FortiGate CLI Reference Guide

FortiGate User Manual Volume 6

Version 2.50
30 July 2003
© Copyright 2003 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.


Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective
holders.

Regulatory Compliance
FCC Class A Part 15 CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.


DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to
techdoc@fortinet.com.
Table of Contents
Introduction ............................................................................................................ 9
About this document ........................................................................................................... 9
Conventions ...................................................................................................................... 10
Fortinet documentation ..................................................................................................... 11
Comments on Fortinet technical documentation........................................................... 11
Customer service and technical support........................................................................... 12

Using the CLI........................................................................................................ 13


Access levels .................................................................................................................... 13
Connecting to the CLI ....................................................................................................... 13
Connecting to the FortiGate console ............................................................................ 14
Connecting to the FortiGate CLI using SSH ................................................................. 15
Connecting to the FortiGate CLI using telnet................................................................ 16
CLI basics ......................................................................................................................... 17
CLI command structure................................................................................................. 17
Navigating command branches .................................................................................... 17
Recalling commands..................................................................................................... 18
Editing commands ........................................................................................................ 18
Using command shortcuts ............................................................................................ 18
Using command help .................................................................................................... 18
Displaying the FortiGate configuration.......................................................................... 19
Changing the configuration by editing the configuration file ......................................... 19
Controlling the behavior of the command line console ................................................. 20
diagnose commands......................................................................................................... 20
Changing the FortiGate firmware...................................................................................... 21
Upgrade to a new firmware version .............................................................................. 21
Revert to a previous firmware version using the CLI .................................................... 22
Install a firmware image from a system reboot ............................................................. 23
Test a new firmware image before installing it .............................................................. 26
Installing and using a backup firmware image .............................................................. 28

set commands...................................................................................................... 33
set alertemail configuration ........................................................................................... 34
set alertemail setting ..................................................................................................... 35
set antivirus filepattern .................................................................................................. 36
set antivirus quarantine................................................................................................. 37
set antivirus service ...................................................................................................... 39
set console.................................................................................................................... 41
set emailfilter bannedword ............................................................................................ 42
set emailfilter blocklist ................................................................................................... 43
set emailfilter config ...................................................................................................... 44
set emailfilter exemptlist................................................................................................ 45
set firewall address ....................................................................................................... 46
set firewall addrgrp........................................................................................................ 47
set firewall dnstranslation.............................................................................................. 48
set firewall ipmacbinding setting ................................................................................... 49
set firewall ipmacbinding table ...................................................................................... 50
set firewall ippool .......................................................................................................... 51
set firewall onetimeschedule ......................................................................................... 52
set firewall policy........................................................................................................... 53
set firewall profile .......................................................................................................... 57
set firewall recurringschedule ....................................................................................... 61
set firewall service custom ............................................................................................ 62
set firewall service group .............................................................................................. 63
set firewall vip ............................................................................................................... 64
set log policy ................................................................................................................. 66
set log setting................................................................................................................ 68
set log trafficfilter rule.................................................................................................... 70
set log trafficfilter setting ............................................................................................... 71
set nids detection .......................................................................................................... 72
set nids prevention........................................................................................................ 73
set nids rule................................................................................................................... 77
set system admin .......................................................................................................... 78
set system autoupdate.................................................................................................. 79
set system brctl ............................................................................................................. 81
set system dhcpserver .................................................................................................. 82
set system dns .............................................................................................................. 84
set system ha................................................................................................................ 85
set system hostname .................................................................................................... 88
set system interface ...................................................................................................... 89
set system mainregpage............................................................................................... 93
set system management............................................................................................... 94
set system opmode....................................................................................................... 95
set system option .......................................................................................................... 96
set system route number .............................................................................................. 97
set system route policy ................................................................................................. 99
set system route rip..................................................................................................... 101
set system route rip filter............................................................................................. 103
set system route rip interface...................................................................................... 106
set system route rip neighbor...................................................................................... 108
set system route rip timers.......................................................................................... 109
set system session_ttl................................................................................................. 110
set system snmp ......................................................................................................... 111
set system time ........................................................................................................... 113
set system vlan ........................................................................................................... 114
set system zone .......................................................................................................... 115
set user group ............................................................................................................. 116
set user ldap ............................................................................................................... 117
set user local............................................................................................................... 119
set user radius ............................................................................................................ 121
set vpn ipsec concentrator .......................................................................................... 122
set vpn ipsec manualkey............................................................................................. 123
set vpn ipsec phase1 .................................................................................................. 125
set vpn ipsec phase2 .................................................................................................. 130
set vpn l2tp.................................................................................................................. 133
set vpn pptp ................................................................................................................ 134
set webfilter cerberian ................................................................................................. 135
set webfilter content .................................................................................................... 136
set webfilter exempturl ................................................................................................ 137
set webfilter script ....................................................................................................... 138
set webfilter url............................................................................................................ 139

unset commands ............................................................................................... 141


unset firewall address ................................................................................................. 142
unset firewall addrgrp.................................................................................................. 143
unset firewall ipmacbinding......................................................................................... 144
unset firewall ippool .................................................................................................... 145
unset firewall onetimeschedule................................................................................... 146
unset firewall policy..................................................................................................... 147
unset firewall profile .................................................................................................... 148
unset firewall recurringschedule ................................................................................. 149
unset firewall service................................................................................................... 150
unset firewall vip ......................................................................................................... 151
unset log filter.............................................................................................................. 152
unset system admin .................................................................................................... 153
unset system dhcpserver ............................................................................................ 154
unset system hostname .............................................................................................. 155
unset system route number ........................................................................................ 156
unset system route policy ........................................................................................... 157
unset system secondip ............................................................................................... 158
unset system sessionttl............................................................................................... 159
unset system vlan ....................................................................................................... 160
unset system zone ...................................................................................................... 161
unset user group ......................................................................................................... 162
unset user ldap ........................................................................................................... 163
unset user local........................................................................................................... 164
unset user radius ........................................................................................................ 165
unset vpn certificates .................................................................................................. 166
unset vpn ipsec ........................................................................................................... 167

get commands.................................................................................................... 169


get alertemail configuration......................................................................................... 170
get alertemail setting................................................................................................... 171
get antivirus filepattern................................................................................................ 172
get antivirus quarantine list ......................................................................................... 173
get antivirus quarantine settings ................................................................................. 174
get antivirus service .................................................................................................... 175
get config .................................................................................................................... 176
get console.................................................................................................................. 177
get emailfilter............................................................................................................... 178
get firewall address ..................................................................................................... 179
get firewall addrgrp ..................................................................................................... 180
get firewall dnstranslation ........................................................................................... 181
get firewall ipmacbinding............................................................................................. 182
get firewall ippool ........................................................................................................ 183
get firewall profile ........................................................................................................ 184
get firewall policy......................................................................................................... 185
get firewall schedule ................................................................................................... 186
get firewall service ...................................................................................................... 187
get firewall vip ............................................................................................................. 188
get log elog ................................................................................................................. 189
get log logsetting......................................................................................................... 190
get log policy ............................................................................................................... 191
get log trafficfilter......................................................................................................... 192
get nids detection........................................................................................................ 193
get nids prevention...................................................................................................... 194
get nids rule ................................................................................................................ 195
get system admin........................................................................................................ 196
get system autoupdate................................................................................................ 197
get system dhcpserver................................................................................................ 198
get system dns............................................................................................................ 199
get system ha.............................................................................................................. 200
get system interface.................................................................................................... 201
get system mainregpage............................................................................................. 202
get system management............................................................................................. 203
get system objver........................................................................................................ 204
get system option........................................................................................................ 205
get system performance ............................................................................................. 206
get system route policy ............................................................................................... 207
get system route rip .................................................................................................... 208
get system route table................................................................................................. 209
get system serialno ..................................................................................................... 210
get system sessionttl................................................................................................... 211
get system snmp......................................................................................................... 212
get system status ........................................................................................................ 213
get system time........................................................................................................... 214
get system vlan ........................................................................................................... 215
get system zone.......................................................................................................... 216
get user ....................................................................................................................... 217
get vpn certificates ...................................................................................................... 218
get vpn ipsec............................................................................................................... 219
get vpn l2tp range ....................................................................................................... 220
get vpn pptp range ...................................................................................................... 221
get webfilter................................................................................................................. 222

execute commands............................................................................................ 223


execute backup........................................................................................................... 224
execute factoryreset.................................................................................................... 225
execute formatlogdisk ................................................................................................. 226
execute ha manage .................................................................................................... 227
execute ha synchronize .............................................................................................. 228
execute ping................................................................................................................ 229
execute ping-option..................................................................................................... 230
execute reboot ............................................................................................................ 231
execute reload ............................................................................................................ 232
execute restore ........................................................................................................... 233
execute save config .................................................................................................... 234
execute shutdown ....................................................................................................... 235
execute traceroute ...................................................................................................... 236
execute updatecenter updatenow ............................................................................... 237
execute vpn certificates ca.......................................................................................... 238
execute vpn certificates local ...................................................................................... 239

FortiGate maximum values matrix ................................................................... 243

Index .................................................................................................................... 245

FortiGate CLI Reference Guide Version 2.50

Introduction
The FortiGate Antivirus Firewall supports network-based deployment of application-level services,
including virus protection and full-scan content filtering. FortiGate units improve network security,
reduce network misuse and abuse, and help you use communications resources more efficiently
without compromising the performance of your network.
The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities,
including:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System
(ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and
content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time,
enabling key applications to be deployed right at the network edge where they are most effective at
protecting your networks. The FortiGate series complements existing solutions, such as host-based
antivirus protection, and enables new applications and services while greatly lowering costs for
equipment, administration, and maintenance.

About this document


This CLI Reference Guide describes how to use the FortiGate command line interface (CLI). This
document contains the following chapters:
• Using the CLI describes how to connect to and use the FortiGate CLI.
• set commands is an alphabetic reference to the set commands, which are used to change the
FortiGate system configuration.
• unset commands is an alphabetic reference to the unset commands, which are used to remove an
entry from a table of values.
• get commands is an alphabetic reference to the get commands, which are used to display the
FortiGate system configuration.
• execute commands is an alphabetic reference to the execute commands, which are used to run
static commands (for example, commands to upload or download system configuration files or to
check network connectivity).
Note: Diagnose commands are also available from the FortiGate CLI. These commands are used to display
system information and for debugging. Diagnose commands are intended for advanced users only, and they are
not covered in detail in this reference guide. Contact Fortinet technical support before using these commands.

• An appendix contains the FortiGate maximum values matrix that lists the limitations of each
FortiGate model, such as the maximum number of firewall policies that can be added.

Conventions
This guide uses the following conventions to describe command syntax.
• angle brackets < > to indicate variable keywords
For example:
execute restore config <filename_str>
You enter restore config myfile.bak
<xxx_str> indicates an ASCII string variable.
<xxx_integer> indicates an integer variable.
<xxx_ip> indicates an IP address variable.
<xxx_hex> indicates a hexadecimal variable.
• vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
For example:
set system opmode {nat | transparent}
You can enter set system opmode nat or set system opmode transparent
• square brackets [ ] to indicate that a keyword is optional
For example:
get firewall ipmacbinding [dhcpipmac]
You can enter get firewall ipmacbinding or
get firewall ipmacbinding dhcpipmac
• a space to separate options that can be entered in any combination and must be separated by
spaces
For example:
set system interface internal config allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set system interface internal config allowaccess ping
set system interface internal config allowaccess ping https ssh
set system interface internal config allowaccess https ping ssh
set system interface internal config allowaccess snmp
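The four notations above can be checked mechanically. The following is an added example, my own code and not part of the guide: it parses a syntax line written in these conventions and tests whether a typed command conforms to it. It assumes that the curly-bracket "any combination" form requires at least one keyword and no repeated keyword (the guide's examples show this but do not state it), and that a variable's type is the suffix after the last underscore, as in <filename_str>.

```python
import re
import ipaddress

# One syntax element per match: <variable>, {braces}, [optional], or a bare keyword.
# Alternation order matters: bracketed forms are tried before the bare-word fallback.
ELEMENT_RE = re.compile(r"<([^>]+)>|\{([^}]+)\}|\[([^\]]+)\]|(\S+)")


def parse_pattern(pattern):
    """Turn a syntax line from the guide into a list of (kind, payload) elements."""
    elements = []
    for var, braces, optional, word in ELEMENT_RE.findall(pattern):
        if var:
            # <filename_str> -> "str"; assumption: the type is the last underscore suffix
            kind = var.rsplit("_", 1)[-1] if "_" in var else "str"
            elements.append(("var", kind))
        elif braces:
            if "|" in braces:
                # {nat | transparent}: exactly one of the alternatives
                elements.append(("oneof", [w.strip() for w in braces.split("|")]))
            else:
                # {ping https ssh ...}: any combination, any order (assumed: at least one)
                elements.append(("anyof", braces.split()))
        elif optional:
            # [dhcpipmac]: the keyword may be present or absent
            elements.append(("optional", optional.strip()))
        else:
            elements.append(("literal", word))
    return elements


def value_matches(kind, value):
    """Check a typed value against the variable types the guide defines."""
    if kind == "str":
        return value != ""
    if kind == "integer":
        return value.isdigit()
    if kind == "ip":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if kind == "hex":
        return re.fullmatch(r"(0x)?[0-9a-fA-F]+", value) is not None
    return False


def matches(pattern, command):
    """Return True if the command line conforms to the syntax pattern."""
    elements = parse_pattern(pattern)
    words = command.split()
    i = 0
    for kind, payload in elements:
        if kind == "literal":
            if i >= len(words) or words[i] != payload:
                return False
            i += 1
        elif kind == "var":
            if i >= len(words) or not value_matches(payload, words[i]):
                return False
            i += 1
        elif kind == "oneof":
            if i >= len(words) or words[i] not in payload:
                return False
            i += 1
        elif kind == "optional":
            if i < len(words) and words[i] == payload:
                i += 1
        elif kind == "anyof":
            # Consumes every remaining word; each must be an allowed keyword, given once.
            rest = words[i:]
            if not rest or len(set(rest)) != len(rest) or not set(rest) <= set(payload):
                return False
            i = len(words)
    # Every word of the command must have been accounted for.
    return i == len(words)


if __name__ == "__main__":
    # Sample inputs constructed from the syntax lines shown in the Conventions section.
    allow = "set system interface internal config allowaccess {ping https ssh snmp http telnet}"
    print(matches(allow, "set system interface internal config allowaccess https ping ssh"))  # True
    print(matches(allow, "set system interface internal config allowaccess ftp"))             # False
```

A checker of this kind is useful when reviewing a configuration file before it is loaded: the allowaccess line, for instance, decides which management services an interface answers, and a rejected keyword surfaces as an error before the change is applied rather than as an interface that silently exposes more than intended.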


Fortinet documentation
Information about FortiGate products is available from the following FortiGate User Manual volumes:
• Volume 1: FortiGate Installation and Configuration Guide
Describes installation and basic configuration for the FortiGate unit. Also describes how to use
FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall
policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and
email content passing through the FortiGate unit.
• Volume 2: FortiGate VPN Guide
Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and
manual keys for encryption. Also contains basic configuration information for the Fortinet Remote
VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN
configuration examples.
• Volume 3: FortiGate Content Protection Guide
Describes how to configure antivirus protection, web content filtering, and email filtering to protect
content as it passes through the FortiGate unit.
• Volume 4: FortiGate NIDS Guide
Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from
network-based attacks.
• Volume 5: FortiGate Logging and Message Reference Guide
Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log
message reference.
• Volume 6: FortiGate CLI Reference Guide
Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.
The FortiGate online help also contains procedures for using the FortiGate web-based manager to
configure and manage your FortiGate unit.

Comments on Fortinet technical documentation


You can send information about errors or omissions in this document or any Fortinet technical
documentation to techdoc@fortinet.com.

Customer service and technical support


For antivirus and attack definition updates, firmware updates, updated product documentation,
technical support information, and other resources, please visit the Fortinet technical support web site
at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your
registration information at any time.
Fortinet email support is available from the following addresses:

amer_support@fortinet.com    For customers in the United States, Canada, Mexico, Latin America and South America.
apac_support@fortinet.com    For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
eu_support@fortinet.com      For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.


When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem

FortiGate CLI Reference Guide Version 2.50

Using the CLI


This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can
use CLI commands to view all system information and to change all system configuration settings.
This chapter describes:
• Access levels
• Connecting to the CLI
• CLI basics
• diagnose commands
• Changing the FortiGate firmware

Access levels
There are three administration account access levels:

admin         Has all permissions. Can view, add, edit, and delete administrator accounts. Can view and
              change the FortiGate configuration. The admin user is the only user who can use execute
              commands and can manually update FortiGate firmware, update the antivirus definitions, update
              the attack definitions, download or upload system settings, restore the FortiGate to factory
              defaults, restart the FortiGate, and shut down the FortiGate. There is only one admin level user.
Read & Write  Can view and change the FortiGate configuration. Can view but cannot add, edit, or delete
              administrator accounts. Can change their own administrator account password. Administrators
              with read and write access can use diagnose, get, set, and unset commands.
Read Only     Can view the FortiGate configuration. Administrators with read only access can use get
              commands to view the FortiGate configuration.

Connecting to the CLI


There are three methods to connect to the FortiGate CLI:
• Connecting to the FortiGate console
• Connecting to the FortiGate CLI using SSH
• Connecting to the FortiGate CLI using telnet


Connecting to the FortiGate console


You require:
• A computer with an available communications port,
• A null modem cable with a 9-pin connector to connect to the FortiGate console port (RS-232 serial
connection) and to a communications port on your computer,
• Terminal emulation software such as HyperTerminal for Windows.

Note: The following procedure describes how to connect to the FortiGate CLI using Windows HyperTerminal
software. You can use any terminal emulation program.

To connect to the CLI:


1 Connect the null modem cable to the FortiGate console port and to the available communications port
on your computer.
2 Make sure the FortiGate is powered on.
3 Start HyperTerminal, enter a name for the connection, select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you
have connected the null-modem cable.
5 Select OK.
6 Select the following port settings and select OK.
Bits per second    9600 (115200 for the FortiGate-300)
Data bits          8
Parity             None
Stop bits          1
Flow control       None

7 Press Enter to connect to the FortiGate CLI.


A prompt similar to the following appears (shown for the FortiGate-300):
FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter.
The following prompt appears:
Type ? for a list of commands.


Connecting to the FortiGate CLI using SSH


Secure Shell (SSH) provides strong secure authentication and secure communications to the
FortiGate CLI from your internal network or the Internet. Once the FortiGate is configured to accept
SSH connections, you can run an SSH client on your management computer and use this client to
connect to the FortiGate CLI.

Accepting SSH connections


To configure the FortiGate to accept SSH connections you must set management access to SSH for
the FortiGate interface to which you connect with your management computer. To use the web-based
manager to configure FortiGate interfaces for SSH management, see the FortiGate Installation and
Configuration Guide.
The following procedure describes how to use the CLI to configure a FortiGate interface to accept SSH
connections.
1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.
2 Use the following command to configure an interface to accept SSH connections:
set system interface <intf_str> config allowaccess ssh
Where <intf_str> is the name of the FortiGate interface to be configured to accept SSH
connections.
For example, to configure the internal interface to accept SSH connections, enter:
set system interface internal config allowaccess ssh

Note: For a list of available interfaces, enter set system interface followed by a space and a ?.

3 To confirm that you have configured SSH access correctly, enter the following command to view the
access settings for the interface:
get system interface
The CLI displays the interface settings including the management access settings for all interfaces.

Connecting to the CLI using SSH

Note: The FortiGate supports the following encryption algorithms for SSH access: 3DES and Blowfish.

To connect to the CLI using SSH, you must install an SSH client. Then:
1 Start the SSH client and connect to a FortiGate interface that is configured for SSH connections.
For example, if you are running the SSH client on the internal network, connect to the IP address of the
FortiGate internal interface.
2 Type a valid administrator name and press Enter.
3 Type the password for this administrator and press Enter.
The following prompt appears:
Type ? for a list of commands.
You have connected to the FortiGate CLI, and you can enter CLI commands.


Connecting to the FortiGate CLI using telnet


You can use telnet to connect to the FortiGate CLI from your internal network or the Internet. Once the
FortiGate is configured to accept telnet connections, you can run a telnet client on your management
computer and use this client to connect to the FortiGate CLI.

Accepting telnet connections


To configure the FortiGate to accept telnet connections you must set management access to telnet for
the FortiGate interface to which you connect with your management computer. To use the web-based
manager to configure FortiGate interfaces for telnet management, see the FortiGate Installation and
Configuration Guide.
The following procedure describes how to use the CLI to configure a FortiGate interface to accept
telnet connections.
1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.
2 Use the following command to configure an interface to accept telnet connections:
set system interface <intf_str> config allowaccess telnet
Where <intf_str> is the name of the FortiGate interface to be configured to accept telnet
connections.
For example, to configure the internal interface to accept telnet connections, enter:
set system interface internal config allowaccess telnet

Note: For a list of available interfaces, enter set system interface followed by a space and a ?.

3 To confirm that you have configured telnet access correctly, enter the following command to view the
access settings for the interface:
get system interface
The CLI displays the interface settings including the management access settings for all interfaces.

Connecting to the CLI using telnet


To connect to the CLI using telnet, you must install a telnet client. Then:
1 Start the telnet client and connect to a FortiGate interface that is configured for telnet connections.
For example, if you are running the telnet client on the internal network, connect to the IP address of
the FortiGate internal interface.
2 Type a valid administrator name and press Enter.
3 Type the password for this administrator and press Enter.
The following prompt appears:
Type ? for a list of commands.
You have connected to the FortiGate CLI, and you can enter CLI commands.


CLI basics
This section describes entering commands using the FortiGate CLI.
• CLI command structure
• Navigating command branches
• Recalling commands
• Editing commands
• Using command shortcuts
• Using command help
• Displaying the FortiGate configuration
• Changing the configuration by editing the configuration file
• Controlling the behavior of the command line console

CLI command structure


Most FortiGate CLI commands consist of the following parts:

Command type      diagnose, execute, exit, get, set, unset
Command branch    Each command type has multiple branches. For example, the set command includes the
                  alertemail, antivirus, console, emailfilter, firewall, log, nids, system, user,
                  vpn, and webfilter branches.
Command keywords  Most command branches include one or more command keywords that specify the action of the
                  command. Each command keyword must be followed by a keyword value. For example:
                  set system autoupdate schedule enable
                  schedule is the keyword and enable is the keyword value.

Navigating command branches


Many CLI commands require you to enter multiple parameters. You can move down the command
branch to where you can enter keywords and variables without retyping the complete command. You
can move back up the command branches one step at a time or return to the top level prompt in one
step.

Moving down a command branch


Using the command branch to configure firewall settings as an example, you can enter a full
command, or you can type the following and press Enter:
# set firewall
The command prompt changes to:
(set-fw)#
You have moved down the set branch to set firewall. You can now configure firewall settings.

Moving up a command branch


Type exit and press Enter to move one level higher in the command branch.
For example, from the (set-fw)# prompt, type exit and press Enter. The prompt changes to
(set)#. You can now access the other branches of the set command. You can also continue moving
up the set command branch by typing exit and pressing Enter.


Returning to the top level command prompt


To return to the top level command prompt from a command branch prompt, press CTRL+C.
For most commands you do not need to return to the top level prompt to enter them. If you do not
return to the top level prompt, you must enter the entire command path, starting with set, get and so
on to run the command.

Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to cycle through
commands you have entered. From lower level prompts within a branch of the command tree, the Up
and Down arrow keys will only recall commands from within that command branch.

Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can
also use the Backspace and Delete keys and the control keys listed in Table 1 to edit the command.

Table 1: Control keys for editing commands

Function Key combination


Beginning of line CTRL+A
End of line CTRL+E
Back one character CTRL+B
Forward one character CTRL+F
Delete current character CTRL+D
Previous command CTRL+P
Next command CTRL+N
Cancel command and return to # prompt CTRL+C
Return to top level command prompt CTRL+C

Using command shortcuts


You can abbreviate commands and command options to the smallest number of non-ambiguous
characters. For example, the command get system status can be abbreviated to g sy st.
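The prefix-matching rule above, worked through in Python as an added example (this is not Fortinet's code). The command tree is a small constructed subset built from the command types and set branches named in this chapter; the exact FortiOS tree and what the real CLI does with an ambiguous prefix are assumptions.

```python
"""Resolve abbreviated FortiGate-style CLI commands (added example).

The CLI accepts the shortest unambiguous prefix of each word, so
"g sy st" expands to "get system status". Everything below is a
constructed model of that rule, not the FortiOS implementation.
"""

# Constructed command tree: command type -> branches -> keywords.
# Only a subset of what this guide names; deeper levels are left empty.
COMMAND_TREE = {
    "diagnose": {},
    "execute": {
        "backup": {"config": {}, "nidsuserdefsig": {}},
        "restore": {"config": {}, "image": {}, "nidsuserdefsig": {}},
        "ping": {},
        "reboot": {},
        "updatecenter": {"updatenow": {}},
    },
    "exit": {},
    "get": {"config": {}, "system": {"status": {}, "interface": {}}},
    "set": {
        name: {}
        for name in (
            "alertemail", "antivirus", "console", "emailfilter", "firewall",
            "log", "nids", "system", "user", "vpn", "webfilter",
        )
    },
    "unset": {},
}


class AmbiguousCommand(ValueError):
    """The prefix matches more than one word at this level (assumed behaviour)."""


class UnknownCommand(ValueError):
    """The prefix matches nothing at this level."""


def expand_word(word, candidates):
    """Return the unique candidate that starts with `word`.

    An exact match always wins, so a full word is never reported as
    ambiguous just because it is also a prefix of a longer word.
    """
    if word in candidates:
        return word
    matches = sorted(c for c in candidates if c.startswith(word))
    if not matches:
        raise UnknownCommand(f"unknown command word: {word!r}")
    if len(matches) > 1:
        raise AmbiguousCommand(f"{word!r} is ambiguous: {', '.join(matches)}")
    return matches[0]


def expand_command(line):
    """Expand every abbreviated word of `line` against COMMAND_TREE.

    Words past the modelled tree (keyword values, interface names,
    file names, IP addresses) are passed through unchanged.
    """
    node = COMMAND_TREE
    out = []
    for word in line.split():
        if node:  # still inside the modelled tree
            full = expand_word(word, node)
            out.append(full)
            node = node[full]
        else:
            out.append(word)
    return " ".join(out)


def is_ambiguous(line):
    """True when some word of `line` cannot be resolved to a single command word."""
    try:
        expand_command(line)
    except AmbiguousCommand:
        return True
    return False


def shortest_abbreviation(word, candidates):
    """Shortest prefix of `word` that is unambiguous among `candidates`."""
    for n in range(1, len(word) + 1):
        prefix = word[:n]
        if sum(1 for c in candidates if c.startswith(prefix)) == 1:
            return prefix
    return word


if __name__ == "__main__":
    print(expand_command("g sy st"))          # get system status
    print(shortest_abbreviation("execute", COMMAND_TREE))  # exe
    print(is_ambiguous("e"))                   # True: execute or exit
```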

Using command help


You can press the tab key or the question mark (?) key to display command help.
• Press the tab key or the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
• Type a command followed by a space and press the tab key or the question mark (?) key to display
a list of the options available for that command and a description of each option.
• Type a command followed by an option and press the tab key or the question mark (?) key to
display a list of additional options available for that command option combination and a description
of each option.


Displaying the FortiGate configuration


As you configure your FortiGate all of the changes you make to the configuration are saved in a
configuration file. The changes are saved in the CLI command format.
You can use the get config command to view the configuration file. You can use the get config
<keyword_str> command to view only those lines in the configuration file that contain the specified
keyword. For example entering:
get config option
returns the current configuration for the set system option command. For example:
set system option admintimeout 50
set system option language ENGLISH
set system option authtimeout 15
set system option interval 5 failtime 5
set system option lcdpin 123456
set system option lcdprotection disable
You can use the execute backup config command to backup your configuration by copying the
configuration file to a TFTP server.
You can use the execute restore config command to restore your configuration by copying a
configuration file from a TFTP server to your FortiGate.
You can also use these commands to transfer a configuration from one FortiGate to another as long as
both FortiGates are the same model and are running the same firmware version.
For more information, see “get config” on page 176, “execute backup” on page 224, and “execute
restore” on page 233.

Changing the configuration by editing the configuration file


You can change the FortiGate configuration by copying the configuration file to a TFTP server. Then
you can make changes to the file and copy it back to the FortiGate unit.
1 Use the execute backup config command to copy the configuration file to a TFTP server.
2 Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all the system commands
are grouped together, all the antivirus commands are grouped together and so on. You can edit the
configuration by adding, changing or deleting the CLI commands in the configuration file.
The first line of the configuration file contains information about the firmware version and FortiGate
model. Do not edit this line. If this information is changed your FortiGate will reject the configuration file
when you attempt to restore it.
3 Use the execute restore config command to copy the edited configuration file back to the
FortiGate.
The FortiGate receives the configuration file and checks to make sure the firmware version and model
information is correct. If it is, the configuration file is loaded and each command is checked for errors.
If the FortiGate finds an error, an error message is displayed after the command and the command is
rejected. Then the FortiGate restarts and loads the new configuration.
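An added Python helper (not Fortinet's code) for the edit step above, which also serves the SSH and telnet allowaccess procedures earlier in this chapter: it filters a backed-up configuration the way get config <keyword> does, reports interfaces on which cleartext telnet management is allowed, and rewrites those lines to SSH while leaving the first line untouched. It assumes the backup is plain text with one CLI command per line, that the first line is the version/model header, and that several access types may follow allowaccess (the guide shows only one); the sample file and its header are constructed.

```python
"""Audit and edit a backed-up FortiGate configuration file (added example).

Assumptions not taken from the guide: one CLI command per line, the
first line is the firmware version/model header that must not be
changed, and "allowaccess" may be followed by a space-separated list
of access types. Sample data below is constructed.
"""
import re

# Constructed sample backup. The first line is a placeholder for the
# real version/model header, whose exact format the guide does not show.
SAMPLE_CONFIG = """\
#PLACEHOLDER-HEADER firmware version and model (do not edit)
set system option admintimeout 50
set system option language ENGLISH
set system option authtimeout 15
set system interface internal config allowaccess telnet
set system interface external config allowaccess ssh
set system interface dmz config allowaccess ping telnet
"""

ALLOWACCESS_RE = re.compile(
    r"^set system interface (?P<intf>\S+) config allowaccess (?P<types>.+)$"
)


def grep_config(text, keyword):
    """Emulate `get config <keyword>`: return the lines containing keyword."""
    return [line for line in text.splitlines() if keyword in line]


def telnet_interfaces(text):
    """Names of interfaces whose management access includes cleartext telnet."""
    found = []
    for line in text.splitlines():
        m = ALLOWACCESS_RE.match(line.strip())
        if m and "telnet" in m.group("types").split():
            found.append(m.group("intf"))
    return found


def replace_telnet_with_ssh(text):
    """Return an edited copy with telnet management access swapped for SSH.

    The header (first line) is copied through unchanged: the FortiGate
    rejects a restore whose version/model line has been altered.
    """
    header, *body = text.splitlines()
    edited = [header]
    for line in body:
        m = ALLOWACCESS_RE.match(line.strip())
        if m:
            types = m.group("types").split()
            if "telnet" in types:
                types = [t for t in types if t != "telnet"]
                if "ssh" not in types:
                    types.append("ssh")
                line = (f"set system interface {m.group('intf')} "
                        f"config allowaccess {' '.join(types)}")
        edited.append(line)
    return "\n".join(edited) + "\n"


def header_unchanged(original, edited):
    """Pre-restore check: the first line must be identical to the backup's."""
    return original.splitlines()[0] == edited.splitlines()[0]


if __name__ == "__main__":
    print("\n".join(grep_config(SAMPLE_CONFIG, "option")))
    print("telnet allowed on:", telnet_interfaces(SAMPLE_CONFIG))
    new_cfg = replace_telnet_with_ssh(SAMPLE_CONFIG)
    print("header intact:", header_unchanged(SAMPLE_CONFIG, new_cfg))
    print(new_cfg)
```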


Controlling the behavior of the command line console


Using the set console command you can specify the page setting of the command line console and
the mode in which it operates. The page setting determines the number of lines that appear on each
page of output. You can use the command set console line 30 to specify that the console page
is 30 lines long. This means that commands that display multiple lines of output, display 30 lines at a
time. The default line setting is 25 lines.
The command line console mode determines when commands are written to EEPROM. The console
can operate in batch or line mode. Line mode is the default mode. In line mode, when you enter a set
command it is immediately executed and written to EEPROM and to the FortiGate configuration file.
In batch mode when you enter a set command it is immediately executed. But the command is not
written to EEPROM and the FortiGate configuration until you enter the execute save config
command. The execute save command is only available when the console is set to batch mode.
Using the set console baudrate command you can change the console connection baud rate.

Note: The set console baudrate command is available for FortiGate units with BIOS 3.03 and higher and
FortiOS version 2.50 and higher.

Caution: If downgrading from FortiOS version 2.50 to FortiOS version 2.36 or lower you must reset the baud rate
to the default baud rate for the FortiGate model (115200 for the FortiGate-300 and 9600 for all other models).

For more information, see “set console” on page 41.

diagnose commands
Diagnose commands display information that can be used for debugging the operation of the FortiGate
unit. You can also use diagnose commands to set parameters for displaying different levels of
diagnostic information.

Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before
using these commands.


Changing the FortiGate firmware


After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in
Table 2 to install the firmware image on your FortiGate unit.

Table 2: Firmware upgrade procedures

Procedure                                              Description
Upgrade to a new firmware version                      The most commonly-used CLI procedure for upgrading to a new
                                                       FortiOS firmware version or to a more recent build of the same
                                                       firmware version.
Revert to a previous firmware version using the CLI    Use this procedure from the CLI to revert to a previous firmware
                                                       version. This procedure reverts the FortiGate unit to its factory
                                                       default configuration.
Install a firmware image from a system reboot          Use this procedure to install a new firmware version or revert to a
                                                       previous firmware version. You must run this procedure by
                                                       connecting to the CLI using the FortiGate console port and a
                                                       null-modem cable. This procedure reverts your FortiGate unit to its
                                                       factory default configuration.
Test a new firmware image before installing it         Use this procedure to test a new firmware image before installing
                                                       it. You must run this procedure by connecting to the CLI using the
                                                       FortiGate console port and a null-modem cable. This procedure
                                                       temporarily installs a new firmware image using your current
                                                       configuration. You can test the firmware image before installing it
                                                       permanently. If the firmware image works correctly you can use
                                                       one of the other procedures listed in this table to install it
                                                       permanently.
Installing and using a backup firmware image           If the FortiGate unit is running BIOS version v3.x, you can install a
                                                       backup firmware image. Once the backup firmware image is
                                                       installed you can switch to this backup image when required.
                                                       Installing a backup firmware image is not available for the
                                                       FortiGate-50 and 60.

Upgrade to a new firmware version


Use the following procedure to upgrade the FortiGate to a newer firmware version. You cannot use this
procedure to re-install the current firmware or to revert to an older version of the firmware. If you need
to re-install the current firmware or revert to an older firmware version, see “Revert to a previous
firmware version using the CLI” on page 22.
To use the following procedure you must have a TFTP server that you can connect to from the
FortiGate unit.

Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the
firmware release that you are installing. When you have installed new firmware, use the command execute
updatecenter updatenow to update the antivirus and attack definitions.

To upgrade the FortiGate firmware from the CLI:


1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of your TFTP server.
3 Log into the CLI as the admin administrative user.


4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the
TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the
IP address of the TFTP server. For example, if the firmware image file name is
FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is
192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and
restarts. This process takes a few minutes.
6 Reconnect to the CLI.
7 To confirm that the new firmware image has been loaded, enter:
get system status
8 To update the antivirus and attack definitions to the most recent version, enter:
execute updatecenter updatenow
9 To confirm that the antivirus and attack definitions have been updated, enter the following command to
display the current firmware version as well as the current antivirus and attack definition versions.
get system status

Revert to a previous firmware version using the CLI


This procedure reverts the FortiGate unit to its factory default configuration and deletes NIDS
user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before using this procedure you can:
• Backup the FortiGate unit configuration using the command execute backup config.
• Backup the NIDS user defined signatures using the command execute backup
nidsuserdefsig
• Backup web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS
v2.36) you may not be able to restore your previous configuration from the backup configuration file.
To use the following procedure you must have a TFTP server that you can connect to from the
FortiGate unit.
1 Make sure that the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Login to the FortiGate CLI as the admin administrative user.
4 Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the
TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168


5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the
IP address of the TFTP server. For example, if the firmware image file name is
FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is
192.168.1.168, enter:
execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168
The FortiGate unit uploads the firmware image file. Once the file has been uploaded a message similar
to the following is displayed:
Get image from tftp server OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
6 Type Y.
7 The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and
restarts. This process takes a few minutes.
8 Reconnect to the CLI.
See “Connecting to the CLI” on page 13.
9 To confirm that the older version of the firmware image has been loaded, enter:
get system status
10 Restore your previous configuration. Use the following command:
execute restore config
11 To update the antivirus engine and the virus and attack definitions to the most recent version, enter:
execute updatecenter updatenow
12 To confirm that the antivirus engine and the virus and attack definitions have been updated, enter the
following command to display the current firmware version as well as the current antivirus and attack
definition versions.
get system status

Install a firmware image from a system reboot


This procedure installs a specified firmware image and resets the FortiGate unit to default settings.
You can use this procedure to upgrade to a new firmware version, revert to an older firmware version,
or to re-install the current firmware.

Note: There are a few variations on this procedure for different FortiGate BIOS versions. These variations are
explained in the procedure steps that are affected. The version of the BIOS running on your FortiGate unit is
displayed when you restart the FortiGate unit while accessing the CLI by connecting to the FortiGate console port
using a null-modem cable.

To use this procedure you:


• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate interface required by your model
(see Table 3).


Table 3: The interface that must connect to the TFTP server for each FortiGate model

FortiGate model    Interface that connects to TFTP server
FortiGate-50       Internal interface
FortiGate-60       Internal interface
FortiGate-100      Internal interface
FortiGate-200      Internal interface
FortiGate-300      Internal interface
FortiGate-400      Interface 1
FortiGate-500      Internal interface
FortiGate-1000     Interface 3
FortiGate-2000     Interface 3
FortiGate-3000     Interface 1
FortiGate-3600     Interface 1

This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS
user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.
Before running this procedure you can:
• Backup the FortiGate unit configuration using the command execute backup config.
• Backup the NIDS user defined signatures using the command execute backup nidsuserdefsig
• Backup web content and email filtering lists, see the FortiGate Content Protection Guide.
If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS
v2.36) you may not be able to restore your previous configuration from the backup configuration file.

Note: Installing firmware replaces your current antivirus engine and virus and attack definitions with those
included with the firmware release that you are installing. When you have installed new firmware, use the
command execute updatecenter updatenow to update the antivirus engine and virus and attack definitions.

To install firmware from a system reboot


1 Connect to the CLI using the null modem cable and FortiGate console port.
See “Connecting to the FortiGate console” on page 14.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure the required interface of the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the
TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168


5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed.
When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit
reboots and you must log in and repeat the execute reboot command.

When you successfully interrupt the startup process, one of the following messages appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 8.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the current address of the interface of the FortiGate unit that must connect to the TFTP server
(see Table 3) and press Enter.

Note: The local IP address is only used to download the firmware image. After the firmware is installed the address
of this interface is changed back to the default IP address for this interface.

The following message appears:
Enter File Name [image.out]:


10 Enter the firmware image file name and press Enter.


The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the
following appear.
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type Y.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
Type D.
The FortiGate unit installs the new firmware image and restarts. The installation takes a few minutes to
complete.

Restoring your previous configuration


1 If required, change the IP address of the interface you configured so that it can connect to your network.
You can do this from the CLI using the set system interface command.
2 To restore your FortiGate unit configuration by uploading the saved configuration file, use the
command execute restore config. To restore NIDS user defined signatures, use the command
execute restore nidsuserdefsig. To restore web content and email filtering lists, see the
FortiGate Content Protection Guide.
If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to
FortiOS v2.36) you may not be able to restore your previous configuration from the backup
configuration file.
3 To update the antivirus engine and virus and attack definitions to the most recent version, use the
following command.
execute updatecenter updatenow

Note: To update the virus and attack definitions you must add DNS server IP addresses using set system dns.

4 To confirm that the antivirus engine and virus and attack definitions have been updated, enter:
get system status

Test a new firmware image before installing it


You can test a new firmware image by installing the firmware image from a system reboot and saving
it to system memory. After completing this procedure the FortiGate unit operates using the new
firmware image with the current configuration. This new firmware image is not permanently installed.
The next time the FortiGate unit restarts it will be operating with the originally installed firmware image
using the current configuration. If the new firmware image operates successfully, you can install it
permanently using the procedure “Upgrade to a new firmware version” on page 21.
To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate interface required by your model
(see Table 3).


To test a new firmware image:


1 Connect to the CLI using a null modem cable and FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure the required interface of the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the
TFTP server's IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, press any key to interrupt the system startup.
As the FortiGate unit starts, a series of system startup messages are displayed.
When one of the following messages appears:
• FortiGate unit running v2.x BIOS
Press Any Key To Download Boot Image.
...
• FortiGate unit running v3.x BIOS
Press any key to enter configuration menu.....
......
7 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit
reboots and you must log in and repeat the execute reboot command.

When you successfully interrupt the startup process, one of the following messages appears:
• FortiGate unit running v2.x BIOS
Enter TFTP Server Address [192.168.1.168]:
Go to step 9.
• FortiGate unit running v3.x BIOS
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,Q,or H:
8 Type G to get the new firmware image from the TFTP server.
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the current address of the interface of the FortiGate unit that must connect to the TFTP server
(see Table 3) and press Enter.


Note: The local IP address is only used to download the firmware image. After the firmware is installed the address
of this interface is changed back to the default IP address for this interface.

The following message appears:


Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the
following appear.
• FortiGate unit running v2.x BIOS
Do You Want To Save The Image? [Y/n]
Type N.
• FortiGate unit running v3.x BIOS
Save as Default firmware/Run image without saving:[D/R]
Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts running the new
firmware image but with its current configuration.
12 You can login to the CLI or the web-based manager using any administrative account.
13 To confirm that the new firmware image has been loaded, from the CLI enter:
get system status
You can test the new firmware image as required.

Installing and using a backup firmware image


If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the
backup firmware image is installed you can switch to this backup image when required.

Note: Installing a backup firmware image is not available for the FortiGate-50 and 60.

This section describes:


• Installing a backup firmware image
• Switching to the backup firmware image
• Switching back to the default firmware image

Installing a backup firmware image


To run this procedure you:
• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate interface required by the FortiGate
model (see Table 3).
To install a backup firmware image:
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Make sure that the TFTP server is running.


3 Copy the new firmware image file to the root directory of the TFTP server.
4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping
the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed.
When the following message is displayed:
Press any key to enter configuration menu.....
......
6 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit
reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages are displayed:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
7 Type G to get the new firmware image from the TFTP server.
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the address of the interface of the FortiGate unit that can connect to the TFTP server and press
Enter.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the
following appear.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
11 Type B.
The FortiGate unit saves the backup firmware image and restarts. When the FortiGate unit restarts it is
running the previously installed firmware version.
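Step 3 of both the "Test a new firmware image" and "Installing a backup firmware image" procedures copies the firmware image into the root directory of the TFTP server, and TFTP itself gives no assurance that the file the FortiGate unit downloads is the file you intended. The following Python script is an added example, not Fortinet tooling and not part of this guide: it copies an image into the TFTP root under the default file name image.out only when the image's SHA-256 digest matches a value the operator obtained from a trusted source. The digest, file name and TFTP directory used in demo() are placeholders and assumptions, and the image file it writes is a constructed dummy, not real firmware.

```python
"""Stage a firmware image into a TFTP root only after verifying its SHA-256.

Added example (not Fortinet code). The expected digest must come from a
trusted source; the names used in demo() are constructed placeholders.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_firmware(image_path: str, expected_sha256: str, tftp_root: str,
                   target_name: str = "image.out") -> bool:
    """Copy image_path into tftp_root as target_name if the digest matches.

    Returns True when the image was verified and copied, False otherwise.
    On a mismatch nothing is created or written under tftp_root, so the
    TFTP server never serves an unverified image.
    """
    actual = sha256_of_file(image_path)
    if actual.lower() != expected_sha256.strip().lower():
        return False
    os.makedirs(tftp_root, exist_ok=True)
    shutil.copyfile(image_path, os.path.join(tftp_root, target_name))
    return True


def demo() -> dict:
    """Run the check on a constructed dummy image in a temporary directory."""
    workdir = tempfile.mkdtemp()
    try:
        image = os.path.join(workdir, "FGT_image.out")  # constructed sample
        with open(image, "wb") as fh:
            fh.write(b"constructed dummy image, not real firmware\n")
        good_digest = sha256_of_file(image)   # stands in for the trusted value
        wrong_digest = "0" * 64               # placeholder that cannot match
        good_root = os.path.join(workdir, "tftpboot")
        bad_root = os.path.join(workdir, "tftpboot-rejected")
        staged = stage_firmware(image, good_digest, good_root)
        rejected = stage_firmware(image, wrong_digest, bad_root)
        return {
            "staged": staged,
            "copied": os.path.isfile(os.path.join(good_root, "image.out")),
            "rejected": rejected,
            "nothing_written": not os.path.exists(bad_root),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In real use, call stage_firmware() with the path of the downloaded image, the digest from your trusted source and your TFTP server's root directory before starting the reboot in step 5; if it returns False, do not proceed with the procedure.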

Switching to the backup firmware image


Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you
have previously installed. When you switch the FortiGate unit to the backup firmware image, the
FortiGate unit operates using the configuration that was saved with that firmware image.


If you install a new backup image from a reboot the configuration saved with this firmware image is the
factory default configuration. If you use the procedure “Switching back to the default firmware image”
on page 30 to switch to a backup firmware image that was previously running as the default firmware
image, the configuration saved with this firmware image is restored.
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed.
When the following message is displayed:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit
reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages are displayed:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is
running the backup firmware version and the configuration is set to factory default.

Switching back to the default firmware image


Use this procedure to switch the FortiGate unit to operating with the backup firmware image that had
been running as the default firmware image. When you switch to this backup firmware image, the
configuration saved with this firmware image is restored.
1 Connect to the CLI using the null modem cable and FortiGate console port.
2 Enter the following command to restart the FortiGate unit:
execute reboot
As the FortiGate unit starts, a series of system startup messages are displayed.
When the following message is displayed:
Press any key to enter configuration menu.....
......
3 Immediately press any key to interrupt the system startup.


Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit
reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages are displayed:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:
4 Type B to load the backup firmware image.
The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is
running the backup firmware version with a restored configuration.

FortiGate CLI Reference Guide Version 2.50

set commands
Use the commands in this chapter to configure the functionality of the FortiGate Antivirus Firewall.

• set alertemail configuration
• set alertemail setting
• set antivirus filepattern
• set antivirus quarantine
• set antivirus service
• set console
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter config
• set emailfilter exemptlist
• set firewall address
• set firewall addrgrp
• set firewall dnstranslation
• set firewall ipmacbinding setting
• set firewall ipmacbinding table
• set firewall ippool
• set firewall onetimeschedule
• set firewall policy
• set firewall profile
• set firewall recurringschedule
• set firewall service custom
• set firewall service group
• set firewall vip
• set log policy
• set log setting
• set log trafficfilter rule
• set log trafficfilter setting
• set nids detection
• set nids prevention
• set nids rule
• set system admin
• set system autoupdate
• set system brctl
• set system dhcpserver
• set system dns
• set system ha
• set system hostname
• set system interface
• set system mainregpage
• set system management
• set system opmode
• set system option
• set system route number
• set system route policy
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor
• set system route rip timers
• set system session_ttl
• set system snmp
• set system time
• set system vlan
• set system zone
• set user group
• set user ldap
• set user local
• set user radius
• set vpn ipsec concentrator
• set vpn ipsec manualkey
• set vpn ipsec phase1
• set vpn ipsec phase2
• set vpn l2tp
• set vpn pptp
• set webfilter cerberian
• set webfilter content
• set webfilter exempturl
• set webfilter script
• set webfilter url


set alertemail configuration


Use this command to configure the FortiGate unit to send alert email to up to three email addresses.
You can enable sending alert email for virus incidents, intrusions, and critical firewall or VPN events or
violations. If you have configured logging to a local disk, you can enable sending an alert email when
the hard disk is almost full.
Note: Because the FortiGate uses the SMTP server name to connect to the mail server, it must be able to look up
this name on your DNS server. See “set system dns” on page 84.

Syntax description
auth {enable | disable}
    Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP
    server.
    Default: disable. Availability: All models.
mailto {<email1_str> [<email2_str> [<email3_str>]] | none}
    Enter up to three destination email addresses, or none to clear all the addresses. These are the
    actual email addresses to which the FortiGate sends alert email.
    No default. Availability: All models.
passwd <password_str>
    Enter the password that the FortiGate unit needs to access the SMTP server.
    No default. Availability: All models.
server <smtp-server_str>
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should
    send email. The SMTP server can be located on any network connected to the FortiGate unit.
    No default. Availability: All models.
user <smtp-user_str>
    Enter a valid email address in the format user@domain.com. This address appears in the From header
    of the alert email.
    No default. Availability: All models.

Examples
Use the following command to configure the FortiGate unit to send alert email with the following
settings:
• SMTP server: smtp.ourcompany.com
• SMTP user: fortigate@ourcompany.com
• SMTP authentication: enable
• SMTP user password: secret
• First email: admin@ourcompany.com
• Second email: admin2@ourcompany.com
set alertemail configuration server smtp.ourcompany.com user
fortigate@ourcompany.com auth enable passwd secret mailto
admin@ourcompany.com admin2@ourcompany.com
Use the following command to change the SMTP user password to bettersecret and to add the
administrator email address vpadmin@ourcompany.com:
set alertemail configuration passwd bettersecret mailto
admin@ourcompany.com admin2@ourcompany.com vpadmin@ourcompany.com
Related commands
• get alertemail configuration
• set alertemail setting
• set system dns
• get system dns


set alertemail setting


Use this command to enable sending alert email for virus incidents, intrusions, and critical firewall or
VPN events or violations. If you have configured logging to a local disk, you can enable sending an
alert email when the hard disk is almost full.

Syntax description
option {virusincidents | blockincidents | intrusions | critical | diskfull | none}
    virusincidents: send alert email when antivirus scanning detects a virus.
    blockincidents: send alert email when the FortiGate unit blocks files, URLs, or emails.
    intrusions: send alert email to notify the system administrator of attacks detected by the NIDS.
    critical: send alert email when a critical firewall or VPN event occurs.
    • Critical firewall events include failed authentication attempts.
    • Critical VPN events include when replay detection detects a replay packet. Replay detection can be
      configured for both manual key and AutoIKE Key VPN tunnels.
    diskfull: send an alert email when the hard disk is almost full. Available only for models with a hard
    disk and logging to local disk enabled.
    none: clear all settings.
    No default. Availability: All models.

Examples
Use the following command to enable sending alert email for virus incidents and for attacks:
set alertemail setting virusincidents intrusions
Use the following command to disable sending alert email for all categories:
set alertemail setting none

Related commands
• get alertemail setting
• set alertemail configuration


set antivirus filepattern


Use this command to add or delete the file patterns used for virus blocking.

Syntax description
add <fp_str> {enableall | disableall}
    Add a file pattern to the list of file patterns to block, and enable or disable it for all services. You
    can use the asterisk (*) to represent any characters.
    No default. Availability: All models.
delete <fp_integer>
    The number of a file pattern to delete from the file pattern list. Use the command get antivirus
    filepattern for a numbered list of file patterns.
    No default. Availability: All models.

Examples
Use the following command to add the file pattern *.flw to the list of file patterns to block, and to
enable this file pattern for all services.
set antivirus filepattern add *.flw enableall
Use the following command to delete file pattern 5.
set antivirus filepattern delete 5

Related commands
• get antivirus filepattern
• set antivirus service
• set firewall profile


set antivirus quarantine


Use this command to set file quarantine options.
FortiGate units with hard disks can be configured to quarantine blocked or infected files. The
quarantined files are removed from the content stream and stored on the FortiGate hard disk. Users
receive a message informing them that the removed files have been quarantined.

Syntax description
agelimit <hours_integer>
    Specify how long files are left in quarantine. The maximum number of hours is 479. The FortiGate unit
    automatically deletes a file when the TTL (time to live) reaches 00:00. Enter 0 to keep files
    indefinitely.
    Default: 0. Availability: FortiGate models numbered 200 and higher.
deletefile <all | checksum_hex>
    Delete a quarantined file from the hard disk. The file is identified by the checksum that was
    calculated for the file when it was put into quarantine. Use the command get antivirus quarantine
    list for a list of quarantined files including the checksum for each file.
    No default. Availability: FortiGate models numbered 200 and higher.
download <checksum_hex>
    Download a quarantined file from the FortiGate unit. The file is identified by the checksum that was
    calculated for the file when it was put into quarantine. Use the command get antivirus quarantine
    list for a list of quarantined files including the checksum for each file.
    No default. Availability: FortiGate models numbered 200 and higher.
lowspace <drop_new | ovwr_old>
    Select the method for handling additional files when the FortiGate hard disk is running out of space.
    Select ovwr_old to drop the oldest file (lowest TTL), or drop_new to drop new quarantine files.
    Default: ovwr_old. Availability: FortiGate models numbered 200 and higher.
maxfilesize <filesize_integer>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined
    files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The
    file size range is 1-499 MB. Enter 0 for unlimited file size.
    Default: 0. Availability: FortiGate models numbered 200 and higher.
service {http | ftp | pop3 | imap | smtp}
    Select the service for which you want to quarantine infected or blocked files. You can select http,
    ftp, pop3, imap or smtp to quarantine infected files. You can select pop3, imap, or smtp to quarantine
    blocked files. You can enable or disable quarantining for one service at a time.
    No default. Availability: FortiGate models numbered 200 and higher.
infected <enable | disable>
    For a chosen service the file can be quarantined if it is found to be infected. Quarantining infected
    files is available for http, ftp, pop3, imap or smtp.
    Default: enable. Availability: FortiGate models numbered 200 and higher (service only).
blocked <enable | disable>
    For a chosen service the file can be quarantined if it is blocked by a filename pattern. Quarantining
    blocked files is available for pop3, imap, or smtp only. HTTP and FTP files are blocked during the
    request; therefore, there is no data to quarantine.
    Default: enable. Availability: FortiGate models numbered 200 and higher (service only).


Examples
Use the following commands to enable quarantining of infected HTTP files and blocked smtp files:
set antivirus quarantine service http infected enable
set antivirus quarantine service smtp blocked enable
Use the following commands to set the TTL of files in the quarantine to 60 and the maximum
quarantine file size to 50:
set antivirus quarantine agelimit 60
set antivirus quarantine maxfilesize 50

Related commands
• set antivirus filepattern
• set antivirus service
• get antivirus filepattern
• get antivirus quarantine list
• get antivirus service
• set firewall profile


set antivirus service


Use this command to configure antivirus protection settings to control how the FortiGate unit applies
antivirus protection to the web, FTP, and email traffic allowed by firewall policies.
You can also use this command to configure antivirus scanning on a non-standard port number or
multiple port numbers for HTTP, SMTP, POP3 and IMAP proxies. You can configure how the FortiGate
unit handles interaction with an SMTP server for delivery of email with infected email file attachments,
and how it handles buffering and uploading of files to an ftp server.

Syntax description
{http | smtp | pop3 | ftp | imap}
    Select a service for which to configure antivirus protection settings.
    No default. Availability: All models.
block {<fp_integer> | all} {enable | disable}
    Enable or disable blocking for the selected service. Blocking deletes files that match enabled file
    patterns. Enter a file pattern number to enable or disable the specified file pattern. Use the command
    get antivirus filepattern for a numbered list of file patterns. Enter all to enable or disable all
    file patterns.
    No default. Availability: All models. All services.
filesizelimit value <MB_integer>
    Enter the oversized file and email limit in Mbytes. Because available memory varies for different
    FortiGate models, use the command set antivirus service {http | smtp | pop3 | ftp | imap}
    filesizelimit value followed by a space and a ? to find the acceptable range in MB for your model.
    You can configure the FortiGate unit to use 1% to 15% of available memory to store oversized files and
    email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing
    antivirus scanning and sending the file or email directly to the server or receiver.
    Default: Varies. Availability: All models. All services.
port {add <port_integer> | delete <port_integer>}
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for HTTP and email
    proxies. You can use ports from the range 1-65535. You can add up to 20 ports. You must re-enter the
    complete command for each port you want to add or delete.
    Use the command get antivirus service <service_str> ports for a list of ports used for antivirus
    scanning for the specified service.
    Default: http 80, smtp 25, pop3 110, imap 143. Availability: All models. HTTP, SMTP, POP3, IMAP
    services.
splice {enable | disable}
    Enable or disable splice for the smtp or ftp services.
    SMTP splice
    Configure how the FortiGate unit handles interaction with an SMTP server for delivery of email with
    infected file attachments.
    When splice is enabled for smtp, the FortiGate unit simultaneously scans an email and sends it to the
    SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an
    error message to the sender, listing the virus name and infected filename. In this mode, the SMTP
    server is not able to deliver the email if it was sent with an infected attachment. Throughput is
    higher when splice is enabled for smtp.
    When splice is disabled for smtp, the FortiGate unit scans the email first. If the FortiGate unit
    detects a virus, it removes the infected attachment, adds a customizable message, and sends the email
    to the SMTP server for delivery.
    Selecting enable for the splice keyword returns an error message to the sender if an attachment is
    infected. The receiver does not receive the email or the attachment.
    Selecting disable for the splice keyword removes an infected attachment and forwards the email
    (without the attachment) to the SMTP server for delivery to the receiver.
    FTP splice
    Configure how the FortiGate unit handles buffering and uploading of files to an ftp server.
    When splice is enabled for ftp, the FortiGate unit simultaneously buffers the file for scanning and
    uploads the file to an ftp server. If a virus is detected, the FortiGate unit stops the upload and
    attempts to delete the partially uploaded file from the FTP server. For deleting the file to work the
    server permissions must be set to allow deletes. Enabling splice for ftp reduces FTP timeouts when
    uploading large files.
    When splice is disabled for ftp, the FortiGate unit buffers the file for scanning before uploading it
    to the FTP server. If the file is clean, the FortiGate unit will allow the upload to continue.
    Default: enable. Availability: All models. SMTP, FTP services.

Examples
Use the following command to enable a block pattern for http.
set antivirus service http block 5 enable
Use the following command to add a port for http traffic.
set antivirus service http port add 8080
Use the following command to disable smtp splicing.
set antivirus service smtp splice disable
Use the following command to set a maximum file size limit for ftp to 8MB.
set antivirus service ftp filesizelimit value 8

Related commands
• get antivirus filepattern
• get antivirus service
• set antivirus filepattern
• set firewall policy


set console
Set the console command mode, the number of lines displayed by the console, and the baud rate.

Note: The set console baudrate command is available for FortiGate units with BIOS 3.03 and higher and
FortiOS version 2.50 and higher.

Caution: If downgrading from FortiOS version 2.50 to FortiOS version 2.36 or lower you must reset the baud rate
to the default baud rate for the FortiGate model (115200 for the FortiGate-300 and 9600 for all other models).

Syntax description
baudrate {9600 | 19200 | 38400 | 57600 | 115200}
    Select a baud rate for the FortiGate unit. The change is effective immediately; therefore, you must
    change the baud rate of the connected terminal to match the new FortiGate console baud rate.
    Default: Varies. Availability: All models. Version 2.5 and higher. BIOS 3.03 and higher.
mode {line | batch}
    Set the console mode to line or batch.
    In line mode commands are immediately executed and written to EEPROM.
    In batch mode commands are executed immediately but are only written to EEPROM when you enter the
    execute save config command. The execute save config command is available only when the console
    is set to batch mode.
    Default: line. Availability: All models.
page {<page_integer> | 0}
    Set the number of lines that appear on each page of command line console output.
    Set this value to 0 to allow output to flow without paging.
    Default: 25. Availability: All models.

Examples
Use the following command to limit console output to 24 lines per page:
set console page 24
Use the following command to change the baud rate to 38400:
set console baudrate 38400

Related commands
• get console
• execute reload
• execute save config


set emailfilter bannedword


Use this command to filter email containing banned words or phrases.
When the FortiGate unit detects email that contains a word or phrase in the banned word list, the
FortiGate unit adds a tag to the subject line of the email and writes a message to the event log.
Receivers can then use their mail client software to filter messages based on the subject tag.
You can add banned words to the list in many languages using Western, Simplified Chinese,
Traditional Chinese, Japanese, or Korean character sets.
Syntax description
add word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
    Add a word or phrase to the banned word list.
    If you enter a single word (for example, banned), the FortiGate unit tags all email containing that
    word.
    If you type a phrase, you must add + between the words (for example, banned+phrase). The FortiGate
    unit tags all email containing both of the words.
    If you type a phrase in quotes, you must also include the + (for example, "banned+word"). The
    FortiGate unit tags all email where the words are found together as a phrase.
    Email filtering is not case-sensitive. You cannot include special characters in banned words.
    language: the language or character set for the banned word or phrase. You can choose 0 for Western,
    1 for Simplified Chinese, 2 for Traditional Chinese, 3 for Japanese, or 4 for Korean.
    state: enable or disable email filtering for this word or phrase.
    No default. Availability: All models.
delete {<word_integer> | all}
    Enter a number to delete the specified word or phrase from the banned word list. Use the command get
    emailfilter bannedword for a numbered list of banned words. Enter all to delete all the words on the
    banned word list.
    No default. Availability: All models.
edit <word_integer> word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
    Edit a word or phrase on the banned word list. Enter a number to edit the specified word or phrase
    from the banned word list. Use the command get emailfilter bannedword for a numbered list of banned
    words.
    You can make changes to any or all of the word or phrase, language or character set, or state.
    No default. Availability: All models.

Examples
Use the following command to add the English phrase bad word to the email filter list and enable the
phrase:
set emailfilter bannedword add word bad+word language 0 state enable

Related commands
• get emailfilter
• set emailfilter blocklist
• set emailfilter config
• set emailfilter exemptlist
• set firewall profile


set emailfilter blocklist


Use this command to add or delete email address block patterns.
You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted
email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern,
the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter
log. Receivers can then use their mail client software to filter messages based on the subject tag.
You can tag email from a specific sender address or from all address subdomains by adding the
top-level domain name. Alternatively, you can tag email sent from individual subdomains by including
the subdomain to block.

Syntax description
add <block-pattern_str> state {enable | disable}
    Add and enable or disable an email address block pattern.
    To tag email from a specific email address, type the email address. For example,
    sender@abccompany.com.
    To tag email from a specific domain, type the domain name. For example, abccompany.com.
    To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
    To tag email from an entire organization category, type the top-level domain name. For example, type
    com to tag emails sent from all organizations that use .com as the top-level domain.
    No default. Availability: All models.
delete {<block-pattern_str> | all}
    Delete the specified email address block pattern or delete the entire list. Use the command get
    emailfilter blocklist for a list of email address block patterns.
    No default. Availability: All models.
edit <block-pattern_integer> address <block-pattern_str> state {enable | disable}
    Edit an email address block pattern. Enter a number to edit the specified address pattern. Use the
    command get emailfilter blocklist for a numbered list of address block patterns.
    No default. Availability: All models.

Examples
Use the following command to add the email address sender@abccompany.com to the email
address pattern block list and to enable blocking the address:
set emailfilter blocklist add sender@abccompany.com state enable

Related commands
• get emailfilter
• set emailfilter bannedword
• set emailfilter config
• set emailfilter exemptlist
• set firewall profile


set emailfilter config


Use this command to configure the email filter subject tag.
When the FortiGate unit receives email from an unwanted address or email that contains an item in the
email banned word list, the FortiGate unit adds a tag to the subject line and sends the message to the
destination email address. Email users can use their mail client software to filter the messages based
on the subject tag.

Syntax description
subjecttag <tag_str>
    Type the subject tag that you want to display in the subject line of email received from unwanted addresses or containing banned words.
    Default: No default. Availability: All models.

Examples
Use the following command to change the email filter subject tag to UNWANTED:
set emailfilter config subjecttag UNWANTED

Related commands
• get emailfilter
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter exemptlist
• set firewall profile


set emailfilter exemptlist


Use this command to add or delete email address exempt patterns.
Add address patterns to the exempt list to allow legitimate IMAP and POP3 traffic that might otherwise
be tagged by email or content blocking. For example, if the email banned word list is set to block email
that contains pornography-related words and a reputable company sends email that contains these
words, the FortiGate unit would normally add a subject tag to the email. Adding the domain name of
the reputable company to the exempt list allows IMAP and POP3 traffic from the company to bypass
email and content blocking.

Syntax description
add <pattern_str> state {enable | disable}
    Add and enable or disable an email address exempt pattern.
    To exempt email sent from a specific email address, type the email address. For example, sender@abccompany.com.
    To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
    To exempt email sent from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
    To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
    Default: No default. Availability: All models.

delete {<pattern_str> | all}
    Delete the specified email address exempt pattern or delete the entire list. Use the command get emailfilter exemptlist for a list of email address exempt patterns.
    Default: No default. Availability: All models.

edit <pattern_integer> address <pattern_str> state {enable | disable}
    Edit an email address exempt pattern. Enter a number to edit the specified address exempt pattern. Use the command get emailfilter exemptlist for a numbered list of address exempt patterns.
    Default: No default. Availability: All models.

Examples
Use the following command to add the email address goodsender@abccompany.com to the email
address pattern exempt list and to enable exempting the address:
set emailfilter exemptlist add goodsender@abccompany.com state enable

Related commands
• get emailfilter
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter config
• set firewall profile
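The three email filter lists above (blocklist, subjecttag, exemptlist) interact in a fixed order that the guide only states in prose. The following Python model is an added example, not Fortinet code, and makes the assumptions the guide does not spell out: matching is case-insensitive, a pattern without "@" matches by trailing domain labels (so abccompany.com also covers mail.abccompany.com, and com covers every .com sender), and an exempt-list hit takes precedence over both the block list and the banned word list. The sample configuration and senders are constructed for the example.

```python
# Added example (not Fortinet's code): models how the FortiGate 2.50 email
# filter lists match a sender and tag a subject line. Assumptions (not from
# the guide): matching is case-insensitive, a pattern without "@" matches a
# domain, any subdomain of it, or a bare top-level domain by label suffix,
# and the exempt list takes precedence over the block and banned word lists.
from dataclasses import dataclass, field


def _labels(name):
    return name.lower().strip(".").split(".")


def pattern_matches(pattern, sender):
    """True if a pattern such as sender@abccompany.com, abccompany.com,
    mail.abccompany.com or com matches the sender address."""
    sender = sender.lower()
    if "@" in pattern:
        return pattern.lower() == sender
    domain = sender.rsplit("@", 1)[-1]
    want, have = _labels(pattern), _labels(domain)
    # A domain pattern matches the domain itself or any subdomain of it,
    # so compare trailing labels: "com" matches "mail.abccompany.com".
    return len(want) <= len(have) and have[-len(want):] == want


@dataclass
class EmailFilter:
    subjecttag: str                                   # set emailfilter config subjecttag
    blocklist: dict = field(default_factory=dict)     # pattern -> enabled
    exemptlist: dict = field(default_factory=dict)    # pattern -> enabled
    bannedwords: set = field(default_factory=set)

    def _listed(self, patterns, sender):
        return any(enabled and pattern_matches(p, sender)
                   for p, enabled in patterns.items())

    def filter(self, sender, subject, body):
        """Return (subject, reason); reason is '' when nothing was tagged."""
        if self._listed(self.exemptlist, sender):
            return subject, ""                        # bypasses everything
        if self._listed(self.blocklist, sender):
            return f"{self.subjecttag} {subject}", "blocklist"
        text = f"{subject} {body}".lower()
        hit = next((w for w in self.bannedwords if w.lower() in text), None)
        if hit:
            return f"{self.subjecttag} {subject}", f"bannedword:{hit}"
        return subject, ""


# Constructed sample configuration mirroring the examples in this chapter.
FILTER = EmailFilter(
    subjecttag="UNWANTED",
    blocklist={"sender@abccompany.com": True, "spammer.example": True,
               "biz": True, "old.example": False},
    exemptlist={"goodsender@abccompany.com": True},
    bannedwords={"free money"},
)

if __name__ == "__main__":
    for who in ("sender@abccompany.com", "goodsender@abccompany.com",
                "x@mail.spammer.example", "y@offers.biz", "z@old.example"):
        print(who, "->", FILTER.filter(who, "Hello", "plain text"))
```

Note that a disabled pattern (old.example above) is kept in the list but ignored, which is what the state keyword on add and edit controls.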


set firewall address


Add and edit addresses used in firewall policies. Use the command unset firewall address to
delete addresses.
An address must be added to an interface before you can add policies for that interface. On FortiGate
models 400 and up, an address must be added to a VLAN subinterface or zone before you can add
policies for that VLAN subinterface or zone.

Syntax description
<interface_str>
    The name of the interface, VLAN subinterface, or zone to which to add the address.
    Default: No default. Availability: All models.

<name_str>
    Enter an address name to identify the address.
    Default: No default. Availability: All models.

subnet <address_ip> <netmask_ip>
    The IP address can be the IP address of a single computer (for example, 192.45.46.45) or the address of a subnetwork (for example, 192.168.1.0).
    The netmask should correspond to the address that you are adding. For example:
    • The netmask for the IP address of a single computer should be 255.255.255.255.
    • The netmask for a class A subnet should be 255.0.0.0.
    • The netmask for a class B subnet should be 255.255.0.0.
    • The netmask for a class C subnet should be 255.255.255.0.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

Examples
Use the following command to add the address of a network to the Internal address list. The address
name is User_Network, the IP address is 192.168.1.0, and the netmask is 255.255.255.0.
set firewall address internal User_Network subnet 192.168.1.0 255.255.255.0
Use the following command to edit this address to change its IP address to 192.168.2.0.
set firewall address internal User_Network subnet 192.168.2.0 255.255.255.0
Use the following command to add the address of a single computer on the 192.168.2.0 network.
set firewall address internal User_1 subnet 192.168.2.1 255.255.255.255
Use the following command to edit an address added to a VLAN subinterface named VLAN_1. The
name of the address is Web_Server. The command changes the IP address to 10.10.10.34 and
the netmask to 255.255.255.255.
set firewall address VLAN_1 Web_Server subnet 10.10.10.34 255.255.255.255

Related commands
• unset firewall address
• set firewall addrgrp
• set firewall policy
• get firewall address
• get firewall addrgrp


set firewall addrgrp


Add and edit address groups used in firewall policies. Use the command unset firewall addrgrp
to delete address groups.
For all FortiGate models, you add address groups to interfaces. For FortiGate models 400 and up you
can also add address groups to VLAN subinterfaces and zones.

Syntax description
<interface_str>
    The name of the interface, VLAN subinterface, or zone to which to add or edit the address group. The interface can be physical or a VLAN. Enter set firewall addrgrp followed by a space and a ? for a list of available interfaces.
    Default: No default. Availability: All models.

<address-group_str>
    The name of the address group to add or edit.
    Default: No default. Availability: All models.

member <name_str> [<name_str> <name_str> ...]
    The names of the addresses to add to the address group. The member addresses must already have been added to the interface, VLAN subinterface, or zone to which you are adding the address group. Enter set firewall addrgrp <interface_str> <address-group_str> member followed by a space and a ? for a list of addresses added to that interface, VLAN subinterface, or zone. Use spaces to separate the address names. Leaving an address name out of the list removes it from the address group.
    Default: No default. Availability: All models.

Examples
Use the following command to add an address group to the Internal address list. The address group is
User_Network, and its members include Internal_1, Internal_2, and Internal_4.
set firewall addrgrp Internal User_Network member Internal_1 Internal_2
Internal_4
Use the following command to edit an address group named User_Network, so that it contains the
addresses Internal_1, Internal_2, Internal_3, and Internal_4.
set firewall addrgrp Internal User_Network member Internal_1 Internal_2
Internal_3 Internal_4
Use the following command to remove Internal_1 from the address group named User_Network.
set firewall addrgrp Internal User_Network member Internal_2 Internal_3
Internal_4

Related commands
• unset firewall addrgrp
• set firewall address
• set firewall policy
• get firewall address
• get firewall addrgrp
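The rules in the two sections above (a netmask must fit the address, group members must already exist on the same interface, and re-issuing member with a shorter list drops the omitted addresses) are easy to get wrong when scripting a configuration. The following Python model is an added example, not Fortinet code, that enforces them; it assumes, beyond what the guide says, that a subnet address may not have host bits set under its netmask, that a group can only reference addresses on its own interface, and that an address still referenced by a group cannot be deleted. The addresses and group are constructed from this chapter's examples.

```python
# Added example (not Fortinet's code): a model of the firewall address book.
# Assumptions (not from the guide): a subnet address must have no host bits
# set under its netmask, a group may only reference addresses on its own
# interface, resetting a group's members replaces the previous list, and an
# address still used by a group cannot be unset.
import ipaddress


class AddressBook:
    def __init__(self):
        self.addresses = {}   # (interface, name) -> IPv4Network
        self.groups = {}      # (interface, group) -> list of address names

    def set_address(self, interface, name, ip, netmask):
        """set firewall address <interface> <name> subnet <ip> <netmask>."""
        # strict=True rejects 192.168.1.5/255.255.255.0 (host bits set).
        try:
            net = ipaddress.IPv4Network((ip, netmask), strict=True)
        except ValueError as e:
            raise ValueError(f"{name}: netmask does not match {ip}: {e}")
        self.addresses[(interface, name)] = net   # add, or edit in place
        return net

    def set_addrgrp(self, interface, group, members):
        """set firewall addrgrp <interface> <group> member <names...>."""
        missing = [m for m in members if (interface, m) not in self.addresses]
        if missing:
            raise KeyError(f"not on interface {interface}: {missing}")
        self.groups[(interface, group)] = list(members)   # replaces old list
        return self.groups[(interface, group)]

    def unset_address(self, interface, name):
        """unset firewall address; refused while a group still uses it."""
        users = [g for (i, g), m in self.groups.items()
                 if i == interface and name in m]
        if users:
            raise ValueError(f"{name} still used by {users}")
        del self.addresses[(interface, name)]

    def contains(self, interface, name, host):
        """Does address or group <name> on <interface> cover <host>?"""
        addr = ipaddress.IPv4Address(host)
        if (interface, name) in self.addresses:
            return addr in self.addresses[(interface, name)]
        return any(addr in self.addresses[(interface, m)]
                   for m in self.groups[(interface, name)])


def demo():
    """Constructed walk-through of the examples in this chapter."""
    book = AddressBook()
    book.set_address("internal", "Internal_1", "192.168.1.0", "255.255.255.0")
    book.set_address("internal", "Internal_2", "192.168.2.0", "255.255.255.0")
    book.set_address("internal", "User_1", "192.168.2.1", "255.255.255.255")
    book.set_addrgrp("internal", "User_Network", ["Internal_1", "Internal_2"])
    # Re-issuing the command with a shorter member list drops Internal_1.
    book.set_addrgrp("internal", "User_Network", ["Internal_2"])
    return book


if __name__ == "__main__":
    b = demo()
    print(b.groups, b.contains("internal", "User_Network", "192.168.2.7"))
```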


set firewall dnstranslation


Use this command to enable or disable DNS translation and to add or delete a DNS translation entry.
DNS translation translates IP addresses in packets sent by a DNS server from the internal network to
the external network. Use DNS translation if you have a DNS server on your internal network that can
be accessed by users on the external network to find the IP addresses of servers on your internal
network.
If users on the external network can access a server on your internal network using virtual IP mapping,
you may allow them to find the IP address of the server using a DNS query. If they query a DNS server
that is also on your internal network, the DNS server would return the internal IP address of the server.
The external users would not be able to use this IP address to access the internal server.
Using DNS translation, you can map the internal IP address of the server to an address that external
users can use to access this server. So, when the firewall receives DNS packets from the internal
network that match a DNS translation source address, DNS translation changes the IP address in the
DNS packet to the DNS translation destination IP address and forwards the packet through the firewall
to the external user.
Syntax description
add src <source_ip> dst <destination_ip> netmask <netmask_ip>
    Add a DNS translation entry. Specify the source address, destination address, and netmask.
    The source address can be a single IP address on your internal network or the IP address of a subnet.
    The destination address can be a single external IP address or the IP address of a subnet accessible from the external network. Set the netmask as required.
    The source and destination addresses must both be single IP addresses or must both be subnet addresses. The netmask applies to both the source and destination addresses.
    Default: No default. Availability: All models.

del src <source_ip> dst <destination_ip> netmask <netmask_ip>
    Delete a DNS translation entry. Specify the source address, destination address, and netmask.
    Default: No default. Availability: All models.

{enable | disable}
    Enable or disable DNS translation.
    Default: disable. Availability: All models.


Examples
Use the following commands to enable DNS translation and translate DNS addresses for one server
that has an IP address on your internal network of 192.168.1.23 but from the external network the IP
address of the server should be 64.23.2.23 (as set using virtual IP mapping).
set firewall dnstranslation enable
set firewall dnstranslation add src 192.168.1.23 dst 64.23.2.23 netmask
255.255.255.255
Use the following command if you have configured symmetrical IP mapping between the external and
internal networks and the subnet on the internal network is 192.168.20.0 and the subnet on the
external network is 64.28.4.0.
set firewall dnstranslation add src 192.168.20.0 dst 64.28.4.0 netmask
255.255.255.0
Related commands
• set firewall vip
• get firewall dnstranslation
• get firewall vip
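The netmask rule above (one mask applied to both src and dst, so a /32 entry maps one host and a /24 entry maps a whole subnet address-for-address) determines which A records get rewritten and what they become. The following Python model is an added example, not Fortinet code, that applies the two entries from the examples above to individual addresses and to the RDATA of a single A record answer. It assumes, beyond the guide, that a record is translated when it falls inside the source prefix and that the host part below the netmask is carried over to the destination prefix; the DNS answer bytes are constructed for the example and use a compression pointer (0xC00C) as a real response would.

```python
# Added example (not Fortinet's code): the address mapping DNS translation
# performs on A records. Assumptions (not from the guide): a record is
# translated when it falls inside the source prefix (src/netmask), and the
# host bits below the netmask are carried into the destination prefix.
import ipaddress
import struct


class DnsTranslation:
    def __init__(self):
        self.enabled = False
        self.entries = []   # list of (source network, destination network)

    def add(self, src, dst, netmask):
        """set firewall dnstranslation add src <s> dst <d> netmask <m>."""
        s = ipaddress.IPv4Network((src, netmask), strict=True)
        d = ipaddress.IPv4Network((dst, netmask), strict=True)
        self.entries.append((s, d))

    def translate(self, ip):
        """Map one internal IP to its external address, or return it as is."""
        addr = ipaddress.IPv4Address(ip)
        if not self.enabled:
            return str(addr)
        for s, d in self.entries:
            if addr in s:
                host_bits = int(addr) & int(s.hostmask)
                return str(ipaddress.IPv4Address(int(d.network_address) | host_bits))
        return str(addr)

    def rewrite_answer(self, record):
        """Rewrite the 4-byte RDATA of one A record answer. The record is
        (name pointer, type, class, ttl, rdlength, rdata) as it sits in a
        DNS response; only type A (1) with rdlength 4 is touched."""
        _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", record[:12])
        if rtype != 1 or rdlen != 4:
            return record
        old = str(ipaddress.IPv4Address(record[12:16]))
        return record[:12] + ipaddress.IPv4Address(self.translate(old)).packed


def a_record(ip, ttl=300):
    """Constructed A record answer with a compression pointer to the name."""
    return struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed


def demo():
    """The two entries from the examples above."""
    t = DnsTranslation()
    t.enabled = True
    t.add("192.168.1.23", "64.23.2.23", "255.255.255.255")
    t.add("192.168.20.0", "64.28.4.0", "255.255.255.0")
    return t


if __name__ == "__main__":
    t = demo()
    for ip in ("192.168.1.23", "192.168.20.77", "10.0.0.1"):
        print(ip, "->", t.translate(ip))
```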


set firewall ipmacbinding setting


Use this command to configure IP/MAC binding settings. You can enable or disable IP/MAC binding for
traffic going to or through the FortiGate unit. You can allow or block traffic not defined in the IP/MAC
binding table.

Syntax description
bindthroughfw {enable | disable}
    Enable or disable IP/MAC binding for traffic going through the firewall.
    Default: disable. Availability: All models.

bindtofw {enable | disable}
    Enable or disable IP/MAC binding for traffic going to the firewall.
    Default: disable. Availability: All models.

undefinedhost {allow | block}
    Available when you enable either bindthroughfw or bindtofw.
    Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list. Setting undefinedhost configures this behavior for traffic going through the firewall and traffic going to the firewall.
    Enter allow to allow packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
    Enter block to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
    Default: block. Availability: All models.

Example
Use the following command to enable IP/MAC binding for traffic through the firewall and to allow traffic
with IP and MAC addresses that are not defined in the IP/MAC list.
set firewall ipmacbinding setting bindthroughfw enable undefinedhost
allow
Use the following command to enable IP/MAC binding in traffic to the firewall and to block traffic with IP
and MAC addresses that are not defined in the IP/MAC list.
set firewall ipmacbinding setting bindtofw enable undefinedhost block

Related commands
• get firewall ipmacbinding
• unset firewall ipmacbinding
• set firewall ipmacbinding table


set firewall ipmacbinding table


Use this command to add IP and MAC address pairs to the IP/MAC binding table or to edit IP and MAC
address pairs added to the IP/MAC binding table. Use the command unset firewall
ipmacbinding to delete IP and MAC address pairs from the IP/MAC binding table.

Syntax description
ip <address_ip>
    The IP address to add to the IP/MAC binding table. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address.
    You can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with the MAC address are allowed to continue through the firewall to be matched with a firewall policy.
    Default: 0.0.0.0. Availability: All models.

mac <address_hex>
    The MAC address to add to the IP/MAC binding table. You can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are allowed to continue through the firewall to be matched with a firewall policy.
    Default: 00:00:00:00:00:00. Availability: All models.

name <name_str>
    Optional name for this entry in the IP/MAC address table.
    Default: No default. Availability: All models.

status {enable | disable}
    Enable or disable IP/MAC binding for this address pair.
    Default: disable. Availability: All models.

Examples
Use the following command to add an IP/MAC address pair with IP address 205.33.44.55 and MAC
address 00:10:F3:04:7A:4C. The name for the IP/MAC binding pair is remoteadmin.
set firewall ipmacbinding table name remoteadmin ip 205.33.44.55 mac
00:10:F3:04:7A:4C
Use the following command to enable the IP/MAC address pair:
set firewall ipmacbinding table name remoteadmin status enable

Related commands
• set firewall ipmacbinding setting
• get firewall ipmacbinding
• unset firewall ipmacbinding
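The two IP/MAC binding sections above describe the settings and the table separately; what matters operationally is the decision made per packet. The following Python model is an added example, not Fortinet code, covering both sections: the settings (bindthroughfw, bindtofw, undefinedhost), the table with its 0.0.0.0 and 00:00:00:00:00:00 wildcards, and the rule that one IP cannot be bound to two MACs. It assumes, beyond what the guide states, that a packet whose IP is bound to a different MAC is blocked regardless of undefinedhost (that is the spoofing case the feature exists for), and that undefinedhost only applies to pairs that match no entry at all. The entries are constructed from this section's example.

```python
# Added example (not Fortinet's code): the per-packet decision of IP/MAC
# binding. Assumptions (not from the guide): an enabled entry whose IP and
# MAC both match allows the packet, a packet whose IP is bound to a different
# MAC is blocked regardless of undefinedhost, 0.0.0.0 and 00:00:00:00:00:00
# match any IP or MAC, and pairs with no matching entry fall through to
# undefinedhost.
from dataclasses import dataclass, replace

ANY_IP = "0.0.0.0"
ANY_MAC = "00:00:00:00:00:00"


@dataclass
class Binding:
    name: str
    ip: str = ANY_IP
    mac: str = ANY_MAC
    status: str = "disable"


class IpMacBinding:
    def __init__(self, bindthroughfw="disable", bindtofw="disable",
                 undefinedhost="block"):
        self.bindthroughfw = bindthroughfw      # set ... setting bindthroughfw
        self.bindtofw = bindtofw                # set ... setting bindtofw
        self.undefinedhost = undefinedhost      # set ... setting undefinedhost
        self.table = {}                         # name -> Binding

    def set_entry(self, name, **fields):
        """set firewall ipmacbinding table name <n> [ip ..] [mac ..] [status ..]."""
        if "mac" in fields:
            fields["mac"] = fields["mac"].upper()
        entry = replace(self.table.get(name, Binding(name)), **fields)
        # The guide forbids binding multiple MAC addresses to one IP address.
        for other in self.table.values():
            if (other.name != name and other.ip == entry.ip != ANY_IP
                    and other.mac != entry.mac):
                raise ValueError(f"{entry.ip} is already bound to {other.mac}")
        self.table[name] = entry
        return entry

    def check(self, ip, mac, to_firewall=False):
        """Return 'allow' or 'block' for a packet carrying this IP/MAC pair."""
        enabled = self.bindtofw if to_firewall else self.bindthroughfw
        if enabled != "enable":
            return "allow"
        mac = mac.upper()
        active = [e for e in self.table.values() if e.status == "enable"]
        for e in active:
            if e.ip in (ANY_IP, ip) and e.mac in (ANY_MAC, mac):
                return "allow"
        if any(e.ip == ip for e in active):
            return "block"          # IP is bound, but to another MAC: spoofed
        return "allow" if self.undefinedhost == "allow" else "block"


def demo():
    """Constructed configuration built from this section's example."""
    b = IpMacBinding(bindthroughfw="enable", undefinedhost="block")
    b.set_entry("remoteadmin", ip="205.33.44.55", mac="00:10:F3:04:7A:4C")
    b.set_entry("remoteadmin", status="enable")
    # One MAC allowed from any IP (ip 0.0.0.0 wildcard).
    b.set_entry("printer", ip=ANY_IP, mac="00:10:F3:AA:BB:CC", status="enable")
    return b


if __name__ == "__main__":
    b = demo()
    print(b.check("205.33.44.55", "00:10:f3:04:7a:4c"),
          b.check("205.33.44.55", "00:00:00:00:00:01"))
```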


set firewall ippool


Use this command to add IP address pools used in NAT mode policies set to dynamic IP pool. Using
dynamic IP pools, NAT mode firewall policies translate source addresses to an address randomly
selected from the IP pool. You can add multiple IP pools to any interface, but only the first IP pool is
used by the Firewall.

Syntax description
interface <intf_str> <start_ip-end_ip> [<start_ip-end_ip> [<start_ip-end_ip> ...]]
    Add an IP pool with the specified start and end IP addresses to the named interface. Separate the start and end IP addresses with a hyphen. On FortiGate models 400 and up the interface can also be a VLAN subinterface.
    The start IP and end IP of an IP pool must define the start and end of an address range. The start IP must be lower than the end IP. The start IP and end IP must be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: No default. Availability: All models. Not available in Transparent mode.

Examples
Use the following command to add an IP pool with these characteristics to the firewall configuration.
• interface name: internal
• start of IP address range: 192.168.1.100
• end of IP address range: 192.168.1.200
set firewall ippool interface internal 192.168.1.100-192.168.1.200
Use the following command to add two IP pools with these characteristics to the firewall configuration:
• interface name: external
• start of first IP pool address range: 32.34.67.100
• end of first IP pool address range: 32.34.67.110
• start of second IP pool address range: 32.34.67.130
• end of second IP pool address range: 32.34.67.140
set firewall ippool interface external 32.34.67.100-32.34.67.110
32.34.67.130-32.34.67.140

Related commands
• get firewall ippool
• get firewall policy
• unset firewall ippool
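The constraints above (start lower than end, both ends on the interface subnet, and only the first pool actually used for translation) are worth checking before a pool is pushed to a unit. The following Python model is an added example, not Fortinet code: it parses the hyphenated range syntax, validates it against an interface address given as ip/prefix, and models the source-address pick a NAT policy with ippool enabled makes. Beyond the guide it assumes that "randomly selected" can be modelled with a seeded random choice and that a source host keeps the pool address it was first given. The ranges are constructed from the examples above.

```python
# Added example (not Fortinet's code): validation of the IP pool rules above
# and the source-address pick of a dynamic IP pool NAT policy. Assumptions
# (not from the guide): the interface address is given as ip/prefix, the
# random pick is modelled with a seeded random.Random, and a source host
# keeps the address it was first given.
import ipaddress
import random


def parse_pool(range_str):
    """'192.168.1.100-192.168.1.200' -> (start, end) as IPv4Address."""
    start, end = (ipaddress.IPv4Address(p) for p in range_str.split("-", 1))
    if start >= end:
        raise ValueError(f"start IP must be lower than end IP: {range_str}")
    return start, end


def validate_pools(interface_cidr, ranges):
    """Check every pool range lies on the interface subnet; return pools."""
    iface = ipaddress.IPv4Interface(interface_cidr).network
    pools = []
    for r in ranges:
        start, end = parse_pool(r)
        if start not in iface or end not in iface:
            raise ValueError(f"{r} is not on {iface}")
        pools.append((start, end))
    return pools


class DynamicNat:
    """Picks the translated source address for a NAT policy with ippool enabled."""

    def __init__(self, interface_cidr, ranges, seed=None):
        self.pools = validate_pools(interface_cidr, ranges)
        self.rng = random.Random(seed)
        self.sessions = {}   # original source IP -> pool address

    def source_for(self, original_src):
        if original_src not in self.sessions:
            start, end = self.pools[0]   # only the first IP pool is used
            offset = self.rng.randint(0, int(end) - int(start))
            self.sessions[original_src] = str(start + offset)
        return self.sessions[original_src]


if __name__ == "__main__":
    nat = DynamicNat("32.34.67.1/24", ["32.34.67.100-32.34.67.110",
                                       "32.34.67.130-32.34.67.140"], seed=1)
    print(nat.source_for("192.168.1.10"), nat.source_for("192.168.1.11"))
```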


set firewall onetimeschedule


Add and edit one-time schedules.
Use scheduling to control when policies are active or inactive. You can use one-time schedules to
create policies that are effective once for the period of time specified in the schedule.

Note: To edit a schedule, you must redefine the entire schedule, including your changes. This means entering all
of the schedule parameters, both those that are changing and those that are not.

Syntax description
<name_str>
    Add or edit a one-time schedule. <name_str> is the name of the one-time schedule to add or edit.
    Default: No default. Availability: All models.

end <yyyy/mm/dd> <hh:mm>
    The ending day and time of the schedule.
    • mm - 01 to 12
    • dd - 01 to 31
    • hh - 00 to 23
    • mm - 00, 15, 30, or 45
    Default: No default. Availability: All models.

start <yyyy/mm/dd> <hh:mm>
    The starting day and time of the schedule.
    • mm - 01 to 12
    • dd - 01 to 31
    • hh - 00 to 23
    • mm - 00, 15, 30, or 45
    Default: No default. Availability: All models.

Example
Use the following command to add a one-time schedule named Holiday that is valid from 5:00 pm on
30 August 2003 until 8:45 am on 3 September 2003.
set firewall onetimeschedule Holiday start 2003/08/30 17:00 end
2003/09/03 08:45

Related commands
• set firewall policy
• set firewall recurringschedule
• get firewall schedule
• unset firewall onetimeschedule
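Because a one-time schedule must be restated in full on every edit, it is useful to validate the whole command before sending it. The following Python parser is an added example, not Fortinet code: it parses the command line shown in the example above, enforces the quarter-hour minute values and the start-before-end rule, and reports whether the schedule is active at a given moment. It assumes, beyond the guide, that the schedule is active from its start time up to and including its end time.

```python
# Added example (not Fortinet's code): parsing and validating a one-time
# schedule command and deciding whether it is active. Assumption (not from
# the guide): the schedule is active from start up to and including end.
from datetime import datetime

VALID_MINUTES = {0, 15, 30, 45}


def parse_when(day, hhmm, strict=True):
    """'2003/08/30', '17:00' -> datetime; strict rejects minutes off the
    quarter hour, as the start/end keywords do."""
    when = datetime.strptime(f"{day} {hhmm}", "%Y/%m/%d %H:%M")
    if strict and when.minute not in VALID_MINUTES:
        raise ValueError(f"minutes must be 00, 15, 30 or 45: {hhmm}")
    return when


class OneTimeSchedule:
    def __init__(self, name, start_day, start_time, end_day, end_time):
        # Every parameter is given on each edit, as the guide's note says.
        self.name = name
        self.start = parse_when(start_day, start_time)
        self.end = parse_when(end_day, end_time)
        if self.end <= self.start:
            raise ValueError(f"{name}: end must be after start")

    def is_active(self, now):
        return self.start <= now <= self.end

    def is_active_at(self, day, hhmm):
        """Same check for a day/time given in the guide's own notation."""
        return self.is_active(parse_when(day, hhmm, strict=False))


def parse_command(line):
    """Parse 'set firewall onetimeschedule <name> start <d> <t> end <d> <t>'.
    start and end may appear in either order."""
    parts = line.split()
    if parts[:3] != ["set", "firewall", "onetimeschedule"] or len(parts) != 10:
        raise ValueError(f"not a complete onetimeschedule command: {line}")
    kw = dict(zip(parts[4::3], zip(parts[5::3], parts[6::3])))
    if set(kw) != {"start", "end"}:
        raise ValueError("both start and end are required")
    return OneTimeSchedule(parts[3], *kw["start"], *kw["end"])


if __name__ == "__main__":
    s = parse_command("set firewall onetimeschedule Holiday "
                      "start 2003/08/30 17:00 end 2003/09/03 08:45")
    print(s.name, s.is_active_at("2003/09/01", "12:00"))
```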


set firewall policy


Use this command to add and edit firewall policies.
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions
used by the FortiGate unit to decide what to do with a connection request. The policy directs the
firewall to allow the connection, deny the connection, require authentication before the connection is
allowed, or process the packet as an IPSec VPN packet.

Syntax description
srcintf <intf_str>
    Enter the source interface for the policy. On all FortiGate models srcintf can be the name of a FortiGate interface to which a firewall address has been added.
    In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added.
    In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone.
    You cannot add an interface or VLAN subinterface that has been added to a zone.
    Default: No default. Availability: All models.

dstintf <intf_str>
    Enter the destination interface for the policy. On all FortiGate models dstintf can be the name of a FortiGate interface to which a firewall address has been added.
    In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added.
    In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone.
    You cannot add an interface or VLAN subinterface that has been added to a zone.
    Default: No default. Availability: All models.

move <sequence-number_integer> to <sequence-number_integer>
    Change the order of policies in a policy list by changing the number of a policy. Changing the number of the policy moves it from its current place in a policy list to another location in the same policy list. Enter get firewall policy to list all policies.
    Default: No default. Availability: All models.

policyid <policy-id_integer>
    Enter an ID number for the policy. Every firewall policy is identified by its srcintf, dstintf, and policyid. Every srcintf, dstintf, and policyid combination must be unique. If you enter a new srcintf, dstintf, and policyid, this command adds a new policy. If you enter a srcintf, dstintf, and policyid that already exists, this command edits that policy.
    The web-based manager assigns policy IDs automatically. When using the CLI, policy IDs must be assigned manually. Enter get firewall policy to list the policy ID numbers already in use.
    Default: No default. Availability: All models.

action {accept | deny | encrypt}
    Enter the action for the policy.
    Enter accept to accept packets that match the firewall policy. If you enter accept you can also enter authentication to enable authentication for the policy, nat to make this a NAT policy (NAT/Route mode only), ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface, and fixedport so that the NAT policy does not translate the packet source port.
    Enter deny to deny packets that match the firewall policy. If you enter deny you do not have to add additional keywords.
    Enter encrypt to configure the policy to be an encrypt policy for IPSec tunnels. If you enter encrypt you can also enter inbound, natinbound, outbound, and natoutbound to control the VPN traffic allowed by the policy. encrypt is available in NAT/Route mode only.
    Default: deny. Availability: All models.

avwebfilter {<profile_str> | none}
    Turn on antivirus protection, web content filtering, and email filtering for a policy by assigning a content profile, or turn them off for the policy.
    Enter a profile name to add the content profile to the policy. profile_str is case-sensitive.
    Enter none to remove the current content profile from the policy.
    Default: none. Availability: action set to accept or encrypt.

comment <comment_str>
    Optionally add a description or other information about the policy. comment_str is limited to 63 characters and cannot contain spaces.
    Default: No default. Availability: All models.

dstaddr <name_str>
    Enter the destination address for the policy. The destination address must have been added to the destination interface. For a NAT policy you can also add a virtual IP. See "set firewall vip" on page 64. name_str is case-sensitive.
    Default: No default. Availability: All models.

logtraffic {enable | disable}
    Enable or disable recording traffic log messages for connections accepted by this policy.
    Default: disable. Availability: action set to accept or encrypt.

schedule <name_str>
    Enter the name of the one-time or recurring schedule to use for the policy. name_str is case-sensitive.
    Default: Always. Availability: All models.

service <name_str>
    Enter the name of the service to use for the policy. name_str is case-sensitive.
    Default: ANY. Availability: All models.

srcaddr <name_str>
    Enter the source address for the policy. The source address must have been added to the source interface. name_str is case-sensitive.
    Default: No default. Availability: All models.

status {enable | disable}
    Enable or disable a policy.
    Default: enable. Availability: All models.

trafficshaping {enable | disable}
    Enable or disable traffic shaping. If you enable traffic shaping you can set gbandwidth, maxbandwidth, and priority.
    Default: disable. Availability: action set to accept or encrypt.


Dependent keywords

authentication {enable <usrgrp_str> | disable}
    Enable or disable authentication for the policy. If you enable authentication, enter the name of the user group to be used for authenticating users that connect using this policy. usrgrp_str is case-sensitive.
    Default: disable. Availability: NAT/Route mode, action set to accept.

nat {enable | disable}
    Configure the policy for network address translation (NAT). NAT translates the source address and the source port of packets accepted by the policy. If you enable NAT you can enter ippool and fixedport.
    Default: disable. Availability: NAT/Route mode, action set to accept.

fixedport {enable | disable}
    Prevent a NAT policy from translating the source port. Some applications do not function correctly if the source port is changed. If you enter fixedport, you should also enable IP pools. If you do not enable IP pools a policy with fixedport can only allow one connection at a time for this port or service.
    Default: disable. Availability: NAT/Route mode, action set to accept, nat and ippool enabled.

ippool {enable | disable}
    Configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. Use IP pools if you must specify fixedport for a service or for dynamic NAT.
    Default: disable. Availability: NAT/Route mode, action set to accept, nat enabled.

inbound {allow | deny}
    Configure the policy to allow or deny inbound VPN tunnels that match this policy.
    Default: allow. Availability: action set to encrypt.

natinbound {enable | disable}
    Enable or disable inbound NAT for VPN tunnels that match this policy.
    Default: disable. Availability: action set to encrypt.

natoutbound {enable | disable}
    Enable or disable outbound NAT for VPN tunnels that match this policy.
    Default: disable. Availability: action set to encrypt.

outbound {allow | deny}
    Configure the policy to allow or deny outbound VPN tunnels that match this policy.
    Default: allow. Availability: action set to encrypt.

vpntunnel <tunnel-name_str>
    Enter the name of the AutoIKE key or manual key tunnel for the IPSec policy. tunnel-name_str is case-sensitive.
    Default: disable. Availability: action set to encrypt.

gbandwidth <bandwidth_integer>
    Guarantee the amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second.
    Default: 0. Availability: Traffic shaping enabled.

maxbandwidth <bandwidth_integer>
    Limit the maximum amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0 no traffic is allowed by the policy.
    Default: 0. Availability: Traffic shaping enabled.

priority {high | medium | low}
    Set the priority for traffic controlled by the policy. The available settings are high for high priority traffic, medium for medium priority traffic, and low for low priority traffic.
    Default: high. Availability: Traffic shaping enabled.


Examples
On a FortiGate-100, 200, or 300, use the following command to add a policy that allows users on the
external network to access a web server on a DMZ network. The policy:
• Is for connections from the external interface (srcintf is external) to the DMZ interface
(dstintf is dmz)
• Has a policy ID of 100
• Is enabled
• Allows users from any IP address on the Internet to access the web server (srcaddr is
External_All)
• Allows access to an address on the DMZ network (dstaddr is an address previously added to the
DMZ interface and named DMZ_Web_Server)
• Sets the schedule to Always so that users can access the web server 24 hours a day, seven
days a week
• Sets the service to HTTP to limit access to the web server to HTTP connections
• Sets action to accept to allow connections
• Applies network address translation (nat is enabled)
• Applies traffic shaping to guarantee 100 KBytes/s of bandwidth is available, to limit the maximum
bandwidth to 500 KBytes/second, and to set the priority for the traffic accepted by this policy to
medium (trafficshaping enabled, gbandwidth set to 100, maxbandwidth set to 500,
priority set to medium)
• Applies virus scanning using the Web content profile (avwebfilter set to Web)
set firewall policy srcintf external dstintf dmz policyid 100 status
enable srcaddr External_All dstaddr DMZ_Web_Server schedule Always
service HTTP action accept nat enable trafficshaping enable gbandwidth 100
maxbandwidth 500 priority medium avwebfilter Web

Related commands
• get firewall policy
• unset firewall policy
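The policy keywords above describe one policy at a time; the security-relevant behaviour is how the list is evaluated, which is what move changes and why a broad deny placed above a narrow accept silently kills the accept. The following Python model is an added example, not Fortinet code, of a first-match policy list keyed by srcintf, dstintf and policyid, with add-or-edit semantics, move, status, and service matching. It assumes, beyond what the guide states, that policies are evaluated top to bottom in list order, that a disabled policy is skipped, that a policy matches when interfaces, address book entries and service all match, and that a connection matching no policy is denied. The address book, service table and policies are constructed from the example above.

```python
# Added example (not Fortinet's code): a first-match evaluator for the policy
# list. Assumptions (not from the guide): policies are evaluated top to
# bottom in list order (what `move` changes), a disabled policy is skipped,
# a policy matches when interfaces, addresses and service all match, and a
# connection that matches no policy is denied.
import ipaddress
from dataclasses import dataclass, field

# Constructed service table: name -> (protocol, port), None meaning any.
SERVICES = {"ANY": None, "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
            "DNS": ("udp", 53)}


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    policyid: int
    srcaddr: str
    dstaddr: str
    action: str = "deny"
    service: str = "ANY"
    status: str = "enable"
    nat: str = "disable"


@dataclass
class Firewall:
    addresses: dict                      # (interface, name) -> IPv4Network
    policies: list = field(default_factory=list)

    def set_policy(self, policy):
        """Add, or edit in place when srcintf/dstintf/policyid already exist."""
        key = (policy.srcintf, policy.dstintf, policy.policyid)
        for i, p in enumerate(self.policies):
            if (p.srcintf, p.dstintf, p.policyid) == key:
                self.policies[i] = policy
                return
        self.policies.append(policy)

    def move(self, seq_from, seq_to):
        """set firewall policy move <from> to <to>, with 1-based positions."""
        p = self.policies.pop(seq_from - 1)
        self.policies.insert(seq_to - 1, p)

    def _covers(self, intf, name, ip):
        return ipaddress.IPv4Address(ip) in self.addresses[(intf, name)]

    def lookup(self, srcintf, dstintf, src_ip, dst_ip, proto, port):
        """Return the first matching policy, or None (implicit deny)."""
        for p in self.policies:
            if p.status != "enable" or (p.srcintf, p.dstintf) != (srcintf, dstintf):
                continue
            svc = SERVICES[p.service]
            if svc is not None and svc != (proto, port):
                continue
            if (self._covers(srcintf, p.srcaddr, src_ip)
                    and self._covers(dstintf, p.dstaddr, dst_ip)):
                return p
        return None

    def decide(self, *conn):
        p = self.lookup(*conn)
        return p.action if p else "deny"


def demo():
    """Constructed list: the HTTP accept from the example, then a broad deny."""
    fw = Firewall(addresses={
        ("external", "External_All"): ipaddress.IPv4Network("0.0.0.0/0"),
        ("dmz", "DMZ_Web_Server"): ipaddress.IPv4Network("10.10.10.34/32"),
        ("dmz", "DMZ_All"): ipaddress.IPv4Network("10.10.10.0/24"),
    })
    fw.set_policy(Policy("external", "dmz", 100, "External_All",
                         "DMZ_Web_Server", action="accept", service="HTTP",
                         nat="enable"))
    fw.set_policy(Policy("external", "dmz", 101, "External_All", "DMZ_All"))
    return fw


if __name__ == "__main__":
    fw = demo()
    print(fw.decide("external", "dmz", "203.0.113.9", "10.10.10.34", "tcp", 80))
    fw.move(2, 1)   # the deny now shadows the accept
    print(fw.decide("external", "dmz", "203.0.113.9", "10.10.10.34", "tcp", 80))
```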


set firewall profile


Use this command to add or edit firewall content profiles. This command starts a shell to configure the
content profile. In this shell you can view and change the content profile settings.
Use content profiles to apply different protection settings for content traffic controlled by firewall
policies.

Syntax description
<profilename_str>
    The name of the profile to add or edit. Type in the profile name and press return to access the profile shell.
    Default: No default. Availability: All models.

exit {Yes/No}
    Exit the profile shell without saving your changes. Type Yes to exit the profile shell. Type No to return to the profile setting shell prompt.
    If you have just used set firewall profile to add a new profile, typing exit in the profile shell exits without saving the new profile. If you enter exit while editing a profile that was previously added, changes you have made to the profile are lost, but the profile is not deleted.
    Use the command unset firewall profile <profilename_str> to delete a profile.
    Default: No default. Availability: All models.

save
    Exit the profile shell and save your changes.
    Default: No default. Availability: All models.

show [<service_str>]
    In the content profile shell show the settings for all services. Entering a <service_str> shows the settings for that service. <service_str> can be http, smtp, pop3, imap, or ftp.
    Default: No default. Availability: All models.

For each profile, you can change settings for the HTTP, SMTP, POP3, IMAP, and FTP services.

ftp
block {enable | disable}
    For this content profile, enable or disable deleting files from FTP traffic with blocked file patterns.
    Default: disable. Availability: All models.

oversize {pass | block}
    For this content profile, allow oversized files in FTP traffic to pass through the firewall or block oversized files in FTP traffic from passing through the firewall.
    Default: pass. Availability: All models.

quarantine {enable | disable}
    For this content profile, enable or disable quarantining blocked or infected files found in FTP traffic.
    Default: disable. Availability: Models with a hard disk only.

scan {enable | disable}
    For this content profile, enable or disable scanning FTP traffic for viruses and worms.
    Default: disable. Availability: All models.


http
bannedword {enable | disable}
    For this content profile, enable or disable web content filtering content blocking (also called the banned word list).
    Default: disable. Availability: All models.

block {enable | disable}
    For this content profile, enable or disable deleting files from HTTP traffic with blocked file patterns.
    Default: disable. Availability: All models.

oversize {pass | block}
    For this content profile, allow oversized files in HTTP traffic to pass through the firewall or block oversized files in HTTP traffic from passing through the firewall.
    Default: pass. Availability: All models.

quarantine {enable | disable}
    For this content profile, enable or disable quarantining blocked or infected files found in HTTP traffic.
    Default: disable. Availability: Models with a hard disk only.

scan {enable | disable}
    For this content profile, enable or disable scanning HTTP traffic for viruses and worms.
    Default: disable. Availability: All models.

scriptfilter {enable | disable}
    For this content profile, enable or disable the web content filtering script filter.
    Default: disable. Availability: All models.

urlblock {enable | disable}
    For this content profile, enable or disable web content filtering URL blocking.
    Default: disable. Availability: All models.

urlexempt {enable | disable}
    For this content profile, enable or disable the web content filtering exempt URL list.
    Default: disable. Availability: All models.

imap
bannedword {enable | disable}
    For this content profile, enable or disable tagging of IMAP email containing words on the email filter content blocking (also called the banned word) list.
    Default: disable. Availability: All models.

block {enable | disable}
    For this content profile, enable or disable deleting files from IMAP traffic with blocked file patterns.
    Default: disable. Availability: All models.

blocklist {enable | disable}
    For this content profile, enable or disable tagging of IMAP email from email addresses on the email filter block list.
    Default: disable. Availability: All models.

exemptlist {enable | disable}
    For this content profile, enable or disable exempting IMAP email from email addresses on the email filter exempt list.
    Default: disable. Availability: All models.

fragmail {pass | block}
    For this content profile, allow fragmented IMAP email messages to pass through the firewall or block fragmented IMAP email messages from passing through the firewall.
    Default: block. Availability: All models.

oversize {pass | block}
    For this content profile, allow oversized files in IMAP traffic to pass through the firewall or block oversized files in IMAP traffic from passing through the firewall.
    Default: pass. Availability: All models.

quarantine {enable | disable}
    For this content profile, enable or disable quarantining blocked or infected files found in IMAP traffic.
    Default: disable. Availability: Models with a hard disk only.

scan {enable | disable}
    For this content profile, enable or disable scanning IMAP traffic for viruses and worms.
    Default: disable. Availability: All models.

58 Fortinet Inc.
set commands set firewall profile

pop3
bannedword {enable | disable}
    For this content profile, enable or disable tagging of POP3 email containing words on
    the email filter content blocking (also called the banned word) list.
    Default: disable. Availability: All models.
block {enable | disable}
    For this content profile, enable or disable deleting files from POP3 traffic with
    blocked file patterns.
    Default: disable. Availability: All models.
blocklist {enable | disable}
    For this content profile, enable or disable tagging of POP3 email from email addresses
    on the email filter block list.
    Default: disable. Availability: All models.
exemptlist {enable | disable}
    For this content profile, enable or disable exempting POP3 email from email addresses
    on the email filter exempt list.
    Default: disable. Availability: All models.
fragmail {pass | block}
    For this content profile, allow fragmented POP3 email messages to pass through the
    firewall or block fragmented POP3 email messages from passing through the firewall.
    Default: block. Availability: All models.
oversize {pass | block}
    For this content profile, allow oversized files in POP3 traffic to pass through the
    firewall or block oversized files in POP3 traffic from passing through the firewall.
    Default: pass. Availability: All models.
quarantine {enable | disable}
    For this content profile, enable or disable storing blocked or infected files found in
    POP3 traffic in the file quarantine on the FortiGate hard disk.
    Default: disable. Availability: Models with a hard disk only.
scan {enable | disable}
    For this content profile, enable or disable scanning POP3 traffic for viruses and worms.
    Default: disable. Availability: All models.

smtp
block {enable | disable}
    For this content profile, enable or disable deleting files from SMTP traffic with
    blocked file patterns.
    Default: disable. Availability: All models.
fragmail {pass | block}
    For this content profile, allow fragmented SMTP email messages to pass through the
    firewall or block fragmented SMTP email messages from passing through the firewall.
    Default: block. Availability: All models.
oversize {pass | block}
    For this content profile, allow oversized files in SMTP traffic to pass through the
    firewall or block oversized files in SMTP traffic from passing through the firewall.
    Default: pass. Availability: All models.
quarantine {enable | disable}
    For this content profile, enable or disable quarantining blocked or infected files
    found in SMTP traffic.
    Default: disable. Availability: Models with a hard disk only.
scan {enable | disable}
    For this content profile, enable or disable scanning SMTP traffic for viruses and worms.
    Default: disable. Availability: All models.

Examples
Use the following commands to add a new content profile named ScanPOP3 that applies virus
scanning to POP3 traffic and quarantines all infected files. In addition, the following commands turn off
virus scanning for HTTP, FTP, SMTP, and IMAP traffic.
set firewall profile ScanPOP3
Entering configure mode for firewall profile "ScanPOP3" . . .
Use "save" to commit changes and "exit" to cancel


Use the show command to view the default settings for the new content profile.
show
Enable quarantine for POP3.
pop3 quarantine enable
Disable scanning for HTTP, SMTP, IMAP, and FTP:
http scan disable
smtp scan disable
imap scan disable
ftp scan disable
Save your changes and exit from the profile shell.
save
View the configuration of the new content profile.
get firewall profile ScanPOP3

Related commands
• get firewall profile
• unset firewall profile


set firewall recurringschedule


Use this command to add and edit recurring schedules used in firewall policies.
Use scheduling to control when policies are active or inactive. Use recurring schedules to create
policies that repeat weekly. You can use recurring schedules to create policies that are effective only at
specified times of the day or on specified days of the week.

Note: If you create a recurring schedule with a stop time that occurs before the start time, the schedule will start at
the start time and finish at the stop time on the next day. You can use this technique to create recurring schedules
that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the
start and stop times to the same time.

Syntax description
<schedule-name_str>
    Add or edit a recurring schedule. <schedule-name_str> is the name of the recurring
    schedule to add or edit.
    Default: No default. Availability: All models.
day {sunday monday tuesday wednesday thursday friday saturday}
    Enter the names of one or more days of the week for which the schedule is valid.
    Separate the names with a space.
    Default: No default. Availability: All models.
end <hh:mm>
    The ending time of the schedule.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
    Default: 00:00. Availability: All models.
start <hh:mm>
    The starting time of the schedule.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
    Default: 00:00. Availability: All models.

Example
Use the following command to add a recurring schedule named access so that it is valid Monday to
Friday from 7:45 am to 5:30 pm.
set firewall recurringschedule access day monday tuesday wednesday
thursday friday start 07:45 end 17:30
Edit the recurring schedule named access so that it is no longer valid on Fridays.
set firewall recurringschedule access day monday tuesday wednesday
thursday start 07:45 end 17:30
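To make the wrap-around rule from the note above concrete, here is an added Python model (not FortiGate code and not part of this guide) that parses the two commands above and decides whether a schedule is active at a given moment; it assumes the end time is exclusive and that the schedule is evaluated against local time.

```python
# Added example (not from the FortiGate CLI or this guide): evaluate a recurring
# schedule the way the note above describes. Assumption: the end time is exclusive.
from dataclasses import dataclass
from datetime import datetime, time

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def parse_hhmm(value: str) -> time:
    """Parse an <hh:mm> argument: hh is 00 to 23, mm must be 00, 15, 30 or 45."""
    hh, mm = value.split(":")
    hour, minute = int(hh), int(mm)
    if not 0 <= hour <= 23:
        raise ValueError(f"hour out of range in {value!r}")
    if minute not in (0, 15, 30, 45):
        raise ValueError(f"minutes must be 00, 15, 30 or 45 in {value!r}")
    return time(hour, minute)


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: frozenset   # lowercase day names drawn from DAYS
    start: time
    end: time

    @classmethod
    def from_cli(cls, command: str) -> "RecurringSchedule":
        """Parse one 'set firewall recurringschedule <name> day ... start ... end ...'
        command. Re-issuing it replaces the day list, as the second example shows."""
        tokens = command.split()
        if tokens[:3] != ["set", "firewall", "recurringschedule"] or len(tokens) < 4:
            raise ValueError("not a set firewall recurringschedule command")
        name, days = tokens[3], set()
        start = end = time(0, 0)  # 00:00 is the documented default for both
        i = 4
        while i < len(tokens):
            keyword = tokens[i]
            if keyword == "day":
                i += 1
                while i < len(tokens) and tokens[i] in DAYS:
                    days.add(tokens[i])
                    i += 1
            elif keyword in ("start", "end"):
                if i + 1 >= len(tokens):
                    raise ValueError(f"{keyword} needs an <hh:mm> argument")
                if keyword == "start":
                    start = parse_hhmm(tokens[i + 1])
                else:
                    end = parse_hhmm(tokens[i + 1])
                i += 2
            else:
                raise ValueError(f"unknown keyword {keyword!r}")
        return cls(name, frozenset(days), start, end)

    def is_active(self, when: datetime) -> bool:
        """Rules from the note: start == end runs 24 hours on each listed day; an end
        time earlier than start runs from start on a listed day into the next day."""
        today = DAYS[when.weekday()]
        yesterday = DAYS[(when.weekday() - 1) % 7]
        now = when.time()
        if self.start == self.end:
            return today in self.days
        if self.start < self.end:
            return today in self.days and self.start <= now < self.end
        if today in self.days and now >= self.start:
            return True
        # Early hours of the day after a listed day, before the end time
        return yesterday in self.days and now < self.end


def active_at(schedule: RecurringSchedule, iso_timestamp: str) -> bool:
    """Evaluate a schedule at a local ISO 8601 timestamp such as 2003-08-04T08:00."""
    return schedule.is_active(datetime.fromisoformat(iso_timestamp))


# The two commands from the example above, plus an overnight and a 24-hour schedule
ACCESS = RecurringSchedule.from_cli(
    "set firewall recurringschedule access day monday tuesday wednesday "
    "thursday friday start 07:45 end 17:30")
ACCESS_NO_FRIDAY = RecurringSchedule.from_cli(
    "set firewall recurringschedule access day monday tuesday wednesday "
    "thursday start 07:45 end 17:30")
OVERNIGHT = RecurringSchedule.from_cli(       # constructed: Friday 22:00 to Saturday 06:00
    "set firewall recurringschedule backup day friday start 22:00 end 06:00")
ALL_DAY_SUNDAY = RecurringSchedule.from_cli(  # constructed: same start and end = 24 hours
    "set firewall recurringschedule maint day sunday start 00:00 end 00:00")

if __name__ == "__main__":
    # 2003-08-08 was a Friday and 2003-08-09 a Saturday
    print(active_at(ACCESS, "2003-08-08T09:00"))            # True
    print(active_at(ACCESS_NO_FRIDAY, "2003-08-08T09:00"))  # False
    print(active_at(OVERNIGHT, "2003-08-09T05:00"))         # True
```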

Related commands
• set firewall policy
• set firewall onetimeschedule
• get firewall schedule
• unset firewall recurringschedule


set firewall service custom


Add or edit custom firewall services.
Add a custom service if you need to create a policy for a service that is not in the predefined service
list.

Syntax description
<service-name_str>
    Add or edit a custom service. <service-name_str> is the name of the custom service
    to add or edit.
    Default: No default. Availability: All models.
{tcp | udp}
    The protocol used by the service (tcp or udp).
    Default: No default. Availability: All models.
<srcport-low_integer-srcport-high_integer>
    The source port range for the service. If the source port range can be any port,
    enter 1-65535. To specify a single port, enter the same port number for
    srcport-low_integer and srcport-high_integer. For example, if the single port is
    5003, enter 5003-5003.
    Default: No default. Availability: All models.
<dstport-low_integer-dstport-high_integer>
    The destination port range for the service. If the destination port range can be
    any port, enter 1-65535. To specify a single port, enter the same port number for
    dstport-low_integer and dstport-high_integer. For example, if the single port is
    5003, enter 5003-5003.
    Default: No default. Availability: All models.

Example
Use the following command to add a custom service called Custom_1. The service can use any
source port. The service destination port range is TCP 4501 to 4503.
set firewall service custom Custom_1 tcp 1-65535 4501-4503
Use the following command to edit Custom_1 to add a udp destination port of 5632.
set firewall service custom Custom_1 tcp 1-65535 4501-4503 udp 1-65535
5632-5632

Related commands
• unset firewall service
• set firewall policy
• set firewall service group
• get firewall service


set firewall service group


Add or edit firewall service groups.
To make it easier to add policies, you can create groups of services and then add one policy to provide
or block access for all the services in the group. A service group can contain predefined services and
custom services in any combination. You cannot add service groups to another service group.

Note: To edit a service group, you must enter all of the members of the service group, both those you are
changing and those that are staying the same.

Syntax description
<group-name_str>
    Add or edit a service group. <group-name_str> is the name of the service group to
    add or edit.
    Default: No default. Availability: All models.
member {<service_str> <service_str> <service_str> ...}
    The names, separated by spaces, of the predefined and custom firewall services to
    add to the service group. Use the command get firewall service group
    <group-name_str> followed by a space and a ? to list the predefined and custom
    services. <service_str> is case-sensitive.
    Default: No default. Availability: All models.

Example
Use the following command to add a service group called Web_Services that includes the FTP,
HTTP, HTTPS, and Real Audio services.
set firewall service group Web_Services member FTP HTTP HTTPS RAUDIO
Use the following command to add the TELNET service to the Web_Services service group.
set firewall service group Web_Services member FTP HTTP HTTPS RAUDIO
TELNET

Related commands
• unset firewall service
• set firewall policy
• set firewall service custom
• get firewall service


set firewall vip


Add and edit virtual IPs. You can add static NAT virtual IPs or port forwarding virtual IPs.
Use virtual IPs to provide access to IP addresses on a destination network that are hidden from the
source network by NAT security policies. To allow connections between these networks, you must
create a mapping between an address on the source network and the real address on the destination
network. This mapping is called a virtual IP.
You can create two types of virtual IPs:

Static NAT
    Used to translate an address on a source network to a hidden address on a
    destination network. Static NAT translates the source address of return packets to
    the address on the source network.
Port Forwarding
    Used to translate an address and a port number on a source network to a hidden
    address and, optionally, a different port number on a destination network. Using
    port forwarding you can also route packets with a specific port number and a
    destination address that matches the IP address of the interface that receives the
    packets. This technique is called port forwarding or port address translation (PAT).
    You can also use port forwarding to change the destination port of the forwarded
    packets.

Note: Virtual IPs are not available in transparent mode.

Syntax description
<vip-name_str>
    Enter the name for the VIP. If the name is new, this command adds a new VIP. If the
    name already exists, this command edits the VIP.
    Default: No default. Availability: All models.
extintf <intf_str>
    The name of the interface connected to the source network that receives the packets
    to be forwarded to the destination network. On the FortiGate-400 and up, <intf_str>
    can be the name of an interface or VLAN subinterface.
    Default: No default. Availability: All models.
extip <external_ip>
    The external IP address to be mapped to an address on the destination network.
    For example, if the virtual IP provides access from the Internet to a web server on
    a destination network, the external IP address must be a static IP address obtained
    from your ISP for your web server.
    For a static NAT virtual IP, this address must be a unique address that is not used
    by another host and cannot be the same as the IP address of the extintf <intf_str>.
    However, this address must be routed to this interface.
    For a port forwarding virtual IP, this address can be any IP address, including the
    IP address of the extintf <intf_str>.
    For FortiGate models 50, 60, 100, 200, and 300, if the IP address of extintf
    <intf_str> is set using PPPoE or DHCP, <external_ip> can be 0.0.0.0. The FortiGate
    unit substitutes the IP address set for this interface using PPPoE or DHCP.
    Default: No default. Availability: All models.
extport <ext-port_integer>
    The external service port number for which to configure port forwarding. Required
    for port forwarding virtual IPs. Not required for static NAT virtual IPs. The
    external port number must match the destination port of the packets to be
    forwarded. For example, if the virtual IP provides access from the Internet to a web
    server, the external service port number would be 80 (the HTTP port).
    Default: No default. Availability: All models. Required if type is set to
    portforward.
mappedip <mapped_ip>
    The real IP address in the more secure network or zone to which to map the
    <external_ip>.
    Default: No default. Availability: All models.
mappedport <map-port_integer>
    Enter mappedport <map-port_integer> if you want the port forwarding virtual IP to
    translate the destination port to a different port number. You only have to specify
    the mappedport if you want to translate the port.
    Default: No default. Availability: All models. Required if type is set to
    portforward.
protocol {tcp | udp}
    The protocol, TCP or UDP, to be used by the forwarded packets.
    Default: No default. Availability: All models. Required if type is set to
    portforward.
type {portforward | staticnat}
    The type of virtual IP to add or edit. Enter portforward to add or edit a port
    forwarding virtual IP. Enter staticnat to add or edit a static NAT virtual IP.
    Default: No default. Availability: All models.

Example
Use the following command to add a static NAT virtual IP named Web_Server that allows users on
the Internet to connect to a web server on your internal network. The internet address of the web
server is 64.32.21.34 and the real IP address of the web server on the internal network is
192.168.1.44.
set firewall vip Web_Server type staticnat extintf external extip
64.32.21.34 mappedip 192.168.1.44
Use the following command to edit the static NAT virtual IP named Web_Server to change the real IP
address of the web server on the internal network to 192.168.110.23.
set firewall vip Web_Server type staticnat mappedip 192.168.110.23
Use the following command to add a port forwarding virtual IP that uses port address translation to
allow external access to a web server on your internal network if you do not have a separate external
IP address for the web server. In this example, the IP address of the external interface is
192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.
set firewall vip Web_Server type portforward extintf external extip
192.168.100.99 extport 80 mappedip 192.168.1.93 mappedport 80
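As an added illustration (not FortiGate code and not part of this guide), the following Python model shows how the static NAT and port forwarding VIPs from these examples rewrite inbound packets and their replies, including the 0.0.0.0 extip substitution for a DHCP-addressed interface; the interface addresses, the Mail VIP and the packets are constructed.

```python
# Added example (not FortiGate code or part of this guide): how the two VIP types
# defined with set firewall vip rewrite inbound packets and their replies.
# Interface addresses and packets below are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class Vip:
    name: str
    type: str                         # "staticnat" or "portforward"
    extintf: str
    extip: str                        # 0.0.0.0 = use the interface's DHCP/PPPoE address
    mappedip: str
    protocol: Optional[str] = None    # tcp or udp; portforward only
    extport: Optional[int] = None     # portforward only
    mappedport: Optional[int] = None  # portforward only; None keeps the external port

    def __post_init__(self) -> None:
        if self.type not in ("staticnat", "portforward"):
            raise ValueError(f"unknown vip type {self.type!r}")
        if self.type == "portforward" and (
                self.extport is None or self.protocol not in ("tcp", "udp")):
            raise ValueError("portforward needs extport and protocol tcp|udp")


@dataclass(frozen=True)
class Packet:
    intf: str    # interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def effective_extip(vip: Vip, intf_addrs: Dict[str, str]) -> str:
    """Resolve extip 0.0.0.0 to the address the external interface currently holds."""
    return intf_addrs[vip.extintf] if vip.extip == "0.0.0.0" else vip.extip


def validate(vip: Vip, intf_addrs: Dict[str, str]) -> Optional[str]:
    """A static NAT extip must not be the extintf address; port forwarding may use it."""
    if vip.type == "staticnat":
        if effective_extip(vip, intf_addrs) == intf_addrs.get(vip.extintf):
            return "staticnat extip must be a unique address, not the extintf address"
    return None


def translate_inbound(vip: Vip, pkt: Packet, intf_addrs: Dict[str, str]) -> Optional[Packet]:
    """Rewrite a packet arriving on extintf for extip; None if the VIP does not match."""
    if pkt.intf != vip.extintf or pkt.dst != effective_extip(vip, intf_addrs):
        return None
    if vip.type == "staticnat":
        # Static NAT translates the address for every port; the port is untouched.
        return replace(pkt, dst=vip.mappedip)
    if pkt.proto != vip.protocol or pkt.dport != vip.extport:
        return None
    mapped = vip.mappedport if vip.mappedport is not None else pkt.dport
    return replace(pkt, dst=vip.mappedip, dport=mapped)


def translate_return(vip: Vip, pkt: Packet, intf_addrs: Dict[str, str]) -> Optional[Packet]:
    """Reverse the mapping for a reply from the hidden host so it leaves with the
    external address (and port) the client originally addressed."""
    if pkt.src != vip.mappedip:
        return None
    if vip.type == "staticnat":
        return replace(pkt, src=effective_extip(vip, intf_addrs))
    mapped = vip.mappedport if vip.mappedport is not None else vip.extport
    if pkt.proto != vip.protocol or pkt.sport != mapped:
        return None
    return replace(pkt, src=effective_extip(vip, intf_addrs), sport=vip.extport)


# The VIPs from the examples above; the external interface address is constructed
INTF = {"external": "192.168.100.99"}
STATIC = Vip("Web_Server", "staticnat", "external", "64.32.21.34", "192.168.1.44")
FORWARD = Vip("Web_Server", "portforward", "external", "192.168.100.99", "192.168.1.93",
              protocol="tcp", extport=80, mappedport=80)
# Constructed: external interface addressed by DHCP, so extip is given as 0.0.0.0
DHCP_INTF = {"external": "203.0.113.5"}
DHCP_FWD = Vip("Mail", "portforward", "external", "0.0.0.0", "192.168.1.25",
               protocol="tcp", extport=25, mappedport=2525)

if __name__ == "__main__":
    client = Packet("external", "tcp", "198.51.100.7", 40000, "64.32.21.34", 80)
    print(translate_inbound(STATIC, client, INTF))  # dst becomes 192.168.1.44:80
    bad = Vip("Bad", "staticnat", "external", "192.168.100.99", "192.168.1.44")
    print(validate(bad, INTF))                      # explains why this extip is rejected
```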

Related commands
• set firewall policy
• get firewall vip
• unset firewall vip


set log policy


A logging configuration consists of enabling logging on an interface, selecting a location or locations to
which to log, and selecting the type of log to record. If the FortiGate unit has a hard drive you can also
view, search and maintain logs saved to the hard disk.

Syntax description
destination {syslog | webtrends | local | console}
    Select the log locations:
    • syslog - record logs on a remote computer.
    • webtrends - record logs on a NetIQ WebTrends server.
    • local - record logs on the FortiGate hard disk or, if no hard disk is available,
      record logs to system memory.
    • console - record logs to the console.
    Use the command set log setting to enable logging to a destination and to set the
    log severity level.
    Default: No default. Availability: All models.
{emailfilter | event | ids | traffic | update | virus | webfilter}
    Select a log type. You can select one log type at a time. The traffic log type is
    not available if set log policy destination is set to local and the FortiGate unit
    does not have a hard disk.
    Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable the specified log type.
    Default: disable. Availability: All models.
category <category_str> [<category_str> [<category_str> ... ]]
    See the Category table for the list of categories for each log type.
    Default: No default. Availability: All models.

Category
Log type     Category       Description
emailfilter  email          Blocklist email detected.
             bword          Banned word email detected.
             none           Turn off emailfilter log categories.
event        configuration  Configuration change event.
             ipsec          IPSec negotiation event.
             dhcp           DHCP service event.
             ppp            L2TP, PPTP, PPPoE service event.
             login          Administrator login/logout event.
             ipmac          IP/MAC binding event.
             system         System activity event.
             ha             High Availability activity event.
             auth           Firewall authentication event.
             routegateway   Route gateway event.
             none           Turn off event log categories.
ids          detection      Attack detection activity.
             prevention     Attack prevention activity.
             none           Turn off ids log categories.
traffic                     See “set log trafficfilter rule” on page 70.
update       failed         Failed update incident.
             succeeded      Successful update incident.
             fdn            Fortinet Distribution Network error.
             none           Turn off update log categories.
virus        infected       Infected file incidents.
             filename       Blocked file incidents.
             oversize       Oversized file incidents.
             none           Turn off virus log categories.
webfilter    content        File blocked by content block list.
             urlblock       File blocked by URL block list.
             urlexempt      File exempted by URL exempt list.
             none           Turn off webfilter log categories.

Examples
Use the following command to record High Availability and firewall authentication events to the event
log on the FortiGate local hard disk:
set log policy destination local event status enable category ha auth

Related commands
• get log elog
• get log logsetting
• get log policy
• set log setting
• set log trafficfilter rule
• set log trafficfilter setting


set log setting


You can configure logging to record logs to one or more of:
• a computer running a syslog server,
• a computer running a WebTrends firewall reporting server,
• the FortiGate hard disk (if your FortiGate unit contains a hard disk),
• the console (using the CLI).
You can also configure logging to record some logs to the FortiGate system memory if your FortiGate
unit does not contain a hard disk. Logging to memory allows quick access to only the most recent log
entries. If the FortiGate unit restarts, the log entries are lost.

Note: The optional hard disk is not available for all FortiGate models and the FortiGate-50 does not have the
option to record logs to memory. Use the command get system status to confirm whether or not a hard disk
is available on the FortiGate unit.

You can select the same or different severity level for each log location. For example, you might want
to record only emergency and alert level messages to the FortiGate memory and record all levels of
messages on a remote computer.

Syntax description
{console | local | memory | syslog | webtrends}
    Select a log location. To log to more than one location, configure each log location
    separately. If the FortiGate unit contains a hard disk, local is displayed as a
    choice. If the FortiGate unit does not contain a hard disk, memory is displayed
    instead of local. Neither local nor memory are available for FortiGate-50 units.
    Default: No default. Availability: All models.
csv {enable | disable}
    Enable or disable saving logs in comma separated value (CSV) format.
    Default: disable. Availability: All models. syslog only.
diskfull {overwrite | blocktraffic | nolog}
    Set the options to use when the FortiGate hard disk runs out of space:
    • overwrite deletes the oldest log file when the hard disk is full.
    • blocktraffic blocks all network traffic when the hard disk is full.
    • nolog stops logging messages when the hard disk is full.
    Default: overwrite. Availability: Not available on the FortiGate-50. local only.
filesz <file-size_integer>
    Set a maximum log file size in Mbytes. When the log file reaches this size, the
    current log file is closed and saved and a new active log file is started. The
    default maximum log file size is 10 Mbytes and the maximum allowed is 2 Gbytes.
    Default: 10 Mbytes. Availability: Not available on the FortiGate-50. local only.
loglevel <severity_integer>
    Set the log severity level. Enter the command set log setting <location_str>
    loglevel followed by a space and a ? for a list of severity levels and their
    corresponding numbers.
    0 - Emergency - The system has become unusable.
    1 - Alert - Immediate action is required.
    2 - Critical - Functionality is affected.
    3 - Error - An erroneous condition exists and functionality is probably affected.
    4 - Warning - Functionality might be affected.
    5 - Notification - Information about normal events.
    6 - Information - General information about system operations.
    The FortiGate unit will log all levels of severity up to but not higher than the
    number you select. For example, if you want to record emergency, alert, critical,
    and error messages, select 3. If you do not select a severity level, the default
    level 0 will be used.
    Default: 0. Availability: All models. All log locations.
logtime <days_integer>
    Set a log time interval in days. After the specified time interval, the current log
    file is closed and saved and a new one is started. The default log time interval is
    10 days.
    Default: 10 days. Availability: Not available on the FortiGate-50. local only.
port <port_integer>
    Set the remote host (syslog) server port.
    Default: 514. Availability: All models. syslog only.
server <server_ip>
    Set the server IP address. The server IP address must be set separately for the
    webtrends keyword and the syslog keyword.
    Default: No default. Availability: All models. syslog and webtrends.
status {enable | disable}
    Enable or disable logging to the specified log location.
    Default: disable. Availability: All models. All log locations.

Examples
Use the following command to enable logging to a syslog server with the IP address 192.168.23.95
and a log level of 3:
set log setting syslog server 192.168.23.95 loglevel 3

Related commands
• get log logsetting
• set log policy
• set log trafficfilter rule
• set log trafficfilter setting


set log trafficfilter rule


The FortiGate unit can filter traffic logs for any source and destination address and service.

Note: Traffic logging is not available when logging to system memory.

Syntax description
<name_str>
    Type a name to identify the traffic log filter.
    Default: No default. Availability: All models.
dst <destination_ip> <netmask_ip>
    Type the destination IP address and netmask for which you want the FortiGate unit
    to log traffic messages. The address can be an individual computer, subnetwork, or
    network.
    Default: No default. Availability: All models.
service <name_str>
    Select the service group or individual service for which you want the FortiGate
    unit to log traffic messages. Use the command set log trafficfilter rule <name_str>
    service followed by a space and a ? for a list of available services.
    Default: No default. Availability: All models.
src <source_ip> <netmask_ip>
    Type the source IP address and netmask for which you want the FortiGate unit to log
    traffic messages. The address can be an individual computer, subnetwork, or network.
    Default: No default. Availability: All models.

Example
Use the following command to log the HTTP traffic coming from 192.168.0.0 and going to
192.168.23.10:
set log trafficfilter rule rule1 src 192.168.0.0 255.255.0.0
dst 192.168.23.10 service http

Related commands
• get log trafficfilter
• unset log filter
• set log trafficfilter setting
• set log policy


set log trafficfilter setting


You can enable the following global settings for traffic log entries:
• resolve IP addresses to host names,
• record session or packet information,
• display the port number or service.

Note: Traffic logging is not available when logging to system memory.

Syntax description
display {port | name}
    Select port if you want traffic log messages to list the port number, for example,
    80/tcp. Select name if you want traffic log messages to list the name of the
    service, for example, TCP.
    Default: port. Availability: All models.
resolve {enable | disable}
    Select enable if you want traffic log messages to list the IP address and the domain
    name stored on the DNS. If the primary and secondary DNS addresses provided to you by
    your ISP have not already been added, see “set system dns” on page 84 for
    information on how to add DNS addresses.
    Default: disable. Availability: All models.
type {session | packet}
    If you select session, the FortiGate unit records the number of packets sent and
    received for each session. If you select packet, the FortiGate unit records the
    average packet length, in bytes, for each session.
    Default: session. Availability: All models.

Examples
Use the following command to set the trafficfilter setting to session and the display to name:
set log trafficfilter setting type session display name

Related commands
• get log trafficfilter
• set log trafficfilter rule
• set system dns


set nids detection


Use this command to configure how the FortiGate network intrusion detection system (NIDS) detects
network attacks. You can select the interface on which the NIDS monitors network traffic for attacks,
and you can also set the NIDS for checksum verification. Checksum verification tests the integrity of
packets received at the monitored interface.

Syntax description
checksum {none | ip,tcp,udp,icmp}
    Enter one or more protocols, separated by commas, to enable checksum verification
    for that type of traffic. Enter none to turn off all checksum verification.
    Configure the NIDS to run checksums to verify that packets passing through the
    FortiGate have not been altered. For maximum protection, you can turn on checksum
    verification for all types of protocols. However, if the FortiGate does not need to
    do checksum verification, you can turn it off for some or all types of traffic to
    improve performance. You may not need to run checksum verifications if your
    FortiGate is installed behind a router that also does checksum verification.
    Default: none. Availability: All models.
interface <name_str> status {enable | disable}
    Enable or disable NIDS monitoring on the specified interface. Enter set nids
    detection interface followed by a space and a ? for a list of available interfaces.
    For all models except the FortiGate-50, you can enable NIDS monitoring for up to
    four interfaces. For the FortiGate-50 you can enable NIDS monitoring for one
    interface.
    Default: disable. Availability: All models.

Examples
Use the following command to enable NIDS monitoring on the internal interface.
set nids detection interface internal status enable
Use the following command to run checksum verification for the IP and ICMP protocols.
set nids detection checksum ip,icmp

Related commands
• get nids detection
• set nids prevention
• set nids rule


set nids prevention


Use this command to enable or disable NIDS prevention signatures.
The NIDS Prevention module contains signatures that are designed to protect your network against
attacks. The signatures detect anomalies in the data packets and protocol definitions for ICMP, IP, TCP
and UDP. When anomalies are found, the system takes action to prevent damage. In some cases
packets are dropped; in other cases network access is blocked.
In addition to being able to enable and disable all signatures, you can also modify the threshold value
for some signatures. When the threshold is exceeded, the NIDS Prevention module will take action to
block the attack.
Some signatures are enabled by default.

Syntax description
icmp <attack_str>
    Enter the name of the Internet Control Message Protocol (ICMP) NIDS prevention
    signature that you want to enable or disable, or for which to change the threshold
    value. Use the command set nids prevention icmp followed by a space and a ? for a
    list of ICMP NIDS prevention signatures.
    Default: No default. Availability: All models.
ip <attack_str>
    Enter the name of the Internet Protocol (IP) NIDS prevention signature that you want
    to enable or disable, or for which to change the threshold value. Use the command
    set nids prevention ip followed by a space and a ? for a list of IP NIDS prevention
    signatures.
    Default: No default. Availability: All models.
reset
    Enter reset to restore the default status for all NIDS Prevention signatures and to
    restore default threshold values.
    Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable the NIDS Prevention module. The NIDS Prevention module is disabled
    by default. You must enable it when you configure a new FortiGate unit, or when you
    reboot a FortiGate unit.
    Default: disable. Availability: All models.
tcp <attack_str>
    Enter the name of the Transmission Control Protocol (TCP) NIDS prevention signature
    that you want to enable or disable, or for which to change the threshold value. Use
    the command set nids prevention tcp followed by a space and a ? for a list of TCP
    NIDS prevention signatures.
    Default: No default. Availability: All models.
udp <attack_str>
    Enter the name of the User Datagram Protocol (UDP) NIDS prevention signature that
    you want to enable or disable, or for which to change the threshold value. Use the
    command set nids prevention udp followed by a space and a ? for a list of UDP NIDS
    prevention signatures.
    Default: No default. Availability: All models.

Syntax description for icmp NIDS prevention signatures


icmpdeath status {enable | disable}
    Enable or disable the ICMP Death (ping of death) prevention signature.
    Default: enable. Availability: All models.
icmpflood status {enable | disable}
    Enable or disable the ICMP Flood prevention signature.
    Default: enable. Availability: All models.
icmpflood threshold <packets/sec_integer>
    Threshold unit - maximum number of packets per second to a single destination.
    • Minimum value - 128
    • Maximum value - 102400
    Default: 256. Availability: All models.
icmpfrag status {enable | disable}
    Enable or disable the ICMP Fragment prevention signature.
    Default: disable. Availability: All models.
icmpland status {enable | disable}
    Enable or disable the ICMP Land prevention signature.
    Default: enable. Availability: All models.
icmplarge status {enable | disable}
    Enable or disable the large ICMP packet prevention signature.
    Default: enable. Availability: All models.
icmplarge threshold <bytes_integer>
    Threshold unit - maximum packet size in bytes.
    • Minimum value - 1024
    • Maximum value - 64000
    Default: 32000. Availability: All models.
icmpsrcsession status {enable | disable}
    Enable or disable the ICMP Source Session Limit prevention signature.
    Default: disable. Availability: All models.
icmpsrcsession threshold <sessions/source_integer>
    Threshold unit - maximum ICMP sessions from a single source.
    • Minimum value - 64
    • Maximum value - 2048
    Default: 128. Availability: All models.
icmpsweep status {enable | disable}
    Enable or disable the ICMP Sweep prevention signature.
    Default: enable. Availability: All models.
icmpsweep threshold <requests/second_integer>
    Threshold unit - maximum ICMP echo requests per second from a single source.
    • Minimum value - 16
    • Maximum value - 2048
    Default: 32. Availability: All models.

Syntax description for ip NIDS prevention signatures


ipfrag status {enable | disable}
    Enable or disable the IP Fragmentation prevention signature.
    Default: disable. Availability: All models.
ipland status {enable | disable}
    Enable or disable the IP Land prevention signature.
    Default: disable. Availability: All models.
iplsrr status {enable | disable}
    Enable or disable the IP Loose Source Record Routing prevention signature.
    Default: disable. Availability: All models.
iprr status {enable | disable}
    Enable or disable the IP Record Routing prevention signature.
    Default: disable. Availability: All models.
ipsecurity status {enable | disable}
    Enable or disable the IP Security Option prevention signature.
    Default: disable. Availability: All models.
ipspoofing status {enable | disable}
    Enable or disable the IP Spoofing prevention signature.
    Default: enable. Availability: All models.
ipssrr status {enable | disable}
    Enable or disable the IP Strict Source Record Routing prevention signature.
    Default: disable. Availability: All models.
ipstream status {enable | disable}
    Enable or disable the IP Stream Option prevention signature.
    Default: disable. Availability: All models.
iptimestamp status {enable | disable}
    Enable or disable the IP Timestamp Option prevention signature.
    Default: disable. Availability: All models.
ipunknoption status {enable | disable}
    Enable or disable the IP Unknown Option prevention signature.
    Default: enable. Availability: All models.
ipunknproto status {enable | disable}
    Enable or disable the IP Unknown Protocol prevention signature.
    Default: enable. Availability: All models.

74 Fortinet Inc.
set commands set nids prevention

Syntax description for tcp NIDS prevention signatures

finnoack status {enable | disable}
    Enable or disable the TCP FIN without ACK prevention signature.
    Default: enable. Availability: All models.
ftpovfl status {enable | disable}
    Enable or disable the TCP FTP Buffer Overflow prevention signature.
    Default: enable. Availability: All models.
ftpovfl threshold <bytes_integer>
    Threshold unit - maximum command buffer size in bytes.
    • Minimum value - 128
    • Maximum value - 1024
    Default: 256.
land status {enable | disable}
    Enable or disable the TCP Land prevention signature.
    Default: enable. Availability: All models.
noflag status {enable | disable}
    Enable or disable the TCP with No Flag prevention signature.
    Default: enable. Availability: All models.
pop3ovfl status {enable | disable}
    Enable or disable the TCP POP3 Buffer Overflow prevention signature.
    Default: enable. Availability: All models.
pop3ovfl threshold <bytes_integer>
    Threshold unit - maximum command buffer size in bytes.
    • Minimum value - 128
    • Maximum value - 1024
    Default: 512.
portscan status {enable | disable}
    Enable or disable the TCP Port Scan prevention signature.
    Default: enable. Availability: All models.
portscan threshold <syn/second_integer>
    Threshold unit - SYN per second.
    • Minimum value - 10
    • Maximum value - 256
    Default: 128.
smtpovfl status {enable | disable}
    Enable or disable the TCP SMTP Buffer Overflow prevention signature.
    Default: enable. Availability: All models.
smtpovfl threshold <bytes_integer>
    Threshold unit - maximum command buffer size in bytes.
    • Minimum value - 128
    • Maximum value - 1024
    Default: 512.
srcsession status {enable | disable}
    Enable or disable the TCP Source Session Limit prevention signature.
    Default: disable. Availability: All models.
srcsession threshold <sessions_integer>
    Threshold unit - maximum TCP sessions from a single source.
    • Minimum value - 128
    • Maximum value - 10240
    Default: 2048.
synfin status {enable | disable}
    Enable or disable the TCP SYN with FIN prevention signature.
    Default: enable. Availability: All models.
synflood status {enable | disable}
    Enable or disable the TCP SYN Flood prevention signature.
    Default: disable. Availability: All models.
synflood threshold <syn/second_integer>
    Threshold unit - SYN per second.
    • Minimum value - 30
    • Maximum value - 3000
    • Default value - 200
synflood queue_size <prox-connect_integer>
    Queue size unit - maximum proxied connections.
    • Minimum value - 10
    • Maximum value - 1024
    • Default value - 1024
synflood timeout <seconds_integer>
    Timeout unit - seconds.
    • Minimum value - 3
    • Maximum value - 60
    • Default value - 15
synfrag status {enable | disable}
    Enable or disable the TCP SYN Fragment prevention signature.
    Default: enable. Availability: All models.
url status {enable | disable}
    Enable or disable the TCP Invalid URL prevention signature.
    Default: enable. Availability: All models.
winnuke status {enable | disable}
    Enable or disable the TCP Winnuke prevention signature.
    Default: enable. Availability: All models.

Syntax description for udp NIDS prevention signatures

udpflood status {enable | disable}
    Enable or disable the UDP Flood prevention signature.
    Default: disable. Availability: All models.
udpflood threshold <packets/second_integer>
    Threshold unit - maximum packets per second to a single destination.
    • Minimum value - 512
    • Maximum value - 102400
    Default: 2048.
udpland status {enable | disable}
    Enable or disable the UDP Land prevention signature.
    Default: enable. Availability: All models.
udpsrcsession status {enable | disable}
    Enable or disable the UDP Source Session Limit prevention signature.
    Default: disable. Availability: All models.
udpsrcsession threshold <sessions_integer>
    Threshold unit - maximum UDP sessions from a single source.
    • Minimum value - 512
    • Maximum value - 102400
    Default: 1024.

Examples
Use the following command to enable the NIDS Prevention module:
set nids prevention status enable
Use the following command to restore the NIDS Prevention to its default configuration:
set nids prevention reset
Use the following command to enable the TCP Port Scan signature and set the threshold to 200 SYN per
second:
set nids prevention tcp portscan status enable threshold 200
Use the following command to change the TCP Port Scan attack threshold to 100 SYN per second:
set nids prevention tcp portscan threshold 100
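When the thresholds in the tables above are set from a script rather than by hand, the value is easiest to get wrong in two ways: outside the documented minimum/maximum (the unit rejects it) or higher than the default (the signature fires later, so more attack traffic passes first). The following Python is an added example, not Fortinet code: it carries the documented ranges and defaults for every tunable on this page, range-checks a value before emitting the set nids prevention command, and reports whether a value is looser than the default. The LIMITS table, the function names and the Limit class are this example's own.

```python
"""Range-check and build `set nids prevention` threshold commands.

Added example (not Fortinet code). The limits below are transcribed from the
syntax tables for the icmp, tcp and udp prevention signatures in this section.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    minimum: int
    maximum: int
    default: int


# (protocol, signature, keyword) -> documented limits and default.
LIMITS = {
    ("icmp", "icmpsrcsession", "threshold"): Limit(64, 2048, 128),
    ("icmp", "icmpsweep", "threshold"): Limit(16, 2048, 32),
    ("tcp", "ftpovfl", "threshold"): Limit(128, 1024, 256),
    ("tcp", "pop3ovfl", "threshold"): Limit(128, 1024, 512),
    ("tcp", "portscan", "threshold"): Limit(10, 256, 128),
    ("tcp", "smtpovfl", "threshold"): Limit(128, 1024, 512),
    ("tcp", "srcsession", "threshold"): Limit(128, 10240, 2048),
    ("tcp", "synflood", "threshold"): Limit(30, 3000, 200),
    ("tcp", "synflood", "queue_size"): Limit(10, 1024, 1024),
    ("tcp", "synflood", "timeout"): Limit(3, 60, 15),
    ("udp", "udpflood", "threshold"): Limit(512, 102400, 2048),
    ("udp", "udpsrcsession", "threshold"): Limit(512, 102400, 1024),
}


def check_value(proto, sig, keyword, value):
    """Return value if it is an int inside the documented range, else raise ValueError."""
    key = (proto, sig, keyword)
    if key not in LIMITS:
        raise ValueError(f"{proto} {sig} has no documented tunable {keyword!r}")
    lim = LIMITS[key]
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{sig} {keyword} must be an integer, got {value!r}")
    if not lim.minimum <= value <= lim.maximum:
        raise ValueError(
            f"{sig} {keyword}={value} is outside {lim.minimum}-{lim.maximum}")
    return value


def is_valid(proto, sig, keyword, value):
    """Boolean form of check_value, convenient for pre-flight checks."""
    try:
        check_value(proto, sig, keyword, value)
    except ValueError:
        return False
    return True


def looser_than_default(proto, sig, keyword, value):
    """True when the value lets more traffic through than the documented default.

    For every tunable on this page a higher number means the signature
    triggers later (more SYN/s, more sessions, a larger buffer), so a value
    above the default weakens protection and is worth a second look."""
    lim = LIMITS[(proto, sig, keyword)]
    return check_value(proto, sig, keyword, value) > lim.default


def build_command(proto, sig, status=None, **tunables):
    """Build one `set nids prevention <proto> <sig> ...` line.

    Every tunable is range-checked first, so nothing the unit would reject
    is ever emitted. Keyword order follows the call order."""
    parts = ["set", "nids", "prevention", proto, sig]
    if status is not None:
        if status not in ("enable", "disable"):
            raise ValueError("status must be enable or disable")
        parts += ["status", status]
    for keyword, value in tunables.items():
        parts += [keyword, str(check_value(proto, sig, keyword, value))]
    if len(parts) == 5:
        raise ValueError("nothing to set: give status and/or a tunable")
    return " ".join(parts)


if __name__ == "__main__":
    # The page's own example, rebuilt through the checker.
    print(build_command("tcp", "portscan", status="enable", threshold=200))
    print("looser than default:",
          looser_than_default("tcp", "portscan", "threshold", 200))
```

A script that reads intended values from a change ticket can call is_valid on each one and refuse the whole change if any value is out of range, rather than discovering the rejection halfway through applying it on the unit.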

Related commands
• get nids prevention
• set nids detection
• set nids rule


set nids rule


Use this command to enable or disable the NIDS Detection signature groups.
The NIDS Detection module uses over 1,000 signatures. These signatures are arranged into groups
based on the type of attack. By default, all signature groups are enabled. For a list of all the signatures
in a signature group, see “get nids rule” on page 195.
You cannot enable or disable individual signatures contained within a signature group. All signatures
within a group are either enabled or disabled when you enable or disable the group.
By disabling a signature group, you can improve system performance and reduce the number of log
messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of
web server attacks. If you do not provide access to a web server behind your firewall, you might want
to disable all web server attack signatures.
You can also add a user-defined attack signature to detect attacks not included in the current attack
definitions file.
Use the syntax described in the “Creating user-defined signatures” chapter of the FortiGate NIDS
Guide to create user-defined signature rules in a text file. You can then upload the text file to the
FortiGate unit using the command “execute restore” on page 233. The FortiGate unit assigns a unique
ID to each rule in the file, and adds the signatures to the User Defined Signature group on the
signature groups list.
Once you have created and uploaded a user-defined signature list, you can then use the command
“execute backup” on page 224 to download the list from the FortiGate unit. You can edit existing
signature rules or add new signature rules, and then restore the edited list to the FortiGate unit.

Note: User-defined signatures are an advanced feature and should only be created and added to the FortiGate
unit by IT specialists who are familiar with programming concepts and with network intrusion detection systems.

Syntax description
<group-name_str>
    The name of the signature group to enable or disable. Use the command set nids rule
    followed by a space and ? or the command get nids rule for a list of signature groups.
    Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable the specified signature group.
    Default: enable. Availability: All models.

Examples
Use the following command to disable the web-apache signature group:
set nids rule web-apache status disable

Related commands
• get nids rule
• execute backup
• execute restore


set system admin


Use this command to add or edit administrative user accounts.
When the FortiGate unit is initially installed, it is configured with a single administrator account with the
user name admin. From this administrator account, you can add and edit administrator accounts. You
can also control the access level of each of these administrator accounts and, optionally, control the IP
address from which the administrator can connect to the FortiGate unit.

Syntax description
username <name_str>
    A name for this administrator account. If the administrator account name already exists, this
    command changes its account settings. If the administrator account name does not exist, this
    command adds a new administrator account name.
    Default: No default. Availability: All models.
password <passwd_str>
    Enter a password for the administrator account. For improved security, the password should be
    at least 6 characters long.
    Default: No default. Availability: All models.
permission {readonly | readwrite}
    If you set the permission level for the administrator to readwrite, the administrator can:
    • view and change the FortiGate configuration from the web-based manager, or from the CLI
      using get and set commands,
    • change his or her administrator account password using the web-based manager.
    The administrator cannot use the set system admin command from the CLI and cannot add,
    edit, or delete administrator accounts using the web-based manager.
    If you set the permission level for the administrator to readonly, the administrator can view
    the FortiGate configuration using the web-based manager or using the CLI get commands. See
    “Access levels” on page 13 for more information.
    Default: readonly. Availability: All models. You cannot change the admin administrator
    account permissions.
trusthost <address_ip> <netmask_ip>
    The IP address or subnet address and netmask from which the administrator can connect to the
    FortiGate. If you want the administrator to be able to access the FortiGate from any address,
    set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0. Availability: All models.

Examples
You can use the following commands to add a readonly administrator account with the name
new_adm.
set system admin username new_adm password a2b4c6 permission readonly
Then you can use the following command to edit this account.
set system admin username new_adm permission readwrite
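The two settings on this page that matter most for who can change the firewall are permission and trusthost, and the trusthost default of 0.0.0.0/0.0.0.0 means a new readwrite account can be used from anywhere. The following Python is an added example, not Fortinet code: it builds the set system admin command while enforcing the 6-character password guidance from the table, and it reviews a list of accounts to find readwrite administrators whose trusthost is still unrestricted. The account dictionaries, the sample accounts and all function names are this example's own.

```python
"""Build `set system admin` commands and audit trusthost restrictions.

Added example (not Fortinet code). Password length and the trusthost
default come from the syntax description above.
"""
import ipaddress

MIN_PASSWORD_LEN = 6                      # "at least 6 characters" per the table
DEFAULT_TRUSTHOST = ("0.0.0.0", "0.0.0.0")  # page default: connect from anywhere
PERMISSIONS = ("readonly", "readwrite")


def trusthost_network(address, netmask):
    """Subnet an administrator may connect from; raises ValueError on bad input."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def is_unrestricted(address, netmask):
    """True when the trusthost allows logins from every source address."""
    return trusthost_network(address, netmask).prefixlen == 0


def validate_admin(username, password, permission, trusthost=None):
    """Return a list of problems (empty when the account settings are acceptable)."""
    problems = []
    if not username or any(c.isspace() for c in username):
        problems.append("username must be a single non-empty word")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if permission not in PERMISSIONS:
        problems.append(f"permission must be one of {PERMISSIONS}")
    if trusthost is not None:
        try:
            trusthost_network(*trusthost)
        except ValueError as exc:
            problems.append(f"bad trusthost: {exc}")
    return problems


def admin_command(username, password, permission, trusthost=None):
    """Build the CLI line, refusing settings that fail validate_admin."""
    problems = validate_admin(username, password, permission, trusthost)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["set", "system", "admin", "username", username,
             "password", password, "permission", permission]
    if trusthost is not None:
        parts += ["trusthost", trusthost[0], trusthost[1]]
    return " ".join(parts)


def risky_accounts(accounts):
    """Names of readwrite accounts reachable from any address.

    accounts: iterable of dicts with keys username, permission and
    trusthost ((address, netmask) or None meaning the page default)."""
    flagged = []
    for acct in accounts:
        address, netmask = acct.get("trusthost") or DEFAULT_TRUSTHOST
        if acct["permission"] == "readwrite" and is_unrestricted(address, netmask):
            flagged.append(acct["username"])
    return flagged


if __name__ == "__main__":
    # Constructed sample accounts; only "ops" is both readwrite and unrestricted.
    sample = [
        {"username": "ops", "permission": "readwrite", "trusthost": None},
        {"username": "auditor", "permission": "readonly", "trusthost": None},
        {"username": "netadm", "permission": "readwrite",
         "trusthost": ("10.0.1.0", "255.255.255.0")},
    ]
    print(risky_accounts(sample))
    print(admin_command("netadm", "s3cretpw", "readwrite",
                        ("10.0.1.0", "255.255.255.0")))
```

The accounts list for risky_accounts would normally be filled from the output of get system admin; the check is deliberately narrow (readwrite plus an all-zero trusthost) so it can run as a pre-commit gate without producing noise for readonly accounts.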

Related commands
• get system admin
• unset system admin


set system autoupdate


Use this command to configure scheduled and push updates.
You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) and
automatically update the antivirus and attack definitions and antivirus engine. You can also configure
the FortiGate unit to accept push updates from the FDN.
Before the FortiGate unit can receive scheduled updates and push updates, you must register the
FortiGate unit on the Fortinet Support web page.
For more information on registering your FortiGate unit and customizing and troubleshooting the
connection to the FDN, see the Installation and Configuration Guide.
For server and push update availability status, see “get system autoupdate” on page 197.
For current update status including version information, see “get system objver” on page 204.

Note: You can also initiate an update at any time using the command execute updatecenter updatenow.

Syntax description
pushaddressoverride {enable <server_ip> <port> | disable}
    Enable or disable a push address override. You must enable pushupdate before enabling
    pushaddressoverride.
    If the FDN must connect to the FortiGate unit through a NAT device, you must configure port
    forwarding on the NAT device and add the port forwarding information to the push update
    configuration. See “set firewall vip” on page 64.
    Enter the External IP address that the FDN connects to. This is the address of the external
    interface of the FortiGate NAT device.
    Enter the External Service Port that the FDN connects to. This can be port 9443 or an override
    push port that you assign.
    You cannot receive push updates through a NAT device if the external IP address of the NAT
    device is dynamic (for example, set using PPPoE or DHCP).
    Default: disable. Availability: All models.
pushupdate {enable | disable}
    Enable or disable updates initiated by the update center.
    Default: disable. Availability: All models.
schedule {enable | disable}
    Enable or disable scheduled updates, at regular intervals throughout the day, once a day, or
    once a week.
    Default: disable. Availability: All models.
every <hh:mm>
    Schedule updates at regular intervals throughout the day. <hh:mm> is the time interval to
    wait between updates.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45
    Default: No default. Availability: All models. schedule must be enabled.
daily <hh:mm>
    Schedule updates once a day. <hh:mm> is the time of day at which to update.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45
    Default: No default. Availability: All models. schedule must be enabled.
weekly <day_integer> <hh:mm>
    Schedule updates once a week. <day_integer> is the day of the week on which to update.
    • 0 Sunday
    • 1 Monday
    • 2 Tuesday
    • 3 Wednesday
    • 4 Thursday
    • 5 Friday
    • 6 Saturday
    <hh:mm> is the time of day at which to update.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45
    Default: No default. Availability: All models. schedule must be enabled.
serveroverride {enable <server_ip> | disable}
    If you cannot connect to the FDN or if your organization provides updates using their own
    FortiResponse server, you can enable serveroverride and add the IP address of an override
    FortiResponse server.
    Default: disable. Availability: All models.
tunneling {enable [address <proxy-address_ip> [port <proxy-port> [username <username_str>
    [password <password_str>]]]] | disable [address <proxy-address_ip> [port <proxy-port>
    [username <username_str> [password <password_str>]]]]}
    Configure the FortiGate unit to use a proxy server to connect to the FDN. To use the proxy
    server you must enable tunnelling and add the IP address and port required to connect to the
    proxy server. If the proxy server requires authentication, add the user name and password
    required to connect to the proxy server.
    To disable connecting to a proxy server, enter the command set system autoupdate
    tunneling disable address <address_ip>, where <address_ip> can be any IP address.
    To change the tunnelling configuration, re-enter the complete new tunnelling configuration,
    including the parameters that do not change.
    Default: disable. Availability: All models.

Examples
You can use the following command to schedule updates once a day at 07:30:
set system autoupdate schedule enable daily 07:30
Related commands
• get system autoupdate
• execute updatecenter updatenow
• set firewall vip


set system brctl


Use this command to create a static MAC table.

Syntax description
add interface <intf_str> mac <address_hex>
    Enter an interface name. Use the command set system brctl add interface followed by a
    space and a ? for a list of available interfaces. Enter a MAC address.
    Default: No default. Availability: All models. Transparent mode only.
del mac [interface] [<mac-address_hex>]
    Delete entries from the mac table. You can enter either an interface name or a MAC address.
    Default: No default. Availability: All models. Transparent mode only.
list
    Show the static MAC entries.
    Default: No default. Availability: All models. Transparent mode only.

Example
Use the following command to add a static MAC entry for the internal interface:
set system brctl add interface internal mac 11:00:aa:ff:33:22


set system dhcpserver


Configure the FortiGate to be a DHCP server for your internal network.

Syntax description
defaultroute <gateway_ip>
    The default route to be assigned to DHCP clients. The defaultroute, exclusionrange,
    iprange, and reserve IP addresses must all be on the same subnet as the internal interface.
    Default: FortiGate-50 and 60: 192.168.1.99. Other models, no default. Availability: All models.
dns <dns_ip> [<dns_ip>] [<dns_ip>]
    The IP addresses of up to 3 DNS servers that the DHCP clients can use for looking up domain
    names. Use a space to separate the IP addresses. To remove a DNS IP, set the IP to 0.0.0.0.
    Default: No default. Availability: All models.
domain <domain_str>
    The domain name that the DHCP server assigns to the DHCP clients.
    Default: No default. Availability: All models.
exclusionrange {<start1_ip-end1_ip> | none} [{<start2_ip-end2_ip> | none}]
    [{<start3_ip-end3_ip> | none}] [{<start4_ip-end4_ip> | none}]
    Enter up to 4 exclusion ranges of IP addresses within the starting IP and ending IP addresses
    that cannot be assigned to DHCP clients. Separate the IP addresses in the range with a dash (-).
    Do not add spaces. Use a space to separate ranges. The defaultroute, exclusionrange,
    iprange, and reserve IP addresses must all be on the same subnet as the internal interface.
    To change an exclusion range you must redefine all of the exclusion ranges. To remove all
    exclusion ranges, replace the first exclusion range with none.
    Default: FortiGate-50 and 60: 192.168.1.99-192.168.1.99. Other models, no default.
    Availability: All models.
iprange <start_ip-end_ip>
    The starting IP and the ending IP for the range of IP addresses that the FortiGate unit can
    assign to DHCP clients. The defaultroute, exclusionrange, iprange, and reserve IP
    addresses must all be on the same subnet as the internal interface.
    Default: FortiGate-50 and 60: 192.168.1.1-192.168.1.254. Other models, no default.
    Availability: All models.
leaseduration <lease_int>
    The interval in seconds after which a DHCP client must ask the DHCP server for a new address.
    The lease duration must be between 300 and 8000000 seconds.
    Default: FortiGate-50 and 60: 604800 (7 days). Other models, no default.
    Availability: All models.
netmask <netmask_ip>
    The Netmask that the FortiGate DHCP server assigns to the DHCP clients.
    Default: FortiGate-50 and 60: 255.255.255.0. Other models, no default. Availability: All models.
reserve <reserve_ip> <reserve_mac> [<name_str> | none]
    Reserve an IP address so that the FortiGate DHCP server always assigns this IP address to the
    device with the specified MAC address. Optionally specify a name for the IP and MAC address
    pair. The reserved IP cannot be assigned to any other device. You can only add a given IP
    address or MAC address once. The defaultroute, exclusionrange, iprange, and reserve IP
    addresses must all be on the same subnet as the internal interface.
    Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable the FortiGate DHCP server for your internal network.
    Default: disable. Availability: All models.
winsserver {<server1_ip> | none} [{<server2_ip> | none}]
    Enter one or two WINS server IP addresses that are assigned to DHCP clients.
    Default: No default. Availability: All models.

Examples
Use the following command to create a DHCP configuration that assigns IPs in the range
192.168.1.100 to 192.168.1.200 with a netmask of 255.255.255.0, configures DHCP clients to request
a new IP address once a day, and assigns DHCP clients a default route of 192.168.1.99.
set system dhcpserver iprange 192.168.1.100-192.168.1.200 netmask
255.255.255.0 leaseduration 86400 defaultroute 192.168.1.99
Use the following command to enable the FortiGate DHCP server.
set system dhcpserver status enable
Use the following command to assign the address 205.34.123.1 to the first DNS server assigned to
DHCP clients.
set system dhcpserver dns 205.34.123.1
Use the following command to set up the first exclusion range for DHCP clients and to exclude IP
addresses from 192.168.1.120 to 192.168.1.130 from that range.
set system dhcpserver exclusionrange 192.168.1.120-192.168.1.130
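The syntax table repeats one rule four times: defaultroute, exclusionrange, iprange and reserve addresses must all lie on the internal interface's subnet, and exclusion ranges must fall inside the iprange. Checking that by eye across several ranges and reservations is error-prone, so the following Python is an added example, not Fortinet code, that verifies those constraints (plus the 4-range limit, the 300-8000000 second lease window and the one-IP-one-MAC rule for reserve) and only then emits the set system dhcpserver lines. The function names, the argument layout and the sample values are this example's own; the address values reuse the page's example above.

```python
"""Consistency check for `set system dhcpserver` settings.

Added example (not Fortinet code). The constraints are taken from the
syntax description above: same-subnet rule, at most 4 exclusion ranges,
lease 300-8000000 seconds, each IP and MAC reserved at most once.
"""
import ipaddress

LEASE_MIN, LEASE_MAX = 300, 8_000_000   # seconds
MAX_EXCLUSIONS = 4


def parse_range(text):
    """Parse '<start_ip-end_ip>' (dash, no spaces) into (start, end) addresses."""
    start, sep, end = text.partition("-")
    if not sep:
        raise ValueError(f"range {text!r} must be written start-end")
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError(f"range {text!r} runs backwards")
    return lo, hi


def within(addr, rng):
    return rng[0] <= addr <= rng[1]


def check_dhcp_config(internal_ip, netmask, iprange, defaultroute=None,
                      exclusionranges=(), reserves=(), leaseduration=None):
    """Return a list of problems; an empty list means the settings are consistent.

    internal_ip/netmask describe the internal interface; reserves is a list of
    (ip, mac) pairs."""
    problems = []
    subnet = ipaddress.ip_network(f"{internal_ip}/{netmask}", strict=False)
    pool = parse_range(iprange)
    for label, addr in (("iprange start", pool[0]), ("iprange end", pool[1])):
        if addr not in subnet:
            problems.append(f"{label} {addr} is not on internal subnet {subnet}")
    if defaultroute is not None and ipaddress.IPv4Address(defaultroute) not in subnet:
        problems.append(f"defaultroute {defaultroute} is not on internal subnet {subnet}")
    if len(exclusionranges) > MAX_EXCLUSIONS:
        problems.append(f"{len(exclusionranges)} exclusion ranges; at most {MAX_EXCLUSIONS} allowed")
    for text in exclusionranges:
        rng = parse_range(text)
        if not (within(rng[0], pool) and within(rng[1], pool)):
            problems.append(f"exclusionrange {text} is not inside iprange {iprange}")
    seen_ip, seen_mac = set(), set()
    for ip_text, mac in reserves:
        ip, mac = ipaddress.IPv4Address(ip_text), mac.lower()
        if ip not in subnet:
            problems.append(f"reserve {ip} is not on internal subnet {subnet}")
        if ip in seen_ip or mac in seen_mac:
            problems.append(f"reserve {ip} {mac} repeats an IP or MAC already reserved")
        seen_ip.add(ip)
        seen_mac.add(mac)
    if leaseduration is not None and not LEASE_MIN <= leaseduration <= LEASE_MAX:
        problems.append(f"leaseduration {leaseduration} outside {LEASE_MIN}-{LEASE_MAX} seconds")
    return problems


def dhcp_commands(internal_ip, netmask, iprange, defaultroute=None,
                  exclusionranges=(), reserves=(), leaseduration=None):
    """Return the CLI lines to apply, or raise ValueError if the check fails."""
    problems = check_dhcp_config(internal_ip, netmask, iprange, defaultroute,
                                 exclusionranges, reserves, leaseduration)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set system dhcpserver iprange {iprange} netmask {netmask}"
    if leaseduration is not None:
        base += f" leaseduration {leaseduration}"
    if defaultroute is not None:
        base += f" defaultroute {defaultroute}"
    lines = [base]
    if exclusionranges:
        lines.append("set system dhcpserver exclusionrange " + " ".join(exclusionranges))
    for ip_text, mac in reserves:
        lines.append(f"set system dhcpserver reserve {ip_text} {mac}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the page's own ranges plus one reservation.
    for line in dhcp_commands("192.168.1.99", "255.255.255.0",
                              "192.168.1.100-192.168.1.200",
                              defaultroute="192.168.1.99",
                              exclusionranges=["192.168.1.120-192.168.1.130"],
                              reserves=[("192.168.1.150", "00:11:22:33:44:55")],
                              leaseduration=86400):
        print(line)
```

Because every exclusionrange change must restate all ranges (see the table), the generator always emits the full list in one line; running check_dhcp_config before dhcp_commands keeps a half-applied configuration from ever reaching the unit.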

Related commands
• get system dhcpserver
• unset system dhcpserver


set system dns


Use this command to set the DNS server addresses. Several FortiGate functions, including sending
email alerts and URL blocking, use DNS.

Syntax description
primary {<server_ip> | none}
    Enter the primary DNS server IP address. Enter none to delete the primary DNS server IP
    address.
    Default: 207.194.200.1. Availability: All models.
secondary {<server_ip> | none}
    Enter the secondary DNS server IP address. Enter none to delete the secondary DNS server IP
    address.
    Default: 207.194.200.129. Availability: All models.

Examples
Use the following command to set the primary DNS server to 207.194.200.2:
set system dns primary 207.194.200.2
Use the following command to delete the primary DNS server:
set system dns primary none

Related commands
• get system dns


set system ha
Use this command to configure FortiGate high availability (HA). HA is supported on FortiGate units
300 and up. On all FortiGate units that support HA, except the FortiGate-500, you must use the
command set system interface <int_str> config hamode enable to configure the HA
interface for HA operation before the set system ha command is available.
Except for priority, override, and monitor, the HA configuration that you create using the set
system ha command must be identical for each FortiGate unit in the cluster.

Syntax description
groupid <id_integer>
    The HA group ID. The group ID range is from 0 to 63. All members of the HA cluster must have
    the same group ID.
    Default: 0. Availability: Models numbered 300 and higher.
mode {standalone | a-a | a-p}
    The HA mode.
    Enter standalone to remove the FortiGate unit from an HA cluster.
    Enter a-a to create an active-active HA cluster. In an active-active cluster, all units process
    traffic and the primary unit performs load balancing to share connections among all units in the
    cluster.
    Enter a-p to create an active-passive HA cluster, where one FortiGate in the HA cluster is the
    primary unit that processes all connections and the others are in active standby, monitoring the
    status and remaining synchronized with the primary FortiGate unit.
    Default: standalone. Availability: Models numbered 300 and higher.
monitor <intf_str> <intf_str> <intf_str> ... none
    Enter the names of the FortiGate interfaces that are to be monitored. Separate each name with
    a space. Configure monitor to monitor FortiGate interfaces to make sure they are up and
    actively processing network traffic. If the interface fails or is disconnected the FortiGate unit
    reverts to a standby state and is removed from the cluster.
    Enter none to remove all the interface names.
    Default: none. Availability: Models numbered 300 and higher.
override {enable | disable}
    Configure the FortiGate unit to override another primary unit in the cluster with the same
    priority and become the primary unit.
    Default: disable. Availability: Models numbered 300 and higher.
password <passwd_str>
    Enter a password for the HA cluster. The password must be the same for all FortiGate units in
    the HA cluster. The maximum password length is 8 characters.
    Default: No default. Availability: Models numbered 300 and higher.
priority {<priority_int> | default}
    Set the clustering priority of the FortiGate unit. The unit with the lowest priority becomes the
    primary unit. The priority range is 0 to 255. If more than one unit in the cluster has the same
    priority, the cluster negotiates between these units to select the primary unit.
    Default: 255. Availability: Models numbered 300 and higher.
schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
    A-A load balancing schedule.
    none: no load balancing. Use none when the cluster interfaces are connected to load balancing
    switches.
    hub: load balancing if the cluster interfaces are connected to a hub. Traffic is distributed to
    units in a cluster based on the Source IP and Destination IP of the packet.
    leastconnection: least connection load balancing. If the FortiGate units are connected using
    switches, use leastconnection to distribute traffic to the cluster unit currently processing
    the fewest connections.
    round-robin: round robin load balancing. If the FortiGate units are connected using switches,
    use round-robin to distribute traffic to the next available cluster unit.
    weight-round-robin: weighted round robin load balancing. Similar to round robin, but weighted
    values are assigned to each of the units in a cluster based on their capacity and on how many
    connections they are currently processing. For example, the primary unit should have a lower
    weighted value because it handles scheduling and forwards traffic. Weighted round robin
    distributes traffic more evenly because units that are not processing traffic will be more likely
    to receive new connections than units that are very busy. You can optionally use the weight
    keyword to set a weighting for each FortiGate unit.
    random: random load balancing. If the FortiGate units are connected using switches, use random
    to randomly distribute traffic to cluster units.
    ip: load balancing according to IP address. If the FortiGate units are connected using switches,
    use ip to distribute traffic to units in a cluster based on the Source IP and Destination IP of
    the packet.
    ipport: load balancing according to IP address and port. If the FortiGate units are connected
    using switches, use ipport to distribute traffic to units in a cluster based on the source IP,
    source port, destination IP, and destination port of the packet.
    Default: round-robin. Availability: Models numbered 300 and higher. a-a mode only.
weight <p1_weight_integer> [<p2_weight_integer>] [<p3_weight_integer>] ... [<p32_weight_integer>]
    For weighted-round robin scheduling, the weight to assign to each unit in the cluster according
    to its priority. Weights are assigned by priority and the unit with that priority is assigned that
    weight. By default the weight for all priorities is 1. Increase the weight of a priority to
    increase the number of connections processed by the cluster unit with that priority. Weight can
    be from 0 to 32.
    Default: All priority IDs set to 1. Availability: Models numbered 300 and higher. a-a mode only;
    weight-round-robin only.

Examples
Use the following commands to configure a FortiGate-500 for active-active HA mode with a group ID of
23 and an HA password of hapass. Also configure the FortiGate-500 to monitor the internal, external,
and port1 interfaces:
set system ha mode a-a
set system ha groupid 23
set system ha password hapass
set system ha monitor internal external port1


Use the following command to set the HA priority of a FortiGate unit to 0 so that this unit always
becomes the primary unit in the cluster.
set system ha priority 0

Related commands
• get system ha
• execute ha manage
• execute ha synchronize
• set system interface


set system hostname


Change the host name of the FortiGate unit.
The FortiGate host name is used as the SNMP system name. By default the host name is the
FortiGate model name.

Syntax description
<hostname_str>
    Type a name for this FortiGate unit. The host name can be up to 31 characters long and can
    contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters
    - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.
    Default: Model name. Availability: All models.

Examples
Use the following command to change the FortiGate unit host name to Main_Office:
set system hostname Main_Office

Related commands
• get system status
• unset system hostname
• set system snmp


set system interface


Use this command to edit the configuration of a FortiGate interface.
For FortiGate models 400 and up, use this command to edit the configuration of a VLAN subinterface.
In the following table, VLAN subinterface can be substituted for interface in most places except that
you can only configure VLAN subinterfaces with static IP addresses. Use the command set system
vlan to add a VLAN subinterface.

Syntax description
<intf_str>
    The name of the interface to configure. Enter set system interface followed by a space
    and a ? to display the list of interfaces. For FortiGate models 400 and up <intf_str> can also
    be a VLAN subinterface.
    Default: No default. Availability: All models.
mode {dhcp | pppoe | static}
    Configure the connection mode for the interface and configure the primary IP address for the
    interface.
    static, configure a static IP address for the interface.
    dhcp, configure the interface to receive its IP address from a DHCP server.
    pppoe, configure the interface to receive its IP address from a PPPoE server.
    Default: No default. Availability: All models. dhcp and pppoe are available for the
    FortiGate-50, 100, 200, and 300 external interface and FortiGate-60 wan1 interface. Not
    available in Transparent mode.
config
    Set interface parameters.
    Default: No default. Availability: All models.

Keyword for dhcp
connection {enable | disable}
    Enable or disable connecting to a DHCP server to configure the external interface.
    Default: FortiGate-100, 200, 300: disable. FortiGate-50 and 60: enable.
    Availability: FortiGate-50, 100, 200, and 300 external interface. FortiGate-60 wan1 interface.
    Not available in Transparent mode.

Keywords for pppoe
connection {enable | disable}
    Enable or disable connecting to a PPPoE server to configure the external interface.
    Default: FortiGate-100, 200, 300: disable. FortiGate-50 and 60: enable.
    Availability: FortiGate-50, 100, 200, and 300 external interface. FortiGate-60 wan1 interface.
    Not available in Transparent mode.
ipunnumbered {enable [borrow <address_ip>] | disable}
    Enable or disable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the
    interface. This IP address can be the same as the IP address of another interface or can be any
    IP address.
    Default: disable. Availability: FortiGate-50, 100, 200, and 300 external interface.
    FortiGate-60 wan1 interface. Not available in Transparent mode.
password <password_str>
    Enter the password to connect to the PPPoE server.
    Default: No default. Availability: FortiGate-50, 100, 200, and 300 external interface.
    FortiGate-60 wan1 interface. Not available in Transparent mode.
username <name_str>
    Enter the user name to connect to the PPPoE server.
    Default: No default. Availability: FortiGate-50, 100, 200, and 300 external interface.
    FortiGate-60 wan1 interface. Not available in Transparent mode.

Note: The first time you configure a FortiGate external interface for PPPoE you must enter both the username
and password keywords.

Keyword for static
ip <intf_ip> <netmask_ip>
    The interface IP address and netmask.
    Default: Varies for each interface. Availability: All models. Not available in Transparent mode.

Keywords for config
allowaccess {ping https snmp ssh http telnet}
    Allow management access to the interface. You can enter one or more of the management
    access types separated by spaces.
    Default: Varies for each interface. Availability: All models.
arpforward {enable | disable}
    Enable or disable layer 2 ARP forwarding for an interface.
    Default: disable. Availability: All models.
denyaccess {ping https snmp ssh http telnet}
    Deny management access to the interface. You can enter one or more of the management
    access types separated by spaces.
    Default: No default. Availability: All models.
detectserver <ping_ip>
    Add the IP address of a ping server. A ping server is usually the next hop router on the
    network connected to the interface. If gwdetect is enabled, the FortiGate unit confirms
    connectivity with the server at this IP address. Adding a ping server is required for routing
    failover.
    Default: No default. Availability: All models. Not available in Transparent mode.
gwdetect {enable | disable}
    Enable or disable confirming connectivity with the server at the detectserver <ping_ip> IP
    address. The frequency with which the FortiGate unit confirms connectivity is set using the
    set system option interval command.
    Default: disable. Availability: All models. Not available in Transparent mode.
hamode {enable | disable}
    Enable or disable high availability (HA) mode for this interface and for the FortiGate unit.
    Except for the FortiGate-500, which has a dedicated HA interface, HA cannot be configured until
    the interface to be used for HA operation has been set to HA mode. When the interface is
    configured for HA mode, you cannot connect a network to it.
    Default: disable. Availability: FortiGate-300 dmz/ha interface. FortiGate-400, 1000, 2000 and
    3000 4/ha interface. FortiGate-3600 5/ha interface.
log {enable | disable}
    Enable or disable traffic logging of connections to this interface.
    Default: disable. Availability: All models.
macaddr {<new_mac> | factorydefault}
    Override the factory set MAC address of this interface by specifying a new MAC address. If you
    have changed the MAC address, you can use factorydefault to revert to the factory set MAC
    address.
    Default: Factory set. Availability: All models.
mtu <mtu_integer>
    Enter the maximum transmission unit size in bytes. Ideally mtu should be the same as the
    smallest MTU of all the networks between this FortiGate unit and the destination of the
    packets. The <mtu_integer> range is 68 to 1500 bytes.
    Default: 1500. Availability: All models. Not available in Transparent mode.
secallowaccess {ping https snmp ssh http telnet}
    Allow management access to the secondary IP address of the interface. You can enter one or
    more of the management access types separated by spaces.
    Default: Varies for each interface. Availability: All models. Not available in Transparent mode.
secdenyaccess {ping https snmp ssh http telnet}
    Deny management access to the secondary IP address of the interface. You can enter one or
    more of the management access types separated by spaces.
    Default: No default. Availability: All models. Not available in Transparent mode.
secdetectserv <ping_ip>
    Add the IP address of a ping server for the secondary IP address. A ping server is usually the
    next hop router on the network connected to the interface. If secgwdetect is enabled, the
    FortiGate unit confirms connectivity with the server at this IP address. Adding a ping server is
    required for routing failover. The primary and the secondary ping_ip can be the same IP
    address.
    Default: No default. Availability: All models. Not available in Transparent mode.
secgwdetect {enable | disable}
    Enable or disable confirming connectivity with the server at the secdetectserv <ping_ip> IP
    address. The frequency with which the FortiGate unit confirms connectivity is set using the
    set system option interval command.
    Default: disable. Availability: All models. Not available in Transparent mode.
secip <intf_ip> <netmask_ip>
    Add or change the secondary static IP address and netmask for the interface. The secondary IP
    address can be on any subnet, including the same subnet as the primary IP address. The
    secondary IP address cannot be the same as the primary IP address.
    Default: 0.0.0.0 0.0.0.0. Availability: All models. Not available in Transparent mode.

speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half}
    The interface speed:
    • auto, the default speed. The interface uses auto-negotiation to determine the connection
      speed. Change the speed only if the interface is connected to a device that does not support
      auto-negotiation.
    • 10full, 10 Mbps, full duplex
    • 10half, 10 Mbps, half duplex
    • 100full, 100 Mbps, full duplex
    • 100half, 100 Mbps, half duplex
    • 1000full, 1000 Mbps, full duplex
    • 1000half, 1000 Mbps, half duplex
    Default: auto. Availability: Speed options vary for different models and interfaces. Enter a
    space and a ? after the speed keyword to see a list of speeds available for that model and
    interface.
status {down | up}
    Start or stop the interface. If the interface is stopped it does not accept or send packets.
    Default: up. Availability: All models.
zone <zone_str>
    Enter the name of the zone to add this interface to. You can add one or more interfaces to a
    zone. If you have added firewall addresses to an interface, you must delete these firewall
    addresses before you can add the interface to a zone. When you add an interface to a zone,
    you cannot add firewall addresses to the interface and the interface does not appear on the
    policy grid.
    Default: No default. Availability: FortiGate-400 and up. Not available in Transparent mode.

Example:
Use the following commands to set the FortiGate-500 port1 interface IP address and netmask to
192.168.100.159 255.255.255.0, the management access to ping and https and to add the
interface to a zone named Zone1.
set system interface port1 mode static ip 192.168.100.159 255.255.255.0
set system interface port1 config allowaccess ping https zone Zone1
Use the following commands to set the IP address and netmask of a VLAN subinterface named
VLAN_1 to 192.168.200.20 255.255.255.0, the management access to ping and https and to
add the VLAN subinterface to a zone named Zone2.
set system interface VLAN_1 mode static ip 192.168.200.20 255.255.255.0
set system interface VLAN_1 config allowaccess ping https zone Zone2
Use the following commands to add a secondary IP address to the internal interface. The secondary IP
address and netmask are 192.176.23.180 255.255.255.0. Also configure ping and https
management access to this secondary IP address.
set system interface internal config secip 192.176.23.180 255.255.255.0
set system interface internal config secallowaccess ping https

Related commands
• set system vlan
• set system zone
• get system interface
• unset system secondip
• unset system vlan
• unset system zone


set system mainregpage


Show or hide the registration window that appears when an administration user logs into the FortiGate
web-based manager.
You can use the information on this registration window to register your FortiGate. Register your
FortiGate so that Fortinet can contact you for firmware updates. Registering is also required to receive
updates to your antivirus and intrusion detection databases.

Syntax description
mainregpage {hide | show}
    Show or hide the registration window on the web-based manager.
    Default: show. Availability: All models.

Example:
Use the following command to hide the registration window on the web-based manager:
set system mainregpage hide

Related commands
• get system mainregpage


set system management


Configure the Transparent mode management IP address. Use the management IP address for
management access to the FortiGate unit running in Transparent mode. The FortiResponse
Distribution Network (FDN) also connects to the management IP address for antivirus engine, antivirus
definition, and attack definition updates.

Syntax description
ip <manage_ip> <netmask_ip>
    Set the IP address and netmask of the Transparent mode management interface.
    Default: 10.10.10.1 255.255.255.0. Availability: All models. Only available in Transparent
    mode.

Example
Use the following command to set the Transparent mode management IP address to 192.168.1.80 and
the netmask to 255.255.255.0:
set system management ip 192.168.1.80 255.255.255.0

Related commands
• get system management


set system opmode


Change the FortiGate operation mode.

Syntax description
opmode {nat | transparent}
    Change the FortiGate operation to NAT/Route or Transparent mode.
    Default: nat. Availability: All models.

Example
Use the following command to set firewall operation mode to Transparent:
set system opmode transparent

Related commands
• get system status


set system option


Set the system timeout and the firewall authorization timeout. Set the web-based manager display
language and automatic refresh interval. For models with an LCD, set the front panel LCD pin.
You can also change dead gateway detection settings. Change dead gateway detection settings to
control how the FortiGate unit confirms connectivity with a ping server added to an interface
configuration. For more information on adding a ping server to an interface, see “set system interface”
on page 89.

Syntax description
admintimeout <timeout_integer>
    Set the administrator idle time out to control the amount of inactive time before the
    administrator must log in again. The maximum admintimeout is 480 minutes (8 hours).
    Default: 5 minutes. Availability: All models.
authtimeout <timeout_integer>
    Set the firewall user authentication time out to control the amount of inactive time before
    the user must authenticate again. The maximum authtimeout is 480 minutes (8 hours).
    Default: 15 minutes. Availability: All models.
failtime <failover_integer>
    Set the dead gateway detection failover number. Enter the number of times that ping fails
    before the FortiGate unit assumes that the gateway is no longer functioning.
    Default: 5. Availability: All models.
interval <interval_integer>
    Set the dead gateway detection failover interval. Enter a number in seconds to specify how
    often the FortiGate unit pings the target.
    Default: 5 seconds. Availability: All models.
language {english | simplifiedchinese | traditionalchinese | korean | japanese}
    Set the web-based manager display language. You can enter English, Simplified Chinese,
    Japanese, Korean, or Traditional Chinese.
    Default: english. Availability: All models.
lcdpin <pin_integer>
    Set the 6 digit PIN administrators must enter to use the LCD panel.
    Default: 123456. Availability: FortiGate models numbered 300 and higher.
lcdprotection {enable | disable}
    Enable or disable LCD panel PIN protection.
    Default: disable. Availability: FortiGate models numbered 300 and higher.
refresh {<interval_integer> | none}
    Set the Automatic Refresh Interval, in seconds, for the web-based manager System > Status >
    Monitor.
    Default: none. Availability: All models.

Examples
Use the following command to set the idle timeout to 50 minutes:
set system option admintimeout 50
Use the following command to require administrators to enter 654321 to access the LCD panel:
set system option lcdprotection enable lcdpin 654321

Related commands
• get system option
• set system interface


set system route number


Use this command to add or edit destination-based routes in the FortiGate routing table. Add
destination-based routes to control the destination of traffic exiting the FortiGate unit. You configure
routes by adding destination IP addresses and netmasks and adding gateways for these destination
addresses. The gateways are the next hop routers to which to route traffic that matches the destination
addresses in the route.
You can add one or two gateways to a route. If you add one gateway, the FortiGate unit routes the
traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first
gateway fails.
To support routing failover, the IP address of each gateway must be added to the ping server of the
interface connected to the same network as the gateway. See “set system interface” on page 89.

Syntax description
<route_integer>
    The number of the route to specify the location of the route in the routing table. Entering
    a new route number adds a new route. Entering an existing route number edits that route.
    Enter set system route number followed by a space and ? to see a list of existing routes and
    their numbers.
    Default: No default. Availability: All models.
dev1 {<intf_str> | auto}
    The name of the FortiGate interface through which to route traffic. If dev1 is set to auto,
    the FortiGate routes traffic to the interface that is on the same subnet as gw1.
    Default: auto. Availability: All models. NAT/Route mode only.
dev2 <intf_str>
    The name of the FortiGate interface through which to route traffic. If dev2 is set to auto,
    the FortiGate routes traffic to the interface that is on the same subnet as gw2.
    Default: auto. Availability: All models. NAT/Route mode only.
dst <destination_ip> <netmask_ip>
    The destination IP address and netmask for this route. Enter 0.0.0.0 0.0.0.0 for the
    destination IP and netmask to add a default route.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.
gw1 <gateway1_ip>
    The IP address of the first next hop router to which this route directs traffic.
    In NAT/Route mode, <gateway1_ip> must be on the same subnet as one of the FortiGate
    interfaces. If you specify dev1 the <gateway1_ip> must be on the same subnet as the dev1
    interface.
    In Transparent mode, <gateway1_ip> must be on the same subnet as the Transparent mode
    management IP.
    Default: No default. Availability: All models.
gw2 <gateway2_ip>
    The IP address of the second next hop router to which this route directs traffic.
    In NAT/Route mode, <gateway2_ip> must be on the same subnet as one of the FortiGate
    interfaces. If you specify dev2 the <gateway2_ip> must be on the same subnet as the dev2
    interface.
    In Transparent mode, <gateway2_ip> must be on the same subnet as the Transparent mode
    management IP.
    Default: No default. Availability: All models. NAT/Route mode only.

Example
Use the following command in NAT/Route mode to add a default gateway with the IP address
192.168.100.1:
set system route number 0 gw1 192.168.100.1
Use the following command in NAT/Route mode to add a route with the number 0, the destination IP
address and netmask 64.23.11.0 255.255.255.0 and using a gateway with the IP address
192.168.100.1:
set system route number 0 dst 64.23.11.0 255.255.255.0 gw1 192.168.100.1
Use the following command in NAT/Route mode for route 0 to change gateway 1 to a gateway with the
IP address 172.168.200.1 and to add a second gateway with the IP address 192.168.1.12:
set system route number 0 gw1 172.168.200.1 gw2 192.168.1.12
Use the following command in NAT/Route mode to add a route for primary and backup links to the
Internet. In this route, the external interface is the primary link to the Internet and the IP address of the
next hop router on the network connected to the external interface is 1.1.1.1. The DMZ interface is the
secondary link to the Internet and the IP address of the next hop router in the network connected to the
DMZ interface is 2.2.2.2:
set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.1 dev2 dmz
Use the following command in Transparent mode to add a default route to a gateway with the IP address
192.168.100.1:
set system route number 0 gw1 192.168.100.1
Use the following command in Transparent mode to add a route with the number 1, the destination IP
address and netmask 64.23.11.0 255.255.255.0 and using a gateway with the IP address
192.168.100.1:
set system route number 1 dst 64.23.11.0 255.255.255.0 gw1 192.168.100.1
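As an added illustration (not FortiGate code) of how a ping server with gwdetect, together with the set system option failtime and interval values, decides when a two-gateway route fails over to gw2, the following Python model counts consecutive lost pings per ping server and picks the next hop. The PingServer and Route classes, the interface names and the poll results are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PingServer:
    """Ping server attached to one interface (detectserver <ping_ip> with gwdetect enable).

    failtime and interval come from 'set system option': pings are sent every `interval`
    seconds and the gateway is declared dead after `failtime` consecutive failures.
    """
    ping_ip: str
    failtime: int = 5          # set system option failtime (default 5)
    interval: int = 5          # set system option interval, in seconds (default 5)
    failures: int = 0
    dead: bool = False

    def poll(self, ping_ok: bool) -> bool:
        """Record one ping result and return True while the gateway is considered dead."""
        if ping_ok:
            self.failures = 0
            self.dead = False
        else:
            self.failures += 1
            if self.failures >= self.failtime:
                self.dead = True
        return self.dead

    def seconds_to_declare_dead(self) -> int:
        """Worst-case time from the first lost ping until failover takes effect."""
        return self.failtime * self.interval


@dataclass
class Route:
    """A 'set system route number <n>' entry with a primary and an optional backup gateway."""
    gw1: str
    dev1: str
    gw2: Optional[str] = None
    dev2: Optional[str] = None   # None stands for the CLI default 'auto'


def failover_ready(route: Route, servers: Dict[str, PingServer]) -> bool:
    """The reference requires each gateway IP to be the ping server of its interface;
    without that, gw1 is never detected as dead and gw2 is never used."""
    needed = [route.gw1] + ([route.gw2] if route.gw2 else [])
    return all(ip in servers for ip in needed)


def next_hop(route: Route, servers: Dict[str, PingServer]) -> Tuple[str, str]:
    """Use gw1 unless its ping server reports it dead and a gw2 is configured."""
    primary = servers.get(route.gw1)
    if primary is not None and primary.dead and route.gw2:
        return route.gw2, route.dev2 or "auto"
    return route.gw1, route.dev1


def simulate(route: Route, servers: Dict[str, PingServer],
             polls: List[Dict[str, bool]]) -> List[Tuple[str, str]]:
    """Feed one {ping_ip: reachable} dict per interval; return the next hop chosen each time."""
    chosen = []
    for results in polls:
        for ip, ok in results.items():
            servers[ip].poll(ok)
        chosen.append(next_hop(route, servers))
    return chosen


# Constructed sample: the primary/backup route from the examples above, gw1 via 'external'
# and gw2 via 'dmz', with failtime lowered to 3 so the failover shows up after three misses.
SAMPLE_ROUTE = Route(gw1="1.1.1.1", dev1="external", gw2="2.2.2.1", dev2="dmz")


def sample_servers(failtime: int = 3) -> Dict[str, PingServer]:
    return {
        "1.1.1.1": PingServer("1.1.1.1", failtime=failtime),
        "2.2.2.1": PingServer("2.2.2.1", failtime=failtime),
    }


if __name__ == "__main__":
    servers = sample_servers()
    polls = [{"1.1.1.1": True}, {"1.1.1.1": False}, {"1.1.1.1": False},
             {"1.1.1.1": False}, {"1.1.1.1": True}]
    for step, (gw, dev) in enumerate(simulate(SAMPLE_ROUTE, servers, polls), 1):
        print(f"poll {step}: traffic goes to {gw} via {dev}")
```

With the documented defaults (failtime 5, interval 5) a failed primary gateway is used for up to 25 seconds before traffic moves to gw2, which is the window an operator should expect in monitoring.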

Related commands
• get system route table
• unset system route number


set system route policy


Policy routing extends the functions of destination routing. Using policy routing you can route traffic
based on:
• Source address
• Protocol, service type, or port range
• Incoming or source interface
Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route
for traffic by executing a set of routing rules. To select a route for traffic the FortiGate unit matches the
traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route to
match the traffic is used to set the route for the traffic. The route supplies the next hop gateway as well
the FortiGate interface to be used by the traffic.
For policy routing to work as expected, the gateway added to a policy route must also be added to a
destination route (using the set system route number command). When the FortiGate unit
matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for
the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet
using the matched destination route. If a match is not found, the FortiGate routes the packet using
normal routing.

Syntax description
<policy_integer>
    The number of the policy route to specify the location of the route in the routing policy
    database. Entering a new route number adds a new route. Entering an existing route number
    edits that route.
    Enter set system route policy followed by a space and ? to see a list of existing policy
    routes and their numbers.
    Default: No default. Availability: All models. NAT/Route mode only.
dst <destination_ip> <netmask_ip>
    The destination IP address and netmask for this route.
    Default: 0.0.0.0 0.0.0.0. Availability: All models. NAT/Route mode only.
gw <gateway_ip>
    The IP address of the next hop router to which this route directs traffic.
    In NAT/Route mode, <gateway_ip> must be on the same subnet as one of the FortiGate
    interfaces. If you specify dev1 the <gateway_ip> must be on the same subnet as the dev1
    interface.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
iifname <intf_str>
    The source interface for the route. <intf_str> is the name of the FortiGate interface from
    which this route directs traffic.
    Default: No default. Availability: All models. NAT/Route mode only.
oifname <intf_str>
    The destination interface for the route. <intf_str> is the name of the FortiGate interface
    through which to route traffic.
    Default: No default. Availability: All models. NAT/Route mode only.
port <low_integer> <high_integer>
    Add a port range to a policy route. If you add a port range, the policy route will route
    packets with a matching destination port range.
    Default: 0 0. Availability: All models. NAT/Route mode only.
protocol <protocol_integer>
    Add a protocol number to a policy route. If you add a protocol, the policy route will route
    packets with a matching protocol number.
    Default: 0. Availability: All models. NAT/Route mode only.
src <source_ip> <netmask_ip>
    The source IP address and netmask for this route.
    Default: 0.0.0.0 0.0.0.0. Availability: All models. NAT/Route mode only.

Examples
If a FortiGate unit provides internet access for multiple internal subnets, you can use policy routing to
control the route that traffic from each network takes to the Internet. For example, if the internal
network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following policy
routes:
• Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0
external network:
set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.1
• Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0
external network:
set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1
You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network
and all other traffic to the other external network.
• Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP
address 1.1.1.1:
set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1
• Enter the following command to route all other traffic to the next hop gateway with IP address
2.2.2.1:
set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1
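The following Python model (an added example, not FortiGate code) walks the RPDB from the top, applies the first matching policy route, and then performs the destination-route check described above: if the policy's gateway is not found in any destination route, the packet falls back to normal destination routing. The Packet, PolicyRoute and DestRoute classes and the sample entries are constructed for this example; the matching fields follow the keywords in the syntax description.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the CLI's '<ip> <netmask>' pair; '0.0.0.0 0.0.0.0' matches anything."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


ANY = network("0.0.0.0", "0.0.0.0")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int     # IP protocol number: 6 = TCP, 17 = UDP
    dport: int        # destination port
    iif: str          # interface the packet arrived on


@dataclass
class PolicyRoute:
    """One 'set system route policy <n> ...' entry; unset keywords keep their 'any' defaults."""
    number: int
    gw: str
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    protocol: int = 0                  # 0 = any protocol
    port: Tuple[int, int] = (0, 0)     # 0 0 = any destination port
    iifname: Optional[str] = None      # None = any source interface

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        low, high = self.port
        if (low, high) != (0, 0) and not low <= pkt.dport <= high:
            return False
        return self.iifname is None or pkt.iif == self.iifname


@dataclass
class DestRoute:
    """One 'set system route number <n> dst ... gw1 ... dev1 ...' entry."""
    dst: ipaddress.IPv4Network
    gw1: str
    dev1: str


def normal_routing(table: List[DestRoute], pkt: Packet) -> Optional[DestRoute]:
    """Plain destination routing: the longest matching prefix wins."""
    addr = ipaddress.ip_address(pkt.dst)
    hits = [r for r in table if addr in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen, default=None)


def route_packet(rpdb: List[PolicyRoute], table: List[DestRoute], pkt: Packet):
    """Return (decision, policy_number, gateway, device).

    Policy routes are tried from the top of the RPDB and the first match wins. Its gateway
    is then looked up in the destination routing table: if a destination route uses that
    gateway the packet follows it, otherwise the packet is routed normally.
    """
    for policy in rpdb:
        if policy.matches(pkt):
            for r in table:
                if r.gw1 == policy.gw:
                    return ("policy", policy.number, r.gw1, r.dev1)
            break      # matched a policy whose gateway has no destination route
    r = normal_routing(table, pkt)
    if r is None:
        return ("unroutable", None, None, None)
    return ("destination", None, r.gw1, r.dev1)


# Constructed sample mirroring the examples above: two internal subnets steered to two
# external networks, plus a third policy whose gateway was never added as a destination route.
RPDB = [
    PolicyRoute(1, "1.1.1.1", src=network("192.168.10.0", "255.255.255.0"),
                dst=network("100.100.100.0", "255.255.255.0")),
    PolicyRoute(2, "2.2.2.1", src=network("192.168.20.0", "255.255.255.0"),
                dst=network("200.200.200.0", "255.255.255.0")),
    PolicyRoute(3, "3.3.3.3", src=network("192.168.30.0", "255.255.255.0")),
]
TABLE = [
    DestRoute(ANY, "1.1.1.1", "external"),
    DestRoute(network("200.200.200.0", "255.255.255.0"), "2.2.2.1", "dmz"),
]
```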

Related commands
• unset system route policy
• get system route policy


set system route rip


Set routing information protocol (RIP) settings to enable basic RIP functionality and metrics and to
configure RIP timers.
The FortiGate implementation of RIP supports both RIP version 1 (as defined by RFC 1058) and RIP
version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP messages to carry more
information and support simple authentication. RIP2 also supports subnet masks, a feature not
available in RIP version 1.

Syntax description
{enable | disable}
    Enable or disable RIP server support. When you enable RIP server support, the FortiGate acts
    like a RIP server, broadcasting RIP packets to other nearby routers.
    Default: disable. Availability: All models except FortiGate-50. NAT/Route mode only.
advertise-default {enable | disable}
    Enable or disable including the FortiGate default route in RIP routing table updates.
    Default: disable. Availability: All models except FortiGate-50. NAT/Route mode only.
auto-summary {enable | disable}
    Enable or disable automatically summarizing subnet routes into network-level routes. If
    auto-summary is not enabled, the FortiGate unit transmits sub-prefix routing information
    across classful network boundaries.
    Default: disable. Availability: All models except FortiGate-50. NAT/Route mode only.
default-metric <metric_integer>
    Change the default metric that is applied to routes with incompatible metrics. The default
    metric assists in resolving how routes with incompatible metrics are redistributed. Whenever
    metrics do not convert, RIP uses the default metric to provide a reasonable substitute and
    allows the redistribution to proceed.
    Default: 2. Availability: All models except FortiGate-50. NAT/Route mode only.
input-queue <queue-size_integer>
    Change the depth of the RIP input queue. The larger the numerical value, the larger the depth
    of the queue. Consider changing the input-queue depth if you have a FortiGate unit sending at
    high speed to a low-speed router that might not be able to receive at the high speed.
    Configuring this command will help prevent the routing table losing information.
    <queue-size_integer> can be from 0 to 1024. A queue size of 0 means there is no input queue.
    Default: 50. Availability: All models except FortiGate-50. NAT/Route mode only.
output-delay <delay_integer>
    Change the output delay to add a delay in milliseconds between packets in a multiple-packet
    RIP update. A typical output delay is 8 to 50 milliseconds. Add an output delay if you are
    configuring RIP on a FortiGate unit that could be sending packets to a router that cannot
    receive the packets at the rate the FortiGate unit is sending them. The default output delay
    is 0 milliseconds.
    Default: 0. Availability: All models except FortiGate-50. NAT/Route mode only.

Example:
Use the following command to enable RIP server support:
set system route rip enable
Use the following command to change the RIP default metric to 5:
set system route rip default-metric 5

Related commands
• get system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor
• set system route rip timers


set system route rip filter


Use RIP filters to control the routing information received by the FortiGate unit and sent by the
FortiGate unit. You can create filters for two purposes:

Neighbors filter
    For filtering routes received from neighboring routers. When the FortiGate unit receives
    routes from a neighboring router, the neighbors filter defines what routes received from the
    neighbor will be stored in the FortiGate routing table and what routes will be discarded.
Routes filter
    For filtering routes before a routing table update is sent to neighboring routers. Before the
    FortiGate unit sends routes to neighboring routers, the routes filter defines what routes can
    be sent and what routes cannot be sent.

A RIP filter consists of the IP address and netmask of a route, the action the filter should perform for
this route (allow or deny), and the interface on which this filter entry should be applied. Routes that do
not match a route added to a RIP filter are allowed.
A single RIP filter contains instructions for allowing or denying a single route. You can add multiple RIP
filter entries under the same RIP filter name to create a RIP filter list. Using a RIP filter list you can filter
multiple routes.
After creating RIP filters and filter lists you can configure the neighbors filter or routes filter by selecting
a filter or filter list for each of these filter types. If you do not select a RIP filter for neighbors or routes,
no filtering is applied. You can add a total of four RIP filters or RIP filter lists, but you can only have one
active neighbors filter and one active routes filter.

Syntax description
add name <filter-name_str>
    Add and specify the name of a RIP filter list. Each RIP filter and RIP filter list must have
    a unique name. The name can be 15 characters long and can contain upper and lower case
    letters, numbers, and special characters. The name cannot contain spaces.
    Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.
del name <filter-name_str>
    Delete the named RIP filter or RIP filter list.
    Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.
name [<filter-name_str> {add | del} address <route_ip> <netmask_ip> action {allow | deny}
interface <intf_str>]
    Add a route prefix to a filter list or delete a route prefix from a filter list. A route
    prefix consists of the IP address and netmask for the route, the action to be performed by
    the filter (allow or deny), and the name of the interface on which to apply the route filter.
    To add or delete a route prefix you must enter all of the parameters of the route prefix.
    Set action to allow so that the filter permits this route to be communicated. Set action to
    deny to stop this route from being communicated.
    Enter set system route rip filter name to view the list of filter lists. You must add the
    route prefix to one of these filter lists. Use the command set system route rip filter add
    name to add a filter list.
    Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.
neighbors {filter-list [<filter-name_str>] | mode [none | filtered]}
    Enable or disable the neighbors filter. Specify a filter or filter list to become the
    neighbors filter. mode filtered enables the neighbors filter. mode none disables the
    neighbors filter. filter-list <filter-name_str> selects the <filter-name_str> to be the
    neighbors filter. Only one filter list can be the neighbors filter. To change the neighbors
    filter, re-enter this command and specify a different <filter-name_str>.
    Enter set system route rip filter neighbors filter-list to view the current neighbors filter
    list.
    Default: The default mode is none. Availability: All models except FortiGate-50. NAT/Route
    mode only.
routes {filter-list [<filter-name_str>] | mode [none | filtered]}
    Enable or disable the routes filter. Specify a filter or filter list to become the routes
    filter. mode filtered enables the routes filter. mode none disables the routes filter.
    filter-list <filter-name_str> selects the <filter-name_str> to be the routes filter. Only one
    filter list can be the routes filter. To change the routes filter, re-enter this command and
    specify a different <filter-name_str>.
    Enter set system route rip filter routes filter-list to view the current routes filter list.
    Default: The default mode is none. Availability: All models except FortiGate-50. NAT/Route
    mode only.

Example:
Use the following commands to add two filter lists named Filter_List1 and Filter_List2:
set system route rip filter add name Filter_List1
set system route rip filter add name Filter_List2
Use the following command to add route prefixes to each filter list:
set system route rip filter name Filter_List1 add address 1.2.3.4 255.255.255.0 action allow interface internal
set system route rip filter name Filter_List1 add address 4.5.6.7 255.255.255.0 action deny interface internal
set system route rip filter name Filter_List2 add address 11.22.33.44 255.255.255.0 action allow interface internal
set system route rip filter name Filter_List2 add address 44.55.66.77 255.255.255.0 action deny interface internal
Use the following commands to set the neighbors filter to Filter_List1 and enable the neighbors
filter:
set system route rip filter neighbors filter-list Filter_List1
set system route rip filter neighbors mode filtered
Use the following commands to set the routes filter to Filter_List2 and enable the routes filter:
set system route rip filter routes filter-list Filter_List2
set system route rip filter routes mode filtered
Use the following command to view RIP filter settings:
get system route rip filter

Route RIP filter settings:


Filter: Filter_List1
ip = 1.2.3.4, mask = 255.255.255.0, action = allow, interface = internal
ip = 4.5.6.7, mask = 255.255.255.0, action = deny, interface = internal
Filter: Filter_List2
ip = 11.22.33.44, mask = 255.255.255.0, action = allow, interface = internal
ip = 44.55.66.77, mask = 255.255.255.0, action = deny, interface = internal
Filter neighbors mode = filtered
Filter neighbors filter-list = Filter_List1
Filter routes mode = filtered
Filter routes filter-list = Filter_List2
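As an added example (not FortiGate code), the following Python parses the get system route rip filter output shown above and applies the neighbors or routes filter the way the description states: a route prefix that matches a deny entry for that interface is discarded, while an allow match or no match at all lets the route through. The parser, the route_permitted function and the embedded sample are constructed for this example and assume the output format shown.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the 'get system route rip filter' output shown in the example above.
SAMPLE_OUTPUT = """\
Route RIP filter settings:
Filter: Filter_List1
ip = 1.2.3.4, mask = 255.255.255.0, action = allow, interface = internal
ip = 4.5.6.7, mask = 255.255.255.0, action = deny, interface = internal
Filter: Filter_List2
ip = 11.22.33.44, mask = 255.255.255.0, action = allow, interface = internal
ip = 44.55.66.77, mask = 255.255.255.0, action = deny, interface = internal
Filter neighbors mode = filtered
Filter neighbors filter-list = Filter_List1
Filter routes mode = filtered
Filter routes filter-list = Filter_List2
"""

ENTRY_RE = re.compile(r"ip = (\S+), mask = (\S+), action = (allow|deny), interface = (\S+)")

Entry = Tuple[str, str, str, str]   # (ip, mask, action, interface)


def parse_rip_filters(text: str) -> Tuple[Dict[str, List[Entry]], Dict[str, str]]:
    """Return ({filter list name: [entries]}, {'neighbors mode': ..., 'routes filter-list': ...})."""
    lists: Dict[str, List[Entry]] = {}
    settings: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter: "):
            current = line[len("Filter: "):]          # start of a filter list
            lists[current] = []
        elif (m := ENTRY_RE.fullmatch(line)) and current is not None:
            lists[current].append(m.groups())         # one route prefix entry
        elif line.startswith("Filter neighbors ") or line.startswith("Filter routes "):
            key, _, value = line[len("Filter "):].partition(" = ")
            settings[key] = value                      # e.g. 'neighbors mode' -> 'filtered'
    return lists, settings


def route_permitted(lists: Dict[str, List[Entry]], settings: Dict[str, str],
                    which: str, ip: str, mask: str, interface: str) -> bool:
    """which is 'neighbors' (a route received from a neighbor, before it enters the routing
    table) or 'routes' (a route about to be sent in an update). A prefix matching a deny entry
    for that interface is dropped; an allow match, or no match at all, is permitted."""
    if settings.get(f"{which} mode") != "filtered":
        return True                                  # mode none: no filtering applied
    entries = lists.get(settings.get(f"{which} filter-list", ""), [])
    for e_ip, e_mask, action, e_if in entries:
        if (e_ip, e_mask, e_if) == (ip, mask, interface):
            return action == "allow"
    return True                                      # unmatched routes are allowed
```

Because unmatched prefixes are allowed, a filter list made only of allow entries permits everything; to drop a prefix it has to be listed with action deny on the interface it arrives on or leaves from.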

Related commands
• get system route rip
• set system route rip
• set system route rip interface
• set system route rip neighbor
• set system route rip timers


set system route rip interface


You can create a unique RIP configuration for each FortiGate interface. On FortiGate models 400 and
up you can also create a unique RIP configuration for each VLAN subinterface. This allows you to
customize RIP for the network to which each interface or each VLAN subinterface is connected. For
example:
• If you have a complex internal network containing other devices that use the RIP2 protocol, you
might want to configure RIP2 send and receive for the internal interface.
• If the external interface is connected to the Internet you may not want to enable RIP send for this
interface so that the internal routes are not exposed to the Internet. However, you may want to
configure RIP receive so that the FortiGate unit receives routes from your ISP.
• If the DMZ interface is connected to a small DMZ network you may not need to configure RIP for
this interface.
Syntax description
<intf_str>
    The name of the interface or VLAN subinterface for which to configure RIP settings.
    Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.
auth {enable <password_str> mode {clear | md5} | disable}
    Enable or disable authentication for RIP2 packets sent and received by an interface.
    Authentication is only supported by the RIP2 standard. Disable authentication if receive or
    send are set to v1 or v12.
    The <password_str> can be up to 16 characters long.
    mode defines how the FortiGate authenticates RIP2 packets. clear means send the password as
    plain text. md5 means use MD5 authentication.
    Default: disable. Availability: All models except FortiGate-50. NAT/Route mode only.
passive {enable | disable}
    Passive mode is not supported in this version.
receive {v1 | v2 | v12} {enable | disable}
    Enable or disable listening on an interface on port 520 for RIP broadcasts.
    v1 the interface listens for RIP1 messages.
    v2 the interface listens for RIP2 messages.
    v12 the interface listens for RIP1 and RIP2 messages.
    Default: disable. Availability: All models except FortiGate-50. NAT/Route mode only.
send {v1 | v2 | v12} metric <metric_int> {enable | disable}
    Enable or disable sending RIP broadcasts from an interface to the network it is connected to.
    The routing messages are UDP packets with a destination port of 520.
    v1 the interface sends RIP1 messages.
    v2 the interface sends RIP2 messages.
    v12 the interface sends RIP1 and RIP2 messages.
    Optionally change the metric for routes sent by this interface. All routes sent from this
    interface will have this metric added to their current metric value. You can change the
    interface metric to give higher priorities to some interfaces. For example, if you have two
    interfaces that can be used to route packets to the same destination, if you set the metric
    of one interface higher than the other, the routes to the interface with the lower metric
    will seem to have a lower cost, so more traffic will use routes to the interface with the
    lower metric. <metric_int> can be from 1 to 16.
    Default: disable. Default metric is 1. Availability: All models except FortiGate-50.
    NAT/Route mode only.
split-horizon {enable | disable}
    Enable or disable split-horizon for an interface to prevent routing loops. Split-horizon
    should only be disabled if you are sure that routing loops cannot be created from this
    interface.
    Default: enable. Availability: All models except FortiGate-50. NAT/Route mode only.
Note: MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit. Using
MD5 authentication, the password is added to the routing message and MD5 is applied to create the MD5 digest
of the routing message. The password is replaced in the routing message with this MD5 digest and this message
is broadcast. When a router receives the routing message, it replaces the MD5 digest with the password,
computes the MD5 digest of this new message and then compares the result with the MD5 digest sent with the
original message. If the two MD5 digests are identical, the receiver accepts the message. If they are not, the
receiver rejects the message.
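The following Python (an added example, not FortiGate code) implements the keyed digest the note describes, with the clear mode beside it for comparison: the sender places the password in the message, hashes the whole message, and ships the digest in place of the password; the receiver swaps the digest back for the shared password, recomputes, and compares. The message layout, KEY_LEN and the function names are constructed for this example and do not model the real RIP2 packet format.

```python
import hashlib
import hmac

KEY_LEN = 16   # the reference allows RIP2 passwords of up to 16 characters


def _key(password: bytes) -> bytes:
    """Pad or truncate the password to the 16-byte authentication field (constructed layout)."""
    return password.ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def clear_sign(message: bytes, password: bytes) -> bytes:
    """mode clear: the password itself travels in the message and is readable by any listener."""
    return message + _key(password)


def md5_sign(message: bytes, password: bytes) -> bytes:
    """mode md5: hash message||password and ship the digest where the password was, so the
    password never appears on the wire and the digest binds the message contents."""
    digest = hashlib.md5(message + _key(password)).digest()
    return message + digest


def md5_verify(on_wire: bytes, password: bytes) -> bool:
    """Receiver side: swap the received digest back for the shared password, recompute the
    MD5 digest of that message, and accept only if it equals the digest that was sent."""
    if len(on_wire) < KEY_LEN:
        return False
    message, received = on_wire[:-KEY_LEN], on_wire[-KEY_LEN:]
    expected = hashlib.md5(message + _key(password)).digest()
    return hmac.compare_digest(expected, received)   # constant-time comparison


# Constructed stand-in for a RIP2 update; the real packet layout is not modelled here.
SAMPLE_UPDATE = b"RIP2 response: 192.168.10.0/255.255.255.0 metric 1"
SAMPLE_PASSWORD = b"RIPpass"

if __name__ == "__main__":
    signed = md5_sign(SAMPLE_UPDATE, SAMPLE_PASSWORD)
    print("digest verifies with shared password:", md5_verify(signed, SAMPLE_PASSWORD))
    print("password visible in clear mode:", SAMPLE_PASSWORD in clear_sign(SAMPLE_UPDATE, SAMPLE_PASSWORD))
    print("password visible in md5 mode:", SAMPLE_PASSWORD in signed)
```

A receiver with a different password, or a message altered in transit, fails the comparison, which is what makes md5 mode preferable to clear mode on any segment where other hosts can observe RIP traffic.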

Examples
Use the following commands to configure the internal interface to send and receive RIP2 routes.
set system route rip interface internal send v2 metric 1 enable
set system route rip interface internal receive v2 enable
Use the following command to configure RIP2 authentication for the internal interface, set the
password to RIPpass and set the authentication mode to MD5:
set system route rip interface internal auth enable RIPpass mode md5
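The exchange described in the MD5 note above, as an added example (not FortiGate code): the sender hashes the message with the password in place and sends the digest instead; the receiver puts the password back, recomputes and compares, and only then reads the route entries. The message layout (4-byte RIP header, 20-byte RIP-2 route entries, 16-byte authentication trailer) is a simplified stand-in for the RFC 2082 trailer, and the sample route is constructed.

```python
"""Keyed-MD5 authentication of a RIP message as described in the MD5 note.

Added example, not FortiGate code. Layout is simplified (assumption): 4-byte
RIP header, 20-byte RIP-2 route entries, then a 16-byte authentication field
that carries the password while hashing and the digest on the wire.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_LEN = 16  # MD5 digest length; the password field is padded to the same size
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, network, mask, next hop, metric


def _auth_field(password: bytes) -> bytes:
    """Password as it is placed in the message before hashing (zero-padded to 16 bytes)."""
    return password[:AUTH_LEN].ljust(AUTH_LEN, b"\x00")


def build_rip_message(routes, password: bytes) -> bytes:
    """Sender: header + route entries + password field, hash, then swap password for digest."""
    header = struct.pack("!BBH", 2, 2, 0)  # command 2 = response, version 2, unused field
    body = b"".join(ENTRY.pack(2, 0, net, mask, nxt, metric)
                    for net, mask, nxt, metric in routes)
    digest = hashlib.md5(header + body + _auth_field(password)).digest()
    return header + body + digest  # the digest travels instead of the password


def verify_rip_message(msg: bytes, password: bytes) -> bool:
    """Receiver: put the password back in place of the digest, recompute, compare."""
    if len(msg) < 4 + AUTH_LEN or (len(msg) - 4 - AUTH_LEN) % ENTRY.size:
        return False
    content, received = msg[:-AUTH_LEN], msg[-AUTH_LEN:]
    expected = hashlib.md5(content + _auth_field(password)).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


def parse_routes(msg: bytes):
    """Route entries as (network, mask, next hop, metric); call only after verification."""
    body = msg[4:-AUTH_LEN]
    return [
        (str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(mask)),
         str(ipaddress.IPv4Address(nxt)), metric)
        for _afi, _tag, net, mask, nxt, metric in ENTRY.iter_unpack(body)
    ]


def demo(password: bytes = b"RIPpass"):
    """Build one authenticated update, then show that a wrong password or a
    metric modified in flight is rejected.
    Returns (routes, verified, verified_with_wrong_password, verified_after_tampering)."""
    routes = [(ipaddress.IPv4Address("10.1.0.0").packed,       # constructed sample route
               ipaddress.IPv4Address("255.255.0.0").packed,
               b"\x00" * 4, 1)]                                 # next hop 0.0.0.0, metric 1
    msg = build_rip_message(routes, password)
    tampered = bytearray(msg)
    tampered[4 + ENTRY.size - 1] = 16  # rewrite the metric to 16 (unreachable) in transit
    return (
        parse_routes(msg),
        verify_rip_message(msg, password),
        verify_rip_message(msg, b"wrong"),
        verify_rip_message(bytes(tampered), password),
    )


if __name__ == "__main__":
    print(demo())
```

The receiver compares digests with hmac.compare_digest rather than == so that a forged trailer cannot be distinguished byte by byte through timing, and it parses route entries only after verification succeeds; a message whose metric was changed on the wire fails verification even though the password is correct.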

Related commands
• get system route rip
• set system route rip
• set system route rip filter
• set system route rip neighbor
• set system route rip timers

FortiGate CLI Reference Guide 107



set system route rip neighbor


Add RIP neighbors to define neighboring routers with which to exchange routing information. Add
neighbors on non-broadcast networks.
When you add neighbors, the FortiGate unit exchanges routing information with each neighbor router
directly, instead of relying on broadcasting routes. This point-to-point exchange of routing information
between the FortiGate unit and the routers in the neighbor list reduces network traffic and keeps
routing updates off hosts that have no need to see them. It does not by itself verify who sent an
update; combine it with RIP interface authentication when you need that. Adding neighbors is
required to be able to exchange routes over non-broadcast networks.
When used in combination with the RIP filters, the FortiGate unit can be configured to exchange
routing information with a subset of routers and access servers on a LAN.

Syntax description
Keyword Description Default Availability

<neighbor_ip>
  The IP address of a neighbor router that you want the FortiGate unit to exchange routing information with.
  Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.

send {v1 | v2} {enable | disable}
  Enable or disable sending RIP1 or RIP2 messages to the <neighbor_ip>.
  v1: send RIP1 messages to the neighbor.
  v2: send RIP2 messages to the neighbor.
  To send both RIP1 and RIP2 messages, configure the neighbor twice, once with v1 and once with v2.
  Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.

Examples
Use the following commands to add a neighbor at IP address 192.168.110.94 and configure the
FortiGate unit to send RIP1 and RIP2 messages to this neighbor:
set system route rip neighbor 192.168.110.94 send v1 enable
set system route rip neighbor 192.168.110.94 send v2 enable
Use the following command to disable sending RIP2 messages to this neighbor:
set system route rip neighbor 192.168.110.94 send v2 disable

Related commands
• get system route rip
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip timers


set system route rip timers


Change the RIP timers to fine tune RIP performance. RIP timer defaults are effective in most
configurations. You should only have to change these timers to troubleshoot problems with your RIP
configuration. Using the set system route rip timers command you can change individual RIP
timers by entering the keyword for the timer and the new timer setting.

Syntax description
Keyword Description Default Availability

flush <flush-timer_integer>
  The amount of time in seconds that must pass before a route is removed from the routing table. The value for flush should be greater than the value for invalid. If flush is not greater than invalid, the proper holddown interval cannot elapse, which results in a new route being accepted before the holddown interval expires.
  Default: 240. Availability: All models except FortiGate-50. NAT/Route mode only.

holddown <holddown-timer_integer>
  The time interval in seconds during which routing information regarding better paths is suppressed. holddown should be at least three times the value of update. A route enters the holddown state when an update packet is received that indicates the route is unreachable. The route is marked inaccessible and advertised as unreachable and is no longer used for forwarding packets. When holddown expires, the route can be flushed from the routing table.
  Default: 180. Availability: All models except FortiGate-50. NAT/Route mode only.

invalid <invalid-timer_integer>
  The time interval in seconds after which a route is declared invalid. invalid should be at least three times the value of update. A route becomes invalid when there is an absence of updates that refresh the route. The route then enters holddown. The route is marked inaccessible and advertised as unreachable. However, the route is still used for forwarding packets.
  Default: 180. Availability: All models except FortiGate-50. NAT/Route mode only.

update <update-timer_integer>
  The time interval in seconds between sending routing table updates.
  Default: 30. Availability: All models except FortiGate-50. NAT/Route mode only.

Example
Use the following command to change the RIP update timer to 50 seconds:
set system route rip timers update 50

Related commands
• get system route rip
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor


set system session_ttl


Use this command to change how long a TCP session can remain idle before the FortiGate unit removes it from the session table. Longer idle timeouts keep more entries in the session table, so extend them only for the ports that need it.

Syntax description
Keyword Description Default Availability

default <default_integer>
  Enter a number of seconds to change the default session timeout.
  Default: 300. Availability: All models.

port <port_integer> timeout <timeout_integer>
  To change the session timeout for a specific port, enter the port number and the number of seconds a session on that port can be idle.
  Default: No default. Availability: All models.

Examples
Use the following command to change the default session timeout to 3600 seconds:
set system session_ttl default 3600
Use the following command to change the session timeout for SSH on port 22 to 3600 seconds:
set system session_ttl port 22 timeout 3600

Related commands
• get system sessionttl
• unset system sessionttl


set system snmp


Configure FortiGate SNMP support. The default system name is the FortiGate unit host name. By
default the FortiGate unit host name is the FortiGate model name. To change the FortiGate unit host
name, see “set system hostname” on page 88.

Syntax description
Keyword Description Default Availability

{enable | disable | value}
  Enable or disable FortiGate SNMP support. Use the value keyword to configure SNMP support on the FortiGate unit.
  Default: disable. Availability: All models.

<location_str>
  The physical location of the FortiGate. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed. If you add spaces, enclose the system location in quotes.
  Default: No default. Availability: All models.

<info_str>
  Contact information for the person responsible for this FortiGate. The contact information can be up to 31 characters long and can contain spaces, numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed. If you add spaces, enclose the contact information in quotes.
  Default: No default. Availability: All models.

<get-community_str>
  A password to identify SNMP get requests sent to the FortiGate, also called the read community. When an SNMP manager sends a get request to the FortiGate, it must include the correct get community string. The default get community string is "public". Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. Community strings travel in clear text, so also limit SNMP access to your management network. The get community string must be configured in your SNMP manager to enable it to access FortiGate SNMP information.
  The get community string can be up to 31 characters long and can contain numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.
  Default: No default. Availability: All models.

<set-community_str>
  A string sent with SNMP traps that functions like a password (the trap community string). The default trap community string is "public". Change the trap community string to the one accepted by your trap receivers.
  The trap community string can be up to 31 characters long and can contain numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.
  Default: No default. Availability: All models.

<first-receiver_ip> [<second-receiver_ip> [<third-receiver_ip>]]
  The IP addresses of up to three trap receivers on your network configured to receive traps from your FortiGate. Traps are sent only to these addresses.
  Default: 0.0.0.0. Availability: All models.


Example
Use the following command to create an SNMP configuration with the following parameters:
• The location of the system is Server room (entered on the command line as "Server room")
• The contact information for the system administrator is ext 3345 (entered on the command line
as "ext 3345")
• The get community string is our_get_com
• The trap community string is our_trap_com
• The IP address of the first trap receiver is 192.33.44.55
• The IP address of the second trap receiver is 143.44.52.7
• There is no third trap receiver
set system snmp enable
set system snmp value "Server room" "ext 3345" our_get_com our_trap_com
192.33.44.55 143.44.52.7

Related commands
• get system snmp
• set system hostname


set system time


Set the system date and time or configure the FortiGate to connect to a network time protocol (NTP)
server to automatically update the system date and time.

Syntax description
Keyword Description Default Availability

manual
  Manually set the system date and time.
  Default: No default. Availability: All models.

ntp
  Automatically update the system date and time by connecting to an NTP server.
  Default: No default. Availability: All models.

clock <hh:mm:ss>
  Set the system time.
  • hh is the hour and can be 00 to 23
  • mm is the minutes and can be 00 to 59
  • ss is the seconds and can be 00 to 59
  Default: System time. Availability: All models. manual only.

date <mm/dd/yyyy>
  Set the system date.
  • mm is the month and can be 01 to 12
  • dd is the day of the month and can be 01 to 31
  • yyyy is the year and can be set from 2001 to 2100
  Default: System date. Availability: All models. manual only.

dst {enable | disable}
  Enable or disable daylight saving time.
  Default: disable. Availability: All models.

ntpserver <server_ip>
  Enter the IP address of an NTP server.
  Default: 132.246.168.148. Availability: All models. ntp only.

ntpsync {enable | disable}
  Enable or disable synchronizing the system time with the NTP server time.
  Default: disable. Availability: All models. ntp only.

syncinterval <interval_integer>
  Enter how often, in minutes, the FortiGate should synchronize its time with the NTP server. The syncinterval number can be 1 to 1440.
  Default: 60. Availability: All models. ntp only.

zone <timezone_integer>
  The number corresponding to your time zone. Enter set system time manual zone or set system time ntp zone and a space followed by ? to list time zones and their numbers. Choose your time zone from the list and enter the correct number.
  Default: GMT-8. Availability: All models.

Example
Use the following command to set the system date and time manually, the time zone to 4, and daylight
saving time to disable:
set system time manual date 12/23/2002 clock 13:55:30 zone 4 dst disable
Use the following command to synchronize the time with an NTP server:
set system time ntp ntpsync enable ntpserver 1.1.1.1 syncinterval 60

Related commands
• get system time


set system vlan


Use this command to add VLAN subinterfaces. Use “set system interface” on page 89 to configure the
VLAN IP address, netmask, and management access and to add the VLAN to a zone.
Using Virtual LAN (VLAN) technology, a single FortiGate unit can provide security services and control
connections between multiple security domains.

Syntax description
Keyword Description Default Availability

<name_str>
  Enter a name to identify the VLAN subinterface.
  Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

id <id_integer>
  Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID added by the IEEE 802.1Q-compliant router (802.1Q carries the VLAN ID in a 12-bit field, so IDs above 4094 cannot appear in tagged frames). Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces.
  Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

interface <name_str>
  Enter the name of the interface that receives the VLAN packets intended for this VLAN subinterface.
  Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

Example
Use the following command to add a VLAN subinterface with the following settings:
• name: newvlan
• id: 10
• interface: internal
set system vlan newvlan id 10 interface internal

Related commands
• get system vlan
• unset system vlan


set system zone


Use this command to add or edit zones.
In NAT/Route mode, you can group related interfaces or VLAN subinterfaces into zones. Grouping
interfaces and subinterfaces into zones simplifies policy creation. For example, if you have two
interfaces connected to the Internet, you can add both of these interfaces to the same zone. Then you
can configure policies for connections to and from this zone, rather than to and from each interface.
To add interfaces or VLAN subinterfaces to zones, see "set system interface" on page 89.

Syntax description
Keyword Description Default Availability

<name_str>
  Enter the name for the zone. If the name is new, this command adds a new zone. If the name already exists, this command edits the zone. Use the command set system zone followed by a space and a ? for a list of zones to edit.
  Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

intrazone {allow | deny}
  Allow or deny traffic routing between different interfaces in the same zone.
  Default: allow. Availability: Models numbered 400 and higher. NAT/Route mode only.

Example
Use the following command to add a zone named Internal and to deny routing between different
interfaces in the zone.
set system zone Internal intrazone deny

Related commands
• get system zone
• unset system zone


set user group


Add or edit user groups.
To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or
more user groups. You can then select a user group when you require authentication. You can select a
user group to configure authentication for:
• Policies that require authentication. Only users in the selected user group or that can authenticate
with the RADIUS or LDAP servers added to the user group can authenticate with these policies.
• IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can
authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be
authenticated using XAuth.
• The FortiGate PPTP and L2TP configurations. Only users in the selected user group can use PPTP
or L2TP.
When you add user names, RADIUS servers, and LDAP servers to a user group the order in which
they are added affects the order in which the FortiGate unit checks for authentication. If user names
are first, then the FortiGate unit checks for a match with these local users. If a match is not found, the
FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the
FortiGate unit checks the server and then the local users.
If the user group contains users, RADIUS servers, and LDAP servers, the FortiGate unit checks them
in the order in which they have been added to the user group.

Syntax description
Keyword Description Default Availability

<name_str>
  A name for the user group. If the user group name is new, this command adds a new user group. If the user group name already exists, this command edits the user group.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  Default: No default. Availability: All models.

member {<name_str> [<name_str> [<name_str> ... ]] | none}
  The name of a user, RADIUS server, or LDAP server to add to the user group. Enter set user group <name_str> member then a space and a ? for a list of possible group members.
  Enter all the names you want to include in the user group. Use a space to separate the names. The order in which you enter them is the order in which the FortiGate unit checks them when a user authenticates.
  Enter none to remove all members from the user group.
  Default: No default. Availability: All models.

Examples
Use the following command to add a group named User_Grp_1, and add User_2, User_3, Radius_2
and LDAP_1 as members of the group:
set user group User_Grp_1 member User_2 User_3 Radius_2 LDAP_1

Related commands
• get user
• set user local
• set user ldap
• set user radius
• unset user group


set user ldap


Add or edit the information used for LDAP authentication.
If you have configured LDAP support and a user is required to authenticate using an LDAP server, the
FortiGate unit contacts the LDAP server for authentication.
The FortiGate unit supports the LDAP protocol functionality defined in RFC 2251 (LDAP v3) for looking up
and validating user names and passwords, and works with any LDAP server that complies with
LDAP v3.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password
expiration, that some LDAP servers provide. FortiGate LDAP support does not supply information to
the user about why authentication failed.
LDAP user authentication is supported for PPTP, L2TP, IPSec VPN and firewall authentication. With
PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP
(Challenge-Handshake Authentication Protocol) is not: an LDAP server can only check a password
that is presented to it, and CHAP never gives the FortiGate unit the password to present.

Syntax description
Keyword Description Default Availability

<name_str>
  Enter the name of the LDAP server. If the server name is new, this command adds a new server. If the server name already exists, this command edits the server information.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  Default: No default. Availability: All models.

cnid <identifier_str>
  Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.
  Default: No default. Availability: All models.

dn <name_str>
  Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server in standard LDAP (X.500) distinguished name format, for example ou=marketing,dc=fortinet,dc=com. The FortiGate unit passes this distinguished name unchanged to the server.
  Default: No default. Availability: All models.

port <port-number_integer>
  Enter the port used to communicate with the LDAP server. By default LDAP uses port 389.
  Default: 389. Availability: All models.

server {<domain-name_str> | <address_ip>}
  Enter the domain name or IP address of the LDAP server.
  Default: No default. Availability: All models.

Examples
Use the following command to add an LDAP server using the IP address 23.64.67.44, the default
port, the common name cn and the distinguished name ou=marketing,dc=fortinet,dc=com:
set user ldap LDAP_1 server 23.64.67.44 cnid cn
dn ou=marketing,dc=fortinet,dc=com


Use the following command to change the distinguished name in the example above to
ou=accounts,ou=marketing,dc=fortinet,dc=com:
set user ldap LDAP_1 dn ou=accounts,ou=marketing,dc=fortinet,dc=com
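What the cnid and dn settings above turn into when a user authenticates, as an added example that is not FortiGate code: the bind DN is assembled from the common name identifier, the user name and the base dn, and sent in an LDAPv3 simple bind. The example assumes the bind DN is formed as <cnid>=<user name>,<dn>, which is how these two settings are normally combined; the user name is escaped per RFC 4514 so that a name such as admin,ou=admins cannot add its own RDN to the DN, and the BindRequest is encoded by hand in BER (RFC 2251) so the wire format is visible. The user names and password are constructed.

```python
"""Bind DN construction and LDAPv3 simple bind encoding for the cnid/dn settings.

Added example, not FortiGate code. Assumes the bind DN is <cnid>=<user>,<dn>.
"""

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a user name so it cannot add or alter RDNs in the DN it is placed in."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                # control characters: hex escape
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(cnid: str, username: str, base_dn: str) -> str:
    """<cnid>=<escaped user name>,<base dn>; the base dn is passed through unchanged."""
    return f"{cnid}={escape_rdn_value(username)},{base_dn}"


def _ber(tag: int, content: bytes) -> bytes:
    """Tag + definite length (short or long form) + content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _ber_int(n: int) -> bytes:
    """Non-negative INTEGER; an extra leading zero byte keeps the high bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return _ber(0x02, body)


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (_ber_int(3)                                    # LDAP version 3
            + _ber(0x04, bind_dn.encode("utf-8"))           # name: LDAPDN
            + _ber(0x80, password.encode("utf-8")))         # authentication: simple [0]
    return _ber(0x30, _ber_int(message_id) + _ber(0x60, bind))  # BindRequest = [APPLICATION 0]


def demo():
    """Constructed inputs: a normal user, a hostile user name, and one bind packet."""
    base = "ou=marketing,dc=fortinet,dc=com"
    normal = build_bind_dn("cn", "jdoe", base)
    hostile = build_bind_dn("cn", "admin,ou=admins", base)  # would otherwise inject an RDN
    packet = simple_bind_request(1, normal, "s3cret")
    return normal, hostile, packet


if __name__ == "__main__":
    dn, bad, pkt = demo()
    print(dn, bad, pkt.hex(), sep="\n")
```

The packet bytes show the practical consequence of the default port 389: a simple bind carries the password as a plain OCTET STRING, so without TLS anyone on the path between the FortiGate unit and the LDAP server can read user credentials. Keep that path on a trusted management network.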

Related commands
• get user
• set user group
• set user local
• set user radius
• unset user ldap


set user local


Add user names to the FortiGate user database and then add a password to allow the user to
authenticate using the internal database. You can also allow the user to authenticate using specified
RADIUS or LDAP servers. You can enable or disable user authentication.
FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to
an LDAP server.
To enable authentication, you must add user names to one or more user groups. You can also add
RADIUS servers and LDAP servers to user groups. You can then select a user group when you require
authentication.

Syntax description
Keyword Description Default Availability

<name_str>
  A name for the user. If the user name is new, this command adds a new user. If the user name already exists, this command edits the user information.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  Default: No default. Availability: All models.

status {enable | disable}
  Enable allows this user to authenticate. Disable prevents the user from authenticating.
  Default: enable. Availability: All models.

tryother {enable | disable}
  If the connection to the RADIUS server configured using set user local <name_str> type radius fails, enable or disable trying to connect to the other RADIUS servers added to the FortiGate RADIUS configuration.
  Default: disable. Availability: All models.

type {password <password_str> | radius <server_str> | ldap <server_str>}
  Require the user to authenticate with a password held in the FortiGate user database, with a RADIUS server, or with an LDAP server.
  Default: No default. Availability: All models.

password <password_str>
  Enter the password that this user must use to authenticate using the internal database. The password should be at least six characters long.
  Default: No default. Availability: All models. Used with type only.

radius <server_str>
  Enter the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. Enter set user local <name_str> type radius, a space and a ? for a list of available RADIUS servers.
  Default: No default. Availability: All models. Used with type only.

ldap <server_str>
  Enter the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. Enter set user local <name_str> type ldap, a space and a ? for a list of available LDAP servers.
  Default: No default. Availability: All models. Used with type only.

Examples
Use the following command to add a new user named User_1, with authentication type set to
password and a password of 23E9jz6 to authenticate using the internal database. The user is
enabled by default.
set user local User_1 type password 23E9jz6


Use the following command to disable authentication for User_1:
set user local User_1 status disable
Use the following command to add a new user named User_4, with authentication type set to ldap.
The user is enabled by default.
set user local User_4 type ldap LDAP_1
Use the following command to add a new user named User_3, with authentication type set to radius
and tryother enabled. The user is enabled by default.
set user local User_3 type radius Radius_2 tryother enable

Related commands
• get user
• set user group
• set user ldap
• set user radius
• unset user local


set user radius


Add or edit the information used for RADIUS authentication.
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server,
the FortiGate unit contacts the RADIUS server for authentication.

Syntax description
Keyword Description Default Availability

<name_str>
  A name for the RADIUS server. If the server name is new, this command adds a new server. If the server name already exists, this command edits the server information.
  The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  Default: No default. Availability: All models.

secret <password_str>
  Enter the RADIUS server secret.
  Default: No default. Availability: All models.

server {<name_str> | <server_ip>}
  Enter the domain name or IP address of the RADIUS server.
  Default: No default. Availability: All models.

Examples
Use the following command to add the information for a new RADIUS server named radserv_1, with
IP address 23.64.67.47 and a server secret of secret_1.
set user radius radserv_1 server 23.64.67.47 secret secret_1
Use the following command to change the server secret for radserv_1 to new_secret.
set user radius radserv_1 secret new_secret
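What the server secret configured above actually does on the wire, as an added example that is not FortiGate code: following RFC 2865, the secret masks the User-Password attribute in the Access-Request (each 16-byte block is XORed with MD5 of the secret and the previous block, seeded by the random Request Authenticator) and signs the server's reply (the Response Authenticator is MD5 over the reply and the secret). The client, user, password and secret values are constructed.

```python
"""RADIUS shared-secret use per RFC 2865: User-Password hiding and reply authentication.

Added example, not FortiGate code; all values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # next mask is keyed on the ciphertext block just produced
    return bytes(out)


def decode_user_password(data: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same chain in reverse. A wrong secret yields garbage, not an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(data[i:i + 16], mask))
        prev = data[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    """Attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Attributes after the 20-byte header, as {type: value}; stops at a malformed length."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def access_request(ident, username, password, secret, request_auth=None) -> bytes:
    """Client side: Code 1, ID, Length, random Request Authenticator, attributes."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be fresh and unpredictable per request
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, encode_user_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def _response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_accept(request: bytes, secret: bytes) -> bytes:
    """Server reply to a request; carries no attributes in this example."""
    ident, request_auth = request[1], request[4:20]
    auth = _response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + auth


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept only replies bound to our request and produced with the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = _response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo(secret: bytes = b"secret_1"):
    """Fixed Request Authenticator so the run is reproducible (use os.urandom in practice).
    Returns (password recovered with the secret, result with a wrong secret,
    reply verified with the secret, reply verified with a wrong secret)."""
    req = access_request(7, b"User_3", b"23E9jz6", secret, request_auth=bytes(range(16)))
    attrs = parse_attrs(req)
    recovered = decode_user_password(attrs[USER_PASSWORD], secret, req[4:20])
    wrong = decode_user_password(attrs[USER_PASSWORD], b"guess", req[4:20])
    reply = access_accept(req, secret)
    return recovered, wrong, verify_reply(reply, req, secret), verify_reply(reply, req, b"guess")


if __name__ == "__main__":
    print(demo())
```

decode_user_password shows why the secret deserves the same care as a key: anyone holding the secret and a capture of the request recovers the user's password, and a short or guessable secret can be tested offline against a capture. Use a long random secret, give each RADIUS client its own, and keep the FortiGate-to-server path on a trusted network.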

Related commands
• get user
• set user group
• set user ldap
• set user local
• unset user radius


set vpn ipsec concentrator


Add and edit IPSec VPN concentrators. You can add VPN tunnels to a VPN concentrator grouping to
create a hub and spoke configuration. The VPN concentrator allows VPN traffic to pass from one
tunnel to the other through the FortiGate.
In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as a hub. The
peers that connect to the hub are known as spokes. The hub functions as a concentrator on the
network, managing the VPN connections between the spokes.

Note: VPN peers are required to have static IP addresses in order to join a hub-and-spoke network. VPN peers
with dynamic IP addresses (dialup peers) cannot join a hub-and-spoke network.

Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all
spokes.

Note: VPN is not available in transparent mode.

Syntax description
Keyword Description Default Availability

<name_str>
  If the concentrator name is new, this command adds a VPN concentrator. If the concentrator name already exists, this command edits the VPN concentrator.
  Default: No default. Availability: All models. NAT/Route mode only.

member {none | <tunnel_str> [<tunnel_str> ...]}
  The names of the VPN tunnels to add to the concentrator. You can add AutoIKE key and manual key tunnels to a concentrator. Separate the tunnel names with spaces. Use none to create a concentrator with no tunnels.
  Default: No default. Availability: All models. NAT/Route mode only.

Example
Use the following command to add an IPSec VPN concentrator named Concentrator_1 containing
two AutoIKE tunnels named Auto_1, Auto_2, and one manual key tunnel named Manual_1.
set vpn ipsec concentrator Concentrator_1 member Auto_1 Auto_2 Manual_1

Related commands
• set vpn ipsec phase1
• set vpn ipsec phase2
• set vpn ipsec manualkey
• get vpn ipsec


set vpn ipsec manualkey


Use this command to configure manual key IPSec VPN tunnels.
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a
remote IPSec VPN client or gateway that is also using manual key. A manual key VPN tunnel consists
of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel,
and the encryption and authentication algorithms to use for the tunnel. Because the keys are created
when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the
VPN gateway or client that connects to this tunnel must use the same encryption and authentication
algorithms and must have the same encryption and authentication keys.

Note: VPN is not available in transparent mode.

Syntax description
Keyword Description Default Availability

<tunnel_str>
  Enter a name for the VPN tunnel. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  If the name is new, this command adds a new tunnel. If the name already exists, this command edits the tunnel.
  Default: No default. Availability: All models. NAT/Route mode only.

authalg {null | md5 | sha1}
  Select an authentication algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel.
  Default: null. Availability: All models. NAT/Route mode only.

authkey <key_hex>
  MD5: Enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
  SHA1: Enter a 40 digit (20 byte) hexadecimal number. Use a hyphen to separate the first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).
  Digits can be 0 to 9, and a to f. Use the same authentication key at both ends of the tunnel.
  Default: No default. Availability: All models. NAT/Route mode only.

concentrator {<name_str> | none}
  Enter the name of a VPN concentrator if you want the tunnel to be a member of a group of VPN tunnels. Select none to remove the manual key tunnel from a concentrator.
  Default: none. Availability: All models. NAT/Route mode only.

encalg {null | des | 3des | aes128 | aes192 | aes256}
  Select an encryption algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel.
  Default: null. Availability: All models. NAT/Route mode only.

enckey <key_hex>
  DES: Enter a 16 digit (8 byte) hexadecimal number.
  3DES: Enter a 48 digit (24 byte) hexadecimal number.
  AES128: Enter a 32 digit (16 byte) hexadecimal number.
  AES192: Enter a 48 digit (24 byte) hexadecimal number.
  AES256: Enter a 64 digit (32 byte) hexadecimal number.
  Digits can be 0 to 9, and a to f. For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen. Use the same encryption key at both ends of the tunnel.
  Default: No default. Availability: All models. NAT/Route mode only.

gateway <gateway_ip>
  The external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.
  Default: No default. Availability: All models. NAT/Route mode only.

localspi <spi_hex>
  Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added as the Remote SPI at the opposite end of the tunnel.
  Default: No default. Availability: All models. NAT/Route mode only.

remotespi <spi_hex>
  Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range bb8 to FFFFFFF. This number must be added as the Local SPI at the opposite end of the tunnel.
  Default: No default. Availability: All models. NAT/Route mode only.

Example
Use the following command to add an IPSec VPN manual key tunnel with the following characteristics:
• Tunnel name: Manual_Tunnel
• Local SPI: 1000ff
• Remote SPI: 2000ff
• Remote gateway IP: 206.37.33.45
• Encryption algorithm: 3DES
• Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
• Authentication algorithm: MD5
• Authentication keys: ff003f012ba900bb 00f402303f0100ff
• Concentrator: none
set vpn ipsec manualkey Manual_Tunnel localspi 1000ff remotespi 2000ff
gateway 206.37.33.45 encalg 3des enckey 003f2b01a9002f3b-
004f4b0209003f01-3b00f23bff003eff authalg md5 authkey
ff003f012ba900bb-00f402303f0100ff concentrator none
Use the following command to change the local SPI to bb8 and the authentication algorithm to null
for the tunnel created in the example above.
set vpn ipsec manualkey Manual_Tunnel localspi bb8 authalg null
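A small generator and checker for the key material this command takes, as an added example that is not FortiGate code: it produces random keys of the size each algorithm in the table above requires, in the documented layout (16-digit hexadecimal segments joined by hyphens, SHA1 split 16 + 24), checks pasted keys against that layout, and also produces a pre-shared key that meets the phase 1 guidance in the next section (at least 16 randomly chosen alphanumeric characters). Algorithm names and key sizes are those in the table; everything else is the example's own.

```python
"""Generate and validate manual-key hex material and phase 1 pre-shared keys.

Added example, not FortiGate code. Key sizes per algorithm are those documented
for enckey and authkey; the segment layout (16 hex digits per segment, SHA1 as
16 + 24) is the one the CLI expects.
"""
import re
import secrets
import string

ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
_HEX = re.compile(r"[0-9a-fA-F]+")


def _key_bytes(alg: str) -> int:
    """Key length in bytes for an encalg or authalg value."""
    try:
        return {**ENC_KEY_BYTES, **AUTH_KEY_BYTES}[alg.lower()]
    except KeyError:
        raise ValueError(f"unknown algorithm: {alg}") from None


def _segments(hexdigits: str, alg: str) -> list:
    """Split into the documented segments: 16 digits each, except SHA1 which is 16 + 24."""
    if alg.lower() == "sha1":
        return [hexdigits[:16], hexdigits[16:]]
    return [hexdigits[i:i + 16] for i in range(0, len(hexdigits), 16)]


def generate_key(alg: str) -> str:
    """Random key of the right size, formatted for the CLI. Configure the same value at both ends."""
    return "-".join(_segments(secrets.token_hex(_key_bytes(alg)), alg))


def validate_key(key: str, alg: str) -> bool:
    """True if key has the segment layout and digit count the CLI expects for alg."""
    try:
        expected = _segments("0" * (2 * _key_bytes(alg)), alg)
    except ValueError:
        return False
    parts = key.split("-")
    return (len(parts) == len(expected)
            and all(len(p) == len(e) and _HEX.fullmatch(p) is not None
                    for p, e in zip(parts, expected)))


def generate_psk(length: int = 16) -> str:
    """Pre-shared key of random alphanumeric characters; 16 is the documented minimum."""
    if length < 16:
        raise ValueError("phase 1 guidance calls for at least 16 random characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for alg in ("3des", "aes256", "md5", "sha1"):
        print(f"{alg:7} {generate_key(alg)}")
    print(f"psk     {generate_psk()}")
```

Generate each key once, paste the same value into both gateways, and regenerate on a schedule: manual keys never change by themselves, and they sit in clear text in both configurations. Of the algorithms the table offers, single DES (56-bit) and MD5 are the weak choices; prefer 3DES or AES with SHA1.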

Related commands
• set vpn ipsec concentrator
• get vpn ipsec
• unset vpn ipsec


set vpn ipsec phase1


Add or edit IPSec VPN phase 1 configurations.
When you add a phase 1 configuration, you define how the FortiGate unit and a remote VPN peer
(gateway or client) authenticate themselves to each other prior to the establishment of an IPSec VPN
tunnel. The phase 1 configuration consists of the name of a remote VPN peer, the address type of the
remote peer (static IP or dynamic (dialup)), the proposal settings (encryption and authentication
algorithms) used in the authentication process, and the pre-shared key. For authentication to be
successful, the FortiGate unit and the remote VPN peer must be configured with compatible phase 1
proposal settings.
After you have added a phase 1 configuration, you can change most settings. You cannot, however,
change the type setting (static or dynamic (dialup)). If the VPN peer address changes from either
static to dynamic (dialup) address, or dynamic (dialup) to static address, you must delete the original
phase 1 configuration and add a new one. As a general rule, add only one phase 1 configuration per
remote VPN peer.

Note: VPN is not available in transparent mode.

Syntax description
Keyword Description Default Availability

<name_str>
    If the phase 1 name is new, this command adds a new configuration. If the phase 1 name already exists, this command edits the phase 1 configuration.
    Default: No default. Availability: All models. NAT/Route mode only.

authmethod {psk <preshared-key_str> | rsasig <certificate-name_str>}
    Select psk to authenticate using a pre-shared key. The key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
    Select rsasig to authenticate using a digital certificate. You must enter the name of the digital certificate.
    You must configure certificates before selecting rsasig here. For more information, see “execute vpn certificates local” on page 239 and “execute vpn certificates ca” on page 238.
    Default: No default. Availability: All models. NAT/Route mode only.

dhgrp {[1] [2] [5]}
    Select one or more Diffie-Hellman groups to propose for Phase 1.
    • When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
    • When the VPN peers have dynamic (dialup) IP addresses, select up to three DH groups for a server configuration and select one DH group for a dynamic (dialup) client or gateway.
    • When the VPN peers use main mode, you can select multiple DH groups.
    Default: 5. Availability: All models. NAT/Route mode only.

dpd {enable | disable}
    Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors. It will not be used unless both VPN peers include DPD support.
    Default: enable. Availability: All models. NAT/Route mode only.

dpdidlecleanup <long-idle_integer>
    The DPD long idle setting. Set the time, in seconds, that a link must remain unused before the local VPN peer pro-actively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer. The dpdidlecleanup setting must be greater than 100 and greater than the dpdidleworry setting.
    Default: 300 seconds. Availability: All models. DPD enabled only. NAT/Route mode only.

dpdidleworry <short-idle_integer>
    The DPD short idle setting. Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. The dpdidleworry range is 1 to 300.
    To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, use the dpdretrycount and dpdretryinterval keywords.
    Default: 10 seconds. Availability: All models. DPD enabled only. NAT/Route mode only.

dpdretrycount <retry_integer>
    The DPD retry count. Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpdretrycount range is 0 to 10.
    To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
    Default: 3. Availability: All models. DPD enabled only. NAT/Route mode only.

dpdretryinterval <interval_integer>
    The DPD retry interval. Set the time, in seconds, that the local VPN peer waits between sending DPD probes. The dpdretryinterval range is 1 to 60.
    Default: 5 seconds. Availability: All models. DPD enabled only. NAT/Route mode only.

keylife <keylife_integer>
    Set the keylife time in seconds. The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. <keylife_integer> can be from 120 to 172,800 seconds.
    Default: 28800 seconds. Availability: All models. NAT/Route mode only.

mode {aggressive | main}
    Enter Aggressive or Main (ID Protection) mode. Both modes establish a secure channel. When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden.
    Aggressive mode is typically used when one VPN peer has a dynamic (dialup) address and uses its ID as part of the authentication process. Main mode is typically used when both VPN peers have static IP addresses.
    When using aggressive mode, Diffie-Hellman (DH) groups cannot be negotiated. Therefore, you should enter matching DH configurations on the VPN peers when you use aggressive mode.
    The VPN peers must use the same mode.
    Default: No default. Availability: All models. NAT/Route mode only.

nattraversal {enable | disable}
    Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
    Default: enable. Availability: All models. NAT/Route mode only.

keepalive <frequency_integer>
    Set the NAT traversal keepalive frequency. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 security associations expire. The keepalive frequency can be from 0 to 900 seconds.
    Default: 5 seconds. Availability: All models. NAT traversal only. NAT/Route mode only.

peertype {any | one | dialup}
    Optionally select a peer type.
    Enter any to accept any peer ID (and therefore not authenticate remote VPN peers by ID).
    Enter one to authenticate a specific VPN peer or a group of VPN peers with a shared ID. Use the peerid keyword to set the peer ID.
    Select dialup to authenticate each remote VPN peer with a unique ID. Use the usrgrp keyword to select the required user group.
    Default: any. Availability: All models. NAT/Route mode only.

peerid <peerid_str>
    Enter the peer ID used to authenticate a group of remote VPN peers when peertype is set to one.
    Default: No default. Availability: All models. peertype one only. NAT/Route mode only.

usrgrp {<name_str> | none}
    Enter the user group used to authenticate remote VPN peers when peertype is set to dialup. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here. For more information, see “set user group” on page 116, “set user local” on page 119, and “set user radius” on page 121.
    Default: none. Availability: All models. peertype dialup only. NAT/Route mode only.

proposal {des-md5 des-sha1 3des-md5 3des-sha1 aes128-md5 aes128-sha1 aes192-md5 aes192-sha1 aes256-md5 aes256-sha1}
    Select a minimum of one and a maximum of three encryption and authentication algorithm combinations for the Phase 1 proposal.
    • des-md5: DES encryption, MD5 authentication
    • des-sha1: DES encryption, SHA1 authentication
    • 3des-md5: 3DES encryption, MD5 authentication
    • 3des-sha1: 3DES encryption, SHA1 authentication
    • aes128-md5: AES128 encryption, MD5 authentication
    • aes128-sha1: AES128 encryption, SHA1 authentication
    • aes192-md5: AES192 encryption, MD5 authentication
    • aes192-sha1: AES192 encryption, SHA1 authentication
    • aes256-md5: AES256 encryption, MD5 authentication
    • aes256-sha1: AES256 encryption, SHA1 authentication
    Default: No default. Availability: All models. NAT/Route mode only.

type {static | dynamic}
    If the remote VPN peer has a static IP address, select static or dynamic depending on your requirements.
    If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), select dynamic (dialup).
    Default: No default. Availability: All models. NAT/Route mode only.

gw <gateway_ip>
    If the remote VPN peer has a static IP address, enter the IP address.
    Default: No default. Availability: All models. Static only. NAT/Route mode only.

localid <localid_str>
    Optionally enter a local ID if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer.
    If you add a local ID, the FortiGate unit sends it as if it is a domain name. If you do not add a local ID, the FortiGate unit sends the IP address of its external interface (pre-shared key authentication) or its distinguished name (certificate authentication).
    To exchange IDs, both VPN peers must use Aggressive mode.
    Default: No default. Availability: All models. Static only. NAT/Route mode only.

xauthtype {disable | client | server}
    Optionally configure XAuth (eXtended Authentication).
    Select disable to disable XAuth.
    Select client to configure the FortiGate unit to act as an XAuth client. Use the authusr keyword to add the XAuth user name and password.
    Select server to configure the FortiGate unit as an XAuth server. Use the authsrvtype keyword to set the encryption method used for authentication. Use the authusrgrp keyword to select the user group containing members that must authenticate using XAuth.
    Default: disable. Availability: All models. NAT/Route mode only.

authusr <user_str> <password_str>
    Enter the XAuth client user name and password for the FortiGate unit.
    Default: No default. Availability: All models. XAuth client only. NAT/Route mode only.

authsrvtype {pap | chap | mixed}
    Enter the encryption method used between the XAuth client, the FortiGate unit and the authentication server.
    Select pap to use the Password Authentication Protocol.
    Select chap to use the Challenge-Handshake Authentication Protocol.
    Select mixed to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
    Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. Use mixed if the authentication server supports CHAP but the XAuth client does not.
    Default: pap. Availability: All models. XAuth server only. NAT/Route mode only.

authusrgrp <user-group-name_str>
    When the FortiGate unit is configured as an XAuth server, select the user group used to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here. For more information, see “set user group” on page 116, “set user local” on page 119, and “set user radius” on page 121.
    Default: No default. Availability: All models. XAuth server only. NAT/Route mode only.

Examples
Use the following command to add an IPSec VPN phase 1 configuration with the following
characteristics:
• Tunnel name: Simple_GW
• Type: Dynamic
• Encryption and authentication proposal: DES-MD5
• Authentication method: psk
• Pre-shared key: Qf2p3O93jIj2bz7E
• Mode: aggressive
• Dead Peer Detection: disable
set vpn ipsec phase1 Simple_GW type dynamic proposal des-md5 authmethod psk Qf2p3O93jIj2bz7E mode aggressive dpd disable
Use the following command to change the DH group of the example above to 2 and to add des-sha1 as a second encryption and authentication protocol.
set vpn ipsec phase1 Simple_GW dhgrp 2 proposal des-md5 des-sha1
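The constraints spread through the syntax description above (pre-shared key length, the DH group rule for aggressive mode with static peers, the DPD timer ranges and the dpdidlecleanup ordering rule, the keylife range) are easy to get wrong when a phase 1 entry is typed by hand. The following Python is an added example, not FortiGate code and not part of this guide: it checks a phase 1 parameter set against those documented rules before rendering the CLI line. The Phase1 class, validate() and render() are this example's own names; the example key from the page is used as sample input.

```python
"""Check a set vpn ipsec phase1 parameter set against the rules in the reference,
then render the CLI line. Added example; not FortiGate code."""
from dataclasses import dataclass, field
from typing import List, Optional

# Allowed values, taken from the syntax description above.
PROPOSALS = {"des-md5", "des-sha1", "3des-md5", "3des-sha1",
             "aes128-md5", "aes128-sha1", "aes192-md5", "aes192-sha1",
             "aes256-md5", "aes256-sha1"}
DH_GROUPS = {1, 2, 5}


@dataclass
class Phase1:
    name: str
    type_: str                      # "static" or "dynamic"
    proposal: List[str]
    psk: Optional[str] = None       # authmethod psk <preshared-key_str>
    mode: str = "main"
    dhgrp: List[int] = field(default_factory=lambda: [5])
    dpd: bool = True
    dpdidleworry: int = 10
    dpdidlecleanup: int = 300
    dpdretrycount: int = 3
    dpdretryinterval: int = 5
    keylife: int = 28800
    gw: Optional[str] = None        # required for static peers


def validate(p: Phase1) -> List[str]:
    """Return the list of documented rules the configuration breaks (empty = consistent)."""
    errors: List[str] = []
    if not 1 <= len(p.proposal) <= 3 or not set(p.proposal) <= PROPOSALS:
        errors.append("proposal: choose 1 to 3 of the listed combinations")
    if p.psk is not None:
        if len(p.psk) < 6 or not p.psk.isprintable():
            errors.append("psk: at least 6 printable characters required")
        elif len(p.psk) < 16:
            errors.append("psk: shorter than the recommended 16 random alphanumeric characters")
    if p.type_ not in ("static", "dynamic"):
        errors.append("type: must be static or dynamic")
    if p.type_ == "static" and p.gw is None:
        errors.append("gw: static peers need a gateway IP")
    if not p.dhgrp or len(p.dhgrp) > 3 or not set(p.dhgrp) <= DH_GROUPS:
        errors.append("dhgrp: choose 1 to 3 of groups 1, 2, 5")
    elif p.mode == "aggressive" and p.type_ == "static" and len(p.dhgrp) != 1:
        # DH groups are not negotiated in aggressive mode; static peers must match exactly
        errors.append("dhgrp: aggressive mode with static peers needs a single DH group")
    if p.dpd:
        if not 1 <= p.dpdidleworry <= 300:
            errors.append("dpdidleworry: range is 1 to 300")
        if p.dpdidlecleanup <= 100 or p.dpdidlecleanup <= p.dpdidleworry:
            errors.append("dpdidlecleanup: must exceed 100 and exceed dpdidleworry")
        if not 0 <= p.dpdretrycount <= 10:
            errors.append("dpdretrycount: range is 0 to 10")
        if not 1 <= p.dpdretryinterval <= 60:
            errors.append("dpdretryinterval: range is 1 to 60")
    if not 120 <= p.keylife <= 172800:
        errors.append("keylife: range is 120 to 172800 seconds")
    return errors


def render(p: Phase1) -> str:
    """Build the set vpn ipsec phase1 command line for a validated configuration."""
    parts = ["set vpn ipsec phase1", p.name, "type", p.type_, "proposal", *p.proposal]
    if p.psk is not None:
        parts += ["authmethod", "psk", p.psk]
    parts += ["mode", p.mode, "dhgrp", *map(str, p.dhgrp),
              "dpd", "enable" if p.dpd else "disable"]
    if p.gw:
        parts += ["gw", p.gw]
    return " ".join(parts)


if __name__ == "__main__":
    # The Simple_GW example from the page, with DPD disabled as in the example.
    gw = Phase1("Simple_GW", "dynamic", ["des-md5"], psk="Qf2p3O93jIj2bz7E",
                mode="aggressive", dpd=False)
    print(validate(gw) or "ok")
    print(render(gw))
```

Run validate() first and only emit the line when it returns an empty list; a configuration that trips the dhgrp or dpdidlecleanup rules will typically fail at negotiation time on the peer, which is far harder to diagnose than a rejected line.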

Related commands
• set vpn ipsec phase2
• get vpn ipsec
• unset vpn ipsec


set vpn ipsec phase2


Add or edit an IPSec VPN phase 2 configuration.
The FortiGate unit uses the phase 2 configuration to create and maintain an IPSec VPN tunnel with a
remote VPN peer (the VPN gateway or client). The phase 2 configuration consists of a name for the
VPN tunnel, the name or names of already configured phase 1 remote gateways, the proposal settings
(encryption and authentication algorithms) and DH group used for phase 2. For phase 2 to be
successful, the FortiGate unit and the remote VPN peer must be configured with compatible proposal
settings.

Note: VPN is not available in transparent mode.

Syntax description
Keyword Description Default Availability

<name_str>
    If the phase 2 name is new, this command adds a new configuration. If the phase 2 name already exists, this command edits the phase 2 configuration.
    Default: No default. Availability: All models. NAT/Route mode only.

concentrator {<name_str> | none}
    Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration.
    Default: none. Availability: All models. NAT/Route mode only.

dhgrp {1 | 2 | 5}
    Select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN connection. Select one of DH 1, 2 or 5. The VPN peers must use the same DH Group.
    Default: 5. Availability: All models. NAT/Route mode only.

keepalive {enable | disable}
    Enable keep alive to keep the VPN tunnel running even if no data is being processed.
    Default: disable. Availability: All models. NAT/Route mode only.

keylifekbs <Kbytes_integer>
    Set the number of Kbytes of data transmitted before the phase 2 key expires.
    If you configure both keylifeseconds and keylifekbs, the key expires when either condition is met, whichever occurs first. When the key expires, a new key is generated without interrupting service. <Kbytes_integer> can be 5120 to 99999 kbytes.
    Default: 4608000. Availability: All models. NAT/Route mode only.

keylifeseconds <seconds_integer>
    Set the number of seconds that can elapse before the phase 2 key expires.
    If you configure both keylifeseconds and keylifekbs, the key expires when either condition is met, whichever occurs first. When the key expires, a new key is generated without interrupting service. <seconds_integer> can be 120 to 172800 seconds.
    Default: 1800. Availability: All models. NAT/Route mode only.

pfs {enable | disable}
    Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during Phase 2. PFS may cause minor delays during key generation.
    Default: disable. Availability: All models. NAT/Route mode only.

phase1name {[<name_str> [<name_str> [<name_str>]]]}
    Select up to 3 phase 1 names. Enter set vpn ipsec phase2 test phase1name followed by a space and a ? for a list of available phase1 names.
    Choose either a single dynamic (dialup) phase 1 configuration, or up to three static phase 1 configurations. IPSec redundancy requires multiple static phase 1 configurations.
    Default: No default. Availability: All models. NAT/Route mode only.

proposal {null-null null-md5 null-sha1 des-null des-md5 des-sha1 3des-null 3des-md5 3des-sha1 aes128-null aes128-md5 aes128-sha1 aes192-null aes192-md5 aes192-sha1 aes256-null aes256-md5 aes256-sha1}
    Select a minimum of one and a maximum of three encryption and authentication algorithm combinations to propose for phase 2. Use a space to separate the combinations.
    The VPN peers must use the same P2 proposal settings.
    • null-null: null encryption, null authentication (test only)
    • null-md5: null encryption, MD5 authentication
    • null-sha1: null encryption, SHA1 authentication
    • des-null: DES encryption, null authentication
    • des-md5: DES encryption, MD5 authentication
    • des-sha1: DES encryption, SHA1 authentication
    • 3des-null: 3DES encryption, null authentication
    • 3des-md5: 3DES encryption, MD5 authentication
    • 3des-sha1: 3DES encryption, SHA1 authentication
    • aes128-null: AES128 encryption, null authentication
    • aes128-md5: AES128 encryption, MD5 authentication
    • aes128-sha1: AES128 encryption, SHA1 authentication
    • aes192-null: AES192 encryption, null authentication
    • aes192-md5: AES192 encryption, MD5 authentication
    • aes192-sha1: AES192 encryption, SHA1 authentication
    • aes256-null: AES256 encryption, null authentication
    • aes256-md5: AES256 encryption, MD5 authentication
    • aes256-sha1: AES256 encryption, SHA1 authentication
    Default: No default. Availability: All models. NAT/Route mode only.

replay {enable | disable}
    Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay detection to check the sequence number of every IPSec packet to see if it has been received before. If packets arrive out of sequence, the FortiGate unit discards them.
    You can configure the FortiGate unit to send an alert email when it detects a replay packet. See “set alertemail configuration” on page 34 and “set alertemail setting” on page 35.
    Default: disable. Availability: All models. NAT/Route mode only.

wildcardid {enable | disable}
    Enable or disable a wildcard ID selector for quick mode.
    Default: disable. Availability: All models. NAT/Route mode only.


Examples
Use the following command to add a phase 2 configuration with the following characteristics:
• Name: New_Tunnel
• Phase 1 name: Simple_GW
• Encryption and authentication proposal: des-md5
• Keylife seconds: 18001
• Diffie-Hellman group: 2
• Replay detection: enable
• Perfect forward secrecy: enable
• Keepalive: enable
• Concentrator: none
set vpn ipsec phase2 New_Tunnel phase1name Simple_GW proposal des-md5 keylifeseconds 18001 dhgrp 2 replay enable pfs enable keepalive enable concentrator none
Use the following command to change the DH group to 5 and to disable replay detection in the phase 2 example configuration above.
set vpn ipsec phase2 New_Tunnel dhgrp 5 replay disable
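Two phase 2 behaviours in the syntax description above are worth seeing as logic rather than prose: the key expires when either keylifeseconds or keylifekbs is reached, whichever comes first, and replay detection rejects a packet whose sequence number has already been accepted. The following Python is an added example written for this section, not FortiGate code; the Phase2SA class and its method names are this example's own. It models the dual lifetime exactly as documented. For replay detection it uses the standard IPsec sliding anti-replay window (an assumed refinement of "discard out-of-sequence packets": duplicates and packets older than the window are dropped, limited reordering inside the window is tolerated); the window width of 64 is an assumption, not a FortiGate value.

```python
"""Phase 2 SA model: dual keylife (seconds or kbytes, whichever first) and
sequence-number replay detection. Added example; not FortiGate code."""
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class Phase2SA:
    keylifeseconds: int = 1800          # page defaults
    keylifekbs: int = 4608000
    replay: bool = False
    window: int = 64                    # assumed anti-replay window width
    created_at: float = 0.0             # seconds, same clock as needs_rekey(now)
    kbytes_sent: float = 0.0
    highest_seq: int = 0                # highest sequence number accepted so far
    seen: Set[int] = field(default_factory=set)   # accepted numbers still inside the window

    def needs_rekey(self, now: float) -> bool:
        """The key expires when either limit is met, whichever occurs first."""
        return (now - self.created_at >= self.keylifeseconds
                or self.kbytes_sent >= self.keylifekbs)

    def send(self, nbytes: int) -> None:
        """Account outbound payload bytes against keylifekbs."""
        self.kbytes_sent += nbytes / 1024

    def accept(self, seq: int) -> Tuple[bool, str]:
        """Decide whether an inbound packet with this sequence number is accepted."""
        if not self.replay:
            return True, "replay detection disabled"
        if seq <= 0:
            return False, "invalid sequence number"
        if seq > self.highest_seq:
            # Slide the window forward and forget numbers that drop off its left edge.
            self.highest_seq = seq
            low = seq - self.window + 1
            self.seen = {s for s in self.seen if s >= low}
            self.seen.add(seq)
            return True, "new highest"
        if seq <= self.highest_seq - self.window:
            return False, "too old (outside window)"
        if seq in self.seen:
            return False, "replayed"      # the case a replayed capture produces
        self.seen.add(seq)
        return True, "reordered within window"


if __name__ == "__main__":
    # The New_Tunnel example from the page, with a small window to show the mechanics.
    sa = Phase2SA(keylifeseconds=18001, replay=True, window=8)
    for seq in (1, 3, 2, 2, 20, 5, 13):
        print(seq, sa.accept(seq))
    print("rekey after 18001 s:", sa.needs_rekey(now=18001.0))
```

The "replayed" branch is the event the replay keyword's alert email reports; the "too old" branch is what a captured burst produces once the window has moved on. Note that the second accept(2) in the demonstration is the only true duplicate, and it is the only call rejected as a replay.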

Related commands
• set vpn ipsec phase1
• get vpn ipsec
• unset vpn ipsec


set vpn l2tp


L2TP clients must be able to authenticate with the FortiGate unit to start an L2TP session. To support
L2TP authentication, you must add a user group to the FortiGate configuration. See “set user group”
on page 116.
After you have added a user group, use this command to enable L2TP and specify an L2TP address
range. The L2TP address range is the range of addresses that must be reserved for remote L2TP
clients. When a remote L2TP client connects to the internal network using L2TP, the client computer is
assigned an IP address from this range. The L2TP address range can be on any subnet.
You can also use this command to disable L2TP, change the starting or ending IP of the L2TP address
range, or change the user group.
Add external to internal firewall policies to control the access that L2TP users have through the
FortiGate unit. Set the source address to match the L2TP address range and the destination address
to the address on your internal network or zone to which L2TP users can connect. Set the policy
service to the service that matches the traffic type inside the L2TP VPN tunnel. For example, if L2TP
users can access a web server, set service to HTTP. Set the policy action to ACCEPT and select NAT
if required. See “set firewall policy” on page 53.

Note: The first time you configure the L2TP address range you must enter a starting IP, an ending IP and a user
group.

Note: L2TP VPN is not available in transparent mode.

Syntax description
Keyword Description Default Availability

eip <ending_ip>
    The ending IP address of the L2TP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.

sip <starting_ip>
    The starting IP address of the L2TP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.

status {enable | disable}
    Enable or disable L2TP VPN.
    Default: disable. Availability: All models. NAT/Route mode only.

usrgrp <name_str>
    Add a user group to support L2TP authentication. The user group can contain users added to the FortiGate user database, authentication servers (LDAP and RADIUS), or both.
    Default: No default. Availability: All models. NAT/Route mode only.

Example
Use the following command to enable L2TP and set the L2TP address range for the first time using a
starting IP of 192.168.1.150, an ending IP of 192.168.1.160 and a user group named L2TP_users:
set vpn l2tp status enable sip 192.168.1.150 eip 192.168.1.160 usrgrp L2TP_users
Use the following command to change the starting IP of the L2TP address range:
set vpn l2tp status enable sip 192.168.1.140
Related commands
• get vpn l2tp range


set vpn pptp


PPTP clients must be able to authenticate with the FortiGate unit to start a PPTP session. To support
PPTP authentication, you must add a user group to the FortiGate configuration. See “set user group”
on page 116.
After you have added a user group, use this command to enable PPTP and specify a PPTP address
range. The PPTP address range is the range of addresses that must be reserved for remote PPTP
clients. When a remote PPTP client connects to the internal network using PPTP, the client computer
is assigned an IP address from this range. The PPTP address range can be on any subnet.
You can also use this command to disable PPTP, change the starting or ending IP of the PPTP
address range, or change the user group.
Add external to internal firewall policies to control the access that PPTP users have through the
FortiGate unit. Set the source address to match the PPTP address range and the destination address
to the address on your internal network or zone to which PPTP users can connect. Set the policy
service to the service that matches the traffic type inside the PPTP VPN tunnel. For example, if PPTP
users can access a web server, set service to HTTP. Set the policy action to ACCEPT and select NAT
if required.

Note: The first time you configure the PPTP address range you must enter a starting IP, an ending IP and a user
group.

Note: PPTP VPN is not available in transparent mode.

Syntax description
Keyword Description Default Availability

eip <ending_ip>
    The ending address of the PPTP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.

sip <starting_ip>
    The starting address of the PPTP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.

status {enable | disable}
    Enable or disable PPTP VPN.
    Default: disable. Availability: All models. NAT/Route mode only.

usrgrp <name_str>
    Add a user group to support PPTP authentication. The user group can contain users added to the FortiGate user database, authentication servers (LDAP and RADIUS), or both.
    Default: No default. Availability: All models. NAT/Route mode only.

Example
Use the following command to enable PPTP and set the PPTP address range for the first time using a
starting IP of 192.168.1.100, an ending IP of 192.168.1.130 and a user group named PPTP_users:
set vpn pptp status enable sip 192.168.1.100 eip 192.168.1.130 usrgrp PPTP_users
Use the following command to change the starting IP of the PPTP address range:
set vpn pptp status enable sip 192.168.1.110
Related commands
• get vpn pptp range


set webfilter cerberian


Use this command to configure support for Cerberian web filtering. For information about Cerberian
web filtering, see www.cerberian.com.
You can purchase a Cerberian web filtering licence when you purchase your FortiGate unit. To use
Cerberian web filtering, the FortiGate unit must have access to the Internet.

Syntax description
Keyword Description Default Availability

add <address_ip> <netmask_ip> [alias <user-name_str>]
    Add an IP address and netmask to identify the FortiGate user. This can be the address of a single computer or of a subnet. If IP addresses on your internal network are set using DHCP, use a subnet that includes the addresses controlled by the DHCP server.
    Optionally enter an alias for the user. The alias is the user name you add to a user group on the Cerberian server. If you do not enter an alias, the IP address is added to the default user group on the Cerberian server.
    Default: No default. Availability: All models.

delete <address_ip> <netmask_ip>
    Delete the user information.
    Default: No default. Availability: All models.

license <license_str>
    Enter the Cerberian license key. You must have a licence key to use Cerberian web filtering.
    Default: No default. Availability: All models.

status {enable | disable}
    Enable or disable Cerberian web filtering. For Cerberian web filtering to work, you must enable URL Block for HTTP in a content profile. For more information on content profiles, see “set firewall profile” on page 57.
    Default: disable. Availability: All models.

Examples
Use the following commands to:
• add the cerberian licence key, testkey
• add the Cerberian user with the IP address 192.168.100.19, the netmask 255.255.255.255 and the
alias User_1, to the FortiGate unit
• enable your Cerberian web filtering settings for use in content profiles
set webfilter cerberian license testkey
set webfilter cerberian add 192.168.100.19 255.255.255.255 alias User_1
set webfilter cerberian status enable

Related commands
• get webfilter
• set firewall profile


set webfilter content


Use this command to add, edit or delete words or phrases on the Web Filter content block list.
For the content block list to work, you must enable Banned Word for HTTP in a content profile. For
more information, see “set firewall profile” on page 57.

Syntax description
Keyword Description Default Availability

add word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
    Add a word or phrase to the banned word list.
    If you enter a single word (for example, banned), the FortiGate blocks all web pages that contain that word.
    If you type a phrase, you must add + between the words (for example, banned+phrase). The FortiGate blocks web pages that contain both of the words.
    If you type a phrase in quotes, you must also include the + (for example, "banned+word"). The FortiGate blocks all web pages where the words are found together as a phrase.
    Content filtering is not case-sensitive. You cannot include special characters in banned words.
    The language or character set for the banned word or phrase. You can choose:
    • 0 for Western
    • 1 for Simplified Chinese
    • 2 for Traditional Chinese
    • 3 for Japanese
    • 4 for Korean
    Enable or disable content filtering for this word or phrase.
    Default: No default. Availability: All models.

delete {<word_integer> | all}
    Enter a number to delete the specified word or phrase from the content block list. Use the command get webfilter content for a numbered list of banned words. Enter all to delete all the words on the content block list.
    Default: No default. Availability: All models.

edit <word_integer> word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
    Edit a word or phrase on the banned word list.
    Enter a number to edit the specified word or phrase from the content block list. Use the command get webfilter content for a numbered list of banned words.
    You can make changes to any or all of the word or phrase, language or character set, or state.
    Default: No default. Availability: All models.

Example
Use the following command to add the exact phrase "banned phrase" in the Western character set
to the Web Filter content filtering list.
set webfilter content add word "banned+phrase" language 0 state enable
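The three entry forms in the syntax description (a single word, word1+word2 meaning both words anywhere on the page, and "word1+word2" meaning the words together as a phrase) behave differently, and the difference decides whether a page such as the one in the example is blocked. The following Python is an added example, not FortiGate code and not part of this guide, that implements those documented semantics for Western (language 0) text along with the add, delete and state rules. The ContentBlockList and BannedEntry names are this example's own; treating a banned word as a whole word (so "banned" does not fire on "unbanned") is an assumption, as the guide only says the page must "contain that word".

```python
"""Content block list matcher for the documented entry forms:
word, word1+word2 (both present) and "word1+word2" (exact phrase).
Added example; not FortiGate code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# language / character set codes from the syntax description
LANGUAGES = {0: "Western", 1: "Simplified Chinese", 2: "Traditional Chinese",
             3: "Japanese", 4: "Korean"}


def _split(pattern: str):
    """Return (quoted?, list of words) for an entry exactly as typed on the CLI."""
    quoted = len(pattern) >= 2 and pattern[0] == pattern[-1] == '"'
    body = pattern[1:-1] if quoted else pattern
    return quoted, body.split("+")


@dataclass
class BannedEntry:
    pattern: str            # exactly as typed: banned, banned+phrase or "banned+phrase"
    language: int = 0
    state: bool = True      # state enable | disable

    def matches(self, page_text: str) -> bool:
        if not self.state:
            return False
        quoted, words = _split(self.pattern)
        if quoted:
            # words must occur together, in order, separated only by whitespace
            pat = r"(?<!\w)" + r"\s+".join(map(re.escape, words)) + r"(?!\w)"
            return re.search(pat, page_text, re.I) is not None
        # every word must occur somewhere on the page, in any order (assumed whole-word)
        return all(re.search(r"(?<!\w)" + re.escape(w) + r"(?!\w)", page_text, re.I)
                   for w in words)


class ContentBlockList:
    def __init__(self) -> None:
        self.entries: List[BannedEntry] = []

    def add(self, word: str, language: int = 0, state: bool = True) -> None:
        """set webfilter content add word <word_str> language <n> state <enable|disable>"""
        if language not in LANGUAGES:
            raise ValueError("language must be 0 to 4")
        _, words = _split(word)
        # no special characters in banned words (the + separator is not part of a word)
        if any(not w.isalnum() for w in words):
            raise ValueError("banned words may not be empty or contain special characters")
        self.entries.append(BannedEntry(word, language, state))

    def delete(self, which) -> None:
        """delete <word_integer> (1-based, as numbered by get webfilter content) or 'all'."""
        if which == "all":
            self.entries.clear()
        else:
            del self.entries[int(which) - 1]

    def first_match(self, page_text: str) -> Optional[str]:
        """The entry that blocks this page, or None if no enabled entry matches."""
        for e in self.entries:
            if e.matches(page_text):
                return e.pattern
        return None


if __name__ == "__main__":
    lst = ContentBlockList()
    lst.add('"banned+phrase"')                     # the example from the page
    lst.add("banned+word")                         # both words, any order
    sample = "Some banned   phrase appears on this constructed page."   # constructed input
    print(lst.first_match(sample))                 # "banned+phrase"
```

Order matters: first_match() returns the first enabled entry in list order, which is the same order get webfilter content numbers them, so the number you pass to delete or edit refers to a stable position only until an earlier entry is removed.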

Related commands
• get webfilter
• set firewall profile


set webfilter exempturl


Use this command to add, edit or delete URLs on the URL Exempt list.
For the URL Exempt list to work, you must enable URL Exempt for HTTP in a content profile. For more
information, see “set firewall profile” on page 57.

Note: Content downloaded from exempt web pages is not blocked or scanned by antivirus protection.

Syntax description
Keyword Description Default Availability

add <exempt-url_str> state {enable | disable}
    Enter a complete URL, including path and filename, to exempt access to a page on a web site. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt.
    Exempting a top level URL, such as www.goodsite.com, exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules.
    Exempting a top level URL will not exempt pages such as mail.goodsite.com from all content and URL filtering rules unless goodsite.com (without the www) is added to the Exempt List.
    Enable or disable exempting this URL.
    Default: No default. Availability: All models.

delete {<url_integer> | all}
    Enter a number to delete the specified URL from the exempt list. Use the command get webfilter exempturl for a numbered list of exempt URLs. Enter all to delete all the URLs on the exempt list.
    Default: No default. Availability: All models.

edit <url_integer> newurl <exempt-url_str> state {enable | disable}
    Edit a URL on the exempt list.
    Enter a number to edit the specified URL from the exempt list. Use the command get webfilter exempturl for a numbered list of exempt URLs.
    You can make changes to the URL or state.
    Default: No default. Availability: All models.

Example
Use the following command to add the URL www.oksite.com/index.html to the list of URLs that
are exempt from content and URL blocking.
set webfilter exempturl add www.oksite.com/index.html state enable

Related commands
• get webfilter
• set firewall profile


set webfilter script


Use this command to enable or disable script filtering to block Java applets, cookies, and ActiveX
controls.
For script filtering to work, you must enable Script Filter for HTTP in a content profile. For more
information, see “set firewall profile” on page 57.

Syntax description
Keyword Description Default Availability

{activex | cookie | java}
    Select activex, cookie or java as required.
    Default: No default. Availability: All models.

status {enable | disable}
    For each keyword above, enable or disable blocking Java applets, cookies, or ActiveX controls.
    Default: disable. Availability: All models.

Examples
Use the following command to configure script filtering to block cookies.
set webfilter script cookie status enable

Related commands
• get webfilter
• set firewall profile


set webfilter url


Use this command to add, edit or delete URLs on the URL Block list.
For the URL Block list to work, you must enable URL Block for HTTP in a content profile. For more
information, see “set firewall profile” on page 57.

Note: URL blocking does not block access to other services that users can access with a web browser. For
example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall
policies to deny FTP connections.

Syntax description
Keyword Description Default Availability

add <url_str> state {enable | disable}
    You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.
    Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website.
    Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website.
    To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on.
    Enable or disable blocking this URL.
    Default: No default. Availability: All models.

delete {<url_integer> | all}
    Enter a number to delete the specified URL from the block list. Use the command get webfilter url for a numbered list of blocked URLs. Enter all to delete all the URLs on the block list.
    Default: No default. Availability: All models.

edit <url_integer> newurl <block-url_str> state {enable | disable}
    Edit a URL on the block list.
    Enter a number to edit the specified URL from the block list. Use the command get webfilter url for a numbered list of blocked URLs.
    You can make changes to the URL or state.
    Default: No default. Availability: All models.

Example
Use the following commands to add the example URL www.badsite.com/index.html to the URL
block list.
set webfilter url add www.badsite.com/index.html state enable
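The URL Exempt list (set webfilter exempturl, above) and the URL Block list share one matching model: an entry with a path matches a single page, a host-only entry matches every page on that host, and a bare domain such as badsite.com or goodsite.com matches every host that ends with it, while www.goodsite.com does not cover mail.goodsite.com. The following Python is an added example for both commands, not FortiGate code and not part of this guide; UrlEntry, split_request() and decide() are this example's own names. It assumes exempt entries are checked before block entries (the guide says an exempt match skips all content and URL filtering), that suffix matching applies only on a label boundary (so badsite.com never covers notbadsite.com), and that query strings are ignored when comparing a single-page entry. The block and exempt lists in the demonstration are constructed sample data using the guide's example hostnames.

```python
"""Decision logic for the URL Block and URL Exempt lists. Added example; not FortiGate code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    url: str             # as typed on the CLI: host, host/path/file, or bare domain; no http://
    state: bool = True   # state enable | disable

    def __post_init__(self) -> None:
        if "://" in self.url:
            raise ValueError("do not include http:// in the URL")
        host, _, rest = self.url.partition("/")
        self.host = host.lower()
        # None means "all pages on this host"; otherwise exactly one page
        self.path: Optional[str] = "/" + rest if rest else None

    def matches(self, req_host: str, req_path: str) -> bool:
        if not self.state:
            return False
        # exact host, or the request host ends with ".<entry>" on a label boundary:
        # badsite.com covers www.badsite.com and mail.badsite.com, not notbadsite.com
        if not (req_host == self.host or req_host.endswith("." + self.host)):
            return False
        return self.path is None or req_path == self.path


def split_request(url: str) -> Tuple[str, str]:
    """Normalise a requested URL (with or without scheme) to (host, path)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def decide(url: str, block_list: List[UrlEntry], exempt_list: List[UrlEntry]) -> Tuple[str, str]:
    """('exempt', entry) if an exempt entry matches, so no URL or content filtering applies;
    ('block', entry) if a block entry matches; otherwise ('allow', 'no match')."""
    host, path = split_request(url)
    for e in exempt_list:
        if e.matches(host, path):
            return "exempt", e.url
    for e in block_list:
        if e.matches(host, path):
            return "block", e.url
    return "allow", "no match"


if __name__ == "__main__":
    # constructed lists built from the guide's example entries
    block = [UrlEntry("www.badsite.com/index.html"), UrlEntry("badsite.com"),
             UrlEntry("122.133.144.155")]
    exempt = [UrlEntry("www.goodsite.com"), UrlEntry("www.oksite.com/index.html")]
    for req in ("http://www.badsite.com/index.html", "http://mail.badsite.com/inbox",
                "http://www.goodsite.com/badpage", "http://mail.goodsite.com/",
                "http://www.oksite.com/other.html"):
        print(req, "->", decide(req, block, exempt))
```

The mail.goodsite.com case is the one the exempturl description calls out: with only www.goodsite.com exempted it falls through to the block list, and it is exempted only once goodsite.com itself is added. The same suffix rule is what makes a bare badsite.com entry broad, so review bare-domain entries on both lists with that reach in mind.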

Related commands
• get webfilter
• set firewall profile



FortiGate CLI Reference Guide Version 2.50

unset commands
Use unset commands to delete settings from your FortiGate configuration.

unset firewall address
unset firewall addrgrp
unset firewall ipmacbinding
unset firewall ippool
unset firewall onetimeschedule
unset firewall policy
unset firewall profile
unset firewall recurringschedule
unset firewall service
unset firewall vip
unset log filter
unset system admin
unset system dhcpserver
unset system hostname
unset system route number
unset system route policy
unset system secondip
unset system sessionttl
unset system vlan
unset system zone
unset user group
unset user ldap
unset user local
unset user radius
unset vpn certificates
unset vpn ipsec


unset firewall address


Use this command to delete addresses no longer needed in firewall policies. To delete an address that
has been added to a policy, you must first remove the address from the policy.

Syntax description
Keyword: <name_str>
Description: The name of the address to delete. Use the command unset firewall address followed by a space and ? for a list of addresses. If you try to delete an address that is in use by a policy, the FortiGate CLI returns the error message: Entry is used.
Availability: All models.

Examples
Use the following command to delete the address named User_1.
unset firewall address User_1

Related commands
• set firewall address
• get firewall address


unset firewall addrgrp


Use this command to delete address groups no longer needed in firewall policies. To delete an
address group that has been added to a policy, you must first remove the address group from the
policy.

Syntax description
Keyword: <name_str>
Description: The name of the address group to delete. Use the command unset firewall addrgrp followed by a space and ? for a list of address groups.
Availability: All models.

Examples
Use the following command to delete the address group named Internal_1.
unset firewall addrgrp Internal_1

Related commands
• set firewall addrgrp
• get firewall addrgrp


unset firewall ipmacbinding


Use this command to delete IP and MAC address pairs from the IP/MAC binding table.

Syntax description
Keyword: table <order_integer>
Description: The order number of the IP/MAC binding pair on the IP/MAC binding table. Use the command unset firewall ipmacbinding table followed by a space and ? to display the IP/MAC binding table.
Availability: All models.

Examples
Use the following command to delete the IP and MAC address pair numbered 2.
unset firewall ipmacbinding table 2

Related commands
• set firewall ipmacbinding setting
• get firewall ipmacbinding


unset firewall ippool


Use this command to remove IP address pools.

Syntax description
Keyword: ippool <id_integer>
Description: Delete the IP pool with the specified number. Enter the command unset firewall ippool followed by a space and ? for a list of IP pools and their corresponding numbers and interfaces.
Availability: All models. Not available in Transparent mode.

Examples
Use the following command to remove an IP pool numbered 2.
unset firewall ippool 2

Related commands
• set firewall ippool
• get firewall ippool


unset firewall onetimeschedule


Use this command to delete a one-time schedule. To delete a schedule that has been added to a
policy, you must first remove the schedule from the policy.

Syntax description
Keyword: <name_str>
Description: Enter the name of the one-time schedule to delete. Use the command unset firewall onetimeschedule followed by a space and ? to get a list of one-time schedules.
Availability: All models.

Examples
Use the following command to delete the schedule named Holiday.
unset firewall onetimeschedule Holiday

Related commands
• set firewall onetimeschedule
• get firewall schedule


unset firewall policy


Use this command to delete a firewall policy.

Syntax description
Keyword: srcintf <name_str>
Description: Enter the source interface for the policy. On all FortiGate models srcintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added, or a zone if you have added firewall addresses to the zone and have added at least one interface or VLAN subinterface to the zone. Use the command unset firewall policy srcintf followed by a space and ? for a list of available interfaces.
Availability: All models.

Keyword: dstintf <name_str>
Description: Enter the destination interface for the policy. The same interface, VLAN subinterface and zone rules apply as for srcintf. Use the command unset firewall policy srcintf <intf_str> dstintf followed by a space and ? for a list of available interfaces.
Availability: All models.

Keyword: policyid <id_int>
Description: Enter the ID number of the policy to delete. Every firewall policy is identified by its srcintf, dstintf, and policyid, and every srcintf, dstintf, and policyid combination is unique. Use the command unset firewall policy srcintf <intf_str> dstintf <intf_str> policyid followed by a space and ? for a list of available policies and their ID numbers.
Availability: All models.

Examples
Use the following command to delete the policy in the Internal to External policy list with the policy id
number 3.
unset firewall policy srcintf internal dstintf external policyid 3

Related commands
• set firewall policy
• get firewall policy


unset firewall profile


Delete a firewall profile.

Note: The profile cannot be removed if it is used in any firewall policies.

Syntax description
Keyword: <name_str>
Description: The name of the profile to delete. Use the command get firewall profile for a list of profiles. The profile name is case sensitive.
Availability: All models.

Examples
Use the following command to unset the profile named Newtest.
unset firewall profile Newtest

Related commands
• set firewall profile
• get firewall profile


unset firewall recurringschedule


Use this command to delete a recurring schedule. To delete a schedule that has been added to a
policy, you must first remove the schedule from the policy.

Syntax description
Keyword: <name_str>
Description: Enter the name of the recurring schedule to delete. Use the command unset firewall recurringschedule followed by a space and ? to get a list of recurring schedules.
Availability: All models.

Examples
Use the following command to delete the recurring schedule named access.
unset firewall recurringschedule access

Related commands
• set firewall recurringschedule
• get firewall schedule


unset firewall service


Delete custom services or service groups.

Syntax description
Keyword: custom <name_str>
Description: The name of the custom service to delete. Use the command get firewall service custom for a list of custom services.
Availability: All models.

Keyword: group <name_str>
Description: The name of the service group to delete. Use the command get firewall service group for a list of service groups.
Availability: All models.

Examples
Use the following command to delete a service group named marketing.
unset firewall service group marketing

Related commands
• set firewall service custom
• set firewall service group
• get firewall service


unset firewall vip


Delete virtual IPs. You cannot delete virtual IPs that have been added to firewall policies.

Note: Virtual IPs are not available in Transparent mode.

Syntax description
Keyword: <name_str>
Description: The name of the virtual IP to delete. Enter unset firewall vip followed by a space and ? for a list of virtual IPs.
Availability: All models.

Examples
Use the following command to delete a virtual IP named http_server.
unset firewall vip http_server

Related commands
• set firewall vip
• get firewall vip


unset log filter


Remove a traffic log filtering rule.

Note: Traffic logging is not available when logging to system memory.

Syntax description
Keyword: traffic rule <name_str>
Description: Remove the named traffic log filtering rule. Use the command get log trafficfilter for a list of traffic filter rules.
Availability: All models.

Examples
Use the following command to delete the traffic filter rule named test.
unset log filter traffic rule test

Related commands
• set log trafficfilter rule
• get log trafficfilter


unset system admin


Use this command to delete an administrator account.
When the FortiGate unit is initially installed, it is configured with a single administrator account with the
user name admin. This is the only account with permission to delete other administrator accounts. The
admin account itself cannot be deleted.

Syntax description
Keyword: username <name_str>
Description: The user name of the administrator account to delete. Enter unset system admin username followed by a space and ? for a list of administrator account names.
Availability: All models.

Examples
Use the following command to delete an administrator account with the user name newadmin.
unset system admin username newadmin

Related commands
• set system admin
• get system admin


unset system dhcpserver


Remove a reserved IP/MAC address pair added to the FortiGate DHCP server configuration.
Reserved IP and MAC address pairs are added to the FortiGate DHCP server configuration so that the
device with the given MAC address is always assigned the specified IP address.

Syntax description
Keyword: reserve <reserve_ip>
Description: Enter the IP address of the reserved IP/MAC pair to remove. Enter unset system dhcpserver reserve followed by a space and ? for a list of reserved IP/MAC pairs.
Availability: All models.

Examples
Use the following command to remove the IP/MAC address pair with a reserved IP address of
192.168.20.45
unset system dhcpserver reserve 192.168.20.45

Related commands
• set system dhcpserver
• get system dhcpserver


unset system hostname


Remove the FortiGate unit host name. The FortiGate host name is used as the SNMP system name.

Examples
Use the following command to remove the FortiGate unit host name.
unset system hostname

Related commands
• get system status
• set system hostname
• set system snmp


unset system route number


Remove a destination route from the routing table.

Syntax description
Keyword: <route_integer>
Description: The number of the destination route to delete from the routing table. Enter unset system route number followed by a space and ? for a list of routes.
Availability: All models.

Examples
Use the following command to delete destination route number 1.
unset system route number 1

Related commands
• set system route number
• get system route table


unset system route policy


Remove a policy route from the policy routing database.

Syntax description
Keyword: <policy_integer>
Description: The number of the policy route to delete from the policy routing database. Enter unset system route policy followed by a space and ? for a list of policy routes.
Availability: All models.

Examples
Use the following command to delete route policy number 5.
unset system route policy 5

Related commands
• set system route policy
• get system route policy


unset system secondip


Remove the secondary IP address and netmask from an interface. This command sets the secondary
IP address and netmask to 0.0.0.0 and 0.0.0.0. Other secondary interface configuration information is
not changed by this command.

Syntax description
Keyword: <intf-name_str>
Description: The name of the interface for which to set the secondary IP address and netmask to 0.0.0.0 and 0.0.0.0.
Availability: All models. Not available in Transparent mode.

Examples
Use the following command to set the secondary IP and netmask of the external interface to 0.0.0.0
and 0.0.0.0.
unset system secondip external

Related commands
• set system interface
• get system interface


unset system sessionttl


Use this command to remove session timeout configurations for specific ports.

Syntax description
Keyword: <port_integer>
Description: The number of the port for which to remove a session timeout configuration.
Availability: All models.

Examples
Use the following command to remove the session timeout configuration for SSH on port 22:
unset system sessionttl 22

Related commands
• set system session_ttl
• get system sessionttl


unset system vlan


Use this command to delete a VLAN subinterface. You cannot delete a VLAN subinterface if you have
added addresses to it.

Syntax description
Keyword: vlan <name_str>
Description: The name of the VLAN subinterface to delete. Use the command unset system vlan followed by a space and ? for a list of VLANs.
Availability: Models numbered 400 and higher. NAT/Route mode only.

Examples
Use the following command to delete a VLAN subinterface named Sub_1.
unset system vlan Sub_1

Related commands
• get system vlan
• set system vlan


unset system zone


Use this command to delete a zone. You cannot delete a zone if you have added an interface to it.

Syntax description
Keyword: zone <name_str>
Description: The name of the zone to delete. Enter unset system zone followed by a space and ? for a list of zones.
Availability: Models numbered 400 and higher. NAT/Route mode only.

Examples
Use the following command to delete a zone named Finance.
unset system zone Finance

Related commands
• get system zone
• set system zone


unset user group


Delete a user group. You cannot delete user groups that have been added to a policy, remote gateway,
PPTP, or L2TP configuration.

Syntax description
Keyword: name <name_str>
Description: The name of the user group to delete. Enter unset user group name followed by a space and ? for a list of user group names.
Availability: All models.

Examples
Use the following command to delete a user group named FTP_grp:
unset user group name FTP_grp

Related commands
• set user group
• get user


unset user ldap


Delete an LDAP server. You cannot delete LDAP servers that have been added to user groups.

Syntax description
Keyword: server <name_str>
Description: The name of the LDAP server to delete. Enter unset user ldap server followed by a space and ? for a list of LDAP server names.
Availability: All models.

Examples
Use the following command to delete the LDAP server named LDAP_1.
unset user ldap server LDAP_1

Related commands
• set user group
• set user ldap
• get user


unset user local


Delete a user name from the local FortiGate user database. Before you delete a user name, remove it
from any user groups it has been added to.

Syntax description
Keyword: name <name_str>
Description: The user name to delete. Enter unset user local name followed by a space and ? for a list of user names.
Availability: All models.

Examples
Use the following command to delete the user name User1:
unset user local name User1

Related commands
• set user group
• set user local
• get user


unset user radius


Delete a RADIUS server. You cannot delete RADIUS servers that have been added to user groups.

Syntax description
Keyword: server <name_str>
Description: The name of the RADIUS server to delete. Enter unset user radius server followed by a space and ? for a list of RADIUS server names.
Availability: All models.

Examples
Use the following command to delete the RADIUS server named MainRADIUS:
unset user radius server MainRADIUS

Related commands
• set user group
• set user radius
• get user


unset vpn certificates


Use this command to delete local and CA certificates.

Note: The unset vpn certificates command is not available in Transparent mode.

Syntax description
Keyword: ca <name_str>
Description: Delete the named CA certificate. Use the command unset vpn certificates ca followed by a space and ? for a list of CA certificate names.
Availability: All models.

Keyword: local <name_str>
Description: Delete the named local certificate. Use the command unset vpn certificates local followed by a space and ? for a list of local certificate names.
Availability: All models.

Examples
Use the following command to delete a local certificate:
unset vpn certificates local branch_office_ca
Use the following command to delete a CA certificate:
unset vpn certificates ca trust_ca

Related commands
• execute vpn certificates ca
• execute vpn certificates local
• get vpn certificates


unset vpn ipsec


Use this command to delete IPSec VPN phase 1, phase 2, concentrator, or manual key tunnel
configurations. Phase 1 configurations must be removed from phase 2 configurations before the
phase 1 configuration can be deleted.

Note: The unset vpn ipsec command is not available in Transparent mode.

Syntax description
Keyword: concentrator <name_str>
Description: Delete an IPSec VPN concentrator. Use the command unset vpn ipsec concentrator followed by a space and ? for a list of concentrator configurations.
Availability: All models.

Keyword: manualkey <name_str>
Description: Delete an IPSec manual key tunnel. Use the command unset vpn ipsec manualkey followed by a space and ? for a list of manual key configurations.
Availability: All models.

Keyword: phase1 <name_str>
Description: Delete the named IPSec phase 1 configuration. Use the command unset vpn ipsec phase1 followed by a space and ? for a list of phase 1 configurations.
Availability: All models.

Keyword: phase2 <name_str>
Description: Delete the named IPSec phase 2 configuration. Use the command unset vpn ipsec phase2 followed by a space and ? for a list of phase 2 configurations.
Availability: All models.

Examples
Use the following command to delete an IPSec VPN concentrator.
unset vpn ipsec concentrator Concentrator_1
Use the following command to delete an IPSec VPN manual key tunnel.
unset vpn ipsec manualkey Manual_1
Use the following command to delete an IPSec VPN phase 1 configuration.
unset vpn ipsec phase1 Remote_GW
Use the following command to delete an IPSec VPN phase 2 configuration.
unset vpn ipsec phase2 Auto_1

Related commands
• set vpn ipsec phase1
• set vpn ipsec phase2
• set vpn ipsec concentrator
• set vpn ipsec manualkey
• get vpn ipsec
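Almost every unset command in this chapter shares one precondition: an object that something else still references cannot be deleted (an address in a policy fails with Entry is used, a phase 1 used by a phase 2 must wait until the phase 2 is gone, a user must leave its groups first). When tearing down more than a handful of objects it is worth computing the order once instead of trial and error. The following is an added example, not code from the manual or from Fortinet: it takes a batch of objects with their reference relations and emits the unset commands documented on this page in an order the unit will accept. The object names and the "uses" relations in the sample batch are constructed (they reuse the example names from this chapter); only the command syntax comes from the page.

```python
# Added example (not from the FortiGate manual or Fortinet): order a batch of
# FortiGate 2.50 `unset` commands so that every referrer is removed before the
# object it references. Sample names and relations below are constructed.

# unset syntax from this chapter, keyed by a short object kind.
UNSET_SYNTAX = {
    "address": "unset firewall address {name}",
    "addrgrp": "unset firewall addrgrp {name}",
    "service": "unset firewall service custom {name}",
    "servicegrp": "unset firewall service group {name}",
    "schedule": "unset firewall recurringschedule {name}",
    "profile": "unset firewall profile {name}",
    "vip": "unset firewall vip {name}",
    "policy": "unset firewall policy srcintf {srcintf} dstintf {dstintf} policyid {policyid}",
    "user": "unset user local name {name}",
    "usergroup": "unset user group name {name}",
    "phase1": "unset vpn ipsec phase1 {name}",
    "phase2": "unset vpn ipsec phase2 {name}",
}


class FgObject:
    """A configuration object, the objects it references, and the extra
    fields its unset command needs (only policies need any)."""

    def __init__(self, kind, name, uses=(), **fields):
        self.kind, self.name, self.fields = kind, name, fields
        self.uses = tuple(uses)  # (kind, name) pairs this object references

    @property
    def key(self):
        return (self.kind, self.name)

    def command(self):
        return UNSET_SYNTAX[self.kind].format(name=self.name, **self.fields)


def deletion_order(objects):
    """Kahn's algorithm over the reference graph: an object is emitted only
    after every batch object that uses it has been emitted. Referents outside
    the batch stay on the unit, so they do not constrain the order. Raises
    ValueError on a reference cycle, which no order can satisfy."""
    by_key = {o.key: o for o in objects}
    referrers = {k: 0 for k in by_key}  # how many batch objects still use k
    for o in objects:
        for dep in o.uses:
            if dep in referrers:
                referrers[dep] += 1
    ready = sorted(k for k, n in referrers.items() if n == 0)
    order = []
    while ready:
        key = ready.pop(0)
        order.append(by_key[key])
        for dep in by_key[key].uses:
            if dep in referrers:
                referrers[dep] -= 1
                if referrers[dep] == 0:
                    ready.append(dep)
        ready.sort()  # deterministic output
    if len(order) != len(objects):
        raise ValueError("reference cycle: these objects cannot be unset in any order")
    return order


def unset_script(objects):
    """The unset commands, one per line, in an order the unit will accept."""
    return [o.command() for o in deletion_order(objects)]


# Constructed sample batch, reusing the example names from this chapter.
SAMPLE = [
    FgObject("address", "User_1"),
    FgObject("address", "User_2"),
    FgObject("addrgrp", "Internal_1", uses=[("address", "User_1"), ("address", "User_2")]),
    FgObject("schedule", "access"),
    FgObject("profile", "Newtest"),
    FgObject("policy", "internal->external:3",
             uses=[("addrgrp", "Internal_1"), ("schedule", "access"), ("profile", "Newtest")],
             srcintf="internal", dstintf="external", policyid=3),
    FgObject("phase1", "Remote_GW"),
    FgObject("phase2", "Auto_1", uses=[("phase1", "Remote_GW")]),
]

if __name__ == "__main__":
    print("\n".join(unset_script(SAMPLE)))
```

The script can only see references inside the batch. An object that is still used by something you are keeping (a policy not in the batch, a user group that keeps a user) is rejected by the unit with Entry is used regardless of the order, so check the relevant get commands, for example get firewall policy and get user, before running the generated commands.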


get commands
Use get commands to list FortiGate configuration settings. You can also view these configuration
settings from the web-based manager. Configuration settings are static settings that can be configured
by an administrative user with write permission. All these settings can be uploaded and downloaded,
and they do not change while the FortiGate is in operation.

get alertemail configuration
get alertemail setting
get antivirus filepattern
get antivirus quarantine list
get antivirus quarantine settings
get antivirus service
get config
get console
get emailfilter
get firewall address
get firewall addrgrp
get firewall dnstranslation
get firewall ipmacbinding
get firewall ippool
get firewall profile
get firewall policy
get firewall schedule
get firewall service
get firewall vip
get log elog
get log logsetting
get log policy
get log trafficfilter
get nids detection
get nids prevention
get nids rule
get system admin
get system autoupdate
get system dhcpserver
get system dns
get system ha
get system interface
get system mainregpage
get system management
get system objver
get system option
get system performance
get system route policy
get system route rip
get system route table
get system serialno
get system sessionttl
get system snmp
get system status
get system time
get system vlan
get system zone
get user
get vpn certificates
get vpn ipsec
get vpn l2tp range
get vpn pptp range
get webfilter


get alertemail configuration


Display the SMTP server address, SMTP user name, SMTP authentication status, encrypted SMTP
password and the email addresses to which alert email will be sent.
get alertemail configuration

Related commands
• set alertemail configuration
• get alertemail setting
• set alertemail setting
• get system dns
• set system dns


get alertemail setting


Display the status for sending alert email for virus incidents, block incidents, network intrusions, and
critical firewall or VPN events or violations, and if you have configured logging to a local disk, the
status for sending an alert email when the hard disk is almost full.
get alertemail setting

Related commands
• get alertemail configuration
• set alertemail configuration
• set alertemail setting


get antivirus filepattern


Display the full list of file patterns that FortiGate antivirus protection can block, or display a specific file
pattern.

Syntax description
Keyword: [<fp_integer>]
Description: Display the master list of file patterns that FortiGate antivirus protection can block. Enter the number of a file pattern to display only that file pattern.
Default: No default.
Availability: All models.

Examples
Use the following command to display the master list of filename patterns:
get antivirus filepattern
Use the following command to display the tenth filename pattern in the list.
get antivirus filepattern 10

Related commands
• set antivirus filepattern
• set antivirus service
• get antivirus service


get antivirus quarantine list


Use this command to list files in the quarantine. The entries displayed show:
• the filename in the format <checksum>.<filename>,
• the date and time the first copy of the file was quarantined,
• the service from which the file was quarantined,
• a message indicating why the file was quarantined,
• a duplicate count number indicating how many times the same file was received after the first
instance of the file was quarantined,
• the TTL (time to live) of the file in quarantine.
Note: In the case of duplicate files, all fields relate to the originally quarantined file except TTL, which is refreshed
with every new instance of a given file. Duplicate files (based on checksum) are never stored, but an internal
counter for each file records the number of duplicates encountered.

Syntax description
Keyword: filter
Description: Filter the list of quarantined files using either the service or status keywords.
Default: No default.
Availability: FortiGate-200 and higher.

Keyword: service value {http | ftp | smtp | imap | pop3}
Description: Filter the list of quarantined files according to the service from which the file was quarantined.
Default: No default.
Availability: FortiGate-200 and higher.

Keyword: status value {infected | blocked}
Description: Filter the list of quarantined files based on whether the file was blocked or infected.
Default: No default.
Availability: FortiGate-200 and higher.

Examples
Use the following command to list all the files in quarantine:
get antivirus quarantine list
Use the following command to list all the blocked files in quarantine:
get antivirus quarantine list filter status value blocked
Use the following command to list all the files quarantined from SMTP traffic:
get antivirus quarantine list filter service value smtp

Related commands
• set antivirus quarantine


get antivirus quarantine settings


Display the quarantine general and service specific settings. The display of the general settings shows
the quarantine maximum file size and file age limit, and what action to take when the quarantine is full.
The display of the service specific settings shows whether or not quarantining is in effect for infected
and/or blocked files of that service type.
get antivirus quarantine settings

Related commands
• set antivirus quarantine


get antivirus service


Display the antivirus protection settings that control how the FortiGate unit applies antivirus protection
to the web, FTP, and email traffic allowed by firewall policies.
This command also displays the port numbers used for HTTP and email traffic, and the SMTP splice
status.

Syntax description
Keyword: {http | smtp | pop3 | imap | ftp}
Description: Select a service for which to display antivirus protection settings.
Default: No default.
Availability: All models.

Keyword: block
Description: Display the list of filename patterns and whether they are enabled or disabled.
Default: enabled
Availability: All models. All services.

Keyword: filesizelimit
Description: Display, in Mbytes, the file size limit for the specified service.
Default: Varies.
Availability: All models. All services.

Keyword: ports
Description: List the port or ports used for HTTP, SMTP, POP3 and IMAP traffic.
Default: http 80, smtp 25, pop3 110, imap 143
Availability: All models. HTTP, SMTP, POP3 and IMAP services.

Keyword: splice
Description: Show whether splice is enabled or disabled for smtp or ftp.
Default: enabled
Availability: All models. SMTP and FTP services.

Examples
Use the following command to display the list of file name patterns for HTTP and the status of each file
name pattern.
get antivirus service http block
Use the following command to display the file size limit for POP3.
get antivirus service pop3 filesizelimit
Use the following command to list the ports used for HTTP traffic.
get antivirus service http ports
Use the following command to display the SMTP splice status.
get antivirus service smtp splice

Related commands
• set antivirus service


get config
Display the current FortiGate system configuration. For more information, see “Displaying the
FortiGate configuration” on page 19.

Syntax description
Keyword: [<keyword_str>]
Description: Enter a keyword to display all the lines in the configuration file that contain that keyword.
Availability: All models.

Examples
Use the following command to display the current FortiGate system configuration:
get config
Use the following command to display the configuration for the keyword option:
get config option

Related commands
• execute backup
• execute reload
• execute restore
• set console


get console
Display the number of lines per page, the mode of operation and the baud rate of the command line
console.

Note: The baud rate information will display only for FortiGate units with BIOS 3.03 and higher and FortiOS
version 2.50 and higher. When default displays for baud rate, the baud rate has not been set and the FortiGate
unit uses the default setting (115200 for the FortiGate-300 and 9600 for all other models).

get console

Related commands
• set console


get emailfilter
Display the email filtering banned word, address block, and address exempt lists, and the subject tag
configuration.

Syntax description
Keyword: bannedword
Description: Display the list of email filter banned words and phrases. The list includes a number for each entry, the word or phrase, the language of the entry and whether the entry is enabled or disabled.
Default: No default.
Availability: All models.

Keyword: blocklist
Description: Display the list of email address block patterns. The list includes a number for each entry, and whether the patterns are enabled or disabled.
Default: No default.
Availability: All models.

Keyword: config
Description: Display the subject tag added to filtered email.
Availability: All models.

Keyword: exemptlist
Description: Display the list of email address exempt patterns. The list includes a number for each entry, and whether the patterns are enabled or disabled.
Default: No default.
Availability: All models.

Examples
Use the following command to display the list of email address block patterns:
get emailfilter blocklist

Related commands
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter config
• set emailfilter exemptlist


get firewall address


Display the addresses that have been added to the FortiGate configuration. These addresses can be
used in policies. The display lists each address name, IP address and netmask. The display also lists
the interface or, for zone and VLAN capable models, the zone and VLAN subinterface to which each
address has been added.
get firewall address

Related commands
• get firewall addrgrp
• set firewall address
• unset firewall address
• set firewall addrgrp


get firewall addrgrp


Display the address groups that have been added to the FortiGate configuration. These address
groups can be used in policies. The display lists the name of each address group, the names of the
addresses in the group, and the interface or, for zone and VLAN capable models, zone or VLAN to
which each address group has been added.
get firewall addrgrp

Related commands
• set firewall addrgrp
• unset firewall addrgrp


get firewall dnstranslation


Display the DNS translation settings, including whether DNS translation is enabled or disabled and the
DNS translation source and destination addresses and netmask.

Example
get firewall dnstranslation

Related commands
• set firewall dnstranslation


get firewall ipmacbinding


Display the current static or dynamic IP/MAC binding configuration. The display indicates whether
IP/MAC binding for traffic going to or through the FortiGate unit is enabled or disabled. The display
also lists the IP and MAC address pairs that have been added to the table, and whether the address
pair is enabled or disabled.

Syntax description
Keyword: [dhcpipmac]
Description: Display the dynamic IP/MAC binding list. This list is available if you have configured the FortiGate to be a DHCP server.
Availability: All models.

Examples
Use the following command to display the IP/MAC binding configuration for static IP/MAC binding:
get firewall ipmacbinding
Use the following command to display the dynamic IP/MAC binding list:
get firewall ipmacbinding dhcpipmac

Note: You can also display the dynamic IP/MAC binding list using the get system dhcpipmac command.

Related commands
• get system dhcpserver
• set firewall ipmacbinding setting
• set firewall ipmacbinding table
• unset firewall ipmacbinding
• set system dhcpserver


get firewall ippool


Display IP address pools that have been added to FortiGate interfaces. For each IP pool the display
shows a number, the interface name, the start IP, and the end IP.
get firewall ippool

Note: IP pools are not available in Transparent mode.

Related commands
• set firewall ippool
• unset firewall ippool


get firewall profile


Display the settings for the named profile.

Syntax description
Keyword: <name_str>
Description: Enter a profile name to list the settings for all services for that profile. Enter get firewall profile for a list of profiles. The profile name is case sensitive.
Default: No default.
Availability: All models.

Keyword: [<service_str>]
Description: Enter a service name to list the settings for that service only. Enter get firewall profile <name_str> followed by a space and ? for a list of services. The service name is not case sensitive.
Default: No default.
Availability: All models.

Examples
Use the following command to display the settings for the default profile named Strict:
get firewall profile Strict
Use the following command to display the HTTP settings for the default profile named Strict:
get firewall profile Strict http

Related commands
• set firewall profile
• unset firewall profile


get firewall policy


Display the firewall policy lists or detailed information for a policy. The policy lists show all of the
policies added to the firewall configuration. For each policy, the display includes the policy sequence
number, policy id number, source and destination addresses, service, schedule, action, and policy
status (enabled or disabled).

Syntax description
srcintf <intf_str>
  Description: Enter the source interface for the policy. On all FortiGate models srcintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. Use the command get firewall policy srcintf followed by a space and ? for a list of available interfaces.
  Default: No default.
  Availability: All models.
dstintf <intf_str>
  Description: Enter the destination interface for the policy. On all FortiGate models dstintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. Use the command get firewall policy srcintf <intf_str> dstintf followed by a space and ? for a list of available interfaces.
  Default: No default.
  Availability: All models.
policyid <policy-id_integer>
  Description: Enter an ID number for the policy. Every firewall policy is identified by its srcintf, dstintf, and policyid. Every srcintf, dstintf, and policyid combination is unique. Use the command get firewall policy srcintf <intf_str> dstintf <intf_str> policyid followed by a space and ? for a list of available policies and their id numbers.
  Default: No default.
  Availability: All models.

Examples
Use the following command to display all the policy lists:
get firewall policy
Use the following command to display the Internal to External policy list:
get firewall policy srcintf internal dstintf external
Use the following command to display detailed information for the policy in the Internal to External
policy list with the policy id number 3:
get firewall policy srcintf internal dstintf external policyid 3
Related commands
• set firewall policy
• unset firewall policy


get firewall schedule


Display the lists of one-time or recurring schedules.

Syntax description
onetime
  Description: Display the list of one-time schedules. The display shows details about each schedule including the name, begin day, begin time, end day, and end time.
  Default: No default.
  Availability: All models.
recurring
  Description: Display the list of recurring schedules. The display shows details about each schedule including the name, days of the week the schedule is active, and the begin time and end time.
  Default: Always.
  Availability: All models.

Examples
Use the following command to display the list of one-time schedules:
get firewall schedule onetime
Use the following command to display the list of recurring schedules:
get firewall schedule recurring

Related commands
• set firewall onetimeschedule
• set firewall recurringschedule


get firewall service


Display the lists of custom or predefined firewall services. Display the list of service groups.

Syntax description
custom
  Description: Display the list of custom services. The display shows the service name and port information.
  Default: No default.
  Availability: All models.
group
  Description: Display the list of service groups. The display shows the service group name, and the names of the services added to the service group.
  Default: No default.
  Availability: All models.
predefined
  Description: Display the list of predefined services. The display shows the service name and port information.
  Default: No default.
  Availability: All models.

Example
Use the following command to display the list of custom services:
get firewall service custom
Use the following command to display the list of service groups:
get firewall service group
Use the following command to display the list of predefined services:
get firewall service predefined

Related commands
• set firewall service custom
• set firewall service group
• unset firewall service


get firewall vip


Display the list of static NAT and port forwarding virtual IPs. The display lists the name, type, external
interface, external IP address and port, and map to IP address and port.
get firewall vip

Note: The get firewall vip command is not available in transparent mode.

Related commands
• set firewall vip
• unset firewall vip


get log elog


Display the event log messages that have been saved to memory or to the optional FortiGate hard
disk.

Note: Not available on FortiGate-50 models.

Examples
get log elog

Related commands
• set log policy
• set log setting


get log logsetting


Display the log locations and whether logging to each location is turned on or off. Display the log
severity level for each log location. Display the remote host and WebTrends server configurations. For
FortiGate units with a hard disk, also show the log file size, log time, and log options when disk is full settings.

Examples
get log logsetting

Related commands
• set log setting
• set log policy


get log policy


For each log destination, display which log types are enabled or disabled.

Syntax description
destination {syslog | webtrends | local | console}
  Description: Specify a destination for which to display log type status and category settings. If the FortiGate unit has a hard disk, local displays the local log settings. If the FortiGate unit does not have a hard disk, local displays the memory log settings. Use the command get system status to confirm whether or not a hard disk is available on the FortiGate unit.
  Default: No default.
  Availability: All models.
{event | ids | traffic | update | virus | webfilter}
  Description: Specify a log type for which to display status and category settings.
  Default: No default.
  Availability: All models.

Examples
Use the following command to display the status of all log types for all log locations.
get log policy
Use the following command to display the status, enabled or disabled, of the syslog traffic log:
get log policy destination syslog traffic
Related commands
• set log policy
• set log setting


get log trafficfilter


Display the traffic log filtering rules and global settings.

Note: Traffic logging is not available when logging to system memory.

Examples
get log trafficfilter

Related commands
• set log trafficfilter rule
• set log trafficfilter setting
• unset log filter


get nids detection


Display NIDS detection settings.

Syntax description
checksum
  Description: Display whether or not the NIDS is set to run checksums for IP, TCP, UDP, and ICMP traffic.
  Default: off
  Availability: All models.
interface
  Description: Display whether or not the NIDS is set to monitor each interface for attacks.
  Default: off
  Availability: All models.

Example
Use the following command to display the checksum settings:
get nids detection checksum
Use the following command to find out which interfaces the NIDS monitors for attacks:
get nids detection interface

Related commands
• set nids detection


get nids prevention


Display whether the NIDS Prevention module is enabled or disabled. Display whether NIDS
Prevention signatures are enabled or disabled and the threshold value for signatures that have
threshold values.

Syntax description
icmp <attack_str>
  Description: Specify an Internet Control Message Protocol (ICMP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention icmp followed by a space and a ? to display a list of ICMP signatures.
  Default: No default.
  Availability: All models.
ip <attack_str>
  Description: Specify an Internet Protocol (IP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention ip followed by a space and a ? to display a list of IP signatures.
  Default: No default.
  Availability: All models.
status
  Description: Display whether the NIDS Prevention module is enabled or disabled.
  Default: disabled
  Availability: All models.
tcp <attack_str>
  Description: Specify a Transmission Control Protocol (TCP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention tcp followed by a space and a ? to display a list of TCP signatures.
  Default: No default.
  Availability: All models.
udp <attack_str>
  Description: Specify a User Datagram Protocol (UDP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention udp followed by a space and a ? to display a list of UDP signatures.
  Default: No default.
  Availability: All models.

Examples
Use the following command to display whether the NIDS Prevention module is enabled or disabled:
get nids prevention status
Use the following command to display the settings for the TCP SYN flood signature:
get nids prevention tcp synflood

Related commands
• set nids prevention
• get nids detection
• get nids rule


get nids rule


Display the current list of NIDS detection signature groups and whether the groups are enabled or
disabled. You can also display the ID, rule name, and revision number for the signatures in each
group.

Syntax description
<group_str>
  Description: Specify the signature group for which to display the ID, rule name and revision number of the signatures in the group. Use the command get nids rule followed by a space and ? to display the list of signature groups.
  Default: No default.
  Availability: All models.

Examples
Use the following command to show the list of signature groups and whether each group is enabled or
disabled.
get nids rule
Use the following command to show the ID, rule name, and revision number for each signature in the
telnet signature group:
get nids rule telnet

Related commands
• set nids rule
• get nids detection
• execute backup
• execute restore


get system admin


Display the current list of FortiGate administrator accounts including the user name for the account,
the IP address and netmask from which this account can manage the FortiGate unit, and the account
read and write permissions.
get system admin

Related commands
• set system admin
• unset system admin


get system autoupdate


Display the antivirus and attack definitions update configuration. The display shows whether push and
scheduled updating are enabled or disabled, whether antivirus and NIDS definitions updates are
enabled or disabled and whether server and push overrides are enabled or disabled. If server override
is enabled, the override IP address is displayed. If push address override is enabled the override IP
address and port are displayed. This command also displays FortiResponse Distribution Network (FDN)
server and push update availability status.
For current virus and attack definition version information, see “get system status” on page 213.
get system autoupdate

Related commands
• get system status
• set system autoupdate
• get system objver


get system dhcpserver


Display the settings for the FortiGate DHCP server. Display the reserved IP/MAC pairs. Display the
dynamic IP/MAC binding list.

Syntax description
reserve
  Description: Display the list of reserved IP/MAC pairs.
  Availability: All models.
reserve dhcpipmac
  Description: Display the dynamic IP/MAC binding list. The dynamic IP/MAC binding list is available if you have configured the FortiGate unit as a DHCP server.
  Availability: All models.

Examples
Use the following command to display the DHCP server settings:
get system dhcpserver
Use the following command to display the list of reserved IP/MAC pairs:
get system dhcpserver reserve
Use the following command to display the dynamic IP/MAC binding list:
get system dhcpserver reserve dhcpipmac
You can also display this list using the get firewall ipmacbinding dhcpipmac command.

Related commands
• get firewall ipmacbinding
• set system dhcpserver
• unset system dhcpserver


get system dns


Display the IP addresses of the primary and secondary DNS servers that the FortiGate unit uses for
DNS lookups.
get system dns

Related commands
• set system dns


get system ha
Display the FortiGate HA configuration and display statistics for the HA cluster.

Syntax description
mode
  Description: Display the HA mode, Group ID, HA unit priority, HA master override setting, and the list of monitored interfaces. In A-A mode, display the schedule. If schedule is set to weight-round robin, display the weights for each priority ID.
  Availability: Models numbered 300 and higher.
statistic
  Description: Display the statistics for the HA cluster. The statistics include health information for each FortiGate unit in the cluster (CPU usage, memory usage, and network usage) and HA statistics (number of sessions, packets, and bytes processed by each unit in the cluster).
  Availability: Models numbered 300 and higher.

Example
Use the following command to display the HA mode:
get system ha mode
Use the following command to display the statistics for the HA group.
get system ha statistic

Related commands
• get system interface
• set system ha
• execute ha manage
• execute ha synchronize
• set system interface


get system interface


Display the configuration of all FortiGate interfaces. For FortiGate models 400 and up this command
also displays the configuration of all FortiGate VLAN subinterfaces.
Depending on the interface, in NAT/Route mode this command displays the addressing mode (static,
DHCP or PPPoE), IP address, netmask, MAC address, speed, administrative access, MTU setting,
and status (up or down) for each interface.
In Transparent mode, this command displays the speed, administrative access, and status for each
interface.

Example
Use the following command to display the configuration of all the interfaces:
get system interface

Related commands
• get system management
• set system interface
• set system management
• unset system secondip


get system mainregpage


Display whether the registration window on the web-based manager is shown or hidden.
get system mainregpage

Related commands
• set system mainregpage


get system management


Display the Transparent mode management IP address and netmask.
get system management

Note: The get system management command is only available in Transparent mode.

Related commands
• set system management


get system objver


Display the antivirus engine, virus and attack definitions version, contract expiry, and last update
attempt information.
get system objver

Related commands
• get system autoupdate
• set system autoupdate
• get system status


get system option


Display the administration timeout, the authorization timeout, the dead gateway detection ping interval
and failover time, the web-based manager language, the front panel and LCD pin settings and the GUI
refresh interval.
get system option

Note: Front panel and LCD pin settings are available only on FortiGate models numbered 300 and higher.

Related commands
• set system option


get system performance


Display FortiGate system status information, including CPU states, memory states, and up time.
get system performance

Related commands
• get system status


get system route policy


Display the policy routing list. The display includes the policy route number, source and destination
addresses, protocol and port numbers, gateway address and in and out interface names.

Examples
get system route policy

Related commands
• set system route policy
• unset system route policy


get system route rip


Display the Routing Information Protocol (RIP) configuration. The information displayed includes the
basic RIP configuration, the RIP neighbors that have been added, and the RIP configuration for each
interface.

Syntax description
filter
  Description: Display RIP filter settings.
  Availability: All models except FortiGate-50. NAT/Route mode only.

Related commands
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor
• set system route rip timers


get system route table


Display the FortiGate static routing table. For each route in the routing table, the command displays
the route number, the destination IP address and netmask, and the gateways and interfaces for each
static route.

Example
Use the following command to display the list of routes:
get system route table

Related commands
• set system route number
• unset system route number


get system serialno


Display the serial number of the FortiGate unit.

Examples
get system serialno

Related commands
• get system status


get system sessionttl


Display the TCP session timeout configuration including the default session timeout and, if set, the
session timeout for specific ports.

Examples
get system sessionttl

Related commands
• set system session_ttl
• unset system sessionttl


get system snmp


Display the FortiGate SNMP configuration. The command displays whether SNMP is enabled or
disabled. The command also displays the SNMP system name, system location, contact information,
get community string, set/trap community string, and the first, second, and third trap receiver IP
addresses. SNMP can be used for remote monitoring of the FortiGate unit.
get system snmp

Related commands
• set system snmp


get system status


Display system status information. This command displays the FortiGate firmware version and build
number, virus definitions version, attack definitions version, FortiGate serial number, the availability of
a hard disk for logging, operation mode and hostname.
get system status

Related commands
• get system performance
• get system autoupdate
• get system objver


get system time


Display the FortiGate system date, time, time zone, and Network Time Protocol (NTP) settings.

Syntax description
ntp
  Description: Display the NTP configuration, including whether NTP is enabled or disabled, the NTP server IP address, and the NTP synchronization interval.
  Default: Disabled. Server 132.246.168.148. Interval 60.
  Availability: All models.
time
  Description: Display the system date, time and time zone and whether daylight saving time is enabled or disabled.
  Default: System time and date. GMT-8. DST disabled.
  Availability: All models.

Example
Use the following command to display the FortiGate time settings.
get system time time
Use the following command to display the FortiGate NTP settings.
get system time ntp

Related commands
• set system time


get system vlan


Display the configuration of the VLAN subinterfaces added to a physical FortiGate interface. The
command displays the VLAN subinterface name, VLAN ID, IP address and netmask, and
management access. The display also shows the zone if the VLAN has been added to a zone.

Syntax description
[interface <name_str>]
  Description: Enter a physical interface name to display the VLAN subinterfaces added to this physical interface. Use the command get system vlan interface followed by a space and a ? for a list of physical interfaces.
  Availability: Models numbered 400 and higher. NAT/Route mode only.

Example
Use the following command to display the configuration of the VLAN subinterfaces added to the
internal interface.
get system vlan interface internal

Related commands
• set system vlan
• unset system vlan


get system zone


Display the zone list. The command lists the number and name of the zone and whether the zone is
configured to block traffic between interfaces in the same zone.
get system zone

Note: Zones are available on FortiGate models numbered 400 and higher. Zones are not available in Transparent
mode.

Related commands
• set system zone
• unset system zone


get user
Display information about user names and passwords. Display information about user groups used to
authenticate with firewall policies, PPTP and L2TP VPNs, and IPSec VPN. Display information about
RADIUS and LDAP server settings.

Syntax description
group
  Description: Display the list of user groups. The list includes the number and name for the group, and the members of the group.
  Default: No default.
  Availability: All models.
ldap
  Description: Display information about LDAP servers. The list includes the LDAP server number, name, IP address, port, common name and base distinguished name.
  Default: No default.
  Availability: All models.
local
  Description: Display the list of user names in the local FortiGate user database that can be added to user groups. The list includes user number and name, authentication type, and password. If RADIUS authentication is set for the user, the list includes the name of the RADIUS server and indicates if other servers should be tried. If LDAP authentication is set for the user, the list includes the name of the LDAP server. The list also indicates whether the user name is enabled or disabled.
  Default: No default.
  Availability: All models.
radius
  Description: Display information about RADIUS servers. The list includes the number, name and IP address of the server. The server secret is masked by an *.
  Default: No default.
  Availability: All models.

Example
Use the following command to display user group information:
get user group
Use the following command to display user names and information:
get user local

Related commands
• set user group
• set user local
• set user radius
• unset user group
• unset user local
• unset user radius


get vpn certificates


Display information about local and CA certificates.

Note: The get vpn certificates command is not available in Transparent mode.

Syntax description
ca
  Description: Display the list of CA certificates. The list includes the certificate name, subject, issuer, validity from and to dates, fingerprint, and whether or not this is a root CA.
  Default: No default.
  Availability: All models.
local
  Description: Display the list of local certificates. The list includes the certificate name, subject and type.
  Default: No default.
  Availability: All models.

Examples
Use the following command to display the list of local certificates:
get vpn certificates local
Use the following command to display the list of CA certificates:
get vpn certificates ca

Related commands
• execute vpn certificates ca
• execute vpn certificates local
• unset vpn certificates


get vpn ipsec


Display IPSec VPN AutoIKE phase 1, and phase 2 configuration, IPSec manual key configuration and
VPN concentrator configuration.

Note: The get vpn ipsec command is not available in Transparent mode.

Syntax description
concentrator
  Description: Display the names of the IPSec VPN concentrators and the names of the member tunnels in each one.
  Default: No default.
  Availability: All models. NAT/Route mode only.
manualkey
  Description: Display the configuration of each IPSec VPN manual key tunnel including the tunnel name, local SPI, remote SPI, remote gateway IP address, encryption algorithm, authentication algorithm and concentrator name (if the tunnel has been added to a concentrator). The encryption and authentication keys are hidden.
  Default: No default.
  Availability: All models. NAT/Route mode only.
phase1
  Description: Display the settings of each IPSec VPN Phase 1 configuration. The information displayed includes the gateway name, remote gateway type, Diffie-Hellman group, P1 proposal, keylife, authentication method, authentication key, Dead Peer Detection settings, XAuth settings and other settings.
  Default: No default.
  Availability: All models. NAT/Route mode only.
phase2
  Description: Display the settings of each IPSec VPN phase 2 configuration. The information displayed includes the tunnel name, remote gateway name, P2 proposal configuration, keylife, autokey keepalive configuration, and concentrator name (if the tunnel has been added to a concentrator).
  Default: No default.
  Availability: All models. NAT/Route mode only.

Example
Use the following command to display the configuration of the IPSec VPN manual key tunnels:
get vpn ipsec manualkey
Use the following command to display the configuration of the IPSec VPN concentrators:
get vpn ipsec concentrator

Related commands
• set vpn ipsec concentrator
• set vpn ipsec manualkey
• set vpn ipsec phase1
• set vpn ipsec phase2
• unset vpn ipsec


get vpn l2tp range


Display whether L2TP VPN is enabled or disabled, the L2TP range starting and ending IP addresses,
and the L2TP user group.
get vpn l2tp range

Note: The get vpn l2tp command is not available in Transparent mode.

Related commands
• set vpn l2tp


get vpn pptp range


Display whether PPTP VPN is enabled or disabled, the PPTP range starting and ending IP addresses,
and the PPTP user group.
get vpn pptp range

Note: The get vpn pptp command is not available in Transparent mode.

Related commands
• set vpn pptp


get webfilter
Display the current web content filtering configuration.

Syntax description
cerberian
  Description: Display the Cerberian support configuration including whether Cerberian support is enabled or disabled, the Cerberian licence key and seat count, and the list of IP addresses, netmasks, and aliases for Cerberian users.
  Default: disabled
  Availability: All models.
content
  Description: Display a numbered list of banned words, the language for each banned word, and whether each banned word is enabled or disabled.
  Default: No default.
  Availability: All models.
exempturl
  Description: Display a numbered list of exempt URLs and whether each one is enabled or disabled.
  Default: No default.
  Availability: All models.
script
  Description: Display whether Java applet, cookie, and ActiveX filtering is enabled or disabled.
  Default: disabled
  Availability: All models.
url
  Description: Display a numbered list of blocked URLs, and whether each URL is enabled or disabled.
  Default: No default.
  Availability: All models.

Example
Use the following command to display the list of blocked URLs.
get webfilter url

Related commands
• set webfilter cerberian
• set webfilter content
• set webfilter script
• set webfilter url
• set webfilter exempturl


execute commands
Use execute commands to perform system functions similar to those available using the System >
Status page of the web-based manager. Using execute commands, you can shut down or restart the
FortiGate unit, and restore factory defaults. You can also download firmware from a TFTP server, and
upload and download system settings.

Note: Before running execute commands in Transparent mode, make sure that the IP address of the
management interface is configured correctly. See “set system management” on page 94.

execute backup
execute factoryreset
execute formatlogdisk
execute ha manage
execute ha synchronize
execute ping
execute ping-option
execute reboot
execute reload
execute restore
execute save config
execute shutdown
execute traceroute
execute updatecenter updatenow
execute vpn certificates ca
execute vpn certificates local


execute backup
Backup the FortiGate configuration file or NIDS user defined signatures file to a TFTP server.

Syntax description
config <name_str> <tftp_ip>
  Description: The name to give the configuration file that is copied to the TFTP server, followed by the TFTP server IP address.
  Availability: All models.
nidsuserdefsig <name_str> <tftp_ip>
  Description: The name to give the NIDS user defined signature file that is copied to the TFTP server, followed by the TFTP server IP address.
  Availability: All models.

Example
Use the following command to back up a configuration file from the FortiGate unit to a TFTP server.
The name to give the configuration file on the TFTP server is fgt.cfg. The IP address of the TFTP
server is 192.168.1.23.
execute backup config fgt.cfg 192.168.1.23

Related commands
• execute restore
• execute reload
• get config
• set nids rule


execute factoryreset
Reset the FortiGate configuration to factory default settings. This procedure does not change the
firmware version or the antivirus or attack definitions.
execute factoryreset

Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the
system to its original configuration, including resetting interface addresses.

Related commands
• execute reboot
• execute reload
• get config


execute formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.

Caution: This operation will erase all quarantine files and logging data on the hard disk.

execute formatlogdisk


execute ha manage
Use this command from the CLI of the primary unit in an HA cluster to connect to the CLI of a
secondary unit in the cluster.

Syntax description
<cluster-member_int>
  Description: The number of the secondary unit in the cluster to which to connect. Enter execute ha manage followed by a space and a question mark to view the list of FortiGate units in the cluster. The list includes the serial number and host name of each secondary unit in the cluster as well as a number for the unit.
  Availability: Models numbered 300 and higher. Primary unit in an HA cluster.

Example
Use the following command to connect to a secondary unit in a cluster of three FortiGate units.
execute ha manage ?
<1> Subsidary unit FPS3012803021709
<2> Subsidary unit FPS3082103021989

Type 2 and press enter to connect to the second unit in the list. The CLI prompt changes to the host
name of this unit.

Related commands
• execute ha synchronize
• set system ha
• get system ha
• get config


execute ha synchronize
Use this command from a subordinate HA unit in an HA cluster to manually synchronize its
configuration with the primary unit. Using this command you can synchronize the following:
• Configuration changes made to the primary unit (normal system configuration, firewall
configuration, VPN configuration and so on stored in the FortiGate configuration file),
• Antivirus engine and antivirus definition updates received by the primary unit from the
FortiResponse Distribution Network (FDN),
• NIDS attack definition updates received by the primary unit from the FDN,
• Web filter lists added to or changed on the primary unit,
• Email filter lists added to or changed on the primary unit,
• Replacement messages changed on the primary unit,
• Certification Authority (CA) certificates added to the primary unit,
• Local certificates added to the primary unit.

Syntax description
All keywords are available on models numbered 300 and higher.
config      Synchronize the FortiGate configuration.
avupd       Synchronize the antivirus engine and antivirus definitions.
attackdef   Synchronize attack definitions.
weblists    Synchronize web filter lists.
emaillists  Synchronize email filter lists.
resmsg      Synchronize replacement messages.
ca          Synchronize CA certificates.
localcert   Synchronize local certificates.
all         Synchronize all of the above.

Example
From the CLI on a subordinate unit, use the following commands to synchronize the antivirus and
attack definitions on the subordinate FortiGate unit with the primary unit after the FDN has pushed new
definitions to the primary unit.
execute ha synchronize avupd
execute ha synchronize attackdef

Related commands
• execute ha manage
• set system ha
• get system ha
• get config


execute ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and
another network device.

Note: You can change the default ping options using the command execute ping-option.

Note: To display ping option settings use the command execute ping-option view-settings.

Syntax description
{<host-name_str> | <host_ip>}
    The domain name or IP address of the network device that you want the FortiGate unit to ping.
    Availability: All models.

Example
Use the following command to ping a host with the IP address 192.168.1.23.
execute ping 192.168.1.23

Related commands
• execute ping-option
• execute traceroute
• set system interface
• get system interface


execute ping-option
Set ICMP echo request (ping) options to control the way ping tests the network connection between
the FortiGate unit and another network device.

Syntax description
All keywords are available on all models.
data-size <byte_integer>
    Specify the datagram size in bytes.
    Default: 56.
df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow
    the ICMP packet to be fragmented.
    Default: no.
pattern {none | <2-byte_hex>}
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is
    specified using the data-size parameter. This allows you to send out packets of different sizes
    for testing the effect of packet size on the connection.
    No default.
repeat-count <repeat_integer>
    Specify how many times to repeat ping.
    Default: 5.
source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate
    unit selects the source address and interface based on the route to the <host-name_str> or
    <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different
    network segments from the specified interface.
    Default: auto.
timeout <seconds_integer>
    Specify, in seconds, how long to wait until ping times out.
    Default: 2.
tos {lowdelay | throughput | reliability | lowcost | default}
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality
    of service desired.
    lowdelay = minimize delay
    throughput = maximize throughput
    reliability = maximize reliability
    lowcost = minimize cost
    default = 0
    Default: default (0).
ttl <ttl_integer>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to
    make before being discarded or returned.
    Default: 64.
validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no.
view-settings
    Display the current ping-option settings.
    No default.

Example
Use the following command to increase the number of pings sent.
execute ping-option repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address
192.168.10.23.
execute ping-option source 192.168.10.23
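As an added illustration (not from the FortiGate manual) of what the ping-option settings change on the wire, the following Python builds an ICMP echo request with the data-size and pattern fill, an IPv4 header carrying the ttl, tos and df-bit settings, and checks a reply the way validate-reply yes would. The ToS bit values other than default = 0, the function names and the sample addresses are assumptions of this example.

```python
import ipaddress
import struct
from typing import Optional

# ToS bit values for the tos keywords. The manual only states default = 0; the
# other values are the classic RFC 1349 ones and are an assumption here.
TOS_BITS = {"lowdelay": 0x10, "throughput": 0x08, "reliability": 0x04,
            "lowcost": 0x02, "default": 0x00}
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fill_pattern(data_size: int, pattern: Optional[str]) -> bytes:
    """The data buffer described by data-size and pattern: a 1- or 2-byte hex
    pattern repeated to data_size bytes, or zero bytes when the pattern is none."""
    if pattern is None:
        return bytes(data_size)
    pat = bytes.fromhex(pattern)
    if not 1 <= len(pat) <= 2:
        raise ValueError("pattern must be 1 or 2 bytes of hex")
    return (pat * (data_size // len(pat) + 1))[:data_size]


def build_echo_request(ident: int, seq: int, data_size: int = 56,
                       pattern: Optional[str] = None) -> bytes:
    """ICMP echo request: an 8-byte header followed by data_size data bytes."""
    payload = fill_pattern(data_size, pattern)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      tos: str = "default", df_bit: bool = False) -> bytes:
    """IPv4 header carrying the ttl, tos and df-bit settings. DF is bit 0x4000 of
    the flags/fragment-offset field; protocol 1 is ICMP."""
    flags_frag = 0x4000 if df_bit else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, TOS_BITS[tos], 20 + payload_len, 0,
                      flags_frag, ttl, 1, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def make_echo_reply(request: bytes) -> bytes:
    """What the pinged host sends back: type 0, same identifier, sequence and data."""
    ident, seq = struct.unpack("!HH", request[4:8])
    body = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq) + request[8:]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def validate_reply(request: bytes, reply: bytes) -> bool:
    """The kind of check validate-reply yes performs: the reply must be an echo
    reply with a verifying checksum (a correct packet sums to zero) whose
    identifier, sequence number and data bytes equal those of the request."""
    if len(reply) < 8 or inet_checksum(reply) != 0:
        return False
    rtype, rcode, _, rid, rseq = struct.unpack("!BBHHH", reply[:8])
    qid, qseq = struct.unpack("!HH", request[4:8])
    return (rtype == ICMP_ECHO_REPLY and rcode == 0 and rid == qid
            and rseq == qseq and reply[8:] == request[8:])


if __name__ == "__main__":
    # Constructed sample mirroring the examples in this section: ten 56-byte
    # pings from interface 192.168.10.23 to 192.168.1.23 with a 2-byte fill.
    for seq in range(1, 11):
        req = build_echo_request(0x1234, seq, 56, "ab12")
        ip = build_ipv4_header("192.168.10.23", "192.168.1.23", len(req),
                               ttl=64, tos="lowdelay", df_bit=True)
        print(seq, len(ip + req), validate_reply(req, make_echo_reply(req)))
```
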
Related commands
• execute ping
• execute traceroute
• get system interface


execute reboot
Restart the FortiGate unit.
execute reboot

Related commands
• execute reload
• execute factoryreset
• execute shutdown


execute reload
Flush the current configuration from system memory and reload the configuration from a saved
configuration file.
execute reload

Related commands
• execute reboot
• execute factoryreset
• execute shutdown
• execute backup
• get config


execute restore
Copy a configuration file, firmware image or NIDS user defined signature file from a TFTP server to the
FortiGate unit. Use this command to restore a backup configuration, to change the FortiGate firmware,
or to add a new or edited NIDS user defined signature file.
For more information on changing the FortiGate firmware, see “Changing the FortiGate firmware” on
page 21.

Syntax description
config <name_str> <tftp_ip>
    Copy a configuration file from a TFTP server to the FortiGate unit. The FortiGate unit reboots.
    The new configuration replaces the existing configuration, including administrator accounts and
    passwords.
    Availability: All models.
image <name_str> <tftp_ip>
    Copy a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots,
    loading the new firmware.
    Availability: All models.
nidsuserdefsig <name_str> <tftp_ip>
    Copy a NIDS user defined signature file from a TFTP server to the FortiGate unit. If you have
    already uploaded a NIDS user defined signature file, this command replaces this file.
    Availability: All models.

Example
Use the following command to copy a configuration file from a TFTP server to the FortiGate unit and
restart the FortiGate unit with this configuration. The name of the configuration file on the TFTP server
is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config backupconfig 192.168.1.23

Related commands
• execute backup
• execute reload
• get config
• get system status
• set nids rule
• get nids rule


execute save config
Use this command to save configuration changes when the command line console mode is set to
batch mode.
execute save config

Note: This command is only available when you have set the CLI console mode to batch. See “set console” on
page 41.

Related commands
• set console
• get console


execute shutdown
Shut down the FortiGate unit. You can use this command to remotely shut down the FortiGate unit so
that it stops processing network traffic. To restart the FortiGate unit you must turn the power off and
then on.
execute shutdown

Related commands
• execute reboot
• execute reload
• execute factoryreset


execute traceroute
Test the connection between the FortiGate unit and another network device, and display information
about the network hops between the device and the FortiGate unit. Some gateways and routers do not
respond to traceroute. In those instances, three asterisks will be displayed.

Syntax description
traceroute <host_ip>
    The IP address of the network device to which to trace the route.
    Availability: All models.

Example
Use the following command to test the connection to a device with the IP address 192.168.1.23.
execute traceroute 192.168.1.23

Related commands
• execute ping
• execute ping-option


execute updatecenter updatenow
Use this command to manually initiate updates of the virus definitions, antivirus engine, and attack
definitions.
execute updatecenter updatenow

Related commands
• set system autoupdate
• set system dns
• get system autoupdate
• get system status


execute vpn certificates ca
Use this command to import a CA certificate from a TFTP server to the FortiGate unit, or to download
a CA certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate
is the certificate that the FortiGate unit uses to validate digital certificates received from other devices.

Note: The CA certificate must adhere to the X.509 standard.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.

Syntax description
download <name_str> <tftp_ip>
    Copy the CA certificate from the FortiGate unit to a TFTP server.
    No default. Availability: All models. NAT/Route mode only.
import <name_str> <tftp_ip>
    Import the CA certificate from a TFTP server to the FortiGate unit.
    No default. Availability: All models. NAT/Route mode only.

Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a
TFTP server with the address 192.168.21.54.
execute vpn certificates ca import trust_ca 192.168.21.54

Related commands
• execute vpn certificates local
• get vpn certificates
• unset vpn certificates


execute vpn certificates local
Use this command to generate a local certificate, to download a local certificate from the FortiGate unit
to a TFTP server, and to import a local certificate from a TFTP server to the FortiGate unit.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local
certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
When you generate the certificate request, you create a private and public key pair for the local
FortiGate unit. The public key accompanies the certificate request. The private key remains
confidential.
To obtain a signed local certificate:
1 Download the certificate request.
2 Submit the certificate request to the CA.
3 Retrieve the signed certificate from the CA.
4 Import the signed certificate.

Note: VPN peers must use digital certificates that adhere to the X.509 standard.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.

Syntax description
download <certificate-name_str> <file-name_str> <tftp_ip>
    Download the local certificate from the FortiGate unit to a TFTP server.
    No default. Availability: All models. NAT/Route mode only.
generate <name_str>
    Generate the local certificate. The name can contain numbers (0-9), uppercase and lowercase
    letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are
    not allowed.
    No default. Availability: All models. NAT/Route mode only.
import <name_str> <tftp_ip>
    Import the local certificate from a TFTP server to the FortiGate unit.
    No default. Availability: All models. NAT/Route mode only.

Keywords for generate
All keywords for generate are available on all models, in NAT/Route mode only. All are optional
except subject, which is required.
city <name_str>
    Enter the name of the city, or town, where the person or organization certifying the FortiGate
    unit resides.
    No default.
country <code_str>
    Enter the two-character country code. Enter execute vpn certificates local generate <name_str>
    country followed by a ? for a list of country codes. The country code is case sensitive. Enter
    null if you do not want to specify a country.
    No default.
email <address_str>
    Enter a contact e-mail address for the FortiGate unit.
    No default.
keysize {1024 | 1536 | 2048}
    Select one of 1024 Bit, 1536 Bit or 2048 Bit. If you do not specify a keysize, the default
    keysize will be used. Larger keys are slower to generate but more secure.
    Default: 1024.
org <organization-name_str>
    Enter the name of the organization that is requesting the certificate for the FortiGate unit.
    No default.
state <name_str>
    Enter the name of the state or province where the FortiGate unit is located.
    No default.
subject {<host_ip> | <domain-name_str> | <email-addr_str>}
    The subject information identifies the FortiGate unit being certified. Preferably use an IP
    address or domain name. If this is impossible (such as with a dialup client), use an e-mail
    address.
    For host_ip, enter the IP address of the FortiGate unit.
    For domain-name_str, enter the fully qualified domain name of the FortiGate unit.
    For email-addr_str, enter an email address that identifies the FortiGate unit.
    If you specify a host IP or domain name, use the IP address or domain name associated with the
    interface on which IKE negotiations will take place (e.g. the external interface of the local
    FortiGate unit). If the IP address in the certificate does not match the IP address of the local
    interface (or if the domain name in the certificate does not match a DNS query of the FortiGate
    unit's IP), then some implementations of IKE may reject the connection. Enforcement of this rule
    varies for different IPSec products.
    No default. Required.
unit <name_str>
    Enter a name that identifies the department or unit within the organization that is requesting
    the certificate for the FortiGate unit.
    No default.

Examples
Use the following command to generate a local certificate request with the name branch_cert, the
domain name www.example.com and a keysize of 1536.
execute vpn certificates local generate branch_cert subject www.example.com keysize 1536
Use the following command to download the local certificate request generated in the above example
from the FortiGate unit to a TFTP server. The example uses the filename testcert for the
downloaded file and the TFTP server address 192.168.21.54.
execute vpn certificates local download branch_cert testcert 192.168.21.54


Use the following command to import the signed local certificate named branch_cert to the
FortiGate unit from a TFTP server with the address 192.168.21.54.
execute vpn certificates local import branch_cert 192.168.21.54
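The subject rule described under Keywords for generate (an IP subject must equal the address of the interface on which IKE negotiates, a domain-name subject must resolve to it) as an added pre-flight check in Python, run before issuing the generate command. This is not FortiGate code; the function names, the injectable resolver, the name, keysize and country constraints encoded from the table, and the sample interface address 192.168.10.23 are assumptions of this example.

```python
import ipaddress
import re
import socket
from typing import Callable, List, Optional

# Constraints taken from the generate keyword table: allowed name characters
# and the three keysize choices.
NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")
KEYSIZES = (1024, 1536, 2048)


def classify_subject(subject: str) -> str:
    """Return 'ip', 'domain' or 'email' for the three forms subject accepts."""
    if "@" in subject:
        return "email"
    try:
        ipaddress.IPv4Address(subject)
        return "ip"
    except ValueError:
        return "domain"


def subject_matches_interface(
        subject: str, interface_ip: str,
        resolve: Callable[[str], Optional[str]] = socket.gethostbyname) -> bool:
    """The rule from the subject description: an IP subject must equal the address
    of the interface IKE negotiates on, and a domain-name subject must resolve
    (through the supplied resolver) to that address. An e-mail subject carries no
    address, so nothing is compared for it."""
    kind = classify_subject(subject)
    if kind == "email":
        return True
    iface = ipaddress.IPv4Address(interface_ip)
    if kind == "ip":
        return ipaddress.IPv4Address(subject) == iface
    try:
        return resolve(subject) == str(iface)
    except OSError:  # socket.gaierror when the name does not resolve
        return False


def preflight_generate(name: str, subject: str, interface_ip: str,
                       keysize: int = 1024, country: Optional[str] = None,
                       resolve=socket.gethostbyname) -> List[str]:
    """Return the problems a generate request would have; an empty list means
    the request is consistent with the constraints in this section."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name may contain only 0-9, A-Z, a-z, - and _")
    if keysize not in KEYSIZES:
        problems.append("keysize must be 1024, 1536 or 2048")
    if country is not None and country != "null" and len(country) != 2:
        problems.append("country must be a two-character code or null")
    if not subject_matches_interface(subject, interface_ip, resolve):
        problems.append("subject %s does not match the IKE interface address %s"
                        % (subject, interface_ip))
    return problems


if __name__ == "__main__":
    # Constructed sample: the branch_cert request from the examples, checked
    # against a stand-in DNS answer instead of a live lookup.
    fake_dns = {"www.example.com": "192.168.10.23"}.get
    print(preflight_generate("branch_cert", "www.example.com", "192.168.10.23",
                             keysize=1536, resolve=fake_dns))
    print(preflight_generate("branch cert", "www.example.com", "192.168.1.23",
                             keysize=4096, country="CAN", resolve=fake_dns))
```
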

Related commands
• execute vpn certificates ca
• get vpn certificates
• unset vpn certificates


FortiGate maximum values matrix


Table 4: FortiGate maximum values matrix

FortiGate model: 50 60 100 200 300 400 500 1000 2000 3000 3600
Policy 200 500 1000 2000 5000 5000 20000 50000 50000 50000 50000
Address 500 500 500 500 3000 3000 6000 10000 10000 10000 10000
Address group 500 500 500 500 500 500 500 500 500 500 500
Service 500 500 500 500 500 500 500 500 500 500 500
Service group 500 500 500 500 500 500 500 500 500 500 500
Recurring schedule 256 256 256 256 256 256 256 256 256 256 256
Onetime schedule 256 256 256 256 256 256 256 256 256 256 256
User 20 500 1000 1000 1000 1000 1000 1000 1000 1000 1000
User group 100 100 100 100 100 100 100 100 100 100 100
Group members 300 300 300 300 300 300 300 300 300 300 300
Virtual IPs 500 500 500 500 500 500 500 500 500 500 500
IP/MAC binding 50 100 1000 1000 2000 2000 2000 5000 5000 5000 5000
Route 500 500 500 500 500 500 500 500 500 500 500
Policy route gateway 500 500 500 500 500 500 500 500 500 500 500
Admin user 500 500 500 500 500 500 500 500 500 500 500
IPsec Phase 1 20 50 80 200 1500 1500 3000 5000 5000 5000 5000
VPN concentrator 500 500 500 500 500 500 500 500 500 500 500
VLAN subinterface N/A N/A N/A N/A N/A 1024* 1024* 2048* 2048* 8192* 8192*
Zone N/A N/A N/A N/A N/A 100 100 200 200 300 500
IP pool 50 50 50 50 50 50 50 50 50 50 50
RADIUS server 6 6 6 6 6 6 6 6 6 6 6
File pattern 56 56 56 56 56 56 56 56 56 56 56
PPTP user 500 500 500 500 500 500 500 500 500 500 500
L2TP user 500 500 500 500 500 500 500 500 500 500 500
URL block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Content block no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit
Exempt URL no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit no limit


Index

A
access levels
    administrator 13
administrator
    access levels 13
autoupdate
    tunnelling 80

B
backup
    config 224
    NIDS user defined signature 224
baudrate
    console 41

C
CLI
    basics 17
    command structure 17
    connecting to 13
    reverting the firmware 22
command
    conventions 10
    editing 18
    help 18
    recalling 18
    shortcuts 18
command branch
    navigating 17
command line console 20
command structure 17
configuration
    displaying 19
configuration file
    editing 19
connecting
    to the CLI using SSH 15
    to the CLI using telnet 16
    to the console 14
connecting to the CLI 13
console 20
    baudrate 41
conventions 10
customer service 12

D
diagnose commands 20
displaying the configuration 19
DNS translation 48

E
editing commands 18
execute backup 224
execute commands 223
execute factoryreset 225
execute formatlogdisk 226
execute ha manage 227
execute ha synchronize 228
execute ping 229
execute ping-option 230
execute reboot 231
execute reload 232
execute restore 233
execute save config 234
execute shutdown 235
execute traceroute 236
execute updatecenter updatenow 237
execute vpn certificates ca 238
execute vpn certificates local 239

F
firmware
    backup image 28
    changing 21
    installing 23
    re-installing current version 23
    reverting to an older version 23
    reverting using the CLI 22
    switching to backup image 29
    testing 26
    upgrading 21
    upgrading to a new version 21
FortiGate product feature matrix 243
Fortinet customer service 12
ftp splice 40

G
get alertemail configuration 170
get alertemail setting 171
get antivirus filepattern 172
get antivirus quarantine list 173
get antivirus quarantine settings 174
get antivirus service 175
get commands 169
get config 176
get console 177
get emailfilter 178
get firewall address 179
get firewall addrgrp 180
get firewall dnstranslation 181
get firewall ipmacbinding 182
get firewall ippool 183
get firewall policy 185
get firewall profile 184
get firewall schedule 186
get firewall service 187
get firewall vip 188
get log elog 189
get log logsetting 190
get log policy 191
get log trafficfilter 192
get nids detection 193
get nids prevention 194
get nids rule 195
get system admin 196
get system autoupdate 197
get system dhcpserver 198
get system dns 199
get system ha 200
get system interface 201
get system mainregpage 202
get system management 203
get system objver 204
get system option 205
get system performance 206
get system route policy 207
get system route rip 208
get system route table 209
get system serialno 210
get system sessionttl 211
get system snmp 212
get system status 213
get system time 214
get system vlan 215
get system zone 216
get user 217
get vpn certificates 218
get vpn ipsec 219
get vpn l2tp range 220
get vpn pptp range 221
get webfilter 222

H
help
    command 18

N
navigating
    command branches 17
NIDS user defined signature
    backup 224
    restore 233

P
phase2
    wildcardid 131
port forwarding
    virtual IP 64
proxy server
    autoupdate tunnelling 80

R
recalling commands 18
restore
    image 233
    NIDS user defined signature 233
reverting
    firmware to an older version 23
    firmware using the CLI 22

S
set alertemail configuration 34
set alertemail setting 35
set antivirus filepattern 36
set antivirus quarantine 37
set antivirus service 39
set commands 33
set console 20, 41
set emailfilter bannedword 42
set emailfilter blocklist 43
set emailfilter config 44
set emailfilter exemptlist 45
set firewall address 46
set firewall addrgrp 47
set firewall dnstranslation 48
set firewall ipmacbinding setting 49
set firewall ipmacbinding table 50
set firewall ippool 51
set firewall onetimeschedule 52
set firewall policy 53
set firewall profile 57
set firewall recurringschedule 61
set firewall service custom 62
set firewall service group 63
set firewall vip 64
set log policy 66
set log setting 68
set log trafficfilter rule 70
set log trafficfilter setting 71
set nids detection 72
set nids prevention 73
set nids rule 77
set system admin 78
set system autoupdate 79
    tunnelling 80
set system brctl 81
set system dhcpserver 82
set system dns 84
set system ha 85
set system hostname 88
set system interface 89
set system mainregpage 93
set system management 94
set system opmode 95
set system option 96
set system route number 97
set system route policy 99
set system route rip 101
set system route rip filter 103
set system route rip interface 106
set system route rip neighbor 108
set system route rip timers 109
set system session_ttl 110
set system snmp 111
set system time 113
set system vlan 114
set system zone 115
set user group 116
set user ldap 117
set user local 119
set user radius 121
set vpn ipsec concentrator 122
set vpn ipsec manualkey 123
set vpn ipsec phase1 125
set vpn ipsec phase2 130
set vpn l2tp 133
set vpn pptp 134
set webfilter cerberian 135
set webfilter content 136
set webfilter exempturl 137
set webfilter script 138
set webfilter url 139
shortcuts
    command 18
smtp splice 40
splice 40
    ftp 40
    smtp 40
SSH
    connecting to the CLI 15

T
technical support 12
telnet
    connecting to the CLI 16

U
unset commands 141
unset firewall address 142
unset firewall addrgrp 143
unset firewall ipmacbinding 144
unset firewall ippool 145
unset firewall onetimeschedule 146
unset firewall policy 147
unset firewall profile 148
unset firewall recurringschedule 149
unset firewall service 150
unset firewall vip 151
unset log filter 152
unset system admin 153
unset system dhcpserver 154
unset system hostname 155
unset system route number 156
unset system route policy 157
unset system secondip 158
unset system sessionttl 159
unset system vlan 160
unset system zone 161
unset user group 162
unset user ldap 163
unset user local 164
unset user radius 165
unset vpn certificates 166
unset vpn ipsec 167
upgrade
    firmware 21
upgrading
    firmware 21

V
virtual IP
    port forwarding 64

W
wildcardid 131