                                            disable
dlp-sensor                DLP sensor.                                                           (Empty)
scan-botnet-connections   Enable/disable scanning of connections to Botnet servers.             disable
label                     Label.                                                                (Empty)

firewall/interface-policy6
CLI Syntax
config firewall interface-policy6
edit <name_str>
set policyid <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set address-type {ipv4 | ipv6}
set interface <string>
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service6
edit <name_str>
set name <string>
end
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set scan-botnet-connections {disable | block | monitor}
set label <string>
end

Description

Configuration             Description                                                           Default Value
policyid                  Policy ID.                                                            0
status                    Enable/disable policy status.                                         enable
logtraffic                Enable/disable interface log traffic.                                 utm
address-type              Policy address type.                                                  ipv6
interface                 Interface name.                                                       (Empty)
srcaddr6                  IPv6 source address name.                                             (Empty)
dstaddr6                  IPv6 destination address name.                                        (Empty)
service6                  Service name.                                                         (Empty)
application-list-status   Enable/disable application control.                                   disable
application-list          Application list name.                                                (Empty)
casi-profile-status       Enable/disable CASI.                                                  disable
casi-profile              CASI profile name.                                                    (Empty)
ips-sensor-status         Enable/disable IPS sensor.                                            disable
ips-sensor                IPS sensor name.                                                      (Empty)
dsri                      Enable/disable DSRI.                                                  disable
av-profile-status         Enable/disable antivirus.                                             disable
av-profile                Antivirus profile.                                                    (Empty)
webfilter-profile-status  Enable/disable web filter profile.                                    disable
webfilter-profile         Web filter profile.                                                   (Empty)
spamfilter-profile-status Enable/disable spam filter.                                           disable
spamfilter-profile        Spam filter profile.                                                  (Empty)
dlp-sensor-status         Enable/disable DLP sensor.                                            disable
dlp-sensor                DLP sensor.                                                           (Empty)
scan-botnet-connections   Enable/disable scanning of connections to Botnet servers.             disable
label                     Label.                                                                (Empty)

firewall/ip-translation
CLI Syntax
config firewall ip-translation
edit <name_str>
set transid <integer>
set type {SCTP}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set map-startip <ipv4-address-any>
end

Description

Configuration             Description                                                           Default Value
transid                   IP translation ID.                                                    0
type                      IP translation type.                                                  SCTP
startip                   Start IP.                                                             0.0.0.0
endip                     End IP.                                                               0.0.0.0
map-startip               Mapped start IP.                                                      0.0.0.0

firewall/ippool
CLI Syntax
config firewall ippool
edit <name_str>
set name <string>
set type {overload | one-to-one | fixed-port-range | port-block-allocation}
set startip <ipv4-address-any>
set endip <ipv4-address-any>
set source-startip <ipv4-address-any>
set source-endip <ipv4-address-any>
set block-size <integer>
set num-blocks-per-user <integer>
set permit-any-host {disable | enable}
set arp-reply {disable | enable}
set arp-intf <string>
set comments <var-string>
end

Description

Configuration             Description                                                           Default Value
name                      IP pool name.                                                         (Empty)
type                      IP pool type.                                                         overload
startip                   Start IP.                                                             0.0.0.0
endip                     End IP.                                                               0.0.0.0
source-startip            Source start IP.                                                      0.0.0.0
source-endip              Source end IP.                                                        0.0.0.0
block-size                Block size.                                                           128
num-blocks-per-user       Number of blocks per user (1 - 128).                                  8
permit-any-host           Enable/disable full cone.                                             disable
arp-reply                 Enable/disable ARP reply.                                             enable
arp-intf                  ARP reply interface. Any if unset.                                    (Empty)
comments                  Comment.                                                              (Empty)

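IP pools and the central SNAT map described under firewall/central-snat-map are used together, so one added example (not taken from the reference) covers both. Pool names, addresses and the `config system settings` step are assumptions for illustration: central NAT is enabled per VDOM, and while it is on, the `nat` and `ippool` options of `config firewall policy` are not what decides source NAT; the firewall policy still has to accept the session, and the map entries are then matched in table order, first match wins. The `fixed-port-range` pool gives each source a predictable external address and port block, which keeps logs attributable; the `overload` pool hides all remaining clients behind one address.

```text
# Added example: deterministic SNAT for servers, overload for everything else.
config firewall address
    edit "lan-servers"
        set subnet 10.0.1.0 255.255.255.0
    next
end

config firewall ippool
    edit "snat-overload"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
        # Pool addresses are not interface addresses; answer ARP for them
        set arp-reply enable
        set comments "Default egress address for all clients"
    next
    edit "snat-servers"
        set type fixed-port-range
        set startip 203.0.113.20
        set endip 203.0.113.23
        set source-startip 10.0.1.0
        set source-endip 10.0.1.255
        # Full cone would let any external host reach a mapped port
        set permit-any-host disable
        set comments "Deterministic SNAT for the server subnet"
    next
end

# Per-VDOM switch to central NAT (assumed location of the setting)
config system settings
    set central-nat enable
end

config firewall central-snat-map
    edit 1
        set status enable
        set orig-addr "lan-servers"
        set dst-addr "all"
        set nat-ippool "snat-servers"
    next
    edit 2
        set status enable
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "snat-overload"
    next
end
```

Keep `permit-any-host` disabled unless an application needs full-cone behaviour, since it turns every outbound mapping into an inbound hole for the lifetime of the session. `arp-reply` must stay enabled when pool addresses are not configured on an interface, otherwise the upstream router cannot resolve them and return traffic is black-holed.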
firewall/ippool6
CLI Syntax
config firewall ippool6
edit <name_str>
set name <string>
set startip <ipv6-address>
set endip <ipv6-address>
set comments <var-string>
end

Description

Configuration             Description                                                           Default Value
name                      IPv6 pool name.                                                       (Empty)
startip                   Start IP.                                                             ::
endip                     End IP.                                                               ::
comments                  Comment.                                                              (Empty)

firewall/ipv6-eh-filter
CLI Syntax
config firewall ipv6-eh-filter
edit <name_str>
set hop-opt {enable | disable}
set dest-opt {enable | disable}
set hdopt-type <integer>
set routing {enable | disable}
set routing-type <integer>
set fragment {enable | disable}
set auth {enable | disable}
set no-next {enable | disable}
end

Description

Configuration             Description                                                                                   Default Value
hop-opt                   Block packets with Hop-by-Hop Options header.                                                 disable
dest-opt                  Block packets with Destination Options header.                                                disable
hdopt-type                Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0     (Empty)
                          and 255).
routing                   Block packets with Routing header.                                                            enable
routing-type              Block specific Routing header types (maximum 7 types, each between 0 and 255).                0
fragment                  Block packets with Fragment header.                                                           disable
auth                      Block packets with Authentication header.                                                     disable
no-next                   Block packets with No Next header.                                                            disable

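An added example, not from the reference, that tightens the extension-header filter. `ipv6-eh-filter` is a single global object, so the settings are entered directly under `config firewall ipv6-eh-filter` with no `edit` step. The shipped default (`routing enable`, `routing-type 0`) already blocks Routing header type 0, the deprecated source-routing header (RFC 5095) that can be abused for amplification, while letting other routing types through. This example adds the likewise deprecated type 1 and keeps type 2 (Mobile IPv6) allowed. Hop-by-Hop Options are left allowed because MLD relies on the Router Alert option carried there, and blanket blocking of Fragment or Authentication headers is left off because it breaks legitimate traffic; multiple values for `routing-type` and `hdopt-type` are given space-separated.

```text
# Added example: block deprecated Routing header types 0 and 1 only.
config firewall ipv6-eh-filter
    set routing enable
    set routing-type 0 1
    # Hop-by-Hop carries Router Alert (MLD); Destination Options are used
    # by Mobile IPv6. Leave both allowed.
    set hop-opt disable
    set dest-opt disable
    # Dropping every fragment or AH packet breaks legitimate traffic.
    set fragment disable
    set auth disable
    set no-next disable
end
```

Because the object is global, a change here affects every VDOM and every interface at once; verify with `show firewall ipv6-eh-filter` after editing and test IPv6 multicast (MLD) still works before leaving `hop-opt` enabled anywhere.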
firewall/ldb-monitor
CLI Syntax
config firewall ldb-monitor
edit <name_str>
set name <string>
set type {ping | tcp | http | passive-sip}
set interval <integer>
set timeout <integer>
set retry <integer>
set port <integer>
set http-get <string>
set http-match <string>
set http-max-redirects <integer>
end

Description

Configuration             Description                                                           Default Value
name                      Monitor name.                                                         (Empty)
type                      Monitor type.                                                         (Empty)
interval                  Detect interval.                                                      10
timeout                   Detect request timeout.                                               2
retry                     Number of detect tries before bringing the server down.               3
port                      Service port.                                                         0
http-get                  HTTP GET URL string.                                                  (Empty)
http-match                String for matching the HTTP GET response.                            (Empty)
http-max-redirects        The maximum number of HTTP redirects to be allowed.                   0

firewall/local-in-policy
CLI Syntax
config firewall local-in-policy
edit <name_str>
set policyid <integer>
set ha-mgmt-intf-only {enable | disable}
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set auto-asic-offload {enable | disable}
set status {enable | disable}
end

Description

Configuration             Description                                                                   Default Value
policyid                  User defined local in policy ID.                                              0
ha-mgmt-intf-only         Enable/disable dedication of HA management interface only for local-in        disable
                          policy.
intf                      Source interface name.                                                        (Empty)
srcaddr                   Source address name.                                                          (Empty)
dstaddr                   Destination address name.                                                     (Empty)
action                    Local-In policy action.                                                       deny
service                   Service name.                                                                 (Empty)
schedule                  Schedule name.                                                                (Empty)
auto-asic-offload         Enable/disable policy traffic ASIC offloading.                                enable
status                    Enable/disable policy status.                                                 enable

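An added example, not from the reference, that restricts management access arriving on the WAN interface to a jump-host range. Names and prefixes are assumed. Two caveats a practitioner needs: a local-in policy only filters traffic that the interface's `allowaccess` setting already admits, so it complements rather than replaces `config system interface`; and traffic that matches no local-in policy is allowed, so the deny has to be explicit. The deny is deliberately limited to the management services, because denying `ALL` from `all` on a WAN interface would also drop IKE, SSL VPN, dynamic routing and DHCP traffic addressed to the FortiGate itself. IPv6 needs a matching pair under `config firewall local-in-policy6`, which has the same fields minus `ha-mgmt-intf-only` and `auto-asic-offload`.

```text
# Added example: management services on wan1 reachable from jump hosts only.
config firewall address
    edit "mgmt-jumphosts"
        set subnet 192.0.2.16 255.255.255.240
    next
end

# The interface still decides which services are offered at all
config system interface
    edit "wan1"
        set allowaccess https ssh
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-jumphosts"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set action accept
        set schedule "always"
        set status enable
    next
    # Explicit deny for the same services from everywhere else;
    # unmatched local-in traffic would otherwise be accepted.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set action deny
        set schedule "always"
        set status enable
    next
end
```

Local-in policies are matched top down, so the accept must stay above the deny; check the order with `show firewall local-in-policy` and use `move 1 before 2` if a later edit reorders them. Keep a console or HA management path available while testing, since a mistake here locks out remote administration.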
firewall/local-in-policy6
CLI Syntax
config firewall local-in-policy6
edit <name_str>
set policyid <integer>
set intf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
config service
edit <name_str>
set name <string>
end
set schedule <string>
set status {enable | disable}
end

Description

Configuration             Description                                                           Default Value
policyid                  User defined local in policy ID.                                      0
intf                      Source interface name.                                                (Empty)
srcaddr                   Source address name.                                                  (Empty)
dstaddr                   Destination address name.                                             (Empty)
action                    Local-In policy action.                                               deny
service                   Service name.                                                         (Empty)
schedule                  Schedule name.                                                        (Empty)
status                    Enable/disable policy status.                                         enable

firewall/multicast-address
CLI Syntax
config firewall multicast-address
edit <name_str>
set name <string>
set type {multicastrange | broadcastmask}
set subnet <ipv4-classnet-any>
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set comment <var-string>
set visibility {enable | disable}
set associated-interface <string>
set color <integer>
config tags
edit <name_str>
set name <string>
end
end

Description

Configuration             Description                                                           Default Value
name                      Multicast address name.                                               (Empty)
type                      Multicast address type.                                               multicastrange
subnet                    Broadcast address and subnet.                                         0.0.0.0 0.0.0.0
start-ip                  Start IP.                                                             0.0.0.0
end-ip                    End IP.                                                               0.0.0.0
comment                   Comment.                                                              (Empty)
visibility                Enable/disable multicast address visibility.                          enable
associated-interface      Associated interface name.                                            (Empty)
color                     GUI icon color.                                                       0
tags                      Applied object tags.                                                  (Empty)

firewall/multicast-address6
CLI Syntax
config firewall multicast-address6
edit <name_str>
set name <string>
set ip6 <ipv6-network>
set comment <var-string>
set visibility {enable | disable}
set color <integer>
config tags
edit <name_str>
set name <string>
end
end

Description

Configuration             Description                                                           Default Value
name                      IPv6 multicast address name.                                          (Empty)
ip6                       IPv6 address prefix.                                                  ::/0
comment                   Comment.                                                              (Empty)
visibility                Enable/disable multicast address visibility.                          enable
color                     GUI icon color.                                                       0
tags                      Applied object tags.                                                  (Empty)

firewall/multicast-policy
CLI Syntax
config firewall multicast-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set snat {enable | disable}
set snat-ip <ipv4-address>
set dnat <ipv4-address-any>
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end

Description

Configuration             Description                                                           Default Value
id                        Policy ID.                                                            0
status                    Enable/disable policy status.                                         enable
logtraffic                Enable/disable policy log traffic.                                    disable
srcintf                   Source interface name.                                                (Empty)
dstintf                   Destination interface name.                                           (Empty)
srcaddr                   Source address name.                                                  (Empty)
dstaddr                   Destination address name.                                             (Empty)
snat                      Enable/disable NAT source address.                                    disable
snat-ip                   NAT source address.                                                   0.0.0.0
dnat                      NAT destination address.                                              0.0.0.0
action                    Policy action.                                                        accept
protocol                  Protocol number.                                                      0
start-port                Start port number.                                                    1
end-port                  End port number.                                                      65535
auto-asic-offload         Enable/disable policy traffic ASIC offloading.                        enable

firewall/multicast-policy6
CLI Syntax
config firewall multicast-policy6
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {enable | disable}
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set auto-asic-offload {enable | disable}
end

Description

Configuration             Description                                                           Default Value
id                        Policy ID.                                                            0
status                    Enable/disable multicast IPv6 policy status.                          enable
logtraffic                Enable/disable multicast IPv6 policy log traffic.                     disable
srcintf                   IPv6 source interface name.                                           (Empty)
dstintf                   IPv6 destination interface name.                                      (Empty)
srcaddr                   IPv6 source address name.                                             (Empty)
dstaddr                   IPv6 destination address name.                                        (Empty)
action                    Policy action.                                                        accept
protocol                  Protocol number.                                                      0
start-port                Start port number.                                                    1
end-port                  End port number.                                                      65535
auto-asic-offload         Enable/disable policy traffic ASIC offloading.                        enable

firewall/policy
CLI Syntax
config firewall policy
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set rtp-nat {disable | enable}
config rtp-addr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set send-deny-packet {disable | enable}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set schedule <string>
set schedule-timeout {enable | disable}
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set capture-packet {enable | disable}
set auto-asic-offload {enable | disable}
set wanopt {enable | disable}
set wanopt-detection {active | passive | off}
set wanopt-passive-opt {default | transparent | non-transparent}
set wanopt-profile <string>
set wanopt-peer <string>
set webcache {enable | disable}
set webcache-https {disable | ssl-server | any | enable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set permit-any-host {enable | disable}
set permit-stun-host {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set session-ttl <integer>
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set wccp {enable | disable}
set ntlm {enable | disable}
set ntlm-guest {enable | disable}
config ntlm-enabled-browsers
edit <name_str>
set user-agent-string <string>
end
set fsso {enable | disable}
set wsso {enable | disable}
set rsso {enable | disable}
set fsso-agent-for-ntlm <string>
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set auth-path {enable | disable}
set disclaimer {enable | disable}
set vpntunnel <string>
set natip <ipv4-classnet>
set match-vip {enable | disable}
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set auth-cert <string>
set auth-redirect-addr <string>
set redirect-url <string>
set identity-based-route <string>
set block-notification {enable | disable}
config custom-log-fields
edit <name_str>
set field_id <string>
end
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
set timeout-send-rst {enable | disable}
set captive-portal-exempt {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set scan-botnet-connections {disable | block | monitor}
set dsri {enable | disable}
end

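An added example, not from the reference, of a typical outbound policy pair built from the syntax above. Interface, address and profile names are assumed; the `default` profiles and the `certificate-inspection` SSL/SSH profile are objects that ship with FortiOS 5.4. The policy ID is the key, and the nested tables in the syntax (`srcintf`, `dstaddr`, `service`, ...) are entered with `set`. Two points worth noting: `logtraffic` defaults to `utm`, which records only sessions in which a security profile fired, so a deny policy must set `logtraffic all` to leave any record of blocked connections; and a deny policy whose destination is `all` does not match sessions addressed to a virtual IP unless `match-vip enable` is set, which is easy to miss when reviewing inbound rule sets.

```text
# Added example: inspected outbound access plus an explicit, logged deny.
config firewall address
    edit "lan-clients"
        set subnet 10.0.2.0 255.255.255.0
    next
end

config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "NTP"
        set utm-status enable
        set profile-type single
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        # "all" logs every session, not just those with a UTM verdict
        set logtraffic all
        set logtraffic-start disable
        # Source NAT to the wan1 address; use ippool/poolname for a pool
        set nat enable
        set comments "Clients may browse; every session is logged"
    next
    edit 11
        set name "lan-deny-rest"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        # Without this the deny leaves no log entry at all
        set logtraffic all
        set send-deny-packet disable
        set comments "Explicit catch-all so denied sessions are logged"
    next
end
```

Policies are matched in list order, which `show firewall policy` prints; if the deny ends up above the accept after later edits, `move 11 after 10` restores the intended order. For an inbound deny guarding a published server, add `set match-vip enable` so that traffic to the VIP is actually evaluated by it.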
Description
Configuration Description Default Value

policyid Policy ID. 0

name Policy name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-


0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

rtp-nat Enable/disable use of this policy for RTP NAT. disable

rtp-addr RTP NAT address name. (Empty)

action Policy action. deny

send-deny-packet Enable/disable return of deny-packet. disable

firewall-session-dirty Packet session management. check-all

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

schedule-timeout Enable/disable schedule timeout. disable

service Service name. (Empty)

utm-status Enable AV/web/IPS protection profile. disable

profile-type profile type single

profile-group profile group (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

dnsfilter-profile DNS filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

logtraffic Enable/disable policy log traffic. utm

logtraffic-start Enable/disable policy log traffic start. disable

capture-packet Enable/disable capture packets. disable

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

wanopt Enable/disable WAN optimization. disable

wanopt-detection WAN optimization auto-detection mode. active

wanopt-passive-opt WAN optimization passive mode options. This option decides what IP address will be used to connect server. default

wanopt-profile WAN optimization profile. (Empty)

wanopt-peer WAN optimization peer. (Empty)

webcache Enable/disable web cache. disable

webcache-https Enable/disable web cache for HTTPS. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Traffic shaper. (Empty)

per-ip-shaper Per-IP shaper. (Empty)

nat Enable/disable policy NAT. disable

permit-any-host Enable/disable permit any host in. disable

permit-stun-host Enable/disable permit stun host in. disable

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy IP pool. disable

poolname Policy IP pool names. (Empty)

session-ttl Session TTL. 0

vlan-cos-fwd VLAN forward direction user priority. 255

vlan-cos-rev VLAN reverse direction user priority. 255

inbound Enable/disable policy inbound. disable

outbound Enable/disable policy outbound. disable

natinbound Enable/disable policy NAT inbound. disable

natoutbound Enable/disable policy NAT outbound. disable

wccp Enable/disable Web Cache Coordination Protocol (WCCP). disable

ntlm Enable/disable NTLM authentication. disable

ntlm-guest Enable/disable guest user for NTLM authentication. disable

ntlm-enabled-browsers User agent strings for NTLM enabled browsers. (Empty)

fsso Enable/disable Fortinet Single Sign-On. disable

wsso Enable/disable WiFi Single Sign-On. enable

rsso Enable/disable RADIUS Single Sign-On. disable

fsso-agent-for-ntlm Specify FSSO agent for NTLM authentication. (Empty)

groups User authentication groups. (Empty)

users User name. (Empty)

devices Devices or device groups. (Empty)

auth-path Enable/disable authentication-based routing. disable

disclaimer Enable/disable user authentication disclaimer. disable

vpntunnel Policy VPN tunnel. (Empty)

natip NAT address. 0.0.0.0 0.0.0.0

match-vip Enable/disable match DNATed packet. disable

diffserv-forward Enable/disable forward (original) traffic DiffServ. disable

diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable

diffservcode-forward Forward (original) traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) traffic DiffServ code point value. 000000

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

auth-cert HTTPS server certificate for policy authentication. (Empty)

auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. (Empty)

redirect-url URL redirection after disclaimer/authentication. (Empty)

identity-based-route Name of identity-based routing rule. (Empty)

block-notification Enable/disable block notification. disable

custom-log-fields Log custom fields. (Empty)

tags Applied object tags. (Empty)

replacemsg-override-group Specify authentication replacement message override group. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable

captive-portal-exempt Enable/disable exemption of captive portal. disable

ssl-mirror Enable/disable SSL mirror. disable

ssl-mirror-intf Mirror interface name. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

dsri Enable/disable DSRI. disable
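A complete policy built from the fields listed above, added here as an illustration and not taken from the reference or from Fortinet: an outbound web policy that turns on UTM inspection, logs every session rather than only UTM events, and blocks connections to known botnet servers. The interface names port1 and port2, the address object lan-subnet, the built-in schedule always and the profile names default and certificate-inspection are assumptions for this example. The reference shows multi-valued fields such as srcaddr and service in config/edit form because it is extracted from source; at the CLI they are entered as set <field> "<name>" ["<name>" ...], and each table entry is closed with next before the final end. Lines beginning with # are comments for the reader.

```fortios
# Assumed objects: port2 = LAN side, port1 = WAN side, lan-subnet = internal range
config firewall policy
    edit 10
        set name "lan-to-wan-inspected"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        # Turn on the UTM chain; profile-type single selects profiles one by one
        set utm-status enable
        set profile-type single
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        # Log all sessions (default utm logs only sessions with a UTM event)
        set logtraffic all
        set logtraffic-start enable
        # Block, not just monitor, connections to botnet C&C addresses
        set scan-botnet-connections block
        set nat enable
        # Send RST on session expiry so clients do not hang on dead sessions
        set timeout-send-rst enable
        set comments "Outbound web traffic with UTM inspection and full logging"
    next
end
```

logtraffic all is the setting that makes the policy useful for incident response: with the default utm, an accepted session that triggered no UTM event leaves no traffic log at all.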

firewall/policy46
CLI Syntax
config firewall policy46
edit <name_str>
set permit-any-host {enable | disable}
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

permit-any-host Enable/disable permit any host in. disable

policyid Policy ID. 0

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

status Policy status. enable

schedule Schedule name. (Empty)

service Service name. (Empty)

logtraffic Enable/disable traffic log. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per IP traffic shaper. (Empty)

fixedport Enable/disable policy fixed port. disable

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

tags Applied object tags. (Empty)

firewall/policy6
CLI Syntax
config firewall policy6
edit <name_str>
set policyid <integer>
set name <string>
set uuid <uuid>
config srcintf
edit <name_str>
set name <string>
end
config dstintf
edit <name_str>
set name <string>
end
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny | ipsec | ssl-vpn}
set firewall-session-dirty {check-all | check-new}
set status {enable | disable}
set vlan-cos-fwd <integer>
set vlan-cos-rev <integer>
set schedule <string>
config service
edit <name_str>
set name <string>
end
set utm-status {enable | disable}
set profile-type {single | group}
set profile-group <string>
set av-profile <string>
set webfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable}
set auto-asic-offload {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set nat {enable | disable}
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set inbound {enable | disable}
set outbound {enable | disable}
set natinbound {enable | disable}
set natoutbound {enable | disable}
set send-deny-packet {enable | disable}
set vpntunnel <string>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <user>
set diffservcode-rev <user>
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
set label <string>
set global-label <string>
set rsso {enable | disable}
config tags
edit <name_str>
set name <string>
end
set replacemsg-override-group <string>
set srcaddr-negate {enable | disable}
set dstaddr-negate {enable | disable}
set service-negate {enable | disable}
config groups
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config devices
edit <name_str>
set name <string>
end
set timeout-send-rst {enable | disable}
set ssl-mirror {enable | disable}
config ssl-mirror-intf
edit <name_str>
set name <string>
end
set dsri {enable | disable}
end

Description
Configuration Description Default Value

policyid Policy ID. 0

name Policy name. (Empty)

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

firewall-session-dirty Packet session management. check-all

status Enable/disable policy status. enable

vlan-cos-fwd VLAN forward direction user priority. 255

vlan-cos-rev VLAN reverse direction user priority. 255

schedule Schedule name. (Empty)

service Service name. (Empty)

utm-status Enable AV/web/ips protection profile. disable

profile-type profile type single

profile-group profile group (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

logtraffic Enable/disable policy log traffic. utm

logtraffic-start Enable/disable policy log traffic start. disable

auto-asic-offload Enable/disable policy traffic ASIC offloading. enable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Traffic shaper. (Empty)

per-ip-shaper Per-IP shaper. (Empty)

nat Enable/disable policy NAT. disable

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy IP pool. disable

poolname Policy IP pool names. (Empty)

inbound Enable/disable policy inbound. disable

outbound Enable/disable policy outbound. disable

natinbound Enable/disable policy NAT inbound. disable

natoutbound Enable/disable policy NAT outbound. disable

send-deny-packet Enable/disable return of deny-packet. disable

vpntunnel Policy VPN tunnel. (Empty)

diffserv-forward Enable/disable forward (original) traffic DiffServ. disable

diffserv-reverse Enable/disable reverse (reply) traffic DiffServ. disable

diffservcode-forward Forward (original) Traffic DiffServ code point value. 000000

diffservcode-rev Reverse (reply) Traffic DiffServ code point value. 000000

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

label Label for section view. (Empty)

global-label Label for global view. (Empty)

rsso Enable/disable RADIUS Single Sign-On. disable

tags Applied object tags. (Empty)

replacemsg-override-group Specify authentication replacement message override group. (Empty)

srcaddr-negate Enable/disable negated source address match. disable

dstaddr-negate Enable/disable negated destination address match. disable

service-negate Enable/disable negated service match. disable

groups User authentication groups. (Empty)

users User name. (Empty)

devices Devices or device groups. (Empty)

timeout-send-rst Enable/disable sending of RST packet upon TCP session expiration. disable

ssl-mirror Enable/disable SSL mirror. disable

ssl-mirror-intf Mirror interface name. (Empty)

dsri Enable/disable DSRI. disable

firewall/policy64
CLI Syntax
config firewall policy64
edit <name_str>
set policyid <integer>
set uuid <uuid>
set srcintf <string>
set dstintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set action {accept | deny}
set status {enable | disable}
set schedule <string>
config service
edit <name_str>
set name <string>
end
set logtraffic {enable | disable}
set permit-any-host {enable | disable}
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
set fixedport {enable | disable}
set ippool {enable | disable}
config poolname
edit <name_str>
set name <string>
end
set tcp-mss-sender <integer>
set tcp-mss-receiver <integer>
set comments <var-string>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

policyid Policy ID. 0

uuid Universally Unique IDentifier. 00000000-0000-0000-0000-000000000000

srcintf Source interface name. (Empty)

dstintf Destination interface name. (Empty)

srcaddr Source address name. (Empty)

dstaddr Destination address name. (Empty)

action Policy action. deny

status Enable/disable policy status. enable

schedule Schedule name. (Empty)

service Service name. (Empty)

logtraffic Enable/disable policy log traffic. disable

permit-any-host Enable/disable permit any host in. disable

traffic-shaper Traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per-IP traffic shaper. (Empty)

fixedport Enable/disable policy fixed port. disable

ippool Enable/disable policy64 IP pool. disable

poolname Policy IP pool names. (Empty)

tcp-mss-sender TCP MSS value of sender. 0

tcp-mss-receiver TCP MSS value of receiver. 0

comments Comment. (Empty)

tags Applied object tags. (Empty)

firewall/profile-group
CLI Syntax
config firewall profile-group
edit <name_str>
set name <string>
set av-profile <string>
set webfilter-profile <string>
set dnsfilter-profile <string>
set spamfilter-profile <string>
set dlp-sensor <string>
set ips-sensor <string>
set application-list <string>
set casi-profile <string>
set voip-profile <string>
set icap-profile <string>
set waf-profile <string>
set profile-protocol-options <string>
set ssl-ssh-profile <string>
end

Description
Configuration Description Default Value

name Profile group name. (Empty)

av-profile Antivirus profile. (Empty)

webfilter-profile Web filter profile. (Empty)

dnsfilter-profile DNS filter profile. (Empty)

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor DLP sensor. (Empty)

ips-sensor IPS sensor. (Empty)

application-list Application list. (Empty)

casi-profile CASI profile. (Empty)

voip-profile VoIP profile. (Empty)

icap-profile ICAP profile. (Empty)

waf-profile Web application firewall profile. (Empty)

profile-protocol-options Profile protocol options. (Empty)

ssl-ssh-profile SSL SSH Profile. (Empty)

firewall/profile-protocol-options
CLI Syntax
config firewall profile-protocol-options
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set oversize-log {disable | enable}
set switching-protocols-log {disable | enable}
config http
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | servercomfort | oversize | no-content-summary | chunkedbypass}
set comfort-interval <integer>
set comfort-amount <integer>
set range-block {disable | enable}
set post-lang {jisx0201 | jisx0208 | jisx0212 | gb2312 | ksc5601-ex | euc-jp | sjis | iso2022-jp | iso2022-jp-1 | iso2022-jp-2 | euc-cn | ces-gbk | hz | ces-big5 | euc-kr | iso2022-jp-3 | iso8859-1 | tis620 | cp874 | cp1252 | cp1251}
set fortinet-bar {enable | disable}
set fortinet-bar-port <integer>
set streaming-content-bypass {enable | disable}
set switching-protocols {bypass | block}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set block-page-status-code <integer>
set retry-count <integer>
end
config ftp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {clientcomfort | oversize | no-content-summary | splice | bypass-rest-command | bypass-mode-command}
set comfort-interval <integer>
set comfort-amount <integer>
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config imap
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config mapi
edit <name_str>
set ports <integer>
set status {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config pop3
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config smtp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {fragmail | oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
set server-busy {enable | disable}
end
config nntp
edit <name_str>
set ports <integer>
set status {enable | disable}
set inspect-all {enable | disable}
set options {oversize | no-content-summary | splice}
set oversize-limit <integer>
set uncompressed-oversize-limit <integer>
set uncompressed-nest-limit <integer>
set scan-bzip2 {enable | disable}
end
config dns
edit <name_str>
set ports <integer>
set status {enable | disable}
end
config mail-signature
edit <name_str>
set status {disable | enable}
set signature <string>
end
set rpc-over-http {enable | disable}
end

Description
Configuration Description Default Value

name Name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

oversize-log Enable/disable log antivirus oversize file blocking. disable

switching-protocols-log Enable/disable log HTTP/HTTPS switching protocols. disable

http HTTP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
range-block disable
post-lang (Empty)
fortinet-bar disable
fortinet-bar-port 8011
streaming-content-bypass enable
switching-protocols bypass
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
block-page-status-code 200
retry-count 0

ftp FTP. Details below

Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
comfort-interval 10
comfort-amount 1
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

imap IMAP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

mapi MAPI Details below

Configuration Default Value


ports (Empty)
status enable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

pop3 POP3. Details below

Configuration Default Value
ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

smtp SMTP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable
server-busy disable

nntp NNTP. Details below

Configuration Default Value


ports (Empty)
status enable
inspect-all disable
options (Empty)
oversize-limit 10
uncompressed-oversize-limit 10
uncompressed-nest-limit 12
scan-bzip2 enable

dns DNS. Details below

Configuration Default Value


ports (Empty)
status enable

mail-signature Mail signature. Details below

Configuration Default Value
status disable
signature (Empty)

rpc-over-http Enable/disable inspection of RPC over HTTP. enable
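A protocol options profile that closes the inspection gaps the defaults leave open, added here as an illustration and not taken from the reference or from Fortinet. With the defaults, options is empty, so a file larger than oversize-limit passes through without antivirus scanning and without a log entry, and an HTTP connection that switches protocols is bypassed; the profile below blocks both cases and logs them. The profile name strict-inspection, the port numbers and the 403 block-page status are assumptions for this example; the sub-tables (config http, config ftp, ...) are single objects and are closed with end, while the profile entry itself is closed with next. Lines beginning with # are comments for the reader.

```fortios
config firewall profile-protocol-options
    edit "strict-inspection"
        set comment "Block rather than bypass what the scanner cannot inspect"
        # Log the two bypass conditions so they show up in the UTM logs
        set oversize-log enable
        set switching-protocols-log enable
        config http
            set ports 80 8080
            set status enable
            # oversize: block files above oversize-limit instead of passing them unscanned
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            # Do not let a connection escape inspection by switching protocols
            set switching-protocols block
            set streaming-content-bypass disable
            # Return an error status on block pages so clients do not cache them as success
            set block-page-status-code 403
        end
        config ftp
            set ports 21
            set status enable
            set options oversize
            set oversize-limit 10
        end
        config smtp
            set ports 25
            set status enable
            set options oversize
            set oversize-limit 10
        end
        config dns
            set ports 53
            set status enable
        end
        set rpc-over-http enable
    next
end
```

The trade-off is availability: legitimate downloads above the limit are now refused, so the limit should be set to the largest file the site genuinely needs to receive rather than left at the default.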

firewall/shaping-policy
CLI Syntax
config firewall shaping-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set ip-version {4 | 6}
config srcaddr
edit <name_str>
set name <string>
end
config dstaddr
edit <name_str>
set name <string>
end
config srcaddr6
edit <name_str>
set name <string>
end
config dstaddr6
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
config application
edit <name_str>
set id <integer>
end
config app-category
edit <name_str>
set id <integer>
end
config url-category
edit <name_str>
set id <integer>
end
config dstintf
edit <name_str>
set name <string>
end
set traffic-shaper <string>
set traffic-shaper-reverse <string>
set per-ip-shaper <string>
end

Description
Configuration Description Default Value

id Shaping policy ID. 0

status Enable/disable traffic shaping policy. enable

ip-version IP version. 4

srcaddr Source address. (Empty)

dstaddr Destination address. (Empty)

srcaddr6 IPv6 source address. (Empty)

dstaddr6 IPv6 destination address. (Empty)

service Service name. (Empty)

users User name. (Empty)

groups User authentication groups. (Empty)

application Application ID list. (Empty)

app-category Application category ID list. (Empty)

url-category URL category ID list. (Empty)

dstintf Destination interface list. (Empty)

traffic-shaper Forward traffic shaper. (Empty)

traffic-shaper-reverse Reverse traffic shaper. (Empty)

per-ip-shaper Per IP shaper. (Empty)

firewall/sniffer
CLI Syntax
config firewall sniffer
edit <name_str>
set id <integer>
set status {enable | disable}
set logtraffic {all | utm | disable}
set ipv6 {enable | disable}
set non-ip {enable | disable}
set interface <string>
set host <string>
set port <string>
set protocol <string>
set vlan <string>
set application-list-status {enable | disable}
set application-list <string>
set casi-profile-status {enable | disable}
set casi-profile <string>
set ips-sensor-status {enable | disable}
set ips-sensor <string>
set dsri {enable | disable}
set av-profile-status {enable | disable}
set av-profile <string>
set webfilter-profile-status {enable | disable}
set webfilter-profile <string>
set spamfilter-profile-status {enable | disable}
set spamfilter-profile <string>
set dlp-sensor-status {enable | disable}
set dlp-sensor <string>
set ips-dos-status {enable | disable}
config anomaly
edit <name_str>
set name <string>
set status {disable | enable}
set log {enable | disable}
set action {pass | block | proxy}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
set threshold <integer>
set threshold(default) <integer>
end
set scan-botnet-connections {disable | block | monitor}
set max-packet-count <integer>
end

Description
Configuration Description Default Value

id Sniffer ID. 0

status Enable/disable sniffer status. enable

logtraffic Enable/disable sniffer log traffic. utm

ipv6 Enable/disable sniffer for IPv6 packets. disable

non-ip Enable/disable sniffer for non-IP packets. disable

interface Interface name. (Empty)

host Host list (IP or IP/mask or IP range). (Empty)

port Port list. (Empty)

protocol IP protocol list. (Empty)

vlan VLAN list. (Empty)

application-list-status Enable/disable application control. disable

application-list Application list name. (Empty)

casi-profile-status Enable/disable CASI. disable

casi-profile CASI profile name. (Empty)

ips-sensor-status Enable/disable IPS sensor. disable

ips-sensor IPS sensor name. (Empty)

dsri Enable/disable DSRI. disable

av-profile-status Enable/disable antivirus. disable

av-profile Antivirus profile. (Empty)

webfilter-profile-status Enable/disable web filter. disable

webfilter-profile Web filter profile. (Empty)

spamfilter-profile-status Enable/disable spam filter. disable

spamfilter-profile Spam filter profile. (Empty)

dlp-sensor-status Enable/disable DLP sensor. disable

dlp-sensor DLP sensor. (Empty)

ips-dos-status Enable/disable IPS DoS anomaly detection. disable

anomaly Configure anomaly. (Empty)

scan-botnet-connections Enable/disable scanning of connections to Botnet servers. disable

max-packet-count Maximum packet count. 4000
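A one-arm sniffer policy for passive monitoring, added here as an illustration and not taken from the reference or from Fortinet: the interface receives a SPAN or mirror feed, and the policy runs IPS, application control, antivirus and DoS anomaly detection over it with every session logged, without being in the traffic path. The interface name port3, the monitored range 192.0.2.0/24, the profile name default and the anomaly name tcp_syn_flood are assumptions for this example. Lines beginning with # are comments for the reader.

```fortios
config firewall sniffer
    edit 1
        set status enable
        # Log all sniffed sessions, not only those with a UTM event
        set logtraffic all
        # Assumed: port3 is connected to a switch mirror port
        set interface "port3"
        set host "192.0.2.0/24"
        set port "80 443"
        # Protocol 6 = TCP
        set protocol "6"
        set ips-sensor-status enable
        set ips-sensor "default"
        set application-list-status enable
        set application-list "default"
        set av-profile-status enable
        set av-profile "default"
        # DoS anomaly detection; the sniffer is passive, so pass + log is the useful action
        set ips-dos-status enable
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
        end
        # Record, but do not try to block, botnet C&C connections seen on the mirror
        set scan-botnet-connections monitor
        set max-packet-count 4000
    next
end
```

Because the sniffer never forwards packets, block actions cannot stop anything here; the value is the detection log, which can then drive changes to the inline policies.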

firewall/ssl-server
CLI Syntax
config firewall ssl-server
edit <name_str>
set name <string>
set ip <ipv4-address-any>
set port <integer>
set ssl-mode {half | full}
set add-header-x-forwarded-proto {enable | disable}
set mapped-port <integer>
set ssl-cert <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-min-version {ssl-3.0 | tls-1.0}
set ssl-max-version {ssl-3.0 | tls-1.0}
set ssl-send-empty-frags {enable | disable}
set url-rewrite {enable | disable}
end

Description
Configuration Description Default Value

name Server name. (Empty)

ip Server IP address. 0.0.0.0

port Server service port. 0

ssl-mode SSL/TLS mode for encryption & decryption of traffic. full

add-header-x-forwarded-proto Enable/disable add X-Forwarded-Proto header to forwarded requests. enable

mapped-port Mapped server service port. 0

ssl-cert Name of certificate for SSL connections to this server. (Empty)

ssl-dh-bits Size of Diffie-Hellman prime used in DHE-RSA negotiation. 2048

ssl-algorithm Relative strength of encryption algorithms accepted in negotiation. high

ssl-client-renegotiation Allow/block client renegotiation by server. allow

ssl-min-version Lowest SSL/TLS version to negotiate. ssl-3.0

ssl-max-version Highest SSL/TLS version to negotiate. tls-1.0

ssl-send-empty-frags Enable/disable send empty fragments to avoid attack on CBC IV. enable

url-rewrite Enable/disable rewrite URL. disable
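The same SSL offload server written twice, added here as an illustration and not taken from the reference or from Fortinet: first with the settings a practitioner should not accept, then hardened using only the values this table offers. The server address 192.0.2.10, the entry names and the certificate name example-com-server-cert are assumptions for this example. Lines beginning with # are comments for the reader.

```fortios
# Weak: SSL 3.0 accepted, client renegotiation unrestricted, and half mode
# sends the decrypted traffic to the backend in clear text
config firewall ssl-server
    edit "web-offload-weak"
        set ip 192.0.2.10
        set port 443
        set mapped-port 80
        set ssl-mode half
        set ssl-cert "example-com-server-cert"
        set ssl-dh-bits 1024
        set ssl-algorithm low
        set ssl-client-renegotiation allow
        set ssl-min-version ssl-3.0
        set ssl-max-version tls-1.0
    next
end

# Hardened: highest floor this table allows, strong DH group, secure
# renegotiation only, and re-encryption to the backend (full mode)
config firewall ssl-server
    edit "web-offload"
        set ip 192.0.2.10
        set port 443
        set mapped-port 443
        set ssl-mode full
        # Tell the backend the client connection was HTTPS
        set add-header-x-forwarded-proto enable
        set ssl-cert "example-com-server-cert"
        set ssl-dh-bits 2048
        set ssl-algorithm high
        # secure = only RFC 5746 renegotiation; deny also works if clients never renegotiate
        set ssl-client-renegotiation secure
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.0
        # Mitigation for the CBC IV predictability in TLS 1.0 and earlier
        set ssl-send-empty-frags enable
    next
end
```

The caveat a practitioner needs: ssl-max-version in this table tops out at tls-1.0, so an ssl-server entry on this release cannot satisfy a TLS 1.2 requirement no matter how it is set, and services with that requirement should not be offloaded through it.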

firewall/ssl-ssh-profile
CLI Syntax
config firewall ssl-ssh-profile
edit <name_str>
set name <string>
set comment <var-string>
config ssl
edit <name_str>
set inspect-all {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config https
edit <name_str>
set ports <integer>
set status {disable | certificate-inspection | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ftps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config imaps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config pop3s
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config smtps
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set client-cert-request {bypass | inspect | block}
set unsupported-ssl {bypass | inspect | block}
set allow-invalid-server-cert {enable | disable}
set untrusted-cert {allow | block | ignore}
end
config ssh
edit <name_str>
set ports <integer>
set status {disable | deep-inspection | enable}
set inspect-all {disable | deep-inspection | enable}
set block {x11-filter | ssh-shell | exec | port-forward}
set log {x11-filter | ssh-shell | exec | port-forward}
end
set whitelist {enable | disable}
config ssl-exempt
edit <name_str>
set id <integer>
set type {fortiguard-category | address | address6}
set fortiguard-category <integer>
set address <string>
set address6 <string>
end
set server-cert-mode {re-sign | replace}
set use-ssl-server {disable | enable}
set caname <string>
set untrusted-caname <string>
set certname <string>
set server-cert <string>
config ssl-server
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set https-client-cert-request {bypass | inspect | block}
set smtps-client-cert-request {bypass | inspect | block}
set pop3s-client-cert-request {bypass | inspect | block}
set imaps-client-cert-request {bypass | inspect | block}
set ftps-client-cert-request {bypass | inspect | block}
set ssl-other-client-cert-request {bypass | inspect | block}
end
set ssl-invalid-server-cert-log {disable | enable}
set rpc-over-https {enable | disable}
end
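A deep-inspection profile assembled from the syntax above, added here as an illustration and not taken from the reference or from Fortinet: HTTPS and SMTPS are decrypted with a re-signing CA, servers whose certificate chain cannot be validated are blocked rather than re-signed with the untrusted CA, SSH port forwarding and X11 are refused inside inspected sessions, and one address object is exempted from decryption. The profile name, the port numbers and the address object banking-sites are assumptions for this example; Fortinet_CA_SSL and Fortinet_CA_Untrusted are the defaults the description table gives. Lines beginning with # are comments for the reader.

```fortios
config firewall ssl-ssh-profile
    edit "deep-inspection-custom"
        set comment "Full TLS inspection with a re-signing CA; banking exempted"
        config ssl
            # Leave generic SSL inspection off; inspect per protocol below
            set inspect-all disable
        end
        config https
            set ports 443 8443
            set status deep-inspection
            set client-cert-request bypass
            # Do not pass through TLS the proxy cannot parse
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            # Block rather than re-sign sites with an untrusted chain
            set untrusted-cert block
        end
        config smtps
            set ports 465
            set status deep-inspection
            set unsupported-ssl block
            set untrusted-cert block
        end
        config ssh
            set ports 22
            set status deep-inspection
            # Refuse tunnelling channels inside inspected SSH sessions and log the rest
            set block port-forward x11-filter
            set log ssh-shell exec port-forward x11-filter
        end
        # Skip decryption for FortiGuard-whitelisted servers (certificate pinning, update services)
        set whitelist enable
        config ssl-exempt
            edit 1
                # Assumed address object covering sites that must not be decrypted
                set type address
                set address "banking-sites"
            next
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        # Log every server certificate that failed validation
        set ssl-invalid-server-cert-log enable
        set rpc-over-https enable
    next
end
```

Deep inspection only works on clients that trust the re-signing CA; until caname's certificate is deployed to them, every inspected site produces a certificate warning, which is the usual reason exemptions and the whitelist end up broader than intended.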

Description
Configuration                    Description                                                        Default Value

name                             Name.                                                              (Empty)
comment                          Comment.                                                           (Empty)
ssl                              ssl sub-table; defaults below.                                     Details below
    inspect-all                                                                                     disable
    client-cert-request                                                                             bypass
    unsupported-ssl                                                                                 bypass
    allow-invalid-server-cert                                                                       disable
    untrusted-cert                                                                                  allow
https                            https sub-table; defaults below.                                   Details below
    ports                                                                                           (Empty)
    status                                                                                          deep-inspection
    client-cert-request                                                                             bypass
    unsupported-ssl                                                                                 bypass
    allow-invalid-server-cert                                                                       disable
    untrusted-cert                                                                                  allow
ftps                             ftps sub-table; defaults below.                                    Details below
    ports                                                                                           (Empty)
    status                                                                                          deep-inspection
    client-cert-request                                                                             bypass
    unsupported-ssl                                                                                 bypass
    allow-invalid-server-cert                                                                       disable
    untrusted-cert                                                                                  allow
imaps                            imaps sub-table; defaults below.                                   Details below
    ports                                                                                           (Empty)
    status                                                                                          deep-inspection
    client-cert-request                                                                             inspect
    unsupported-ssl                                                                                 bypass
    allow-invalid-server-cert                                                                       disable
    untrusted-cert                                                                                  allow
pop3s                            pop3s sub-table; defaults below.                                   Details below
    ports                                                                                           (Empty)
    status                                                                                          deep-inspection
    client-cert-request                                                                             inspect
    unsupported-ssl                                                                                 bypass
    allow-invalid-server-cert                                                                       disable
    untrusted-cert                                                                                  allow
smtps                            smtps sub-table; defaults below.                                   Details below
    ports                                                                                           (Empty)
    status                                                                                          deep-inspection
    client-cert-request                                                                             inspect
    unsupported-ssl                                                                                 bypass
    allow-invalid-server-cert                                                                       disable
    untrusted-cert                                                                                  allow
ssh                              ssh sub-table; defaults below.                                     Details below
    ports                                                                                           (Empty)
    status                                                                                          deep-inspection
    inspect-all                                                                                     disable
    block                                                                                           (Empty)
    log                                                                                             (Empty)
whitelist                        Enable/disable exempting servers on the FortiGuard whitelist.      disable
ssl-exempt                       Servers to exempt from SSL inspection.                             (Empty)
server-cert-mode                 Re-sign or replace the server's certificate.                       re-sign
use-ssl-server                   Enable/disable use of the SSL server table for SSL offloading.     disable
caname                           CA certificate used by SSL inspection.                             Fortinet_CA_SSL
untrusted-caname                 Untrusted CA certificate used by SSL inspection.                   Fortinet_CA_Untrusted
certname                         Certificate containing the key to use when re-signing server       Fortinet_SSL
                                 certificates for SSL inspection.
server-cert                      Certificate used by SSL inspection to replace the server           Fortinet_SSL
                                 certificate.
ssl-server                       SSL servers.                                                       (Empty)
ssl-invalid-server-cert-log      Enable/disable SSL server certificate validation logging.          disable
rpc-over-https                   Enable/disable inspection of RPC over HTTPS.                       enable
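Example (added to this reference; not part of the original document or of any Fortinet sample). The defaults above deserve a second look: untrusted-cert defaults to allow, so a server that presents an untrusted certificate is still re-signed with the trusted inspection CA and the client never sees the problem; unsupported-ssl defaults to bypass; and whitelist, when enabled, sends traffic to FortiGuard-whitelisted servers through uninspected. The profile below turns those into fail-closed settings, blocks tunnelling through inspected SSH sessions, and exempts certificate-pinned destinations by address object instead of relaxing the check for everyone. The object names "deep-inspect-strict" and "pinned-banking-sites" are assumed; the address object must exist before it is referenced. Lines starting with # are comments.

```fortios
config firewall ssl-ssh-profile
    edit "deep-inspect-strict"
        set comment "Deep inspection; fail closed on untrusted or invalid server certificates"
        config https
            set ports 443
            set status deep-inspection
            # bypass (default) leaves mutual-TLS sessions uninspected rather than
            # breaking them; switch to block if client-certificate sites are not expected.
            set client-cert-request bypass
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config imaps
            set ports 993
            set status deep-inspection
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config smtps
            set ports 465
            set status deep-inspection
            set unsupported-ssl block
            set allow-invalid-server-cert disable
            set untrusted-cert block
        end
        config ssh
            set ports 22
            set status deep-inspection
            # Stop port forwarding and X11 through inspected sessions; log interactive use.
            set block port-forward x11-filter
            set log ssh-shell exec port-forward x11-filter
        end
        # Pinned destinations cannot be re-signed; exempt them explicitly.
        # "pinned-banking-sites" is an assumed firewall address group.
        config ssl-exempt
            edit 1
                set type address
                set address "pinned-banking-sites"
            next
        end
        set whitelist disable
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        set ssl-invalid-server-cert-log enable
    next
end
```

The profile only takes effect once a firewall policy references it; the Fortinet_CA_SSL certificate must be trusted by the clients behind that policy, otherwise every re-signed site produces a browser warning.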

firewall/ttl-policy
CLI Syntax
config firewall ttl-policy
edit <name_str>
set id <integer>
set status {enable | disable}
set action {accept | deny}
set srcintf <string>
config srcaddr
edit <name_str>
set name <string>
end
config service
edit <name_str>
set name <string>
end
set schedule <string>
set ttl <user>
end

Description
Configuration Description Default Value

id ID. 0

status Enable/disable this policy. enable

action Action. deny

srcintf Source interface name. (Empty)

srcaddr Source address name. (Empty)

service Service name. (Empty)

schedule Schedule name. (Empty)

ttl TTL range. (Empty)

firewall/vip
CLI Syntax
config firewall vip
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat | load-balance | server-load-balance | dns-translation | fqdn}
set dns-mapping-ttl <integer>
set ldb-method {static | round-robin | weighted | least-session | least-rtt | first-alive | http-host}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
config mappedip
edit <name_str>
set range <string>
end
set mapped-addr <string>
set extintf <string>
set arp-reply {disable | enable}
set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
set persistence {none | http-cookie | ssl-session-id}
set nat-source-vip {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp | icmp}
set extport <user>
set mappedport <user>
set gratuitous-arp-interval <integer>
config srcintf-filter
edit <name_str>
set interface-name <string>
end
set portmapping-type {1-to-1 | m-to-n}
config realservers
edit <name_str>
set id <integer>
set ip <ipv4-address-any>
set port <integer>
set status {active | standby | disable}
set weight <integer>
set holddown-interval <integer>
set healthcheck {disable | enable | vip}
set http-host <string>
set max-connections <integer>
set monitor <string>
set client-ip <user>
end
set http-cookie-domain-from-host {disable | enable}
set http-cookie-domain <string>
set http-cookie-path <string>
set http-cookie-generation <integer>
set http-cookie-age <integer>
set http-cookie-share {disable | same-ip}
set https-cookie-secure {disable | enable}
set http-multiplex {enable | disable}
set http-ip-header {enable | disable}
set http-ip-header-name <string>
set outlook-web-access {disable | enable}
set weblogic-server {disable | enable}
set websphere-server {disable | enable}
set ssl-mode {half | full}
set ssl-certificate <string>
set ssl-dh-bits {768 | 1024 | 1536 | 2048}
set ssl-algorithm {high | medium | low | custom}
config ssl-cipher-suites
edit <name_str>
set priority <integer>
set cipher {TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 |
    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 | TLS-DHE-RSA-WITH-AES-128-CBC-SHA | TLS-DHE-RSA-WITH-AES-256-CBC-SHA |
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 | TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 |
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-DHE-DSS-WITH-AES-128-CBC-SHA | TLS-DHE-DSS-WITH-AES-256-CBC-SHA |
    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256 | TLS-DHE-DSS-WITH-AES-128-GCM-SHA256 | TLS-DHE-DSS-WITH-AES-256-CBC-SHA256 |
    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 |
    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA | TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 |
    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA | TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 |
    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 | TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 | TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 |
    TLS-RSA-WITH-AES-128-CBC-SHA | TLS-RSA-WITH-AES-256-CBC-SHA | TLS-RSA-WITH-AES-128-CBC-SHA256 |
    TLS-RSA-WITH-AES-128-GCM-SHA256 | TLS-RSA-WITH-AES-256-CBC-SHA256 | TLS-RSA-WITH-AES-256-GCM-SHA384 |
    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA | TLS-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 |
    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA | TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA |
    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 |
    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256 | TLS-DHE-RSA-WITH-SEED-CBC-SHA | TLS-DHE-DSS-WITH-SEED-CBC-SHA |
    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256 |
    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384 | TLS-RSA-WITH-SEED-CBC-SHA | TLS-RSA-WITH-ARIA-128-CBC-SHA256 |
    TLS-RSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 |
    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 | TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 | TLS-ECDHE-RSA-WITH-RC4-128-SHA |
    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA | TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA | TLS-RSA-WITH-3DES-EDE-CBC-SHA |
    TLS-RSA-WITH-RC4-128-MD5 | TLS-RSA-WITH-RC4-128-SHA | TLS-DHE-RSA-WITH-DES-CBC-SHA |
    TLS-DHE-DSS-WITH-DES-CBC-SHA | TLS-RSA-WITH-DES-CBC-SHA}
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
set ssl-pfs {require | deny | allow}
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-send-empty-frags {enable | disable}
set ssl-client-renegotiation {allow | deny | secure}
set ssl-client-session-state-type {disable | time | count | both}
set ssl-client-session-state-timeout <integer>
set ssl-client-session-state-max <integer>
set ssl-server-session-state-type {disable | time | count | both}
set ssl-server-session-state-timeout <integer>
set ssl-server-session-state-max <integer>
set ssl-http-location-conversion {enable | disable}
set ssl-http-match-host {enable | disable}
set monitor <string>
set max-embryonic-connections <integer>
set color <integer>
end

Description
Configuration                      Description                                                          Default Value

name                               Virtual IP name.                                                     (Empty)
id                                 Custom defined ID.                                                   0
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
comment                            Comment.                                                             (Empty)
type                               VIP type: static NAT, load balance, server load balance,             static-nat
                                   DNS translation or FQDN.
dns-mapping-ttl                    DNS mapping TTL (set to zero to use the TTL in the DNS               0
                                   response, default = 0).
ldb-method                         Load balance method.                                                 static
src-filter                         Source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y).                        (Empty)
extip                              Start external IP - end external IP.                                 0.0.0.0
mappedip                           Mapped IP (x.x.x.x/x x.x.x.x-y.y.y.y).                               (Empty)
mapped-addr                        Mapped address.                                                      (Empty)
extintf                            External interface.                                                  (Empty)
arp-reply                          Enable/disable ARP reply.                                            enable
server-type                        Server type.                                                         (Empty)
persistence                        Persistence.                                                         none
nat-source-vip                     Enable/disable forcing NAT to the VIP address when the server        disable
                                   initiates outbound connections.
portforward                        Enable/disable port forward.                                         disable
protocol                           Mapped port protocol.                                                tcp
extport                            External service port.                                               0
mappedport                         Mapped service port.                                                 0
gratuitous-arp-interval            Interval between sending gratuitous ARPs (seconds, 0 to disable).    0
srcintf-filter                     Source interface filter.                                             (Empty)
portmapping-type                   Port mapping type.                                                   1-to-1
realservers                        Real servers.                                                        (Empty)
http-cookie-domain-from-host       Enable/disable use of HTTP cookie domain from the HTTP Host          disable
                                   field.
http-cookie-domain                 HTTP cookie domain.                                                  (Empty)
http-cookie-path                   HTTP cookie path.                                                    (Empty)
http-cookie-generation             Generation of HTTP cookie to be accepted. Changing this              0
                                   invalidates all existing cookies.
http-cookie-age                    Number of minutes the web browser should keep the cookie             60
                                   (0 = forever).
http-cookie-share                  Share HTTP cookies across different virtual servers.                 same-ip
https-cookie-secure                Enable/disable setting the Secure attribute on the cookie            disable
                                   inserted into HTTPS sessions.
http-multiplex                     Enable/disable multiplexing HTTP requests/responses over a           disable
                                   single TCP connection.
http-ip-header                     Add an HTTP header containing the client's original IP               disable
                                   address.
http-ip-header-name                Name of the HTTP header containing the client's IP address           (Empty)
                                   (X-Forwarded-For is used if empty).
outlook-web-access                 Enable/disable adding an HTTP header indicating SSL offload          disable
                                   for an Outlook Web Access server.
weblogic-server                    Enable/disable adding an HTTP header indicating SSL offload          disable
                                   for a WebLogic server.
websphere-server                   Enable/disable adding an HTTP header indicating SSL offload          disable
                                   for a WebSphere server.
ssl-mode                           SSL/TLS mode for encryption & decryption of traffic.                 half
ssl-certificate                    Name of the certificate to offer in every SSL connection.            (Empty)
ssl-dh-bits                        Size of the Diffie-Hellman prime used in DHE-RSA negotiation.        2048
ssl-algorithm                      Relative strength of encryption algorithms accepted in               high
                                   negotiation.
ssl-cipher-suites                  SSL/TLS cipher suites ordered by priority.                           (Empty)
ssl-pfs                            SSL Perfect Forward Secrecy.                                         allow
ssl-min-version                    Lowest SSL/TLS version to negotiate.                                 tls-1.0
ssl-max-version                    Highest SSL/TLS version to negotiate.                                tls-1.2
ssl-send-empty-frags               Send empty fragments to avoid attack on CBC IV                       enable
                                   (SSL 3.0 & TLS 1.0 only).
ssl-client-renegotiation           Allow or deny client-initiated renegotiation, or accept only         allow
                                   secure (RFC 5746) renegotiation.
ssl-client-session-state-type      Control client to FortiGate SSL session state preservation.          both
ssl-client-session-state-timeout   Number of minutes to keep client to FortiGate SSL session            30
                                   state.
ssl-client-session-state-max       Maximum number of client to FortiGate SSL session states to          1000
                                   keep.
ssl-server-session-state-type      Control FortiGate to server SSL session state preservation.          both
ssl-server-session-state-timeout   Number of minutes to keep FortiGate to server SSL session            60
                                   state.
ssl-server-session-state-max       Maximum number of FortiGate to server SSL session states to          100
                                   keep.
ssl-http-location-conversion       Enable/disable location conversion on the HTTP response             disable
                                   header.
ssl-http-match-host                Enable/disable HTTP host matching for location conversion.           disable
monitor                            Health monitors.                                                     (Empty)
max-embryonic-connections          Maximum number of incomplete connections.                            1000
color                              GUI icon color.                                                      0

firewall/vip46
CLI Syntax
config firewall vip46
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end

Description
Configuration                      Description                                                          Default Value

name                               VIP46 name.                                                          (Empty)
id                                 Custom defined ID.                                                   0
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
comment                            Comment.                                                             (Empty)
src-filter                         Source IP filter (x.x.x.x/x).                                        (Empty)
extip                              Start-external-IP [-end-external-IP].                                0.0.0.0
mappedip                           Start-mapped-IP [-end-mapped-IP].                                    ::
arp-reply                          Enable ARP reply.                                                    enable
portforward                        Enable port forward.                                                 disable
protocol                           Mapped port protocol.                                                tcp
extport                            External service port.                                               0
mappedport                         Mapped service port.                                                 0
color                              GUI icon color.                                                      0

firewall/vip6
CLI Syntax
config firewall vip6
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
set type {static-nat}
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp | sctp}
set extport <user>
set mappedport <user>
set color <integer>
end

Description
Configuration                      Description                                                          Default Value

name                               Virtual IP6 name.                                                    (Empty)
id                                 Custom defined ID.                                                   0
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
comment                            Comment.                                                             (Empty)
type                               VIP type: static NAT.                                                static-nat
src-filter                         Source IP6 filter (x:x:x:x:x:x:x:x/x).                               (Empty)
extip                              Start external IP - end external IP.                                 ::
mappedip                           Start mapped IP - end mapped IP.                                     ::
arp-reply                          Enable/disable ARP reply.                                            enable
portforward                        Enable/disable port forward.                                         disable
protocol                           Mapped port protocol.                                                tcp
extport                            External service port.                                               0
mappedport                         Mapped service port.                                                 0
color                              GUI icon color.                                                      0

firewall/vip64
CLI Syntax
config firewall vip64
edit <name_str>
set name <string>
set id <integer>
set uuid <uuid>
set comment <var-string>
config src-filter
edit <name_str>
set range <string>
end
set extip <user>
set mappedip <user>
set arp-reply {disable | enable}
set portforward {disable | enable}
set protocol {tcp | udp}
set extport <user>
set mappedport <user>
set color <integer>
end

Description
Configuration                      Description                                                          Default Value

name                               VIP64 name.                                                          (Empty)
id                                 Custom defined ID.                                                   0
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
comment                            Comment.                                                             (Empty)
src-filter                         Source IP6 filter (x:x:x:x:x:x:x:x/x).                               (Empty)
extip                              Start-external-IP [-end-external-IP].                                ::
mappedip                           Start-mapped-IP [-end-mapped-IP].                                    0.0.0.0
arp-reply                          Enable ARP reply.                                                    enable
portforward                        Enable port forward.                                                 disable
protocol                           Mapped port protocol.                                                tcp
extport                            External service port.                                               0
mappedport                         Mapped service port.                                                 0
color                              GUI icon color.                                                      0

firewall/vipgrp
CLI Syntax
config firewall vipgrp
edit <name_str>
set name <string>
set uuid <uuid>
set interface <string>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration                      Description                                                          Default Value

name                               VIP group name.                                                      (Empty)
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
interface                          Interface.                                                           (Empty)
color                              GUI icon color.                                                      0
comments                           Comment.                                                             (Empty)
member                             VIP group member.                                                    (Empty)

firewall/vipgrp46
CLI Syntax
config firewall vipgrp46
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration                      Description                                                          Default Value

name                               VIP46 group name.                                                    (Empty)
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
color                              GUI icon color.                                                      0
comments                           Comment.                                                             (Empty)
member                             VIP46 group member.                                                  (Empty)

firewall/vipgrp6
CLI Syntax
config firewall vipgrp6
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration                      Description                                                          Default Value

name                               IPv6 VIP group name.                                                 (Empty)
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
color                              GUI icon color.                                                      0
comments                           Comment.                                                             (Empty)
member                             IPv6 VIP group member.                                               (Empty)

firewall/vipgrp64
CLI Syntax
config firewall vipgrp64
edit <name_str>
set name <string>
set uuid <uuid>
set color <integer>
set comments <var-string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration                      Description                                                          Default Value

name                               VIP64 group name.                                                    (Empty)
uuid                               Universally Unique IDentifier.                                       00000000-0000-0000-0000-000000000000
color                              GUI icon color.                                                      0
comments                           Comment.                                                             (Empty)
member                             VIP64 group member.                                                  (Empty)

ftp-proxy/explicit
CLI Syntax
config ftp-proxy explicit
edit <name_str>
set status {enable | disable}
set incoming-port <integer>
set incoming-ip <ipv4-address-any>
set outgoing-ip <ipv4-address-any>
set sec-default-action {accept | deny}
end

Description
Configuration                      Description                                                          Default Value

status                             Enable/disable the explicit FTP proxy.                               disable
incoming-port                      Port on which incoming FTP requests are accepted; change it to       21
                                   accept on a port other than 21.
incoming-ip                        Accept incoming FTP requests on this IP. An interface must have      0.0.0.0
                                   this IP address.
outgoing-ip                        Outgoing FTP requests leave from this IP. An interface must have     (Empty)
                                   this IP address.
sec-default-action                 Default action (allow or deny) when no ftp-proxy firewall policy     deny
                                   exists.

gui/console
CLI Syntax
config gui console
edit <name_str>
set preferences <user>
end

Description
Configuration                      Description                                                          Default Value

preferences                        Preferences.                                                         "c2lkY2FyZQlGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTk5OTkJMAphZG1pbglGRkZGRkYJMDAwMDAwCW1vbm9zcGFjZQkxMHB0CTUwMAkwCg=="

icap/profile
CLI Syntax
config icap profile
edit <name_str>
set replacemsg-group <string>
set name <string>
set request {disable | enable}
set response {disable | enable}
set streaming-content-bypass {disable | enable}
set request-server <string>
set response-server <string>
set request-failure {error | bypass}
set response-failure {error | bypass}
set request-path <string>
set response-path <string>
set methods {delete | get | head | options | post | put | trace | other}
end

Description
Configuration                      Description                                                          Default Value

replacemsg-group                   Replacement message group.                                           (Empty)
name                               ICAP profile name.                                                   (Empty)
request                            Enable/disable passing HTTP requests to the ICAP server.             disable
response                           Enable/disable passing HTTP responses to the ICAP server.            disable
streaming-content-bypass           Enable/disable bypassing the ICAP server for streaming content.      disable
request-server                     ICAP server to use for an HTTP request.                              (Empty)
response-server                    ICAP server to use for an HTTP response.                             (Empty)
request-failure                    Action to take if the ICAP server cannot be contacted when           error
                                   processing an HTTP request.
response-failure                   Action to take if the ICAP server cannot be contacted when           error
                                   processing an HTTP response.
request-path                       Path component of the ICAP URI that identifies the HTTP request      (Empty)
                                   processing service.
response-path                      Path component of the ICAP URI that identifies the HTTP response     (Empty)
                                   processing service.
methods                            The allowed HTTP methods that will be sent to the ICAP server        delete get head options
                                   for further processing.                                              post put trace other
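Example (added to this reference; not part of the original document or of any Fortinet sample). The security-relevant choice in an ICAP profile is request-failure / response-failure: error keeps the profile fail-closed, while bypass hands content through unscanned whenever the ICAP server is down or saturated (max-connections on the server object is the usual saturation point). The fragment below pairs a server object with a profile that scans both directions and fails closed; the server name "av-scanner", its address, and the service paths "reqmod" and "respmod" (whatever the ICAP server actually exposes) are assumed. Lines starting with # are comments.

```fortios
config icap server
    edit "av-scanner"
        set ip-version 4
        set ip-address 10.0.20.5
        set port 1344
        # Concurrent connections the FortiGate will open to this server.
        set max-connections 200
    next
end
config icap profile
    edit "icap-fail-closed"
        set request enable
        set response enable
        set request-server "av-scanner"
        set response-server "av-scanner"
        set request-path "reqmod"
        set response-path "respmod"
        # error (the default) returns an error page when the scanner is unreachable.
        # The fail-open alternative would be:
        #     set request-failure bypass
        #     set response-failure bypass
        set request-failure error
        set response-failure error
        # Keep long-lived streaming responses under ICAP control as well.
        set streaming-content-bypass disable
        # Only forward the methods the scanner needs to see; the default is all.
        set methods get post put delete
    next
end
```

The profile is applied from a firewall policy together with a proxy-based inspection mode; requests using methods outside the list are not sent to the scanner, so the method list should track what the back-end services actually accept.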

icap/server
CLI Syntax
config icap server
edit <name_str>
set name <string>
set ip-version {4 | 6}
set ip-address <ipv4-address-any>
set ip6-address <ipv6-address>
set port <integer>
set max-connections <integer>
end

Description
Configuration                      Description                                                          Default Value

name                               Server name.                                                         (Empty)
ip-version                         IP version.                                                          4
ip-address                         IPv4 address of the ICAP server.                                     0.0.0.0
ip6-address                        IPv6 address of the ICAP server.                                     ::
port                               ICAP server port.                                                    1344
max-connections                    Maximum number of concurrent connections to the ICAP server.         100

ips/custom
CLI Syntax
config ips custom
edit <name_str>
set tag <string>
set signature <string>
set sig-name <string>
set rule-id <integer>
set severity <user>
set location <user>
set os <user>
set application <user>
set protocol <user>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set comment <string>
end

Description
Configuration Description Default Value

tag Signature tag. (Empty)

signature Signature text. (Empty)

sig-name Signature name. (Empty)

rule-id Signature ID. 0

severity severity (Empty)

location Vulnerable location. (Empty)

os Vulnerable operating systems. (Empty)

application Vulnerable applications. (Empty)

protocol Vulnerable service. (Empty)

status Enable/disable status. enable

log Enable/disable logging. enable

log-packet Enable/disable packet logging. disable

action Action. pass

comment Comment. (Empty)

ips/dbinfo
CLI Syntax
config ips dbinfo
edit <name_str>
set version <integer>
end

Description
Configuration Description Default Value

version Internal category version. 0

ips/decoder
CLI Syntax
config ips decoder
edit <name_str>
set name <string>
config parameter
edit <name_str>
set name <string>
set value <string>
end
end

Description
Configuration Description Default Value

name Decoder name. (Empty)

parameter IPS group parameters. (Empty)

ips/global
CLI Syntax
config ips global
edit <name_str>
set fail-open {enable | disable}
set database {regular | extended}
set traffic-submit {enable | disable}
set anomaly-mode {periodical | continuous}
set session-limit-mode {accurate | heuristic}
set intelligent-mode {enable | disable}
set socket-size <integer>
set engine-count <integer>
set algorithm {engine-pick | low | high | super}
set sync-session-ttl {enable | disable}
set np-accel-mode {none | basic}
set ips-reserve-cpu {disable | enable}
set cp-accel-mode {none | basic | advanced}
set skype-client-public-ipaddr <var-string>
set default-app-cat-mask <user>
set deep-app-insp-timeout <integer>
set deep-app-insp-db-limit <integer>
set exclude-signatures {none | industrial}
end

Description
Configuration                      Description                                                          Default Value

fail-open                          Enable/disable the IPS fail-open option.                             enable
database                           IPS database selection.                                              extended
traffic-submit                     Enable/disable submitting attack characteristics to the              disable
                                   FortiGuard Service.
anomaly-mode                       Blocking mode for rate-based anomaly.                                continuous
session-limit-mode                 Counter mode for session-limit anomaly.                              heuristic
intelligent-mode                   Enable/disable intelligent scan mode.                                enable
socket-size                        IPS socket buffer size.                                              128
engine-count                       Number of engines (0: use recommended setting).                      0
algorithm                          Signature matching algorithm.                                        engine-pick
sync-session-ttl                   Enable/disable use of the kernel session TTL for IPS sessions.       disable
np-accel-mode                      Network Processor acceleration mode.                                 basic
ips-reserve-cpu                    Enable/disable the IPS daemon's use of CPUs other than CPU 0.        disable
cp-accel-mode                      Content Processor acceleration mode.                                 advanced
skype-client-public-ipaddr         Comma-separated client external IP addresses for decrypting the      (Empty)
                                   Skype protocol.
default-app-cat-mask               Default enabled application category mask.                           18446744073709551615
deep-app-insp-timeout              Timeout for deep application inspection (1 - 2147483647 sec.,        0
                                   0 = use recommended setting).
deep-app-insp-db-limit             Limit on the number of entries in the deep application inspection    0
                                   database (1 - 2147483647, 0 = use recommended setting).
exclude-signatures                 Excluded signatures.                                                 industrial

ips/rule
CLI Syntax
config ips rule
edit <name_str>
set name <string>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block}
set group <string>
set severity {}
set location {}
set os <user>
set application <user>
set service <user>
set rule-id <integer>
set rev <integer>
set date <integer>
config metadata
edit <name_str>
set id <integer>
set metaid <integer>
set valueid <integer>
end
end

Description
Configuration Description Default Value

name Rule name. (Empty)

status Enable/disable status. enable

log Enable/disable logging. enable

log-packet Enable/disable packet logging. disable

action Action. pass

group Group. (Empty)

severity Severity. (Empty)

location Vulnerable location. (Empty)

os Vulnerable operation systems. (Empty)

application Vulnerable applications. (Empty)

service Vulnerable service. (Empty)

rule-id Rule ID. 0

rev Revision. 0

date Date. 0

metadata Meta data. (Empty)

ips/rule-settings
CLI Syntax
config ips rule-settings
edit <name_str>
set id <integer>
config tags
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

id Rule ID. 0

tags Applied object tags. (Empty)

ips/sensor
CLI Syntax
config ips sensor
edit <name_str>
set name <string>
set comment <var-string>
set replacemsg-group <string>
set block-malicious-url {disable | enable}
config entries
edit <name_str>
set id <integer>
config rule
edit <name_str>
set id <integer>
end
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
config tags
edit <name_str>
set name <string>
end
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set log-attack-context {disable | enable}
set action {pass | block | reset | default}
set rate-count <integer>
set rate-duration <integer>
set rate-mode {periodical | continuous}
set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
set quarantine {none | attacker | both | interface}
set quarantine-expiry <user>
set quarantine-log {disable | enable}
end
config filter
edit <name_str>
set name <string>
set location <user>
set severity <user>
set protocol <user>
set os <user>
set application <user>
set status {disable | enable | default}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset | default}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
end
config override
edit <name_str>
set rule-id <integer>
set status {disable | enable}
set log {disable | enable}
set log-packet {disable | enable}
set action {pass | block | reset}
set quarantine {none | attacker | both | interface}
set quarantine-expiry <integer>
set quarantine-log {disable | enable}
config exempt-ip
edit <name_str>
set id <integer>
set src-ip <ipv4-classnet>
set dst-ip <ipv4-classnet>
end
end
end

Description
Configuration Description Default Value

name Sensor name. (Empty)

comment Comment. (Empty)

replacemsg-group Replacement message group. (Empty)

block-malicious-url Enable/disable malicious URL blocking. disable

entries IPS sensor filter. (Empty)

filter IPS sensor filter. (Empty)

override IPS override rule. (Empty)
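Example (added to this reference; not part of the original document or of any Fortinet sample). A sensor is only as protective as the engine settings around it: ips global fail-open is enabled by default, which means traffic passes uninspected when the IPS engine cannot keep up, and ips settings keeps only one packet of context before an alert. The fragment below disables fail-open, widens packet capture, and builds a sensor whose first entry blocks and quarantines on server-side high and critical signatures while a second entry keeps lower severities visible in the log without blocking. The sensor name, the exempted scanner address 10.0.30.7 and the one-hour quarantine value are assumed; the quarantine-expiry value is written in the duration form the entries table takes (the filter and override tables take an integer number of minutes instead). Lines starting with # are comments.

```fortios
config ips global
    # fail-open enable (the default) lets traffic through when the engine is overloaded.
    set fail-open disable
    set database extended
    set traffic-submit disable
end
config ips settings
    # Packets kept before and after a hit, so an analyst can verify the detection.
    set packet-log-history 5
    set packet-log-post-attack 5
    set packet-log-memory 1024
end
config ips sensor
    edit "dmz-web-strict"
        set comment "Server-side high/critical: block, log, quarantine attacker"
        set block-malicious-url enable
        config entries
            # Entry 1: block and quarantine the source for one hour.
            edit 1
                set location server
                set severity high critical
                set status enable
                set log enable
                set log-packet enable
                set log-attack-context enable
                set action block
                set quarantine attacker
                set quarantine-expiry 1h
                set quarantine-log enable
                # The internal vulnerability scanner must never be quarantined
                # (address constructed for this example).
                config exempt-ip
                    edit 1
                        set src-ip 10.0.30.7 255.255.255.255
                        set dst-ip 0.0.0.0 0.0.0.0
                    next
                end
            next
            # Entry 2: lower severities are logged only, so they stay visible
            # without adding blocking risk.
            edit 2
                set location server
                set severity low medium
                set status enable
                set log enable
                set log-packet disable
                set action pass
            next
        end
    next
end
```

Entries are evaluated in order, so the blocking entry is listed first; an attacker quarantined by entry 1 is dropped regardless of what entry 2 would have done with the same source. The exempt-ip table only prevents quarantine and blocking for the listed pair, it does not suppress the log entry.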

ips/settings
CLI Syntax
config ips settings
edit <name_str>
set packet-log-history <integer>
set packet-log-post-attack <integer>
set packet-log-memory <integer>
set ips-packet-quota <integer>
end

Description
Configuration                      Description                                                          Default Value

packet-log-history                 Number of packets to be recorded before an alert (1 - 255).          1
packet-log-post-attack             Number of packets to be recorded after an attack (0 - 255).          0
packet-log-memory                  Maximum memory that can be used by the packet log (64 - 8192 kB).    256
ips-packet-quota                   IPS packet quota.                                                    0

log.disk/filter
CLI Syntax
config log.disk filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set dlp-archive {enable | disable}
set gtp {enable | disable}
set event {enable | disable}
set system {enable | disable}
set radius {enable | disable}
set ipsec {enable | disable}
set dhcp {enable | disable}
set ppp {enable | disable}
set admin {enable | disable}
set ha {enable | disable}
set auth {enable | disable}
set pattern {enable | disable}
set sslvpn-log-auth {enable | disable}
set sslvpn-log-adm {enable | disable}
set sslvpn-log-session {enable | disable}
set vip-ssl {enable | disable}
set ldb-monitor {enable | disable}
set wan-opt {enable | disable}
set wireless-activity {enable | disable}
set cpu-memory-usage {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

CLI Reference for FortiOS 5.4 238


Fortinet Technologies Inc.
Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
dlp-archive                     Enable/disable DLP archive logging. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
event                           Enable/disable logging of event messages. Default: enable
system                          Enable/disable logging of system activity messages. Default: enable
radius                          Enable/disable logging of RADIUS messages. Default: enable
ipsec                           Enable/disable logging of IPsec negotiation messages. Default: enable
dhcp                            Enable/disable logging of DHCP service messages. Default: enable
ppp                             Enable/disable logging of L2TP/PPTP/PPPoE messages. Default: enable
admin                           Enable/disable logging of administrator login/logout messages. Default: enable
ha                              Enable/disable logging of HA activity messages. Default: enable
auth                            Enable/disable logging of firewall authentication messages. Default: enable
pattern                         Enable/disable logging of pattern update messages. Default: enable
sslvpn-log-auth                 Enable/disable logging of SSL VPN user authentication. Default: enable
sslvpn-log-adm                  Enable/disable logging of SSL VPN administration. Default: enable
sslvpn-log-session              Enable/disable logging of SSL VPN sessions. Default: enable
vip-ssl                         Enable/disable logging of VIP SSL messages. Default: enable
ldb-monitor                     Enable/disable logging of VIP real server health monitoring messages. Default: enable
wan-opt                         Enable/disable logging of WAN optimization messages. Default: enable
wireless-activity               Enable/disable logging of wireless activity. Default: enable
cpu-memory-usage                Enable/disable logging of CPU and memory usage every 5 minutes. Default: disable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.disk/setting
CLI Syntax
config log disk setting
    set status {enable | disable}
    set ips-archive {enable | disable}
    set max-log-file-size <integer>
    set max-policy-packet-capture-size <integer>
    set roll-schedule {daily | weekly}
    set roll-day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    set roll-time <hh:mm>
    set diskfull {overwrite | nolog}
    set log-quota <integer>
    set dlp-archive-quota <integer>
    set report-quota <integer>
    set maximum-log-age <integer>
    set upload {enable | disable}
    set upload-destination {ftp-server}
    set uploadip <ipv4-address>
    set uploadport <integer>
    set source-ip <ipv4-address>
    set uploaduser <string>
    set uploadpass <password>
    set uploaddir <string>
    set uploadtype {traffic | event | virus | webfilter | IPS | spamfilter | dlp-archive | anomaly | voip | dlp | app-ctrl | waf | netscan | gtp}
    set uploadzip {disable | enable}
    set uploadsched {disable | enable}
    set uploadtime <integer>
    set upload-delete-files {enable | disable}
    set upload-ssl-conn {default | high | low | disable}
    set full-first-warning-threshold <integer>
    set full-second-warning-threshold <integer>
    set full-final-warning-threshold <integer>
end

Description
status                          Enable/disable logging to the local disk. Default: disable
ips-archive                     Enable/disable the IPS packet archive. Default: enable
max-log-file-size               Maximum log file size in MB before the file is rolled. Default: 20
max-policy-packet-capture-size  Maximum size of policy packet captures in MB (0 = unlimited). Default: 10
roll-schedule                   How often log files are checked for rolling. Default: daily
roll-day                        Day of the week on which to roll logs (weekly schedule). Default: sunday
roll-time                       Time of day at which to roll logs (hh:mm). Default: 00:00
diskfull                        Action when the disk is full: overwrite the oldest logs or stop logging. Default: overwrite
log-quota                       Disk log quota in MB (0 = no quota). Default: 0
dlp-archive-quota               DLP archive quota in MB. Default: 0
report-quota                    Report quota in MB. Default: 0
maximum-log-age                 Delete log files older than this many days. Default: 7
upload                          Enable/disable uploading log files when they are rolled. Default: disable
upload-destination              Upload server type. Default: ftp-server
uploadip                        IP address of the upload server. Default: 0.0.0.0
uploadport                      Port of the upload server. Default: 21
source-ip                       Source IP address used for the upload. Default: 0.0.0.0
uploaduser                      User account on the upload server. Default: (empty)
uploadpass                      Password of the user account on the upload server. Default: (empty)
uploaddir                       Remote directory that log files are uploaded to. Default: (empty)
uploadtype                      Types of log files to upload. Default: traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp
uploadzip                       Enable/disable compression of uploaded log files. Default: disable
uploadsched                     Enable scheduled upload (disable = upload when the file is rolled). Default: disable
uploadtime                      Time of the scheduled upload. Default: 0
upload-delete-files             Delete log files from the disk after uploading them. Default: enable
upload-ssl-conn                 SSL protection level for the upload connection; disable sends the FTP credentials and log files in cleartext. Default: default
full-first-warning-threshold    Disk usage percentage that raises the first log-full warning (1 - 98). Default: 75
full-second-warning-threshold   Disk usage percentage that raises the second log-full warning (2 - 99). Default: 90
full-final-warning-threshold    Disk usage percentage that raises the final log-full warning (3 - 100). Default: 95

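The same disk-logging setup written twice, as an added example that is not part of the original reference. The first version is the one not to deploy: the roll-time upload goes to an FTP server with SSL disabled, so the uploaduser/uploadpass credentials and every log file cross the network in cleartext. The second version keeps the same destination but protects the connection, compresses the files, bounds disk usage, and enables the IPS packet archive, which only has packets to store if `config ips settings` (documented above) buffers some around each alert. The addresses, account name and directory are placeholders; with VDOMs enabled these commands are entered under `config global`. Lines beginning with `#` are comments for the reader and are not typed at the prompt.

```text
# Weak: plain FTP on port 21, SSL disabled, nothing about quota or retention.
config log disk setting
    set status enable
    set upload enable
    set upload-destination ftp-server
    set uploadip 203.0.113.10
    set uploadport 21
    set uploaduser fgtlogs
    set uploadpass <password>
    set uploaddir /fortigate/logs
    set upload-ssl-conn disable
end

# Hardened: SSL on the upload, compressed files, fixed daily roll, quota and age
# limits, rising warning thresholds (each one higher than the previous), and the
# IPS packet archive kept for investigation.
config log disk setting
    set status enable
    set ips-archive enable
    set max-log-file-size 10
    set roll-schedule daily
    set roll-time 00:00
    set diskfull overwrite
    set log-quota 2048
    set maximum-log-age 7
    set full-first-warning-threshold 70
    set full-second-warning-threshold 85
    set full-final-warning-threshold 95
    set upload enable
    set upload-destination ftp-server
    set uploadip 203.0.113.10
    set uploadport 21
    set source-ip 198.51.100.1
    set uploaduser fgtlogs
    set uploadpass <password>
    set uploaddir /fortigate/logs
    set uploadtype traffic event virus webfilter IPS spamfilter dlp-archive anomaly voip dlp app-ctrl waf netscan gtp
    set uploadzip enable
    set uploadsched disable
    set upload-delete-files enable
    set upload-ssl-conn high
end

# Give the IPS archive something to store: a few packets before and after each
# alert, with a larger buffer than the 256 kB default.
config ips settings
    set packet-log-history 5
    set packet-log-post-attack 5
    set packet-log-memory 1024
end
```

With `diskfull overwrite` the oldest evidence is the first to go when the quota is hit, so the warning thresholds and the roll-time upload are what keep a copy off the box before that happens; `diskfull nolog` trades that loss for a logging outage instead. Either way, check that the upload actually completes after the first roll before relying on it.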
log.fortianalyzer/filter
CLI Syntax
config log fortianalyzer filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set dlp-archive {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
dlp-archive                     Enable/disable DLP archive logging. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.fortianalyzer/override-filter
CLI Syntax
config log fortianalyzer override-filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set dlp-archive {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
dlp-archive                     Enable/disable DLP archive logging. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.fortianalyzer/override-setting
CLI Syntax
config log fortianalyzer override-setting
    set override {enable | disable}
    set use-management-vdom {enable | disable}
    set status {enable | disable}
    set ips-archive {enable | disable}
    set server <string>
    set hmac-algorithm {sha256 | sha1}
    set enc-algorithm {default | high | low | disable}
    set conn-timeout <integer>
    set monitor-keepalive-period <integer>
    set monitor-failure-retry-period <integer>
    set mgmt-name <string>
    set faz-type <integer>
    set source-ip <string>
    set __change_ip <integer>
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <user>
    set upload-time <hh:mm>
    set reliable {enable | disable}
end

Description
override                        Enable/disable overriding the global FortiAnalyzer settings for this VDOM. Default: disable
use-management-vdom             Enable/disable using the management VDOM's IP address as the source IP for logs sent to FortiAnalyzer. Default: disable
status                          Enable/disable logging to FortiAnalyzer. Default: disable
ips-archive                     Enable/disable the IPS packet archive. Default: enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer. Default: (empty)
hmac-algorithm                  HMAC algorithm for the FortiAnalyzer IPsec tunnel. Default: sha256
enc-algorithm                   SSL encryption level for log data sent to FortiAnalyzer; disable sends the logs in cleartext. Default: high
conn-timeout                    FortiAnalyzer connection timeout in seconds (for status and log buffer). Default: 10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer). Default: 5
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer). Default: 5
mgmt-name                       Hidden management name of the FortiAnalyzer. Default: (empty)
faz-type                        Hidden setting index of the FortiAnalyzer. Default: 4
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. Default: (empty)
__change_ip                     Hidden attribute. Default: 0
upload-option                   realtime sends logs as they are generated; store-and-upload writes them to the hard disk and uploads them on the schedule below. Default: realtime
upload-interval                 How often log files are checked for upload. Default: daily
upload-day                      Day of the week (weekly) or of the month (monthly) on which to upload logs. Default: (empty)
upload-time                     Time of day at which to upload logs (hh:mm). Default: 00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer. Default: disable

log.fortianalyzer/setting
CLI Syntax
config log fortianalyzer setting
    set status {enable | disable}
    set ips-archive {enable | disable}
    set server <string>
    set hmac-algorithm {sha256 | sha1}
    set enc-algorithm {default | high | low | disable}
    set conn-timeout <integer>
    set monitor-keepalive-period <integer>
    set monitor-failure-retry-period <integer>
    set mgmt-name <string>
    set faz-type <integer>
    set source-ip <string>
    set __change_ip <integer>
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <user>
    set upload-time <hh:mm>
    set reliable {enable | disable}
end

Description
status                          Enable/disable logging to FortiAnalyzer. Default: disable
ips-archive                     Enable/disable the IPS packet archive. Default: enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer. Default: (empty)
hmac-algorithm                  HMAC algorithm for the FortiAnalyzer IPsec tunnel. Default: sha256
enc-algorithm                   SSL encryption level for log data sent to FortiAnalyzer; disable sends the logs in cleartext. Default: high
conn-timeout                    FortiAnalyzer connection timeout in seconds (for status and log buffer). Default: 10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer). Default: 5
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer). Default: 5
mgmt-name                       Hidden management name of the FortiAnalyzer. Default: FGh_Log1
faz-type                        Hidden setting index of the FortiAnalyzer. Default: 1
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. Default: (empty)
__change_ip                     Hidden attribute. Default: 0
upload-option                   realtime sends logs as they are generated; store-and-upload writes them to the hard disk and uploads them on the schedule below. Default: realtime
upload-interval                 How often log files are checked for upload. Default: daily
upload-day                      Day of the week (weekly) or of the month (monthly) on which to upload logs. Default: (empty)
upload-time                     Time of day at which to upload logs (hh:mm). Default: 00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer. Default: disable

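A FortiAnalyzer configuration combining the global setting above with the per-VDOM override-setting documented earlier, as an added example that is not part of the original reference. The global target receives logs in real time with SSL at the `high` level, SHA-256 HMAC and reliable delivery, from a fixed source address; one VDOM that has to report to a separate FortiAnalyzer overrides the target while the other VDOMs keep the global one. Server and source addresses and the VDOM name are placeholders; `config log fortianalyzer setting` is entered under `config global` when VDOMs are enabled. Lines beginning with `#` are comments for the reader, not CLI input.

```text
# Global FortiAnalyzer target (config global when VDOMs are enabled).
config log fortianalyzer setting
    set status enable
    set server 203.0.113.20
    set source-ip 198.51.100.1
    set enc-algorithm high
    set hmac-algorithm sha256
    set reliable enable
    set ips-archive enable
    set upload-option realtime
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
end

# One VDOM reports to its own FortiAnalyzer; "set override enable" is what makes
# the rest of this block take effect, otherwise the global setting still applies.
config vdom
    edit dmz
        config log fortianalyzer override-setting
            set override enable
            set status enable
            set server 203.0.113.21
            set use-management-vdom disable
            set source-ip 198.51.100.2
            set enc-algorithm high
            set hmac-algorithm sha256
            set reliable enable
            set ips-archive enable
            set upload-option realtime
        end
    next
end
```

`enc-algorithm disable` is the setting to look for in an audit: it sends the log stream in cleartext. `store-and-upload` with an `upload-interval`, `upload-day` and `upload-time` is the alternative to `realtime` when the link to the FortiAnalyzer is metered or intermittent, at the cost of logs sitting on the FortiGate's disk until the next scheduled upload.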
log.fortianalyzer2/filter
CLI Syntax
config log fortianalyzer2 filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set dlp-archive {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
dlp-archive                     Enable/disable DLP archive logging. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.fortianalyzer2/setting
CLI Syntax
config log fortianalyzer2 setting
    set status {enable | disable}
    set ips-archive {enable | disable}
    set server <string>
    set hmac-algorithm {sha256 | sha1}
    set enc-algorithm {default | high | low | disable}
    set conn-timeout <integer>
    set monitor-keepalive-period <integer>
    set monitor-failure-retry-period <integer>
    set mgmt-name <string>
    set faz-type <integer>
    set source-ip <string>
    set __change_ip <integer>
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <user>
    set upload-time <hh:mm>
    set reliable {enable | disable}
end

Description
status                          Enable/disable logging to FortiAnalyzer. Default: disable
ips-archive                     Enable/disable the IPS packet archive. Default: enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer. Default: (empty)
hmac-algorithm                  HMAC algorithm for the FortiAnalyzer IPsec tunnel. Default: sha256
enc-algorithm                   SSL encryption level for log data sent to FortiAnalyzer; disable sends the logs in cleartext. Default: high
conn-timeout                    FortiAnalyzer connection timeout in seconds (for status and log buffer). Default: 10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer). Default: 5
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer). Default: 5
mgmt-name                       Hidden management name of the FortiAnalyzer. Default: FGh_Log2
faz-type                        Hidden setting index of the FortiAnalyzer. Default: 2
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. Default: (empty)
__change_ip                     Hidden attribute. Default: 0
upload-option                   realtime sends logs as they are generated; store-and-upload writes them to the hard disk and uploads them on the schedule below. Default: realtime
upload-interval                 How often log files are checked for upload. Default: daily
upload-day                      Day of the week (weekly) or of the month (monthly) on which to upload logs. Default: (empty)
upload-time                     Time of day at which to upload logs (hh:mm). Default: 00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer. Default: disable

log.fortianalyzer3/filter
CLI Syntax
config log fortianalyzer3 filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.fortianalyzer3/setting
CLI Syntax
config log fortianalyzer3 setting
    set status {enable | disable}
    set ips-archive {enable | disable}
    set server <string>
    set hmac-algorithm {sha256 | sha1}
    set enc-algorithm {default | high | low | disable}
    set conn-timeout <integer>
    set monitor-keepalive-period <integer>
    set monitor-failure-retry-period <integer>
    set mgmt-name <string>
    set faz-type <integer>
    set source-ip <string>
    set __change_ip <integer>
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <user>
    set upload-time <hh:mm>
    set reliable {enable | disable}
end

Description
status                          Enable/disable logging to FortiAnalyzer. Default: disable
ips-archive                     Enable/disable the IPS packet archive. Default: enable
server                          IPv4 or IPv6 address of the remote FortiAnalyzer. Default: (empty)
hmac-algorithm                  HMAC algorithm for the FortiAnalyzer IPsec tunnel. Default: sha256
enc-algorithm                   SSL encryption level for log data sent to FortiAnalyzer; disable sends the logs in cleartext. Default: high
conn-timeout                    FortiAnalyzer connection timeout in seconds (for status and log buffer). Default: 10
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer). Default: 5
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer). Default: 5
mgmt-name                       Hidden management name of the FortiAnalyzer. Default: FGh_Log3
faz-type                        Hidden setting index of the FortiAnalyzer. Default: 3
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer. Default: (empty)
__change_ip                     Hidden attribute. Default: 0
upload-option                   realtime sends logs as they are generated; store-and-upload writes them to the hard disk and uploads them on the schedule below. Default: realtime
upload-interval                 How often log files are checked for upload. Default: daily
upload-day                      Day of the week (weekly) or of the month (monthly) on which to upload logs. Default: (empty)
upload-time                     Time of day at which to upload logs (hh:mm). Default: 00:59
reliable                        Enable/disable reliable logging to FortiAnalyzer. Default: disable

log.fortiguard/filter
CLI Syntax
config log fortiguard filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set dlp-archive {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
dlp-archive                     Enable/disable DLP archive logging. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.fortiguard/override-filter
CLI Syntax
config log fortiguard override-filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set dlp-archive {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
dlp-archive                     Enable/disable DLP archive logging. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.fortiguard/override-setting
CLI Syntax
config log fortiguard override-setting
    set override {enable | disable}
    set status {enable | disable}
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <user>
    set upload-time <hh:mm>
end

Description
override                        Enable/disable overriding the global FortiCloud logging settings for this VDOM. Default: disable
status                          Enable/disable logging to FortiCloud. Default: disable
upload-option                   realtime sends logs as they are generated; store-and-upload writes them to the hard disk and uploads them to FortiCloud on the schedule below. Default: realtime
upload-interval                 How often log files are checked for upload. Default: daily
upload-day                      Day of the week (weekly) or of the month (monthly) on which to upload logs. Default: (empty)
upload-time                     Time of day at which to upload logs (hh:mm). Default: 00:00

log.fortiguard/setting
CLI Syntax
config log fortiguard setting
    set status {enable | disable}
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <user>
    set upload-time <hh:mm>
    set enc-algorithm {default | high | low | disable}
    set source-ip <ipv4-address>
end

Description
status                          Enable/disable logging to FortiCloud. Default: disable
upload-option                   realtime sends logs as they are generated; store-and-upload writes them to the hard disk and uploads them to FortiCloud on the schedule below. Default: realtime
upload-interval                 How often log files are checked for upload. Default: daily
upload-day                      Day of the week (weekly) or of the month (monthly) on which to upload logs. Default: (empty)
upload-time                     Time of day at which to upload logs (hh:mm). Default: 00:00
enc-algorithm                   SSL encryption level for log data sent to FortiCloud; disable sends the logs in cleartext. Default: high
source-ip                       Source IP address used to connect to FortiCloud. Default: 0.0.0.0

log.memory/filter
CLI Syntax
config log memory filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set gtp {enable | disable}
    set event {enable | disable}
    set system {enable | disable}
    set radius {enable | disable}
    set ipsec {enable | disable}
    set dhcp {enable | disable}
    set ppp {enable | disable}
    set admin {enable | disable}
    set ha {enable | disable}
    set auth {enable | disable}
    set pattern {enable | disable}
    set sslvpn-log-auth {enable | disable}
    set sslvpn-log-adm {enable | disable}
    set sslvpn-log-session {enable | disable}
    set vip-ssl {enable | disable}
    set ldb-monitor {enable | disable}
    set wan-opt {enable | disable}
    set wireless-activity {enable | disable}
    set cpu-memory-usage {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
event                           Enable/disable logging of event messages. Default: enable
system                          Enable/disable logging of system activity messages. Default: enable
radius                          Enable/disable logging of RADIUS messages. Default: enable
ipsec                           Enable/disable logging of IPsec negotiation messages. Default: enable
dhcp                            Enable/disable logging of DHCP service messages. Default: enable
ppp                             Enable/disable logging of L2TP/PPTP/PPPoE messages. Default: enable
admin                           Enable/disable logging of administrator login/logout messages. Default: enable
ha                              Enable/disable logging of HA activity messages. Default: enable
auth                            Enable/disable logging of firewall authentication messages. Default: enable
pattern                         Enable/disable logging of pattern update messages. Default: enable
sslvpn-log-auth                 Enable/disable logging of SSL VPN user authentication. Default: enable
sslvpn-log-adm                  Enable/disable logging of SSL VPN administration. Default: enable
sslvpn-log-session              Enable/disable logging of SSL VPN sessions. Default: enable
vip-ssl                         Enable/disable logging of VIP SSL messages. Default: enable
ldb-monitor                     Enable/disable logging of VIP real server health monitoring messages. Default: enable
wan-opt                         Enable/disable logging of WAN optimization messages. Default: enable
wireless-activity               Enable/disable logging of wireless activity. Default: enable
cpu-memory-usage                Enable/disable logging of CPU and memory usage every 5 minutes. Default: disable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.memory/global-setting
CLI Syntax
config log memory global-setting
    set max-size <integer>
    set full-first-warning-threshold <integer>
    set full-second-warning-threshold <integer>
    set full-final-warning-threshold <integer>
end

Description
max-size                        Maximum size of the memory log buffer in bytes. Default: 163840
full-first-warning-threshold    Buffer usage percentage that raises the first log-full warning (1 - 98). Default: 75
full-second-warning-threshold   Buffer usage percentage that raises the second log-full warning (2 - 99). Default: 90
full-final-warning-threshold    Buffer usage percentage that raises the final log-full warning (3 - 100). Default: 95

log.memory/setting
CLI Syntax
config log memory setting
    set status {enable | disable}
    set diskfull {overwrite}
end

Description
status                          Enable/disable logging to the memory buffer. Default: enable
diskfull                        Action when the memory buffer is full; overwrite (drop the oldest entries) is the only option. Default: overwrite

log.syslogd/filter
CLI Syntax
config log syslogd filter
    set severity {emergency | alert | critical | error | warning | notification | information | debug}
    set forward-traffic {enable | disable}
    set local-traffic {enable | disable}
    set multicast-traffic {enable | disable}
    set sniffer-traffic {enable | disable}
    set anomaly {enable | disable}
    set netscan-discovery {enable | disable}
    set netscan-vulnerability {enable | disable}
    set voip {enable | disable}
    set gtp {enable | disable}
    set filter <string>
    set filter-type {include | exclude}
end

Description
severity                        Lowest severity level to log. Default: information
forward-traffic                 Enable/disable logging of traffic passing through the FortiGate. Default: enable
local-traffic                   Enable/disable logging of traffic to or from the FortiGate itself. Default: enable
multicast-traffic               Enable/disable logging of multicast traffic. Default: enable
sniffer-traffic                 Enable/disable logging of one-arm sniffer traffic. Default: enable
anomaly                         Enable/disable logging of anomaly messages. Default: enable
netscan-discovery               Enable/disable logging of network scan discovery events. Default: enable
netscan-vulnerability           Enable/disable logging of network scan vulnerability events. Default: enable
voip                            Enable/disable logging of VoIP messages. Default: enable
gtp                             Enable/disable logging of GTP messages. Default: enable
filter                          Log filter expression for this log device. Default: (empty)
filter-type                     Include or exclude the logs that match the filter expression. Default: include

log.syslogd/override-filter
CLI Syntax
config log.syslogd override-filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | info
rmation | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration           Description                                            Default Value
severity                Lowest severity level to log.                          information
forward-traffic         Enable/disable log through traffic messages.           enable
local-traffic           Enable/disable log local in or out traffic messages.   enable
multicast-traffic       Enable/disable log multicast traffic messages.         enable
sniffer-traffic         Enable/disable log sniffer traffic messages.           enable
anomaly                 Enable/disable log anomaly messages.                   enable
netscan-discovery       Enable/disable log netscan discovery events.           enable
netscan-vulnerability   Enable/disable log netscan vulnerability events.       enable
voip                    Enable/disable log VoIP messages.                      enable
gtp                     Enable/disable log GTP messages.                       enable
filter                  Log filter for the log device.                         (Empty)
filter-type             Include/exclude logs that match the filter setting.    include

log.syslogd/override-setting
CLI Syntax
config log.syslogd override-setting
edit <name_str>
set override {enable | disable}
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration   Description                                   Default Value
override        Enable/disable override syslog settings.      disable
status          Enable/disable remote syslog logging.         disable
server          Address of remote syslog server.              (Empty)
reliable        Enable/disable reliable logging (RFC3195).    disable
port            Server listen port.                           514
csv             Enable/disable CSV formatting of logs.        disable
facility        Remote syslog facility.                       local7
source-ip       Source IP address of syslog.                  (Empty)

log.syslogd/setting
CLI Syntax
config log.syslogd setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration   Description                                   Default Value
status          Enable/disable remote syslog logging.         disable
server          Address of remote syslog server.              (Empty)
reliable        Enable/disable reliable logging (RFC3195).    disable
port            Server listen port.                           514
csv             Enable/disable CSV formatting of logs.        disable
facility        Remote syslog facility.                       local7
source-ip       Source IP address of syslog.                  (Empty)
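The setting and filter objects above decide what reaches a remote collector, and their documented defaults (status disable, reliable disable, severity information, every category enabled) are the baseline an audit compares against. The Python script below is an added example, not Fortinet code: it parses configuration text written in the block syntax shown on this page for log.syslogd setting and filter (also the override-setting and override-filter variants and the syslogd2 to syslogd4 devices, which share the same keys) and reports settings a defender would want to revisit, such as remote logging left disabled, reliable (RFC3195) delivery off, a severity threshold that drops warning-level events, or an exclude filter. SAMPLE_CONFIG is constructed input in that syntax, not output captured from a FortiGate, and the regular expression and check thresholds are this example's own choices.

```python
"""Audit FortiOS 'log syslogd' settings for weak remote-logging configuration.

Added example (not Fortinet code). Parses the block syntax shown on this page
for log.syslogd setting/filter, their override-* variants and syslogd2-4.
SAMPLE_CONFIG is constructed input, not output captured from a FortiGate.
"""
import re

# From the CLI syntax above, ordered most to least severe. 'severity' is the
# lowest level still logged, so every level after it in this list is dropped.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]

# Default values from the description tables above.
DEFAULTS = {
    "setting": {"status": "disable", "server": "", "reliable": "disable",
                "port": "514", "csv": "disable", "facility": "local7",
                "source-ip": ""},
    "filter": {"severity": "information", "forward-traffic": "enable",
               "local-traffic": "enable", "multicast-traffic": "enable",
               "sniffer-traffic": "enable", "anomaly": "enable",
               "netscan-discovery": "enable", "netscan-vulnerability": "enable",
               "voip": "enable", "gtp": "enable", "filter": "",
               "filter-type": "include"},
}

# Header line of each object, e.g. "config log syslogd2 override-filter".
_HEADER = re.compile(r"^config\s+log\s+(syslogd[234]?)\s+"
                     r"((?:override-)?(?:setting|filter))\s*$")


def parse_syslogd_config(text):
    """Map (device, object) -> settings; omitted keys keep their defaults."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = dict(DEFAULTS[m.group(2).replace("override-", "")])
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            blocks[current][key] = value.strip().strip('"')
        # blank lines, 'edit <name>' and 'next' carry no settings here
    return blocks


def audit(blocks):
    """Return (device, object, finding) tuples for settings worth revisiting."""
    findings = []
    for (dev, obj), cfg in sorted(blocks.items()):
        if obj.endswith("setting"):
            if cfg["status"] != "enable":
                findings.append((dev, obj, "remote syslog logging is disabled"))
                continue
            if not cfg["server"]:
                findings.append((dev, obj, "status is enable but no server is set"))
            if cfg["reliable"] != "enable":
                findings.append((dev, obj, "reliable (RFC3195) logging is off; "
                                 "delivery to port %s is unacknowledged" % cfg["port"]))
        else:
            sev = cfg["severity"]
            if sev not in SEVERITIES:
                findings.append((dev, obj, "unknown severity %r" % sev))
            elif SEVERITIES.index(sev) < SEVERITIES.index("warning"):
                findings.append((dev, obj, "severity %s drops warning-level "
                                 "events and below" % sev))
            for key in ("forward-traffic", "local-traffic", "anomaly"):
                if cfg[key] != "enable":
                    findings.append((dev, obj, "%s logging is disabled" % key))
            if cfg["filter-type"] == "exclude" and cfg["filter"]:
                findings.append((dev, obj, "exclude filter %r suppresses "
                                 "matching logs" % cfg["filter"]))
    return findings


# Constructed sample in the syntax shown on this page.
SAMPLE_CONFIG = """\
config log syslogd setting
    edit "primary"
        set status enable
        set server "192.0.2.10"
        set reliable disable
    next
end
config log syslogd filter
    edit "primary"
        set severity error
        set forward-traffic disable
    next
end
"""

if __name__ == "__main__":
    for dev, obj, msg in audit(parse_syslogd_config(SAMPLE_CONFIG)):
        print("%s %s: %s" % (dev, obj, msg))
```

Starting each parsed object from the documented defaults is the point of the design: a configuration that never mentions `status` is audited as `disable`, exactly as the device treats it, and the filter check catches the common mistake of raising `severity` to quiet the collector while silently losing warning-level events.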

log.syslogd2/filter
CLI Syntax
config log.syslogd2 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration           Description                                            Default Value
severity                Lowest severity level to log.                          information
forward-traffic         Enable/disable log through traffic messages.           enable
local-traffic           Enable/disable log local in or out traffic messages.   enable
multicast-traffic       Enable/disable log multicast traffic messages.         enable
sniffer-traffic         Enable/disable log sniffer traffic messages.           enable
anomaly                 Enable/disable log anomaly messages.                   enable
netscan-discovery       Enable/disable log netscan discovery events.           enable
netscan-vulnerability   Enable/disable log netscan vulnerability events.       enable
voip                    Enable/disable log VoIP messages.                      enable
gtp                     Enable/disable log GTP messages.                       enable
filter                  Log filter for the log device.                         (Empty)
filter-type             Include/exclude logs that match the filter setting.    include

log.syslogd2/setting
CLI Syntax
config log.syslogd2 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration   Description                                   Default Value
status          Enable/disable remote syslog logging.         disable
server          Address of remote syslog server.              (Empty)
reliable        Enable/disable reliable logging (RFC3195).    disable
port            Server listen port.                           514
csv             Enable/disable CSV formatting of logs.        disable
facility        Remote syslog facility.                       local7
source-ip       Source IP address of syslog.                  (Empty)

log.syslogd3/filter
CLI Syntax
config log.syslogd3 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration           Description                                            Default Value
severity                Lowest severity level to log.                          information
forward-traffic         Enable/disable log through traffic messages.           enable
local-traffic           Enable/disable log local in or out traffic messages.   enable
multicast-traffic       Enable/disable log multicast traffic messages.         enable
sniffer-traffic         Enable/disable log sniffer traffic messages.           enable
anomaly                 Enable/disable log anomaly messages.                   enable
netscan-discovery       Enable/disable log netscan discovery events.           enable
netscan-vulnerability   Enable/disable log netscan vulnerability events.       enable
voip                    Enable/disable log VoIP messages.                      enable
gtp                     Enable/disable log GTP messages.                       enable
filter                  Log filter for the log device.                         (Empty)
filter-type             Include/exclude logs that match the filter setting.    include

log.syslogd3/setting
CLI Syntax
config log.syslogd3 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration   Description                                   Default Value
status          Enable/disable remote syslog logging.         disable
server          Address of remote syslog server.              (Empty)
reliable        Enable/disable reliable logging (RFC3195).    disable
port            Server listen port.                           514
csv             Enable/disable CSV formatting of logs.        disable
facility        Remote syslog facility.                       local7
source-ip       Source IP address of syslog.                  (Empty)

log.syslogd4/filter
CLI Syntax
config log.syslogd4 filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration           Description                                            Default Value
severity                Lowest severity level to log.                          information
forward-traffic         Enable/disable log through traffic messages.           enable
local-traffic           Enable/disable log local in or out traffic messages.   enable
multicast-traffic       Enable/disable log multicast traffic messages.         enable
sniffer-traffic         Enable/disable log sniffer traffic messages.           enable
anomaly                 Enable/disable log anomaly messages.                   enable
netscan-discovery       Enable/disable log netscan discovery events.           enable
netscan-vulnerability   Enable/disable log netscan vulnerability events.       enable
voip                    Enable/disable log VoIP messages.                      enable
gtp                     Enable/disable log GTP messages.                       enable
filter                  Log filter for the log device.                         (Empty)
filter-type             Include/exclude logs that match the filter setting.    include

log.syslogd4/setting
CLI Syntax
config log.syslogd4 setting
edit <name_str>
set status {enable | disable}
set server <string>
set reliable {enable | disable}
set port <integer>
set csv {enable | disable}
set facility {kernel | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | ntp | audit | alert | clock | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7}
set source-ip <string>
end

Description
Configuration   Description                                   Default Value
status          Enable/disable remote syslog logging.         disable
server          Address of remote syslog server.              (Empty)
reliable        Enable/disable reliable logging (RFC3195).    disable
port            Server listen port.                           514
csv             Enable/disable CSV formatting of logs.        disable
facility        Remote syslog facility.                       local7
source-ip       Source IP address of syslog.                  (Empty)

log.webtrends/filter
CLI Syntax
config log.webtrends filter
edit <name_str>
set severity {emergency | alert | critical | error | warning | notification | information | debug}
set forward-traffic {enable | disable}
set local-traffic {enable | disable}
set multicast-traffic {enable | disable}
set sniffer-traffic {enable | disable}
set anomaly {enable | disable}
set netscan-discovery {enable | disable}
set netscan-vulnerability {enable | disable}
set voip {enable | disable}
set gtp {enable | disable}
set filter <string>
set filter-type {include | exclude}
end

Description
Configuration           Description                                            Default Value
severity                Lowest severity level to log.                          information
forward-traffic         Enable/disable log through traffic messages.           enable
local-traffic           Enable/disable log local in or out traffic messages.   enable
multicast-traffic       Enable/disable log multicast traffic messages.         enable
sniffer-traffic         Enable/disable log sniffer traffic messages.           enable
anomaly                 Enable/disable log anomaly messages.                   enable
netscan-discovery       Enable/disable log netscan discovery events.           enable
netscan-vulnerability   Enable/disable log netscan vulnerability events.       enable
voip                    Enable/disable log VoIP messages.                      enable
gtp                     Enable/disable log GTP messages.                       enable
filter                  Log filter for the log device.                         (Empty)
filter-type             Include/exclude logs that match the filter setting.    include

log.webtrends/setting
CLI Syntax
config log.webtrends setting
edit <name_str>
set status {enable | disable}
set server <string>
end

Description
Configuration   Description                                  Default Value
status          Enable/disable WebTrends logging.            disable
server          Address of the remote WebTrends server.      (Empty)

log/custom-field
CLI Syntax
config log custom-field
edit <name_str>
set id <string>
set name <string>
set value <string>
end

Description
Configuration   Description     Default Value
id              ID.             (Empty)
name            Field name.     (Empty)
value           Field value.    (Empty)

log/eventfilter
CLI Syntax
config log eventfilter
edit <name_str>
set event {enable | disable}
set system {enable | disable}
set vpn {enable | disable}
set user {enable | disable}
set router {enable | disable}
set wireless-activity {enable | disable}
set wan-opt {enable | disable}
set endpoint {enable | disable}
set ha {enable | disable}
set compliance-check {enable | disable}
end

Description
Configuration       Description                                         Default Value
event               Enable/disable log event messages.                  enable
system              Enable/disable log system activity messages.        enable
vpn                 Enable/disable log VPN messages.                    enable
user                Enable/disable log user activity messages.          enable
router              Enable/disable log router activity.                 enable
wireless-activity   Enable/disable log wireless activity.               enable
wan-opt             Enable/disable log WAN optimization messages.       enable
endpoint            Enable/disable log for endpoint events.             enable
ha                  Enable/disable log for HA events.                   enable
compliance-check    Enable/disable log for PCI DSS compliance check.    enable

log/gui-display
CLI Syntax
config log gui-display
edit <name_str>
set resolve-hosts {enable | disable}
set resolve-apps {enable | disable}
set fortiview-unscanned-apps {enable | disable}
set fortiview-local-traffic {enable | disable}
set location {memory | disk | fortianalyzer | fortiguard}
end

Description
Configuration              Description                                                                      Default Value
resolve-hosts              Resolve IP addresses to hostnames on the GUI using reverse DNS lookup.           enable
resolve-apps               Resolve unknown applications on the GUI using remote application database.       enable
fortiview-unscanned-apps   Enable/disable inclusion of unscanned traffic in FortiView application charts.   disable
fortiview-local-traffic    Enable/disable inclusion of local-in traffic in FortiView realtime charts.       disable
location                   GUI log location display.                                                        memory

log/setting
CLI Syntax
config log setting
edit <name_str>
set resolve-ip {enable | disable}
set resolve-port {enable | disable}
set log-user-in-upper {enable | disable}
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set log-invalid-packet {enable | disable}
set local-in-allow {enable | disable}
set local-in-deny-unicast {enable | disable}
set local-in-deny-broadcast {enable | disable}
set local-out {enable | disable}
set daemon-log {enable | disable}
set neighbor-event {enable | disable}
set brief-traffic-format {enable | disable}
set user-anonymize {enable | disable}
set fortiview-weekly-data {enable | disable}
end

Description
Configuration             Description                                                Default Value
resolve-ip                Add resolved domain name into traffic log if possible.     disable
resolve-port              Add resolved service name into traffic log if possible.    enable
log-user-in-upper         Enable/disable collect log with user-in-upper.             disable
fwpolicy-implicit-log     Enable/disable collect firewall implicit policy log.       disable
fwpolicy6-implicit-log    Enable/disable collect firewall implicit policy6 log.      disable
log-invalid-packet        Enable/disable collect invalid packet traffic log.         disable
local-in-allow            Enable/disable collect local-in-allow log.                 disable
local-in-deny-unicast     Enable/disable collect local-in-deny-unicast log.          disable
local-in-deny-broadcast   Enable/disable collect local-in-deny-broadcast log.        disable
local-out                 Enable/disable collect local-out log.                      disable
daemon-log                Enable/disable collect daemon log.                         disable
neighbor-event            Enable/disable collect neighbor event log.                 disable
brief-traffic-format      Enable/disable use of brief format for traffic log.        disable
user-anonymize            Enable/disable anonymize log user name.                    disable
fortiview-weekly-data     Enable/disable FortiView weekly data.                      disable

log/threat-weight
CLI Syntax
config log threat-weight
    edit <name_str>
        set status {enable | disable}
        config level
            edit <name_str>
                set low <integer>
                set medium <integer>
                set high <integer>
                set critical <integer>
            end
        set blocked-connection {disable | low | medium | high | critical}
        set failed-connection {disable | low | medium | high | critical}
        set malware-detected {disable | low | medium | high | critical}
        set url-block-detected {disable | low | medium | high | critical}
        set botnet-connection-detected {disable | low | medium | high | critical}
        config ips
            edit <name_str>
                set info-severity {disable | low | medium | high | critical}
                set low-severity {disable | low | medium | high | critical}
                set medium-severity {disable | low | medium | high | critical}
                set high-severity {disable | low | medium | high | critical}
                set critical-severity {disable | low | medium | high | critical}
            end
        config web
            edit <name_str>
                set id <integer>
                set category <integer>
                set level {disable | low | medium | high | critical}
            end
        config geolocation
            edit <name_str>
                set id <integer>
                set country <string>
                set level {disable | low | medium | high | critical}
            end
        config application
            edit <name_str>
                set id <integer>
                set category <integer>
                set level {disable | low | medium | high | critical}
            end
    end

Description
Configuration                Description                                                      Default Value
status                       Enable/disable threat weight status.                             enable
level                        Level to score mapping.                                          Details below
    Configuration        Default Value
    low                  5
    medium               10
    high                 30
    critical             50
blocked-connection           Score level for blocked connections for threat weight.           high
failed-connection            Score level for failed connections for threat weight.            low
malware-detected             Score level for detected malware for threat weight.              critical
url-block-detected           Score level for URL blocking for threat weight.                  high
botnet-connection-detected   Score level for detected botnet connection for threat weight.    critical
ips                          IPS reputation settings.                                         Details below
    Configuration        Default Value
    info-severity        disable
    low-severity         low
    medium-severity      medium
    high-severity        high
    critical-severity    critical
web                          Web-based threat weight settings.                                (Empty)
geolocation                  Geolocation-based threat weight settings.                        (Empty)
application                  Application-control based threat weight settings.                (Empty)
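Threat weight is a two-stage mapping: each event type (or IPS signature severity) resolves to a level, and `config level` turns that level into a score. The Python below is an added example, not Fortinet code, that carries the defaults from the table above through both stages. How FortiOS itself aggregates events into a per-host figure is not described on this page, so summing scores per source IP is an assumption made for illustration; SAMPLE_EVENTS is constructed data, and the keyword arguments show how `config level` and `config ips` overrides change the result.

```python
"""Score hosts with the log/threat-weight defaults documented on this page.

Added example (not Fortinet code). LEVEL_SCORE, EVENT_LEVEL and
IPS_SEVERITY_LEVEL are the default values from the description table above.
Summing scores per source IP is an assumption for illustration; the page
does not describe how FortiOS aggregates events. SAMPLE_EVENTS is constructed.
"""

# 'config level' defaults: level name -> score. 'disable' contributes nothing.
LEVEL_SCORE = {"disable": 0, "low": 5, "medium": 10, "high": 30, "critical": 50}

# Default level for each scored event type.
EVENT_LEVEL = {
    "blocked-connection": "high",
    "failed-connection": "low",
    "malware-detected": "critical",
    "url-block-detected": "high",
    "botnet-connection-detected": "critical",
}

# 'config ips' defaults: IPS signature severity -> level.
IPS_SEVERITY_LEVEL = {"info": "disable", "low": "low", "medium": "medium",
                      "high": "high", "critical": "critical"}


def event_level(event, ips_levels=IPS_SEVERITY_LEVEL, event_levels=EVENT_LEVEL):
    """Stage 1: resolve an event record to a threat-weight level name.

    Unknown event types and unknown IPS severities map to 'disable'.
    """
    if event["type"] == "ips":
        return ips_levels.get(event["severity"], "disable")
    return event_levels.get(event["type"], "disable")


def score_event(event, level_score=LEVEL_SCORE, **kw):
    """Stage 2: turn the level into points using the 'config level' mapping."""
    return level_score[event_level(event, **kw)]


def threat_weight_by_host(events, **kw):
    """Sum event scores per source IP (assumed aggregation, see docstring)."""
    totals = {}
    for ev in events:
        totals[ev["srcip"]] = totals.get(ev["srcip"], 0) + score_event(ev, **kw)
    return totals


# Constructed sample events (not FortiGate log output).
SAMPLE_EVENTS = [
    {"srcip": "10.0.0.5", "type": "blocked-connection"},          # high     -> 30
    {"srcip": "10.0.0.5", "type": "failed-connection"},           # low      -> 5
    {"srcip": "10.0.0.5", "type": "ips", "severity": "high"},     # high     -> 30
    {"srcip": "10.0.0.9", "type": "malware-detected"},            # critical -> 50
    {"srcip": "10.0.0.9", "type": "ips", "severity": "info"},     # disable  -> 0
    {"srcip": "10.0.0.9", "type": "botnet-connection-detected"},  # critical -> 50
    {"srcip": "10.0.0.9", "type": "unscored-event"},              # disable  -> 0
]

if __name__ == "__main__":
    ranked = sorted(threat_weight_by_host(SAMPLE_EVENTS).items(),
                    key=lambda kv: -kv[1])
    for host, score in ranked:
        print(host, score)
```

With the defaults, 10.0.0.5 scores 65 and 10.0.0.9 scores 100; raising `critical` to 100 in the level mapping doubles the second host's score, while remapping `info-severity` from `disable` to `low` adds 5 points for each informational IPS hit, which is usually noise a defender would rather leave unscored.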

netscan/assets
CLI Syntax
config netscan assets
edit <name_str>
set asset-id <integer>
set name <string>
set scheduled {disable | enable}
set addr-type {ip | range}
set start-ip <ipv4-address-any>
set end-ip <ipv4-address-any>
set auth-windows {disable | enable}
set auth-unix {disable | enable}
set win-username <string>
set win-password <password>
set unix-username <string>
set unix-password <password>
end

Description
Configuration   Description                                                      Default Value
asset-id        Asset ID.                                                        0
name            Name of this asset.                                              (Empty)
scheduled       Enable/disable include asset in scheduled vulnerability scan.    disable
addr-type       IP address or range.                                             ip
start-ip        IP address of asset or start of asset range.                     0.0.0.0
end-ip          End of asset range.                                              0.0.0.0
auth-windows    Enable/disable authenticate on Windows hosts.                    disable
auth-unix       Enable/disable authenticate on UNIX hosts.                       disable
win-username    User name for Windows hosts.                                     (Empty)
win-password    Password for Windows hosts.                                      (Empty)
unix-username   User name for Unix hosts.                                        (Empty)
unix-password   Password for Unix hosts.                                         (Empty)

netscan/settings
CLI Syntax
config netscan settings
edit <name_str>
set scan-mode {quick | standard | full}
set scheduled-pause {disable | enable}
set time <user>
set pause-from <user>
set pause-to <user>
set recurrence {daily | weekly | monthly}
set day-of-week {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
set day-of-month <integer>
set tcp-ports <user>
set udp-ports <user>
set tcp-scan {auto | enable | disable}
set udp-scan {auto | enable | disable}
set service-detection {auto | enable | disable}
set os-detection {auto | enable | disable}
end

Description
Configuration       Description                                                    Default Value
scan-mode           Level of vulnerability scanning to perform on ports.           quick
scheduled-pause     Enable/disable set time during which scanning should pause.    disable
time                Time of day to start the scan.                                 00:00
pause-from          Time of day to pause scanning.                                 00:00
pause-to            Time of day to resume scanning.                                00:00
recurrence          Frequency at which the scans should recur.                     weekly
day-of-week         Day of the week on which to run the scan.                      sunday
day-of-month        Day of the month on which to run the scan.                     1
tcp-ports           TCP ports scanned.                                             (Empty)
udp-ports           UDP ports scanned.                                             (Empty)
tcp-scan            Enable/disable TCP port scan.                                  auto
udp-scan            Enable/disable UDP port scan.                                  auto
service-detection   Enable/disable service detection.                              auto
os-detection        Enable/disable OS detection.                                   auto

report/chart
CLI Syntax
config report chart
    edit <name_str>
        set name <string>
        set policy <integer>
        set type {graph | table}
        set period {last24h | last7d}
        config drill-down-charts
            edit <name_str>
                set id <integer>
                set chart-name <string>
                set status {enable | disable}
            end
        set comments <string>
        set dataset <string>
        set category {misc | traffic | event | virus | webfilter | attack | spam | dlp | app-ctrl | vulnerability}
        set favorite {no | yes}
        set graph-type {none | bar | pie | line | flow}
        set style {auto | manual}
        set dimension {2D | 3D}
        config x-series
            edit <name_str>
                set databind <string>
                set caption <string>
                set caption-font-size <integer>
                set font-size <integer>
                set label-angle {45-degree | vertical | horizontal}
                set is-category {yes | no}
                set scale-unit {minute | hour | day | month | year}
                set scale-step <integer>
                set scale-direction {decrease | increase}
                set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
                set unit <string>
            end
        config y-series
            edit <name_str>
                set databind <string>
                set caption <string>
                set caption-font-size <integer>
                set font-size <integer>
                set label-angle {45-degree | vertical | horizontal}
                set group <string>
                set unit <string>
                set extra-y {enable | disable}
                set extra-databind <string>
                set y-legend <string>
                set extra-y-legend <string>
            end
        config category-series
            edit <name_str>
                set databind <string>
                set font-size <integer>
            end
        config value-series
            edit <name_str>
                set databind <string>
            end
        set title <string>
        set title-font-size <integer>
        set background <string>
        set color-palette <string>
        set legend {enable | disable}
        set legend-font-size <integer>
        config column
            edit <name_str>
                set id <integer>
                set header-value <string>
                set detail-value <string>
                set footer-value <string>
                set detail-unit <string>
                set footer-unit <string>
                config mapping
                    edit <name_str>
                        set id <integer>
                        set op {none | greater | greater-equal | less | less-equal | equal | between}
                        set value-type {integer | string}
                        set value1 <string>
                        set value2 <string>
                        set displayname <string>
                    end
            end
    end

Description
Configuration       Description                                                        Default Value
name                Chart widget name.                                                 (Empty)
policy              Used by monitor policy.                                            0
type                Chart type.                                                        graph
period              Time period.                                                       last24h
drill-down-charts   Drill down charts.                                                 (Empty)
comments            Comment.                                                           (Empty)
dataset             Bind dataset to chart.                                             (Empty)
category            Category.                                                          misc
favorite            Favorite.                                                          no
graph-type          Graph type.                                                        none
style               Style.                                                             auto
dimension           Dimension.                                                         3D
x-series            X-series of chart.                                                 Details below
    Configuration        Default Value
    databind             (Empty)
    caption              (Empty)
    caption-font-size    0
    font-size            0
    label-angle          45-degree
    is-category          yes
    scale-unit           day
    scale-step           1
    scale-direction      decrease
    scale-format         YYYY-MM-DD-HH-MM
    unit                 (Empty)
y-series            Y-series of chart.                                                 Details below
    Configuration        Default Value
    databind             (Empty)
    caption              (Empty)
    caption-font-size    0
    font-size            0
    label-angle          horizontal
    group                (Empty)
    unit                 (Empty)
    extra-y              disable
    extra-databind       (Empty)
    y-legend             (Empty)
    extra-y-legend       (Empty)
category-series     Category series of pie chart.                                      Details below
    Configuration        Default Value
    databind             (Empty)
    font-size            0
value-series        Value series of pie chart.                                         Details below
    Configuration        Default Value
    databind             (Empty)
title               Chart title.                                                       (Empty)
title-font-size     Font size of chart title.                                          0
background          Chart background.                                                  (Empty)
color-palette       Color palette (system will pick color automatically by default).   (Empty)
legend              Enable/disable legend area.                                        enable
legend-font-size    Font size of legend area.                                          0
column              Table column definition.                                           (Empty)

report/dataset
CLI Syntax
config report dataset
    edit <name_str>
        set name <string>
        set policy <integer>
        set query <string>
        config field
            edit <name_str>
                set id <integer>
                set type {text | integer | double}
                set name <string>
                set displayname <string>
            end
        config parameters
            edit <name_str>
                set id <integer>
                set display-name <string>
                set field <string>
                set data-type {text | integer | double | long-integer | date-time}
            end
    end

Description
Configuration   Description                Default Value
name            Name.                      (Empty)
policy          Used by monitor policy.    0
query           SQL query statement.       (Empty)
field           Fields.                    (Empty)
parameters      Parameters.                (Empty)

report/layout
CLI Syntax
config report layout
    edit <name_str>
        set name <string>
        set title <string>
        set subtitle <string>
        set description <string>
        set style-theme <string>
        set options {include-table-of-content | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading | dummy-option}
        set format {html | pdf}
        set schedule-type {demand | daily | weekly}
        set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
        set time <user>
        set cutoff-option {run-time | custom}
        set cutoff-time <user>
        set email-send {enable | disable}
        set email-recipients <string>
        set max-pdf-report <integer>
        config page
            edit <name_str>
                set paper {a4 | letter}
                set column-break-before {heading1 | heading2 | heading3}
                set page-break-before {heading1 | heading2 | heading3}
                set options {header-on-first-page | footer-on-first-page}
                config header
                    edit <name_str>
                        set style <string>
                        config header-item
                            edit <name_str>
                                set id <integer>
                                set description <string>
                                set type {text | image}
                                set style <string>
                                set content <string>
                                set img-src <string>
                            end
                    end
                config footer
                    edit <name_str>
                        set style <string>
                        config footer-item
                            edit <name_str>
                                set id <integer>
                                set description <string>
                                set type {text | image}
                                set style <string>
                                set content <string>
                                set img-src <string>
                            end
                    end
            end
        config body-item
            edit <name_str>
                set id <integer>
                set description <string>
                set type {text | image | chart | misc}
                set style <string>
                set top-n <integer>
                set hide {enable | disable}
                config parameters
                    edit <name_str>
                        set id <integer>
                        set name <string>
                        set value <string>
                    end
                set text-component {text | heading1 | heading2 | heading3}
                set content <string>
                set img-src <string>
                set list-component {bullet | numbered}
                config list
                    edit <name_str>
                        set id <integer>
                        set content <string>
                    end
                set chart <string>
                set chart-options {include-no-data | hide-title | show-caption}
                set drill-down-items <string>
                set drill-down-types <string>
                set table-column-widths <string>
                set table-caption-style <string>
                set table-head-style <string>
                set table-odd-row-style <string>
                set table-even-row-style <string>
                set misc-component {hline | page-break | column-break | section-start}
                set column <integer>
                set title <string>
            end
    end

Description
Configuration      Description                                                                        Default Value
name               Report layout name.                                                                (Empty)
title              Report title.                                                                      (Empty)
subtitle           Report subtitle.                                                                   (Empty)
description        Description.                                                                       (Empty)
style-theme        Report style theme.                                                                (Empty)
options            Report layout options.                                                             include-table-of-content auto-numbering-heading view-chart-as-heading
format             Report format.                                                                     html
schedule-type      Report schedule type.                                                              daily
day                Schedule days of week to generate report.                                          sunday
time               Schedule time to generate report [hh:mm].                                          00:00
cutoff-option      Cutoff-option is either run-time or custom.                                        run-time
cutoff-time        Custom cutoff time to generate report [hh:mm].                                     00:00
email-send         Enable/disable sending emails after reports are generated.                         disable
email-recipients   Email recipients for generated reports.                                            (Empty)
max-pdf-report     Maximum number of PDF reports to keep at one time (oldest report is overwritten).  31
page               Configure report page.                                                             Details below
    Configuration          Default Value
    paper                  a4
    column-break-before    (Empty)
    page-break-before      (Empty)
    options                (Empty)
    header                 {"style":"","header-item":[]}
    footer                 {"style":"","footer-item":[]}
body-item          Configure report body item.                                                        (Empty)

report/setting
CLI Syntax
config report setting
edit <name_str>
set pdf-report {enable | disable}
set fortiview {enable | disable}
set report-source {forward-traffic | sniffer-traffic}
set web-browsing-threshold <integer>
end

Description
Configuration            Description                                             Default Value
pdf-report               Enable/disable PDF report.                              enable
fortiview                Enable/disable historical FortiView.                    enable
report-source            Report log source.                                      forward-traffic
web-browsing-threshold   Web browsing time calculation threshold (3 - 15 min).   3

report/style
CLI Syntax
config report style
edit <name_str>
set name <string>
set options {font | text | color | align | size | margin | border | padding | column}
set font-family {Verdana | Arial | Helvetica | Courier | Times}
set font-style {normal | italic}
set font-weight {normal | bold}
set font-size <string>
set line-height <string>
set fg-color <string>
set bg-color <string>
set align {left | center | right | justify}
set width <string>
set height <string>
set margin-top <string>
set margin-right <string>
set margin-bottom <string>
set margin-left <string>
set border-top <user>
set border-right <user>
set border-bottom <user>
set border-left <user>
set padding-top <string>
set padding-right <string>
set padding-bottom <string>
set padding-left <string>
set column-span {none | all}
set column-gap <string>
end

Description
Configuration Description Default Value

name Report style name. (Empty)

options Report style options. (Empty)

font-family Font family. (Empty)

font-style Font style. normal

font-weight Font weight. normal

font-size Font size. (Empty)

line-height Text line height. (Empty)

fg-color Foreground color. (Empty)

bg-color Background color. (Empty)

align Alignment. (Empty)

width Width. (Empty)

height Height. (Empty)

margin-top Margin top. (Empty)

margin-right Margin right. (Empty)

margin-bottom Margin bottom. (Empty)

margin-left Margin left. (Empty)

border-top Border top. none

border-right Border right. none

border-bottom Border bottom. none

border-left Border left. none

padding-top Padding top. (Empty)

padding-right Padding right. (Empty)

padding-bottom Padding bottom. (Empty)

padding-left Padding left. (Empty)

column-span Column span. none

column-gap Column gap. (Empty)

report/theme
CLI Syntax
config report theme
edit <name_str>
set name <string>
set page-orient {portrait | landscape}
set column-count {1 | 2 | 3}
set default-html-style <string>
set default-pdf-style <string>
set page-style <string>
set page-header-style <string>
set page-footer-style <string>
set report-title-style <string>
set report-subtitle-style <string>
set toc-title-style <string>
set toc-heading1-style <string>
set toc-heading2-style <string>
set toc-heading3-style <string>
set toc-heading4-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set normal-text-style <string>
set bullet-list-style <string>
set numbered-list-style <string>
set image-style <string>
set hline-style <string>
set graph-chart-style <string>
set table-chart-style <string>
set table-chart-caption-style <string>
set table-chart-head-style <string>
set table-chart-odd-row-style <string>
set table-chart-even-row-style <string>
end

Description
Configuration Description Default Value

name Report theme name. (Empty)

page-orient Report page orientation. portrait

column-count Report page column count. 1

default-html-style Default HTML report style. (Empty)

default-pdf-style Default PDF report style. (Empty)

page-style Report page style. (Empty)

page-header-style Report page header style. (Empty)

page-footer-style Report page footer style. (Empty)

report-title-style Report title style. (Empty)

report-subtitle-style Report subtitle style. (Empty)

toc-title-style Table of contents title style. (Empty)

toc-heading1-style Table of contents heading 1 style. (Empty)

toc-heading2-style Table of contents heading 2 style. (Empty)

toc-heading3-style Table of contents heading 3 style. (Empty)

toc-heading4-style Table of contents heading 4 style. (Empty)

heading1-style Report heading 1 style. (Empty)

heading2-style Report heading 2 style. (Empty)

heading3-style Report heading 3 style. (Empty)

heading4-style Report heading 4 style. (Empty)

normal-text-style Normal text style. (Empty)

bullet-list-style Bullet list style. (Empty)

numbered-list-style Numbered list style. (Empty)

image-style Image style. (Empty)

hline-style Horizontal line style. (Empty)

graph-chart-style Graph chart style. (Empty)

table-chart-style Table chart style. (Empty)

table-chart-caption-style Table chart caption style. (Empty)

table-chart-head-style Table chart head row style. (Empty)

table-chart-odd-row-style Table chart odd row style. (Empty)

table-chart-even-row-style Table chart even row style. (Empty)

router/access-list
CLI Syntax
config router access-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set wildcard <user>
set exact-match {enable | disable}
set flags <integer>
end
end

Description
Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Access-list rule table. Each rule has an id (rules are evaluated in id order, first match wins), an action (permit or deny), a prefix or a wildcard to match, and exact-match, which restricts the rule to routes whose prefix length equals the rule's. (Empty)

router/access-list6
CLI Syntax
config router access-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set exact-match {enable | disable}
set flags <integer>
end
end

Description
Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

rule Access-list rule table. Each rule has an id (rules are evaluated in id order, first match wins), an action (permit or deny), the IPv6 prefix to match, and exact-match, which restricts the rule to routes whose prefix length equals the rule's. (Empty)
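Example (added here, not part of the original reference): an IPv4 and an IPv6 access-list that reject bogon routes learned from an external peer. Lines beginning with "#" are annotations, not CLI commands. List names are illustrative. Rules are evaluated in id order, the first match wins, and a route that matches no rule is denied, so the IPv4 list ends with an explicit permit-any while the IPv6 list deliberately admits only global unicast space.

```fortios
# Added example, not from the reference.
config router access-list
    edit "bogons-in"
        set comments "Deny RFC1918 space and the default route"
        config rule
            edit 1
                set action deny
                set prefix 10.0.0.0 255.0.0.0
                # exact-match disable (the default) also matches every
                # more-specific prefix inside 10.0.0.0/8
                set exact-match disable
            next
            edit 2
                set action deny
                set prefix 172.16.0.0 255.240.0.0
            next
            edit 3
                set action deny
                set prefix 192.168.0.0 255.255.0.0
            next
            edit 4
                set action deny
                # exact-match enable: only 0.0.0.0/0 itself, not every route
                set prefix 0.0.0.0 0.0.0.0
                set exact-match enable
            next
            edit 10
                set action permit
                set prefix any
            next
        end
    next
end

config router access-list6
    edit "bogons6-in"
        set comments "Accept only global unicast"
        config rule
            edit 1
                set action deny
                # unique local addresses
                set prefix6 fc00::/7
            next
            edit 2
                set action deny
                set prefix6 ::/0
                set exact-match enable
            next
            edit 3
                set action permit
                set prefix6 2000::/3
            next
        end
    next
end
```

Either list is applied by name, for example with distribute-list-in or distribute-list-in6 on a BGP neighbor (config router bgp) or as an access-group under config igmp (config router multicast). A common mistake is to forget that a list with only deny rules denies everything; verify with the routing table after applying it.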

router/aspath-list
CLI Syntax
config router aspath-list
edit <name_str>
set name <string>
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
end
end

Description
Configuration Description Default Value

name AS path list name. (Empty)

rule AS path list rule table: id, action (permit or deny) and the regexp matched against the route's AS path. (Empty)

router/auth-path
CLI Syntax
config router auth-path
edit <name_str>
set name <string>
set device <string>
set gateway <ipv4-address>
end

Description
Configuration Description Default Value

name Name of the entry. (Empty)

device Output interface. (Empty)

gateway Gateway IP address. 0.0.0.0

router/bfd
CLI Syntax
config router bfd
config neighbor
edit <name_str>
set ip <ipv4-address>
set interface <string>
end
end

Description
Configuration Description Default Value

neighbor BFD neighbor table: the neighbor's ip and the interface on which the session runs. (Empty)

router/bgp
CLI Syntax
config router bgp
set as <integer>
set router-id <ipv4-address-any>
set keepalive-timer <integer>
set holdtime-timer <integer>
set always-compare-med {enable | disable}
set bestpath-as-path-ignore {enable | disable}
set bestpath-cmp-confed-aspath {enable | disable}
set bestpath-cmp-routerid {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set client-to-client-reflection {enable | disable}
set dampening {enable | disable}
set deterministic-med {enable | disable}
set ebgp-multipath {enable | disable}
set ibgp-multipath {enable | disable}
set enforce-first-as {enable | disable}
set fast-external-failover {enable | disable}
set log-neighbour-changes {enable | disable}
set network-import-check {enable | disable}
set ignore-optional-capability {enable | disable}
set cluster-id <ipv4-address-any>
set confederation-identifier <integer>
config confederation-peers
edit <name_str>
set peer <string>
end
set dampening-route-map <string>
set dampening-reachability-half-life <integer>
set dampening-reuse <integer>
set dampening-suppress <integer>
set dampening-max-suppress-time <integer>
set dampening-unreachability-half-life <integer>
set default-local-preference <integer>
set scan-time <integer>
set distance-external <integer>
set distance-internal <integer>
set distance-local <integer>
set synchronization {enable | disable}
set graceful-restart {enable | disable}
set graceful-restart-time <integer>
set graceful-stalepath-time <integer>
set graceful-update-delay <integer>
config aggregate-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config aggregate-address6
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
set as-set {enable | disable}
set summary-only {enable | disable}
end
config neighbor
edit <name_str>
set ip <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
set password <password>
config conditional-advertise
edit <name_str>
set advertise-routemap <string>
set condition-routemap <string>
set condition-type {exist | non-exist}
end
end
config neighbor-group
edit <name_str>
set name <string>
set advertisement-interval <integer>
set allowas-in-enable {enable | disable}
set allowas-in-enable6 {enable | disable}
set allowas-in <integer>
set allowas-in6 <integer>
set attribute-unchanged {as-path | med | next-hop}
set attribute-unchanged6 {as-path | med | next-hop}
set activate {enable | disable}
set activate6 {enable | disable}
set bfd {enable | disable}
set capability-dynamic {enable | disable}
set capability-orf {none | receive | send | both}
set capability-orf6 {none | receive | send | both}
set capability-graceful-restart {enable | disable}
set capability-graceful-restart6 {enable | disable}
set capability-route-refresh {enable | disable}
set capability-default-originate {enable | disable}
set capability-default-originate6 {enable | disable}
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set next-hop-self {enable | disable}
set next-hop-self6 {enable | disable}
set override-capability {enable | disable}
set passive {enable | disable}
set remove-private-as {enable | disable}
set remove-private-as6 {enable | disable}
set route-reflector-client {enable | disable}
set route-reflector-client6 {enable | disable}
set route-server-client {enable | disable}
set route-server-client6 {enable | disable}
set shutdown {enable | disable}
set soft-reconfiguration {enable | disable}
set soft-reconfiguration6 {enable | disable}
set as-override {enable | disable}
set as-override6 {enable | disable}
set strict-capability-match {enable | disable}
set default-originate-routemap <string>
set default-originate-routemap6 <string>
set description <string>
set distribute-list-in <string>
set distribute-list-in6 <string>
set distribute-list-out <string>
set distribute-list-out6 <string>
set ebgp-multihop-ttl <integer>
set filter-list-in <string>
set filter-list-in6 <string>
set filter-list-out <string>
set filter-list-out6 <string>
set interface <string>
set maximum-prefix <integer>
set maximum-prefix6 <integer>
set maximum-prefix-threshold <integer>
set maximum-prefix-threshold6 <integer>
set maximum-prefix-warning-only {enable | disable}
set maximum-prefix-warning-only6 {enable | disable}
set prefix-list-in <string>
set prefix-list-in6 <string>
set prefix-list-out <string>
set prefix-list-out6 <string>
set remote-as <integer>
set retain-stale-time <integer>
set route-map-in <string>
set route-map-in6 <string>
set route-map-out <string>
set route-map-out6 <string>
set send-community {standard | extended | both | disable}
set send-community6 {standard | extended | both | disable}
set keep-alive-timer <integer>
set holdtime-timer <integer>
set connect-timer <integer>
set unsuppress-map <string>
set unsuppress-map6 <string>
set update-source <string>
set weight <integer>
set restart-time <integer>
end
config neighbor-range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set max-neighbor-num <integer>
set neighbor-group <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set backdoor {enable | disable}
set route-map <string>
end
config network6
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set backdoor {enable | disable}
set route-map <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
config redistribute6
edit <name_str>
set name <string>
set status {enable | disable}
set route-map <string>
end
end
config admin-distance
edit <name_str>
set id <integer>
set neighbour-prefix <ipv4-classnet>
set route-list <string>
set distance <integer>
end
end

Description
Configuration Description Default Value

as Router AS number. 0

router-id Router ID. 0.0.0.0

keepalive-timer Frequency to send keep alive requests. 60

holdtime-timer Number of seconds to mark peer as dead. 180

always-compare-med Enable/disable always compare MED. disable

bestpath-as-path-ignore Enable/disable ignore AS path. disable

bestpath-cmp-confed-aspath Enable/disable compare confederation AS path length. disable

bestpath-cmp-routerid Enable/disable compare router ID for identical EBGP paths. disable

bestpath-med-confed Enable/disable compare MED among confederation paths. disable

bestpath-med-missing-as-worst Enable/disable treat missing MED as least preferred. disable

client-to-client-reflection Enable/disable client-to-client route reflection. enable

dampening Enable/disable route-flap dampening. disable

deterministic-med Enable/disable enforce deterministic comparison of MED. disable

ebgp-multipath Enable/disable EBGP multi-path. disable

ibgp-multipath Enable/disable IBGP multi-path. disable

enforce-first-as Enable/disable enforce first AS for EBGP routes. enable

fast-external-failover Enable/disable reset peer BGP session if link goes down. enable

log-neighbour-changes Enable logging of BGP neighbour's changes. enable

network-import-check Enable/disable ensure BGP network route exists in IGP. enable

ignore-optional-capability Don't send unknown optional capability notification message. enable

cluster-id Route reflector cluster ID. 0.0.0.0

confederation-identifier Confederation identifier. 0

confederation-peers Confederation peers. (Empty)

dampening-route-map Criteria for dampening. (Empty)

dampening-reachability-half-life Reachability half-life time for penalty (min). 15

dampening-reuse Threshold to reuse routes. 750

dampening-suppress Threshold to suppress routes. 2000

dampening-max-suppress-time Maximum minutes a route can be suppressed. 60

dampening-unreachability-half-life Unreachability half-life time for penalty (min). 15

default-local-preference Default local preference. 100

scan-time Background scanner interval (sec). 60

distance-external Distance for routes external to the AS. 20

distance-internal Distance for routes internal to the AS. 200

distance-local Distance for routes local to the AS. 200

synchronization Enable/disable only advertise routes from iBGP if routes present in an IGP. disable

graceful-restart Enable/disable BGP graceful restart capabilities. disable

graceful-restart-time Time needed for neighbors to restart (sec). 120

graceful-stalepath-time Time to hold stale paths of restarting neighbor (sec). 360

graceful-update-delay Route advertisement/selection delay after restart (sec). 120

aggregate-address BGP aggregate address table. (Empty)

aggregate-address6 BGP IPv6 aggregate address table. (Empty)

neighbor BGP neighbor table. (Empty)

neighbor-group BGP neighbor group table. (Empty)

neighbor-range BGP neighbor range table. (Empty)

network BGP network table. (Empty)

network6 BGP IPv6 network table. (Empty)

redistribute BGP IPv4 redistribute table. (Empty)

redistribute6 BGP IPv6 redistribute table. (Empty)

admin-distance Administrative distance modifications. (Empty)
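Example (added here, not part of the original reference): a hardened eBGP peering with a transit provider plus an iBGP neighbor-group for the core. Lines beginning with "#" are annotations, not CLI commands. It assumes an access-list named "bogons-in" and an aspath-list named "no-private-as" already exist; ASNs, addresses, the shared secret and the interface name "loopback0" are illustrative.

```fortios
# Added example, not from the reference.
config router bgp
    set as 65010
    set router-id 192.0.2.1
    # Drop eBGP updates whose first AS is not the peer's AS (default enable).
    set enforce-first-as enable
    set log-neighbour-changes enable
    # Reset the session when the link fails instead of waiting for the
    # hold timer to expire.
    set fast-external-failover enable
    set keepalive-timer 30
    set holdtime-timer 90
    config neighbor
        edit "203.0.113.2"
            set remote-as 64496
            set description "Transit provider"
            # TCP MD5 (RFC 2385) on the session; the peer must use the same secret.
            set password "replace-with-shared-secret"
            # Inbound policy: no bogons, no private ASNs in the path, and a
            # hard prefix limit that tears the session down when exceeded.
            set distribute-list-in "bogons-in"
            set filter-list-in "no-private-as"
            set maximum-prefix 1000
            set maximum-prefix-threshold 80
            set maximum-prefix-warning-only disable
            # Keep received routes so policy changes apply with a soft clear
            # rather than a session reset.
            set soft-reconfiguration enable
            # Strip our private ASNs from paths sent to the provider.
            set remove-private-as enable
        next
    end
    config neighbor-group
        edit "ibgp-core"
            set remote-as 65010
            set update-source "loopback0"
            set next-hop-self enable
            set route-reflector-client enable
            set send-community both
        next
    end
    # Accept iBGP sessions only from the core loopback range.
    config neighbor-range
        edit 1
            set prefix 10.255.0.0/24
            set max-neighbor-num 32
            set neighbor-group "ibgp-core"
        next
    end
    config network
        edit 1
            set prefix 198.51.100.0/24
        next
    end
end
```

With network-import-check at its default of enable, 198.51.100.0/24 is advertised only while a route for it exists in the routing table. Note that the neighbor-group syntax listed above has no password field, so sessions accepted through neighbor-range are not MD5-protected; use explicit neighbor entries with a password for any peer reachable from a segment you do not control.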

router/community-list
CLI Syntax
config router community-list
edit <name_str>
set name <string>
set type {standard | expanded}
config rule
edit <name_str>
set id <integer>
set action {deny | permit}
set regexp <string>
set match <string>
end
end

Description
Configuration Description Default Value

name Community list name. (Empty)

type Community list type. standard

rule Community list rule table: id, action (permit or deny), and either match (standard lists, literal community values) or regexp (expanded lists). (Empty)
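Example (added here, not part of the original reference) covering router/aspath-list and router/community-list together: an AS path list that rejects any path carrying a private ASN, and community lists showing the difference between the standard type (literal match values) and the expanded type (regexp). Lines beginning with "#" are annotations, not CLI commands. Names and community values are illustrative, and the "_" metacharacter in the AS path regexp is assumed to follow the Cisco-style convention of matching the boundary between two AS numbers.

```fortios
# Added example, not from the reference.
config router aspath-list
    edit "no-private-as"
        config rule
            edit 1
                set action deny
                # 64512-65534 anywhere in the path, one alternation per
                # decimal sub-range of the private ASN block
                set regexp "_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-4])_"
            next
            edit 2
                # an AS path list with no matching rule denies the route,
                # so permit everything else explicitly
                set action permit
                set regexp ".*"
            next
        end
    next
end

config router community-list
    edit "customer-routes"
        set type standard
        config rule
            edit 1
                set action permit
                # standard lists compare literal AA:NN values
                set match "65010:100"
            next
        end
    next
    edit "any-customer-tag"
        set type expanded
        config rule
            edit 1
                set action permit
                # expanded lists use a regular expression instead
                set regexp "^65010:1[0-9][0-9]$"
            next
        end
    next
    edit "drop-no-export"
        set type standard
        config rule
            edit 1
                set action deny
                # well-known communities are matched by name
                set match "no-export"
            next
        end
    next
end
```

The AS path list is applied directly on a BGP neighbor with filter-list-in or filter-list-out. Community lists are not referenced from the neighbor itself; they are selected by a route map (config router route-map, documented later in this reference) that is then attached with route-map-in or route-map-out.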

router/isis
CLI Syntax
config router isis
set is-type {level-1-2 | level-1 | level-2-only}
set auth-mode-l1 {password | md5}
set auth-mode-l2 {password | md5}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-sendonly-l1 {enable | disable}
set auth-sendonly-l2 {enable | disable}
set ignore-lsp-errors {enable | disable}
set lsp-gen-interval-l1 <integer>
set lsp-gen-interval-l2 <integer>
set lsp-refresh-interval <integer>
set max-lsp-lifetime <integer>
set spf-interval-exp-l1 <user>
set spf-interval-exp-l2 <user>
set dynamic-hostname {enable | disable}
set adjacency-check {enable | disable}
set overload-bit {enable | disable}
set overload-bit-suppress {external | interlevel}
set overload-bit-on-startup <integer>
set default-originate {enable | disable}
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | wide | wide-l1 | wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2 | transition | transition-l1 | transition-l2}
set redistribute-l1 {enable | disable}
set redistribute-l1-list <string>
set redistribute-l2 {enable | disable}
set redistribute-l2-list <string>
config isis-net
edit <name_str>
set id <integer>
set net <user>
end
config isis-interface
edit <name_str>
set name <string>
set status {enable | disable}
set network-type {broadcast | point-to-point}
set circuit-type {level-1-2 | level-1 | level-2}
set csnp-interval-l1 <integer>
set csnp-interval-l2 <integer>
set hello-interval-l1 <integer>
set hello-interval-l2 <integer>
set hello-multiplier-l1 <integer>
set hello-multiplier-l2 <integer>
set hello-padding {enable | disable}
set lsp-interval <integer>
set lsp-retransmit-interval <integer>
set metric-l1 <integer>
set metric-l2 <integer>
set wide-metric-l1 <integer>
set wide-metric-l2 <integer>
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-keychain-l1 <string>
set auth-keychain-l2 <string>
set auth-send-only-l1 {enable | disable}
set auth-send-only-l2 {enable | disable}
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set priority-l1 <integer>
set priority-l2 <integer>
set mesh-group {enable | disable}
set mesh-group-id <integer>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set level {level-1-2 | level-1 | level-2}
end
config redistribute
edit <name_str>
set protocol <string>
set status {enable | disable}
set metric <integer>
set metric-type {external | internal}
set level {level-1-2 | level-1 | level-2}
set routemap <string>
end
end

Description
Configuration Description Default Value

is-type IS type. level-1-2

auth-mode-l1 Level 1 authentication mode. password

auth-mode-l2 Level 2 authentication mode. password

auth-password-l1 Authentication password for level 1 PDUs. (Empty)

auth-password-l2 Authentication password for level 2 PDUs. (Empty)

auth-keychain-l1 Authentication key-chain for level 1 PDUs. (Empty)

auth-keychain-l2 Authentication key-chain for level 2 PDUs. (Empty)

auth-sendonly-l1 Enable/disable level 1 authentication send-only. disable

auth-sendonly-l2 Enable/disable level 2 authentication send-only. disable

ignore-lsp-errors Enable/disable ignoring of LSP errors with bad checksums. disable

lsp-gen-interval-l1 Minimum interval for level 1 LSP regenerating. 30

lsp-gen-interval-l2 Minimum interval for level 2 LSP regenerating. 30

lsp-refresh-interval LSP refresh time in seconds. 900

max-lsp-lifetime Maximum LSP lifetime in seconds. 1200

spf-interval-exp-l1 Level 1 SPF calculation delay. 500 50000

spf-interval-exp-l2 Level 2 SPF calculation delay. 500 50000

dynamic-hostname Enable/disable dynamic hostname. disable

adjacency-check Enable/disable adjacency check. disable

overload-bit Enable/disable signal other routers not to use us in SPF. disable

overload-bit-suppress Suppress overload-bit for the specific prefixes. (Empty)

overload-bit-on-startup Overload-bit only temporarily after reboot. 0

default-originate Enable/disable control distribution of default information. disable

metric-style Use old-style (ISO 10589) or new-style packet formats. narrow

redistribute-l1 Enable/disable redistribute level 1 routes into level 2. disable

redistribute-l1-list Access-list for redistribute l1 to l2. (Empty)

redistribute-l2 Enable/disable redistribute level 2 routes into level 1. disable

redistribute-l2-list Access-list for redistribute l2 to l1. (Empty)

isis-net IS-IS net configuration. (Empty)

isis-interface IS-IS interface configuration. (Empty)

summary-address IS-IS summary addresses. (Empty)

redistribute IS-IS redistribute protocols. (Empty)

router/key-chain
CLI Syntax
config router key-chain
edit <name_str>
set name <string>
config key
edit <name_str>
set id <integer>
set accept-lifetime <user>
set send-lifetime <user>
set key-string <string>
end
end

Description
Configuration Description Default Value

name Key-chain name. (Empty)

key Key table: id, accept-lifetime, send-lifetime and key-string. (Empty)
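Example (added here, not part of the original reference) covering router/key-chain and router/isis together: a key chain with two keys whose accept and send windows overlap, so the MD5 secret can be rotated across all level-1 routers without losing adjacencies, referenced from both the global IS-IS settings and the interface. Lines beginning with "#" are annotations, not CLI commands. The lifetime arguments are assumed to take the form "hh:mm:ss day month year" for the start and either the same form or "infinite" for the end; key strings, the NET and the interface name are illustrative.

```fortios
# Added example, not from the reference.
config router key-chain
    edit "isis-l1-keys"
        config key
            edit 1
                set key-string "old-key-replace-me"
                # sent until 1 June 2016, still accepted until 1 July 2016
                set accept-lifetime 00:00:00 1 1 2016 00:00:00 1 7 2016
                set send-lifetime 00:00:00 1 1 2016 00:00:00 1 6 2016
            next
            edit 2
                set key-string "new-key-replace-me"
                # accepted a month before it is sent, so routers can be
                # updated one at a time during May without dropping adjacencies
                set accept-lifetime 00:00:00 1 5 2016 infinite
                set send-lifetime 00:00:00 1 6 2016 infinite
            next
        end
    next
end

config router isis
    set is-type level-1
    # global mode/keychain authenticates LSPs, CSNPs and PSNPs
    set auth-mode-l1 md5
    set auth-keychain-l1 "isis-l1-keys"
    # keep the default: do not accept LSPs with bad checksums
    set ignore-lsp-errors disable
    set metric-style wide
    config isis-net
        edit 1
            # area 49.0001, system ID 1921.6800.1001, NSEL 00
            set net 49.0001.1921.6800.1001.00
        next
    end
    config isis-interface
        edit "port3"
            set status enable
            set circuit-type level-1
            set network-type point-to-point
            # interface mode/keychain authenticates hello PDUs
            set auth-mode-l1 md5
            set auth-keychain-l1 "isis-l1-keys"
        next
    end
end
```

The overlap is the whole point of the key chain: during May both keys are accepted while key 1 is still sent, and from June key 2 is sent while key 1 remains accepted until July. Using the same keychain name at both levels of the configuration matters because the global setting covers LSPs and the interface setting covers hellos; leaving either at its default of password (cleartext) or with an empty password means that class of PDU is not authenticated. Note that auth-sendonly-l1 accepts unauthenticated PDUs and is only appropriate while a network is being migrated to authentication.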

router/multicast
CLI Syntax
config router multicast
set route-threshold <integer>
set route-limit <integer>
set igmp-state-limit <integer>
set multicast-routing {enable | disable}
config pim-sm-global
set message-interval <integer>
set join-prune-holdtime <integer>
set accept-register-list <string>
set bsr-candidate {enable | disable}
set bsr-interface <string>
set bsr-priority <integer>
set bsr-hash <integer>
set bsr-allow-quick-refresh {enable | disable}
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <string>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <string>
set register-source-ip <ipv4-address>
set register-supression <integer>
set null-register-retries <integer>
set rp-register-keepalive <integer>
set spt-threshold {enable | disable}
set spt-threshold-group <string>
set ssm {enable | disable}
set ssm-range <string>
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip-address <ipv4-address>
set group <string>
end
end
config interface
edit <name_str>
set name <string>
set ttl-threshold <integer>
set pim-mode {sparse-mode | dense-mode}
set passive {enable | disable}
set bfd {enable | disable}
set neighbour-filter <string>
set hello-interval <integer>
set hello-holdtime <integer>
set cisco-exclude-genid {enable | disable}
set dr-priority <integer>
set propagation-delay <integer>
set state-refresh-interval <integer>
set rp-candidate {enable | disable}
set rp-candidate-group <string>
set rp-candidate-priority <integer>
set rp-candidate-interval <integer>
set multicast-flow <string>
set static-group <string>
config join-group
edit <name_str>
set address <ipv4-address-any>
end
config igmp
set access-group <string>
set version {3 | 2 | 1}
set immediate-leave-group <string>
set last-member-query-interval <integer>
set last-member-query-count <integer>
set query-max-response-time <integer>
set query-interval <integer>
set query-timeout <integer>
set router-alert-check {enable | disable}
end
end
end

Description
Configuration Description Default Value

route-threshold Generate warnings when number of multicast routes exceeds this number. 2147483647

route-limit Maximum number of multicast routes. 2147483647

igmp-state-limit Maximum IGMP memberships (system wide). 3200

multicast-routing Enable/disable multicast routing. disable

pim-sm-global PIM sparse-mode global settings. Details below

Configuration Default Value


message-interval 60
join-prune-holdtime 210
accept-register-list (Empty)
bsr-candidate disable
bsr-interface (Empty)
bsr-priority 0
bsr-hash 10
bsr-allow-quick-refresh disable
cisco-register-checksum disable
cisco-register-checksum-group (Empty)
cisco-crp-prefix disable
cisco-ignore-rp-set-priority disable
register-rp-reachability enable
register-source disable
register-source-interface (Empty)
register-source-ip 0.0.0.0
register-supression 60
null-register-retries 1
rp-register-keepalive 185
spt-threshold enable
spt-threshold-group (Empty)
ssm disable
ssm-range (Empty)
register-rate-limit 0
rp-address (Empty)

interface PIM interfaces. (Empty)

router/multicast-flow
CLI Syntax
config router multicast-flow
edit <name_str>
set name <string>
set comments <string>
config flows
edit <name_str>
set id <integer>
set group-addr <ipv4-address-any>
set source-addr <ipv4-address-any>
end
end

Description
Configuration Description Default Value

name Name. (Empty)

comments Comment. (Empty)

flows Multicast-flow entries. (Empty)
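Example (added here, not part of the original reference) covering router/multicast and router/multicast-flow together: PIM sparse mode with a static RP, registers accepted only for approved sources, state limits so a burst of joins cannot exhaust memory, and a LAN interface that serves IGMP hosts but forms no PIM neighbors and only admits the (S,G) pairs in a multicast-flow list. Lines beginning with "#" are annotations, not CLI commands. It assumes access-lists named "allowed-mcast-sources" and "igmp-allowed" already exist; names and addresses are illustrative.

```fortios
# Added example, not from the reference.
config router multicast-flow
    edit "video-feeds"
        set comments "Source-specific feeds the LAN may join"
        config flows
            edit 1
                set group-addr 232.1.1.10
                set source-addr 192.0.2.50
            next
            edit 2
                set group-addr 232.1.1.11
                set source-addr 192.0.2.50
            next
        end
    next
end

config router multicast
    set multicast-routing enable
    # cap multicast state well below the defaults; warn before the limit
    set route-limit 2000
    set route-threshold 1500
    set igmp-state-limit 500
    config pim-sm-global
        # only registers that pass this list are accepted by the RP
        set accept-register-list "allowed-mcast-sources"
        # packets/sec per registered source (0 = unlimited)
        set register-rate-limit 100
        config rp-address
            edit 1
                set ip-address 10.0.0.1
            next
        end
    end
    config interface
        edit "port1"
            set pim-mode sparse-mode
        next
        edit "port2"
            set pim-mode sparse-mode
            # passive: answer IGMP on this LAN but never form a PIM
            # adjacency with a host that speaks PIM
            set passive enable
            # restrict joins to the listed source/group pairs
            set multicast-flow "video-feeds"
            config igmp
                set version 3
                set access-group "igmp-allowed"
            end
        next
    end
end
```

The two controls on port2 are complementary: access-group filters the groups hosts may report, and multicast-flow pins each permitted group to a known source. Because route-limit and igmp-state-limit are system-wide, set them with the total number of expected groups across all interfaces in mind, and watch for route-threshold warnings in the event log.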

router/multicast6
CLI Syntax
config router multicast6
set multicast-routing {enable | disable}
config interface
edit <name_str>
set name <string>
set hello-interval <integer>
set hello-holdtime <integer>
end
config pim-sm-global
set register-rate-limit <integer>
config rp-address
edit <name_str>
set id <integer>
set ip6-address <ipv6-address>
end
end
end

Description
Configuration Description Default Value

multicast-routing Enable/disable multicast routing. disable

interface PIM interfaces. (Empty)

pim-sm-global PIM sparse-mode global settings. Details below

Configuration Default Value


register-rate-limit 0
rp-address (Empty)

router/ospf
CLI Syntax
config router ospf
set abr-type {cisco | ibm | shortcut | standard}
set auto-cost-ref-bandwidth <integer>
set distance-external <integer>
set distance-inter-area <integer>
set distance-intra-area <integer>
set database-overflow {enable | disable}
set database-overflow-max-lsas <integer>
set database-overflow-time-to-recover <integer>
set default-information-originate {enable | always | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set distance <integer>
set rfc1583-compatible {enable | disable}
set router-id <ipv4-address-any>
set spf-timers <user>
set bfd {enable | disable}
set log-neighbour-changes {enable | disable}
set distribute-list-in <string>
set distribute-route-map-in <string>
set restart-mode {none | lls | graceful-restart}
set restart-period <integer>
config area
edit <name_str>
set id <ipv4-address-any>
set shortcut {disable | enable | default}
set authentication {none | text | md5}
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | always | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set advertise {disable | enable}
set substitute <ipv4-classnet-any>
set substitute-status {enable | disable}
end
config virtual-link
edit <name_str>
set name <string>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
config filter-list
edit <name_str>
set id <integer>
set list <string>
set direction {in | out}
end
end
config ospf-interface
edit <name_str>
set name <string>
set interface <string>
set ip <ipv4-address>
set authentication {none | text | md5}
set authentication-key <password>
set md5-key <user>
set prefix-length <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set hello-multiplier <integer>
set database-filter-out {enable | disable}
set mtu <integer>
set mtu-ignore {enable | disable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
set bfd {global | enable | disable}
set status {disable | enable}
set resync-timeout <integer>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set area <ipv4-address-any>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
config passive-interface
edit <name_str>
set name <string>
end
config summary-address
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
set tag <integer>
set advertise {disable | enable}
end
config distribute-list
edit <name_str>
set id <integer>
set access-list <string>
set protocol {connected | static | rip}
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
set tag <integer>
end
end

Description
Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
distance-external | Administrative external distance. | 110
distance-inter-area | Administrative inter-area distance. | 110
distance-intra-area | Administrative intra-area distance. | 110
database-overflow | Enable/disable database overflow. | disable
database-overflow-max-lsas | Database overflow maximum LSAs. | 10000
database-overflow-time-to-recover | Database overflow time to recover (sec). | 300
default-information-originate | Enable/disable generation of default route. | disable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. | 2
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistribute routes. | 10
distance | Distance of the route. | 110
rfc1583-compatible | Enable/disable RFC1583 compatibility. | disable
router-id | Router ID. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
bfd | Bidirectional Forwarding Detection (BFD). | disable
log-neighbour-changes | Enable logging of OSPF neighbour's changes. | enable
distribute-list-in | Filter incoming routes. | (Empty)
distribute-route-map-in | Filter incoming external routes by route-map. | (Empty)
restart-mode | OSPF restart mode (graceful or LLS). | none
restart-period | Graceful restart period. | 120
area | OSPF area configuration. | (Empty)
ospf-interface | OSPF interface configuration. | (Empty)
network | OSPF network configuration. | (Empty)
neighbor | OSPF neighbor configuration, used when OSPF runs on non-broadcast media. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
summary-address | IP address summary configuration. | (Empty)
distribute-list | Distribute list configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)

router/ospf6
CLI Syntax
config router ospf6
edit <name_str>
set abr-type {cisco | ibm | standard}
set auto-cost-ref-bandwidth <integer>
set default-information-originate {enable | always | disable}
set log-neighbour-changes {enable | disable}
set default-information-metric <integer>
set default-information-metric-type {1 | 2}
set default-information-route-map <string>
set default-metric <integer>
set router-id <ipv4-address-any>
set spf-timers <user>
config area
edit <name_str>
set id <ipv4-address-any>
set default-cost <integer>
set nssa-translator-role {candidate | never | always}
set stub-type {no-summary | summary}
set type {regular | nssa | stub}
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <integer>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
config range
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
end
config virtual-link
edit <name_str>
set name <string>
set dead-interval <integer>
set hello-interval <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
set peer <ipv4-address-any>
end
end
config ospf6-interface
edit <name_str>
set name <string>
set area-id <ipv4-address-any>
set interface <string>
set retransmit-interval <integer>
set transmit-delay <integer>
set cost <integer>
set priority <integer>
set dead-interval <integer>
set hello-interval <integer>
set status {disable | enable}
set network-type {broadcast | non-broadcast | point-to-point | point-to-multipoint | point-to-multipoint-non-broadcast}
config neighbor
edit <name_str>
set ip6 <ipv6-address>
set poll-interval <integer>
set cost <integer>
set priority <integer>
end
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set metric-type {1 | 2}
end
config summary-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-network>
set advertise {disable | enable}
set tag <integer>
end
end

Description
Configuration | Description | Default Value
abr-type | Area border router type. | standard
auto-cost-ref-bandwidth | Reference bandwidth in terms of megabits per second. | 1000
default-information-originate | Enable/disable generation of default route. | disable
log-neighbour-changes | Enable logging of OSPFv3 neighbour's changes. | enable
default-information-metric | Default information metric. | 10
default-information-metric-type | Default information metric type. | 2
default-information-route-map | Default information route map. | (Empty)
default-metric | Default metric of redistribute routes. | 20
router-id | A.B.C.D, in IPv4 address format. | 0.0.0.0
spf-timers | SPF calculation frequency. | 5 10
area | OSPF6 area configuration. | (Empty)
ospf6-interface | OSPF6 interface configuration. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
summary-address | IPv6 address summary configuration. | (Empty)

router/policy
CLI Syntax
config router policy
edit <name_str>
set seq-num <integer>
config input-device
edit <name_str>
set name <string>
end
config src
edit <name_str>
set subnet <string>
end
config srcaddr
edit <name_str>
set name <string>
end
set src-negate {enable | disable}
config dst
edit <name_str>
set subnet <string>
end
config dstaddr
edit <name_str>
set name <string>
end
set dst-negate {enable | disable}
set action {deny | permit}
set protocol <integer>
set start-port <integer>
set end-port <integer>
set start-source-port <integer>
set end-source-port <integer>
set gateway <ipv4-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set comments <var-string>
end

Description
Configuration | Description | Default Value
seq-num | Sequence number. | 0
input-device | Incoming interface name. | (Empty)
src | Source IP and mask (x.x.x.x/x). | (Empty)
srcaddr | Source address name. | (Empty)
src-negate | Enable/disable negated source address match. | disable
dst | Destination IP and mask (x.x.x.x/x). | (Empty)
dstaddr | Destination address name. | (Empty)
dst-negate | Enable/disable negated destination address match. | disable
action | Action of the policy route. | permit
protocol | Protocol number. | 0
start-port | Start destination port number. | 1
end-port | End destination port number. | 65535
start-source-port | Start source port number. | 1
end-source-port | End source port number. | 65535
gateway | IP address of gateway. | 0.0.0.0
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
comments | Comment. | (Empty)

router/policy6
CLI Syntax
config router policy6
edit <name_str>
set seq-num <integer>
set input-device <string>
set src <ipv6-network>
set dst <ipv6-network>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set gateway <ipv6-address>
set output-device <string>
set tos <user>
set tos-mask <user>
set comments <var-string>
end

Description
Configuration | Description | Default Value
seq-num | Sequence number. | 0
input-device | Incoming interface name. | (Empty)
src | Source IPv6 prefix. | ::/0
dst | Destination IPv6 prefix. | ::/0
protocol | Protocol number. | 0
start-port | Start port number. | 1
end-port | End port number. | 65535
gateway | IPv6 address of gateway. | ::
output-device | Outgoing interface name. | (Empty)
tos | Type of service bit pattern. | 0x00
tos-mask | Type of service evaluated bits. | 0x00
comments | Comment. | (Empty)

router/prefix-list
CLI Syntax
config router prefix-list
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/prefix-list6
CLI Syntax
config router prefix-list6
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set prefix6 <user>
set ge <integer>
set le <integer>
set flags <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/rip
CLI Syntax
config router rip
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
set recv-buffer-size <integer>
config distance
edit <name_str>
set id <integer>
set prefix <ipv4-classnet-any>
set distance <integer>
set access-list <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip <ipv4-address>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv4-classnet>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
set version {1 | 2}
config interface
edit <name_str>
set name <string>
set auth-keychain <string>
set auth-mode {none | text | md5}
set auth-string <password>
set receive-version {1 | 2}
set send-version {1 | 2}
set send-version2-broadcast {disable | enable}
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end

Description
Configuration | Description | Default Value
default-information-originate | Enable/disable generation of default route. | disable
default-metric | Default metric. | 1
max-out-metric | Maximum metric allowed to output (0 means 'not set'). | 0
recv-buffer-size | Receiving buffer size. | 655360
distance | Distance. | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | Neighbor. | (Empty)
network | Network. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
version | RIP version. | 2
interface | RIP interface configuration. | (Empty)

router/ripng
CLI Syntax
config router ripng
edit <name_str>
set default-information-originate {enable | disable}
set default-metric <integer>
set max-out-metric <integer>
config distance
edit <name_str>
set id <integer>
set distance <integer>
set prefix6 <ipv6-prefix>
set access-list6 <string>
end
config distribute-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set listname <string>
set interface <string>
end
config neighbor
edit <name_str>
set id <integer>
set ip6 <ipv6-address>
set interface <string>
end
config network
edit <name_str>
set id <integer>
set prefix <ipv6-prefix>
end
config aggregate-address
edit <name_str>
set id <integer>
set prefix6 <ipv6-prefix>
end
config offset-list
edit <name_str>
set id <integer>
set status {enable | disable}
set direction {in | out}
set access-list6 <string>
set offset <integer>
set interface <string>
end
config passive-interface
edit <name_str>
set name <string>
end
config redistribute
edit <name_str>
set name <string>
set status {enable | disable}
set metric <integer>
set routemap <string>
set flags <integer>
end
set update-timer <integer>
set timeout-timer <integer>
set garbage-timer <integer>
config interface
edit <name_str>
set name <string>
set split-horizon-status {enable | disable}
set split-horizon {poisoned | regular}
set flags <integer>
end
end

Description
Configuration | Description | Default Value
default-information-originate | Enable/disable generation of default route. | disable
default-metric | Default metric. | 1
max-out-metric | Maximum metric allowed to output (0 means 'not set'). | 0
distance | Distance. | (Empty)
distribute-list | Distribute list. | (Empty)
neighbor | Neighbor. | (Empty)
network | Network. | (Empty)
aggregate-address | Aggregate address. | (Empty)
offset-list | Offset list. | (Empty)
passive-interface | Passive interface configuration. | (Empty)
redistribute | Redistribute configuration. | (Empty)
update-timer | Update timer. | 30
timeout-timer | Timeout timer. | 180
garbage-timer | Garbage timer. | 120
interface | RIPng interface configuration. | (Empty)

router/route-map
CLI Syntax
config router route-map
edit <name_str>
set name <string>
set comments <string>
config rule
edit <name_str>
set id <integer>
set action {permit | deny}
set match-as-path <string>
set match-community <string>
set match-community-exact {enable | disable}
set match-origin {none | egp | igp | incomplete}
set match-interface <string>
set match-ip-address <string>
set match-ip6-address <string>
set match-ip-nexthop <string>
set match-ip6-nexthop <string>
set match-metric <integer>
set match-route-type {1 | 2}
set match-tag <integer>
set set-aggregator-as <integer>
set set-aggregator-ip <ipv4-address-any>
set set-aspath-action {prepend | replace}
config set-aspath
edit <name_str>
set as <string>
end
set set-atomic-aggregate {enable | disable}
set set-community-delete <string>
config set-community
edit <name_str>
set community <string>
end
set set-community-additive {enable | disable}
set set-dampening-reachability-half-life <integer>
set set-dampening-reuse <integer>
set set-dampening-suppress <integer>
set set-dampening-max-suppress <integer>
set set-dampening-unreachability-half-life <integer>
config set-extcommunity-rt
edit <name_str>
set community <string>
end
config set-extcommunity-soo
edit <name_str>
set community <string>
end
set set-ip-nexthop <ipv4-address>
set set-ip6-nexthop <ipv6-address>
set set-ip6-nexthop-local <ipv6-address>
set set-local-preference <integer>
set set-metric <integer>
set set-metric-type {1 | 2}
set set-originator-id <ipv4-address-any>
set set-origin {none | egp | igp | incomplete}
set set-tag <integer>
set set-weight <integer>
set set-flags <integer>
set match-flags <integer>
end
end

Description
Configuration | Description | Default Value
name | Name. | (Empty)
comments | Comment. | (Empty)
rule | Rule. | (Empty)

router/setting
CLI Syntax
config router setting
edit <name_str>
set show-filter <string>
set hostname <string>
end

Description
Configuration | Description | Default Value
show-filter | Prefix-list as filter for showing routes. | (Empty)
hostname | Hostname for this virtual domain router. | (Empty)

router/static
CLI Syntax
config router static
edit <name_str>
set seq-num <integer>
set dst <ipv4-classnet>
set gateway <ipv4-address>
set distance <integer>
set weight <integer>
set priority <integer>
set device <string>
set comment <var-string>
set blackhole {enable | disable}
set dynamic-gateway {enable | disable}
set virtual-wan-link {enable | disable}
set dstaddr <string>
set internet-service <integer>
set internet-service-custom <string>
end

Description
Configuration | Description | Default Value
seq-num | Entry number. | 0
dst | Destination IP and mask for this route. | 0.0.0.0 0.0.0.0
gateway | Gateway IP for this route. | 0.0.0.0
distance | Administrative distance (1 - 255). | 10
weight | Administrative weight (0 - 255). | 0
priority | Administrative priority (0 - 4294967295). | 0
device | Gateway out interface. | (Empty)
comment | Comment. | (Empty)
blackhole | Enable/disable black hole. | disable
dynamic-gateway | Enable use of dynamic gateway retrieved from a DHCP or PPP server. | disable
virtual-wan-link | Enable/disable egress through the virtual-wan-link. | disable
dstaddr | Name of firewall address or address group. | (Empty)
internet-service | Application ID in the Internet service database. | 0
internet-service-custom | Application name in the Internet service custom database. | (Empty)

router/static6
CLI Syntax
config router static6
edit <name_str>
set seq-num <integer>
set dst <ipv6-network>
set gateway <ipv6-address>
set device <string>
set devindex <integer>
set distance <integer>
set priority <integer>
set comment <var-string>
set blackhole {enable | disable}
end

Description
Configuration | Description | Default Value
seq-num | Sequence number. | 0
dst | Destination IPv6 prefix for this route. | ::/0
gateway | Gateway IPv6 address for this route. | ::
device | Gateway out interface or tunnel. | (Empty)
devindex | Device index (0 - 4294967295). | 0
distance | Administrative distance (1 - 255). | 10
priority | Administrative priority (0 - 4294967295). | 0
comment | Comment. | (Empty)
blackhole | Enable/disable black hole. | disable

spamfilter/bwl
CLI Syntax
config spamfilter bwl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set type {ip | email}
set action {reject | spam | clear}
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
set pattern-type {wildcard | regexp}
set email-pattern <string>
end
end

Description
Configuration | Description | Default Value
id | ID. | 0
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Anti-spam black/white list entries. | (Empty)

spamfilter/bword
CLI Syntax
config spamfilter bword
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set pattern <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
set where {subject | body | all}
set language {western | simch | trach | japanese | korean | french | thai | spanish}
set score <integer>
end
end

Description
Configuration | Description | Default Value
id | ID. | 0
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter banned word. | (Empty)

spamfilter/dnsbl
CLI Syntax
config spamfilter dnsbl
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set server <string>
set action {reject | spam}
end
end

Description
Configuration | Description | Default Value
id | ID. | 0
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter DNSBL and ORBL server. | (Empty)

spamfilter/fortishield
CLI Syntax
config spamfilter fortishield
edit <name_str>
set spam-submit-srv <string>
set spam-submit-force {enable | disable}
set spam-submit-txt2htm {enable | disable}
end

Description
Configuration | Description | Default Value
spam-submit-srv | Hostname of the spam submission server. | www.nospammer.net
spam-submit-force | Enable/disable force insertion of a new MIME entity for the submission text. | enable
spam-submit-txt2htm | Enable/disable conversion of text email to HTML email. | enable

spamfilter/iptrust
CLI Syntax
config spamfilter iptrust
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set addr-type {ipv4 | ipv6}
set ip4-subnet <ipv4-classnet>
set ip6-subnet <ipv6-network>
end
end

Description
Configuration | Description | Default Value
id | ID. | 0
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter trusted IP addresses. | (Empty)

spamfilter/mheader
CLI Syntax
config spamfilter mheader
edit <name_str>
set id <integer>
set name <string>
set comment <var-string>
config entries
edit <name_str>
set status {enable | disable}
set id <integer>
set fieldname <string>
set fieldbody <string>
set pattern-type {wildcard | regexp}
set action {spam | clear}
end
end

Description
Configuration | Description | Default Value
id | ID. | 0
name | Name of table. | (Empty)
comment | Comment. | (Empty)
entries | Spam filter MIME header content. | (Empty)

spamfilter/options
CLI Syntax
config spamfilter options
edit <name_str>
set dns-timeout <integer>
end

Description
Configuration | Description | Default Value
dns-timeout | DNS query time out (1 - 30 sec). | 7

spamfilter/profile
CLI Syntax
config spamfilter profile
edit <name_str>
set name <string>
set comment <var-string>
set flow-based {enable | disable}
set replacemsg-group <string>
set spam-log {enable | disable}
set spam-filtering {enable | disable}
set external {enable | disable}
set options {bannedword | spambwl | spamfsip | spamfssubmit | spamfschksum | spamfsurl | spamhelodns | spamraddrdns | spamrbl | spamhdrcheck | spamfsphish}
config imap
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config pop3
edit <name_str>
set log {enable | disable}
set action {pass | tag}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
end
config smtp
edit <name_str>
set log {enable | disable}
set action {pass | tag | discard}
set tag-type {subject | header | spaminfo}
set tag-msg <string>
set hdrip {enable | disable}
set local-override {enable | disable}
end
config mapi
edit <name_str>
set log {enable | disable}
set action {pass | discard}
end
config msn-hotmail
edit <name_str>
set log {enable | disable}
end
config yahoo-mail
edit <name_str>
set log {enable | disable}
end
config gmail
edit <name_str>
set log {enable | disable}
end
set spam-bword-threshold <integer>
set spam-bword-table <integer>
set spam-bwl-table <integer>
set spam-mheader-table <integer>
set spam-rbl-table <integer>
set spam-iptrust-table <integer>
end

Description
Configuration | Description | Default Value
name | Profile name. | (Empty)
comment | Comment. | (Empty)
flow-based | Enable/disable flow-based spam filtering. | disable
replacemsg-group | Replacement message group. | (Empty)
spam-log | Enable/disable spam logging for email filtering. | enable
spam-filtering | Enable/disable spam filtering. | disable
external | Enable/disable external Email inspection. | disable
options | Options. | (Empty)
imap | IMAP. | Details below
    Configuration | Default Value
    log | disable
    action | tag
    tag-type | subject spaminfo
    tag-msg | Spam
pop3 | POP3. | Details below
    Configuration | Default Value
    log | disable
    action | tag
    tag-type | subject spaminfo
    tag-msg | Spam
smtp | SMTP. | Details below
    Configuration | Default Value
    log | disable
    action | discard
    tag-type | subject spaminfo
    tag-msg | Spam
    hdrip | disable
    local-override | disable
mapi | MAPI. | Details below
    Configuration | Default Value
    log | disable
    action | discard
msn-hotmail | MSN Hotmail. | Details below
    Configuration | Default Value
    log | disable
yahoo-mail | Yahoo! Mail. | Details below
    Configuration | Default Value
    log | disable
gmail | Gmail. | Details below
    Configuration | Default Value
    log | disable
spam-bword-threshold | Spam banned word threshold. | 10
spam-bword-table | Anti-spam banned word table ID. | 0
spam-bwl-table | Anti-spam black/white list table ID. | 0
spam-mheader-table | Anti-spam MIME header table ID. | 0
spam-rbl-table | Anti-spam DNSBL table ID. | 0
spam-iptrust-table | Anti-spam IP trust table ID. | 0

system.autoupdate/push-update
CLI Syntax
config system.autoupdate push-update
edit <name_str>
set status {enable | disable}
set override {enable | disable}
set address <ipv4-address-any>
set port <integer>
end

Description
Configuration | Description | Default Value
status | Enable/disable push updates. | disable
override | Enable/disable push update override server. | disable
address | Push update override server. | 0.0.0.0
port | Push update override port. | 9443

system.autoupdate/schedule
CLI Syntax
config system.autoupdate schedule
edit <name_str>
set status {enable | disable}
set frequency {every | daily | weekly}
set time <user>
set day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}
end

Description
Configuration | Description | Default Value
status | Enable/disable scheduled updates. | enable
frequency | Update frequency. | every
time | Update time. | 02:60
day | Update day. | Monday

system.autoupdate/tunneling
CLI Syntax
config system.autoupdate tunneling
edit <name_str>
set status {enable | disable}
set address <string>
set port <integer>
set username <string>
set password <password>
end

Description
Configuration | Description | Default Value
status | Enable/disable web proxy tunnelling. | disable
address | Web proxy IP address or FQDN. | (Empty)
port | Web proxy port. | 0
username | Web proxy username. | (Empty)
password | Web proxy password. | (Empty)

system.dhcp/server
CLI Syntax
config system.dhcp server
edit <name_str>
set id <integer>
set status {disable | enable}
set lease-time <integer>
set mac-acl-default-action {assign | block}
set forticlient-on-net-status {disable | enable}
set dns-service {local | default | specify}
set dns-server1 <ipv4-address>
set dns-server2 <ipv4-address>
set dns-server3 <ipv4-address>
set wifi-ac1 <ipv4-address>
set wifi-ac2 <ipv4-address>
set wifi-ac3 <ipv4-address>
set ntp-service {local | default | specify}
set ntp-server1 <ipv4-address>
set ntp-server2 <ipv4-address>
set ntp-server3 <ipv4-address>
set domain <string>
set wins-server1 <ipv4-address>
set wins-server2 <ipv4-address>
set default-gateway <ipv4-address>
set next-server <ipv4-address>
set netmask <ipv4-netmask>
set interface <string>
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
set timezone-option {disable | default | specify}
set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
set tftp-server <string>
set filename <string>
set option1 <user>
set option2 <user>
set option3 <user>
set option4 <user>
set option5 <user>
set option6 <user>
set server-type {regular | ipsec}
set ip-mode {range | usrgrp}
set conflicted-ip-timeout <integer>
set ipsec-lease-hold <integer>
set auto-configuration {disable | enable}
set ddns-update {disable | enable}
set ddns-server-ip <ipv4-address>
set ddns-zone <string>
set ddns-auth {disable | tsig}
set ddns-keyname <string>
set ddns-key <user>
set ddns-ttl <integer>
set vci-match {disable | enable}
config vci-string
edit <name_str>
set vci-string <string>
end
config exclude-range
edit <name_str>
set id <integer>
set start-ip <ipv4-address>
set end-ip <ipv4-address>
end
config reserved-address
edit <name_str>
set id <integer>
set ip <ipv4-address>
set mac <mac-address>
set action {assign | block | reserved}
set description <var-string>
end
end

Description
Configuration Description Default Value

id ID. 0

status Enable/disable use this DHCP configuration. enable

lease-time Lease time in seconds. 604800

mac-acl-default-action MAC access control default action. assign

forticlient-on-net-status Sending FortiGate serial number as a DHCP enable


option.

dns-service DNS service option. specify

dns-server1 DNS server 1. 0.0.0.0

dns-server2 DNS server 2. 0.0.0.0

dns-server3 DNS server 3. 0.0.0.0

wifi-ac1 WiFi AC 1. 0.0.0.0

wifi-ac2 WiFi AC 2. 0.0.0.0

wifi-ac3 WiFi AC 3. 0.0.0.0

ntp-service NTP service option. specify

ntp-server1 NTP server 1. 0.0.0.0

ntp-server2 NTP server 2. 0.0.0.0

ntp-server3 NTP server 3. 0.0.0.0

domain Domain name. (Empty)

wins-server1 WINS server 1. 0.0.0.0

wins-server2 WINS server 2. 0.0.0.0

default-gateway Enable/disable default gateway. 0.0.0.0

next-server Next bootstrap server. 0.0.0.0

netmask Netmask. 0.0.0.0

CLI Reference for FortiOS 5.4 423


Fortinet Technologies Inc.
interface Interface name. (Empty)

ip-range DHCP IP range configuration. (Empty)

timezone-option Time zone settings. disable

timezone Time zone. 00

tftp-server Hostname or IP address of the TFTP server. (Empty)

filename Boot file name. (Empty)

option1 Option 1. 0

option2 Option 2. 0

option3 Option 3. 0

option4 Option 4. 0

option5 Option 5. 0

option6 Option 6. 0

server-type Type of DHCP service to provide. regular

ip-mode Method used to assign client IP. range

conflicted-ip-timeout Time conflicted IP is removed from the range 1800


(seconds).

ipsec-lease-hold DHCP over IPsec leases expire this many 60


seconds after tunnel down (0 to disable forced-
expiry).

auto-configuration Enable/disable auto configuration. enable

ddns-update Enable/disable DDNS update for DHCP. disable

ddns-server-ip DDNS server IP. 0.0.0.0

ddns-zone Zone of your domain name (ex. DDNS.com). (Empty)

ddns-auth DDNS authentication mode. disable

ddns-keyname DDNS update key name. (Empty)

ddns-key DDNS update key (base 64 encoding). 'ENC AuAHaUUdY1NOrENeFjxC6TXsIjntkrMvREwMTLVsKksjKKAeHgnmgOYHVJsx1EMp4FsdxXlBMGI9fs0Gob4fjHviV670NU8ypyB+szhnVal5VB5J/EQgo1R2WKM='

ddns-ttl TTL. 300

vci-match Enable/disable VCI matching. disable

vci-string VCI strings. (Empty)

exclude-range DHCP exclude range configuration. (Empty)

reserved-address DHCP reserved IP address. (Empty)

system.dhcp6/server
CLI Syntax
config system.dhcp6 server
edit <name_str>
set id <integer>
set status {disable | enable}
set rapid-commit {disable | enable}
set lease-time <integer>
set dns-service {delegated | default | specify}
set dns-server1 <ipv6-address>
set dns-server2 <ipv6-address>
set dns-server3 <ipv6-address>
set domain <string>
set subnet <ipv6-prefix>
set interface <string>
set option1 <user>
set option2 <user>
set option3 <user>
set upstream-interface <string>
set ip-mode {range | delegated}
config ip-range
edit <name_str>
set id <integer>
set start-ip <ipv6-address>
set end-ip <ipv6-address>
end
end

Description
Configuration Description Default Value

id ID. 0

status Enable/disable use this DHCP configuration. enable

rapid-commit Enable/disable allow/disallow rapid commit. disable

lease-time Lease time in seconds. 604800

dns-service DNS service option. specify

dns-server1 DNS server 1. ::

dns-server2 DNS server 2. ::

dns-server3 DNS server 3. ::

domain Domain name. (Empty)

subnet Subnet or subnet-id if the IP mode is delegated. ::/0

interface Interface name. (Empty)

option1 Option 1. 0

option2 Option 2. 0

option3 Option 3. 0

upstream-interface Interface name from where delegated information is provided. (Empty)

ip-mode Method used to assign client IP. range

ip-range DHCP IP range configuration. (Empty)

system.replacemsg/admin
CLI Syntax
config system.replacemsg admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/alertmail
CLI Syntax
config system.replacemsg alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/auth
CLI Syntax
config system.replacemsg auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/device-detection-portal
CLI Syntax
config system.replacemsg device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/ec
CLI Syntax
config system.replacemsg ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/fortiguard-wf
CLI Syntax
config system.replacemsg fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/ftp
CLI Syntax
config system.replacemsg ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/http
CLI Syntax
config system.replacemsg http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/mail
CLI Syntax
config system.replacemsg mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/nac-quar
CLI Syntax
config system.replacemsg nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/nntp
CLI Syntax
config system.replacemsg nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/spam
CLI Syntax
config system.replacemsg spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/sslvpn
CLI Syntax
config system.replacemsg sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/traffic-quota
CLI Syntax
config system.replacemsg traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/utm
CLI Syntax
config system.replacemsg utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.replacemsg/webproxy
CLI Syntax
config system.replacemsg webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end

Description
Configuration Description Default Value

msg-type Message type. (Empty)

buffer Message string. (Empty)

header Header flag. none

format Format flag. none

system.snmp/community
CLI Syntax
config system.snmp community
edit <name_str>
set id <integer>
set name <string>
set status {enable | disable}
config hosts
edit <name_str>
set id <integer>
set source-ip <ipv4-address>
set ip <user>
set interface <string>
set ha-direct {enable | disable}
set host-type {any | query | trap}
end
config hosts6
edit <name_str>
set id <integer>
set source-ipv6 <ipv6-address>
set ipv6 <ipv6-prefix>
set ha-direct {enable | disable}
set interface <string>
set host-type {any | query | trap}
end
set query-v1-status {enable | disable}
set query-v1-port <integer>
set query-v2c-status {enable | disable}
set query-v2c-port <integer>
set trap-v1-status {enable | disable}
set trap-v1-lport <integer>
set trap-v1-rport <integer>
set trap-v2c-status {enable | disable}
set trap-v2c-lport <integer>
set trap-v2c-rport <integer>
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch |
ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented |
fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up |
ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed |
av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert |
power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up |
fswctl-session-down | load-balance-real-server-down | device-new}
end

Description
Configuration Description Default Value

id Community ID. 0

name Community name. (Empty)

status Enable/disable this community. enable

hosts Allow hosts configuration. (Empty)

hosts6 Allow hosts configuration for IPv6. (Empty)

query-v1-status Enable/disable SNMP v1 query. enable

query-v1-port SNMP v1 query port. 161

query-v2c-status Enable/disable SNMP v2c query. enable

query-v2c-port SNMP v2c query port. 161

trap-v1-status Enable/disable SNMP v1 trap. enable

trap-v1-lport SNMP v1 trap local port. 162

trap-v1-rport SNMP v1 trap remote port. 162

trap-v2c-status Enable/disable SNMP v2c trap. enable

trap-v2c-lport SNMP v2c trap local port. 162

trap-v2c-rport SNMP v2c trap remote port. 162

events SNMP trap events. cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch
ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented
fm-if-change bgp-established bgp-backward-transition ha-member-up ha-member-down
ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update
ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect fan-failure
wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balance-real-server-down

system.snmp/sysinfo
CLI Syntax
config system.snmp sysinfo
edit <name_str>
set status {enable | disable}
set engine-id <string>
set description <string>
set contact-info <string>
set location <string>
set trap-high-cpu-threshold <integer>
set trap-low-memory-threshold <integer>
set trap-log-full-threshold <integer>
end

Description
Configuration Description Default Value

status Enable/disable SNMP. disable

engine-id Local SNMP engineID string (maximum 24 characters). (Empty)

description System description. (Empty)

contact-info Contact information. (Empty)

location System location. (Empty)

trap-high-cpu-threshold CPU usage when trap is sent. 80

trap-low-memory-threshold Memory usage when trap is sent. 80

trap-log-full-threshold Log disk usage when trap is sent. 90

system.snmp/user
CLI Syntax
config system.snmp user
edit <name_str>
set name <string>
set status {enable | disable}
set trap-status {enable | disable}
set trap-lport <integer>
set trap-rport <integer>
set queries {enable | disable}
set query-port <integer>
set notify-hosts <ipv4-address>
set notify-hosts6 <ipv6-address>
set source-ip <ipv4-address>
set source-ipv6 <ipv6-address>
set ha-direct {enable | disable}
set events {cpu-high | mem-low | log-full | intf-ip | vpn-tun-up | vpn-tun-down | ha-switch |
ha-hb-failure | ips-signature | ips-anomaly | av-virus | av-oversize | av-pattern | av-fragmented |
fm-if-change | fm-conf-change | bgp-established | bgp-backward-transition | ha-member-up |
ha-member-down | ent-conf-change | av-conserve | av-bypass | av-oversize-passed |
av-oversize-blocked | ips-pkg-update | ips-fail-open | temperature-high | voltage-alert |
power-supply-failure | faz-disconnect | fan-failure | wc-ap-up | wc-ap-down | fswctl-session-up |
fswctl-session-down | load-balance-real-server-down | device-new}
set security-level {no-auth-no-priv | auth-no-priv | auth-priv}
set auth-proto {md5 | sha}
set auth-pwd <password>
set priv-proto {aes | des | aes256 | aes256cisco}
set priv-pwd <password>
end

Description
Configuration Description Default Value

name SNMP user name. (Empty)

status Enable/disable this user. enable

trap-status Enable/disable traps for this user. enable

trap-lport SNMPv3 trap local port. 162

trap-rport SNMPv3 trap remote port. 162

queries Enable/disable queries for this user. enable

query-port SNMPv3 query port. 161

notify-hosts Hosts to send notifications (traps) to. (Empty)

notify-hosts6 IPv6 hosts to send notifications (traps) to. (Empty)

source-ip Source IP for SNMP trap. 0.0.0.0

source-ipv6 Source IPv6 for SNMP trap. ::

ha-direct Enable/disable direct management of HA cluster members. disable

events SNMP notifications (traps) to send. cpu-high mem-low log-full intf-ip vpn-tun-up
vpn-tun-down ha-switch ha-hb-failure ips-signature ips-anomaly av-virus av-oversize av-pattern
av-fragmented fm-if-change bgp-established bgp-backward-transition ha-member-up
ha-member-down ent-conf-change av-conserve av-bypass av-oversize-passed av-oversize-blocked
ips-pkg-update ips-fail-open temperature-high voltage-alert power-supply-failure faz-disconnect
fan-failure wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down
load-balance-real-server-down

security-level Security level for message authentication and encryption. no-auth-no-priv

auth-proto Authentication protocol. sha

auth-pwd Password for authentication protocol. (Empty)

priv-proto Privacy (encryption) protocol. aes

priv-pwd Password for privacy (encryption) protocol. (Empty)

system/accprofile
CLI Syntax

config system accprofile
edit <name_str>
set name <string>
set scope {vdom | global}
set comments <var-string>
set mntgrp {none | read | read-write}
set admingrp {none | read | read-write}
set updategrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write}
set netgrp {none | read | read-write}
set loggrp {none | read | read-write | custom | w | r | rw}
set routegrp {none | read | read-write}
set fwgrp {none | read | read-write | custom | w | r | rw}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom | w | r | rw}
set wanoptgrp {none | read | read-write}
set endpoint-control-grp {none | read | read-write}
set wifi {none | read | read-write}
config fwgrp-permission
edit <name_str>
set policy {none | read | read-write}
set address {none | read | read-write}
set service {none | read | read-write}
set schedule {none | read | read-write}
set packet-capture {none | read | read-write}
set others {none | read | read-write}
end
config loggrp-permission
edit <name_str>
set config {none | read | read-write}
set data-access {none | read | read-write}
set report-access {none | read | read-write}
set threat-weight {none | read | read-write}
end
config utmgrp-permission
edit <name_str>
set antivirus {none | read | read-write}
set ips {none | read | read-write}
set webfilter {none | read | read-write}
set spamfilter {none | read | read-write}
set data-loss-prevention {none | read | read-write}
set application-control {none | read | read-write}
set icap {none | read | read-write}
set casi {none | read | read-write}
set voip {none | read | read-write}
set waf {none | read | read-write}
set dnsfilter {none | read | read-write}
end
end

Description
Configuration Description Default Value

name Profile name. (Empty)

scope Global or single VDOM access restriction. vdom

comments Comment. (Empty)

mntgrp Maintenance. none

admingrp Administrator Users. none

updategrp FortiGuard Update. none

authgrp User & Device. none

sysgrp System Configuration. none

netgrp Network Configuration. none

loggrp Log & Report. none

routegrp Router Configuration. none

fwgrp Firewall Configuration. none

vpngrp VPN Configuration. none

utmgrp Security Profile Configuration. none

wanoptgrp WAN Opt & Cache. none

endpoint-control-grp Endpoint Security. none

wifi Wireless controller. none

fwgrp-permission Custom firewall permission. Details below

Configuration Default Value


policy none
address none
service none
schedule none
packet-capture none
others none

loggrp-permission Custom Log & Report permission. Details below

Configuration Default Value


config none
data-access none
report-access none
threat-weight none

utmgrp-permission Custom UTM permission. Details below

Configuration Default Value


antivirus none
ips none
webfilter none
spamfilter none
data-loss-prevention none
application-control none
icap none
casi none
voip none
waf none
dnsfilter none

system/admin
CLI Syntax
config system admin
edit <name_str>
set name <string>
set wildcard {enable | disable}
set remote-auth {enable | disable}
set remote-group <string>
set password <password-2>
set peer-auth {enable | disable}
set peer-group <string>
set trusthost1 <ipv4-classnet>
set trusthost2 <ipv4-classnet>
set trusthost3 <ipv4-classnet>
set trusthost4 <ipv4-classnet>
set trusthost5 <ipv4-classnet>
set trusthost6 <ipv4-classnet>
set trusthost7 <ipv4-classnet>
set trusthost8 <ipv4-classnet>
set trusthost9 <ipv4-classnet>
set trusthost10 <ipv4-classnet>
set ip6-trusthost1 <ipv6-prefix>
set ip6-trusthost2 <ipv6-prefix>
set ip6-trusthost3 <ipv6-prefix>
set ip6-trusthost4 <ipv6-prefix>
set ip6-trusthost5 <ipv6-prefix>
set ip6-trusthost6 <ipv6-prefix>
set ip6-trusthost7 <ipv6-prefix>
set ip6-trusthost8 <ipv6-prefix>
set ip6-trusthost9 <ipv6-prefix>
set ip6-trusthost10 <ipv6-prefix>
set accprofile <string>
set allow-remove-admin-session {enable | disable}
set comments <var-string>
set hidden <integer>
config vdom
edit <name_str>
set name <string>
end
set is-admin <integer>
set ssh-public-key1 <user>
set ssh-public-key2 <user>
set ssh-public-key3 <user>
set ssh-certificate <string>
set schedule <string>
set accprofile-override {enable | disable}
set radius-vdom-override {enable | disable}
set password-expire <user>
set force-password-change {enable | disable}
config dashboard
edit <name_str>
set id <integer>
set widget-type {sysinfo | licinfo | sysop | sysres | alert | jsconsole | raid
| tr-history | analytics | usb-modem}
set name <string>
set column <integer>
set refresh-interval <integer>
set time-period <integer>
set chart-color <integer>
set top-n <integer>
set sort-by {bytes | msg-counts | packets | bandwidth | sessions}
set report-by {source | destination | application | dlp-rule | dlp-sensor | po
licy | protocol | web-category | web-domain | all | profile}
set ip-version {ipboth | ipv4 | ipv6}
set resolve-host {enable | disable}
set resolve-service {enable | disable}
set aggregate-hosts {enable | disable}
set resolve-apps {enable | disable}
set display-format {chart | table | line}
set view-type {real-time | historical}
set cpu-display-type {average | each}
set interface <string>
set dst-interface <string>
set tr-history-period1 <integer>
set tr-history-period2 <integer>
set tr-history-period3 <integer>
set vdom <string>
set refresh {enable | disable}
set status {close | open}
set protocols <integer>
set show-system-restart {enable | disable}
set show-conserve-mode {enable | disable}
set show-firmware-change {enable | disable}
set show-fds-update {enable | disable}
set show-device-update {enable | disable}
set show-fds-quota {enable | disable}
set show-disk-failure {enable | disable}
set show-power-supply {enable | disable}
set show-admin-auth {enable | disable}
set show-fgd-alert {enable | disable}
set show-fcc-license {enable | disable}
set show-policy-overflow {enable | disable}
end
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set guest-auth {disable | enable}
config guest-usergroups
edit <name_str>
set name <string>
end
set guest-lang <string>
set history0 <password-2>
set history1 <password-2>
config login-time
edit <name_str>
set usr-name <string>
set last-login <datetime>
set last-failed-login <datetime>
end
end

Description
Configuration Description Default Value

name User name. (Empty)

wildcard Enable/disable wildcard RADIUS authentication. disable

remote-auth Enable/disable remote authentication. disable

remote-group User group name used for remote auth. (Empty)

password Admin user password. ENC XXUp2ozpdysrQ

peer-auth Enable/disable peer authentication. disable

peer-group Peer group name. (Empty)

trusthost1 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost2 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost3 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost4 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost5 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost6 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost7 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost8 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost9 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

trusthost10 Admin user trust host IP, default 0.0.0.0 0.0.0.0 for all. 0.0.0.0 0.0.0.0

ip6-trusthost1 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost2 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost3 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost4 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost5 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost6 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost7 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost8 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost9 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

ip6-trusthost10 Admin user IPv6 trust host IP, default ::/0 for all. ::/0

accprofile Admin user access profile. (Empty)

allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users. enable

comments Comment. (Empty)

hidden Admin user hidden attribute. 0

vdom Virtual domains. (Empty)

is-admin Is user admin. 0

ssh-public-key1 SSH public key1. (Empty)

ssh-public-key2 SSH public key2. (Empty)

ssh-public-key3 SSH public key3. (Empty)

ssh-certificate SSH certificate. (Empty)

schedule Schedule name. (Empty)

accprofile-override Enable/disable allow access profile to be overridden from remote auth server. disable

radius-vdom-override Enable/disable allow VDOM to be overridden from RADIUS. disable

password-expire Password expire time. 0000-00-00 00:00:00

force-password-change Enable/disable force password change on next login. disable

dashboard GUI custom dashboard. (Empty)

two-factor Enable/disable two-factor authentication. disable

fortitoken Two-factor recipient's FortiToken serial number. (Empty)

email-to Two-factor recipient's email address. (Empty)

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server Two-factor recipient's SMS server. (Empty)

sms-phone Two-factor recipient's mobile phone number. (Empty)

guest-auth Enable/disable guest authentication. disable

guest-usergroups Select guest user groups. (Empty)

guest-lang Guest management portal language. (Empty)

history0 history0 ENC

history1 history1 ENC

login-time Record user login time. (Empty)

system/alarm
CLI Syntax
config system alarm
edit <name_str>
set status {enable | disable}
set audible {enable | disable}
set sequence <integer>
config groups
edit <name_str>
set id <integer>
set period <integer>
set admin-auth-failure-threshold <integer>
set admin-auth-lockout-threshold <integer>
set user-auth-failure-threshold <integer>
set user-auth-lockout-threshold <integer>
set replay-attempt-threshold <integer>
set self-test-failure-threshold <integer>
set log-full-warning-threshold <integer>
set encryption-failure-threshold <integer>
set decryption-failure-threshold <integer>
config fw-policy-violations
edit <name_str>
set id <integer>
set threshold <integer>
set src-ip <ipv4-address>
set dst-ip <ipv4-address>
set src-port <integer>
set dst-port <integer>
end
set fw-policy-id <integer>
set fw-policy-id-threshold <integer>
end
end

Description
Configuration Description Default Value

status Enable/disable alarm. disable

audible Enable/disable audible alarm. disable

sequence Sequence ID of alarms. 0

groups Alarm groups. (Empty)

system/arp-table
CLI Syntax
config system arp-table
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set mac <mac-address>
end

Description
Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface name. (Empty)

ip IP address. 0.0.0.0

mac MAC address. 00:00:00:00:00:00

system/auto-install
CLI Syntax
config system auto-install
edit <name_str>
set auto-install-config {enable | disable}
set auto-install-image {enable | disable}
set default-config-file <string>
set default-image-file <string>
end

Description
Configuration Description Default Value

auto-install-config Enable/disable auto install the config in USB disk. disable

auto-install-image Enable/disable auto install the image in USB disk. disable

default-config-file Default config file name in USB disk. fgt_system.conf

default-image-file Default image file name in USB disk. image.out

system/auto-script
CLI Syntax
config system auto-script
edit <name_str>
set name <string>
set interval <integer>
set repeat <integer>
set start {manual | auto}
set script <var-string>
end

Description
Configuration Description Default Value

name Auto script name. (Empty)

interval Repeat interval in seconds. 0

repeat Number of times to repeat this script (0 = infinite). 1

start Script starting mode. manual

script List of FortiOS CLI commands to repeat. (Empty)

system/central-management
CLI Syntax
config system central-management
edit <name_str>
set mode {normal | backup}
set type {fortimanager | fortiguard | none}
set schedule-config-restore {enable | disable}
set schedule-script-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-pushd-firmware {enable | disable}
set allow-remote-firmware-upgrade {enable | disable}
set allow-monitor {enable | disable}
set serial-number <user>
set fmg <string>
set fmg-source-ip <ipv4-address>
set fmg-source-ip6 <ipv6-address>
set vdom <string>
config server-list
edit <name_str>
set id <integer>
set server-type {update | rating}
set addr-type {ipv4 | ipv6}
set server-address <ipv4-address>
set server-address6 <ipv6-address>
end
set include-default-servers {enable | disable}
set enc-algorithm {default | high | low}
end

Description
Configuration Description Default Value

mode Normal/backup management mode. normal

type Type of management server. none

schedule-config-restore Enable/disable scheduled configuration restore. enable

schedule-script-restore Enable/disable scheduled script restore. enable

allow-push-configuration Enable/disable push configuration. enable

allow-pushd-firmware Enable/disable push firmware. enable

allow-remote-firmware-upgrade Enable/disable remote firmware upgrade. enable

allow-monitor Enable/disable remote monitoring of device. enable

serial-number Serial number. (Empty)

fmg Address of FortiManager (IP or FQDN name). (Empty)

fmg-source-ip Source IPv4 address to use when connecting to 0.0.0.0


FortiManager.

fmg-source-ip6 Source IPv6 address to use when connecting to ::


FortiManager.

vdom Virtual domain name. root

server-list FortiGuard override server list. (Empty)

include-default-servers Enable/disable inclusion of public FortiGuard enable


servers in the override server list.

enc-algorithm Use SSL encryption. high

CLI Reference for FortiOS 5.4 487


Fortinet Technologies Inc.
system/cluster-sync

CLI Syntax

config system cluster-sync
    edit <name_str>
        set sync-id <integer>
        set peervd <string>
        set peerip <ipv4-address>
        config syncvd
            edit <name_str>
                set name <string>
            end
        config session-sync-filter
            edit <name_str>
                set srcintf <string>
                set dstintf <string>
                set srcaddr <ipv4-classnet-any>
                set dstaddr <ipv4-classnet-any>
                set srcaddr6 <ipv6-network>
                set dstaddr6 <ipv6-network>
                config custom-service
                    edit <name_str>
                        set id <integer>
                        set src-port-range <user>
                        set dst-port-range <user>
                    end
            end
    end

Description

sync-id              Sync ID.  Default: 0
peervd               Peer connecting VDOM.  Default: root
peerip               Peer connecting IP.  Default: 0.0.0.0
syncvd               VDOM of which sessions need to be synced.  Default: (Empty)
session-sync-filter  Session sync filter.  Defaults for its sub-entries are listed below.

    srcintf          Default: (Empty)
    dstintf          Default: (Empty)
    srcaddr          Default: 0.0.0.0 0.0.0.0
    dstaddr          Default: 0.0.0.0 0.0.0.0
    srcaddr6         Default: ::/0
    dstaddr6         Default: ::/0
    custom-service   Default: (Empty)

system/console

CLI Syntax

config system console
    edit <name_str>
        set mode {batch | line}
        set baudrate {9600 | 19200 | 38400 | 57600 | 115200}
        set output {standard | more}
        set login {enable | disable}
        set fortiexplorer {enable | disable}
    end

Description

mode           Console mode.  Default: line
baudrate       Console baud rate.  Default: 9600
output         Console output mode.  Default: more
login          Enable/disable serial console and FortiExplorer.  Default: enable
fortiexplorer  Enable/disable access for FortiExplorer.  Default: enable

system/custom-language

CLI Syntax

config system custom-language
    edit <name_str>
        set name <string>
        set filename <string>
        set comments <var-string>
    end

Description

name      Name.  Default: (Empty)
filename  Custom language file path.  Default: (Empty)
comments  Comment.  Default: (Empty)

system/ddns

CLI Syntax

config system ddns
    edit <name_str>
        set ddnsid <integer>
        set ddns-server {dyndns.org | dyns.net | ods.org | tzo.com | vavic.com | dipdns.net | now.net.cn | dhs.org | easydns.com | genericDDNS | FortiGuardDDNS}
        set ddns-server-ip <ipv4-address>
        set ddns-zone <string>
        set ddns-ttl <integer>
        set ddns-auth {disable | tsig}
        set ddns-keyname <string>
        set ddns-key <user>
        set ddns-domain <string>
        set ddns-username <string>
        set ddns-sn <string>
        set ddns-password <password>
        set use-public-ip {disable | enable}
        set bound-ip <ipv4-address>
        config monitor-interface
            edit <name_str>
                set interface-name <string>
            end
    end

Description

ddnsid             DDNS ID.  Default: 0
ddns-server        DDNS server.  Default: (Empty)
ddns-server-ip     Generic DDNS server IP.  Default: 0.0.0.0
ddns-zone          Zone of your domain name (ex. DDNS.com).  Default: (Empty)
ddns-ttl           TTL.  Default: 300
ddns-auth          DDNS authentication mode.  Default: disable
ddns-keyname       DDNS update key name.  Default: (Empty)
ddns-key           DDNS update key (base 64 encoding).  Default: 'ENC L97VaR0bKQoAAeh+O+39Q85hAnL3Fl7t4UL1eLfgKdgTSHZUCAnVYM1U9oVgGyVRfy6HlPmrFFsS9nlLExpJmd1pwYrf7jCCjr0lx5+1WNFyP50Fgz7fsLe43Lc='
ddns-domain        Your domain name (ex. yourname.DDNS.com).  Default: (Empty)
ddns-username      DDNS user name.  Default: (Empty)
ddns-sn            DDNS Serial Number.  Default: (Empty)
ddns-password      DDNS password.  Default: (Empty)
use-public-ip      Enable/disable use of public IP address.  Default: disable
bound-ip           Bound IP address.  Default: 0.0.0.0
monitor-interface  Monitored interface.  Default: (Empty)

system/dedicated-mgmt

CLI Syntax

config system dedicated-mgmt
    edit <name_str>
        set status {enable | disable}
        set interface <string>
        set default-gateway <ipv4-address>
        set dhcp-server {enable | disable}
        set dhcp-netmask <ipv4-netmask>
        set dhcp-start-ip <ipv4-address>
        set dhcp-end-ip <ipv4-address>
    end

Description

status           Enable/disable dedicated management.  Default: disable
interface        Dedicated management interface.  Default: (Empty)
default-gateway  Default gateway for dedicated management interface.  Default: 0.0.0.0
dhcp-server      Enable/disable DHCP server on management interface.  Default: disable
dhcp-netmask     DHCP netmask.  Default: 0.0.0.0
dhcp-start-ip    DHCP start IP for dedicated management.  Default: 0.0.0.0
dhcp-end-ip      DHCP end IP for dedicated management.  Default: 0.0.0.0

system/dns

CLI Syntax

config system dns
    edit <name_str>
        set primary <ipv4-address>
        set secondary <ipv4-address>
        set domain <string>
        set ip6-primary <ipv6-address>
        set ip6-secondary <ipv6-address>
        set dns-cache-limit <integer>
        set dns-cache-ttl <integer>
        set cache-notfound-responses {disable | enable}
        set source-ip <ipv4-address>
    end

Description

primary                   Primary DNS IP.  Default: 0.0.0.0
secondary                 Secondary DNS IP.  Default: 0.0.0.0
domain                    Local domain name.  Default: (Empty)
ip6-primary               IPv6 primary DNS IP.  Default: ::
ip6-secondary             IPv6 secondary DNS IP.  Default: ::
dns-cache-limit           Maximum number of entries in DNS cache.  Default: 5000
dns-cache-ttl             TTL in DNS cache.  Default: 1800
cache-notfound-responses  Enable/disable cache NOTFOUND responses from DNS server.  Default: disable
source-ip                 Source IP for communications to DNS server.  Default: 0.0.0.0

system/dns-database

CLI Syntax

config system dns-database
    edit <name_str>
        set name <string>
        set status {enable | disable}
        set domain <string>
        set allow-transfer <user>
        set type {master | slave}
        set view {shadow | public}
        set ip-master <ipv4-address-any>
        set primary-name <string>
        set contact <string>
        set ttl <integer>
        set authoritative {enable | disable}
        set forwarder <user>
        set source-ip <ipv4-address>
        config dns-entry
            edit <name_str>
                set id <integer>
                set status {enable | disable}
                set type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}
                set ttl <integer>
                set preference <integer>
                set ip <ipv4-address-any>
                set ipv6 <ipv6-address>
                set hostname <string>
                set canonical-name <string>
            end
    end

Description

name            Zone name.  Default: (Empty)
status          Enable/disable DNS zone status.  Default: enable
domain          Domain name.  Default: (Empty)
allow-transfer  DNS zone transfer IP address list.  Default: (Empty)
type            Zone type ('master' to manage entries directly, 'slave' to import entries from outside).  Default: master
view            Zone view ('public' to serve public clients, 'shadow' to serve internal clients).  Default: shadow
ip-master       IP address of master DNS server to import entries of this zone.  Default: 0.0.0.0
primary-name    Domain name of the default DNS server for this zone.  Default: dns
contact         Email address of the administrator for this zone. You can specify only the username (e.g. admin) or a full email address (e.g. admin.ca@test.com). When using a simple username, the domain of the email will be this zone.  Default: hostmaster
ttl             Default time-to-live value in units of seconds for the entries of this zone (0 - 2147483647).  Default: 86400
authoritative   Enable/disable authoritative zone.  Default: enable
forwarder       DNS zone forwarder IP address list.  Default: (Empty)
source-ip       Source IP for forwarding to DNS server.  Default: 0.0.0.0
dns-entry       DNS entry.  Default: (Empty)

system/dns-server

CLI Syntax

config system dns-server
    edit <name_str>
        set name <string>
        set mode {recursive | non-recursive | forward-only}
        set dnsfilter-profile <string>
    end

Description

name               DNS server name.  Default: (Empty)
mode               DNS server mode.  Default: recursive
dnsfilter-profile  DNS filter profile.  Default: (Empty)

system/dscp-based-priority

CLI Syntax

config system dscp-based-priority
    edit <name_str>
        set id <integer>
        set ds <integer>
        set priority {low | medium | high}
    end

Description

id        Item ID.  Default: 0
ds        DSCP (DiffServ) DS value (0 - 63).  Default: 0
priority  DSCP based priority level.  Default: high

system/email-server

CLI Syntax

config system email-server
    edit <name_str>
        set type {custom}
        set reply-to <string>
        set server <string>
        set port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set authenticate {enable | disable}
        set validate-server {enable | disable}
        set username <string>
        set password <password>
        set security {none | starttls | smtps}
    end

Description

type             Use FortiGuard Message service or custom server.  Default: custom
reply-to         Reply-To email address.  Default: (Empty)
server           SMTP server IP address or hostname.  Default: (Empty)
port             SMTP server port.  Default: 25
source-ip        SMTP server source IP.  Default: 0.0.0.0
source-ip6       SMTP server source IPv6.  Default: ::
authenticate     Enable/disable authentication.  Default: disable
validate-server  Enable/disable validation of server certificate.  Default: disable
username         SMTP server user name for authentication.  Default: (Empty)
password         SMTP server user password for authentication.  Default: (Empty)
security         Connection security.  Default: none

system/fips-cc

CLI Syntax

config system fips-cc
    edit <name_str>
        set status {enable | disable}
        set entropy-token {enable | disable | dynamic}
        set error-flag {error-mode | exit-ready}
        set error-cause {none | memory | disk | syslog}
        set self-test-period <integer>
        set key-generation-self-test {enable | disable}
    end

Description

status                    Enable/disable FIPS-CC mode.  Default: disable
entropy-token             Enable/disable/dynamic entropy token.  Default: dynamic
error-flag                Hidden CC error flag.  Default: (Empty)
error-cause               Hidden CC error cause.  Default: none
self-test-period          Self test period.  Default: 1440
key-generation-self-test  Enable/disable self tests after key generation.  Default: disable

system/fm

CLI Syntax

config system fm
    edit <name_str>
        set status {enable | disable}
        set id <string>
        set ip <ipv4-address>
        set vdom <string>
        set auto-backup {enable | disable}
        set scheduled-config-restore {enable | disable}
        set ipsec {enable | disable}
    end

Description

status                    Enable/disable FM.  Default: disable
id                        ID.  Default: (Empty)
ip                        IP address.  Default: 0.0.0.0
vdom                      VDOM.  Default: root
auto-backup               Enable/disable automatic backup.  Default: disable
scheduled-config-restore  Enable/disable scheduled configuration restore.  Default: disable
ipsec                     Enable/disable IPsec.  Default: disable

system/fortiguard

CLI Syntax

config system fortiguard
    edit <name_str>
        set port {53 | 8888 | 80}
        set service-account-id <string>
        set load-balance-servers <integer>
        set antispam-force-off {enable | disable}
        set antispam-cache {enable | disable}
        set antispam-cache-ttl <integer>
        set antispam-cache-mpercent <integer>
        set antispam-license <integer>
        set antispam-expiration <integer>
        set antispam-timeout <integer>
        set avquery-force-off {}
        set avquery-cache {}
        set avquery-cache-ttl <integer>
        set avquery-cache-mpercent <integer>
        set avquery-license <integer>
        set avquery-timeout <integer>
        set webfilter-force-off {enable | disable}
        set webfilter-cache {enable | disable}
        set webfilter-cache-ttl <integer>
        set webfilter-license <integer>
        set webfilter-expiration <integer>
        set webfilter-timeout <integer>
        set sdns-server-ip <user>
        set sdns-server-port <integer>
        set source-ip <ipv4-address>
        set source-ip6 <ipv6-address>
        set ddns-server-ip <ipv4-address>
        set ddns-server-port <integer>
    end

Description

port                     Port used to communicate with the FortiGuard servers.  Default: 53
service-account-id       Service account ID.  Default: (Empty)
load-balance-servers     Number of servers to alternate between as first FortiGuard option.  Default: 1
antispam-force-off       Enable/disable forcibly disabling the service.  Default: disable
antispam-cache           Enable/disable FortiGuard antispam cache.  Default: enable
antispam-cache-ttl       Time-to-live for cache entries in seconds (300 - 86400).  Default: 1800
antispam-cache-mpercent  Maximum percent of memory the cache is allowed to use (1-15%).  Default: 2
antispam-license         License type.  Default: 4294967295
antispam-expiration      License expiration.  Default: 0
antispam-timeout         Query time out (1 - 30 seconds).  Default: 7
avquery-force-off        avquery-force-off
avquery-cache            avquery-cache
avquery-cache-ttl        avquery-cache-ttl
avquery-cache-mpercent   avquery-cache-mpercent
avquery-license          avquery-license
avquery-timeout          avquery-timeout
webfilter-force-off      Enable/disable forcibly disabling the service.  Default: disable
webfilter-cache          Enable/disable FortiGuard webfilter cache.  Default: enable
webfilter-cache-ttl      Time-to-live for cache entries in seconds (300 - 86400).  Default: 3600
webfilter-license        License type.  Default: 4294967295
webfilter-expiration     License expiration.  Default: 0
webfilter-timeout        Query time out (1 - 30 seconds).  Default: 15
sdns-server-ip           IP address of the FortiDNS server.  Default: (Empty)
sdns-server-port         Port used to communicate with the FortiDNS servers.  Default: 53
source-ip                Source IPv4 address used to communicate with the FortiGuard service.  Default: 0.0.0.0
source-ip6               Source IPv6 address used to communicate with the FortiGuard service.  Default: ::
ddns-server-ip           IP address of the FortiDDNS server.  Default: 0.0.0.0
ddns-server-port         Port used to communicate with the FortiDDNS servers.  Default: 443

system/fortimanager

CLI Syntax

config system fortimanager
    edit <name_str>
        set ip <ipv4-address-any>
        set vdom <string>
        set ipsec {enable | disable}
        set central-management {enable | disable}
        set central-mgmt-auto-backup {enable | disable}
        set central-mgmt-schedule-config-restore {enable | disable}
        set central-mgmt-schedule-script-restore {enable | disable}
    end

Description

ip                                    IP address.  Default: 0.0.0.0
vdom                                  Virtual domain name.  Default: root
ipsec                                 Enable/disable FortiManager IPsec tunnel.  Default: disable
central-management                    Enable/disable FortiManager central management.  Default: disable
central-mgmt-auto-backup              Enable/disable central management auto backup.  Default: disable
central-mgmt-schedule-config-restore  Enable/disable central management schedule config restore.  Default: disable
central-mgmt-schedule-script-restore  Enable/disable central management schedule script restore.  Default: disable

system/fortisandbox

CLI Syntax

config system fortisandbox
    edit <name_str>
        set status {enable | disable}
        set server <ipv4-address-any>
        set source-ip <ipv4-address>
        set enc-algorithm {default | high | low | disable}
        set email <string>
    end

Description

status         Enable/disable FortiSandbox.  Default: disable
server         Server IP.  Default: 0.0.0.0
source-ip      Source IP for communications to FortiSandbox.  Default: 0.0.0.0
enc-algorithm  Enable/disable sending of FortiSandbox data with SSL encryption.  Default: default
email          Notifier email address.  Default: (Empty)

system/fsso-polling

CLI Syntax

config system fsso-polling
    edit <name_str>
        set status {enable | disable}
        set listening-port <integer>
        set authentication {enable | disable}
        set auth-password <password>
    end

Description

status          Enable/disable FSSO Polling Mode status.  Default: enable
listening-port  Listening port to accept clients.  Default: 8000
authentication  Enable/disable FSSO Agent Authentication status.  Default: disable
auth-password   Password to connect to FSSO Agent.  Default: (Empty)

system/geoip-override

CLI Syntax

config system geoip-override
    edit <name_str>
        set name <string>
        set description <string>
        set country-id <string>
        config ip-range
            edit <name_str>
                set id <integer>
                set start-ip <ipv4-address>
                set end-ip <ipv4-address>
            end
    end

Description

name         Location name.  Default: (Empty)
description  Description.  Default: (Empty)
country-id   Country ID.  Default: (Empty)
ip-range     IP range.  Default: (Empty)

system/global

CLI Syntax

config system global
    edit <name_str>
        set language {english | french | spanish | portuguese | japanese | trach | simch | korean}
        set gui-ipv6 {enable | disable}
        set gui-certificates {enable | disable}
        set gui-custom-language {enable | disable}
        set gui-wireless-opensecurity {enable | disable}
        set gui-display-hostname {enable | disable}
        set gui-lines-per-page <integer>
        set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}
        set admin-https-banned-cipher {rc4 | low}
        set admintimeout <integer>
        set admin-console-timeout <integer>
        set admin-concurrent {enable | disable}
        set admin-lockout-threshold <integer>
        set admin-lockout-duration <integer>
        set refresh <integer>
        set interval <integer>
        set failtime <integer>
        set daily-restart {enable | disable}
        set restart-time <user>
        set radius-port <integer>
        set admin-login-max <integer>
        set remoteauthtimeout <integer>
        set ldapconntimeout <integer>
        set batch-cmdb {enable | disable}
        set max-dlpstat-memory <integer>
        set dst {enable | disable}
        set timezone {01 | 02 | 03 | 04 | 05 | 81 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 74 | 14 | 77 | 15 | 16 | 17 | 18 | 19 | 20 | 75 | 21 | 22 | 23 | 24 | 80 | 79 | 25 | 26 | 27 | 28 | 78 | 29 | 30 | 31 | 85 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 83 | 84 | 40 | 41 | 42 | 43 | 39 | 44 | 46 | 47 | 51 | 48 | 45 | 49 | 50 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 62 | 63 | 61 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 00 | 82 | 73 | 86 | 76}
        set ntpserver <string>
        set ntpsync {enable | disable}
        set syncinterval <integer>
        set traffic-priority {tos | dscp}
        set traffic-priority-level {low | medium | high}
        set anti-replay {disable | loose | strict}
        set send-pmtu-icmp {enable | disable}
        set honor-df {enable | disable}
        set split-port <user>
        set revision-image-auto-backup {enable | disable}
        set revision-backup-on-logout {enable | disable}
        set management-vdom <string>
        set hostname <string>
        set strong-crypto {enable | disable}
        set ssh-cbc-cipher {enable | disable}
        set ssh-hmac-md5 {enable | disable}
        set snat-route-change {enable | disable}
        set cli-audit-log {enable | disable}
        set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
        set fds-statistics {enable | disable}
        set fds-statistics-period <integer>
        set multicast-forward {enable | disable}
        set mc-ttl-notchange {enable | disable}
        set asymroute {enable | disable}
        set tcp-option {enable | disable}
        set phase1-rekey {enable | disable}
        set lldp-transmission {enable | disable}
        set explicit-proxy-auth-timeout <integer>
        set sys-perf-log-interval <integer>
        set check-protocol-header {loose | strict}
        set vip-arp-range {unlimited | restricted}
        set optimize {antivirus | session-setup | throughput}
        set reset-sessionless-tcp {enable | disable}
        set allow-traffic-redirect {enable | disable}
        set strict-dirty-session-check {enable | disable}
        set tcp-halfclose-timer <integer>
        set tcp-halfopen-timer <integer>
        set tcp-timewait-timer <integer>
        set udp-idle-timer <integer>
        set block-session-timer <integer>
        set ip-src-port-range <user>
        set pre-login-banner {enable | disable}
        set post-login-banner {disable | enable}
        set tftp {enable | disable}
        set av-failopen {pass | idledrop | off | one-shot}
        set av-failopen-session {enable | disable}
        set check-reset-range {strict | disable}
        set vdom-admin {enable | disable}
        set admin-port <integer>
        set admin-sport <integer>
        set admin-https-redirect {enable | disable}
        set admin-ssh-password {enable | disable}
        set admin-ssh-port <integer>
        set admin-ssh-grace-time <integer>
        set admin-ssh-v1 {enable | disable}
        set admin-telnet-port <integer>
        set admin-maintainer {enable | disable}
        set admin-server-cert <string>
        set user-server-cert <string>
        set admin-https-pki-required {enable | disable}
        set wifi-certificate <string>
        set wifi-ca-certificate <string>
        set auth-http-port <integer>
        set auth-https-port <integer>
        set auth-keepalive {enable | disable}
        set policy-auth-concurrent <integer>
        set auth-cert <string>
        set clt-cert-req {enable | disable}
        set endpoint-control-portal-port <integer>
        set endpoint-control-fds-access {enable | disable}
        set tp-mc-skip-policy {enable | disable}
        set cfg-save {automatic | manual | revert}
        set cfg-revert-timeout <integer>
        set reboot-upon-config-restore {enable | disable}
        set admin-scp {enable | disable}
        set registration-notification {enable | disable}
        set service-expire-notification {enable | disable}
        set wireless-controller {enable | disable}
        set wireless-controller-port <integer>
        set fortiextender-data-port <integer>
        set fortiextender {enable | disable}
        set switch-controller {disable | enable}
        set switch-controller-reserved-network <ipv4-classnet>
        set proxy-worker-count <integer>
        set scanunit-count <integer>
        set ssl-worker-count <integer>
        set proxy-kxp-hardware-acceleration {disable | enable}
        set proxy-cipher-hardware-acceleration {disable | enable}
        set fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}
        set ipsec-hmac-offload {enable | disable}
        set ipv6-accept-dad <integer>
        set csr-ca-attribute {enable | disable}
        set wimax-4g-usb {enable | disable}
        set cert-chain-max <integer>
        set sslvpn-max-worker-count <integer>
        set sslvpn-kxp-hardware-acceleration {enable | disable}
        set sslvpn-cipher-hardware-acceleration {enable | disable}
        set sslvpn-plugin-version-check {enable | disable}
        set two-factor-email-expiry <integer>
        set two-factor-sms-expiry <integer>
        set two-factor-ftm-expiry <integer>
        set per-user-bwl {enable | disable}
        set virtual-server-count <integer>
        set virtual-server-hardware-acceleration {disable | enable}
        set wad-worker-count <integer>
        set login-timestamp {enable | disable}
        set miglogd-children <integer>
        set special-file-23-support {disable | enable}
        set log-uuid {disable | policy-only | extended}
        set arp-max-entry <integer>
        set ips-affinity <string>
        set av-affinity <string>
        set miglog-affinity <string>
        set ndp-max-entry <integer>
        set br-fdb-max-entry <integer>
        set ipsec-asic-offload {enable | disable}
        set device-idle-timeout <integer>
        set compliance-check {enable | disable}
        set compliance-check-time <time>
        set gui-device-latitude <string>
        set gui-device-longitude <string>
        set private-data-encryption {disable | enable}
        set auto-auth-extension-device {enable | disable}
        set gui-theme {green | red | blue | melongene}
    end

Description
Configuration Description Default Value

language GUI display language. english

gui-ipv6 Enable/disable IPv6 settings in GUI. disable

gui-certificates Enable/disable certificates configuration in GUI. enable

gui-custom-language Enable/disable custom languages in GUI. disable

gui-wireless- Enable/disable wireless open security option in disable


opensecurity GUI.

gui-display-hostname Enable/disable display of hostname on GUI login disable


page.

gui-lines-per-page Number of lines to display per page for web 50


administration.

admin-https-ssl- Allowed SSL/TLS versions for web tlsv1-1 tlsv1-2


versions administration.

admin-https-banned- Banned ciphers for web administration. rc4 low


cipher

admintimeout Idle time-out for firewall administration. 5

admin-console-timeout Idle time-out for console. 0

admin-concurrent Enable/disable admin concurrent login. enable

admin-lockout- Lockout threshold for firewall administration. 3


threshold

admin-lockout-duration Lockout duration (sec) for firewall administration. 60

refresh Statistics refresh interval in GUI. 0

interval Dead gateway detection interval. 5

failtime Fail-time for server lost. 5

daily-restart Enable/disable firewall daily reboot. disable

restart-time Daily restart time (hh:mm). 00:00

CLI Reference for FortiOS 5.4 527


Fortinet Technologies Inc.
radius-port RADIUS service port number. 1812

admin-login-max Maximum number admin users logged in at one 100


time (1 - 100).

remoteauthtimeout Remote authentication (RADIUS/LDAP) time-out. 5

ldapconntimeout LDAP connection time-out (0 - 4294967295 500


milliseconds).

batch-cmdb Enable/disable batch mode to execute in CMDB enable


server.

max-dlpstat-memory Maximum DLP stat memory (0 - 4294967295).

dst Enable/disable daylight saving time. enable

timezone Time zone. 00

ntpserver IP address/hostname of NTP Server. (Empty)

ntpsync Enable/disable synchronization with NTP Server. disable

syncinterval NTP synchronization interval. 0

traffic-priority Traffic priority type. tos

traffic-priority-level Default TOS/DSCP priority level. medium

anti-replay Anti-replay control. strict

send-pmtu-icmp Enable/disable sending of PMTU ICMP enable


destination unreachable packet.

honor-df Enable/disable honoring Don't-Fragment flag. enable

split-port Split port(s) to multiple 10Gbps ports. none

revision-image-auto- Enable/disable revision image backup disable


backup automatically when upgrading image.

revision-backup-on- Enable/disable revision config backup disable


logout automatically when logout.

management-vdom Management virtual domain name. root

hostname Firewall hostname. (Empty)

CLI Reference for FortiOS 5.4 528


Fortinet Technologies Inc.
strong-crypto Enable/disable strong crypto for HTTPS/SSH enable
access.

ssh-cbc-cipher Enable/disable CBC cipher for SSH access. enable

ssh-hmac-md5 Enable/disable HMAC-MD5 for SSH access. enable

snat-route-change Enable/disable SNAT route change. disable

cli-audit-log Enable/disable CLI audit log. disable

dh-params Minimum size of Diffie-Hellman prime for 2048


HTTPS/SSH.

fds-statistics Enable/disable FortiGuard statistics. enable

fds-statistics-period FortiGuard statistics update period (1 - 1440 min, 60


default = 60 min).

multicast-forward Enable/disable multicast forwarding. enable

mc-ttl-notchange Enable/disable no modification of multicast TTL. disable

asymroute Enable/disable asymmetric route. disable

tcp-option Enable/disable TCP option. enable

phase1-rekey Enable/disable phase1 rekey. enable

lldp-transmission Enable/disable Link Layer Discovery Protocol disable


(LLDP) transmission.

explicit-proxy-auth- Authentication timeout (sec) for idle sessions in 300


timeout explicit web proxy.

sys-perf-log-interval The interval of performance statistics logging. 5

check-protocol-header Level of checking protocol header. loose

vip-arp-range Control ARP behavior for VIP ranges. restricted

optimize Firmware optimization option. antivirus

reset-sessionless-tcp Enable/disable reset session-less TCP. disable

allow-traffic-redirect Enable/disable allow traffic redirect. enable

CLI Reference for FortiOS 5.4 529


Fortinet Technologies Inc.
strict-dirty-session- Enable/disable strict dirty-session check. enable
check

tcp-halfclose-timer TCP half close timeout (1 - 86400 sec, default = 120


120).

tcp-halfopen-timer TCP half open timeout (1 - 86400 sec, default = 10


10).

tcp-timewait-timer TCP time wait timeout (0 - 300 sec, default = 1). 1

udp-idle-timer UDP idle timeout (1 - 86400 sec, default = 180). 180

block-session-timer Block-session timeout (1-300 sec, default = 30 30


sec).

ip-src-port-range IP source port range for firewall originated traffic. 1024-25000

pre-login-banner Enable/disable pre-login-banner. disable

post-login-banner Enable/disable post-login-banner. disable

tftp Enable/disable TFTP. enable

av-failopen AV fail open option. pass

av-failopen-session Enable/disable AV fail open session option. disable

check-reset-range Drop RST packets if out-of-window. disable

vdom-admin Enable/disable multiple VDOMs mode. disable

admin-port Admin access HTTP port (1 - 65535). 80

admin-sport Admin access HTTPS port (1 - 65535). 443

admin-https-redirect Enable/disable redirection of HTTP admin traffic enable


to HTTPS.

admin-ssh-password Enable/disable password authentication for SSH enable


admin access.

admin-ssh-port Admin access SSH port (1 - 65535). 22

admin-ssh-grace-time Admin access login grace time (10 - 3600 sec). 120

admin-ssh-v1 Enable/disable SSH v1 compatibility. disable

CLI Reference for FortiOS 5.4 530


Fortinet Technologies Inc.
admin-telnet-port Admin access TELNET port (1 - 65535). 23

admin-maintainer Enable/disable login of maintainer user. enable

admin-server-cert Admin HTTPS server certificate. Fortinet_Factory

user-server-cert User HTTPS server certificate. Fortinet_Factory

admin-https-pki- Enable/disable require HTTPS login page when disable


required PKI is enabled.

wifi-certificate WiFi certificate for WPA. Fortinet_Wifi

wifi-ca-certificate WiFi CA certificate for WPA. PositiveSSL_CA

auth-http-port Authentication HTTP port (1 - 65535). 1000

auth-https-port Authentication HTTPS port (1 - 65535). 1003

auth-keepalive Enable/disable use of keep alive to extend disable


authentication.

policy-auth-concurrent Concurrent user to pass firewall authentication. 0

auth-cert HTTPS server certificate for policy authentication. Fortinet_Factory

clt-cert-req Enable/disable require client certificate for GUI disable


login.

endpoint-control-portal- Endpoint control portal port (1 - 65535). 8009


port

endpoint-control-fds- Enable/disable access to FortiGuard servers for enable


access non-compliant endpoints.

tp-mc-skip-policy Enable/disable skip policy check and allow disable


multicast through.

cfg-save Configuration file save mode for changes made automatic


using the CLI.

cfg-revert-timeout Time-out for reverting to the last saved 600


configuration.

reboot-upon-config- Enable/disable reboot of system upon restoring enable


restore configuration.

CLI Reference for FortiOS 5.4 531


Fortinet Technologies Inc.
admin-scp    Enable/disable system configuration download by SCP.    disable
registration-notification    Enable/disable license registration notification.    enable
service-expire-notification    Enable/disable service expiration notification.    enable
wireless-controller    Enable/disable wireless controller.    enable
wireless-controller-port    Local wireless controller port (1024 - 49150).    5246
fortiextender-data-port    FortiExtender controller data port (1024 - 49150).    25246
fortiextender    Enable/disable FortiExtender controller.    disable
switch-controller    Enable/disable switch controller feature.    disable
switch-controller-reserved-network    Reserved network for switch-controller.    169.254.254.0 255.255.254.0
proxy-worker-count    Proxy worker count.    16
scanunit-count    Scanunit count.    39
ssl-worker-count    SSL worker count (0 - 4294967295).
proxy-kxp-hardware-acceleration    Enable/disable use of the content processor to accelerate proxy SSL key exchange (KXP).    enable
proxy-cipher-hardware-acceleration    Enable/disable use of the content processor to encrypt or decrypt proxied traffic.    enable
fgd-alert-subscription    FortiGuard alert subscription.    (Empty)
ipsec-hmac-offload    Enable/disable offload of HMAC to hardware for IPsec VPN.    enable
ipv6-accept-dad    Acceptance of IPv6 DAD (Duplicate Address Detection). 0: disable DAD; 1: enable DAD (default); 2: enable DAD, and disable IPv6 operation if a MAC-based duplicate link-local address is found.    1
csr-ca-attribute    Enable/disable CSR CA attribute.    enable
wimax-4g-usb    Enable/disable WiMAX USB device.    disable
cert-chain-max    Maximum depth for certificate chain.    8
sslvpn-max-worker-count    Maximum number of worker processes for SSL-VPN.    39
sslvpn-kxp-hardware-acceleration    Enable/disable KXP SSL-VPN hardware acceleration.    disable
sslvpn-cipher-hardware-acceleration    Enable/disable SSL-VPN cipher hardware acceleration.    disable
sslvpn-plugin-version-check    Enable/disable SSL-VPN automatic checking of browser plug-in version.    enable
two-factor-email-expiry    Expiration time for email token (30 - 300 sec, default = 60 sec).    60
two-factor-sms-expiry    Expiration time for SMS token (30 - 300 sec, default = 60 sec).    60
two-factor-ftm-expiry    Expiration time for FortiToken Mobile provisioning (1 - 168 hr, default = 72 hr).    72
per-user-bwl    Enable/disable per-user black/white list filter.    disable
virtual-server-count    Number of concurrent virtual server workers.    20
virtual-server-hardware-acceleration    Enable/disable use of the content processor to encrypt or decrypt virtual server traffic.    enable
wad-worker-count    Number of concurrent WAD workers.    20
login-timestamp    Enable/disable login time recording.    disable
miglogd-children    Number of miglogd child processes.    0
special-file-23-support    Enable/disable support for special file 23.    disable
log-uuid    Universally Unique Identifier (UUID) log option.    policy-only
arp-max-entry    Maximum number of ARP table entries (set to 131,072 or higher).    131072
ips-affinity    Affinity setting for IPS (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx; allowed CPUs must be fewer than the total number of IPS engine daemons).    0
av-affinity    Affinity setting for AV scanning (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx).    0
miglog-affinity    Affinity setting for logging (64-bit hexadecimal value in the format xxxxxxxxxxxxxxxx).    0
ndp-max-entry    Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, the kernel holds 65,536 entries).    0
br-fdb-max-entry    Maximum number of bridge forwarding database entries (set to 8192 or higher).    8192
ipsec-asic-offload    Enable/disable ASIC offload for IPsec VPN.    enable
device-idle-timeout    Device idle timeout (30 - 31536000 sec, default = 300 sec).    300
compliance-check    Enable/disable global PCI DSS compliance check.    enable
compliance-check-time    PCI DSS compliance check time.    00:00:00
gui-device-latitude    Physical device latitude coordinate.    (Empty)
gui-device-longitude    Physical device longitude coordinate.    (Empty)
private-data-encryption    Enable/disable private data encryption using an AES 128-bit key.    disable
auto-auth-extension-device    Enable/disable automatic authorization of dedicated Fortinet extension devices globally.    enable
gui-theme    Color scheme to use for the administration GUI.    green

system/gre-tunnel
CLI Syntax
config system gre-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set sequence-number-transmission {disable | enable}
set sequence-number-reception {disable | enable}
set checksum-transmission {disable | enable}
set checksum-reception {disable | enable}
set key-outbound <integer>
set key-inbound <integer>
set auto-asic-offload {enable | disable}
set keepalive-interval <integer>
set keepalive-failtimes <integer>
end

Description
Configuration    Description    Default Value

name    Tunnel name.    (Empty)
interface    Interface name.    (Empty)
remote-gw    IP address of the remote gateway.    0.0.0.0
local-gw    IP address of the local gateway.    0.0.0.0
sequence-number-transmission    Enable/disable inclusion of a sequence number in transmitted GRE packets.    disable
sequence-number-reception    Enable/disable validation of the sequence number in received GRE packets.    disable
checksum-transmission    Enable/disable inclusion of a checksum in transmitted GRE packets.    disable
checksum-reception    Enable/disable validation of the checksum in received GRE packets.    disable
key-outbound    Include this key in transmitted GRE packets (0 - 4294967295).    0
key-inbound    Require received GRE packets to contain this key (0 - 4294967295).    0
auto-asic-offload    Enable/disable tunnel ASIC offloading.    enable
keepalive-interval    Keepalive message interval (0 - 32767, 0 = disabled).    0
keepalive-failtimes    Number of consecutive unreturned keepalive messages before the GRE connection is considered down (1 - 255).    10
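The checksum, sequence-number and key options above map onto the three optional fields of the GRE header (RFC 2784/2890). The following Python is an added example, not Fortinet code, that builds GRE headers carrying those fields and validates received packets the way a peer with key-inbound, checksum-reception and sequence-number-reception enabled would; the inner payload is constructed. The caveat a practitioner should take from it: the key is a 32-bit plaintext tunnel identifier and the checksum is a one's-complement sum, so neither authenticates the peer nor protects the payload, and sequence checking only rejects packets that arrive out of order. Anyone who can observe the tunnel can forge all three; run GRE inside IPsec where integrity or confidentiality is required.

```python
"""Build and validate GRE headers (RFC 2784/2890) as the gre-tunnel checksum,
key and sequence-number options describe. Added example; the payload is constructed."""
import struct

GRE_FLAG_C = 0x8000  # checksum (and reserved1) present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present
ETHERTYPE_IPV4 = 0x0800
VERSION_MASK = 0x0007


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, key=None, seq=None,
              checksum: bool = False) -> bytes:
    """Encapsulate payload; key/seq/checksum mirror key-outbound,
    sequence-number-transmission and checksum-transmission."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    if seq is not None:
        flags |= GRE_FLAG_S
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)  # checksum placeholder + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    pkt = hdr + payload
    if checksum:  # checksum covers the GRE header and payload with the field zeroed
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt


def parse_gre(pkt: bytes, expect_key=None, verify_checksum: bool = False) -> dict:
    """Decode a GRE packet; expect_key and verify_checksum mirror key-inbound and
    checksum-reception. Raises ValueError on anything a receiver would drop."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & VERSION_MASK:
        raise ValueError("unsupported GRE version")
    need = 4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K) + 4 * bool(flags & GRE_FLAG_S)
    if len(pkt) < need:
        raise ValueError("truncated GRE header")
    off, csum, key, seq = 4, None, None, None
    if flags & GRE_FLAG_C:
        csum = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if expect_key is not None and key != expect_key:
        raise ValueError("GRE key mismatch")
    if verify_checksum:
        if csum is None:
            raise ValueError("checksum required but absent")
        if inet_checksum(pkt) != 0:  # a packet with a valid checksum sums to zero
            raise ValueError("bad GRE checksum")
    return {"proto": proto, "key": key, "seq": seq, "payload": pkt[off:]}


class GreReceiver:
    """Receiver with key-inbound, checksum-reception and sequence-number-reception
    all enabled: a packet needs the expected key, a valid checksum and a strictly
    increasing sequence number."""

    def __init__(self, key_inbound: int):
        self.key_inbound = key_inbound
        self.last_seq = None

    def receive(self, pkt: bytes) -> bytes:
        gre = parse_gre(pkt, expect_key=self.key_inbound, verify_checksum=True)
        if gre["seq"] is None:
            raise ValueError("sequence number required but absent")
        if self.last_seq is not None and gre["seq"] <= self.last_seq:
            raise ValueError("replayed or out-of-order sequence number")
        self.last_seq = gre["seq"]
        return gre["payload"]


# Constructed payload standing in for an inner IPv4 packet.
SAMPLE_PAYLOAD = b"\x45\x00\x00\x14constructed-inner-packet"
```

Feeding a captured packet through `GreReceiver(key_inbound=...)` reproduces the receive-side checks; note that a forged packet carrying the right key and a recomputed checksum passes every one of them.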

system/ha
CLI Syntax
config system ha
edit <name_str>
set group-id <integer>
set group-name <string>
set mode {standalone | a-a | a-p}
set password <password>
set key <password>
set hbdev <user>
set session-sync-dev <user>
set route-ttl <integer>
set route-wait <integer>
set route-hold <integer>
set load-balance-all {enable | disable}
set sync-config {enable | disable}
set encryption {enable | disable}
set authentication {enable | disable}
set hb-interval <integer>
set hb-lost-threshold <integer>
set helo-holddown <integer>
set gratuitous-arps {enable | disable}
set arps <integer>
set arps-interval <integer>
set session-pickup {enable | disable}
set session-pickup-connectionless {enable | disable}
set session-pickup-expectation {enable | disable}
set session-pickup-nat {enable | disable}
set session-pickup-delay {enable | disable}
set session-sync-daemon-number <integer>
set link-failed-signal {enable | disable}
set uninterruptible-upgrade {enable | disable}
set standalone-mgmt-vdom {enable | disable}
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <string>
set ha-mgmt-interface-gateway <ipv4-address>
set ha-mgmt-interface-gateway6 <ipv6-address>
set ha-eth-type <string>
set hc-eth-type <string>
set l2ep-eth-type <string>
set ha-uptime-diff-margin <integer>
set standalone-config-sync {enable | disable}
set vcluster2 {enable | disable}
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
set weight <user>
set cpu-threshold <user>
set memory-threshold <user>
set http-proxy-threshold <user>
set ftp-proxy-threshold <user>
set imap-proxy-threshold <user>
set nntp-proxy-threshold <user>
set pop3-proxy-threshold <user>
set smtp-proxy-threshold <user>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set pingserver-flip-timeout <integer>
set vdom <user>
config secondary-vcluster
edit <name_str>
set vcluster-id <integer>
set override {enable | disable}
set priority <integer>
set override-wait-time <integer>
set monitor <user>
set pingserver-monitor-interface <user>
set pingserver-failover-threshold <integer>
set pingserver-slave-force-reset {enable | disable}
set vdom <user>
end
set ha-direct {enable | disable}
end

Description
Configuration    Description    Default Value

group-id    Group ID (0 - 255).    0
group-name    Group name.    (Empty)
mode    HA mode (standalone, a-a, or a-p).    standalone
password    Cluster password.    (Empty)
key    Cluster key.    (Empty)
hbdev    Heartbeat interfaces and their priorities.    "mgmt1" 50
session-sync-dev    Session sync interfaces.    (Empty)
route-ttl    HA route TTL on master (5 - 3600 sec).    10
route-wait    Route update wait time (0 - 3600 sec).    0
route-hold    Wait time between route updates (0 - 3600 sec).    10
load-balance-all    Enable/disable load balancing of all TCP sessions, not only those subject to security profile inspection (a-a mode).    disable
sync-config    Enable/disable configuration synchronization.    enable
encryption    Enable/disable HA message encryption.    disable
authentication    Enable/disable HA message authentication.    disable
hb-interval    Heartbeat interval (1 - 20, in units of 100 ms).    2
hb-lost-threshold    Lost heartbeat threshold (1 - 60).    6
helo-holddown    Hello state hold-down time (5 - 300 sec).    20
gratuitous-arps    Enable/disable gratuitous ARPs.    enable
arps    Number of gratuitous ARPs (1 - 60).    5
arps-interval    Gratuitous ARP interval (1 - 20 sec).    8
session-pickup    Enable/disable session pickup.    disable
session-pickup-connectionless    Enable/disable pickup of non-TCP sessions.    disable
session-pickup-expectation    Enable/disable pickup of expectation sessions.    disable
session-pickup-nat    Enable/disable pickup of NATed sessions.    disable
session-pickup-delay    Enable/disable delaying session sync by 30 seconds.    disable
session-sync-daemon-number    Number of session sync daemon processes.    1
link-failed-signal    Enable/disable link failed signal.    disable
uninterruptible-upgrade    Enable/disable uninterruptible HA upgrade.    enable
standalone-mgmt-vdom    Enable/disable standalone management VDOM.    disable
ha-mgmt-status    Enable/disable HA management interface reservation.    disable
ha-mgmt-interface    Reserved interface for HA management.    (Empty)
ha-mgmt-interface-gateway    Gateway for the reserved HA management interface.    0.0.0.0
ha-mgmt-interface-gateway6    IPv6 gateway for the reserved HA management interface.    ::
ha-eth-type    HA Ethernet type (4-digit hex).    8890
hc-eth-type    HC Ethernet type (4-digit hex).    8891
l2ep-eth-type    L2EP Ethernet type (4-digit hex).    8893
ha-uptime-diff-margin    HA uptime difference margin (sec).    300
standalone-config-sync    Enable/disable standalone config sync.    disable
vcluster2    Enable/disable secondary virtual cluster.    disable
vcluster-id    Cluster ID.    0
override    Enable/disable master HA unit override.    disable
priority    Priority value (0 - 255).    128
override-wait-time    Override wait time (0 - 3600 sec).    0
schedule    Load balancing schedule (a-a mode).    round-robin
weight    Weight for weight-round-robin schedule.    40
cpu-threshold    CPU threshold weight.    500
memory-threshold    Memory threshold weight.    500
http-proxy-threshold    HTTP proxy threshold.    500
ftp-proxy-threshold    FTP proxy threshold.    500
imap-proxy-threshold    IMAP proxy threshold.    500
nntp-proxy-threshold    NNTP proxy threshold.    500
pop3-proxy-threshold    POP3 proxy threshold.    500
smtp-proxy-threshold    SMTP proxy threshold.    500
monitor    Interfaces to monitor.    (Empty)
pingserver-monitor-interface    Monitor interfaces that have a PING server enabled.    (Empty)
pingserver-failover-threshold    Threshold at which HA failover occurs upon PING server failure (0 - 50).    0
pingserver-slave-force-reset    Enable/disable forced reset of the slave after PING server failure.    enable
pingserver-flip-timeout    Minutes to wait before HA failover flip-flop.    60
vdom    VDOM members.    (Empty)
secondary-vcluster    Secondary virtual cluster.    Details below

Configuration    Default Value
vcluster-id    1
override    enable
priority    128
override-wait-time    0
monitor    (Empty)
pingserver-monitor-interface    (Empty)
pingserver-failover-threshold    0
pingserver-slave-force-reset    enable
vdom    (Empty)

ha-direct    Enable/disable sending of messages (logs, SNMP, RADIUS) directly from the ha-mgmt interface.    disable

system/ha-monitor
CLI Syntax
config system ha-monitor
edit <name_str>
set monitor-vlan {enable | disable}
set vlan-hb-interval <integer>
set vlan-hb-lost-threshold <integer>
end

Description
Configuration    Description    Default Value

monitor-vlan    Enable/disable monitoring of VLAN interfaces.    disable
vlan-hb-interval    VLAN heartbeat interval (sec).    5
vlan-hb-lost-threshold    VLAN lost heartbeat threshold (1 - 60).    3

system/interface
CLI Syntax
config system interface
edit <name_str>
set name <string>
set vdom <string>
set cli-conn-status <integer>
set mode {static | dhcp | pppoe}
set distance <integer>
set priority <integer>
set dhcp-relay-service {disable | enable}
set dhcp-relay-ip <user>
set dhcp-relay-type {regular | ipsec}
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
set fail-detect {enable | disable}
set fail-detect-option {detectserver | link-down}
set fail-alert-method {link-failed-signal | link-down}
set fail-action-on-extender {soft-restart | hard-restart | reboot}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
set dhcp-client-identifier <string>
set ipunnumbered <ipv4-address>
set username <string>
set pppoe-unnumbered-negotiate {enable | disable}
set password <password>
set idle-timeout <integer>
set detected-peer-mtu <integer>
set disc-retry-timeout <integer>
set padt-retry-timeout <integer>
set service-name <string>
set ac-name <string>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set defaultgw {enable | disable}
set dns-server-override {enable | disable}
set auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-client {enable | disable}
set pptp-user <string>
set pptp-password <password>
set pptp-server-ip <ipv4-address>
set pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}
set pptp-timeout <integer>
set arpforward {enable | disable}
set ndiscforward {enable | disable}
set broadcast-forward {enable | disable}
set bfd {global | enable | disable}
set bfd-desired-min-tx <integer>
set bfd-detect-mult <integer>
set bfd-required-min-rx <integer>
set l2forward {enable | disable}
set icmp-redirect {enable | disable}
set vlanforward {enable | disable}
set stpforward {enable | disable}
set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
set ips-sniffer-mode {enable | disable}
set ident-accept {enable | disable}
set ipmac {enable | disable}
set subst {enable | disable}
set macaddr <mac-address>
set substitute-dst-mac <mac-address>
set speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto | 10000full | 10000auto | 40000full}
set status {up | down}
set netbios-forward {disable | enable}
set wins-ip <ipv4-address>
set type {physical | vlan | aggregate | redundant | fortilink | tunnel | vdom-link | loopback | switch | hard-switch | vap-switch | wl-mesh | fext-wan | hdlc | switch-vlan}
set dedicated-to {none | management}
set trust-ip-1 <ipv4-classnet-any>
set trust-ip-2 <ipv4-classnet-any>
set trust-ip-3 <ipv4-classnet-any>
set trust-ip6-1 <ipv6-prefix>
set trust-ip6-2 <ipv6-prefix>
set trust-ip6-3 <ipv6-prefix>
set mtu-override {enable | disable}
set mtu <integer>
set wccp {enable | disable}
set nst {enable | disable}
set netflow-sampler {disable | tx | rx | both}
set sflow-sampler {enable | disable}
set drop-overlapped-fragment {enable | disable}
set drop-fragment {enable | disable}
set scan-botnet-connections {disable | block | monitor}
set sample-rate <integer>
set polling-interval <integer>
set sample-direction {tx | rx | both}
set explicit-web-proxy {enable | disable}
set explicit-ftp-proxy {enable | disable}
set tcp-mss <integer>
set mediatype {serdes-sfp | sgmii-sfp | serdes-copper-sfp}
set fp-anomaly {pass_winnuke | pass_tcpland | pass_udpland | pass_icmpland | pass_ipland | pass_iprr | pass_ipssrr | pass_iplsrr | pass_ipstream | pass_ipsecurity | pass_iptimestamp | pass_ipunknown_option | pass_ipunknown_prot | pass_icmp_frag | pass_tcp_no_flag | pass_tcp_fin_noack | drop_winnuke | drop_tcpland | drop_udpland | drop_icmpland | drop_ipland | drop_iprr | drop_ipssrr | drop_iplsrr | drop_ipstream | drop_ipsecurity | drop_iptimestamp | drop_ipunknown_option | drop_ipunknown_prot | drop_icmp_frag | drop_tcp_no_flag | drop_tcp_fin_noack}
set inbandwidth <integer>
set outbandwidth <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set weight <integer>
set interface <string>
set external {enable | disable}
set vlanid <integer>
set forward-domain <integer>
set remote-ip <ipv4-address-any>
config member
edit <name_str>
set interface-name <string>
end
set lacp-mode {static | passive | active}
set lacp-ha-slave {enable | disable}
set lacp-speed {slow | fast}
set min-links <integer>
set min-links-down {operational | administrative}
set algorithm {L2 | L3 | L4}
set link-up-delay <integer>
set priority-override {enable | disable}
set aggregate <string>
set redundant-interface <string>
set fortilink <string>
set managed-device <string>
set devindex <integer>
set vindex <integer>
set switch <string>
set description <var-string>
set alias <string>
set security-mode {none | captive-portal | 802.1X}
set security-mac-auth-bypass {enable | disable}
set security-external-web <string>
set replacemsg-override-group <string>
set security-redirect-url <string>
set security-exempt-list <string>
config security-groups
edit <name_str>
set name <string>
end
set device-identification {enable | disable}
set device-user-identification {enable | disable}
set device-identification-active-scan {enable | disable}
set device-access-list <string>
set device-netscan {disable | enable}
set lldp-transmission {enable | disable | vdom}
set listen-forticlient-connection {enable | disable}
set broadcast-forticlient-discovery {enable | disable}
set endpoint-compliance {enable | disable}
set estimated-upstream-bandwidth <integer>
set estimated-downstream-bandwidth <integer>
set vrrp-virtual-mac {enable | disable}
config vrrp
edit <name_str>
set vrid <integer>
set vrgrp <integer>
set vrip <ipv4-address-any>
set priority <integer>
set adv-interval <integer>
set start-time <integer>
set preempt {enable | disable}
set vrdst <ipv4-address-any>
set status {enable | disable}
end
set role {lan | wan | dmz | undefined}
set snmp-index <integer>
set secondary-IP {enable | disable}
config secondaryip
edit <name_str>
set id <integer>
set ip <ipv4-classnet-host>
set allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | auto-ipsec | radius-acct | probe-response | capwap}
set gwdetect {enable | disable}
set ping-serv-status <integer>
set detectserver <user>
set detectprotocol {ping | tcp-echo | udp-echo}
set ha-priority <integer>
end
set auto-auth-extension-device {enable | disable}
set ap-discover {enable | disable}
config ipv6
edit <name_str>
set ip6-mode {static | dhcp | pppoe | delegated}
set ip6-dns-server-override {enable | disable}
set ip6-address <ipv6-prefix>
config ip6-extra-addr
edit <name_str>
set prefix <ipv6-prefix>
end
set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
set ip6-send-adv {enable | disable}
set ip6-manage-flag {enable | disable}
set ip6-other-flag {enable | disable}
set ip6-max-interval <integer>
set ip6-min-interval <integer>
set ip6-link-mtu <integer>
set ip6-reachable-time <integer>
set ip6-retrans-time <integer>
set ip6-default-life <integer>
set ip6-hop-limit <integer>
set autoconf {enable | disable}
set ip6-upstream-interface <string>
set ip6-subnet <ipv6-prefix>
config ip6-prefix-list
edit <name_str>
set prefix <ipv6-network>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set valid-life-time <integer>
set preferred-life-time <integer>
end
config ip6-delegated-prefix-list
edit <name_str>
set prefix-id <integer>
set upstream-interface <string>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set subnet <ipv6-network>
end
set dhcp6-relay-service {disable | enable}
set dhcp6-relay-type {regular}
set dhcp6-relay-ip <user>
set dhcp6-client-options {rapid | iapd | iana | dns | dnsname}
set dhcp6-prefix-delegation {enable | disable}
end
end

Description
Configuration    Description    Default Value

name    Name.    (Empty)
vdom    Virtual domain name.    (Empty)
cli-conn-status    CLI connection status.    0
mode    Addressing mode (static, DHCP, PPPoE).    static
distance    Distance of learned routes.    5
priority    Priority of learned routes.    0
dhcp-relay-service    Enable/disable the DHCP relay service.    disable
dhcp-relay-ip    DHCP relay IP address.    (Empty)
dhcp-relay-type    DHCP relay type.    regular
ip    IP address and netmask of the interface.    0.0.0.0 0.0.0.0
allowaccess    Types of management access permitted on the interface.    (Empty)
gwdetect    Enable/disable detection of whether the gateway is alive.    disable
ping-serv-status    PING server status.    0
detectserver    Gateway's ping server for this IP.    (Empty)
detectprotocol    Protocols used to detect the server.    ping
ha-priority    HA election priority for the PING server.    1
fail-detect    Enable/disable interface failure detection.    disable
fail-detect-option    Interface fail detect option.    link-down
fail-alert-method    Interface fail alert method.    link-down
fail-action-on-extender    Action on the extender when the interface fails.    soft-restart
fail-alert-interfaces    Physical interfaces that will be alerted.    (Empty)
dhcp-client-identifier    DHCP client identifier.    (Empty)
ipunnumbered    PPPoE unnumbered IP.    0.0.0.0
username    User name.    (Empty)
pppoe-unnumbered-negotiate    Enable/disable PPPoE unnumbered negotiation.    enable
password    Password.    (Empty)
idle-timeout    PPPoE auto-disconnect after idle timeout (sec).    0
detected-peer-mtu    MTU of detected peer (0 - 4294967295).    0
disc-retry-timeout    PPPoE discovery init timeout value (sec).    1
padt-retry-timeout    PPPoE terminate timeout value (sec).    1
service-name    PPPoE service name.    (Empty)
ac-name    PPPoE AC name.    (Empty)
lcp-echo-interval    PPPoE LCP echo interval (sec).    5
lcp-max-echo-fails    Maximum missed LCP echo messages before disconnect.    3
defaultgw    Enable/disable default gateway.    enable
dns-server-override    Enable/disable use of DNS servers acquired by DHCP or PPPoE.    enable
auth-type    PPP authentication type to use.    auto
pptp-client    Enable/disable PPTP client.    disable
pptp-user    PPTP user name.    (Empty)
pptp-password    PPTP password.    (Empty)
pptp-server-ip    PPTP server IP address.    0.0.0.0
pptp-auth-type    PPTP authentication type.    auto
pptp-timeout    Idle timer in minutes (0 for disabled).    0
arpforward    Enable/disable ARP forwarding.    enable
ndiscforward    Enable/disable NDISC forwarding.    enable
broadcast-forward    Enable/disable broadcast forwarding.    disable
bfd    Bidirectional Forwarding Detection (BFD).    global
bfd-desired-min-tx    BFD desired minimal transmit interval.    250
bfd-detect-mult    BFD detection multiplier.    3
bfd-required-min-rx    BFD required minimal receive interval.    250
l2forward    Enable/disable L2 forwarding.    disable
icmp-redirect    Enable/disable ICMP redirect.    enable
vlanforward    Enable/disable VLAN forwarding.    disable
stpforward    Enable/disable STP forwarding.    disable
stpforward-mode    STP forwarding mode.    rpl-all-ext-id
ips-sniffer-mode    Enable/disable IPS sniffer mode.    disable
ident-accept    Enable/disable accepting the ident protocol.    disable
ipmac    Enable/disable IP/MAC binding.    disable
subst    Enable/disable MAC substitution.    disable
macaddr    MAC address.    00:00:00:00:00:00
substitute-dst-mac    Substitute destination MAC address.    00:00:00:00:00:00
speed    Speed.    auto
status    Interface status.    up
netbios-forward    Enable/disable NetBIOS forwarding.    disable
wins-ip    WINS server IP.    0.0.0.0
type    Interface type.    vlan
dedicated-to    Configure the interface for a single purpose.    none
trust-ip-1    Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).    0.0.0.0 0.0.0.0
trust-ip-2    Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).    0.0.0.0 0.0.0.0
trust-ip-3    Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).    0.0.0.0 0.0.0.0
trust-ip6-1    Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).    ::/0
trust-ip6-2    Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).    ::/0
trust-ip6-3    Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).    ::/0
mtu-override    Enable/disable use of a custom MTU.    disable
mtu    Maximum transmission unit.    1500
wccp    Enable/disable WCCP protocol on this interface.    disable
nst    Enable/disable NST protocol on this interface.    disable
netflow-sampler    NetFlow measurement status.    disable
sflow-sampler    Enable/disable sFlow protocol.    disable
drop-overlapped-fragment    Enable/disable dropping of overlapped fragment packets.    disable
drop-fragment    Enable/disable dropping of fragment packets.    disable
scan-botnet-connections    Enable/disable scanning of connections to botnet servers.    disable
sample-rate    sFlow sampler sample rate.    2000
polling-interval    sFlow sampler counter polling interval.    20
sample-direction    sFlow sample direction.    both
explicit-web-proxy    Enable/disable explicit Web proxy.    disable
explicit-ftp-proxy    Enable/disable explicit FTP proxy.    disable
tcp-mss    Maximum TCP segment size to send.    0
mediatype    Select SFP media interface type.    serdes-sfp
fp-anomaly    Pass or drop different types of anomalies using Fastpath.    (Empty)
inbandwidth    Bandwidth limit for incoming traffic (0 - 16776000 kbps).    0
outbandwidth    Bandwidth limit for outgoing traffic (0 - 16776000 kbps).    0
spillover-threshold    Egress spillover threshold (0 - 16776000 kbps).    0
ingress-spillover-threshold    Ingress spillover threshold (0 - 16776000 kbps).    0
weight    Default weight for static routes (if the route has no weight configured).    0
interface    Interface name.    (Empty)
external    Enable/disable identifying the interface as connected to the external side.    disable
vlanid    VLAN ID.    0
forward-domain    TP mode forward domain.    0
remote-ip    Remote IP address of tunnel.    0.0.0.0
member    Physical interfaces that belong to the aggregate/redundant interface.    (Empty)
lacp-mode    LACP mode.    active
lacp-ha-slave    LACP HA slave.    enable
lacp-speed    LACP speed.    slow
min-links    Minimum number of aggregated ports that must be up.    1
min-links-down    Action to take when there are fewer than min-links active members.    operational
algorithm    Frame distribution algorithm.    L4
link-up-delay    Number of milliseconds to wait before considering a link up.    50
priority-override    Enable/disable failing back to the higher priority port once it has recovered.    enable
aggregate    Aggregate interface.    (Empty)
redundant-interface    Redundant interface.    (Empty)
fortilink    FortiLink interface.    (Empty)
managed-device    FortiLink interface managed device.    (Empty)
devindex    Device index.    0
vindex    Switch control interface VLAN ID.    0
switch    Contained in switch.    (Empty)
description    Description.    (Empty)
alias    Alias.    (Empty)
security-mode    Security mode.    none
security-mac-auth-bypass    Enable/disable MAC authentication bypass.    disable
security-external-web    URL of external authentication web server.    (Empty)
replacemsg-override-group    Replacement message override group.    (Empty)
security-redirect-url    URL redirection after disclaimer/authentication.    (Empty)
security-exempt-list    Name of security-exempt-list.    (Empty)
security-groups    Group name.    (Empty)
device-identification    Enable/disable passive gathering of identity information about source hosts on this interface.    disable
device-user-identification    Enable/disable passive gathering of user identity information about source hosts on this interface.    enable
device-identification-active-scan    Enable/disable active gathering of identity information about source hosts on this interface.    enable
device-access-list    Device access list.    (Empty)
device-netscan    Enable/disable inclusion of devices detected on this interface in network vulnerability scans.    disable
lldp-transmission    Enable/disable Link Layer Discovery Protocol (LLDP) transmission.    vdom
listen-forticlient-connection    Enable/disable listening for FortiClient connections.    disable
broadcast-forticlient-discovery    Enable/disable broadcasting of FortiClient discovery messages.    disable
endpoint-compliance    Enable/disable endpoint compliance enforcement.    disable
estimated-upstream-bandwidth    Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.    0
estimated-downstream-bandwidth    Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.    0
vrrp-virtual-mac    Enable/disable use of a virtual MAC for VRRP.    disable
vrrp    VRRP configuration.    (Empty)
role    Interface role.    undefined
snmp-index    Permanent SNMP index of the interface.    0
secondary-IP    Enable/disable secondary IP.    disable
secondaryip    Second IP address of the interface.    (Empty)
auto-auth-extension-device    Enable/disable automatic authorization of dedicated Fortinet extension devices on this interface.    disable
ap-discover    Enable/disable automatic registration of unknown FortiAP devices.    enable
ipv6    IPv6 settings of the interface.    Details below

Configuration    Default Value
ip6-mode    static
ip6-dns-server-override    enable
ip6-address    ::/0
ip6-extra-addr    (Empty)
ip6-allowaccess    (Empty)
ip6-send-adv    disable
ip6-manage-flag    disable
ip6-other-flag    disable
ip6-max-interval    600
ip6-min-interval    198
ip6-link-mtu    0
ip6-reachable-time    0
ip6-retrans-time    0
ip6-default-life    1800
ip6-hop-limit    0
autoconf    disable
ip6-upstream-interface    (Empty)
ip6-subnet    ::/0
ip6-prefix-list    (Empty)
ip6-delegated-prefix-list    (Empty)
dhcp6-relay-service    disable
dhcp6-relay-type    regular
dhcp6-relay-ip    (Empty)
dhcp6-client-options    dns
dhcp6-prefix-delegation    disable
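Several defaults in the system global, system ha and system interface tables above deserve an explicit check before a unit goes into production: HA encryption and authentication are both disable, so heartbeat and configuration-sync traffic on the hbdev link is sent in plaintext and unauthenticated; allowaccess may include http and telnet; and a dedicated management interface whose trust-ip entries are all 0.0.0.0 accepts management connections from any host. The following Python is an added example, not Fortinet code and not any tool this reference describes, that parses a `show full-configuration`-style dump offline and reports those conditions, using the 5.4 defaults documented above for any key absent from the dump. The sample configuration is constructed, and the finding wording (including the private-data-encryption message) is this example's own.

```python
"""Audit a FortiOS 5.4 `show full-configuration` dump for risky settings.
Added example. The sample below is constructed and is not from any real device."""
import shlex
from typing import Any, Dict, List

SAMPLE_CONFIG = """\
config system global
    set admin-scp enable
    set private-data-encryption disable
end
config system ha
    set group-name "edge-cluster"
    set mode a-p
    set password ENC "c2VjcmV0"
    set hbdev "port3" 50
    set encryption disable
    set authentication disable
    set session-pickup enable
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http telnet
        set role wan
    next
    edit "mgmt"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set dedicated-to management
        set trust-ip-1 0.0.0.0 0.0.0.0
        set trust-ip-2 0.0.0.0 0.0.0.0
        set trust-ip-3 0.0.0.0 0.0.0.0
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Turn config/edit/set/next/end lines into nested dicts.

    `config a b` becomes key "a b"; `edit "x"` becomes key "x" inside it;
    `set k v1 v2` stores ["v1", "v2"]. `next` closes an edit entry and `end`
    closes the enclosing config block (plus any edit entry still open), so both
    the `show` output form and the reference's edit/end form parse.
    """
    root: Dict[str, Any] = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and #config-version headers
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd == "config":
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", node))
        elif cmd == "edit":
            node = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", node))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next":
            stack.pop()
        elif cmd == "end":
            while stack.pop()[0] != "config":
                pass
    return root


def _first(node: Dict[str, Any], key: str, default: str) -> str:
    """First value of a set line, or the documented default when absent."""
    vals = node.get(key)
    return vals[0] if vals else default


CLEARTEXT_ADMIN = {"http", "telnet"}
ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp"}


def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per risky setting; defaults follow the 5.4 tables."""
    findings: List[str] = []

    glb = cfg.get("system global", {})
    if _first(glb, "private-data-encryption", "disable") != "enable":
        findings.append("system global: private-data-encryption is disabled, so secrets in "
                        "configuration backups are not protected by a device-specific key")

    ha = cfg.get("system ha", {})
    if _first(ha, "mode", "standalone") != "standalone":  # checks only matter in a cluster
        if _first(ha, "encryption", "disable") != "enable":
            findings.append("system ha: heartbeat and sync traffic is sent unencrypted")
        if _first(ha, "authentication", "disable") != "enable":
            findings.append("system ha: HA messages are not authenticated")
        if not ha.get("password"):
            findings.append("system ha: cluster has no password")

    for name, intf in cfg.get("system interface", {}).items():
        access = set(intf.get("allowaccess", []))
        clear = sorted(access & CLEARTEXT_ADMIN)
        if clear:
            findings.append(f"system interface {name}: cleartext admin access {clear}")
        if _first(intf, "role", "undefined") == "wan" and access & ADMIN_PROTOCOLS:
            findings.append(f"system interface {name}: admin access "
                            f"{sorted(access & ADMIN_PROTOCOLS)} exposed on a WAN-role interface")
        if _first(intf, "dedicated-to", "none") == "management":
            trusted = [_first(intf, k, "0.0.0.0") for k in ("trust-ip-1", "trust-ip-2", "trust-ip-3")]
            if all(t == "0.0.0.0" for t in trusted):
                findings.append(f"system interface {name}: dedicated management interface has "
                                "no trust-ip restriction (0.0.0.0 = all hosts)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Point the parser at a saved backup (`execute backup config` output) rather than at the live CLI; the same dict structure also serves as a diff baseline between the master and a slave when sync-config is suspected of having drifted.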

system/ipip-tunnel
CLI Syntax
config system ipip-tunnel
edit <name_str>
set name <string>
set interface <string>
set remote-gw <ipv4-address>
set local-gw <ipv4-address-any>
set auto-asic-offload {enable | disable}
end

Description
Configuration    Description    Default Value

name    IPIP tunnel name.    (Empty)
interface    Interface name.    (Empty)
remote-gw    IP address of the remote gateway.    0.0.0.0
local-gw    IP address of the local gateway.    0.0.0.0
auto-asic-offload    Enable/disable tunnel ASIC offloading.    enable

system/ips-urlfilter-dns
CLI Syntax
config system ips-urlfilter-dns
edit <name_str>
set address <ipv4-address>
set status {enable | disable}
end

Description
Configuration    Description    Default Value

address    DNS server IP address.    0.0.0.0
status    Enable/disable this server for queries.    enable

system/ipv6-neighbor-cache
CLI Syntax
config system ipv6-neighbor-cache
edit <name_str>
set id <integer>
set interface <string>
set ipv6 <ipv6-address>
set mac <mac-address>
end

Description
Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface name. (Empty)

ipv6 IPv6 address. ::

mac MAC address. 00:00:00:00:00:00

system/ipv6-tunnel
CLI Syntax
config system ipv6-tunnel
edit <name_str>
set name <string>
set source <ipv6-address>
set destination <ipv6-address>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description
Configuration Description Default Value

name Tunnel name. (Empty)

source Local IPv6 address of tunnel. ::

destination Remote IPv6 address of tunnel. ::

interface Interface name. (Empty)

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/link-monitor
CLI Syntax
config system link-monitor
edit <name_str>
set name <string>
set srcintf <string>
config server
edit <name_str>
set address <string>
end
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set gateway-ip <ipv4-address-any>
set source-ip <ipv4-address-any>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set ha-priority <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set status {enable | disable}
end

Description
Configuration Description Default Value

name Link monitor name. (Empty)

srcintf Interface where the monitor traffic is sent. (Empty)

server Server address(es). (Empty)

protocol Protocols used to detect the server. ping

port Port number to poll. 80

gateway-ip Gateway IP used to PING the server. 0.0.0.0

source-ip Source IP used in packet to the server. 0.0.0.0

http-get HTTP GET URL string. /

http-match Response value from detected server in http-get. (Empty)

interval Detection interval. 5

timeout Detect request timeout. 1

failtime Number of retry attempts before bringing server down. 5

recoverytime Number of retry attempts before bringing server up. 5

security-mode TWAMP controller security mode. none

password TWAMP controller password in authentication mode. (Empty)

packet-size Packet size of a TWAMP test session. 64

ha-priority HA election priority (1 - 50). 1

update-cascade-interface Enable/disable update cascade interface. enable

update-static-route Enable/disable update static route. enable

status Enable/disable Link monitor administrative status. enable

system/mac-address-table
CLI Syntax
config system mac-address-table
edit <name_str>
set mac <mac-address>
set interface <string>
set reply-substitute <mac-address>
end

Description
Configuration Description Default Value

mac MAC address. 00:00:00:00:00:00

interface Interface name. (Empty)

reply-substitute New MAC for reply traffic. 00:00:00:00:00:00

system/management-tunnel
CLI Syntax
config system management-tunnel
edit <name_str>
set status {enable | disable}
set allow-config-restore {enable | disable}
set allow-push-configuration {enable | disable}
set allow-push-firmware {enable | disable}
set allow-collect-statistics {enable | disable}
set authorized-manager-only {enable | disable}
set serial-number <user>
end

Description
Configuration Description Default Value

status Enable/disable FGFM tunnel. enable

allow-config-restore Enable/disable allow config restore. enable

allow-push-configuration Enable/disable push configuration. enable

allow-push-firmware Enable/disable push firmware. enable

allow-collect-statistics Enable/disable collection of run time statistics. enable

authorized-manager-only Enable/disable restriction to authorized managers only. enable

serial-number Serial number. (Empty)

system/mobile-tunnel
CLI Syntax
config system mobile-tunnel
edit <name_str>
set name <string>
set status {disable | enable}
set roaming-interface <string>
set home-agent <ipv4-address>
set home-address <ipv4-address>
set renew-interval <integer>
set lifetime <integer>
set reg-interval <integer>
set reg-retry <integer>
set n-mhae-spi <integer>
set n-mhae-key-type {ascii | base64}
set n-mhae-key <user>
set hash-algorithm {hmac-md5}
set tunnel-mode {gre}
config network
edit <name_str>
set id <integer>
set interface <string>
set prefix <ipv4-classnet>
end
end

Description
Configuration Description Default Value

name Tunnel name. (Empty)

status Enable/disable this mobile tunnel. enable

roaming-interface Roaming interface name. (Empty)

home-agent IP address of the NEMO HA. 0.0.0.0

home-address Home IP address. 0.0.0.0

renew-interval Time before lifetime expiration to send NEMO HA re-registration. 60

lifetime NEMO HA registration request lifetime. 65535

reg-interval NEMO HA registration interval. 5

reg-retry NEMO HA registration maximal retries. 3

n-mhae-spi NEMO authentication SPI. 256

n-mhae-key-type NEMO authentication key type. ascii

n-mhae-key NEMO authentication key. 'ENC AQAAAMfMADGjaE1uXnMNcglZAOU1olJLaQTpy1cUY+iM/eyN61pZcd9q4u4lzUZ7Ar7ptVwgtfiB3PJBXT+jqecFU7Fl7T9EREz21rRkr3XeQA6OfVhpJuk3/ZQ='

hash-algorithm Hash algorithm. hmac-md5

tunnel-mode NEMO tunnel mode. gre

network NEMO network configuration. (Empty)

system/nat64
CLI Syntax
config system nat64
edit <name_str>
set status {enable | disable}
set nat64-prefix <ipv6-prefix>
set always-synthesize-aaaa-record {enable | disable}
set generate-ipv6-fragment-header {enable | disable}
end

Description
Configuration Description Default Value

status Enable/disable NAT64. disable

nat64-prefix NAT64 prefix (must be a /96 prefix). 64:ff9b::/96

always-synthesize-aaaa-record Enable/disable AAAA record synthesis. enable

generate-ipv6-fragment-header Enable/disable IPv6 fragment header generation. disable

system/netflow
CLI Syntax
config system netflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
set active-flow-timeout <integer>
set inactive-flow-timeout <integer>
set template-tx-timeout <integer>
set template-tx-counter <integer>
end

Description
Configuration Description Default Value

collector-ip Collector IP. 0.0.0.0

collector-port NetFlow collector port. 2055

source-ip Source IP for NetFlow agent. 0.0.0.0

active-flow-timeout Timeout to report active flows (min). 30

inactive-flow-timeout Timeout for periodic report of finished flows (sec). 15

template-tx-timeout Timeout for periodic template flowset transmission (min). 30

template-tx-counter Counter of flowset records before resending a template flowset record. 20

system/network-visibility
CLI Syntax
config system network-visibility
edit <name_str>
set destination-visibility {disable | enable}
set source-location {disable | enable}
set destination-hostname-visibility {disable | enable}
set hostname-ttl <integer>
set hostname-limit <integer>
set destination-location {disable | enable}
end

Description
Configuration Description Default Value

destination-visibility Enable/disable logging of destination visibility. enable

source-location Enable/disable logging of source geographical location visibility. enable

destination-hostname-visibility Enable/disable logging of destination hostname visibility. enable

hostname-ttl TTL of hostname table entries. 86400

hostname-limit Limit of hostname table entries. 5000

destination-location Enable/disable logging of destination geographical location visibility. enable

system/ntp
CLI Syntax
config system ntp
edit <name_str>
set ntpsync {enable | disable}
set type {fortiguard | custom}
set syncinterval <integer>
config ntpserver
edit <name_str>
set id <integer>
set server <string>
set ntpv3 {enable | disable}
set authentication {enable | disable}
set key <password>
set key-id <integer>
end
set source-ip <ipv4-address>
set server-mode {enable | disable}
config interface
edit <name_str>
set interface-name <string>
end
end

Description
Configuration Description Default Value

ntpsync Enable/disable synchronization with NTP Server. disable

type FortiGuard or custom NTP Server. fortiguard

syncinterval NTP synchronization interval. 1

ntpserver NTP Server. (Empty)

source-ip Source IP for communications to NTP server. 0.0.0.0

server-mode Enable/disable NTP Server Mode. disable

interface List of interfaces with NTP server mode enabled. (Empty)

system/object-tag
CLI Syntax
config system object-tag
edit <name_str>
set name <string>
end

Description
Configuration Description Default Value

name Tag name. (Empty)

system/password-policy
CLI Syntax
config system password-policy
edit <name_str>
set status {enable | disable}
set apply-to {admin-password | ipsec-preshared-key}
set minimum-length <integer>
set min-lower-case-letter <integer>
set min-upper-case-letter <integer>
set min-non-alphanumeric <integer>
set min-number <integer>
set change-4-characters {enable | disable}
set expire-status {enable | disable}
set expire-day <integer>
set reuse-password {enable | disable}
end

Description
Configuration Description Default Value

status Enable/disable password policy. disable

apply-to Apply password policy to. admin-password

minimum-length Minimum password length. 8

min-lower-case-letter Minimum number of lowercase characters in password. 0

min-upper-case-letter Minimum number of uppercase characters in password. 0

min-non-alphanumeric Minimum number of non-alphanumeric characters in password. 0

min-number Minimum number of numeric characters in password. 0

change-4-characters Enable/disable changing at least 4 characters for new password. disable

expire-status Enable/disable password expiration. disable

expire-day Number of days after which admin users' password will expire. 90

reuse-password Enable/disable reuse of password. enable

system/probe-response
CLI Syntax
config system probe-response
edit <name_str>
set port <integer>
set http-probe-value <string>
set ttl-mode {reinit | decrease | retain}
set mode {none | http-probe | twamp}
set security-mode {none | authentication}
set password <password>
set timeout <integer>
end

Description
Configuration Description Default Value

port Port number to respond on. 8008

http-probe-value Value to respond to the monitoring server. OK

ttl-mode Mode for TWAMP packet TTL modification. retain

mode SLA response mode. none

security-mode TWAMP responder security mode. none

password TWAMP responder password in authentication mode. (Empty)

timeout Inactivity timer for a TWAMP test session. 300

system/proxy-arp
CLI Syntax
config system proxy-arp
edit <name_str>
set id <integer>
set interface <string>
set ip <ipv4-address>
set end-ip <ipv4-address>
end

Description
Configuration Description Default Value

id Unique integer ID of the entry. 0

interface Interface acting as proxy-ARP. (Empty)

ip IP address or start IP to be proxied. 0.0.0.0

end-ip End IP of IP range to be proxied. 0.0.0.0

system/replacemsg-group
CLI Syntax
config system replacemsg-group
edit <name_str>
set name <string>
set comment <var-string>
set group-type {default | utm | auth | ec}
config mail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config http
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config webproxy
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ftp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nntp
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config fortiguard-wf
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config spam
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config alertmail
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config admin
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config auth
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config sslvpn
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config ec
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config device-detection-portal
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config nac-quar
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config traffic-quota
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config utm
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
config custom-message
edit <name_str>
set msg-type <string>
set buffer <var-string>
set header {none | http | 8bit}
set format {none | text | html | wml}
end
end

Description
Configuration Description Default Value

name Group name. (Empty)

comment Comment. (Empty)

group-type Group type. default

mail Replacement message table entries. (Empty)

http Replacement message table entries. (Empty)

webproxy Replacement message table entries. (Empty)

ftp Replacement message table entries. (Empty)

nntp Replacement message table entries. (Empty)

fortiguard-wf Replacement message table entries. (Empty)

spam Replacement message table entries. (Empty)

alertmail Replacement message table entries. (Empty)

admin Replacement message table entries. (Empty)

auth Replacement message table entries. (Empty)

sslvpn Replacement message table entries. (Empty)

ec Replacement message table entries. (Empty)

device-detection-portal Replacement message table entries. (Empty)

nac-quar Replacement message table entries. (Empty)

traffic-quota Replacement message table entries. (Empty)

utm Replacement message table entries. (Empty)

custom-message Replacement message table entries. (Empty)

system/replacemsg-image
CLI Syntax
config system replacemsg-image
edit <name_str>
set name <string>
set image-type {gif | jpg | tiff | png}
set image-base64 <var-string>
end

Description
Configuration Description Default Value

name Image name. (Empty)

image-type Image type. (Empty)

image-base64 Image data. (null)

system/resource-limits
CLI Syntax
config system resource-limits
edit <name_str>
set session <integer>
set ipsec-phase1 <integer>
set ipsec-phase2 <integer>
set dialup-tunnel <integer>
set firewall-policy <integer>
set firewall-address <integer>
set firewall-addrgrp <integer>
set custom-service <integer>
set service-group <integer>
set onetime-schedule <integer>
set recurring-schedule <integer>
set user <integer>
set user-group <integer>
set sslvpn <integer>
set proxy <integer>
set log-disk-quota <integer>
end

Description
Configuration Description Default Value

session Maximum number of sessions. 0

ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. 0

ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. 0

dialup-tunnel Maximum number of dial-up tunnels. 0

firewall-policy Maximum number of firewall policies. 0

firewall-address Maximum number of firewall addresses. 0

firewall-addrgrp Maximum number of firewall address groups. 0

custom-service Maximum number of firewall custom services. 0

service-group Maximum number of firewall service groups. 0

onetime-schedule Maximum number of firewall one-time schedules. 0

recurring-schedule Maximum number of firewall recurring schedules. 0

user Maximum number of local users. 0

user-group Maximum number of user groups. 0

sslvpn Maximum number of SSL-VPN. 0

proxy Maximum number of concurrent explicit proxy users. 0

log-disk-quota Log disk quota in MB. 0

system/session-helper
CLI Syntax
config system session-helper
edit <name_str>
set id <integer>
set name {ftp | tftp | ras | h323 | h245O | h245I | tns | mms | sip | pptp | rtsp | dns-udp | dns-tcp | pmap | rsh | dcerpc | mgcp | gtp-c | gtp-u | gtp-b}
set protocol <integer>
set port <integer>
end

Description
Configuration Description Default Value

id Session helper ID. 0

name Helper name. (Empty)

protocol Protocol number. 0

port Protocol port. 0

system/session-ttl
CLI Syntax
config system session-ttl
edit <name_str>
set default <user>
config port
edit <name_str>
set id <integer>
set protocol <integer>
set start-port <integer>
set end-port <integer>
set timeout <user>
end
end

Description
Configuration Description Default Value

default Default timeout. 3600

port Session TTL port. (Empty)

system/settings
CLI Syntax
config system settings
edit <name_str>
set comments <var-string>
set opmode {nat | transparent}
set inspection-mode {proxy | flow}
set http-external-dest {fortiweb | forticache}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set manageip <user>
set gateway <ipv4-address>
set ip <ipv4-classnet-host>
set manageip6 <ipv6-prefix>
set gateway6 <ipv6-address>
set ip6 <ipv6-prefix>
set device <string>
set bfd {enable | disable}
set bfd-desired-min-tx <integer>
set bfd-required-min-rx <integer>
set bfd-detect-mult <integer>
set bfd-dont-enforce-src-port {enable | disable}
set utf8-spam-tagging {enable | disable}
set wccp-cache-engine {enable | disable}
set vpn-stats-log {ipsec | pptp | l2tp | ssl}
set vpn-stats-period <integer>
set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}
set mac-ttl <integer>
set fw-session-hairpin {enable | disable}
set snat-hairpin-traffic {enable | disable}
set dhcp-proxy {enable | disable}
set dhcp-server-ip <user>
set dhcp6-server-ip <user>
set central-nat {enable | disable}
config gui-default-policy-columns
edit <name_str>
set name <string>
end
set lldp-transmission {enable | disable | global}
set asymroute {enable | disable}
set asymroute-icmp {enable | disable}
set tcp-session-without-syn {enable | disable}
set ses-denied-traffic {enable | disable}
set strict-src-check {enable | disable}
set asymroute6 {enable | disable}
set asymroute6-icmp {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set status {enable | disable}
set sip-tcp-port <integer>
set sip-udp-port <integer>
set sip-ssl-port <integer>
set sccp-port <integer>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set multicast-skip-policy {enable | disable}
set allow-subnet-overlap {enable | disable}
set deny-tcp-with-icmp {enable | disable}
set ecmp-max-paths <integer>
set discovered-device-timeout <integer>
set email-portal-check-dns {disable | enable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set gui-icap {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-implicit-policy {enable | disable}
set gui-dns-database {enable | disable}
set gui-load-balance {enable | disable}
set gui-multicast-policy {enable | disable}
set gui-dos-policy {enable | disable}
set gui-object-colors {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-voip-profile {enable | disable}
set gui-ap-profile {enable | disable}
set gui-dynamic-profile-display {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-local-in-policy {enable | disable}
set gui-local-reports {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-dynamic-routing {enable | disable}
set gui-dlp {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-threat-weight {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-spamfilter {enable | disable}
set gui-application-control {enable | disable}
set gui-casi {enable | disable}
set gui-ips {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-dhcp-advanced {enable | disable}
set gui-vpn {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-switch-controller {enable | disable}
set gui-fortiap-split-tunneling {enable | disable}
set gui-webfilter-advanced {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-wan-load-balancing {enable | disable}
set gui-antivirus {enable | disable}
set gui-webfilter {enable | disable}
set gui-dnsfilter {enable | disable}
set gui-waf-profile {enable | disable}
set gui-fortiextender-controller {enable | disable}
set gui-advanced-policy {enable | disable}
set gui-allow-unnamed-policy {enable | disable}
set gui-email-collection {enable | disable}
set gui-domain-ip-reputation {enable | disable}
set compliance-check {enable | disable}
set ike-session-resume {enable | disable}
set ike-quick-crash-detect {enable | disable}
end

Description
Configuration Description Default Value

comments VDOM comments. (Empty)

opmode Firewall operation mode. nat

inspection-mode Inspection mode. proxy

http-external-dest HTTP service external inspection destination. fortiweb

firewall-session-dirty Packet session management. check-all

manageip IP address and netmask. (Empty)

gateway Default gateway IP address. 0.0.0.0

ip IP address and netmask. 0.0.0.0 0.0.0.0

manageip6 Management IPv6 address prefix for transparent mode. ::/0

gateway6 Default gateway IPv6 address. ::

ip6 IPv6 address prefix for NAT mode. ::/0

device Interface. (Empty)

bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. disable

bfd-desired-min-tx BFD desired minimal transmit interval. 250

bfd-required-min-rx BFD required minimal receive interval. 250

bfd-detect-mult BFD detection multiplier. 3

bfd-dont-enforce-src-port Enable/disable verify source port of BFD packets. disable

utf8-spam-tagging Convert spam tags to UTF-8 for better non-ASCII character support. enable

wccp-cache-engine Enable/disable WCCP cache engine. disable

vpn-stats-log Enable/disable periodic VPN log statistics. ipsec pptp l2tp ssl

vpn-stats-period Period to send VPN log statistics (sec). 600

v4-ecmp-mode IPv4 ECMP mode. source-ip-based

mac-ttl Bridge MAC address expiration time (sec). 300

fw-session-hairpin Check every cross. disable

snat-hairpin-traffic Enable/disable SNAT hairpin traffic. enable

dhcp-proxy Enable/disable DHCP Proxy. disable

dhcp-server-ip DHCP Server IP address. (Empty)

dhcp6-server-ip DHCPv6 server IP address. (Empty)

central-nat Enable/disable central NAT. disable

gui-default-policy-columns Default columns to display for firewall policy list on GUI. (Empty)

lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission. global

asymroute Enable/disable asymmetric route. disable

asymroute-icmp Enable/disable asymmetric ICMP route. disable

tcp-session-without-syn Enable/disable creation of TCP session without SYN flag. disable

ses-denied-traffic Enable/disable insertion of denied traffic into session table. disable

strict-src-check Enable/disable strict source verification. disable

asymroute6 Enable/disable asymmetric IPv6 route. disable

asymroute6-icmp Enable/disable asymmetric ICMPv6 route. disable

sip-helper Enable/disable helper to add dynamic SIP firewall allow rule. enable

sip-nat-trace Enable/disable adding original IP if NATed. enable

status Enable/disable this VDOM. enable

sip-tcp-port TCP port the SIP proxy will monitor for SIP traffic. 5060

sip-udp-port UDP port the SIP proxy will monitor for SIP traffic. 5060

sip-ssl-port TCP SSL port the SIP proxy will monitor for SIP traffic. 5061

sccp-port TCP port the SCCP proxy will monitor for SCCP traffic. 2000

multicast-forward Enable/disable multicast forwarding. enable

multicast-ttl-notchange Enable/disable modification of multicast TTL. disable

multicast-skip-policy Enable/disable skip policy check and allow multicast through. disable

allow-subnet-overlap Enable/disable allow one interface subnet overlap with other interfaces. disable

deny-tcp-with-icmp Enable/disable deny TCP with ICMP. disable

ecmp-max-paths Maximum number of ECMP next-hops. 10

discovered-device-timeout Discard discovered devices after N days of inactivity. 28

email-portal-check-dns Enable/disable DNS to validate domain names used in the email address collection captive portal. enable

default-voip-alg-mode Default ALG mode for VoIP traffic (when no VoIP profile on firewall policy). proxy-based

gui-icap Enable/disable ICAP settings in GUI. disable

gui-nat46-64 Enable/disable NAT46 and NAT64 settings in GUI. disable

gui-implicit-policy Enable/disable implicit firewall policies in GUI. enable

gui-dns-database Enable/disable DNS database in GUI. disable

gui-load-balance Enable/disable load balance in GUI. disable

gui-multicast-policy Enable/disable multicast firewall policies in GUI. disable

gui-dos-policy Enable/disable DoS policy display in GUI. enable

gui-object-colors Enable/disable object colors in GUI. enable

gui-replacement-message-groups Enable/disable replacement message groups in GUI. disable

gui-voip-profile Enable/disable VoIP profiles in GUI. disable

gui-ap-profile Enable/disable AP profiles in GUI. enable

gui-dynamic-profile-display Enable/disable dynamic profiles in GUI. disable

gui-ipsec-manual-key Enable/disable IPsec manual key configuration in GUI. disable

gui-local-in-policy Enable/disable Local-In policies in GUI. disable

gui-local-reports Enable/disable local reports in the GUI. disable

gui-wanopt-cache Enable/disable WAN Opt & Cache configuration in GUI. disable

gui-explicit-proxy Enable/disable explicit proxy configuration in GUI. disable

gui-dynamic-routing Enable/disable dynamic routing menus in GUI. enable

gui-dlp Enable/disable DLP settings in GUI. disable

gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management in GUI. disable

gui-sslvpn-realms Enable/disable SSL-VPN custom login pages in GUI. disable

gui-policy-based-ipsec Enable/disable policy-based IPsec VPN. disable

gui-threat-weight Enable/disable threat weight feature in GUI. enable

gui-multiple-utm-profiles Enable/disable multiple UTM profiles in GUI. enable

gui-spamfilter Enable/disable spamfilter profiles in GUI. disable

gui-application-control Enable/disable application control profiles in GUI. enable

gui-casi Enable/disable CASI profiles in GUI. enable

gui-ips Enable/disable IPS sensors in GUI. enable

gui-endpoint-control Enable/disable endpoint control in GUI. enable

gui-dhcp-advanced Enable/disable advanced DHCP configuration in GUI. enable

gui-vpn Enable/disable VPN tunnels in GUI. enable

gui-wireless-controller Enable/disable wireless controller in GUI. enable

gui-switch-controller Enable/disable switch controller in GUI. enable

gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling in GUI. disable

gui-webfilter-advanced Enable/disable advanced web filter configuration in GUI. disable

gui-traffic-shaping Enable/disable traffic shaping in GUI. enable

gui-wan-load-balancing Enable/disable WAN link load balancing in GUI. enable

gui-antivirus Enable/disable AntiVirus profile display in GUI. enable

gui-webfilter Enable/disable WebFilter profile display in GUI. enable

gui-dnsfilter Enable/disable DNS Filter profile display in GUI. enable

gui-waf-profile Enable/disable Web Application Firewall profile display in GUI. disable

gui-fortiextender-controller Enable/disable FortiExtender controller in GUI. disable

gui-advanced-policy Enable/disable advanced policy configuration in GUI. disable

gui-allow-unnamed-policy Enable/disable relaxation of requirement for policy to have a name when created in GUI. disable

gui-email-collection Enable/disable email collection feature. disable

gui-domain-ip-reputation Enable/disable Domain and IP Reputation feature. disable

compliance-check Enable/disable PCI DSS compliance check. disable

ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723). disable

ike-quick-crash-detect Enable/disable IKEv2 quick crash detection (RFC 6290). disable

system/sflow
CLI Syntax
config system sflow
edit <name_str>
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

collector-ip Collector IP. 0.0.0.0

collector-port sFlow collector port. 6343

source-ip Source IP for sFlow agent. 0.0.0.0

system/sit-tunnel
CLI Syntax
config system sit-tunnel
edit <name_str>
set name <string>
set source <ipv4-address>
set destination <ipv4-address>
set ip6 <ipv6-prefix>
set interface <string>
set auto-asic-offload {enable | disable}
end

Description
Configuration Description Default Value

name Tunnel name. (Empty)

source Source IP address of tunnel. 0.0.0.0

destination Destination IP address of tunnel. 0.0.0.0

ip6 IPv6 address of tunnel. ::/0

interface Interface name. (Empty)

auto-asic-offload Enable/disable tunnel ASIC offloading. enable

system/sms-server
CLI Syntax
config system sms-server
edit <name_str>
set name <string>
set mail-server <string>
end

Description
Configuration Description Default Value

name Name of SMS server. (Empty)

mail-server Email-to-SMS server domain name. (Empty)

system/storage
CLI Syntax
config system storage
edit <name_str>
set name <string>
set partition <string>
set media-type <string>
set device <string>
set size <integer>
end

Description
Configuration Description Default Value

name Storage name. default_n

partition Label of underlying partition. <unknown>

media-type Media of underlying disk. ?

device Partition device. ?

size Partition size. 0

system/switch-interface
CLI Syntax
config system switch-interface
edit <name_str>
set name <string>
set vdom <string>
set span-dest-port <string>
config span-source-port
edit <name_str>
set interface-name <string>
end
config member
edit <name_str>
set interface-name <string>
end
set type {switch | hub}
set intra-switch-policy {implicit | explicit}
set span {disable | enable}
set span-direction {rx | tx | both}
end

Description
Configuration Description Default Value

name Interface name. (Empty)

vdom VDOM. (Empty)

span-dest-port SPAN destination port. (Empty)

span-source-port SPAN source ports. (Empty)

member Interfaces that compose the virtual switch. (Empty)

type Type. switch

intra-switch-policy Whether traffic between members of the switch interface is switched implicitly or must be allowed by an explicit firewall policy. implicit

span Enable/disable SPAN port. disable

span-direction SPAN direction. both

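Worked example, added here and not taken from the FortiOS reference or from Fortinet: a software switch whose members can only reach each other through explicit firewall policies, with both member ports mirrored to a sensor port. The interface names port3, port4 and port5, the VDOM name root and the switch name lan-sw are assumptions.

```fortios
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        # explicit: frames between port3 and port4 must match a firewall policy,
        # so they are logged and inspected. The default, implicit, switches
        # them with no policy at all.
        set intra-switch-policy explicit
        config member
            edit "port3"
            next
            edit "port4"
            next
        end
        # copy both directions of traffic seen on the members to port5,
        # where the IDS or packet capture host is attached
        set span enable
        set span-direction both
        config span-source-port
            edit "port3"
            next
            edit "port4"
            next
        end
        set span-dest-port "port5"
    next
end
```

An interface can only be added to a software switch while nothing else references it (no IP address, no policy, no DHCP server), and the SPAN destination must not itself be a member. The destination receives a copy of every frame the source ports carry, so it should connect only to the sensor. Confirm the result with show system switch-interface.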
system/tos-based-priority
CLI Syntax
config system tos-based-priority
edit <name_str>
set id <integer>
set tos <integer>
set priority {low | medium | high}
end

Description
Configuration Description Default Value

id Item ID. 0

tos IP ToS value (0 - 15). 0

priority ToS based priority level. high

system/vdom
CLI Syntax
config system vdom
edit <name_str>
set name <string>
set vcluster-id <integer>
set temporary <integer>
end

Description
Configuration Description Default Value

name VDOM name. (Empty)

vcluster-id Virtual cluster ID (0 - 4294967295). 0

temporary Temporary. 0

system/vdom-dns
CLI Syntax
config system vdom-dns
edit <name_str>
set vdom-dns {enable | disable}
set primary <ipv4-address>
set secondary <ipv4-address>
set ip6-primary <ipv6-address>
set ip6-secondary <ipv6-address>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

vdom-dns Enable/disable DNS per VDOM. disable

primary VDOM primary DNS IP. 0.0.0.0

secondary VDOM secondary DNS IP. 0.0.0.0

ip6-primary VDOM IPv6 primary DNS IP. ::

ip6-secondary VDOM IPv6 Secondary DNS IP. ::

source-ip Source IP for communications to DNS server. 0.0.0.0

system/vdom-link
CLI Syntax
config system vdom-link
edit <name_str>
set name <string>
set vcluster {vcluster1 | vcluster2}
set type {ppp | ethernet}
end

Description
Configuration Description Default Value

name VDOM link name. (Empty)

vcluster Virtual cluster. vcluster1

type Link type. ppp

system/vdom-netflow
CLI Syntax
config system vdom-netflow
edit <name_str>
set vdom-netflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

vdom-netflow Enable/disable NetFlow per VDOM. disable

collector-ip Collector IP. 0.0.0.0

collector-port NetFlow collector port. 2055

source-ip Source IP for NetFlow agent. 0.0.0.0

system/vdom-property
CLI Syntax
config system vdom-property
edit <name_str>
set name <string>
set description <string>
set snmp-index <integer>
set session <user>
set ipsec-phase1 <user>
set ipsec-phase2 <user>
set dialup-tunnel <user>
set firewall-policy <user>
set firewall-address <user>
set firewall-addrgrp <user>
set custom-service <user>
set service-group <user>
set onetime-schedule <user>
set recurring-schedule <user>
set user <user>
set user-group <user>
set sslvpn <user>
set proxy <user>
set log-disk-quota <user>
end

Description
Each resource setting takes two integers, the maximum and the guaranteed number, for example set session <max> <guaranteed>. A maximum of 0 means no limit and a guaranteed value of 0 reserves nothing for the VDOM.

Configuration Description Default Value

name VDOM name. (Empty)

description Description. (Empty)

snmp-index Permanent SNMP index of the virtual domain. 0

session Maximum number (guaranteed number) of sessions. 0 0

ipsec-phase1 Maximum number (guaranteed number) of VPN IPsec phase1 tunnels. 0 0

ipsec-phase2 Maximum number (guaranteed number) of VPN IPsec phase2 tunnels. 0 0

dialup-tunnel Maximum number (guaranteed number) of dial-up tunnels. 0 0

firewall-policy Maximum number (guaranteed number) of firewall policies. 0 0

firewall-address Maximum number (guaranteed number) of firewall addresses. 0 0

firewall-addrgrp Maximum number (guaranteed number) of firewall address groups. 0 0

custom-service Maximum number (guaranteed number) of firewall custom services. 0 0

service-group Maximum number (guaranteed number) of firewall service groups. 0 0

onetime-schedule Maximum number (guaranteed number) of firewall one-time schedules. 0 0

recurring-schedule Maximum number (guaranteed number) of firewall recurring schedules. 0 0

user Maximum number (guaranteed number) of local users. 0 0

user-group Maximum number (guaranteed number) of user groups. 0 0

sslvpn Maximum number (guaranteed number) of SSL-VPN. 0 0

proxy Maximum number (guaranteed number) of concurrent proxy users. 0 0

log-disk-quota Log disk quota in MB. 0 0

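Worked example, added here and not taken from the FortiOS reference or from Fortinet: resource limits for one tenant VDOM on a shared FortiGate, so that a misconfigured or compromised tenant cannot exhaust the session table, the tunnel capacity or the log disk for the other VDOMs. The VDOM name tenant-a must already exist under config system vdom; the numbers are illustrative assumptions, not sizing advice.

```fortios
config system vdom-property
    edit "tenant-a"
        set description "Tenant A, shared unit"
        set snmp-index 5
        # <max> <guaranteed>: cap the tenant at 200000 sessions, reserve 50000
        set session 200000 50000
        # VPN capacity: a runaway dial-up population cannot take every tunnel slot
        set ipsec-phase1 20 5
        set ipsec-phase2 40 10
        set dialup-tunnel 50 0
        # configuration objects: bounds the blast radius of a scripted push
        set firewall-policy 500 100
        set firewall-address 2000 200
        set firewall-addrgrp 200 20
        set custom-service 200 20
        set service-group 50 5
        set onetime-schedule 50 0
        set recurring-schedule 50 0
        set user 500 50
        set user-group 50 5
        set sslvpn 100 10
        set proxy 500 50
        # MB of local log disk: a log flood in tenant-a cannot starve the others
        set log-disk-quota 2048 512
    next
end
```

FortiOS rejects a guaranteed value larger than its maximum, and the guaranteed values summed over all VDOMs cannot exceed what the unit has globally; size the guarantees first and the maximums second. Review the resulting table with show system vdom-property.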
system/vdom-radius-server
CLI Syntax
config system vdom-radius-server
edit <name_str>
set name <string>
set status {enable | disable}
set radius-server-vdom <string>
end

Description
Configuration Description Default Value

name Name of virtual domain for server settings. (Empty)

status Enable/disable the entry. disable

radius-server-vdom Virtual domain of the dynamic profile RADIUS server to use for dynamic profile traffic in the current VDOM. (Empty)

system/vdom-sflow
CLI Syntax
config system vdom-sflow
edit <name_str>
set vdom-sflow {enable | disable}
set collector-ip <ipv4-address>
set collector-port <integer>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

vdom-sflow Enable/disable sFlow per VDOM. disable

collector-ip Collector IP. 0.0.0.0

collector-port sFlow collector port. 6343

source-ip Source IP for sFlow agent. 0.0.0.0

system/virtual-wan-link
CLI Syntax
config system virtual-wan-link
edit <name_str>
set status {disable | enable}
set load-balance-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based | measured-volume-based}
set fail-detect {enable | disable}
config fail-alert-interfaces
edit <name_str>
set name <string>
end
config members
edit <name_str>
set seq-num <integer>
set interface <string>
set gateway <ipv4-address>
set weight <integer>
set priority <integer>
set spillover-threshold <integer>
set ingress-spillover-threshold <integer>
set volume-ratio <integer>
set status {disable | enable}
end
config health-check
edit <name_str>
set name <string>
set server <string>
set protocol {ping | tcp-echo | udp-echo | http | twamp}
set port <integer>
set security-mode {none | authentication}
set password <password>
set packet-size <integer>
set http-get <string>
set http-match <string>
set interval <integer>
set timeout <integer>
set failtime <integer>
set recoverytime <integer>
set update-cascade-interface {enable | disable}
set update-static-route {enable | disable}
set threshold-warning-packetloss <integer>
set threshold-alert-packetloss <integer>
set threshold-warning-latency <integer>
set threshold-alert-latency <integer>
set threshold-warning-jitter <integer>
set threshold-alert-jitter <integer>
end
config service
edit <name_str>
set name <string>
set mode {auto | manual | priority}
set quality-link <integer>
set member <integer>
set tos <user>
set tos-mask <user>
set protocol <integer>
set start-port <integer>
set end-port <integer>
config dst
edit <name_str>
set name <string>
end
config src
edit <name_str>
set name <string>
end
config users
edit <name_str>
set name <string>
end
config groups
edit <name_str>
set name <string>
end
set internet-service {enable | disable}
config internet-service-custom
edit <name_str>
set name <string>
end
config internet-service-id
edit <name_str>
set id <integer>
end
set health-check <string>
set link-cost-factor {latency | jitter | packet-loss}
config priority-members
edit <name_str>
set seq-num <integer>
end
end
end

Description
Configuration Description Default Value

status Enable/disable using the virtual-wan-link settings. disable

load-balance-mode Load balance mode among virtual WAN link members. source-ip-based

fail-detect Enable/disable fail detection. disable

fail-alert-interfaces Physical interfaces that will be alerted. (Empty)

members Members that belong to the virtual WAN link. (Empty)

health-check Health check. (Empty)

service Service to be distributed. (Empty)

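Worked example, added here and not taken from the FortiOS reference or from Fortinet: two WAN members, a health check that requires a known HTTP response body rather than mere reachability, and a service that steers traffic to head office over whichever member currently shows the lowest latency. The example treats config system virtual-wan-link as a single object per VDOM with no top-level entry name. The interface names wan1 and wan2, the gateway addresses (documentation ranges), the probe host and the address group hq-networks (a firewall address group defined elsewhere) are assumptions.

```fortios
config system virtual-wan-link
    set status enable
    set load-balance-mode source-dest-ip-based
    set fail-detect enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set weight 70
            set priority 1
            set status enable
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            set weight 30
            set priority 2
            set status enable
        next
    end
    config health-check
        edit "hq-probe"
            # fetch /healthz at head office and require "ok" in the body, so a
            # captive portal or an ISP error page on a broken link is not "up"
            set server "probe.hq.example.com"
            set protocol http
            set port 80
            set http-get "/healthz"
            set http-match "ok"
            set interval 5
            set timeout 1
            set failtime 3
            set recoverytime 5
            # withdraw the static route via a member whose probe has failed
            set update-static-route enable
            set threshold-alert-latency 250
            set threshold-alert-packetloss 5
        next
    end
    config service
        edit 1
            set name "hq-by-latency"
            # auto: every flow to hq-networks leaves through the member with the
            # lowest latency as measured by hq-probe; protocol/ports left at 0 (any)
            set mode auto
            config dst
                edit "hq-networks"
                next
            end
            set health-check "hq-probe"
            set link-cost-factor latency
        next
    end
end
```

The probe host must be reachable through both members, or the health check decides for only one of them. Watch the measured values and the member state with diagnose sys virtual-wan-link health-check and diagnose sys virtual-wan-link member.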
system/virtual-wire-pair
CLI Syntax
config system virtual-wire-pair
edit <name_str>
set name <string>
config member
edit <name_str>
set interface-name <string>
end
set wildcard-vlan {enable | disable}
end

Description
Configuration Description Default Value

name virtual-wire-pair name. (Empty)

member Interfaces that belong to the port pair. (Empty)

wildcard-vlan Enable/disable wildcard VLAN. disable

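Worked example, added here and not taken from the FortiOS reference or from Fortinet: a virtual wire pair used as an inline, address-less inspection point between a switch and a server segment, with one policy per direction so that nothing crosses the pair without IPS and logging. The interface names port7 and port8 are assumptions; protect_http_server and protect_client are the default IPS sensors shipped with FortiOS.

```fortios
config system virtual-wire-pair
    edit "inline-dmz"
        config member
            edit "port7"
            next
            edit "port8"
            next
        end
        # pass every VLAN tag through the pair without defining each VLAN
        set wildcard-vlan enable
    next
end
config firewall policy
    edit 0
        set name "vwp-inbound-inspect"
        set srcintf "port7"
        set dstintf "port8"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "protect_http_server"
        set logtraffic all
    next
    edit 0
        set name "vwp-outbound-inspect"
        set srcintf "port8"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "protect_client"
        set logtraffic all
    next
end
```

The pair members carry no IP address and cannot be used for anything else, which is the point: the FortiGate is invisible on that segment and an attacker cannot address it there. Without a policy between the two members the pair blocks everything, so unplugging it is the only way to bypass inspection.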
system/wccp
CLI Syntax
config system wccp
edit <name_str>
set service-id <string>
set router-id <ipv4-address>
set cache-id <ipv4-address>
set group-address <ipv4-address-multicast>
set server-list <user>
set router-list <user>
set ports-defined {source | destination}
set ports <user>
set authentication {enable | disable}
set password <password>
set forward-method {GRE | L2 | any}
set cache-engine-method {GRE | L2}
set service-type {auto | standard | dynamic}
set primary-hash {src-ip | dst-ip | src-port | dst-port}
set priority <integer>
set protocol <integer>
set assignment-weight <integer>
set assignment-bucket-format {wccp-v2 | cisco-implementation}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
end

Description
Configuration Description Default Value

service-id Service ID. (Empty)

router-id IP address which is known by all web cache servers. 0.0.0.0

cache-id IP address which is known by all routers. 0.0.0.0

group-address IP multicast address. 0.0.0.0

server-list Addresses of potential cache servers. (Empty)

router-list Addresses of potential routers. (Empty)

ports-defined Match method. (Empty)

ports Service ports. (Empty)

authentication Enable/disable MD5 authentication. disable

password Password of MD5 authentication. (Empty)

forward-method Method traffic is forwarded to cache servers. GRE

cache-engine-method Method traffic is forwarded to the router or returned to the cache engine. GRE

service-type Service type auto/standard/dynamic. auto

primary-hash Hash method. dst-ip

priority Service priority. 0

protocol Service protocol. 0

assignment-weight Cache server hash weight. 0

assignment-bucket-format Hash table bucket format. cisco-implementation

return-method Method traffic is returned back to firewall. GRE

assignment-method Assignment method preference. HASH

system/zone
CLI Syntax
config system zone
edit <name_str>
set name <string>
set intrazone {allow | deny}
config interface
edit <name_str>
set interface-name <string>
end
end

Description
Configuration Description Default Value

name Zone name. (Empty)

intrazone Allow or deny traffic between interfaces in the zone. With deny, traffic between zone members must be accepted by a firewall policy. deny

interface Interfaces that belong to the zone. (Empty)

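Worked example, added here and not taken from the FortiOS reference or from Fortinet: a DMZ zone that keeps the default intrazone deny, plus the one explicit policy that is needed for the web tier to reach the database tier inside the zone. Setting intrazone allow instead would let every member talk to every other member with no policy, no logging and no inspection. The interface names port3 and port4 and the address objects dmz-web-servers and dmz-db-servers are assumptions; MYSQL is a predefined FortiOS service.

```fortios
config system zone
    edit "dmz"
        # deny is the default; stated here because it is the point of the example
        set intrazone deny
        config interface
            edit "port3"
            next
            edit "port4"
            next
        end
    next
end
config firewall policy
    edit 0
        set name "dmz-web-to-dmz-db"
        # both ends of the policy are the zone itself: an intra-zone policy
        set srcintf "dmz"
        set dstintf "dmz"
        set srcaddr "dmz-web-servers"
        set dstaddr "dmz-db-servers"
        set action accept
        set schedule "always"
        set service "MYSQL"
        set logtraffic all
    next
end
```

An interface can only join a zone while no firewall policy references it directly, so build zones before policies. After the change, anything in the DMZ other than web-to-database MySQL is dropped and shows up in the traffic log as an implicit deny.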
user/adgrp
CLI Syntax
config user adgrp
edit <name_str>
set name <string>
set server-name <string>
set polling-id <integer>
end

Description
Configuration Description Default Value

name Name. (Empty)

server-name FSSO agent name. (Empty)

polling-id FSSO polling ID. 0

user/device
CLI Syntax
config user device
edit <name_str>
set alias <string>
set mac <mac-address>
set user <string>
set master-device <string>
set comment <var-string>
set avatar <var-string>
set type {ipad | iphone | gaming-console | blackberry-phone | blackberry-playbook | linux-pc | mac | windows-pc | android-phone | android-tablet | media-streaming | windows-phone | windows-tablet | fortinet-device | ip-phone | router-nat-device | printer | other-network-device}
end

Description
Configuration Description Default Value

alias Device alias. (Empty)

mac Device MAC address(es). 00:00:00:00:00:00

user User name. (Empty)

master-device Master device (optional). (Empty)

comment Comment. (Empty)

avatar Image file for avatar (maximum 4K base64 encoded). (Empty)

type Device type. other-network-device

user/device-access-list
CLI Syntax
config user device-access-list
edit <name_str>
set name <string>
set default-action {accept | deny}
config device-list
edit <name_str>
set id <integer>
set device <string>
set action {accept | deny}
end
end

Description
Configuration Description Default Value

name Device access list name. (Empty)

default-action Allow or block unknown devices. accept

device-list Device list. (Empty)

user/device-category
CLI Syntax
config user device-category
edit <name_str>
set name <string>
set desc <var-string>
set comment <var-string>
end

Description
Configuration Description Default Value

name Device category name. (Empty)

desc Device category description. (Empty)

comment Comment. (Empty)

user/device-group
CLI Syntax
config user device-group
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
set comment <var-string>
end

Description
Configuration Description Default Value

name Device group name. (Empty)

member Device group member. (Empty)

comment Comment. (Empty)

user/fortitoken
CLI Syntax
config user fortitoken
edit <name_str>
set serial-number <string>
set status {active | lock}
set seed <string>
set comments <var-string>
set license <string>
set activation-code <string>
set activation-expire <integer>
end

Description
Configuration Description Default Value

serial-number Serial number. (Empty)

status Token status (active or lock). active

seed Token seed. (Empty)

comments Comment. (Empty)

license Mobile token license. (Empty)

activation-code Mobile token user activation-code. (Empty)

activation-expire Mobile token user activation-code expire time. 0

user/fsso
CLI Syntax
config user fsso
edit <name_str>
set name <string>
set server <string>
set port <integer>
set password <password>
set server2 <string>
set port2 <integer>
set password2 <password>
set server3 <string>
set port3 <integer>
set password3 <password>
set server4 <string>
set port4 <integer>
set password4 <password>
set server5 <string>
set port5 <integer>
set password5 <password>
set ldap-server <string>
set source-ip <ipv4-address>
end

Description
Configuration Description Default Value

name Name. (Empty)

server Address of the 1st FSSO agent. (Empty)

port Port of the 1st FSSO agent. 8000

password Password of the 1st FSSO agent. (Empty)

server2 Address of the 2nd FSSO agent. (Empty)

port2 Port of the 2nd FSSO agent. 8000

password2 Password of the 2nd FSSO agent. (Empty)

server3 Address of the 3rd FSSO agent. (Empty)

port3 Port of the 3rd FSSO agent. 8000

password3 Password of the 3rd FSSO agent. (Empty)

server4 Address of the 4th FSSO agent. (Empty)

port4 Port of the 4th FSSO agent. 8000

password4 Password of the 4th FSSO agent. (Empty)

server5 Address of the 5th FSSO agent. (Empty)

port5 Port of the 5th FSSO agent. 8000

password5 Password of the 5th FSSO agent. (Empty)

ldap-server LDAP server to get group information. (Empty)

source-ip Source IP for communications to FSSO agent. 0.0.0.0

user/fsso-polling
CLI Syntax
config user fsso-polling
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set default-domain <string>
set port <integer>
set user <string>
set password <password>
set ldap-server <string>
set logon-history <integer>
set polling-frequency <integer>
config adgrp
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

id Active Directory server ID. 0

status Enable/disable polling of the Active Directory server. enable

server Active Directory server name/IP address. (Empty)

default-domain Default domain in this server. (Empty)

port Port of the Active Directory server. 0

user Active Directory server user account. (Empty)

password Password to connect to Active Directory server. (Empty)

ldap-server LDAP server name for group name and users. (Empty)

logon-history Hours to keep a logon active (0 = keep forever). 8

polling-frequency Polling frequency (1 - 30 s). 10

adgrp LDAP group info. (Empty)

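Worked example, added here and not taken from the FortiOS reference or from Fortinet: agentless FSSO polling of one domain controller's security event log with a dedicated account, and one Active Directory group mapped so that it can later be placed in an fsso-service user group. The host dc01.corp.example.com, the CORP domain, the service account svc-fsso-poll, the config user ldap entry corp-ldap and the group DN are assumptions; the password is a placeholder.

```fortios
config user fsso-polling
    edit 1
        set status enable
        set server "dc01.corp.example.com"
        set default-domain "CORP"
        # a dedicated account that can only read the DC's security event log;
        # never a domain admin, because this password lives in the FortiGate config
        set user "svc-fsso-poll"
        set password "<service-account-password>"
        # group membership is resolved through the LDAP server entry
        set ldap-server "corp-ldap"
        # a logon seen in the event log stays valid for 8 hours, then the user
        # must reauthenticate; 0 would keep stale logons forever
        set logon-history 8
        set polling-frequency 10
        config adgrp
            edit "CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
end
```

A shorter logon-history means a workstation whose user has left still loses its identity-based access after a bounded time; the trade-off is more re-logon events to poll. Verify that logons are being collected with diagnose debug fsso-polling detail and that users are mapped with diagnose debug authd fsso list.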
user/group
CLI Syntax

config user group
edit <name_str>
set name <string>
set group-type {firewall | sslvpn | fsso-service | directory-service | active-directory | rsso | guest}
set authtimeout <integer>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
set http-digest-realm <string>
set sso-attribute-value <string>
config member
edit <name_str>
set name <string>
end
config match
edit <name_str>
set id <integer>
set server-name <string>
set group-name <string>
end
set user-id {email | auto-generate | specify}
set password {auto-generate | specify | disable}
set user-name {disable | enable}
set sponsor {optional | mandatory | disabled}
set company {optional | mandatory | disabled}
set email {disable | enable}
set mobile-phone {disable | enable}
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set expire-type {immediately | first-successful-login}
set expire <integer>
set max-accounts <integer>
set multiple-guest-add {disable | enable}
config guest
edit <name_str>
set user-id <string>
set name <string>
set group <string>
set password <password>
set mobile-phone <string>
set sponsor <string>
set company <string>
set email <string>
set expiration <user>
set comment <var-string>
end
end

Description
Configuration Description Default Value

name Group name. (Empty)

group-type Type of user group. firewall

authtimeout Authentication timeout. 0

auth-concurrent-override Enable/disable concurrent authentication override. disable

auth-concurrent-value Maximum number of concurrent authenticated connections per user (0 - 100). 0

http-digest-realm Realm attribute for MD5-digest authentication. (Empty)

sso-attribute-value Single Sign On attribute value. (Empty)

member Group members. (Empty)

match Remote group matches (server name and group name). (Empty)

user-id Source of the guest user ID (email, auto-generate or specify). email

password Source of the guest password (auto-generate, specify or disable). auto-generate

user-name Enable/disable user name. disable

sponsor Sponsor field (optional, mandatory or disabled). optional

company Company field (optional, mandatory or disabled). optional

email Enable/disable email address. enable

mobile-phone Enable/disable mobile phone. disable

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server SMS server. (Empty)

expire-type Point at which the expiration countdown begins. immediately

expire Expiration (1 - 31536000 sec). 14400

max-accounts Maximum number of guest accounts that can be created for this group (0 = unlimited). 0

multiple-guest-add Enable/disable addition of multiple guests. disable

guest Guest user accounts. (Empty)

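Worked example, added here and not taken from the FortiOS reference or from Fortinet: a firewall group whose membership is not stored on the FortiGate but matched against an LDAP group at logon, with a per-user concurrency cap, and a guest group with bounded lifetime and account count. The config user ldap entry corp-ldap and the group DN are assumptions; authtimeout is in minutes and 0 means use the global value.

```fortios
config user group
    edit "vpn-admins"
        set group-type firewall
        set authtimeout 60
        # one authenticated session per admin account: a second logon from
        # elsewhere with the same credentials is refused instead of silently shared
        set auth-concurrent-override enable
        set auth-concurrent-value 1
        # no static member list; a user is in this group only while the
        # directory says so, so removal from AD revokes access at next logon
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=VPN-Admins,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
    edit "visitor-wifi"
        set group-type guest
        set user-id auto-generate
        set password auto-generate
        set sponsor mandatory
        set company optional
        set email enable
        set mobile-phone enable
        set sms-server fortiguard
        # the 8-hour clock starts at first login, not at account creation
        set expire-type first-successful-login
        set expire 28800
        # hard cap on outstanding guest accounts for this group
        set max-accounts 50
        set multiple-guest-add disable
    next
end
```

A group that matches on a remote group DN is only as strong as the LDAP server entry it points to: if that entry uses a cleartext bind, an attacker on the path can forge the group lookup. Pair this with an LDAPS server entry as shown under user/ldap.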
user/ldap
CLI Syntax
config user ldap
edit <name_str>
set name <string>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set source-ip <ipv4-address>
set cnid <string>
set dn <string>
set type {simple | anonymous | regular}
set username <string>
set password <password>
set group-member-check {user-attr | group-object}
set group-object-filter <string>
set secure {disable | starttls | ldaps}
set ca-cert <string>
set port <integer>
set password-expiry-warning {enable | disable}
set password-renewal {enable | disable}
set member-attr <string>
set search-type {nested}
end

Description
Configuration Description Default Value

name LDAP server entry name. (Empty)

server {<name_str|ip_str>} LDAP server CN domain name or IP. (Empty)

secondary-server {<name_str|ip_str>} Secondary LDAP server CN domain name or IP. (Empty)

tertiary-server {<name_str|ip_str>} Tertiary LDAP server CN domain name or IP. (Empty)

source-ip Source IP for communications to LDAP server. 0.0.0.0

cnid Common Name Identifier (default = "cn"). cn

dn Distinguished Name. (Empty)

type Type of LDAP binding. simple

username Username (full DN) for initial binding. (Empty)

password Password for initial binding. (Empty)

group-member-check Group-member checking options. user-attr

group-object-filter Filter used for group searching. (&(objectcategory=group)(member=*))

secure Connection security (disable, starttls or ldaps). disable

ca-cert CA certificate name. (Empty)

port Port number of the LDAP server (default = 389). 389

password-expiry-warning Enable/disable password expiry warnings. disable

password-renewal Enable/disable online password renewal. disable

member-attr Name of attribute from which to get group membership. memberOf

search-type Search type. (Empty)

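Worked example, added here and not taken from the FortiOS reference or from Fortinet: the default LDAP server entry beside a hardened one. The defaults (secure disable, port 389) send every user's bind password and every group lookup in cleartext, and with no ca-cert there is nothing that stops a man-in-the-middle from answering the bind. The host names, the source IP, the service account DN, the CA name CORP-Root-CA (a CA imported under config vpn certificate ca) and the base DN are assumptions; the password is a placeholder.

```fortios
# Weak: cleartext LDAP, anonymous bind, server identity never checked
config user ldap
    edit "corp-ldap-weak"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        set type anonymous
        set secure disable
        set port 389
    next
end

# Hardened: LDAPS, server certificate pinned to the corporate CA, regular bind
# as a read-only service account, group check on the group object, failover
config user ldap
    edit "corp-ldap"
        set server "dc01.corp.example.com"
        set secondary-server "dc02.corp.example.com"
        # bind from a fixed internal address so the DCs can restrict LDAPS clients
        set source-ip 10.0.0.1
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        # regular: the FortiGate binds with its own account to search, then
        # binds as the user to verify the password
        set type regular
        set username "CN=svc-fortigate-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password "<service-account-password>"
        # look up membership on the group objects rather than trusting the
        # user's memberOf attribute alone
        set group-member-check group-object
        set group-object-filter "(&(objectcategory=group)(member=*))"
        set secure ldaps
        set ca-cert "CORP-Root-CA"
        set port 636
        set password-expiry-warning enable
        set password-renewal enable
    next
end
```

The server name must match the subject or subject alternative name in the DC's certificate, so use the host name rather than an IP once ca-cert is set. Test a bind end to end with diagnose test authserver ldap corp-ldap <username> <password>, which also prints the groups the FortiGate resolved for that user.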
user/local
CLI Syntax
config user local
edit <name_str>
set name <string>
set status {enable | disable}
set type {password | radius | tacacs+ | ldap}
set passwd <password>
set ldap-server <string>
set radius-server <string>
set tacacs+-server <string>
set two-factor {disable | fortitoken | email | sms}
set fortitoken <string>
set email-to <string>
set sms-server {fortiguard | custom}
set sms-custom-server <string>
set sms-phone <string>
set passwd-policy <string>
set passwd-time <user>
set authtimeout <integer>
set workstation <string>
set auth-concurrent-override {enable | disable}
set auth-concurrent-value <integer>
end

Description
Configuration Description Default Value

name User name. (Empty)

status Enable/disable user. enable

type Authentication type. (Empty)

passwd User password. (Empty)

ldap-server LDAP server name. (Empty)

radius-server RADIUS server name. (Empty)

tacacs+-server TACACS+ server name. (Empty)

two-factor Enable/disable two-factor authentication. disable

fortitoken Two-factor recipient's FortiToken serial number. (Empty)

email-to Two-factor recipient's email address. (Empty)

sms-server Send SMS through FortiGuard or other external server. fortiguard

sms-custom-server Two-factor recipient's SMS server. (Empty)

sms-phone Two-factor recipient's mobile phone number. (Empty)

passwd-policy Password policy. (Empty)

passwd-time Password last update time. 0000-00-00 00:00:00

authtimeout Authentication timeout. 0

workstation Name of remote user workstation. (Empty)

auth-concurrent-override Enable/disable concurrent authentication override. disable

auth-concurrent-value Maximum number of concurrent authenticated connections per user. 0

user/password-policy
CLI Syntax
config user password-policy
edit <name_str>
set name <string>
set expire-days <integer>
set warn-days <integer>
end

Description
Configuration Description Default Value

name Password policy name. (Empty)

expire-days Number of days until the password expires. 180

warn-days Number of days to warn before the password expires. 15

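Worked example covering both user/local and user/password-policy, added here and not taken from the FortiOS reference or from Fortinet: a rotation policy, a local account that uses it with a FortiToken as second factor and a single-session cap, and a directory-backed account that uses an emailed code. The user names, the token serial, the address, the config user ldap entry corp-ldap and the policy name are assumptions; the password is a placeholder.

```fortios
config user password-policy
    edit "90-day-rotation"
        set expire-days 90
        set warn-days 14
    next
end
config user local
    edit "alice"
        set status enable
        set type password
        set passwd "<initial-password>"
        # passwd-time is stamped on every change; expiry is counted from it
        set passwd-policy "90-day-rotation"
        # the token must already be registered under config user fortitoken
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        # minutes of inactivity before the user must reauthenticate
        set authtimeout 30
        set auth-concurrent-override enable
        set auth-concurrent-value 1
    next
    edit "bob"
        set status enable
        # password checked against the directory, not stored locally
        set type ldap
        set ldap-server "corp-ldap"
        set two-factor email
        set email-to "bob@corp.example.com"
    next
end
```

A FortiToken code is generated on the device and never crosses the network before use; an emailed or SMS code is only as strong as the mailbox or carrier that delivers it, so prefer the token for administrative and VPN accounts and treat email or SMS as a fallback for accounts that cannot be issued one.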
user/peer
CLI Syntax
config user peer
edit <name_str>
set name <string>
set mandatory-ca-verify {enable | disable}
set ca <string>
set subject <string>
set cn <string>
set cn-type {string | email | FQDN | ipv4 | ipv6}
set ldap-server <string>
set ldap-username <string>
set ldap-password <password>
set ldap-mode {password | principal-name}
set ocsp-override-server <string>
set two-factor {enable | disable}
set passwd <password>
end

Description
Configuration Description Default Value

name Peer name. (Empty)

mandatory-ca-verify Enable/disable mandatory CA verify. disable

ca Peer certificate CA (CA name in local). (Empty)

subject Peer certificate name constraints. (Empty)

cn Peer certificate common name. (Empty)

cn-type Peer certificate common name type. string

ldap-server LDAP server for access rights check. (Empty)

ldap-username Username for LDAP server bind. (Empty)

ldap-password Password for LDAP server bind. (Empty)

ldap-mode Peer LDAP mode. password

ocsp-override-server OCSP server. (Empty)

two-factor Enable/disable 2-factor authentication (certificate + password). disable

passwd User password. (Empty)

user/peergrp
CLI Syntax
config user peergrp
edit <name_str>
set name <string>
config member
edit <name_str>
set name <string>
end
end

Description
Configuration Description Default Value

name Peer group name. (Empty)

member Peer group members. (Empty)

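Worked example covering both user/peer and user/peergrp, added here and not taken from the FortiOS reference or from Fortinet: a certificate user whose certificate must chain to one named CA, carry a constrained subject and an exact common name, pass a revocation check against a specific OCSP responder and map to a live directory account, plus a password as second factor; the peer is then placed in a group that VPN settings can reference. The CA name CORP-Issuing-CA (imported under config vpn certificate ca), the OCSP entry corp-ocsp (defined under config vpn certificate ocsp-server), the config user ldap entry corp-ldap, the bind DN and the names are assumptions; passwords are placeholders.

```fortios
config user peer
    edit "alice-cert"
        # the client certificate must be issued by this CA, not merely by any
        # CA the unit happens to trust
        set ca "CORP-Issuing-CA"
        set mandatory-ca-verify enable
        # narrow which certificates from that CA are acceptable
        set subject "OU=VPN Clients,O=Example Corp"
        set cn "alice"
        set cn-type string
        # revocation: check this responder rather than whatever URL the
        # certificate advertises
        set ocsp-override-server "corp-ocsp"
        # authorization: the principal name in the certificate must still
        # resolve to an account in the directory (disabled users fail here)
        set ldap-server "corp-ldap"
        set ldap-mode principal-name
        set ldap-username "CN=svc-fortigate-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set ldap-password "<service-account-password>"
        # certificate plus password: a stolen key file alone is not enough
        set two-factor enable
        set passwd "<alice-second-factor-password>"
    next
end
config user peergrp
    edit "pki-vpn-users"
        config member
            edit "alice-cert"
            next
        end
    next
end
```

With mandatory-ca-verify disabled a certificate from any CA in the local store is accepted as long as the subject and CN match, which turns the peer into a name check rather than an issuer check; keep it enabled for anything that grants network access. When the OCSP responder is unreachable the outcome depends on the ocsp-server entry's unavail-action, so decide deliberately whether an outage fails open or closed.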
user/pop3
CLI Syntax
config user pop3
edit <name_str>
set name <string>
set server <string>
set port <integer>
set secure {none | starttls | pop3s}
end

Description
Configuration Description Default Value

name POP3 server entry name. (Empty)

server {<name_str|ip_str>} server domain name or IP. (Empty)

port POP3 service port number. 0

secure SSL connection. starttls

user/radius
CLI Syntax
config user radius
edit <name_str>
set name <string>
set server <string>
set secret <password>
set secondary-server <string>
set secondary-secret <password>
set tertiary-server <string>
set tertiary-secret <password>
set timeout <integer>
set all-usergroup {disable | enable}
set use-management-vdom {enable | disable}
set nas-ip <ipv4-address>
set acct-interim-interval <integer>
set radius-coa {enable | disable}
set radius-port <integer>
set h3c-compatibility {enable | disable}
set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}
set source-ip <ipv4-address>
set username-case-sensitive {enable | disable}
set password-renewal {enable | disable}
set rsso {enable | disable}
set rsso-radius-server-port <integer>
set rsso-radius-response {enable | disable}
set rsso-validate-request-secret {enable | disable}
set rsso-secret <password>
set rsso-endpoint-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set rsso-endpoint-block-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute {User-Name | User-Password | CHAP-Password | NAS-IP-Address | NAS-Port | Service-Type | Framed-Protocol | Framed-IP-Address | Framed-IP-Netmask | Framed-Routing | Filter-Id | Framed-MTU | Framed-Compression | Login-IP-Host | Login-Service | Login-TCP-Port | Reply-Message | Callback-Number | Callback-Id | Framed-Route | Framed-IPX-Network | State | Class | Session-Timeout | Idle-Timeout | Termination-Action | Called-Station-Id | Calling-Station-Id | NAS-Identifier | Proxy-State | Login-LAT-Service | Login-LAT-Node | Login-LAT-Group | Framed-AppleTalk-Link | Framed-AppleTalk-Network | Framed-AppleTalk-Zone | Acct-Status-Type | Acct-Delay-Time | Acct-Input-Octets | Acct-Output-Octets | Acct-Session-Id | Acct-Authentic | Acct-Session-Time | Acct-Input-Packets | Acct-Output-Packets | Acct-Terminate-Cause | Acct-Multi-Session-Id | Acct-Link-Count | CHAP-Challenge | NAS-Port-Type | Port-Limit | Login-LAT-Port}
set sso-attribute-key <string>
set sso-attribute-value-override {enable | disable}
set rsso-context-timeout <integer>
set rsso-log-period <integer>
set rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | ac
counting-event | endpoint-block | radiusd-other | none}
set rsso-flush-ip-session {enable | disable}
config accounting-server
edit <name_str>
set id <integer>
set status {enable | disable}
set server <string>
set secret <password>
set port <integer>
set source-ip <ipv4-address>
end
end
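
With `rsso` enabled the FortiGate listens for RADIUS accounting traffic on `rsso-radius-server-port`, learns a logon from an Accounting-Start and a logoff from an Accounting-Stop, and keys the entry on the attribute named by `rsso-endpoint-attribute` while taking the group from `sso-attribute`. The option that decides whether those packets are trusted is `rsso-validate-request-secret`: when it is enabled, the Request Authenticator in each Accounting-Request is checked against `rsso-secret` as defined in RFC 2866 (MD5 over the packet header, sixteen zero octets, the attributes and the shared secret). The example below is added here to show that check and what happens without it; it is not FortiOS code and is not taken from this reference. It assumes `Framed-IP-Address` as the endpoint attribute and `Class` as the group attribute, uses constructed secrets and packets, and ignores `sso-attribute-key`, `rsso-context-timeout` and the Accounting-Response governed by `rsso-radius-response`.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 2866).
ACCT_REQUEST = 4
FRAMED_IP_ADDRESS = 8
CLASS = 25
ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    """Encode a list of (type, value-bytes) pairs as RADIUS TLVs."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs, rejecting lengths that run off the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_acct_request(identifier, attrs, secret):
    """Accounting-Request carrying the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """True only if the Request Authenticator was computed with `secret`."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length < 20 or length > len(packet):
        return False
    body = packet[20:length]  # octets beyond Length are padding, not covered
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def rsso_process(packet, secret, validate_secret, table):
    """Minimal RSSO listener. Acct-Start maps endpoint -> group, Acct-Stop
    removes it. Endpoint comes from Framed-IP-Address and group from Class
    (assumed rsso-endpoint-attribute / sso-attribute choices).
    Returns 'rejected', 'logon', 'logoff' or 'ignored'."""
    if validate_secret and not verify_acct_request(packet, secret):
        return "rejected"
    length = struct.unpack("!BBH", packet[:4])[2]
    attrs = dict(decode_attrs(packet[20:length]))
    if ACCT_STATUS_TYPE not in attrs or FRAMED_IP_ADDRESS not in attrs:
        return "ignored"
    status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    endpoint = ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS])
    if status == ACCT_START and CLASS in attrs:
        table[endpoint] = attrs[CLASS].decode()
        return "logon"
    if status == ACCT_STOP:
        table.pop(endpoint, None)
        return "logoff"
    return "ignored"


def demo():
    """Constructed scenario: a genuine Acct-Start from the NAS, then a forged
    one from a host that knows the attribute layout but not the secret."""
    shared = b"constructed-shared-secret"  # illustration only
    nas_start = build_acct_request(7, [
        (FRAMED_IP_ADDRESS, bytes([10, 1, 1, 25])),
        (CLASS, b"staff"),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    ], shared)
    forged_start = build_acct_request(8, [
        (FRAMED_IP_ADDRESS, bytes([10, 1, 1, 66])),
        (CLASS, b"admins"),  # attacker-chosen group
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    ], b"wrong-secret")
    lax, strict = {}, {}
    results = {
        "lax_nas": rsso_process(nas_start, shared, False, lax),
        "lax_forged": rsso_process(forged_start, shared, False, lax),
        "strict_nas": rsso_process(nas_start, shared, True, strict),
        "strict_forged": rsso_process(forged_start, shared, True, strict),
    }
    return results, lax, strict
```

Running `demo()` shows the difference the option makes: with validation off both Accounting-Starts create entries, so a host that can reach the listener port places 10.1.1.66 in the "admins" group without knowing the secret; with validation on the forged packet is rejected and only the NAS-originated logon is recorded. On the FortiGate the corresponding settings are `set rsso enable`, `set rsso-validate-request-secret enable`, `set rsso-secret <password>`, `set rsso-endpoint-attribute Framed-IP-Address` and `set sso-attribute Class`; `rsso-endpoint-block-attribute` selects the attribute used to block an endpoint rather than log it on.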

Description