FortiADC CLI Reference, 4.2.2, Revision 1

FortiADC™ CLI Reference - D Series
VERSION 4.2.2
FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
March 31, 2015
Table of contents
Introduction ...................................................................................................... 8
Using the CLI .................................................................................................. 10
Connecting to the CLI ............................................................................................ 10
Connecting to the CLI using a local console .................................................... 10
Enabling access to the CLI through the network ............................................. 11
Connecting to the CLI using SSH .................................................................... 12
Connecting to the CLI using Telnet .................................................................. 13
Command syntax ................................................................................................... 14
Subcommands ....................................................................................................... 18
Table commands ............................................................................................. 19
Field commands............................................................................................... 20
Permissions ........................................................................................................... 21
Tips & tricks ........................................................................................................... 22
Command abbreviation .................................................................................... 23
Special characters ........................................................................................... 23
Language support & regular expressions ........................................................ 24
Screen paging .................................................................................................. 25
Editing the configuration file in a text editor ..................................................... 26
config config................................................................................................... 27
config config sync .................................................................................................. 27
config firewall ................................................................................................. 28
config firewall address ........................................................................................... 28
config firewall address6 ......................................................................................... 29
config firewall connlimit .......................................................................................... 30
config firewall connlimit6 ........................................................................................ 32
config firewall nat-snat ........................................................................................... 33
config firewall policy ............................................................................................... 35
config firewall policy6 ............................................................................................. 37
config firewall qos-filter .......................................................................................... 38
config firewall qos-filter6 ........................................................................................ 40
config firewall qos-queue ....................................................................................... 41
config firewall service............................................................................................. 42
config firewall vip.................................................................................................... 44
config global-dns-server ............................................................................... 46
config global-dns-server address-group ................................................................ 46
config global-dns-server dns64.............................................................................. 48
config global-dns-server dsset-info-list .................................................................. 49
config global-dns-server general............................................................................ 50
config global-dns-server load-balance-pool ........................................................... 51
config global-dns-server policy .............................................................................. 53
config global-dns-server remote-dns-server .......................................................... 56
config global-dns-server response-rate-limit.......................................................... 57
config global-dns-server trust-anchor-key.............................................................. 58
config global-dns-server zone................................................................................ 59
config link-load-balance ................................................................................ 65
config link-load-balance address ........................................................................... 65
config link-load-balance address6 ......................................................................... 66
config link-load-balance flow-policy ....................................................................... 66
config link-load-balance gateway........................................................................... 68
config link-load-balance health-check.................................................................... 70
config link-load-balance link-group ........................................................................ 72
config link-load-balance persistence...................................................................... 74
config link-load-balance proximity-route ................................................................ 75
config link-load-balance service............................................................................. 77
config link-load-balance virtual-tunnel.................................................................... 79
config load-balance........................................................................................ 81
config load-balance caching .................................................................................. 81
config load-balance compression .......................................................................... 82
config load-balance connection-pool ..................................................................... 84
config load-balance content-rewriting .................................................................... 86
config load-balance content-routing....................................................................... 89
config load-balance error-page .............................................................................. 92
config load-balance health-check .......................................................................... 92
config load-balance ippool ..................................................................................... 96
config load-balance method................................................................................... 96
config load-balance persistence ............................................................................ 97
config load-balance pool ........................................................................................ 99
config load-balance profile ................................................................................... 104
config load-balance reputation............................................................................. 110
config load-balance reputation-exception ............................................................ 113
config load-balance ssl ........................................................................................ 113
config load-balance virtual-server ........................................................................ 113
config log ...................................................................................................... 119
config log alertemail recipient .............................................................................. 119
config log alertemail setting ................................................................................. 119
config log report ................................................................................................... 120
config log report_queryset ................................................................................... 120
config log setting highspeed ................................................................................ 120
config log setting local.......................................................................................... 121
config log setting remote...................................................................................... 123
config router ................................................................................................. 127
config router ospf ................................................................................................. 127
config router policy............................................................................................... 131
config router setting ............................................................................................. 132
config router static................................................................................................ 133
config system ............................................................................................... 136
config system accprofile....................................................................................... 136
config system admin ............................................................................................ 139
config system certificate ca.................................................................................. 142
config system certificate ca_group....................................................................... 143
config system certificate certificate_verify............................................................ 144
config system certificate crl.................................................................................. 145
config system certificate intermediate_ca ............................................................ 146
config system certificate intermediate_ca_group................................................. 147
config system certificate local .............................................................................. 148
config system certificate local_cert_group ........................................................... 151
config system certificate remote .......................................................................... 152
config system dns ................................................................................................ 153
config system dos-prevention .............................................................................. 154
config system fortiguard....................................................................................... 155
config system global ............................................................................................ 156
config system ha .................................................................................................. 159
config system interface ........................................................................................ 163
config system mailserver ..................................................................................... 169
config system password-policy ............................................................................ 170
config system schedule-group ............................................................................. 171
config system snmp community........................................................................... 172
config system snmp sysinfo ................................................................................. 175
config system snmp threshold ............................................................................. 176
config system snmp user ..................................................................................... 177
config system tcpdump ........................................................................................ 179
config system time manual .................................................................................. 180
config system time ntp ......................................................................................... 181
config user .................................................................................................... 183
config user ldap.................................................................................................... 183
config user radius................................................................................................. 183
diagnose........................................................................................................ 185
diagnose debug application ................................................................................. 185
diagnose debug cli ............................................................................................... 187
diagnose debug enable........................................................................................ 188
diagnose debug info............................................................................................. 189
diagnose debug kernel......................................................................................... 190
diagnose hardware deviceinfo ............................................................................. 191
diagnose hardware ioport .................................................................................... 193
diagnose hardware pciconfig ............................................................................... 195
diagnose hardware sysinfo .................................................................................. 198
diagnose netlink backlog...................................................................................... 199
diagnose netlink device........................................................................................ 200
diagnose netlink interface .................................................................................... 201
diagnose netlink ip/ipv6........................................................................................ 202
diagnose netlink neighbor/neighbor6 ................................................................... 203
diagnose netlink route/route6............................................................................... 204
diagnose netlink tcp ............................................................................................. 205
diagnose netlink udp ............................................................................................ 207
diagnose sniffer packet ........................................................................................ 208
diagnose system top ............................................................................................ 211
diagnose system vmware .................................................................................... 213
execute .......................................................................................................... 214
execute backup config ......................................................................................... 214
execute caching ................................................................................................... 215
execute certificate ca ........................................................................................... 215
execute certificate crl ........................................................................................... 216
execute certificate local........................................................................................ 216
execute certificate remote.................................................................................... 217
execute certificate config ..................................................................................... 218
execute date ........................................................................................................ 218
execute factoryreset............................................................................................. 219
execute formatlogdisk .......................................................................................... 219
execute log delete-file .......................................................................................... 220
execute log delete-type........................................................................................ 220
execute log list-type ............................................................................................. 220
execute log rebuild-db.......................................................................................... 221
execute nslookup ................................................................................................. 221
execute ping/ping6............................................................................................... 222
execute ping-options/ping6-options ..................................................................... 223
execute reboot ..................................................................................................... 225
execute restore config.......................................................................................... 226
execute restore image ......................................................................................... 227
execute shutdown ................................................................................................ 228
execute tcpdump/tcpdump6................................................................................. 228
execute tcpdump-file............................................................................................ 229
execute traceroute ............................................................................................... 230
execute vmware license....................................................................................... 231
get .................................................................................................................. 232
get router info ospf ............................................................................................... 233
get router info routing-table.................................................................................. 234
get system performance ...................................................................................... 235
get system status ................................................................................................. 235
show .............................................................................................................. 237
Appendix A: Virtual domains ...................................................................... 239
Overview .............................................................................................................. 239
Enabling VDOMs ................................................................................................. 239
Creating VDOMs.................................................................................................. 240
Assigning interfaces to a VDOM .......................................................................... 241
Assigning administrators to a VDOM ................................................................... 241
Disabling VDOMs................................................................................................. 241
Index .............................................................................................................. 243
Introduction
Welcome, and thank you for selecting Fortinet products for your network protection.
Scope
This document describes how to use the command-line interface (CLI) of the FortiADC appliance. It assumes that you
have already successfully installed the FortiADC appliance and completed basic setup.
At this stage:
• You have administrative access to the web UI and/or CLI.
• The FortiADC appliance is integrated into your network.
Once that basic installation is complete, you can use this document. This document is a reference for commands you can
use to:
• Update the system.
• Configure features and advanced options.
• Diagnose problems.
This document does not cover the web UI or first-time setup. For that information, see the FortiADC Handbook.
Conventions
This document uses the conventions described in this section.
IP addresses
To avoid IP conflicts that would occur if you used examples in this document with public IP addresses that belong to a
real organization, the IP addresses used in this document are fictional. They belong to the private IP address ranges
defined by these RFCs.
• RFC 1918: Address Allocation for Private Internets
  http://ietf.org/rfc/rfc1918.txt?number-1918
• RFC 5737: IPv4 Address Blocks Reserved for Documentation
  http://tools.ietf.org/html/rfc5737
• RFC 3849: IPv6 Address Prefix Reserved for Documentation
  http://tools.ietf.org/html/rfc3849
For example, even though a real network’s Internet-facing IP address would be routable on the public Internet, in this
document’s examples, the IP address would be shown as a non-Internet-routable IP such as 10.0.0.1, 192.168.0.1, or
172.16.0.1.
Cautions, notes, & tips
This document uses the following guidance and styles for notes, tips and cautions.
Caution: Warns you about procedures or feature behaviors that could have unexpected or undesirable results,
including loss of data or damage to equipment.
FortiADC CLI Reference 4.2
Fortinet Technologies Inc.
8
Note: Highlights important, possibly unexpected but non-destructive, details about a feature’s behavior.
Tip: Presents best practices, troubleshooting, performance tips, or alternative methods.
Typographical conventions
Table 1 describes the typographical conventions used in this document.
Table 1: Typographical conventions
Convention                          Example
A GUI element you are instructed    From Minimum log level, select Notification.
to click or select
CLI input                           config system dns
                                        set primary <address_ipv4>
                                    end
CLI output                          FortiADC-VM # execute certificate local regenerate
                                    self certificate regenerated!
Emphasis                            HTTP connections are not secure and can be intercepted by a third party.
File content                        <HTML><HEAD><TITLE>Authentication</TITLE></HEAD>
                                    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                           https://support.fortinet.com
Keyboard entry                      Type a name for the configuration such as virtual_server_1.
Navigation                          Go to System > Maintenance.
Publication                         For details, see the FortiADC Handbook.
Command syntax
The CLI requires that you use valid syntax, and conform to expected input constraints. It rejects invalid commands.
For command syntax conventions such as braces, brackets, and command constraints such as <address_ipv4>, see
“Notation” on page 16.
Using the CLI
The command-line interface (CLI) is an alternative to the web UI.
You can use either interface or both to configure the FortiADC appliance. In the web UI, you use buttons, icons, and
forms, while, in the CLI, you either type text commands or upload batches of commands from a text file, like a
configuration script.
If you are new to Fortinet products, or if you are new to the CLI, this section can help you to become familiar.
Connecting to the CLI
You can access the CLI in two ways:
• Locally — Connect your computer, terminal server, or console directly to the console port.
• Through the network — Connect your computer through any network attached to one of the network ports. To connect
  using a Secure Shell (SSH) or Telnet client, enable the network interface for Telnet or SSH administrative access.
  Enable HTTP/HTTPS administrative access to connect using the CLI Console widget in the web UI.
Local access is required in some cases.
• If you are installing your FortiADC appliance for the first time and it is not yet configured to connect to your network,
  unless you reconfigure your computer’s network settings for a peer connection, you might only be able to connect to
  the CLI using a local console connection. See the FortiADC Handbook.
• Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process
  completes, and therefore local CLI access is the only viable option.
Before you can access the CLI through the network, you usually must enable SSH and/or HTTP/HTTPS and/or Telnet on
the network interface through which you will access the CLI.
Connecting to the CLI using a local console
Local console connections to the CLI are formed by directly connecting your management computer or console to the
FortiADC appliance, using its DB-9 console port.
Requirements
• A computer with an available serial communications (COM) port
• Console cable (RJ-45-to-DB-9 or null modem cable) included in your FortiADC package
• Terminal emulation software such as PuTTY
Note: The following procedure describes connection using PuTTY software; steps may vary with other terminal
emulators.
To connect to the CLI using a local console connection
1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiADC appliance’s console port to the serial
communications (COM) port on your management computer.
2. On your management computer, start PuTTY.
3. In the Category tree on the left, go to Connection > Serial and configure the following:
Serial line to connect to: COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
Speed (baud): 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None
4. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
5. Click Open.
6. Press the Enter key to initiate a connection.
The login prompt appears.
7. Type a valid administrator account name (such as admin) then press Enter.
8. Type the password for that administrator account and press Enter. (In its default state, there is no password for the
admin account.)
The CLI displays the following text, followed by a command line prompt:
Welcome!
You can now enter CLI commands, including configuring access to the CLI through SSH or Telnet.
Enabling access to the CLI through the network
SSH, Telnet, or CLI Console widget (via the web UI) access to the CLI requires connecting your computer to the
FortiADC appliance using one of its RJ-45 network ports. You can either connect directly, using a peer connection
between the two, or through any intermediary network.
Tip: If you do not want to use an SSH/Telnet client and you have access to the web UI, you can alternatively
access the CLI through the network using the CLI Console widget in the web UI.
You must enable SSH and/or Telnet on the network interface associated with that physical network port. If your computer
is not connected directly or through a switch, you must also configure the FortiADC appliance with a static route to a
router that can forward packets from the FortiADC appliance to your computer.
You can do this using either:
• a local console connection (see the following procedure)
• the web UI
Requirements
• a computer with an available serial communications (COM) port and RJ-45 port
• terminal emulation software such as PuTTY
• the RJ-45-to-DB-9 or null modem cable included in your FortiADC package
• a crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch or
  router)
To enable SSH or Telnet access to the CLI using a local console connection
1. Using the network cable, connect the FortiADC appliance’s network port either directly to your computer’s network
port, or to a network through which your computer can reach the FortiADC appliance.
2. Note the number of the physical network port.
3. Using a local console connection, connect and log into the CLI.
4. Enter the following commands:
config system interface
    edit <interface_name>
        set allowaccess {http https ping snmp ssh telnet}
end
where:
• <interface_name> is the name of the network interface associated with the physical network port, such as port1
• {http https ping snmp ssh telnet} is the complete, space-delimited list of permitted administrative access protocols,
  such as https ssh telnet; omit protocols that you do not want to permit
For example, to exclude HTTP, SNMP, and Telnet, and allow only HTTPS, ICMP ECHO (ping), and SSH
administrative access on port1:
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
Caution: Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other
untrusted network.
5. To confirm the configuration, enter the command to view the access settings for the interface.
show system interface <interface_name>
The CLI displays the settings, including the management access settings, for the interface.
6. If you will be connecting indirectly, through one or more routers or firewalls, configure the appliance with at least one
static route so that replies from the CLI can reach your client.
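To check the result of step 5 across every interface at once, here is an added Python example (not Fortinet's code) that parses the stanza format shown above and flags interfaces still permitting the insecure Telnet or HTTP protocols; the configuration text is a constructed sample, not captured appliance output.

```python
"""Audit 'config system interface' text for insecure administrative access.

Added example, not Fortinet code. It parses the stanza format used in this
section (config / edit "name" / set allowaccess ... / next / end) and reports
interfaces that still permit Telnet or HTTP, which the reference says are not
secure access methods. SAMPLE_CONFIG is constructed sample text.
"""
import re
from typing import Dict, List

# Protocols the reference recommends against for management access.
INSECURE_PROTOCOLS = {"telnet", "http"}

# Constructed sample, in the format of `show system interface` output.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
    edit "port2"
        set allowaccess http telnet ping
    next
    edit "port3"
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_ALLOW_RE = re.compile(r'^\s*set\s+allowaccess\s+(.*?)\s*$')


def parse_allowaccess(config_text: str) -> Dict[str, List[str]]:
    """Return {interface_name: [protocols]} from a config system interface block.

    An interface with no 'set allowaccess' line gets an empty list: no
    administrative protocol is shown as permitted on it.
    """
    result: Dict[str, List[str]] = {}
    current = None
    for line in config_text.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _ALLOW_RE.match(line)
        if m and current is not None:
            result[current] = m.group(1).split()
    return result


def find_insecure_access(config_text: str) -> Dict[str, List[str]]:
    """Return only interfaces permitting an insecure protocol, with the offenders."""
    findings: Dict[str, List[str]] = {}
    for name, protos in parse_allowaccess(config_text).items():
        bad = sorted(p for p in protos if p in INSECURE_PROTOCOLS)
        if bad:
            findings[name] = bad
    return findings


def hardened_allowaccess(protocols: List[str]) -> List[str]:
    """Drop insecure protocols; the result is the list to give 'set allowaccess'."""
    return [p for p in protocols if p not in INSECURE_PROTOCOLS]


if __name__ == "__main__":
    current_access = parse_allowaccess(SAMPLE_CONFIG)
    for iface, bad in find_insecure_access(SAMPLE_CONFIG).items():
        suggested = " ".join(hardened_allowaccess(current_access[iface]))
        print(f"{iface}: permits {' '.join(bad)}; suggested: set allowaccess {suggested}")
```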
Connecting to the CLI using SSH
Once you configure the FortiADC appliance to accept SSH connections, you can use an SSH client on your management
computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH protocol
versions, ciphers, and bit strengths vary by whether or not you have enabled FIPS-CC mode or are using a low
encryption (LENC) version, but generally include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.
Requirements
• a computer with an RJ-45 Ethernet port
• a crossover Ethernet cable
• an SSH client such as PuTTY
To connect to the CLI using SSH
1. On your management computer, start PuTTY.
Initially, the Session category of settings is displayed.
2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled SSH
administrative access.
3. In Port, type 22.
4. From Connection type, select SSH.
5. Click Open.
The SSH client connects to the FortiADC appliance.
The SSH client may display a warning if this is the first time you are connecting to the FortiADC appliance and its SSH
key is not yet recognized by your SSH client, or if you have previously connected to the FortiADC appliance but it
used a different IP address or SSH key. If your management computer is directly connected to the FortiADC
appliance with no network hosts between them, this is normal.
6. Click Yes to verify the fingerprint and accept the FortiADC appliance’s SSH key. You will not be able to log in until you
have accepted the key.
The CLI displays a login prompt.
7. Type a valid administrator account name (such as admin) and press Enter.
8. Type the password for this administrator account and press Enter.
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then
reconnect to attempt the login again.
The FortiADC appliance displays a command prompt (its host name followed by a #). You can now enter CLI
commands.
Connecting to the CLI using Telnet
Once the FortiADC appliance is configured to accept Telnet connections, you can use a Telnet client on your
management computer to connect to the CLI.
Telnet is not a secure access method. SSH should be used to access the CLI from the Internet or any other
untrusted network.
Requirements
• a computer with an RJ-45 Ethernet port
• a crossover Ethernet cable
• a FortiADC network interface configured to accept Telnet connections
• terminal emulation software such as PuTTY
To connect to the CLI using Telnet
1. On your management computer, start PuTTY.
2. In Host Name (or IP Address), type the IP address of a network interface on which you have enabled Telnet
administrative access.
3. In Port, type 23.
4. From Connection type, select Telnet.
5. Click Open.
6. Type a valid administrator account name (such as admin) and press Enter.
7. Type the password for this administrator account and press Enter.
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one minute, then
reconnect to attempt the login again.
The CLI displays a command line prompt (by default, its host name followed by a #). You can now enter CLI
commands.
Command syntax
When entering a command, the CLI requires that you use valid syntax and conform to expected input constraints. It will
reject invalid commands.
For example, if you do not type the entire object that will receive the action of a command operator such as config, the
CLI will return an error message such as:
Command fail. CLI parsing error
Fortinet documentation uses the following conventions to describe valid command syntax.
Terminology
Each command line consists of a command word followed by words for the configuration data or other specific item that
the command uses or affects, for example:
get system admin
Fortinet documentation uses the terms in Figure 1 to describe the function of each word in the command line.
Figure 1: Command syntax terminology
config system interface
    edit <port_name>
        set status {up | down}
        set ip <interface_ipv4mask>
    next
end
In the figure, config is labelled the command, system interface the object, edit the subcommand, <port_name> the table, status and ip fields, {up | down} an option, and <interface_ipv4mask> a value.
The syntax uses the following terms:
• command — A word that begins the command line and indicates an action that the FortiADC appliance should perform on a part of the configuration or host on the network, such as config or execute. Together with other words, such as fields or values, that you terminate by pressing the Enter key, it forms a command line. Exceptions include multi-line command lines, which can be entered using an escape sequence.
  Valid command lines must be unambiguous if abbreviated. Optional words or other command line permutations are indicated by syntax notation.
  If you do not enter a known command, the CLI will return an error message such as:
  Unknown action 0
• subcommand — A kind of command that is available only when nested within the scope of another command. After entering a command, its applicable subcommands are available to you until you exit the scope of the command, or until you descend an additional level into another subcommand. Indentation is used to indicate levels of nested commands.
  Not all top-level commands have subcommands. Available subcommands vary by their containing scope.
• object — A part of the configuration that contains tables and/or fields. Valid command lines must be specific enough to indicate an individual object.
• table — A set of fields that is one of possibly multiple similar sets that each have a name or number, such as an administrator account, policy, or network interface. These named or numbered sets are sometimes referenced by other parts of the configuration that use them.
• field — The name of a setting, such as ip or hostname. Fields in some tables must be configured with values. Failure to configure a required field will result in an invalid object configuration error message, and the FortiADC appliance will discard the invalid table.
• value — A number, letter, IP address, or other type of input that is usually the configuration setting held by a field. Some commands, however, require multiple input values which may not be named but are simply entered in sequential order in the same command line. Valid input types are indicated by constraint notation.
• option — A kind of value that must be one or more words from a fixed set of options.
Indentation
Indentation indicates levels of nested commands, which indicate what other subcommands are available from within the
scope.
For example, the edit subcommand is available only within a command that affects tables, and the next subcommand
is available only from within the edit subcommand:
config system interface
    edit port1
        set status up
    next
end
For information about available subcommands, see “Subcommands” on page 18.
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as
<address_ipv4>, indicate which data types or string patterns are acceptable value input.
If you do not use the expected data type, the CLI returns an error message such as:
object set operator error, -4003 discard the setting
The request URL must start with "/" and without domain name.
or:
invalid unsigned integer value :-:
value parse error before '-'
Input value is invalid.
It might reject or discard your settings instead of saving them when you type end.
Table 2: Command syntax notation
Convention
  Description
Square brackets [ ]
  A non-required (optional) word or words. For example:
    [verbose {1 | 2 | 3}]
  indicates that you may either omit or type both the verbose word and its accompanying option, such as:
    verbose 3
Curly braces { }
  A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces.
  You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
Options delimited by vertical bars |
  Mutually exclusive options. For example:
    {enable | disable}
  indicates that you must enter either enable or disable, but must not enter both.
Options delimited by spaces
  Non-mutually exclusive options. For example:
    {http https ping snmp ssh telnet}
  indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
    ping https ssh
  Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
    ping https snmp ssh
  If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
Angle brackets < >
  A word constrained by data type.
  To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example:
    <retries_int>
  indicates that you should enter a number of retries, such as 5.
  Data types include:
  • <xxx_name> — A name referring to another part of the configuration, such as policy_A.
  • <xxx_index> — An index number referring to another part of the configuration, such as 0 for the first static route.
  • <xxx_pattern> — A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all e-mail addresses ending in @example.com.
  • <xxx_fqdn> — A fully qualified domain name (FQDN), such as mail.example.com.
  • <xxx_email> — An email address, such as admin@mail.example.com.
  • <xxx_url> — A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
  • <xxx_ipv4> — An IPv4 address, such as 192.168.1.99.
  • <xxx_v4mask> — A dotted decimal IPv4 netmask, such as 255.255.255.0.
  • <xxx_ipv4mask> — A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
  • <xxx_ipv4/mask> — A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
  • <xxx_ipv6> — A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
  • <xxx_v6mask> — An IPv6 netmask, such as /96.
  • <xxx_ipv6mask> — An IPv6 address and netmask separated by a space.
  • <xxx_str> — A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See “Special characters” on page 23.
  • <xxx_int> — An integer number that is not another data type, such as 15 for the number of minutes.
Subcommands
Once you connect to the CLI, you can enter commands.
Each command line consists of a command word that is usually followed by words for the configuration data or other
specific item that the command uses or affects, for example:
get system admin
Subcommands are available from within the scope of some commands. When you enter a subcommand level, the command prompt changes to indicate the name of the current command scope. For example, after entering:
config system admin
the command prompt becomes:
(admin)#
Applicable subcommands are available to you until you exit the scope of the command, or until you descend an
additional level into another subcommand.
For example, the edit subcommand is available only within a command that affects tables; the next subcommand is
available only from within the edit subcommand:
config system interface
    edit port1
        set status up
    next
end
Available subcommands vary by command. From a command prompt within config, two types of subcommands might become available:
• commands that affect fields (see “Field commands” on page 20)
• commands that affect tables (see “Table commands” on page 19)
Subcommand scope is indicated in this CLI Reference by indentation. See “Indentation” on page 15.
Syntax examples for each top-level command in this CLI Reference do not show all available
subcommands. However, when nested scope is demonstrated, you should assume that subcommands
applicable for that level of scope are available.
Table commands
Table 3: Commands for tables
delete <table_name>
  Remove a table from the current object.
  For example, in config system admin, you could delete an administrator account named newadmin by typing delete newadmin and pressing Enter. This deletes newadmin and all its fields, such as newadmin’s first-name and email-address.
  delete is only available within objects containing tables.
edit <table_name>
  Create or edit a table in the current object.
  For example, in config system admin:
  • edit the settings for the default admin administrator account by typing edit admin.
  • add a new administrator account with the name newadmin and edit newadmin’s settings by typing edit newadmin.
  edit is an interactive subcommand: further subcommands are available from within edit.
  edit changes the prompt to reflect the table you are currently editing.
  edit is only available within objects containing tables.
end
  Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.
get
  List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
  For more information on get commands, see “get” on page 232.
purge
  Remove all tables in the current object.
  For example, in config user local-user, you could type get to see the list of all local user names, then type purge and then y to confirm that you want to delete all users.
  purge is only available for objects containing tables.
  Caution: Back up the FortiADC appliance before performing a purge because it cannot be undone. To restore purged tables, the configuration must be restored from a backup.
  Caution: Do not purge system interface or system admin tables. This can result in being unable to connect or log in, requiring the FortiADC appliance to be formatted and restored.
show
  Display changes to the default configuration. Changes are listed in the form of configuration commands.
  For more information on show commands, see “show” on page 237.
Example of table commands
From within the system admin object, you might enter:
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you are now within the admin_1
table:
new entry 'admin_1' added
(admin_1)#
Field commands
Table 4: Commands for fields
abort
  Exit both the edit and/or config commands without saving the fields.
end
  Save the changes made to the current table or object fields, and exit the config command. (To exit without saving, use abort instead.)
get
  List the configuration of the current object or table.
  • In objects, get lists the table names (if present), or fields and their values.
  • In a table, get lists the fields and their values.
next
  Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt. (To save and exit completely to the root prompt, use end instead.)
  next is useful when you want to create or edit several tables in the same object, without leaving and re-entering the config command each time.
  next is only available from a table prompt; it is not available from an object prompt.
set <field_name> <value>
  Set a field’s value.
  For example, in config system admin, after typing edit admin, you could type set password newpass to change the password of the admin administrator to newpass.
  Note: When using set to change a field containing a space-delimited list, type the whole new list. For example, set <field> <new-value> will replace the list with the <new-value> rather than appending <new-value> to the list.
show
  Display changes to the default configuration. Changes are listed in the form of configuration commands.
unset <field_name>
  Reset the table or object’s fields to default values.
  For example, in config system admin, after typing edit admin, typing unset password resets the password of the admin administrator account to the default (in this case, no password).
Example of field commands
From within the admin_1 table, you might enter the following command to assign the value my1stExamplePassword
to the password field:
set password my1stExamplePassword
You might then enter the next command to save the changes and edit the next administrator’s table.
Permissions
Depending on the account that you use to log in to the FortiADC appliance, you may not have complete access to all CLI
commands or areas of the web UI.
Access profiles control which commands and areas an administrator account can access. Access profiles assign either:
• Read (view access)
• Write (change and execute access)
• Both read and write
• No access
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted.
The admin administrator account is similar to a root administrator account. This administrator account always has full
permission to view and change all FortiADC configuration options, including viewing and changing all other administrator
accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another
administrator’s password without being required to enter that administrator’s existing password.
For complete access to all commands, you must log in with the administrator account named admin.
Tips & tricks
Basic features and characteristics of the CLI environment provide support and ease of use for many CLI tasks.
This section includes:
• Help
• Shortcuts & key commands
• Command abbreviation
• Special characters
• Language support & regular expressions
• Screen paging
• Editing the configuration file in a text editor
Help
To display brief help during command entry, press the question mark (?) key.
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each.
• Press the question mark (?) key after a command keyword to display a list of the objects available with that command and a description of each.
• Type a word or part of a word, then press the question mark (?) key to display a list of valid word completions or subsequent words, and to display a description of each.
Shortcuts & key commands
Table 5: Shortcuts and key commands
Action
  Keys
List valid word completions or subsequent words. If multiple words could complete your entry, display all possible completions with helpful descriptions of each.
  ?
Complete the word with the next available match. Press the key multiple times to cycle through available matches.
  Tab
Recall the previous command. Command memory is limited to the current session.
  Up arrow, or Ctrl + P
Recall the next command.
  Down arrow, or Ctrl + N
Move the cursor left or right within the command line.
  Left or Right arrow
Move the cursor to the beginning of the command line.
  Ctrl + A
Move the cursor to the end of the command line.
  Ctrl + E
Move the cursor backwards one word.
  Ctrl + B
Move the cursor forwards one word.
  Ctrl + F
Delete the current character.
  Ctrl + D
Abort current interactive commands, such as when entering multiple lines. If you are not currently within an interactive command such as config or edit, this closes the CLI connection.
  Ctrl + C
Continue typing a command on the next line for a multi-line command. For each line that you want to continue, terminate it with a backslash ( \ ). To complete the command line, terminate it by pressing the spacebar and then the Enter key, without an immediately preceding backslash.
  \ then Enter
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous characters. For example, the
command get system status could be abbreviated to:
g sy st
If you enter an ambiguous command, the CLI returns an error message such as:
ambiguous command before 's'
Value conflicts with system settings.
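The abbreviation rule above and the word completion that ? offers (see Help), as an added example that is not Fortinet code: each word is resolved against a small constructed command tree, and an ambiguous word produces the message the reference quotes. The command tree, the unknown-word message and the shortest-abbreviation helper are this example's own.

```python
"""Word-by-word abbreviation resolution and '?' completion for a FortiADC-style
CLI (added example, not Fortinet code). The command tree below is a small
constructed subset; the device's own matching rules are not shown in the
reference beyond the error wording it quotes.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subset of the command tree: command -> object words -> ... -> {}.
COMMAND_TREE: Dict = {
    "get": {"system": {"status": {}, "session": {}, "admin": {}}},
    "config": {
        "system": {"interface": {}, "admin": {}},
        "firewall": {"address": {}, "address6": {}, "policy": {}},
    },
    "show": {"system": {"interface": {}}},
    "execute": {"backup": {"config": {}}, "restore": {"config": {}}},
}


def completions(scope: Dict, partial: str) -> List[str]:
    """Words in the current scope that begin with the partial word.

    This is the list the reference says '?' shows after a partial word."""
    return sorted(word for word in scope if word.startswith(partial))


def resolve(line: str, tree: Dict = COMMAND_TREE) -> Tuple[Optional[List[str]], Optional[str]]:
    """Expand an abbreviated command line to full words.

    Returns (words, None) on success or (None, message) when a word is unknown
    or ambiguous. The ambiguity message copies the wording quoted in the
    reference; the unknown-word message is this example's own."""
    scope = tree
    expanded: List[str] = []
    for word in line.split():
        if word in scope:
            matches = [word]            # an exact word wins, e.g. 'address' vs 'address6'
        else:
            matches = completions(scope, word)
        if not matches:
            so_far = " ".join(expanded)
            return None, f"unknown word '{word}' after '{so_far}'"
        if len(matches) > 1:
            return None, f"ambiguous command before '{word}'"
        expanded.append(matches[0])
        scope = scope[matches[0]]
    return expanded, None


def shortest_abbreviation(words: List[str], tree: Dict = COMMAND_TREE) -> str:
    """Shortest unambiguous abbreviation of a full command line in this tree."""
    scope = tree
    parts = []
    for word in words:
        for n in range(1, len(word) + 1):
            if completions(scope, word[:n]) == [word]:
                parts.append(word[:n])
                break
        else:
            parts.append(word)          # only the exact word disambiguates (address vs address6)
        scope = scope[word]
    return " ".join(parts)
```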
Special characters
Special characters <, >, (, ), #, ', and " are usually not permitted in CLI. If you use them, the CLI will often return an error message such as:
The string contains XSS vulnerability characters
value parse error before '%^@'
Input not as expected.
Some may be enclosed in quotes or preceded with a backslash ( \ ) character.
Table 6: Entering special characters
Character
  Key
?
  Ctrl + V then ?
Tab
  Ctrl + V then Tab
Space (to be interpreted as part of a string value, not to end the string)
  Enclose the string in quotation marks: "Security Administrator".
  Enclose the string in single quotes: 'Security Administrator'.
  Precede the space with a backslash: Security\ Administrator.
' (to be interpreted as part of a string value, not to end the string)
  \'
" (to be interpreted as part of a string value, not to end the string)
  \"
\
  \\
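The rules of Table 6 applied in code, as an added example that is not part of the reference: one helper writes a value containing spaces, quotes or backslashes in an accepted form, and a parser reads it back. The fixed set of rejected characters and the way the three escapes combine inside one value are this example's assumptions.

```python
"""Quoting and un-quoting string values for a FortiADC-style CLI, following
Table 6 (added example, not Fortinet code). How the escapes combine in one
value and the fixed set of rejected characters are this example's assumptions;
the reference lists each rule separately.
"""

# Characters the reference says are usually not permitted in CLI input.
USUALLY_REJECTED = set("<>()#")


def quote_cli_value(value: str) -> str:
    """Write a value so that spaces, quotes and backslashes survive parsing.

    Raises ValueError for characters the reference says the CLI usually
    rejects (the device itself answers with a parse error)."""
    rejected = sorted(USUALLY_REJECTED & set(value))
    if rejected:
        raise ValueError("characters not permitted in CLI input: " + "".join(rejected))
    # Escape the backslash first so the escapes added next are not doubled.
    escaped = (value.replace("\\", "\\\\")
                    .replace("'", "\\'")
                    .replace('"', '\\"'))
    if " " in escaped:
        return '"' + escaped + '"'   # one of the three forms Table 6 gives for spaces
    return escaped


def parse_cli_value(text: str) -> str:
    """Inverse of quote_cli_value: strip surrounding quotes and backslash escapes."""
    out = []
    quote = None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):    # escaped character: keep it literally
            out.append(text[i + 1])
            i += 2
        elif quote is None and ch in "\"'":     # opening quote
            quote = ch
            i += 1
        elif ch == quote:                       # matching closing quote
            quote = None
            i += 1
        else:
            out.append(ch)
            i += 1
    if quote is not None:
        raise ValueError("unterminated quoted string")
    return "".join(out)
```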
Language support & regular expressions
Languages currently supported by the CLI interface include:
• English
• Japanese
• Simplified Chinese
• Traditional Chinese
Characters such as ñ, é, symbols, and ideographs are sometimes acceptable input. Support varies by the nature of the
item being configured. CLI commands, objects, field names, and options must use their exact ASCII characters, but
some items with arbitrary names or values may be input using your language of choice.
For example, the host name must not contain special characters, and so the web UI and CLI will not accept most
symbols and other non-ASCII encoded characters as input when configuring the host name. This means that languages
other than English often are not supported. However, some configuration items, such as names and comments, may be
able to use the language of your choice.
To use other languages in those cases, you must use the correct encoding.
The system stores the input using Unicode UTF-8 encoding, but it is not normalized from other encodings into UTF-8
before stored. If your input method encodes some characters differently than in UTF-8, your configured items may not
display or operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values. If you enter a regular
expression using another encoding, or if an HTTP client sends a request in an encoding other than UTF-8, matches may
not be what you expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols ( ¥ ) and vice versa. A
regular expression intended to match HTTP requests containing money values with a yen symbol therefore may not work
it if the symbol is entered using the wrong encoding.
For best results, follow these guidelines:
• Use UTF-8 encoding, or
• Use only the characters whose numerically encoded values are the same in UTF-8, such as the US-ASCII characters that are also encoded using the same values in ISO 8859-1, Windows code page 1252, Shift-JIS and other encodings, or
• For regular expressions that must match HTTP requests, use the same encoding as your HTTP clients
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the
client’s operating system or input language. If you cannot predict the client’s encoding, you may only
be able to match any parts of the request that are in English, because regardless of the encoding, the
values for English characters tend to be encoded identically. For example, English words may be
legible regardless of interpreting a web page as either ISO 8859-1 or as GB2312, whereas simplified
Chinese characters might only be legible if the page is interpreted as GB2312.
To configure the system using other encodings, you might need to switch language settings on your management
computer, including for your web browser or Telnet or SSH client. For instructions on how to configure your management
computer’s operating system language, locale, or input method, see its documentation.
If you choose to configure parts of the system using non-ASCII characters, verify that all systems interacting
with the FortiADC appliance also support the same encodings. You should also use the same encoding
throughout the configuration if possible in order to avoid needing to switch the language settings of your web
browser or Telnet or SSH client while you work.
Similarly to input, your web browser or CLI client should usually interpret display output as encoded using UTF-8. If it
does not, your configured items may not display correctly in the web UI or CLI. Exceptions include items such as regular
expressions that you may have configured using other encodings in order to match the encoding of HTTP requests that
the system receives.
To enter non-ASCII characters in a Telnet or SSH client
1. On your management computer, start your Telnet or SSH client.
2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by each Telnet or SSH client. Consult the
documentation for your Telnet or SSH client.
3. Log in to the FortiADC system.
4. At the command prompt, type your command and press Enter.
Figure 2: Entering encoded characters (PuTTY)
You might need to surround words that use encoded characters with single quotes ( ' ).
Depending on your Telnet or SSH client’s support for your language’s input methods and for sending international
characters, you may need to interpret them into character codes before pressing Enter.
For example, you might need to enter:
edit '\743\601\613\743\601\652'
5. The CLI displays your previous command and its output.
Screen paging
When output spans multiple pages, you can configure the CLI to pause after each page. When the display pauses, the
last line displays --More--. You can then either:
• Press the spacebar to display the next page.
• Type Q to truncate the output and return to the command prompt.
This might be useful when displaying lengthy output, such as the list of possible matching commands for command
completion, or a long list of settings. Rather than scrolling through or possibly exceeding the buffer of your terminal
emulator, you can simply display one page at a time.
Editing the configuration file in a text editor
Editing the configuration file with a plain text editor can be time-saving if:
• you have many changes to make,
• are not sure where the setting is in the CLI, and/or
• own several FortiADC appliances
This is true especially if your plain text editor provides advanced features such as regular expressions for
find-and-replace, or batch changes across multiple files. Several free text editors are available with these features, such
as Text Wrangler and Notepad++.
Do not use a rich text editor such as Microsoft Word. Rich text editors insert special characters into the file
in order to apply formatting, which may corrupt the configuration file.
To edit the configuration on your computer
1. Use execute backup config to download the configuration file to a TFTP server, such as your management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.
Do not edit the first line. The first lines of the configuration file (preceded by a # character) contain information about the firmware version and FortiADC model. If you change the model number, the FortiADC appliance will reject the configuration file when you attempt to restore it.
3. Use execute restore config to upload the modified configuration file back to the FortiADC system.
The system downloads the configuration file and checks that the model information is correct. If it is, it loads the
configuration file and checks each command for errors. If a command is invalid, the system ignores the command. If
the configuration file is valid, it restarts and loads the new configuration.
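The file structure this procedure relies on (the # header lines, and the config / edit / set / next / end nesting described under Indentation), as an added example that is not Fortinet code: a parser for a downloaded configuration file and a pre-restore check that flags a changed header line or a table missing a required field. The sample file, its header wording and the required-field rule are constructed.

```python
"""Parser and pre-restore check for a FortiADC-style configuration file
(added example, not Fortinet code). It models the nesting the reference
describes (config / edit / set / next / end) and the '#' header lines
carrying the firmware version and model. The header wording, the sample
file and the required-field check are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import shlex

# Constructed sample of a downloaded configuration file (not a real backup).
SAMPLE_CONFIG = """\
#config-version=FortiADC-VM-4.2.2 (constructed header line)
#model=FortiADC-VM (constructed header line)
config system interface
    edit "port1"
        set status up
        set ip 192.0.2.10 255.255.255.0
        set allowaccess https ssh ping
    next
end
config firewall address
    edit "fw-dest-addr1"
        set type ip-netmask
        set ip-netmask 192.0.2.0/24
    next
end
"""

Fields = Dict[str, List[str]]            # field name -> value words


@dataclass
class ConfigObject:
    fields: Fields = field(default_factory=dict)              # set directly in the object
    tables: Dict[str, Fields] = field(default_factory=dict)   # edit <name> ... next


def parse_config(text: str) -> Tuple[List[str], Dict[str, ConfigObject]]:
    """Return (header_lines, objects); raise ValueError on a structural error.

    Scope rules as the reference gives them: edit only inside config, next only
    inside edit, end only at object level."""
    header: List[str] = []
    objects: Dict[str, ConfigObject] = {}
    obj = table = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if objects:
                raise ValueError(f"line {lineno}: header line after configuration")
            header.append(line)
            continue
        words = shlex.split(line)        # honours "quoted names" as the CLI does
        cmd = words[0]
        if cmd == "config" and obj is None and len(words) > 1:
            obj = objects.setdefault(" ".join(words[1:]), ConfigObject())
        elif cmd == "edit" and obj is not None and table is None and len(words) == 2:
            table = obj.tables.setdefault(words[1], {})
        elif cmd == "set" and obj is not None and len(words) >= 3:
            (table if table is not None else obj.fields)[words[1]] = words[2:]
        elif cmd == "next" and table is not None:
            table = None
        elif cmd == "end" and obj is not None and table is None:
            obj = None
        else:
            raise ValueError(f"line {lineno}: '{cmd}' is not valid in this scope")
    if obj is not None:
        raise ValueError("unterminated config block (missing end)")
    return header, objects


def restore_problems(original: str, edited: str) -> List[str]:
    """Problems that would make the appliance reject the edited file or drop
    parts of it. The header comparison follows the reference's warning about
    the model line; the firewall address check is a constructed example of a
    required-field check."""
    orig_header, _ = parse_config(original)
    try:
        new_header, objects = parse_config(edited)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if new_header != orig_header:
        problems.append("header lines changed: a different model is rejected on restore")
    for name, fields in objects.get("firewall address", ConfigObject()).tables.items():
        kind = fields.get("type", [])
        if kind == ["ip-netmask"] and "ip-netmask" not in fields:
            problems.append(f"firewall address {name}: type ip-netmask needs an ip-netmask value")
        if kind == ["ip-range"] and not all(k in fields for k in ("ip-min", "ip-max")):
            problems.append(f"firewall address {name}: type ip-range needs ip-min and ip-max")
    return problems
```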
config config
The config config commands are deprecated. In previous releases, these commands had been used to configure
optional settings related to configuration synchronization with peer nodes.
config config sync
Deprecated.
config firewall
The config firewall commands configure security feature settings.
This chapter is a reference for the following commands:
config firewall address
config firewall address6
config firewall connlimit
config firewall connlimit6
config firewall nat-snat
config firewall policy
config firewall policy6
config firewall qos-filter
config firewall qos-filter6
config firewall qos-queue
config firewall service
config firewall vip
config firewall address
Use this command to create the IPv4 address objects that you use in firewall rules.
You create address objects to specify matching source and destination addresses in policies.
The following policies use the firewall address objects:
• Firewall policies
• QoS policies
• Connection limit policies
Basic Steps
1. Create address objects.
2. Specify them when you configure your policies.
Before you begin:
• You must have read-write permission for firewall settings.
Syntax
config firewall address
    edit <name>
        set type {ip-netmask | ip-range}
        set ipnetmask <ip&netmask>
        set ip-min <class_ip>
        set ip-max <class_ip>
    next
end
type
  • ip-netmask: address block
  • ip-range: address range
ipnetmask
  Specify a subnet using the address/mask notation.
ip-min
  Specify the start of an address range.
ip-max
  Specify the end of an address range.
Example
FortiADC-VM # config firewall address
FortiADC-VM (address) # edit fw-dest-addr1
Add new entry 'fw-dest-addr1' for node 1850
FortiADC-VM (fw-dest-addr1) # get
type       : ip-netmask
ip-netmask : 0.0.0.0/0
FortiADC-VM (fw-dest-addr1) # set ip-netmask 192.0.2.0/24
FortiADC-VM (fw-dest-addr1) # end
config firewall address6
Use this command to create the IPv6 address objects that you use in firewall rules.
You create address objects to specify matching source and destination addresses in policies.
The following policies use the firewall address objects:
• Firewall policies
• QoS policies
• Connection limit policies
Basic Steps
1. Create address objects.
2. Specify them when you configure your policies.
Before you begin:
• You must have read-write permission for firewall settings.
Syntax
config firewall address6
    edit <No.>
        set type {ip6-network | ip6-range}
        set ip6-network <ip&netmask>
        set ip6-min <class_ip>
        set ip6-max <class_ip>
    next
end
type
  • ip6-network: address block
  • ip6-range: address range
ip6-network
  Specify a subnet using the address/mask notation.
ip6-min
  Specify the start of an address range.
ip6-max
  Specify the end of an address range.
Example
FortiADC-VM # config firewall address6
FortiADC-VM (address6) # edit fw-dest-addr2
Add new entry 'fw-dest-addr2' for node 1856
FortiADC-VM (fw-dest-addr2) # get
type        : ip6-network
ip6-network : ::/0
FortiADC-VM (fw-dest-addr2) # set ip6-network 2001:db8::/32
FortiADC-VM (fw-dest-addr2) # end
config firewall connlimit
Use this command to create connection limit security rules for IPv4 addresses.
The connection limit security policy allows or denies traffic based on a matching tuple: source address, destination
address, and service; and connection count. The purpose is to detect anomalous connection requests.
The limit you specify can be based on the following counts:
• Count of concurrent sessions that match the tuple.
• Count of concurrent sessions from a single host that match the tuple.
The FortiADC system evaluates connection limit policy rules before other rules. It matches traffic against the connection
limit table, beginning with the first rule. If no rule matches, the connection is forwarded for further processing. If a rule
matches, and the limit has not been reached, the connection is forwarded for further processing. If a rule matches and
the limit has been reached, the connection is dropped.
By default, if security connection limit rules are not configured, the system does not perform connection limit policy
processing.
Note: The purpose of the security connection limit is distinct from the virtual server connection limit. The security
connection limit setting is a security setting; the virtual server connection limit is a capacity setting.
Before you begin:
• You must have a good understanding and knowledge of the capacity of your backend servers.
• You must have created the address configuration objects and service configuration objects that define the matching tuple in your connection limit rules.
• You must have read-write permission for firewall settings.
Syntax
config firewall connlimit
config rule
edit <name>
set connection-limit <integer>
set destination-address <datasource>
set in-interface <datasource>
set out-interface <datasource>
set service <datasource>
set source-address <datasource>
set type {host | rule}
set side {both | destination | source}
next
end
end
connection-limit      Maximum concurrent sessions. The default is 1,048,576.
destination-address   Destination address object to use to form the matching tuple.
in-interface          Interface that receives traffic.
out-interface         Interface that forwards traffic.
service               Service object to use to form the matching tuple.
source-address        Source address object to use to form the matching tuple.
type                  Whether the limit is per rule or per host.
side                  When the connection limit is per host, specify whether the connection counter gets
                      incremented when the host IP address appears in:
                      • source—Only increment the counter if the host is the source address.
                      • destination—Only increment the counter if the host is the destination address.
                      • both—Increment the counter if the host is the source or destination address.
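The evaluation order described above (first matching rule decides, forward while the limit is not reached, drop once it is, and the difference between a per-rule counter and a per-host counter selected by side) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not FortiADC code; the rule names, networks, service names and small limits are constructed, and CIDR strings stand in for the address objects a real rule references.

```python
import ipaddress
from collections import defaultdict

# Constructed rule table, in evaluation order (first match wins).  Names and
# values are made up for this example; "limit" stands in for connection-limit.
RULES = [
    {"name": "per-host-rule", "source": "10.0.0.0/8", "destination": "192.0.2.0/24",
     "service": "fw-http", "type": "host", "side": "source", "limit": 1},
    {"name": "dest-rule", "source": "0.0.0.0/0", "destination": "192.0.2.0/24",
     "service": "fw-http", "type": "rule", "side": "both", "limit": 2},
]


class ConnLimitTable:
    """Models the connection limit policy evaluation described above."""

    def __init__(self, rules):
        self.rules = [
            dict(r, source=ipaddress.ip_network(r["source"]),
                 destination=ipaddress.ip_network(r["destination"]))
            for r in rules
        ]
        self.counters = defaultdict(int)  # counter key -> concurrent sessions
        self.sessions = {}                # session id -> counter keys it holds

    @staticmethod
    def _counter_keys(rule, src, dst):
        # type rule: a single counter shared by every flow the rule matches.
        if rule["type"] == "rule":
            return [(rule["name"],)]
        # type host: one counter per host IP; "side" selects which address
        # of the flow is treated as "the host".
        keys = []
        if rule["side"] in ("source", "both"):
            keys.append((rule["name"], src))
        if rule["side"] in ("destination", "both"):
            keys.append((rule["name"], dst))
        return keys

    def open_session(self, sid, src, dst, service):
        """Return "forward" or "drop" for a new connection."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if (src_ip in rule["source"] and dst_ip in rule["destination"]
                    and service == rule["service"]):
                keys = self._counter_keys(rule, src, dst)
                # Limit already reached on any counter this flow touches: drop.
                if any(self.counters[k] >= rule["limit"] for k in keys):
                    return "drop"
                for k in keys:
                    self.counters[k] += 1
                self.sessions[sid] = keys
                return "forward"
        return "forward"  # no rule matched: forwarded for further processing

    def close_session(self, sid):
        """Release the counters a session held; limits are on concurrent sessions."""
        for k in self.sessions.pop(sid, []):
            self.counters[k] -= 1


def run_demo():
    table = ConnLimitTable(RULES)
    out = []
    out.append(table.open_session("s1", "10.0.0.1", "192.0.2.10", "fw-http"))      # forward
    out.append(table.open_session("s2", "10.0.0.1", "192.0.2.10", "fw-http"))      # drop: host limit 1
    out.append(table.open_session("s3", "10.0.0.2", "192.0.2.10", "fw-http"))      # forward: other host
    out.append(table.open_session("s4", "198.51.100.7", "192.0.2.10", "fw-http"))  # forward: dest-rule 1/2
    out.append(table.open_session("s5", "198.51.100.8", "192.0.2.10", "fw-http"))  # forward: dest-rule 2/2
    out.append(table.open_session("s6", "198.51.100.9", "192.0.2.10", "fw-http"))  # drop: rule limit reached
    table.close_session("s4")
    out.append(table.open_session("s7", "198.51.100.9", "192.0.2.10", "fw-http"))  # forward: slot freed
    out.append(table.open_session("s8", "198.51.100.9", "192.0.2.10", "fw-ssh"))   # forward: no rule matches
    return out


if __name__ == "__main__":
    print(run_demo())
```

Note that a per-rule limit of 2 is reached by the third client regardless of where it comes from, whereas the per-host rule only ever throttles the one host that is over its own count; the operator's choice between type rule and type host is therefore a choice between protecting the destination as a whole and catching a single noisy source.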
Example
FortiADC-VM # config firewall connlimit
FortiADC-VM (connlimit) # config rule
FortiADC-VM (rule) # edit dest-rule
Add new entry 'dest-rule' for node 1890
FortiADC-VM (dest-rule) # get
in-interface        :
out-interface       :
source-address      :
destination-address :
service             :
type                : host
side                : both
connection-limit    : 1048576
FortiADC-VM (dest-rule) # set in-interface port4
FortiADC-VM (dest-rule) # set out-interface port5
FortiADC-VM (dest-rule) # set destination-address fw-dest-addr1
FortiADC-VM (dest-rule) # set service fw-http
FortiADC-VM (dest-rule) # set type rule
FortiADC-VM (dest-rule) # end
config firewall connlimit6
Use this command to create connection limit security rules for IPv6 addresses.
The security connection limit policy allows or denies traffic based on a matching tuple: source address, destination
address, and service; and connection count. The purpose is to detect anomalous connection requests.
The limit you specify can be based on the following counts:
• Count of concurrent sessions that match the tuple.
• Count of concurrent sessions from a single host that match the tuple.
The FortiADC system evaluates connection limit policy rules before other rules. It matches traffic against the connection
limit table, beginning with the first rule. If no rule matches, the connection is forwarded for further processing. If a rule
matches, and the limit has not been reached, the connection is forwarded for further processing. If a rule matches and
the limit has been reached, the connection is dropped.
By default, if security connection limit rules are not configured, the system does not perform connection limit policy
processing.
Note: The purpose of the security connection limit is distinct from the virtual server connection limit. The security
connection limit setting is a security setting; the virtual server connection limit is a capacity setting.
Before you begin:
• You must have a good understanding and knowledge of the capacity of your backend servers.
• You must have created the address configuration objects and service configuration objects that define the matching
tuple in your connection limit rules.
• You must have read-write permission for firewall settings.
Syntax
config firewall connlimit6
config rule
edit <name>
set connection-limit <integer>
set destination-address6 <datasource>
set in-interface <datasource>
set out-interface <datasource>
set service <datasource>
set source-address6 <datasource>
set type {host | rule}
set side {both | destination | source}
next
end
end
connection-limit      Maximum concurrent sessions. The default is 1,048,576.
destination-address6  Destination address object to use to form the matching tuple.
in-interface          Interface that receives traffic.
out-interface         Interface that forwards traffic.
service               Service object to use to form the matching tuple.
source-address6       Source address object to use to form the matching tuple.
type                  Whether the limit is per rule or per host.
side                  When the connection limit is per host, specify whether the connection counter gets
                      incremented when the host IP address appears in:
                      • source—Only increment the counter if the host is the source address.
                      • destination—Only increment the counter if the host is the destination address.
                      • both—Increment the counter if the host is the source or destination address.
config firewall nat-snat
Use this command to configure source NAT (SNAT) rules.
You use SNAT when clients have IP addresses from private networks. This ensures you do not have multiple sessions
from different clients with source IP 192.168.1.1, for example. Or, you can map all client traffic to a single source IP
address because a source address from a private network is not meaningful to the FortiADC system or backend servers.
The system maintains this NAT table and performs the inverse translation when it receives the server-to-client traffic. Be
sure to configure the backend servers to use the FortiADC address as the default gateway so that server responses are
also rewritten by the NAT module.
Before you begin:
• You must have read-write permission for firewall settings.
Syntax
config firewall nat-snat
edit <name>
set from <ip&netmask>
set out-interface <datasource>
set to <ip&netmask>
set trans-to-type {ip | pool}
set trans-to-ip <class_ip>
set trans-to-ip-start <class_ip>
set trans-to-ip-end <class_ip>
next
end
from                  Address/mask notation to match the source IP address in the packet header. 0.0.0.0/0
                      matches all IP addresses.
out-interface         Interface that forwards traffic.
to                    Address/mask notation to match the destination IP address in the packet header. For
                      example, 192.0.2.0/24.
trans-to-type         • ip—Specify to translate the source IP to a single specified address.
                      • pool—Specify to translate the source IP to the next address in a pool.
trans-to-ip           Specify an IPv4 address. The source IP address in the packet header will be translated to this
                      address.
trans-to-ip-start     First IP address in the SNAT pool.
trans-to-ip-end       Last IP address in the SNAT pool.
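The two translation modes (a single trans-to-ip, or the next address from a trans-to-ip-start/trans-to-ip-end pool) and the inverse translation of server replies that the text describes are modelled below. This Python is an added example for this page, not FortiADC's implementation. The rule names and addresses are constructed, and one detail is an assumption of the example rather than something the page states: the binding table also records the client's source port, because the page does not say how replies are matched back to a client when several clients share one translated address.

```python
import ipaddress


class SnatRule:
    """One nat-snat entry: match on from/to/out-interface, translate the source."""

    def __init__(self, name, from_net, to_net, out_interface, trans_to_type,
                 trans_to_ip=None, trans_to_ip_start=None, trans_to_ip_end=None):
        self.name = name
        self.from_net = ipaddress.ip_network(from_net)
        self.to_net = ipaddress.ip_network(to_net)
        self.out_interface = out_interface
        self.trans_to_type = trans_to_type
        if trans_to_type == "ip":
            self.pool = [ipaddress.ip_address(trans_to_ip)]
        else:  # pool: every address from start to end, inclusive
            start = ipaddress.ip_address(trans_to_ip_start)
            end = ipaddress.ip_address(trans_to_ip_end)
            if end < start:
                raise ValueError(f"{name}: pool end precedes pool start")
            self.pool = [start + i for i in range(int(end) - int(start) + 1)]
        self.cursor = 0  # next pool address to hand out

    def matches(self, src, dst, out_interface):
        return (src in self.from_net and dst in self.to_net
                and out_interface == self.out_interface)

    def next_address(self):
        addr = self.pool[self.cursor % len(self.pool)]
        self.cursor += 1
        return addr


class SnatTable:
    def __init__(self, rules):
        self.rules = rules
        # (translated src, client port, server ip) -> original client address.
        # Keying on the client port is an assumption of this example.
        self.bindings = {}

    def outbound(self, src, sport, dst, out_interface):
        """Client -> server: returns the source address the server will see."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, out_interface):
                new_src = rule.next_address()
                self.bindings[(new_src, sport, dst_ip)] = src_ip
                return str(new_src)
        return src  # no rule matched: source left untouched

    def inbound(self, server, dst, dport):
        """Server -> client reply: inverse translation of the destination."""
        key = (ipaddress.ip_address(dst), dport, ipaddress.ip_address(server))
        return str(self.bindings.get(key, ipaddress.ip_address(dst)))


def demo():
    table = SnatTable([
        SnatRule("to-dmz", "192.168.1.0/24", "192.0.2.0/24", "port5", "ip",
                 trans_to_ip="192.0.2.10"),
        SnatRule("to-dmz-pool", "10.0.0.0/8", "192.0.2.0/24", "port5", "pool",
                 trans_to_ip_start="203.0.113.1", trans_to_ip_end="203.0.113.3"),
    ])
    result = {
        "single": table.outbound("192.168.1.5", 40000, "192.0.2.20", "port5"),
        "pool": [table.outbound(f"10.1.1.{i}", 5000 + i, "192.0.2.20", "port5")
                 for i in range(1, 5)],
        "no_rule": table.outbound("172.16.0.9", 4242, "192.0.2.20", "port5"),
    }
    # The server answers the translated address; the table maps it back.
    result["reply"] = table.inbound("192.0.2.20", "192.0.2.10", 40000)
    return result
```

The pool wraps around once every address has been used, which is why the fourth client in the demo receives the first pool address again; the binding table is what keeps the two clients that share it distinguishable. This is also why the page tells you to point the backend servers' default gateway at the FortiADC address: a reply that bypasses the NAT module never reaches the table and cannot be mapped back.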
Example
FortiADC-VM # config firewall nat-snat
FortiADC-VM (nat-snat) # edit fw-snat-example
Add new entry 'fw-snat-example' for node 1941
FortiADC-VM (fw-snat-example) # get
from                : 0.0.0.0/0
to                  : 0.0.0.0/0
out-interface       :
trans-to-type       : ip
trans-to-ip         : 0.0.0.0
FortiADC-VM (fw-snat-example) # set to 192.0.2.0/24
FortiADC-VM (fw-snat-example) # set out-interface port5
FortiADC-VM (fw-snat-example) # set trans-to-ip 192.0.2.10
FortiADC-VM (fw-snat-example) # get
from                : 0.0.0.0/0
to                  : 192.0.2.0/24
out-interface       : port5
trans-to-type       : ip
trans-to-ip         : 192.0.2.10
FortiADC-VM (fw-snat-example) # end
config firewall policy
Use this command to configure firewall policy rules for IPv4 addresses.
A firewall policy allows or denies traffic to be forwarded to the system based on a matching tuple: source address,
destination address, and service.
The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table,
beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy
rule, it is dropped. If the session is accepted, system processing continues.
By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as
if the system were a router, and traffic is forwarded according to routing and other system rules.
Before you begin:
• You must have a good understanding and knowledge of firewalls.
• You must have created the address configuration objects and service configuration objects that define the matching
tuple in your firewall policy rules.
• You must have read-write permission for firewall settings.
Syntax
config firewall policy
set default-action {deny|accept}
set stateful {enable|disable}
config rule
edit <name>
set action {deny | accept}
set destination-address <datasource>
set in-interface <datasource>
set out-interface <datasource>
set service <datasource>
set source-address <datasource>
next
end
end
default-action        Action when no rule matches or no rules are configured:
                      • deny—Drop the traffic.
                      • accept—Allow the traffic to pass the firewall.
stateful              Enable/disable stateful firewall. Enabled by default.
config rule
action                • deny—Drop the traffic.
                      • accept—Allow the traffic to pass the firewall.
destination-address   Destination address object to use to form the matching tuple.
in-interface          Interface that receives traffic.
out-interface         Interface that forwards traffic.
service               Service object to use to form the matching tuple.
source-address        Source address object to use to form the matching tuple.
Example
FortiADC-VM # config firewall policy
FortiADC-VM (policy) # set default-action deny
FortiADC-VM (policy) # config rule
FortiADC-VM (rule) # edit fw-allow-http
Add new entry 'fw-allow-http' for node 1871
FortiADC-VM (fw-allow-http) # get
in-interface        :
out-interface       :
source-address      :
destination-address :
service             :
action              :
FortiADC-VM (fw-allow-http) # set action accept
FortiADC-VM (fw-allow-http) # set in-interface port4
FortiADC-VM (fw-allow-http) # set out-interface port5
FortiADC-VM (fw-allow-http) # set source-address fw-source-addr1
FortiADC-VM (fw-allow-http) # set destination-address fw-dest-addr1
FortiADC-VM (fw-allow-http) # set service fw-http
FortiADC-VM (fw-allow-http) # get
in-interface        : port4
out-interface       : port5
source-address      : fw-source-addr1
destination-address : fw-dest-addr1
service             : fw-http
action              : accept
FortiADC-VM (fw-allow-http) # end
config firewall policy6
Use this command to configure firewall policy rules for IPv6 addresses.
A firewall policy allows or denies traffic to be forwarded to the system based on a matching tuple: source address,
destination address, and service.
The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table,
beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy
rule, it is dropped. If the session is accepted, system processing continues.
By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as
if the system were a router, and traffic is forwarded according to routing and other system rules.
Before you begin:
• You must have a good understanding and knowledge of firewalls.
• You must have created the address configuration objects and service configuration objects that define the matching
tuple in your firewall policy rules.
• You must have read-write permission for firewall settings.
Syntax
config firewall policy6
set default-action {deny|accept}
set stateful {enable|disable}
config rule
edit <name>
set action {deny | accept}
set destination-address6 <datasource>
set in-interface <datasource>
set out-interface <datasource>
set service <datasource>
set source-address6 <datasource>
next
end
end
default-action        Action when no rule matches or no rules are configured:
                      • deny—Drop the traffic.
                      • accept—Allow the traffic to pass the firewall.
stateful              Enable/disable stateful firewall.
config rule
action                • deny—Drop the traffic.
                      • accept—Allow the traffic to pass the firewall.
destination-address6  Destination address object to use to form the matching tuple.
in-interface          Interface that receives traffic.
out-interface         Interface that forwards traffic.
service               Service object to use to form the matching tuple.
source-address6       Source address object to use to form the matching tuple.
config firewall qos-filter
Use this command to configure QoS rules for IPv4 addresses.
A QoS filter is the policy that assigns traffic to the QoS queue.
Before you begin:
• You must have a good understanding and knowledge of traffic in your network that requires QoS provisioning.
• You must have created the address configuration objects and service configuration objects that define the matching
tuple for QoS rules.
• You must have created a QoS queue configuration object.
• You must have read-write permission for firewall settings.
Syntax
config firewall qos-filter
edit <name>
set destination-address <datasource>
set in-interface <datasource>
set out-interface <datasource>
set queue <datasource>
set service <datasource>
set source-address <datasource>
set status {enable|disable}
next
end
destination-address   Destination address object to use to form the matching tuple.
in-interface          Interface that receives traffic.
out-interface         Interface that forwards traffic.
queue                 QoS queue that will be used for packets that match the filter criteria.
service               Service object to use to form the matching tuple.
source-address        Source address object to use to form the matching tuple.
status                Enable/disable the filter.
Example
FortiADC-VM # config firewall qos-filter
FortiADC-VM (qos-filter) # edit qos-premium
Add new entry 'qos-premium' for node 1922
FortiADC-VM (qos-premium) # get
status              : enable
in-interface        :
out-interface       :
source-address      :
destination-address :
service             :
queue               :
FortiADC-VM (qos-premium) # set in-interface port4
FortiADC-VM (qos-premium) # set out-interface port5
FortiADC-VM (qos-premium) # set source-address fw-source-addr1
FortiADC-VM (qos-premium) # set destination-address fw-dest-addr1
FortiADC-VM (qos-premium) # set service fw-http
FortiADC-VM (qos-premium) # set queue lane-1
FortiADC-VM (qos-premium) # get
status              : enable
in-interface        : port4
out-interface       : port5
source-address      : fw-source-addr1
destination-address : fw-dest-addr1
service             : fw-http
queue               : lane-1
FortiADC-VM (qos-premium) # end
config firewall qos-filter6
Use this command to configure QoS rules for IPv6 addresses.
A QoS filter is the policy that assigns traffic to the QoS queue.
Before you begin:
• You must have a good understanding and knowledge of traffic in your network that requires QoS provisioning.
• You must have created the address configuration objects and service configuration objects that define the matching
tuple for QoS rules.
• You must have created a QoS queue configuration object.
• You must have read-write permission for firewall settings.
Syntax
config firewall qos-filter6
edit <name>
set destination-address6 <datasource>
set in-interface <datasource>
set out-interface <datasource>
set queue <datasource>
set service <datasource>
set source-address6 <datasource>
set status {enable|disable}
next
end
destination-address6  Destination address object to use to form the matching tuple.
in-interface          Interface that receives traffic.
out-interface         Interface that forwards traffic.
queue                 QoS queue that will be used for packets that match the filter criteria.
service               Service object to use to form the matching tuple.
source-address6       Source address object to use to form the matching tuple.
status                Enable/disable the filter.
config firewall qos-queue
Use this command to configure QoS queues.
You can use QoS policies to provision bandwidth for any traffic that matches the rule. You might consider QoS policies for
latency- or bandwidth-sensitive services, such as VoIP and ICMP.
The FortiADC system does not provision bandwidth based on the TOS bits (also called differentiated services) in the IP
header to control packet queueing. Instead, the system provisions bandwidth based on a source/destination/service
matching tuple that you specify.
Basic steps
1. Configure a queue.
2. Configure a QoS filter.
Before you begin:
• You must have read-write permission for firewall settings.
Syntax
config firewall qos-queue
edit <name>
set bandwidth <digit>[G|M|K]
next
end
bandwidth             Maximum bandwidth rate. Specify a number and a unit abbreviation. For example, specify 100K for 100
                      Kbps, 10M for 10 Mbps, and 1G for 1 Gbps.
                      If you do not specify a bandwidth, the default qos-queue bandwidth is 1G.
Example
The following commands configure a QoS queue that keeps the default bandwidth:
FortiADC-VM # config firewall qos-queue
FortiADC-VM (qos-queue) # edit lane-1
Add new entry 'lane-1' for node 1909
FortiADC-VM (lane-1) # end
FortiADC-VM # get firewall qos-queue lane-1
bandwidth           : 1G
bandwidth-int       : 1073741824
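The get output above is the one place the page shows how a bandwidth string is turned into a number: 1G becomes 1073741824, that is 2^30, so the K and M units are binary multiples too. The added Python below (an illustration for this page, not FortiADC code) parses the <digit>[G|M|K] syntax with that convention, applies the documented 1G default, rejects malformed values, and then uses the resulting rate in a token-bucket shaper. The token bucket is an assumed model of how a queue enforces its maximum rate; the page only states the rate, not the queueing algorithm.

```python
import re

# Unit multipliers: the page's own output shows 1G -> bandwidth-int 1073741824,
# i.e. binary multiples (2**30), so K and M are taken as 2**10 and 2**20.
_UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
_BANDWIDTH_RE = re.compile(r"^(\d+)([GMK])?$")
DEFAULT_BANDWIDTH = "1G"   # the documented default for a qos-queue


def bandwidth_int(spec=None):
    """Turn '<digit>[G|M|K]' into an integer rate in bits per second."""
    spec = DEFAULT_BANDWIDTH if spec in (None, "") else spec
    m = _BANDWIDTH_RE.match(spec.strip().upper())
    if not m:
        raise ValueError(f"bad bandwidth {spec!r}: expected <digit>[G|M|K]")
    value, unit = int(m.group(1)), m.group(2)
    if value == 0:
        raise ValueError("bandwidth must be positive")
    return value * _UNITS.get(unit, 1)


class QosQueue:
    """Token-bucket model of a bandwidth-limited queue (illustrative only).

    The bucket holds at most one second's worth of bits, so a burst up to the
    configured rate is admitted immediately and anything beyond it waits.
    """

    def __init__(self, name, bandwidth=None):
        self.name = name
        self.rate = bandwidth_int(bandwidth)   # bits per second
        self.capacity = self.rate               # burst allowance in bits
        self.tokens = self.rate
        self.last = 0.0

    def admit(self, nbytes, now):
        """Return True if nbytes may be sent at time `now` (seconds), else False."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        needed = nbytes * 8
        if needed > self.tokens:
            return False
        self.tokens -= needed
        return True


def demo():
    q = QosQueue("lane-1", "100K")   # 102400 bits/s, i.e. 12800 bytes/s
    return [
        q.rate,
        q.admit(12800, 0.0),   # a full second's worth fits in the bucket
        q.admit(1, 0.0),       # bucket now empty: refused
        q.admit(6400, 0.5),    # half a second later, half the rate is back
        q.admit(1, 0.5),       # and nothing more
    ]
```

The practical point of the parser is the unit convention: a queue written as 100K admits 102400 bits per second, not 100000, and capacity planning that assumes decimal units will be off by a few percent at K, and by about 7% at G.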
config firewall service
Use this command to create the service objects that you use in firewall rules.
The following policies use the firewall service objects:
• Firewall policies
• QoS policies
• Connection limit policies
Basic Steps
1. Create service objects.
2. Specify them when you configure your policies.
Before you begin:
• You must have read-write permission for firewall settings.
Syntax
config firewall service
edit <name>
set destination-port-min <integer>
set destination-port-max <integer>
set protocol <integer>
set source-port-min <integer>
set source-port-max <integer>
next
end
destination-port-min  First port number in the listening port number/range. For example, web servers usually
                      listen on TCP port 80 (HTTP). Valid range: 0 - 65535.
destination-port-max  Last port number in the listening port number/range.
protocol              Number in the IPv4 Protocol/IPv6 Next Header field that identifies the protocol, such as 1
                      (ICMP), 6 (TCP) or 17 (UDP).
source-port-min       First port number in the originating port number/range. For some protocols, this may be a
                      single, predictable number, such as 162 (SNMP). For others, it is dynamically chosen from
                      available ports in the 49152-65535 range.
source-port-max       Last port number in the originating port number/range.
Example
FortiADC-VM # config firewall service
FortiADC-VM (service) # edit fw-http
Add new entry 'fw-http' for node 1862
FortiADC-VM (fw-http) # get
protocol            : 1
source-port-min     : 0
source-port-max     : 65535
destination-port-min: 0
destination-port-max: 65535
FortiADC-VM (fw-http) # set protocol 6
FortiADC-VM (fw-http) # set destination-port-min 80
FortiADC-VM (fw-http) # set destination-port-max 80
FortiADC-VM (fw-http) # get
protocol            : 6
source-port-min     : 0
source-port-max     : 65535
destination-port-min: 80
destination-port-max: 80
FortiADC-VM (fw-http) # end
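The service object just configured (protocol 6, destination port 80, any source port) only does something when a firewall policy rule references it, so the following added Python models both: service and address objects as lookup tables, and the first-match policy evaluation with a default-action that the config firewall policy section describes. This is an illustration for this page, not FortiADC code; the object names are taken from the page's examples, while their contents, the packets and the extra fw-block-mgmt rule are constructed.

```python
import ipaddress

# Constructed service objects: protocol number, source and destination port ranges.
SERVICES = {
    "fw-http":    {"protocol": 6,  "source-port": (0, 65535), "destination-port": (80, 80)},
    "fw-dns-udp": {"protocol": 17, "source-port": (0, 65535), "destination-port": (53, 53)},
    "fw-icmp":    {"protocol": 1,  "source-port": (0, 65535), "destination-port": (0, 65535)},
}
# Constructed address objects (CIDR strings stand in for ip-network values).
ADDRESSES = {
    "any":             "0.0.0.0/0",
    "fw-source-addr1": "192.0.2.0/24",
    "fw-dest-addr1":   "198.51.100.0/24",
    "fw-mgmt-net":     "10.0.0.0/8",
}


def service_matches(name, pkt):
    svc = SERVICES[name]
    slo, shi = svc["source-port"]
    dlo, dhi = svc["destination-port"]
    return (pkt["protocol"] == svc["protocol"]
            and slo <= pkt["sport"] <= shi
            and dlo <= pkt["dport"] <= dhi)


def address_matches(name, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESSES[name])


class FirewallPolicy:
    def __init__(self, default_action, rules):
        if default_action not in ("deny", "accept"):
            raise ValueError("default-action must be deny or accept")
        self.default_action = default_action
        self.rules = rules  # ordered: the first matching rule decides

    def evaluate(self, pkt):
        """Return (action, rule name); the rule name is None for the default action."""
        for rule in self.rules:
            if (rule["in-interface"] == pkt["in"]
                    and rule["out-interface"] == pkt["out"]
                    and address_matches(rule["source-address"], pkt["src"])
                    and address_matches(rule["destination-address"], pkt["dst"])
                    and service_matches(rule["service"], pkt)):
                return rule["action"], rule["name"]
        return self.default_action, None


def demo():
    policy = FirewallPolicy("deny", [
        {"name": "fw-block-mgmt", "action": "deny", "in-interface": "port4",
         "out-interface": "port5", "source-address": "any",
         "destination-address": "fw-mgmt-net", "service": "fw-http"},
        {"name": "fw-allow-http", "action": "accept", "in-interface": "port4",
         "out-interface": "port5", "source-address": "fw-source-addr1",
         "destination-address": "fw-dest-addr1", "service": "fw-http"},
    ])

    def pkt(src, dst, proto, sport, dport):
        return {"in": "port4", "out": "port5", "src": src, "dst": dst,
                "protocol": proto, "sport": sport, "dport": dport}

    return [
        policy.evaluate(pkt("192.0.2.5", "198.51.100.7", 6, 51000, 80)),     # accept
        policy.evaluate(pkt("192.0.2.5", "198.51.100.7", 6, 51000, 8080)),   # default deny: port
        policy.evaluate(pkt("192.0.2.5", "198.51.100.7", 17, 51000, 80)),    # default deny: UDP
        policy.evaluate(pkt("203.0.113.9", "198.51.100.7", 6, 51000, 80)),   # default deny: source
        policy.evaluate(pkt("192.0.2.5", "10.1.2.3", 6, 51000, 80)),         # fw-block-mgmt deny
    ]
```

Two things worth checking in a real rulebase follow directly from the model: a service object whose port range is left at the 0-65535 default matches every port of its protocol, and with default-action accept a mistyped service name in the only deny rule silently lets everything through, which is why the page's own example starts with set default-action deny.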
config firewall vip
Use this command to configure 1-to-1 NAT rules.
You can use 1-to-1 NAT when you want to publish public or “external” IP addresses for FortiADC resources but want the
communication among servers on the internal network to be on a private or “internal” IP address range.
The system maintains this NAT table and performs the inverse mapping when it sends traffic from the internal side to the
external side.
Before you begin:
• You must have read-write permission for firewall settings.
Syntax
config firewall vip
edit <name>
set extif <datasource>
set extip <class_ip>
set extport <integer>
set mappedip-min <class_ip>
set mappedip-max <class_ip>
set mappedport-min <integer>
set mappedport-max <integer>
set portforward {enable | disable}
set protocol {tcp | udp}
next
end
extif                 Interface that receives traffic.
extip                 Specify the first address in the range. The last address is calculated after you enter the mapped IP
                      range.
extport               Specify the first port number in the range. The last port number is calculated after you enter the
                      mapped port range.
mappedip-min          First address in the range.
mappedip-max          Last address in the range.
mappedport-min        First port in the range.
mappedport-max        Last port in the range.
portforward           Enable/disable port forwarding.
protocol              • TCP
                      • UDP
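Because the last external address and port are derived from extip/extport and the size of the mapped range, a vip entry is fully determined by the values above. The added Python below (an example for this page, not FortiADC code) computes those derived endpoints, maps an incoming external address to its internal counterpart, refuses traffic that arrives on the wrong interface or outside the range, and applies the inverse mapping to traffic leaving the internal side. The IP values are the page's own example; the port-forwarding values are constructed.

```python
import ipaddress


class OneToOneNat:
    """A firewall vip entry: a contiguous external range mapped 1-to-1 onto an
    internal range, optionally with a matching port range forwarded."""

    def __init__(self, extif, extip, mappedip_min, mappedip_max,
                 portforward=False, extport=None, mappedport_min=None,
                 mappedport_max=None):
        self.extif = extif
        self.map_first = ipaddress.ip_address(mappedip_min)
        self.map_last = ipaddress.ip_address(mappedip_max)
        if self.map_last < self.map_first:
            raise ValueError("mappedip-max precedes mappedip-min")
        count = int(self.map_last) - int(self.map_first) + 1
        # The last external address is derived from extip and the mapped range size.
        self.ext_first = ipaddress.ip_address(extip)
        self.ext_last = self.ext_first + (count - 1)
        self.portforward = portforward
        if portforward:
            if mappedport_max < mappedport_min:
                raise ValueError("mappedport-max precedes mappedport-min")
            self.port_first, self.port_last = mappedport_min, mappedport_max
            self.ext_port_first = extport
            self.ext_port_last = extport + (mappedport_max - mappedport_min)

    def inbound(self, interface, dst, dport=None):
        """External -> internal: (internal ip, port), or None if the rule does not apply."""
        if interface != self.extif:
            return None
        dst = ipaddress.ip_address(dst)
        if not self.ext_first <= dst <= self.ext_last:
            return None
        internal = self.map_first + (int(dst) - int(self.ext_first))
        if not self.portforward:
            return str(internal), dport
        if dport is None or not self.ext_port_first <= dport <= self.ext_port_last:
            return None
        return str(internal), self.port_first + (dport - self.ext_port_first)

    def outbound(self, src, sport=None):
        """Internal -> external: the inverse mapping applied when traffic leaves."""
        src = ipaddress.ip_address(src)
        if not self.map_first <= src <= self.map_last:
            return None
        external = self.ext_first + (int(src) - int(self.map_first))
        if not self.portforward:
            return str(external), sport
        if sport is None or not self.port_first <= sport <= self.port_last:
            return None
        return str(external), self.ext_port_first + (sport - self.port_first)


def demo():
    # Address values from the page's example; the port-forwarding rule is constructed.
    plain = OneToOneNat("port4", "198.51.100.10", "192.0.2.10", "192.0.2.19")
    fwd = OneToOneNat("port4", "198.51.100.10", "192.0.2.10", "192.0.2.19",
                      portforward=True, extport=8080,
                      mappedport_min=80, mappedport_max=81)
    return {
        "ext_last": str(plain.ext_last),
        "in": plain.inbound("port4", "198.51.100.13", 443),
        "in_wrong_if": plain.inbound("port5", "198.51.100.13", 443),
        "in_outside": plain.inbound("port4", "198.51.100.20", 443),
        "out": plain.outbound("192.0.2.19", 443),
        "fwd_in": fwd.inbound("port4", "198.51.100.10", 8081),
        "fwd_in_badport": fwd.inbound("port4", "198.51.100.10", 8082),
        "fwd_out": fwd.outbound("192.0.2.10", 81),
    }
```

The derived ext_last is the value to verify after configuring a vip: ten mapped addresses starting at 198.51.100.10 claim 198.51.100.10 through .19 on the external interface, and any of those that is already in use elsewhere will be shadowed by the rule.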
Example
FortiADC-VM # config firewall vip
FortiADC-VM (vip) # edit 1-to-1-NAT
Add new entry '1-to-1-NAT' for node 661
FortiADC-VM (1-to-1-NAT) # get
extif               :
extip               : 0.0.0.0
mappedip-min        : 0.0.0.0
mappedip-max        : 0.0.0.0
portforward         : disable
FortiADC-VM (1-to-1-NAT) # set extif port4
FortiADC-VM (1-to-1-NAT) # set extip 198.51.100.10
FortiADC-VM (1-to-1-NAT) # set mappedip-min 192.0.2.10
FortiADC-VM (1-to-1-NAT) # set mappedip-max 192.0.2.19
FortiADC-VM (1-to-1-NAT) # get
extif               : port4
extip               : 198.51.100.10
mappedip-min        : 192.0.2.10
mappedip-max        : 192.0.2.19
portforward         : disable
FortiADC-VM (1-to-1-NAT) # end
config global-dns-server
The config global-dns-server commands configure the global load balancing feature settings.
This chapter is a reference for the following commands:
config global-dns-server address-group
config global-dns-server dns64
config global-dns-server dsset-info-list
config global-dns-server general
config global-dns-server load-balance-pool
config global-dns-server policy
config global-dns-server remote-dns-server
config global-dns-server response-rate-limit
config global-dns-server trust-anchor-key
config global-dns-server zone
config global-dns-server address-group
Use this command to configure the source and destination IP addresses that are the matching criteria for DNS policies.
Before you begin:
• You must have read-write permission for global load balancing settings.
After you have configured an address group, you can specify it in the DNS64 and DNS policy configurations.
Syntax
config global-dns-server address-group
edit <name>
config member
edit <No.>
set action {include|exclude}
set addr-type {ipv4|ipv6}
set ip-network <ip&netmask>
set ip6-network <ip&netmask>
next
end
next
end
action                • include—The rule logic creates an address object that includes addresses matching the specified
                        address block.
                      • exclude—The rule logic creates an address object that excludes addresses matching the specified
                        address block.
addr-type             • IPv4
                      • IPv6
ip-network            Address/mask notation to match the IP address in the packet header.
                      Create objects to match source IPv4 address and different objects to match destination IPv4 address.
ip6-network           Address/mask notation to match the IPv6 address in the packet header.
                      Create objects to match source IPv6 address and different objects to match destination IPv6 address.
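An address group is a list of include and exclude members, each typed as IPv4 or IPv6, and a DNS policy later asks whether a client or destination address belongs to the group. The added Python below (an example for this page, not FortiADC code) builds such a group, rejects a member whose addr-type disagrees with the network it carries, and evaluates membership. The group name and networks are constructed; that an exclude member overrides any include member it overlaps is this example's reading of the include/exclude description and is an assumption, not something the page spells out.

```python
import ipaddress


class AddressGroup:
    """An ordered list of include/exclude members, as entered under config member."""

    def __init__(self, name, members):
        self.name = name
        self.members = []
        for m in members:
            action, net = m["action"], ipaddress.ip_network(m["network"])
            if action not in ("include", "exclude"):
                raise ValueError(f"{name}: bad action {action!r}")
            # addr-type must agree with the network actually given.
            expected = "ipv4" if net.version == 4 else "ipv6"
            if m["addr-type"] != expected:
                raise ValueError(f"{name}: {net} is not {m['addr-type']}")
            self.members.append((action, net))

    def contains(self, ip):
        """Included if some include member matches and no exclude member does
        (exclude overriding include is an assumption of this example)."""
        ip = ipaddress.ip_address(ip)
        included = excluded = False
        for action, net in self.members:
            if ip.version != net.version or ip not in net:
                continue
            if action == "include":
                included = True
            else:
                excluded = True
        return included and not excluded


def demo():
    campus = AddressGroup("campus", [
        {"action": "include", "addr-type": "ipv4", "network": "192.0.2.0/24"},
        {"action": "exclude", "addr-type": "ipv4", "network": "192.0.2.128/25"},
        {"action": "include", "addr-type": "ipv6", "network": "2001:db8::/32"},
    ])
    probes = ("192.0.2.5", "192.0.2.200", "198.51.100.1", "2001:db8:1::1", "2001:db9::1")
    return [campus.contains(ip) for ip in probes]
```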
Example
FortiADC-VM # config global-dns-server address-group
FortiADC-VM (address-group) # edit campus
Add new entry 'campus' for node 2206
FortiADC-VM (campus) # config member
FortiADC-VM (member) # edit 1
Add new entry '1' for node 2209
FortiADC-VM (1) # get
action              : include
addr-type           : ipv4
ip-network          : 0.0.0.0/0
FortiADC-VM (1) # set ip-network 192.0.2.0/24
FortiADC-VM (1) # end
FortiADC-VM (campus) # end
FortiADC-VM # config global-dns-server address-group
FortiADC-VM (address-group) # edit branch
Add new entry 'branch' for node 2206
FortiADC-VM (branch) # config member
FortiADC-VM (member) # edit 1
Add new entry '1' for node 2209
FortiADC-VM (1) # set ip-network 198.51.100.0/24
FortiADC-VM (1) # end
FortiADC-VM (branch) # end
FortiADC-VM # show global-dns-server address-group
config global-dns-server address-group
edit "campus"
config member
edit 1
set ip-network 192.0.2.0/24
next
end
next
edit "branch"
config member
edit 1
set ip-network 198.51.100.0/24
next
end
next
end
FortiADC CLI Reference 4.2
Fortinet Technologies Inc.
47
config global-dns-server dns64
Use this command to map IPv4 addresses to AAAA queries when there are no AAAA records. This feature is optional. It
can be used in network segments that use NAT64 to support IPv6 client communication with IPv4 backend servers.
Before you begin:
• You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
• You must have configured address objects that specify the network segments for which the DNS64 map applies.
• You must have read-write permission for global load balancing settings.
After you have created a DNS64 configuration, you can specify it in a DNS policy configuration.
Syntax
config global-dns-server dns64
edit <name>
set exclude {any | none | <datasource>}
set mapped-address {any | none | <datasource>}
set prefix6 <ip&netmask>
set source-address {any | none | <datasource>}
next
end
exclude               Specify a wildcard (any or none) or an address object. Allows specification of a list of IPv6
                      addresses that can be ignored. Typically, you exclude addresses that do have AAAA records.
mapped-address        Address object that specifies the IPv4 addresses that are to be mapped in the corresponding A
                      RR set.
prefix6               IP address and netmask that specify the DNS64 prefix. Compatible IPv6 prefixes have lengths of
                      32, 40, 48, 56, 64 and 96 as per RFC 6052.
                      Each DNS64 configuration has one prefix. Multiple configurations can be defined.
source-address        Specify an address object. Only clients that match the source IP use the DNS64 lookup table.
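The prefix lengths the page lists come from RFC 6052, which also fixes where the four IPv4 octets go inside the synthesized AAAA address: for prefixes shorter than /96 they straddle bits 64 to 71, which the RFC reserves as a zero octet. The added Python below (an example for this page, not FortiADC code) implements that embedding and its inverse, validates the prefix length, and wraps it in a small model of one dns64 entry with source-address, mapped-address and exclude. CIDR strings stand in for the page's address objects; the client, A and AAAA values are constructed. Treating an excluded AAAA answer as absent, so that synthesis happens anyway, follows common DNS64 resolver behaviour and is an assumption here, since the page only says such addresses "can be ignored".

```python
import ipaddress

# RFC 6052 allows these prefix lengths; the page lists the same set.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(prefix6, ipv4):
    """Embed an IPv4 address in a DNS64/NAT64 prefix per RFC 6052 section 2.2."""
    prefix = ipaddress.ip_network(prefix6)
    if prefix.version != 6 or prefix.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"{prefix6}: prefix length must be one of {VALID_PREFIX_LENGTHS}")
    v4 = ipaddress.IPv4Address(ipv4).packed
    plen = prefix.prefixlen // 8                       # prefix length in bytes
    head = prefix.network_address.packed[:plen]
    if plen == 12:                                     # /96: IPv4 fills the last 32 bits
        body = v4
    else:                                              # insert the zero "u" octet at byte 8
        body = v4[:8 - plen] + b"\x00" + v4[8 - plen:]
    return ipaddress.IPv6Address((head + body).ljust(16, b"\x00"))


def extract_ipv4(prefix6, ipv6):
    """Inverse of synthesize_aaaa, as a NAT64 gateway applies it to the packet."""
    prefix = ipaddress.ip_network(prefix6)
    raw = ipaddress.IPv6Address(ipv6).packed
    plen = prefix.prefixlen // 8
    v4 = raw[12:16] if plen == 12 else raw[plen:8] + raw[9:9 + plen - 4]
    return ipaddress.IPv4Address(v4)


class Dns64:
    """One dns64 entry; CIDR strings stand in for the page's address objects."""

    def __init__(self, prefix6, source_address="any", mapped_address="any", exclude="none"):
        synthesize_aaaa(prefix6, "0.0.0.0")   # validates the prefix length up front
        self.prefix6, self.source = prefix6, source_address
        self.mapped, self.exclude = mapped_address, exclude

    @staticmethod
    def _selects(selector, ip):
        if selector == "any":
            return True
        if selector == "none":
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(selector)

    def answer(self, client_ip, a_records, aaaa_records):
        """AAAA answer set a client receives for a name with these A/AAAA records."""
        if not self._selects(self.source, client_ip):
            return list(aaaa_records)          # client outside source-address: no DNS64
        # Excluded AAAA answers are treated as absent (assumption, see lead-in).
        usable = [a for a in aaaa_records if not self._selects(self.exclude, a)]
        if usable:
            return usable
        return [str(synthesize_aaaa(self.prefix6, a))
                for a in a_records if self._selects(self.mapped, a)]
```

The six example prefixes in RFC 6052 section 2.4 (all for 192.0.2.33) make a convenient self-check for the embedding; the test below uses them. The well-known prefix 64:ff9b::/96 used in the demo is the one RFC 6052 defines for NAT64.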
Example
FortiADC-VM # config global-dns-server dns64
FortiADC-VM (dns64) # edit 1
Add new entry '1' for node 2289
FortiADC-VM (1) # get
prefix6             : ::/0
source-address      :
mapped-address      :
exclude             :
FortiADC-VM (1) # set prefix6 64:ff::/96
FortiADC-VM (1) # set source-address any
FortiADC-VM (1) # set mapped-address dns64_mapped_pool
FortiADC-VM (1) # set exclude none
FortiADC-VM (1) # get
prefix6             : 64:ff::/96
source-address      : any
mapped-address      : dns64_mapped_pool
exclude             : none
FortiADC-VM (1) # end
config global-dns-server dsset-info-list
Use this command to paste in the content of the DSSET files provided by child domain servers or stub domains.
If you enable DNSSEC, secure communication between the FortiADC DNS server and any child DNS servers is based
on keys contained in delegation signer files (DSSET files). In DNSSEC deployments, DSSET files are generated
automatically when the zone is signed by DNSSEC.
Note: You use the Global DNS zone configuration to generate the DSSET file for this server. The file generated by the
zone configuration editor is the one you give to any parent zone or the registrar of your domain.
Before you begin:
• You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
• You must have used DNSSEC to sign the child domain servers and have downloaded the DSset files to a location
you can reach from your management computer.
• You must have read-write permission for global load balancing settings.
Syntax
config global-dns-server dsset-info-list
edit <name>
set filename <string>
set content <string>
next
end
filename              Specify the filename. The convention is dsset-<domain>, for example, dsset-example.com.
content               Specify (paste) the DSset file content. The content of DSset files is similar to the following:
                      dns.example.com. IN DS 13447 5 1 A5AD9EFB6840F58CF817F3CC7C24A7ED2DD5559C
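A DS line like the one above carries four RDATA fields (key tag, algorithm, digest type, digest), and the digest is a hash over the child's owner name in wire format followed by the DNSKEY RDATA (RFC 4034 section 5). The added Python below (an example for this page, not FortiADC code) parses a pasted DS line, checks that the digest length agrees with the digest type, computes the key tag, and rebuilds a DS record from a DNSKEY so that a pasted line can be verified against the child's published key before it is trusted. The page's sample line is used as parse input; the DNSKEY material used for the round trip is constructed and is not a real key.

```python
import base64
import hashlib
import struct

# Digest type -> (hash, hex digest length): 1 SHA-1 (RFC 4034), 2 SHA-256
# (RFC 4509), 4 SHA-384 (RFC 6605).
DIGEST_TYPES = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}


def name_to_wire(name):
    """Owner name in canonical (lower-case, uncompressed) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type):
    """Build the DS line a parent zone needs: digest over owner name + DNSKEY RDATA."""
    hasher, _ = DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line):
    """Parse one DSset line into its fields, checking the digest length fits the type."""
    parts = line.split()
    if len(parts) < 7 or parts[1:3] != ["IN", "DS"]:
        raise ValueError(f"not a DS record: {line!r}")
    owner, tag = parts[0], int(parts[3])
    algorithm, digest_type = int(parts[4]), int(parts[5])
    digest = "".join(parts[6:]).upper()   # the digest may be split by whitespace
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown digest type {digest_type}")
    expected = DIGEST_TYPES[digest_type][1]
    if len(digest) != expected or any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError(f"digest type {digest_type} needs {expected} hex characters")
    return {"owner": owner, "key_tag": tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key_b64):
    """True when the DS line was derived from this DNSKEY (what a parent verifies)."""
    rebuilt = parse_ds(make_ds(owner, flags, protocol, algorithm,
                               public_key_b64, ds["digest_type"]))
    return (rebuilt["key_tag"] == ds["key_tag"]
            and rebuilt["algorithm"] == ds["algorithm"]
            and rebuilt["digest"] == ds["digest"])


# Constructed key material for the round-trip demo; not a real DNSSEC key.
CONSTRUCTED_KEY = base64.b64encode(b"constructed key material, not a real key").decode()
PAGE_DS_LINE = "dns.example.com. IN DS 13447 5 1 A5AD9EFB6840F58CF817F3CC7C24A7ED2DD5559C"
```

Verifying a pasted DS against the child's DNSKEY catches the two mistakes that matter most when pasting DSSET content by hand: a digest truncated or altered in transit, and a DS that belongs to a different key (different tag or algorithm) than the one the child actually signs with.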
config global-dns-server general
Use this command to configure basic behavior for the DNS server.
The general settings configuration specifies the interfaces that listen for DNS requests. By default, the system listens on
the IPv4 and IPv6 addresses of all configured interfaces for DNS requests.
The other settings in the general settings configuration are applied when traffic does not match a Global DNS policy.
Before you begin:
• You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
• You must have read-write permission for global load balancing settings.
Syntax
config global-dns-server general
set dnssec-status {enable|disable}
set dnssec-validate-status {enable|disable}
set forward {first | only}
set forwarders <datasource>
set gds-status {enable|disable}
set ipv4-accessed-status {enable|disable}
set ipv6-accessed-status {enable|disable}
set listen-on-all-interface {enable|disable}
set listen-on-interface <datasource>
set recursion-status {enable|disable}
set response-rate-limit <datasource>
set use-system-dns-server {enable|disable}
end
dnssec-status           Enable/disable DNSSEC.
dnssec-validate-status  Enable/disable DNSSEC validation.
forward                 • first—The DNS server queries the forwarders list before doing its own DNS lookup.
                        • only—Only queries the forwarders list. Does not perform its own DNS lookups.
forwarders              If the DNS server zone has been configured as a forwarder, select the remote DNS
                        servers to which it forwards requests.
gds-status              Enable/disable the DNS server configuration.
ipv4-accessed-status    Enable/disable listening for DNS requests on the interface IPv4 address.
ipv6-accessed-status    Enable/disable listening for DNS requests on the interface IPv6 address.
listen-on-all-interface Enable listening on all interfaces.
listen-on-interface     If you do not listen on all interfaces, select one or more ports to listen on.
recursion-status        Enable/disable recursion. If enabled, the DNS server attempts to do all the work
                        required to answer the query. If not enabled, the server returns a referral response
                        when it does not already know the answer.
response-rate-limit     Specify a rate limit configuration object.
use-system-dns-server   Forward DNS requests to the system DNS server instead of the forwarders list.
Example
FortiADC-VM # config global-dns-server general
FortiADC-VM (general) # get
gds-status              : enable
recursion-status        : enable
dnssec-status           : disable
dnssec-validate-status  : disable
ipv6-accessed-status    : enable
ipv4-accessed-status    : enable
listen-on-all-interface : enable
forward                 : first
use-system-dns-server   : enable
response-rate-limit     :
FortiADC-VM (general) # set gds-status enable
FortiADC-VM (general) # end
config global-dns-server load-balance-pool
Use this command to configure the pool of virtual servers that are available to DNS policies.
You can build a pool list from the following sources:
• Local—A local virtual server is a FortiADC virtual server that is configured on the local system. Select a local virtual
server from the list to add it to the pool. The system gets the IP address for local virtual servers from this
configuration.
• Remote—A remote virtual server is a FortiADC virtual server that is configured on another system. If you add a
remote virtual server, specify its IPv4/IPv6 type and IP address.
• Self-defined—Use the self-defined server configuration if the FortiADC system uses 1-to-1 NAT. In those
deployments, you want to publish the external address, not use the address from the virtual server configuration. You
can also use the self-defined configuration to add the IPv4/IPv6 type and IP address for a non-FortiADC server.
Before you begin:
• You must have completed the virtual server configuration.
• You must have knowledge of any remote virtual servers that are available to the global deployment.
• You must have read-write permission for global load balancing settings.
After you have configured a pool, you can select it when you add A/AAAA records to a DNS zone configuration.
Syntax
config global-dns-server load-balance-pool
edit <name>
config pool_member
edit <No.>
set addr-source {local-vs | remote-vs | self-define}
set addr-type {vs_ipv4|vs_ipv6}
set ip <class_ip>
set ip6 <class_ip>
set link-group <datasource>
set llb-link-member <string>
set local-virtual-server <datasource>
set weight <integer>
next
end
next
end
addr-source           • self-define: Use the self-defined server configuration if the FortiADC system uses
                        1-to-1 NAT. In that deployment, you want to publish the external address, not use the
                        address from the virtual server configuration. You can also use the self-defined
                        configuration to add the IPv4/IPv6 type and IP address for a non-FortiADC server.
                      • local-vs: A local virtual server is a FortiADC virtual server that is configured on the
                        local system. Specify a local virtual server from the list to add it to the pool. The
                        system gets the IP address for local virtual servers from this configuration.
                      • remote-vs: A remote virtual server is a FortiADC virtual server that is configured on
                        another system. If you add a remote virtual server, specify its IPv4/IPv6 type and IP
                        address.
addr-type             • IPv4
                      • IPv6
ip                    IP address of a virtual server to be added to the pool.
ip6                   IP address of a virtual server to be added to the pool.
link-group            If you add a link group to the configuration, the system uses it to perform a health check.
                      If the link group is not available, the system excludes the virtual server from the DNS load
                      balancing distribution. This behavior applies only to pools with local virtual servers or
                      self-defined virtual servers.
llb-link-member       Like link group, but only the health of a link member is polled. Specify the name of
                      gateway to serve as a beacon for the health check. The string must match the configured
                      name of the link member.
local-virtual-server  If you specify the local source option, select a virtual server. Virtual servers that you add
                      can be the targets for the DNS zone RR.
weight                Assigns relative preference among members—higher values are more preferred and are
                      assigned connections more frequently.
                      The default is 1. The valid range is 1-255.
Example
FortiADC-VM # config global-dns-server load-balance-pool
FortiADC-VM (load-balance-p~o) # edit global-pool-1
Add new entry 'global-pool-1' for node 1820
FortiADC-VM (global-pool-1) # config pool_member
FortiADC-VM (pool_member) # edit 1
Add new entry '1' for node 1822
FortiADC-VM (1) # get
addr-source         : local-vs
weight              : 1
local-virtual-server:
link-group          :
llb-link-member     :
FortiADC-VM (1) # set local-virtual-server example-vs
FortiADC-VM (1) # end
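The following Python model is an added example; it is not code from the FortiADC reference or from Fortinet. It shows how the weight field and the link-group health exclusion described above combine when answers are drawn from a pool: a smooth weighted round robin returns each member exactly weight times per cycle of sum(weights) answers, and a member whose link group is down is left out of the rotation entirely, while a member with no link group is never excluded. The same weight and wrr semantics apply to the A/AAAA records of a zone (config global-dns-server zone). Member names, addresses, link-group names and link states are constructed for the demo; the interleaving order inside FortiADC is not documented here, so the smooth-WRR scheduling is an assumption and only the per-cycle counts follow from the definition of weight.

```python
"""Weighted round robin over a global DNS load-balance pool.

Added example, not part of the FortiADC CLI reference. Names, IPs and
link states are constructed. The smooth (interleaved) WRR used here is an
assumption about scheduling; the per-cycle counts it yields are what the
`weight` field guarantees.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PoolMember:
    name: str
    ip: str
    weight: int = 1                   # FortiADC valid range: 1-255, default 1
    link_group: Optional[str] = None  # health-checked link; None = never excluded
    current: int = 0                  # running credit for smooth WRR (internal)

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= 255:
            raise ValueError(f"{self.name}: weight {self.weight} outside 1-255")


def eligible(members: List[PoolMember], link_up: Dict[str, bool]) -> List[PoolMember]:
    """Drop members whose link group health check currently fails.

    A member with no link group (or llb-link-member) is never excluded on
    health grounds, so a self-defined NAT address keeps being handed out
    even when the path behind it is down. Attach a link group if you want
    DNS failover for it.
    """
    return [m for m in members
            if m.link_group is None or link_up.get(m.link_group, False)]


def pick(members: List[PoolMember]) -> PoolMember:
    """Smooth weighted round robin: one member per call.

    Every member's credit grows by its weight; the member with the highest
    credit is returned and charged the total weight. Over any window of
    sum(weights) calls each member is returned exactly `weight` times, and
    a weight-3 member is spread out rather than returned three times in a row.
    """
    if not members:
        raise RuntimeError("no healthy members in pool")
    total = sum(m.weight for m in members)
    for m in members:
        m.current += m.weight
    best = max(members, key=lambda m: m.current)  # first maximum wins ties
    best.current -= total
    return best


def answer_sequence(pool: List[PoolMember], link_up: Dict[str, bool], n: int) -> List[str]:
    """IPs that n successive queries for the record would receive."""
    for m in pool:
        m.current = 0
    healthy = eligible(pool, link_up)
    return [pick(healthy).ip for _ in range(n)]


def distribution(pool: List[PoolMember], link_up: Dict[str, bool], n: int) -> Dict[str, int]:
    """How many of n answers each IP gets."""
    counts: Dict[str, int] = {}
    for ip in answer_sequence(pool, link_up, n):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed pool: a local VS behind ISP link group isp-a, a remote VS
# behind isp-b, and a self-defined 1-to-1 NAT address with no link group.
SAMPLE_POOL = [
    PoolMember("dc1-vs", "198.51.100.10", weight=3, link_group="isp-a"),
    PoolMember("dc2-vs", "198.51.100.20", weight=1, link_group="isp-b"),
    PoolMember("dc3-nat", "203.0.113.5", weight=1),
]

if __name__ == "__main__":
    print(distribution(SAMPLE_POOL, {"isp-a": True, "isp-b": True}, 10))
    print(distribution(SAMPLE_POOL, {"isp-a": True, "isp-b": False}, 8))
```

With all links up, ten answers split 6/2/2 in the order 3:1:1 prescribes; with isp-b down, dc2-vs disappears from the rotation and dc1-vs and dc3-nat share the answers 6/2. The self-defined member has no link group, so nothing ever removes it: that is the behaviour the link-group field description warns about.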
config global-dns-server policy
Use this command to configure a rulebase that matches traffic to DNS zones.
Traffic that matches both source and destination criteria is served by the policy. Traffic that does not match any policy is
served by the DNS “general settings” configuration.
Before you begin:
• You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
• You must have configured address objects, remote servers, DNS zones, and optional configuration objects you want to specify in your policy.
• You must have read-write permission for global load balancing settings.
Syntax
config global-dns-server policy
edit <name>
set destination-address <datasource>
set dns64-list {<datasource> ...}
set dnssec-status {enable|disable}
set dnssec-validate-status {enable|disable}
set forward {first | only}
set forwarders <datasource>
set recursion-status {enable|disable}
set response-rate-limit <datasource>
set source-address <datasource>
set zone-list {<datasource> ...}
next
end
destination-address
Address object to specify the destination match criteria.
dns64-list
Specify one or more DNS64 configurations to use when resolving IPv6 requests.
dnssec-status
Enable/disable DNSSEC.
dnssec-validate-status
Enable/disable DNSSEC validation.
forward
• first—The DNS server queries the forwarders list before doing its own DNS lookup.
• only—Only queries the forwarders list. Does not perform its own DNS lookups.
forwarders
If the DNS server zone has been configured as a forwarder, select the remote DNS
servers to which it forwards requests.
recursion-status
Enable/disable recursion. If enabled, the DNS server attempts to do all the work required to answer the query. If not enabled, the server returns a referral response when it does not already know the answer.
Enable recursion only in policies whose source-address restricts queries to trusted clients. A policy reachable from the Internet with recursion enabled is an open resolver, which can be abused for reflection amplification attacks and is exposed to cache poisoning.
response-rate-limit
Specify a rate limit configuration object.
source-address
Address object to specify the source match criteria.
zone-list
Specify one or more zone configurations to serve DNS requests from matching traffic.
Example
FortiADC-VM (policy) # edit lan_policy
Add new entry 'lan_policy' for node 2236
FortiADC-VM (lan_policy) # get
source-address      :
destination-address :
zone-list           :
dns64-list          :
recursion-status    : enable
dnssec-status       : disable
dnssec-validate-status: disable
forward             : first
forwarders          :
response-rate-limit :
FortiADC-VM (lan_policy) # set source-address campus
FortiADC-VM (lan_policy) # set destination-address any
FortiADC-VM (lan_policy) # set zone-list lan-zone
FortiADC-VM (lan_policy) # next
FortiADC-VM (policy) # edit wan_policy
Add new entry 'wan_policy' for node 2236
FortiADC-VM (wan_policy) # set source-address branch
FortiADC-VM (wan_policy) # set destination-address any
FortiADC-VM (wan_policy) # set zone-list wan-zone
FortiADC-VM (wan_policy) # end
FortiADC-VM # get global-dns-server policy lan_policy
source-address      : campus
destination-address : any
zone-list           : lan-zone
dns64-list          :
recursion-status    : enable
dnssec-status       : disable
dnssec-validate-status: disable
forward             : first
forwarders          :
response-rate-limit :
FortiADC-VM # get global-dns-server policy wan_policy
source-address      : branch
destination-address : any
zone-list           : wan-zone
dns64-list          :
recursion-status    : enable
dnssec-status       : disable
dnssec-validate-status: disable
forward             : first
forwarders          :
response-rate-limit :
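The following Python model is an added example and is not code from the FortiADC reference or from Fortinet. It reproduces the rulebase semantics described in this section (a query is served by the policy whose source and destination address objects both contain it, otherwise by the general settings) using the same lan_policy/wan_policy pair as the example above, and adds the audit a reviewer would run on such a rulebase: any policy that leaves recursion-status at its default of enable while its source-address covers public address space is an open resolver. The address objects (campus, branch, any), their prefixes, the listener address and the query tuples are constructed; first-match evaluation in list order is an assumption, since the reference does not state how overlapping policies are ordered.

```python
"""DNS policy rulebase model with an open-resolver audit.

Added example, not part of the FortiADC CLI reference. Address objects,
policies and query tuples are constructed. First-match evaluation in list
order is an assumption; the reference only states that a query must match
both source and destination, and that unmatched traffic falls back to the
DNS general settings.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address objects keyed by the name used in `set source-address <name>`.
# "any" is the catch-all object from the reference example.
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "any":    ["0.0.0.0/0", "::/0"],
    "campus": ["10.10.0.0/16"],
    "branch": ["172.16.5.0/24"],
}


def address_matches(obj_name: str, ip: str) -> bool:
    """True if `ip` falls in any prefix of the named address object."""
    addr = ipaddress.ip_address(ip)
    for cidr in ADDRESS_OBJECTS[obj_name]:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    return False


@dataclass
class DnsPolicy:
    name: str
    source_address: str
    destination_address: str
    zone_list: List[str]
    recursion: bool = True          # reference default: recursion-status enable
    dnssec_validate: bool = False   # reference default: disable
    response_rate_limit: Optional[str] = None


@dataclass
class Decision:
    served_by: str        # policy name, or "general-settings" on no match
    zones: List[str]
    recursion: bool


def select_policy(policies: List[DnsPolicy], src_ip: str, dst_ip: str) -> Optional[DnsPolicy]:
    """First policy whose source AND destination objects both contain the query."""
    for p in policies:
        if address_matches(p.source_address, src_ip) and \
           address_matches(p.destination_address, dst_ip):
            return p
    return None


def resolve_decision(policies: List[DnsPolicy], src_ip: str, dst_ip: str,
                     general_recursion: bool = False) -> Decision:
    """Which configuration serves a query from src_ip to listener dst_ip."""
    p = select_policy(policies, src_ip, dst_ip)
    if p is None:
        return Decision("general-settings", [], general_recursion)
    return Decision(p.name, list(p.zone_list), p.recursion)


def audit_open_resolver(policies: List[DnsPolicy]) -> List[str]:
    """Names of policies that offer recursion to a non-private source range.

    Because recursion-status defaults to enable, a policy whose
    source-address is "any" (or any public prefix) turns the listener into
    an open resolver, usable for reflection amplification and exposed to
    cache poisoning. Fix: set recursion-status disable on Internet-facing
    policies, or narrow source-address to the clients that need recursion.
    """
    flagged = []
    for p in policies:
        if not p.recursion:
            continue
        if any(not ipaddress.ip_network(c).is_private
               for c in ADDRESS_OBJECTS[p.source_address]):
            flagged.append(p.name)
    return flagged


# Constructed rulebase mirroring the reference example (lan_policy, wan_policy).
SAMPLE_POLICIES = [
    DnsPolicy("lan_policy", "campus", "any", ["lan-zone"]),
    DnsPolicy("wan_policy", "branch", "any", ["wan-zone"]),
]
# A public-facing policy left at the default recursion setting (the mistake)...
PUBLIC_POLICY = DnsPolicy("public_policy", "any", "any", ["wan-zone"])
# ...and the same policy hardened.
PUBLIC_POLICY_FIXED = DnsPolicy("public_policy", "any", "any", ["wan-zone"], recursion=False)

if __name__ == "__main__":
    print(resolve_decision(SAMPLE_POLICIES, "10.10.3.4", "198.51.100.53"))
    print(audit_open_resolver(SAMPLE_POLICIES + [PUBLIC_POLICY]))
```

A query from a campus address lands in lan_policy, one from a branch address in wan_policy, and anything else (including IPv6 sources, which neither object covers) falls through to the general settings. The audit is silent for the two internal policies and names public_policy until its recursion-status is disabled.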
config global-dns-server remote-dns-server
Use this command to create a list of DNS forwarders.
DNS forwarders are commonly used when you do not want the local DNS server to connect to Internet DNS servers. For
example, if the local DNS server is behind a firewall and you do not want to allow DNS through that firewall, you
implement DNS forwarding to a remote server that is deployed in a DMZ or similar network region that can contact
Internet DNS servers.
Before you begin:
• You must have a good understanding of DNS and knowledge of the remote DNS servers that can be used to communicate with Internet domain servers.
• You must have read-write permission for global load balancing settings.
After you have configured remote DNS servers, you can select them in DNS zone and DNS policy configurations.
Syntax
config global-dns-server remote-dns-server
edit <name>
config member
edit <No.>
set addr-type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set port <integer>
next
end
next
end
addr-type
• ipv4
• ipv6
ip
IPv4 address of the remote DNS server.
ip6
IPv6 address of the remote DNS server.
port
Port number the remote server uses for DNS. The default is 53.
Example
FortiADC-VM # config global-dns-server remote-dns-server
FortiADC-VM (remote-dns-ser~e) # edit google.com
Add new entry 'google.com' for node 2329
FortiADC-VM (google.com) # config member
FortiADC-VM (member) # edit 1
Add new entry '1' for node 2331
FortiADC-VM (1) # get
addr-type : ipv4
ip        : 0.0.0.0
port      : 53
FortiADC-VM (1) # set ip 8.8.8.8
FortiADC-VM (1) # get
addr-type : ipv4
ip        : 8.8.8.8
port      : 53
FortiADC-VM (1) # end
FortiADC-VM (google.com) # end
config global-dns-server response-rate-limit
Use this command to configure response rate limit objects that you specify in the DNS policy and DNS general
configurations.
The response rate limit keeps the FortiADC authoritative DNS server from being used as an amplifier in reflection denial of service (DoS) attacks, in which an attacker sends queries with a spoofed source address so that the larger responses are delivered to the victim. The limit caps the number of responses the server sends per second; responses beyond the cap are not sent.
Before you begin:
• You must have a good understanding of DNS.
• You must have read-write permission for global load balancing settings.
After you have created a response rate limit configuration, you can select it in the DNS policy and DNS general settings
configurations.
Syntax
config global-dns-server response-rate-limit
edit <name>
set per-second <integer>
next
end
per-second
Maximum number of responses per second. The valid range is 1-2040. The default is 1000.
Example
FortiADC-VM # config global-dns-server response-rate-limit
FortiADC-VM (response-rate-~i) # edit gdns-rl-1
Add new entry 'gdns-rl-1' for node 2313
FortiADC-VM (gdns-rl-1) # end
FortiADC-VM # get global-dns-server response-rate-limit gdns-rl-1
per-second : 1000
config global-dns-server trust-anchor-key
Use this command to change the trust anchor key (if necessary).
DNSSEC validation requires that a DNS name server know the trust anchor key for the root DNS domain in order to
validate already signed responses. In general, trust anchor keys do not change often, but they do change occasionally,
and might change unexpectedly in the event the keys are compromised.
The FortiADC DNS server is preconfigured with a trust anchor key for the root DNS domain. If you are informed that you
must update this key, you can use the configuration editor to paste the new content into the DNS server configuration.
Further reading:
• http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
Before you begin:
• You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
• You must have already obtained the key so that you can copy and paste it into the DNS server configuration.
• You must have read-write permission for global load balancing settings.
Syntax
config global-dns-server trust-anchor-key
edit <name>
set value <string>
set description <string>
next
end
value
The key value. The key is a string in the following format, where the fields after the domain name are the DNSKEY flags, protocol (always 3), algorithm, and base64-encoded public key:
\"<domainname>\" <num1> <num2> <num3> \"<content>\"
The following is an example:
\".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\"
Obtain the key from IANA (for the root) or from the parent zone operator over an authenticated channel, and compare it with the published value before you paste it. A wrong or attacker-supplied trust anchor either breaks validation or lets forged responses validate.
description
A description of this configuration.
Example
FortiADC-VM # config global-dns-server trust-anchor-key
FortiADC-VM (trust-anchor-key) # edit sss
Add new entry 'sss' for node 2240
FortiADC-VM (sss) # get
value       :
description :
FortiADC-VM (sss) # set
*value         key value
description    key description
FortiADC-VM (sss) # set value "\".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\""
FortiADC-VM (sss) # end
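The following Python checker is an added example and is not part of the FortiADC reference or of the product. It parses the value format documented above, decodes the DNSKEY fields, computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest (the pair you compare against the anchor published out of band; for the root, IANA's root-anchors.xml), and flags parameters that should not appear in a trust anchor. Run against the reference's own example value it reports three findings: the flags are 256 (a zone signing key without the SEP bit) rather than 257, algorithm 5 is SHA-1 based, and the RSA modulus is only 512 bits. That string illustrates the format but must not be pasted into a production configuration. The example value is taken from this page; everything else (the algorithm table, the finding texts) is the checker's own.

```python
"""Parser and sanity checker for the trust-anchor-key `value` format.

Added example, not part of the FortiADC CLI reference. It checks the
quoting, decodes the DNSKEY fields, computes the RFC 4034 key tag and the
RFC 4509 SHA-256 DS digest, and flags weak parameters. It does not fetch
anything: compare key tag and digest with the values IANA (or the parent
zone) publishes before you trust the key.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List

# "<domainname>" <flags> <protocol> <algorithm> "<base64 key>"
_VALUE_RE = re.compile(r'^\s*"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*$')

# DNSKEY algorithm numbers from the IANA registry; 5 and 7 are SHA-1 based.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519", 16: "ED448"}
SHA1_ALGORITHMS = {5, 7}
RSA_ALGORITHMS = {5, 7, 8, 10}


@dataclass
class TrustAnchor:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


def parse_value(value: str) -> TrustAnchor:
    """Parse the stored value (the CLI's backslash escapes already removed)."""
    m = _VALUE_RE.match(value)
    if not m:
        raise ValueError('value must be: "<domain>" <flags> <proto> <alg> "<base64>"')
    owner, flags, proto, alg, key_b64 = m.groups()
    # Keys pasted from a PDF or terminal are often line-wrapped; strip whitespace.
    key = base64.b64decode(re.sub(r"\s+", "", key_b64), validate=True)
    return TrustAnchor(owner, int(flags), int(proto), int(alg), key)


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format; "." is the single empty root label."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(ta: TrustAnchor) -> int:
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(ta.rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(ta: TrustAnchor) -> str:
    """Digest field of the DS record with digest type 2 (RFC 4509)."""
    return hashlib.sha256(name_to_wire(ta.owner) + ta.rdata).hexdigest()


def rsa_modulus_bits(public_key: bytes) -> int:
    """RFC 3110 RSA key layout: exponent length, exponent, then modulus."""
    if public_key[0] != 0:
        exp_len, off = public_key[0], 1
    else:
        exp_len, off = int.from_bytes(public_key[1:3], "big"), 3
    return len(public_key[off + exp_len:]) * 8


def check_anchor(ta: TrustAnchor, expect_root: bool = True) -> List[str]:
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if ta.protocol != 3:
        findings.append(f"protocol field is {ta.protocol}, DNSSEC requires 3")
    if expect_root and ta.owner != ".":
        findings.append(f"owner is {ta.owner!r}, a root trust anchor must be '.'")
    if not ta.flags & 0x0100:
        findings.append(f"flags {ta.flags}: zone key bit not set, not a DNSSEC zone key")
    if not ta.flags & 0x0001:
        findings.append(f"flags {ta.flags}: SEP bit not set, this is a ZSK not a KSK (expected 257)")
    if ta.algorithm not in ALGORITHMS:
        findings.append(f"unknown algorithm {ta.algorithm}")
    elif ta.algorithm in SHA1_ALGORITHMS:
        findings.append(f"algorithm {ta.algorithm} ({ALGORITHMS[ta.algorithm]}) is SHA-1 based, "
                        "deprecated for signing (RFC 8624)")
    if ta.algorithm in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(ta.public_key)
        if bits < 2048:
            findings.append(f"RSA modulus is only {bits} bits")
    return findings


# The reference's own example value, as stored once the `set value` escapes are removed.
REFERENCE_EXAMPLE = (
    '"." 256 3 5 "AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16'
    'pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk="'
)

if __name__ == "__main__":
    anchor = parse_value(REFERENCE_EXAMPLE)
    print("key tag", key_tag(anchor), "DS SHA-256", ds_sha256(anchor))
    for finding in check_anchor(anchor):
        print("finding:", finding)
```

Use the printed key tag and digest to match the anchor against the DS record or the root-anchors.xml entry you obtained independently; a mismatch means the pasted string is not the key you think it is.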
config global-dns-server zone
Use this command to configure DNS zone and resource records.
The DNS zone configuration is the key to the global load balancing solution. This configuration contains the key DNS server settings, including:
• Domain name and name server details.
• Type—Whether the server is the master or a forwarder.
• DNSSEC—Whether to use DNSSEC.
• DNS RR records—The zone configuration contains resource records (RR) used to resolve DNS queries delegated to the domain by the parent zone.
You can specify different DNS server settings for each zone you create. For example, the DNS server can be a master for one zone and a forwarder for another zone.
Before you begin:
• You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
• You must have authority to create authoritative DNS zone records for your network.
• You must have read-write permission for global load balancing settings.
After you have configured a DNS zone, you can select it in the DNS policy configuration.
Syntax
config global-dns-server zone
edit <name>
set domain-name <string>
set primary-server-ip <class_ip>
set primary-server-ip6 <class_ip>
set primary-server-name <string>
set responsible-mail <string>
set ttl <integer>
set type {master|forward}
set forward {first | only}
set forwarders <datasource>
set dnssec-status {enable|disable}
set dnssec-algorithm RSASHA1
set dsset9info <string>
set dssetinfo-filename <string>
set dsset-info-list <datasource>
set KSK <string>
set KSK-Filename <string>
set ZSK <string>
set ZSK-Filename <string>
config a-aaaa-record
edit <No.>
set hostname <string>
set source-type {from-load-balance-pool | ipv4 | ipv6}
set load-balance-pool <datasource>
set ip <class_ip>
set ip6 <class_ip>
set method wrr
set weight <integer>
next
end
config cname-record
edit <No.>
set alias <string>
set target <string>
next
end
config mx-record
edit <No.>
set hostname <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set priority <integer>
next
end
config ns-record
edit <No.>
set domain-name <string>
set host-name <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
next
end
next
end
config global-dns-server zone
domain-name
The domain name must end with a period. For example: example.com.
primary-server-ip
The IP address of the primary server.
primary-server-ip6
The IP address of the primary server.
primary-server-name
Sets the server name in the SOA record.
responsible-mail
Username of the person responsible for this zone, such as root.
ttl
The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for
every RR without a specific TTL set.
The default is 86,400. The valid range is 0 to 2,147,483,647.
type
• master—The configuration contains the “master” copy of data for the zone and is the authoritative server for it.
• forward—The configuration allows you to apply DNS forwarding on a per-domain basis, overriding the forwarding settings in the “general” configuration.
forward
• first—The DNS server queries the forwarders list before doing its own DNS lookup.
• only—Only query the forwarders list. Do not perform a DNS lookup.
forwarders
The forward option is only meaningful if the forwarders list is not empty.
dnssec-status
Enable/disable DNSSEC.
dnssec-algorithm
RSASHA1 is the only supported algorithm. Note that SHA-1 based DNSSEC signing is deprecated by current IETF guidance (RFC 8624 lists RSASHA1 as NOT RECOMMENDED for signing), so on this release enable zone signing only where that is acceptable.
dsset9info
It is generated by the system if DNSSEC is enabled for the zone.
dssetinfo-filename
The file is generated by the system if DNSSEC is enabled for the zone. The file generated
by the zone configuration editor is the one you give to any parent zone or the registrar of
your domain.
The convention is dsset-<domain>, for example dsset-example.com.
dsset-info-list
Specify a DSset info list configuration object.
KSK
Type characters for a string key. The file is generated by the system if DNSSEC is enabled
for the zone.
KSK-Filename
The file is generated by the system if DNSSEC is enabled for the zone.
To regenerate the KSK, disable DNSSEC and then re-enable DNSSEC.
ZSK
Type characters for a string key. The file is generated by the system if DNSSEC is enabled
for the zone.
ZSK-Filename
The file is generated by the system if DNSSEC is enabled for the zone.
To regenerate the ZSK, disable DNSSEC and then re-enable DNSSEC.
config a-aaaa-record
hostname
The hostname part of the FQDN, such as www.
source-type
• from-load-balance-pool: Specify this option to use the IP address information and weight from configuration objects you have created.
• ipv4—Specify this option to configure IPv4 address information and weight.
• ipv6—Specify this option to configure IPv6 address information and weight.
load-balance-pool
Specify a global pool configuration.
ip
Specify the IPv4 address of the virtual server (source-type ipv4).
ip6
Specify the IPv6 address of the virtual server (source-type ipv6).
method
Weighted Round Robin is the only method supported.
weight
Assigns relative preference among members—higher values are more preferred and are
assigned connections more frequently.
The default is 1. The valid range is 1-255.
config cname-record
alias
An alias name to another true or canonical domain name (the target). For instance,
www.example.com is an alias for example.com.
target
The true or canonical domain name. For instance, example.com.
config mx-record
hostname
The hostname part of the FQDN for a mail exchange server, such as mail.
type
• ipv4
• ipv6
ip
Specify the IPv4 address.
ip6
Specify the IPv6 address.
priority
Preference given to this RR among others at the same owner. Lower values have greater
priority.
config ns-record
domain-name
The domain for which the name server has authoritative answers, such as example.com.
host-name
The hostname part of the FQDN, such as ns.
type
• ipv4
• ipv6
ip
Specify the IPv4 address of the name server.
ip6
Specify the IPv6 address of the name server.
Example
FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit wan-zone
Add new entry 'wan-zone' for node 2248
FortiADC-VM (wan-zone) # get
type                : master
domain-name         :
dnssec-status       : disable
ttl                 : 86400
responsible-mail    :
primary-server-name :
primary-server-ip   : 0.0.0.0
primary-server-ip6  : ::
FortiADC-VM (wan-zone) # set domain-name www.fortiadc.com.
FortiADC-VM (wan-zone) # set responsible-mail root
FortiADC-VM (wan-zone) # set primary-server-name ns
FortiADC-VM (wan-zone) # set primary-server-ip 202.33.11.107
FortiADC-VM (wan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # get
hostname    : www
source-type : ipv4
weight      : 1
ip          : 0.0.0.0
method      : wrr
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set ip 202.33.11.1
FortiADC-VM (1) # end
FortiADC-VM (wan-zone) # end
FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit lan-zone
Add new entry 'lan-zone' for node 2248
FortiADC-VM (lan-zone) # set domain-name fortiadc.com.
FortiADC-VM (lan-zone) # set responsible-mail root
FortiADC-VM (lan-zone) # set primary-server-name ns
FortiADC-VM (lan-zone) # set primary-server-ip 192.33.11.107
FortiADC-VM (lan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set source-type from-load-balance-pool
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set load-balance-pool global-pool-1
FortiADC-VM (1) # end
FortiADC-VM (lan-zone) # end
FortiADC-VM # show global-dns-server zone
config global-dns-server zone
edit "wan-zone"
set domain-name www.fortiadc.com.
set responsible-mail root
set primary-server-name ns
set primary-server-ip 202.33.11.107
config a-aaaa-record
edit 1
set hostname www
set ip 202.33.11.1
next
end
config ns-record
end
config cname-record
end
config mx-record
end
next
edit "lan-zone"
set domain-name fortiadc.com.
set responsible-mail root
set primary-server-name ns
set primary-server-ip 192.33.11.107
config a-aaaa-record
edit 1
set hostname www
set source-type from-load-balance-pool
set load-balance-pool global-pool-1
next
end
config ns-record
end
config cname-record
end
config mx-record
end
next
end
FortiADC-VM #
config link-load-balance
The config link-load-balance commands configure the link load balancing feature settings.
This chapter is a reference for the following commands:
config link-load-balance address
config link-load-balance address6
config link-load-balance flow-policy
config link-load-balance gateway
config link-load-balance health-check
config link-load-balance link-group
config link-load-balance persistence
config link-load-balance proximity-route
config link-load-balance service
config link-load-balance virtual-tunnel
config link-load-balance address
Use this command to create the IPv4 address objects that you use in link load balancing rules.
Before you begin:
• You must have read-write permission for link load balancing settings.
Syntax
config link-load-balance address
edit <name>
set type {ip-netmask|ip-range}
set ip-netmask <ip&netmask>
set ip-min <class_ip>
set ip-max <class_ip>
next
end
type
• ip-netmask: address block
• ip-range: address range
ip-netmask
Specify a subnet using the address/mask notation.
ip-min
Specify the start of an address range.
ip-max
Specify the end of an address range.
Example
FortiADC-VM # config link-load-balance address
FortiADC-VM (address) # edit llb-dest-addr1
Add new entry 'llb-dest-addr1' for node 1850
FortiADC-VM (llb-dest-addr1) # get
type       : ip-netmask
ip-netmask : 0.0.0.0/0
FortiADC-VM (llb-dest-addr1) # set ip-netmask 192.0.2.0/24
FortiADC-VM (llb-dest-addr1) # end
config link-load-balance address6
Use this command to create the IPv6 address objects that you use in link load balancing rules.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config link-load-balance address6
edit <name>
set type {ip6-network|ip6-range}
set ip6-network <ip&netmask>
set ip6-min <class_ip>
set ip6-max <class_ip>
next
end
type
• ip6-network: address block
• ip6-range: address range
ip6-network
Specify a subnet using the address/mask notation.
ip6-min
Specify the start of an address range.
ip6-max
Specify the end of an address range.
Example
FortiADC-VM # config llb address6
FortiADC-VM (address6) # edit llb-dest-addr2
Add new entry 'llb-dest-addr2' for node 1856
FortiADC-VM (llb-dest-addr2) # get
type        : ip6-network
ip6-network : ::/0
FortiADC-VM (llb-dest-addr2) # set ip6-network 2001:db8::/32
FortiADC-VM (llb-dest-addr2) # end
config link-load-balance flow-policy
Use this command to configure link load balancing policy rules.
A link load balancing policy matches traffic to rules that select a link group or virtual tunnel.
The policy uses a matching tuple: source, destination, service, and schedule. All must match for the rule to be applied.
The policy table is consulted from top to bottom. The first rule to match is applied.
The FortiADC system evaluates traffic to determine the routing rules to apply. With regard to link load
balancing, the system evaluates rules in the following order and applies the first match:
1. LLB link policy
2. Policy route
3. Static/Dynamic route
4. LLB default link group
Before you begin:
• You must have configured any address, service, and schedule objects that you want to use as match criteria for your policy.
• You must have configured a link group or virtual tunnel group.
• You must have read-write permission for link load balancing settings.
Syntax
config link-load-balance flow-policy
set default-link-group <datasource>
config rule
edit <name>
set group-type {link-group | virtual-tunnel}
set link-group <datasource>
set virtual-tunnel <datasource>
set destination-address <datasource>
set in-interface <datasource>
set schedule <datasource>
set service <datasource>
set source-address <datasource>
next
end
default-link-group
Specify a link group configuration object that is used as the default when traffic does not
match policy rules.
config rule
group-type
• link-group: Policy uses a link group.
• virtual-tunnel: Policy uses a virtual tunnel.
link-group
If you specify the link group type, specify a link group configuration object.
virtual-tunnel
If you specify the virtual tunnel group type, specify a virtual tunnel configuration object.
destination-address
Specify an address object to match destination addresses. If you do not specify a
destination address, the rule matches any destination.
in-interface
Network interface to which the policy applies.
schedule
Specify the schedule object that determines the times the system uses the logic of this
configuration. The link policy is active when the current time falls in a time period specified
by one or more schedules in the schedule group. If you do not specify a schedule, the rule
applies at all times.
service
Specify a service object to match destination services. If you do not specify a service, the
rule matches any service.
source-address
Specify an address object to match source addresses. If you do not specify a source
address, the rule matches any source address.
Example
FortiADC-VM # config link-load-balance flow-policy
FortiADC-VM (flow-policy) # set default-link-group llb-lg1
FortiADC-VM (flow-policy) # config rule
FortiADC-VM (rule) # edit 1
Add new entry '1' for node 634
FortiADC-VM (1) # get
in-interface        :
source-address      :
destination-address :
service             :
schedule            :
group-type          : link-group
link-group          :
FortiADC-VM (1) # set in-interface port4
FortiADC-VM (1) # set source-address llb-source-addr1
FortiADC-VM (1) # set destination-address llb-dest-addr1
FortiADC-VM (1) # set service llb-http
FortiADC-VM (1) # set link-group llb-lg2
FortiADC-VM (1) # end
FortiADC-VM (flow-policy) # get
default-link-group : llb-lg1
== [ 1 ]
FortiADC-VM (flow-policy) # show
config link-load-balance flow-policy
set default-link-group llb-lg1
config rule
edit "1"
set in-interface port4
set source-address llb-source-addr1
set destination-address llb-dest-addr1
set service llb-http
set link-group llb-lg2
next
end
end
config link-load-balance gateway
Use this command to configure gateway links.
The gateway link configuration enables you to specify health checks, bandwidth rate thresholds, and spillover threshold
behavior for the gateway links you add to link groups.
Before you begin:
• You must know the IP addresses of the ISP gateway link used in the network segment where the FortiADC appliance is deployed.
• You must have added health check configuration objects that you want to use to probe the gateway links.
• You must have read-write permission for link load balancing settings.
After you have configured a gateway link configuration object, you can select it in the link group configuration.
Syntax
config link-load-balance gateway
edit <name>
set health-check-ctrl {enable|disable}
set health-check-name <datasource>
set inbound-bandwidth <integer>
set ip <class_ip>
set outbound-bandwidth <integer>
set spillover-threshold-in <integer>
set spillover-threshold-out <integer>
set spillover-threshold-total <integer>
next
end
health-check-ctrl
Enable/disable health checks.
health-check-name
If you enable health checks, specify a health check configuration.
inbound-bandwidth
Maximum bandwidth rate for inbound traffic through this gateway link. This is a
global setting that applies to all traffic received from this gateway link. If traffic
exceeds this threshold, the FortiADC system considers the gateway to be full and
does not dispatch new connections to it.
The default is 2,000,000 Kbps. The valid range is 1 to 2,147,483,647.
We recommend you tune bandwidth thresholds strategically, using the bandwidth
rate and price structure agreement you have with your ISP to your advantage.
ip
IP address of the gateway link.
outbound-bandwidth
Maximum bandwidth rate for outbound traffic.
spillover-threshold-in
Maximum inbound bandwidth rate for a link in a spillover load balancing pool.
If you enable spillover load balancing in the link group configuration, the system
maintains a spillover list. It dispatches new connections to the link with the greatest
priority until its spillover threshold is exceeded; then dispatches new connections to
the link with the next greatest priority until its threshold is exceeded, and so on.
This is a global setting that applies to all traffic received from this gateway link. If
traffic exceeds this threshold, the FortiADC system considers the gateway to be full
and does not dispatch new connections to it.
spillover-threshold-out
Maximum outbound bandwidth rate for a link in a spillover load balancing pool.
spillover-threshold-total Maximum total bandwidth rate (inbound plus outbound) for a link in a spillover load
balancing pool.
Example
FortiADC-VM (gateway) # edit llb-gateway
Add new entry 'llb-gateway' for node 2501
FortiADC-VM (llb-gateway) # get
ip                       : 0.0.0.0
inbound-bandwidth        : 2000000
outbound-bandwidth       : 2000000
health-check-ctrl        : disable
spillover-threshold-in   : 2000000
spillover-threshold-out  : 2000000
spillover-threshold-total: 2000000
FortiADC-VM (llb-gateway) # set ip 192.168.1.1
FortiADC-VM (llb-gateway) # end
FortiADC-VM # get link-load-balance gateway llb-gateway
ip                       : 192.168.1.1
inbound-bandwidth        : 2000000
outbound-bandwidth       : 2000000
health-check-ctrl        : disable
spillover-threshold-in   : 2000000
spillover-threshold-out  : 2000000
spillover-threshold-total: 2000000
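The following Python model is an added example and is not FortiADC code. It walks through the spillover dispatch described under spillover-threshold-in above: new connections go to the highest-priority gateway link until its spillover threshold is exceeded, then to the next one, and a link that is over its hard inbound/outbound bandwidth cap or whose health check is failing is skipped. It also shows the consequence of leaving health-check-ctrl at its default of disable: such a link is never taken out of service, so a dead gateway keeps receiving connections once the others spill over. Gateway names, addresses, thresholds, measured rates and the per-link priority are constructed; the priority ordering the reference refers to is assumed to come from the link group member configuration, which this section does not show.

```python
"""Gateway-link spillover dispatch.

Added example, not FortiADC code. Gateway names, rates and thresholds are
constructed. The per-link priority the reference refers to is assumed to
be set in the link group member configuration, which this section does
not show; here it is a plain integer, higher first.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GatewayLink:
    name: str
    ip: str
    priority: int                          # assumed: higher value dispatched first
    inbound_bandwidth: int = 2_000_000     # Kbps, reference defaults
    outbound_bandwidth: int = 2_000_000
    spillover_threshold_in: int = 2_000_000
    spillover_threshold_out: int = 2_000_000
    spillover_threshold_total: int = 2_000_000
    health_check_ctrl: bool = False        # reference default: disable
    healthy: bool = True                   # last probe result, consulted only when ctrl enabled
    rate_in: int = 0                       # current measured Kbps (constructed)
    rate_out: int = 0

    def available(self) -> bool:
        """With health-check-ctrl disabled a dead link is never taken out of service."""
        return self.healthy or not self.health_check_ctrl

    def full(self) -> bool:
        """Hard inbound/outbound caps: the gateway takes no new connections above them."""
        return self.rate_in > self.inbound_bandwidth or self.rate_out > self.outbound_bandwidth

    def over_spillover(self, method: str) -> bool:
        if method == "spillover-throughput-in":
            return self.rate_in > self.spillover_threshold_in
        if method == "spillover-throughput-out":
            return self.rate_out > self.spillover_threshold_out
        if method == "spillover-throughput-all":
            return self.rate_in + self.rate_out > self.spillover_threshold_total
        raise ValueError(f"not a spillover route-method: {method}")


def spillover_select(links: List[GatewayLink], method: str) -> Optional[GatewayLink]:
    """Highest-priority link that is up, under its hard cap and under its spillover threshold.

    Returns None when every link is unavailable or over threshold; that is
    the case the flow-policy default-link-group (or a route) has to absorb.
    """
    for link in sorted(links, key=lambda g: g.priority, reverse=True):
        if link.available() and not link.full() and not link.over_spillover(method):
            return link
    return None


def dispatch_trace(links: List[GatewayLink], method: str, conn_kbps: int, count: int) -> List[str]:
    """Dispatch `count` new connections, each adding conn_kbps of inbound load,
    and return the link chosen for each one in order ("none" if no link qualified)."""
    chosen = []
    for _ in range(count):
        link = spillover_select(links, method)
        if link is None:
            chosen.append("none")
            continue
        link.rate_in += conn_kbps
        chosen.append(link.name)
    return chosen


def make_sample_links(isp_c_health_check: bool = True) -> List[GatewayLink]:
    """Constructed link group: two live ISP links with different spillover
    thresholds and a third whose probe is failing."""
    return [
        GatewayLink("isp-a", "192.0.2.1", priority=10, spillover_threshold_in=1000),
        GatewayLink("isp-b", "198.51.100.1", priority=5, spillover_threshold_in=500),
        GatewayLink("isp-c", "203.0.113.1", priority=1, spillover_threshold_in=300,
                    health_check_ctrl=isp_c_health_check, healthy=False),
    ]


if __name__ == "__main__":
    # isp-c is probed and found dead, so the sixth connection has nowhere to go
    print(dispatch_trace(make_sample_links(True), "spillover-throughput-in", 400, 6))
    # isp-c is not probed at all, so the dead link silently receives the sixth
    print(dispatch_trace(make_sample_links(False), "spillover-throughput-in", 400, 6))
```

With six 400 Kbps connections the first three land on isp-a (it is only skipped once its rate exceeds 1000 Kbps), the next two on isp-b, and the sixth has no healthy link left when isp-c is health-checked, but is sent to the dead isp-c when health-check-ctrl is disabled. Enable health checks on every gateway in a spillover group, or the last link in priority order becomes a black hole under load.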
config link-load-balance health-check
Use this command to configure health checks.
Link health checks test routes to the specified destination. When the link health check option is enabled for a gateway
link, the system periodically sends an ICMP ECHO probe (ping) to a beacon—an IP address that must be reachable in
order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual
server at another data center.
Before you begin:
• You must have knowledge of a destination IP address that can function as a beacon for the health check.
• You must have read-write permission for link load balancing settings.
After you have configured a health check, you can select it in the gateway link configuration.
Syntax
config link-load-balance health-check
edit <name>
set interval <integer>
set retry <integer>
set source-addr <class_ip>
set timeout <integer>
set type icmpv4
config check_member
edit <name>
set ip <class_ip>
set source-addr <class_ip>
next
end
next
end
interval
The default is 5. The default is recommended in most cases.
retry
The default is 3. The default is recommended in most cases.
source-addr
Source IP address specified in the health check packet header.
You do not necessarily need to configure the source address of the health check or its individual
probes unless you want it to differ from the network interface IP address, or differ from the source
IP used by other probes in the health check.
The probe’s source IP address is configurable at multiple levels. The system uses the most specific source address that you configure for each probe:
• If a source IP address is configured for the health check member, the system uses that source address as the SRC field in the packet’s IP header.
• If the source IP address for the health check member remains at its default value (0.0.0.0) but you have configured a health check group source IP address, the system uses that address.
• If both group and member settings are not configured (remaining at their default value of 0.0.0.0), the system uses the IP address of the network interface from which the packet is sent.
The default is 0.0.0.0.
timeout
The default is 3. The default is recommended in most cases.
type
Only ICMPv4 is supported.
config check_member
ip
You must specify a destination IP address.
When the link health check option is enabled within an active link group, the system periodically
sends an ICMP ECHO probe (ping) to a beacon—an IP address that must be reachable in order for
the link to be deemed available. A beacon can be any IP address, such as a main office, core
router, or virtual server at another data center.
source-addr
Source IP address specified in the health check packet header.
You do not necessarily need to configure the source address of the health check or its individual
probes unless you want it to differ from the network interface IP address, or differ from the source
IP used by other probes in the health check.
The probe’s source IP address is configurable at multiple levels. The system uses the most specific source address that you configure for each probe:
• If a source IP address is configured for the health check member, the system uses that source address as the SRC field in the packet’s IP header.
• If the source IP address for the health check member remains at its default value (0.0.0.0) but you have configured a health check group source IP address, the system uses that address.
• If both group and member settings are not configured (remaining at their default value of 0.0.0.0), the system uses the IP address of the network interface from which the packet is sent.
The default is 0.0.0.0.
Example
FortiADC-VM # config link-load-balance health-check
FortiADC-VM (health-check) # edit llb-hc-1
Add new entry 'llb-hc-1' for node 1801
FortiADC-VM (llb-hc-1) # get
type : icmpv4
interval : 5
retry : 3
timeout : 3
source-addr : 0.0.0.0
FortiADC-VM (llb-hc-1) # config check_member
FortiADC-VM (check_member) # edit 1
Add new entry '1' for node 1803
FortiADC-VM (1) # set ip 198.51.100.10
FortiADC-VM (1) # end
FortiADC-VM (llb-hc-1) # end
config link-load-balance link-group
Use this command to configure link groups.
Link groups include ISP gateways your company uses for outbound traffic. Grouping links reduces the risk of outages
and provisions additional bandwidth to relieve potential traffic congestion.
The link group configuration specifies the load balancing algorithm and the gateway routers in the load balancing pool.
You can enable LLB options, such as persistence rules and proximity routes.
Before you begin:
• You must have configured gateway links and persistence rules before you can select them in the link group
configuration.
• You must have read-write permission for link load balancing settings.
After you have configured a link group configuration object, you can select it in the link policy configuration.
Syntax
config link-load-balance link-group
edit <name>
set addr-type ipv4
set persistence <datasource>
set proximity-route {enable|disable}
set route-method {consistent-hash-ip | least-connection | least-new-cps |
least-throughput-all | least-throughput-in | least-throughput-out |
spillover-throughput-all | spillover-throughput-in | spillover-throughput-out | wrr}
next
end
addr-type
Only IPv4 is supported.
persistence
Specify a persistence configuration. Optional.
proximity-route
• enable—The system uses the proximity route logic and configuration when determining
routes.
• disable—The system does not use the proximity route configuration.
route-method
• consistent-hash-ip: Selects the gateway link based on a hash of the source IP address.
• least-connection: Dispatches new connections to the link member with the lowest number of
connections.
• least-new-cps: Dispatches new connections to the link member that has the lowest rate of
new connections per second.
• least-throughput-all: Dispatches new connections to the link member with the least total traffic
(that is, inbound plus outbound).
• least-throughput-in: Dispatches new connections to the link member with the least inbound
traffic.
• least-throughput-out: Dispatches new connections to the link member with the least outbound
traffic.
• spillover-throughput-all: Dispatches new connections according to the spillover list based on
total traffic (that is, inbound plus outbound).
• spillover-throughput-in: Dispatches new connections according to the spillover list based on
inbound traffic.
• spillover-throughput-out: Dispatches new connections according to the spillover list based on
outbound traffic.
• wrr: Dispatches new connections to link members using a weighted round-robin method.
Example
FortiADC-VM (link-group) # edit llb-link-group
Add new entry 'llb-link-group' for node 618
FortiADC-VM (llb-link-group) # get
addr-type : ipv4
route-method : wrr
persistence :
proximity-route : disable
FortiADC-VM (llb-link-group) # config link-member
FortiADC-VM (link-member) # edit 1
Add new entry '1' for node 624
FortiADC-VM (1) # get
gateway :
weight : 1
spillover-priority : 0
status : enable
FortiADC-VM (1) # set gateway llb-gateway
FortiADC-VM (1) # end
config link-load-balance persistence
Use this command to configure persistence rules.
Persistence rules identify traffic that should be ignored by load balancing rules and instead be forwarded to the same
gateway each time the traffic traverses the FortiADC appliance.
You should use persistence rules with applications that use a secure connection. Such applications drop connections
when the server detects a change in a client’s source IP address.
Before you begin:
• You must have an awareness of the types of outbound traffic from your network. Persistence rules are useful for
traffic that requires an established session, such as secure connections (HTTPS and SSH, for example).
• You must have knowledge of the source and/or destination subnets to which the persistence rules should apply.
• You must have read-write permission for link load balancing settings.
You can use persistence rules in link groups but not virtual tunnels.
Syntax
config link-load-balance persistence
edit <name>
set timeout <integer>
set type {destination-address | source-address | source-destination-address |
source-destination-pair}
set dst-ipv4-maskbits <integer>
set src-ipv4-maskbits <integer>
next
end
timeout
The default is 300 seconds.
type
• destination-address: Packets with a destination IP address that belongs to the same
subnet take the same outgoing gateway.
• source-address: Packets with a source IP address that belongs to the same subnet take
the same outgoing gateway.
• source-destination-address: Packets with a source IP address and destination IP address
that belong to the same subnets take the same outgoing gateway.
• source-destination-pair: Packets with the same source IP address and destination IP
address take the same outgoing gateway.
dst-ipv4-maskbits
Number of bits in a subnet mask to specify a network segment that should follow the
persistence rule.
For example, if you set this to 24, and the system chooses a particular gateway router for
destination IP 192.168.1.100, the system will select that same gateway for traffic to all
destination IPs in subnet 192.168.1.0/24.
src-ipv4-maskbits
Number of bits in a subnet mask to specify a network segment that should follow the
persistence rule.
For example, if you set this to 24, and the system chooses a particular gateway router for
client IP 192.168.1.100, the system will select that same gateway for subsequent client
requests when the subsequent client belongs to subnet 192.168.1.0/24.
Example
FortiADC-VM # config link-load-balance persistence
FortiADC-VM (persistence) # edit llb-persistence
Add new entry 'llb-persistence' for node 674
FortiADC-VM (llb-persistence) # get
type : source-destination-pair
timeout : 300
FortiADC-VM (llb-persistence) # end
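The persistence types and maskbits described above, as an added Python model (not FortiADC code): it derives the key under which a gateway choice is remembered for each of the four rule types and replays lookups against the documented 300-second timeout. The PersistenceRule and PersistenceTable names, and the assumption that a hit refreshes the idle timer, are ours.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed model of 'config link-load-balance persistence'; not FortiADC code.


@dataclass(frozen=True)
class PersistenceRule:
    """Mirror of the persistence fields with the documented defaults."""
    type: str                      # destination-address | source-address |
                                   # source-destination-address | source-destination-pair
    src_ipv4_maskbits: int = 32
    dst_ipv4_maskbits: int = 32
    timeout: int = 300             # seconds


def _subnet(ip: str, maskbits: int) -> str:
    """Apply the maskbits prefix: 192.168.1.100 with 24 bits -> '192.168.1.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{maskbits}", strict=False))


def persistence_key(rule: PersistenceRule, src_ip: str, dst_ip: str) -> Tuple[str, ...]:
    """The tuple of (masked) addresses that must be equal for two packets to share a gateway."""
    if rule.type == "source-address":
        return ("src", _subnet(src_ip, rule.src_ipv4_maskbits))
    if rule.type == "destination-address":
        return ("dst", _subnet(dst_ip, rule.dst_ipv4_maskbits))
    if rule.type == "source-destination-address":
        return ("src", _subnet(src_ip, rule.src_ipv4_maskbits),
                "dst", _subnet(dst_ip, rule.dst_ipv4_maskbits))
    if rule.type == "source-destination-pair":
        # Exact address pair: the maskbits do not apply to this type.
        return ("src", src_ip, "dst", dst_ip)
    raise ValueError(f"unknown persistence type: {rule.type}")


@dataclass
class PersistenceTable:
    """Remembers the gateway chosen per key until the entry has been idle for 'timeout' seconds."""
    rule: PersistenceRule
    entries: Dict[Tuple[str, ...], Tuple[str, float]] = field(default_factory=dict)

    def select_gateway(self, src_ip: str, dst_ip: str, now: float,
                       choose: Callable[[], str]) -> Tuple[str, bool]:
        """Return (gateway, hit). 'choose' is the load-balancing decision used on a miss."""
        key = persistence_key(self.rule, src_ip, dst_ip)
        entry = self.entries.get(key)
        if entry is not None and now - entry[1] < self.rule.timeout:
            self.entries[key] = (entry[0], now)   # assumption: idle timer refreshed on use
            return entry[0], True
        gateway = choose()
        self.entries[key] = (gateway, now)
        return gateway, False


if __name__ == "__main__":
    # Constructed walk-through of the dst-ipv4-maskbits example in the reference.
    rule = PersistenceRule("destination-address", dst_ipv4_maskbits=24)
    gateways = iter(["llb-gateway-1", "llb-gateway-2"])
    table = PersistenceTable(rule)
    print(table.select_gateway("10.0.0.5", "192.168.1.100", 0.0, lambda: next(gateways)))
    print(table.select_gateway("10.0.0.9", "192.168.1.250", 100.0, lambda: next(gateways)))
```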
config link-load-balance proximity-route
Use this command to configure proximity routing.
The proximity route feature enables you to associate link groups with efficient routes. Proximity routes can improve user
experience over the WAN because traffic is routed over fast routes.
You can use either or both of these methods:
• Dynamic Detection—The system polls the network for efficient routes. The algorithm selects a gateway based on
latency, time-to-live (TTL), and traffic load.
• Static Table—You specify the gateways to use for traffic on destination networks.
If you configure both, the system checks the static table first for a matching route and, if any, uses it. If there is no
matching static route, the system uses dynamic detection.
Before you begin:
• You must have knowledge of IP addresses used in outbound network routes to configure a static route.
• You must have read-write permission for link load balancing settings.
Syntax
config link-load-balance proximity-route
set mode {disable | dynamic-detect-only | static-table-first | static-table-only}
set dynamic-cache-aging-period <integer>
set dynamic-detect-protocol icmp
set dynamic-detect-retry-count <integer>
set dynamic-detect-retry-interval <integer>
config static-table
edit <No.>
set destination <ip&netmask>
set gateway <class_ip>
next
end
next
end
mode
• disable
• dynamic-detect-only
• static-table-first
• static-table-only
dynamic-cache-aging-period
The default is 86,400 seconds (24 hours).
dynamic-detect-protocol icmp
ICMP is the only supported protocol.
dynamic-detect-retry-count
The default is 3.
dynamic-detect-retry-interval The default is 3.
config static-table
destination
Address/mask notation to match the destination IP address in the packet header.
gateway
IP address for the gateway router.
Example
FortiADC-VM # config link-load-balance proximity-route
FortiADC-VM (proximity-route) # set mode static-table-first
FortiADC-VM (proximity-route) # get
mode : static-table-first
dynamic-detect-protocol: icmp
dynamic-detect-retry-count: 3
dynamic-detect-retry-interval: 3
dynamic-cache-aging-period: 86400
FortiADC-VM (proximity-route) # config static-table
FortiADC-VM (static-table) # edit 1
Add new entry '1' for node 687
FortiADC-VM (1) # set gateway 198.51.100.0
FortiADC-VM (1) # set destination 198.51.100.10
FortiADC-VM (1) # end
FortiADC-VM (proximity-route) # get
mode : static-table-first
dynamic-detect-protocol: icmp
dynamic-detect-retry-count: 3
dynamic-detect-retry-interval: 3
dynamic-cache-aging-period: 86400
== [ 1 ]
FortiADC-VM (proximity-route) # show
config link-load-balance proximity-route
set mode static-table-first
config static-table
edit 1
set destination 198.51.100.10/32
set gateway 198.51.100.0
next
end
end
config link-load-balance service
Use this command to create the service objects that you use in link load balancing policy rules.
Basic Steps
1. Create service objects.
2. Specify them when you configure your policies.
Before you begin:
• You must have read-write permission for link load balancing settings.
Syntax
config link-load-balance service
edit <name>
set destination-port-min <integer>
set destination-port-max <integer>
set protocol <integer>
set source-port-min <integer>
set source-port-max <integer>
next
end
destination-port-min First port number in the listening port number/range. For example, web servers usually
listen on TCP port 80 (HTTP). Valid range: 0 - 65535.
destination-port-max Last port number in the listening port number/range.
protocol
Number in the IPv4 Protocol/IPv6 Next Header field that identifies the protocol, such as 1
(ICMP), 6 (TCP) or 17 (UDP).
source-port-min
First port number in the originating port number/range. For some protocols, this may be a
single, predictable number, such as 162 (SNMP). For others, it is dynamically chosen from
available ports in the 49152-65535 range.
source-port-max
Last port number in the originating port number/range.
Example
FortiADC-VM # config link-load-balance service
FortiADC-VM (service) # edit llb-http
Add new entry 'llb-fw' for node 1862
FortiADC-VM (llb-http) # get
protocol : 1
source-port-min : 0
source-port-max : 65535
destination-port-min: 0
destination-port-max: 65535
FortiADC-VM (llb-http) # set protocol 6
FortiADC-VM (llb-http) # set destination-port-min 80
FortiADC-VM (llb-http) # set destination-port-max 80
FortiADC-VM (llb-http) # get
protocol : 6
source-port-min : 0
source-port-max : 65535
destination-port-min: 80
destination-port-max: 80
FortiADC-VM (llb-http) # end
config link-load-balance virtual-tunnel
Use this command to configure virtual tunnels.
Virtual tunnels enable reliable, site-to-site connectivity using Generic Routing Encapsulation (GRE) to tunnel traffic
between pairs of FortiADC appliances.
The virtual tunnel group configuration sets the list of tunnel members, as well as load balancing options like algorithm and
weight.
When you add members to a virtual tunnel configuration, you specify a local and remote IP address. These addresses
are IP addresses assigned to a network interface on the local and remote FortiADC appliance.
Before you begin:
• You must have read-write permission for link load balance settings.
After you have configured a virtual tunnel configuration object, you can select it in the link policy configuration.
Syntax
config link-load-balance virtual-tunnel
edit <name>
set dispatch-method {vt-wrr|vt-chash}
config vt-member
edit <name>
set health-check-ctrl {enable|disable}
set status {enable|disable}
set tunnel-local-addr <class_ip>
set tunnel-remote-addr <class_ip>
set weight <integer>
next
end
next
end
dispatch-method
• vt-wrr: Dispatches packets to VT members using a weighted round-robin method.
• vt-chash: Dispatches packets by source-destination IP address tuple.
health-check-ctrl
• enable—Send probes to test whether the link is available.
• disable—Do not send probes to test the health of the link.
status
• enable—The member is considered available for new traffic.
• disable—The member is considered unavailable for new traffic.
tunnel-local-addr
IP address for the network interface this system uses to form a VPN tunnel with the remote
system.
tunnel-remote-addr
IP address that the remote FortiADC system uses to form a VPN tunnel with this system.
weight
Assigns relative preference among members—higher values are more preferred and are
assigned connections more frequently.
Example
FortiADC-VM # config link-load-balance virtual-tunnel
FortiADC-VM (virtual-tunnel) # edit llb-vt
Add new entry 'llb-vt' for node 222
FortiADC-VM (llb-vt) # get
dispatch-method : vt-wrr
FortiADC-VM (llb-vt) # config vt-member
FortiADC-VM (vt-member) # edit vt-member-1
Add new entry 'vt-member-1' for node 225
FortiADC-VM (vt-member-1) # get
tunnel-local-addr : 0.0.0.0
tunnel-remote-addr : 0.0.0.0
weight : 1
status : enable
health-check-ctrl : disable
FortiADC-VM (vt-member-1) # set health-check-ctrl enable
FortiADC-VM (vt-member-1) # set tunnel-local-addr 192.0.2.10
FortiADC-VM (vt-member-1) # set tunnel-remote-addr 198.51.100.10
FortiADC-VM (vt-member-1) # end
FortiADC-VM (llb-vt) # get
dispatch-method : vt-wrr
== [ vt-member-1 ]
FortiADC-VM (llb-vt) # show
config link-load-balance virtual-tunnel
edit "llb-vt"
config vt-member
edit "vt-member-1"
set tunnel-local-addr 192.0.2.10
set tunnel-remote-addr 198.51.100.10
set health-check-ctrl enable
next
end
next
end
config load-balance
The config load-balance commands configure the load-balancing feature settings.
This chapter is a reference for the following commands:
config load-balance caching
config load-balance compression
config load-balance connection-pool
config load-balance content-rewriting
config load-balance content-routing
config load-balance error-page
config load-balance health-check
config load-balance ippool
config load-balance method
config load-balance persistence
config load-balance pool
config load-balance profile
config load-balance reputation
config load-balance reputation-exception
config load-balance ssl
config load-balance virtual-server
config load-balance caching
Use this command to configure the system cache.
The system cache can store HTTP content. The system can serve subsequent HTTP requests for that content without
forwarding the requests to the backend servers, thereby reducing the load on the backend servers.
In general, the RAM cache conforms with the cache requirements described in sections 13 and 14 in RFC 2616.
If caching is enabled for the profile that is applied to traffic processing, the system evaluates HTTP responses to
determine whether or not to cache the content. HTTP responses with status codes 200, 203, 300, 301, 400 can be
cached.
The following content is not cached:
• A response that does not include the Content-Length header.
• A response for a request that uses any method other than GET.
• A response for a request whose URI is in the URI Exclude List.
• A response for a request that contains any of the following headers: If-Match, If-Unmodified-Since, Authorization,
Proxy-Authorization.
• A response that contains any of the following headers: Pragma, Vary, Set-Cookie, and Set-Cookie2.
• A response that does not contain the following headers: Cache-Control, Expires.
• A response with a Cache-Control header that has one of the following values: no-cache, no-store, private.
• A response with a Cache-Control header that does not have any of the following values: public, max-age, s-maxage.
In addition, content is not cached if the user-configured RAM cache thresholds described below are exceeded, or if the
content is contained in a response for a request to a URI in the user-specified URI Exclude List.
Before you begin:
• You must have a good understanding of caching and knowledge about the size of content objects clients access on
the backend servers.
• You must have read-write permission for load balancing settings.
Caching is not enabled by default. After you have configured caching, you can select it in the profile configuration. To
enable caching, select the profile when you configure the virtual server.
Syntax
config load-balance caching
edit <name>
set max-age <integer>
set max-cache-size <integer>
set max-entries <integer>
set max-object-size <integer>
config uri_exclude_list
edit <No.>
set uri <string>
next
end
next
end
max-age
The default is 43,200 seconds. The valid range is 60 to 86,400.
The backend real server response header also includes a maximum age value. The
FortiADC system enforces whichever value is smaller.
max-cache-size
The default is 100 MB. The valid range is 1 byte to 500 MB.
max-entries
The default is 10,000. The valid range is 1 to 262,144.
max-object-size
The default is 1 MB. The valid range is 1 byte to 10 MB.
config uri_exclude_list
uri
Specify URIs to build a list of sites to exclude from caching. You can use regular
expressions.
Example
FortiADC-VM # config load-balance caching
FortiADC-VM (caching) # edit lb-caching
Add new entry 'lb-caching' for node 2054
FortiADC-VM (lb-caching) # get
max-object-size : 1M
max-cache-size : 100M
max-entries : 10000
max-age : 43200
FortiADC-VM (lb-caching) # set max-cache-size 50M
FortiADC-VM (lb-caching) # end
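The cacheability rules and RAM cache thresholds described in this section, as an added Python model (not FortiADC code) that walks a response through every rule in order and reports the first one that blocks caching, plus the effective age (the smaller of the configured max-age and the server's). The CachingConfig and CacheVerdict names are ours; so are three interpretations: header names compare case-insensitively, URI Exclude List entries are regular expressions searched against the request URI, and the "Cache-Control, Expires" rule means the response carries neither header.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of the 'config load-balance caching' decision; not FortiADC code.

CACHEABLE_STATUS = {200, 203, 300, 301, 400}
BLOCKING_REQUEST_HEADERS = {"if-match", "if-unmodified-since",
                            "authorization", "proxy-authorization"}
BLOCKING_RESPONSE_HEADERS = {"pragma", "vary", "set-cookie", "set-cookie2"}
CC_FORBID = {"no-cache", "no-store", "private"}
CC_REQUIRE_ONE_OF = {"public", "max-age", "s-maxage"}


@dataclass
class CachingConfig:
    """Fields of 'config load-balance caching' with the documented defaults (sizes in bytes)."""
    max_age: int = 43200
    max_cache_size: int = 100 * 1024 * 1024
    max_entries: int = 10000
    max_object_size: int = 1024 * 1024
    uri_exclude_list: List[str] = field(default_factory=list)


@dataclass
class CacheVerdict:
    cacheable: bool
    reason: str
    ttl: Optional[int] = None   # seconds the entry may be served, when cacheable


def cache_control_directives(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=600' -> {'public': None, 'max-age': '600'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_decision(cfg: CachingConfig, method: str, uri: str,
                   req_headers: Dict[str, str], status: int,
                   resp_headers: Dict[str, str], body_len: int,
                   cache_used_bytes: int = 0, cache_entries: int = 0) -> CacheVerdict:
    """Apply the reference's 'not cached' rules, then the user-configured thresholds."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}

    if method != "GET":
        return CacheVerdict(False, "request method is not GET")
    if status not in CACHEABLE_STATUS:
        return CacheVerdict(False, f"status {status} is not cacheable")
    if "content-length" not in resp:
        return CacheVerdict(False, "response has no Content-Length header")
    if any(re.search(pattern, uri) for pattern in cfg.uri_exclude_list):
        return CacheVerdict(False, "request URI is in the URI Exclude List")
    blocked = sorted(set(req) & BLOCKING_REQUEST_HEADERS)
    if blocked:
        return CacheVerdict(False, f"request carries {blocked[0]}")
    blocked = sorted(set(resp) & BLOCKING_RESPONSE_HEADERS)
    if blocked:
        return CacheVerdict(False, f"response carries {blocked[0]}")
    if "cache-control" not in resp and "expires" not in resp:
        return CacheVerdict(False, "response has neither Cache-Control nor Expires")

    cc = cache_control_directives(resp.get("cache-control", ""))
    if set(cc) & CC_FORBID:
        return CacheVerdict(False, "Cache-Control forbids caching")
    if "cache-control" in resp and not set(cc) & CC_REQUIRE_ONE_OF:
        return CacheVerdict(False, "Cache-Control lacks public, max-age or s-maxage")

    # User-configured RAM cache thresholds.
    if body_len > cfg.max_object_size:
        return CacheVerdict(False, "object exceeds max-object-size")
    if cache_used_bytes + body_len > cfg.max_cache_size:
        return CacheVerdict(False, "cache would exceed max-cache-size")
    if cache_entries >= cfg.max_entries:
        return CacheVerdict(False, "cache already holds max-entries objects")

    # The smaller of the configured max-age and the server's max-age is enforced.
    ttl = cfg.max_age
    server_age = cc.get("max-age")
    if server_age is not None and server_age.isdigit():
        ttl = min(ttl, int(server_age))
    return CacheVerdict(True, "cacheable", ttl)
```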
config load-balance compression
Use this command to configure compression options.
The following content types can be compressed:
• application/javascript
• application/soap+xml
• application/x-javascript
• application/xml
• text/css
• text/html
• text/javascript
• text/plain
• text/xml
Not all HTTP responses should be compressed. Compression offers the greatest performance improvement when
applied to URLs whose media types compress well, such as repetitive text (tagged HTML, for example) and scripts
(JavaScript, for example). Files that already contain efficient compression, such as GIF images, usually should not be
compressed, because the CPU usage and time spent compressing them result in increased delay rather than improved
network throughput. Plain text files in which no words are repeated, such as configurations with unique URLs or IPs,
also may not be appropriate for compression.
Before you begin:
• You must have a good understanding of HTTP compression and knowledge of the content types served from the
backend real servers.
• You must have read-write permission for load balancing settings.
Compression is not enabled by default. After you have configured a compression rule, you can select it in the profile
configuration. To enable compression, select the profile when you configure the virtual server.
Syntax
config load-balance compression
edit <name>
set cpu-limit <integer>
set max-cpu-usage <integer>
set min-content-length <integer>
set uri-list-type {include | exclude}
config uri_list
edit <No.>
set uri <string>
next
end
config content_types
edit <No.>
set content-type {application/javascript | application/soap+xml |
application/x-javascript | application/xml | text/css | text/html |
text/javascript | text/plain | text/xml}
next
end
next
end
cpu-limit
Enable/disable application of a CPU limit.
max-cpu-usage
Maximum CPU usage for compression operations. The default is 80.
min-content-length
Do not compress files smaller than this size. The default is 1024 bytes.
uri-list-type
Specify whether to include or exclude items in the list from compression.
config uri_list
uri
Specify URIs to build a list of sites to include in or exclude from compression. You can use
regular expressions.
config content_type
content-type
• application/javascript
• application/soap+xml
• application/x-javascript
• application/xml
• text/css
• text/html
• text/javascript
• text/plain
• text/xml
Example
FortiADC-VM (compression) # config load-balance compression
FortiADC-VM (compression) # edit lb-compression
Add new entry 'lb-compression' for node 1627
FortiADC-VM (lb-compression) # get
min-content-length : 1024
cpu-limit : enable
max-cpu-usage : 80
uri-list-type : exclude
FortiADC-VM (lb-compression) # set max-cpu-usage 50
FortiADC-VM (lb-compression) # end
config load-balance connection-pool
Use this command to configure connection pool settings.
A connection pool enables Layer 7 load balancing virtual servers to “reuse” existing TCP connections. In the same way
that persistent HTTP connections allow a single HTTP connection to retrieve multiple objects, TCP multiplexing allows
the virtual server to use a single connection between FortiADC and the backend servers for multiple sessions. Using this
connection pool can reduce the impact of TCP overhead on web server and application performance.
Before you begin:
• You must have read-write permission for load balancing feature settings.
After you have created a connection pool configuration, you can specify it in a virtual server configuration.
Note: The feature is not supported for virtual servers that use HTTPS or TCPS profiles, or profiles with the Source
Address option enabled.
Syntax
config load-balance connection-pool
edit <name>
set age <integer>
set reuse <integer>
set size <integer>
set timeout <integer>
next
end
age
Maximum duration of a connection in seconds. The recommended value is 3000.
reuse
Maximum number of times that the virtual server can reuse the connection. The recommended value
is 2000.
size
Maximum number of connections in the connection pool. The recommended value is 0, which
specifies that there is no limit on the connection size.
timeout
Maximum number of seconds a connection can be idle before the system deletes it. The
recommended value is 30.
Example
FortiADC-VM # config load-balance connection-pool
FortiADC-VM (connection-pool) # edit lb-connection-pool
Add new entry 'lb-connection-pool' for node 1698
FortiADC-VM (lb-connec~i) # get
size : 10000
age : 86400
reuse : 10000
timeout : 50
FortiADC-VM (lb-connec~i) # set age 3000
FortiADC-VM (lb-connec~i) # set reuse 2000
FortiADC-VM (lb-connec~i) # set size 0
FortiADC-VM (lb-connec~i) # set timeout 30
FortiADC-VM (lb-connec~i) # get
size : 0
age : 3000
reuse : 2000
timeout : 30
FortiADC-VM (example-connec~i) # end
config load-balance content-rewriting
Use this command to configure content rewriting rules.
You might rewrite the HTTP headers for various reasons, including the following:
• Redirect HTTP to HTTPS—You can use the content rewriting feature to send redirects when the requested resource
requires a secure connection. For example, create a rule that matches requests to
http://example.com/resource with an action to send a redirect that has the secure URL in the Location
header: https://example.com/resource.
• External-to-internal URL translation—It is standard for web servers to have external and internal domain names.
You can use content-based routing to forward HTTP requests to example.com to a server pool that includes
server1.example.com, server2.example.com, and server3.example.com. When you use content routing like this, you
should also rewrite the Location header in the HTTP response so that the client receives HTTP with example.com in
the header and not the internal domain server1.example.com. Create a rule that matches the regular expression
server.*\.example\.com in the Location header of the HTTP response with an action to rewrite the Location
header with the public URL http://example.com.
• Other security reasons—Another use case for external-to-internal URL translation involves masking pathnames that
give attackers information about your web applications. For example, the unmasked URL for a blog might be
http://www.example.com/wordpress/?feed=rss2, which exposes that the blog is a WordPress application. In this case,
you want to publish an external URL that does not have clues of the underlying technology. For example, in your web
pages, you create links to http://www.example.com/blog. On FortiADC, you create a rule that matches requests to
http://www.example.com/resource2 with an action to rewrite the URL to the internal URL
http://www.example.com/wordpress/?feed=rss2. For the return traffic, you create another rule that
matches http://www.example.com/wordpress/?feed=rss2 in the Location header of the HTTP response
with an action to rewrite it with the public URL http://www.example.com/blog.
Table 7 summarizes the HTTP header fields that can be rewritten.
Table 7: HTTP header rewriting
Direction        HTTP Header
HTTP Request     Host, Referer
HTTP Redirect    Location
HTTP Response    Location
The first line of an HTTP request includes the HTTP method, relative URL, and HTTP version. The next lines are headers
that communicate additional information. The following example shows the HTTP request for the URL
http://www.example.com/index.html:
GET /index.html HTTP/1.1
Host: www.example.com
Referer: http://www.google.com
The following is an example of an HTTP redirect including the HTTP Location header:
HTTP/1.1 302 Found
Location: http://www.iana.org/domains/example/
You can use literal strings or regular expressions to match traffic to rules. To match a request URL such as
http://www.example.com/index, you create two match conditions: one for the Host header www.example.com and
another for the relative URL that is in the GET line: /index.html.
For HTTP redirect rules, you can specify the rewritten location as a literal string or as a regular expression. For all other
types of rules, you must specify the complete URL as a literal string.
Before you begin:
• You must have a good understanding of HTTP header fields.
• You must have a good understanding of Perl-compatible regular expressions (PCRE) if you want to use them in rule
matching or rewriting.
• You must have read-write permission for load balancing settings.
After you have configured a content rewriting rule, you can select it in the virtual server configuration.
Note: You can select multiple content rewriting rules in the virtual server configuration. Rules you add to that
configuration are consulted from top to bottom. The first to match is applied. If the traffic does not match any of the
content rewriting rule conditions, the header is not rewritten.
Syntax
config load-balance content-rewriting
edit <name>
set action-type {request|response}
set action {redirect | rewrite_http_header | rewrite_http_location |
send-403-forbidden}
set redirect <string>
set host-status {enable|disable}
set host <string>
set referer-status {enable|disable}
set referer <string>
set url-status {enable|disable}
set url <string>
set location <string>
set comments <string>
config match-condition
edit <No.>
set content <string>
set object {http-host-header | http-location-header | http-referer-header |
http-request-url | ip-source-address}
set reverse {enable|disable}
set type {string | regular-expression}
next
end
next
end
action-type
Specify whether to rewrite the HTTP request or HTTP response.
action
If you configure a rule based on the HTTP request, you can specify the following actions:
• rewrite_http_header
• redirect
• send-403-forbidden
If you configure a rule based on the HTTP response, you can specify the following action:
• rewrite_http_location
redirect
Sends a redirect with the URL you specify in the HTTP Location header field.
For Redirect rules, specify an absolute URL. For example:
https://example.com/content/index.html
Note: The rewrite string can be a literal string or a regular expression.
host-status
Enable/disable rewriting the Host header by replacing the hostname with the string you specify.
host
Rewrites the Host header by replacing the hostname with the string you specify. For Host rules,
specify a replacement domain and/or port.
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
referer-status
Enable/disable rewriting the Referer header with the URL you specify.
referer
Rewrites the Referer header with the URL you specify. For Referer rules, you must specify an
absolute URL.
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
url-status
Enable/disable rewriting the Host header by replacing the whole URL with the string you specify.
url
Rewrites the request URL and Host header using the string you specify. For URL rules, specify
a URL in one of the following formats:
• Absolute URL — https://example.com/content/index.html
• Relative URL — content/index.html
If you specify a relative URL, the host header is not rewritten.
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
location
For Location rules, specify an absolute URL. For example:
https://example.com/content/index.html
Note: The rewrite string is a literal string. Regular expression syntax is not supported.
comments
Optional administrator note.
config match-condition
content
Specify the string or regular expression syntax.
object
Specify content matching conditions based on the following parameters:
• http-host-header
• http-location-header
• http-referer-header
• http-request-url
• ip-source-address
Note: When you add multiple conditions, FortiADC joins them with an AND operator. For
example, if you specify both a HTTP Host Header and HTTP Request URL to match, the rule is
a match only for traffic that meets both conditions.
reverse
Rule matches if traffic does not match the expression.
type
• string
• regular-expression
Example
The following example creates a configuration to rewrite a literal string:
FortiADC-VM # config load-balance content-rewriting
FortiADC-VM (content-rewrit~n) # edit c-rewrite-0
Add new entry 'c-rewrite-0' for node 1737
FortiADC-VM (c-rewrite-0) # set action redirect
FortiADC-VM (c-rewrite-0) # set redirect https://example.com/resource
FortiADC-VM (c-rewrite-0) # set comments http-to-https
FortiADC-VM (c-rewrite-0) # config match-condition
FortiADC-VM (match-condition) # edit 1
FortiADC-VM (1) # set type string
FortiADC-VM (1) # set object http-host-header
FortiADC-VM (1) # set content www.example.com
FortiADC-VM (1) # next
FortiADC-VM (match-condition) # edit 2
FortiADC-VM (2) # set type string
FortiADC-VM (2) # set object http-request-url
FortiADC-VM (2) # set content /resource
FortiADC-VM (2) # end
The following example creates a configuration to rewrite using a regular expression:
FortiADC-VM (content-rewrit~n) # edit c-rewrite-1
FortiADC-VM (c-rewrite-1) # set action redirect
FortiADC-VM (c-rewrite-1) # set redirect https://$0/$1
FortiADC-VM (c-rewrite-1) # set comments http-to-https
FortiADC-VM (c-rewrite-1) # config match-condition
FortiADC-VM (match-condition) # edit 1
FortiADC-VM (1) # set type regular-expression
FortiADC-VM (1) # set object http-host-header
FortiADC-VM (1) # set content (.*)
FortiADC-VM (1) # next
FortiADC-VM (match-condition) # edit 2
FortiADC-VM (2) # set type regular-expression
FortiADC-VM (2) # set object http-request-url
FortiADC-VM (2) # set content ^/(.*)$
FortiADC-VM (2) # end
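The two rules configured in the examples above (c-rewrite-0 with literal conditions, c-rewrite-1 with regular expressions and the https://$0/$1 redirect), as an added Python model (not FortiADC code) that parses a request head like the one shown earlier in this section, evaluates the AND-joined match conditions top to bottom, and expands the redirect string. The MatchCondition, RewriteRule and apply_rules names are ours, as are three assumptions: a string condition is an exact comparison, a regular-expression condition is searched with Python's re module standing in for PCRE, and $0, $1, ... number the capture groups collected from the rule's conditions in order.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of 'config load-balance content-rewriting'; not FortiADC code.


@dataclass
class MatchCondition:
    object: str             # http-host-header | http-request-url | http-referer-header |
                            # http-location-header | ip-source-address
    content: str
    type: str = "string"    # or "regular-expression"
    reverse: bool = False   # rule matches if traffic does NOT match the expression


@dataclass
class RewriteRule:
    name: str
    action: str             # redirect | rewrite_http_header | send-403-forbidden | ...
    redirect: str = ""
    conditions: List[MatchCondition] = field(default_factory=list)


def parse_request_head(text: str, source_ip: str = "") -> Dict[str, str]:
    """Map a request line plus headers onto the object names a match condition uses."""
    lines = text.strip().splitlines()
    method, url, _version = lines[0].split()
    fields = {"method": method, "http-request-url": url, "ip-source-address": source_ip}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields["http-" + name.strip().lower() + "-header"] = value.strip()   # Host -> http-host-header
    return fields


def evaluate_condition(cond: MatchCondition, request: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (matched, capture groups). A reversed condition never contributes captures."""
    value = request.get(cond.object, "")
    if cond.type == "string":
        hit, groups = value == cond.content, []
    elif cond.type == "regular-expression":
        m = re.search(cond.content, value)
        hit, groups = m is not None, (list(m.groups()) if m else [])
    else:
        raise ValueError(f"unknown condition type: {cond.type}")
    if cond.reverse:
        return (not hit), []
    return hit, groups


def expand(template: str, captures: List[str]) -> str:
    """Replace $0, $1, ... in the redirect string with the collected capture groups."""
    def repl(m: "re.Match[str]") -> str:
        idx = int(m.group(1))
        if idx >= len(captures):
            raise ValueError(f"${idx} refers to a capture group the conditions did not produce")
        return captures[idx]
    return re.sub(r"\$(\d+)", repl, template)


def apply_rules(rules: List[RewriteRule],
                request: Dict[str, str]) -> Optional[Tuple[str, str, Optional[str]]]:
    """Consult rules top to bottom; the first whose conditions all match (AND) is applied."""
    for rule in rules:
        captures: List[str] = []
        for cond in rule.conditions:
            hit, groups = evaluate_condition(cond, request)
            if not hit:
                break
            captures.extend(groups)
        else:
            if rule.action == "redirect":
                return rule.name, "redirect", expand(rule.redirect, captures)
            return rule.name, rule.action, None
    return None          # no rule matched: the request is left as is


# The two rules from the CLI examples above.
RULES = [
    RewriteRule("c-rewrite-0", "redirect", "https://example.com/resource",
                [MatchCondition("http-host-header", "www.example.com"),
                 MatchCondition("http-request-url", "/resource")]),
    RewriteRule("c-rewrite-1", "redirect", "https://$0/$1",
                [MatchCondition("http-host-header", "(.*)", "regular-expression"),
                 MatchCondition("http-request-url", "^/(.*)$", "regular-expression")]),
]

if __name__ == "__main__":
    # Constructed request, in the format shown in this section.
    head = "GET /index.html HTTP/1.1\nHost: www.example.com\nReferer: http://www.google.com\n"
    print(apply_rules(RULES, parse_request_head(head)))
```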
config load-balance content-routing
Use this command to configure content routing.
Content routes select the backend server pool based on matches to TCP/IP or HTTP header values.
Layer 7 content route rules are based on matches to the following header values:
• HTTP Host
• HTTP Referer
• HTTP Request URL
• SNI
• Source IP address
You might want to use Layer 7 content routes to simplify front-end coding of your web pages or to obfuscate the precise
server names from clients. For example, you can publish links to a simple URL named example.com and use content
route rules to direct traffic for requests to example.com to a server pool that includes server1.example.com,
server2.example.com, and server3.example.com.
Layer 4 content route rules are based on matches to the following header values:
• Source IP address
Before you begin:
• You must have a good understanding of HTTP header fields.
• You must have a good understanding of Perl-compatible regular expressions (PCRE) if you want to use them in rule
matching.
• You must have read-write permission for load balancing settings.
After you have configured a content routing rule, you can select it in the virtual server configuration.
Note: You can select multiple content routing rules in the virtual server configuration. Rules you add to that configuration
are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content routing
rule conditions specified in the virtual server configuration, the system behaves unexpectedly. Therefore, it is important
that you create a “catch all” rule that has no match conditions. In the virtual server configuration, this rule should be
ordered last so it can be used to forward traffic to a default pool.
Syntax
config load-balance content-routing
edit <name>
set type {l4-content-routing | l7-content-routing}
set ip <ip&netmask>
set ip6 <ip&netmask>
set connection-pool-inherit {enable|disable}
set connection-pool <datasource>
set load-balance-pool <datasource>
set method-inherit {enable|disable}
set load-balance-method <datasource>
set persistence-inherit {enable|disable}
set load-balance-persistence <datasource>
set comments <string>
config match-condition
edit <No.>
set content <string>
set object {http-host-header | http-referer-header | http-request-url |
ip-source-address | sni}
set reverse {enable|disable}
set type {string | regular-expression}
next
end
next
end
type
• l4-content-routing
• l7-content-routing
ip
Address/mask notation to match the source IP address in the packet header.
ip6
Address/mask notation to match the source IP address in the packet header.
connection-pool-inherit
Enable to use the connection pool configuration object specified in the virtual server
configuration.
connection-pool
If not using inheritance, specify the connection pool.
load-balance-pool
Specify a real server pool.
method-inherit
Enable to use the method specified in the virtual server configuration.
load-balance-method
If not using inheritance, select a load balancing method type.
persistence-inherit
Enable to use the persistence object specified in the virtual server configuration.
load-balance-persistence
If not using inheritance, select a session persistence type.
comments
Optional administrator note.
config match-condition
content
Specify the string or regular expression syntax.
object
Specify content matching conditions based on the following parameters:
• http-host-header
• http-referer-header
• http-request-url
• sni
• ip-source-address
Note: When you add multiple conditions, FortiADC joins them with an AND operator.
For example, if you specify both a HTTP Host Header and HTTP Request URL to
match, the rule is a match only for traffic that meets both conditions.
reverse
Rule matches if traffic does not match the expression.
type
• string
• regular-expression
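The rule evaluation described above (conditions within one rule joined by AND, rules consulted top to bottom with the first match applied, and a condition-free "catch all" rule ordered last) modelled in Python as an added example; this is not FortiADC code. It assumes a string condition is an exact match and a regular-expression condition is a search, and adds a small pre-deployment lint for the catch-all ordering that the reference's note warns about.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not FortiADC code: models how a virtual server consults its
# content-routing rules. Assumptions: a "string" condition is an exact match,
# a "regular-expression" condition is a PCRE-style search, the conditions of
# one rule are ANDed (as the reference states), and "reverse" negates a
# single condition.


@dataclass
class MatchCondition:
    object: str        # http-host-header, http-referer-header, http-request-url, sni, ip-source-address
    type: str          # "string" or "regular-expression"
    content: str
    reverse: bool = False

    def matches(self, request: Dict[str, str]) -> bool:
        value = request.get(self.object, "")
        if self.type == "string":
            hit = value == self.content
        elif self.type == "regular-expression":
            hit = re.search(self.content, value) is not None
        else:
            raise ValueError(f"unknown condition type {self.type!r}")
        return (not hit) if self.reverse else hit


@dataclass
class ContentRoute:
    name: str
    pool: str          # load-balance-pool
    conditions: List[MatchCondition] = field(default_factory=list)

    def matches(self, request: Dict[str, str]) -> bool:
        # A rule with no conditions is the "catch all" rule: all() of nothing is True.
        return all(c.matches(request) for c in self.conditions)


def select_pool(routes: List[ContentRoute], request: Dict[str, str]) -> Optional[str]:
    """Rules are consulted top to bottom and the first match is applied.
    None means no rule matched, the case the reference warns about."""
    for route in routes:
        if route.matches(request):
            return route.pool
    return None


def lint_routes(routes: List[ContentRoute]) -> List[str]:
    """Pre-deployment checks: a catch-all must exist and must be ordered last,
    and every regular expression must compile."""
    problems = []
    catch_all = [i for i, r in enumerate(routes) if not r.conditions]
    if not catch_all:
        problems.append("no catch-all rule: unmatched traffic has no default pool")
    elif catch_all[0] != len(routes) - 1:
        problems.append(f"catch-all rule {routes[catch_all[0]].name!r} is not last; "
                        "rules after it are never consulted")
    for r in routes:
        for c in r.conditions:
            if c.type == "regular-expression":
                try:
                    re.compile(c.content)
                except re.error as exc:
                    problems.append(f"rule {r.name!r}: invalid regex {c.content!r}: {exc}")
    return problems


# Constructed sample configuration, in the spirit of the reference's example.com scenario.
ROUTES = [
    ContentRoute("api", "api-pool", [
        MatchCondition("http-host-header", "string", "www.example.com"),
        MatchCondition("http-request-url", "regular-expression", r"^/api/"),
    ]),
    ContentRoute("static", "static-pool", [
        MatchCondition("http-request-url", "regular-expression", r"\.(css|js|png)$"),
    ]),
    ContentRoute("default", "default-pool"),   # catch-all: no match conditions, ordered last
]

if __name__ == "__main__":
    print(select_pool(ROUTES, {"http-host-header": "www.example.com",
                               "http-request-url": "/api/login"}))   # api-pool
    print(select_pool(ROUTES[:-1], {"http-request-url": "/x"}))       # None: no catch-all
    print(lint_routes(ROUTES[:-1]))
```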
Example
FortiADC-VM # config load-balance content-routing
FortiADC-VM (content-routing) # edit example.com
Add new entry 'example.com' for node 1756
FortiADC-VM (example.com) # get
type                    : l7-content-routing
persistence-inherit     : disable
load-balance-persistence:
method-inherit          : disable
load-balance-method     :
connection-pool         :
connection-pool-inherit : disable
load-balance-pool       :
comments                : comments
FortiADC-VM (example.com) # set persistence-inherit enable
FortiADC-VM (example.com) # set method-inherit enable
FortiADC-VM (example.com) # set load-balance-pool example-pool
FortiADC-VM (example.com) # set comments external-to-internal-name-map
FortiADC-VM (example.com) # config match-condition
FortiADC-VM (match-condition) # edit 1
Add new entry '1' for node 1768
FortiADC-VM (1) # get
object  : http-host-header
type    : regular-expression
content : match
reverse : disable
FortiADC-VM (1) # set type string
FortiADC-VM (1) # set content http://example.com
FortiADC-VM (1) # set object http-request-url
FortiADC-VM (1) # end
FortiADC-VM (example.com) # get
type                    : l7-content-routing
persistence-inherit     : enable
method-inherit          : enable
connection-pool         :
connection-pool-inherit : disable
load-balance-pool       : example-pool
== [ 1 ]
comments                : external-to-internal-name-map
FortiADC-VM (example.com) # show
config load-balance content-routing
edit "example.com"
set persistence-inherit enable
set method-inherit enable
set load-balance-pool example-pool
config match-condition
edit 1
set object http-request-url
set type string
set content http://example.com
next
end
set comments external-to-internal-name-map
next
end
FortiADC-VM (example.com) # end
config load-balance error-page
Deprecated. You must use the web UI to upload an error page and create an error page configuration object.
config load-balance health-check
Use this command to create health check configuration objects.
The system uses health checks to poll the backend real servers to test whether an application is available. If a server
fails a health check and retries also fail, it is deemed unavailable. The ADC does not send it connections until it is
deemed available.
If you expect a backend server is going to be unavailable for a long period, such as when it is undergoing
hardware repair, it is experiencing extended down time, or when you have removed it from the server farm,
you can improve the performance of the FortiADC system by setting the status of the pool member to
Disabled, rather than allowing the system to continue to attempt health checks.
Table 8 describes the predefined health checks. You can get started with these or create custom objects.
Table 8: Predefined health check configuration objects
LB_HLTHCK_HTTP: Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200.
LB_HLTHCK_HTTPS: Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200.
LB_HLTHCK_ICMP: Pings the server.
LB_HLTHCK_TCP_ECHO: Sends a TCP echo to server port 7. Expects the server to respond with the corresponding
TCP echo.
Before you begin:
• You must have a good understanding of TCP/IP and knowledge of the services running on your backend servers.
• You must know the IP address, port, and configuration details for the applications running on backend servers. For
some application protocol checks, you must specify user credentials.
• You must have read-write permission for load balancing settings.
After you have configured a health check, you can select it in the real server configuration.
Syntax
config load-balance health-check
edit <name>
set type {dns | ftp | http | https | icmp | imap4 | pop3 | radacct | radius | smtp |
snmp | tcp | tcp-echo | tcphalf | tcpssl}
set interval <integer>
set retry <integer>
set timeout <integer>
set up-retry <integer>
set addr-type {ipv4|ipv6}
set domain-name <string>
set host-addr <class_ip>
set port <integer>
set file <string>
set passive {enable|disable}
set username <string>
set password <passwd>
set match-type {match_all | match_status | match_string}
set method-type {http_get | http_head}
set send-string <string>
set receive-string <string>
set status-code <integer>
set nas-ip <string>
set password-type {user-password | chap-password}
set secret-key <string>
set agent-type {UCD|WIN2000}
set community <string>
set cpu <integer>
set disk <integer>
set mem <integer>
set version {v1|v2c}
next
end
type
Specify the health check type. After you have specified the type, the CLI commands are
constrained to the ones that are applicable to the specified type, not all of the settings described in
this table.
interval
Seconds between each health check. Should be more than the timeout to prevent overlapping
health checks. The default is 10.
retry
Attempts to retry the health check to confirm availability. The default is 1.
timeout
Seconds to wait for a reply before assuming that the health check has failed. The default is 5.
up-retry
Attempts to retry the health check to confirm availability. The default is 1.
addr-type
• IPv4
• IPv6
domain-name
The FQDN, such as www.example.com, to use in the SMTP or DNS A/AAAA record health check.
host-addr
IP address that matches the FQDN, indicating a successful DNS health check.
port
Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is
110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161 or 162.
file
Specify a file that exists on the backend server. Path is relative to the initial login path. If the file
does not exist or is not accessible, the health check fails.
passive
Enable this option if the backend server uses passive FTP.
username
User name of an account on the backend server.
password
The corresponding password.
match-type
What determines a failed health check?
• Match String
• Match Status
• Match All (match both string and status)
method-type
HTTP method for the test traffic:
• HTTP Get
• HTTP Head
send-string
A URL, such as /contact.php.
receive-string
A string expected in return when the request is successful.
status-code
HTTP status code that the server replies with when the request is successful. Except 200 (OK),
most statuses indicate errors.
nas-ip
IP address for RADIUS server.
password-type
• User—If the backend server does not use CHAP, select this option.
• CHAP—If the backend server uses CHAP and does not require a secret key, select this option.
secret-key
The secret set on the backend server.
agent-type
• UCD
• Windows 2000
community
The SNMP community string set on the backend server. If this does not match, and the appliance
is not configured as an SNMP manager for the backend server, all health checks fail.
cpu
Maximum normal CPU usage. If overburdened, the health check fails.
disk
Maximum normal disk usage. If the disk is too full, the health check fails.
mem
Maximum normal RAM usage. If overburdened, the health check fails.
version
SNMP v1 or v2c.
Example
FortiADC-VM # config load-balance health-check
FortiADC-VM (health-check) # edit lb-health-check
Add new entry 'lb-health-check' for node 1669
FortiADC-VM (lb-health~c) # set type ?
dns         dns
ftp         ftp
http        http
https       https
icmp        icmp
imap4       imap4
pop3        pop3
radacct     radacct
radius      radius
smtp        smtp
snmp        snmp
tcp         tcp
tcp-echo    tcp-echo
tcphalf     tcphalf
tcpssl      tcpssl
FortiADC-VM (lb-health~c) # set type snmp
FortiADC-VM (lb-health~c) # get
type        : snmp
interval    : 10
timeout     : 5
retry       : 1
up-retry    : 1
port        : 0
cpu         : 96
mem         : 96
disk        : 96
agent-type  : UCD
community   :
version     : v1
FortiADC-VM (lb-health~c) # set community community-string
FortiADC-VM (lb-health~c) # set port 161
FortiADC-VM (lb-health~c) # set cpu 50
FortiADC-VM (lb-health~c) # set mem 50
FortiADC-VM (lb-health~c) # set disk 50
FortiADC-VM (lb-health~c) # get
type        : snmp
interval    : 10
timeout     : 5
retry       : 1
up-retry    : 1
port        : 161
cpu         : 50
mem         : 50
disk        : 50
agent-type  : UCD
community   : community-string
version     : v1
FortiADC-VM (lb-health~c) # end
config load-balance ippool
Use this command to configure a NAT IP address range pool to be used in a Layer 4 virtual server deployment.
You can configure network address translation (NAT) in a Layer 4 virtual server configuration. You have the following
options:
• Full NAT—Rewrites both the source and destination IP addresses. The NAT module translates the source IP address
to the next available address in the source pool you configure with the config load-balance ippool command.
The NAT module translates the destination address to the address of the real server selected by the load balancer.
• Destination NAT—Rewrites the destination IP address for packets before it forwards them. The NAT module
translates this address to the address of the real server selected by the load balancer. The NAT module rewrites only
the destination IP address. Therefore, if you configure destination NAT, you do not need to configure a source pool.
The system maintains the NAT table and performs the inverse translation when it receives the server-to-client traffic.
Before you begin:
• You must have a good understanding of NAT. You must know the address ranges your network has provisioned for
NAT.
• Be sure to configure the backend servers to use the FortiADC address as the default gateway so that server
responses are also rewritten by the NAT module.
• You must have read-write permission for load balancing settings.
After you have configured a source pool IP address range configuration object, you can specify it in the virtual server
configuration.
Syntax
config load-balance ippool
edit <No.>
set interface <datasource>
set addr-type {ipv4|ipv6}
set ip-min <class_ip>
set ip-max <class_ip>
next
end
interface
Interface to receive responses from the backend server. The interface used for the initial client
traffic is determined by the virtual server configuration.
addr-type
• IPv4
• IPv6
ip-min
The first address in the address pool.
ip-max
The last address in the address pool.
config load-balance method
Use this command to add method configuration objects.
The system includes predefined configuration objects for all supported load balancing methods, and there is no need to
create additional configuration objects. You may choose to do so, however, for various reasons, for example, to use a
naming convention that makes the purpose of the configuration clear to other administrators.
Table 9 describes the predefined methods.
Table 9: Predefined methods
LB_METHOD_ROUND_ROBIN: Selects the next server in the series: server 1, then server 2, then server 3,
and so on.
LB_METHOD_LEAST_CONNECTION: Selects the server with the least connections.
LB_METHOD_FASTEST_RESPONSE: Selects the server with the fastest response to health check tests.
LB_METHOD_URI: Selects the server based on a hash of the URI found in the HTTP header,
excluding hostname.
LB_METHOD_FULL_URI: Selects the server based on a hash of the full URI string found in the HTTP
header. The full URI string includes the hostname and path.
LB_METHOD_HOST: Selects the server based on a hash of the hostname in the HTTP Request
header Host field.
LB_METHOD_HOST_DOMAIN: Selects the server based on a hash of the domain name in the HTTP
Request header Host field.
LB_METHOD_DEST_IP_HASH: Selects the next hop based on a hash of the destination IP address. This
method can be used with the Layer 2 virtual server.
Before you begin:
• You must have read-write permission for load balancing settings.
Syntax
config load-balance method
edit <name>
set type {dest-ip-hash | fastest-response | full-uri-hash | host-domain-hash |
host-hash | least-connection | round-robin | uri-hash}
next
end
type
Specify the method.
config load-balance persistence
Use this command to configure persistence rules.
Persistence rules identify traffic that should not be load balanced, but instead forwarded to the same backend server that
has seen requests from that source before. Typically, you configure persistence rules to support server transactions that
depend on an established client-server session, like e-commerce transactions or SIP voice calls.
Persistence rules are evaluated before load balancing rules. If the packets received by the ADC match the session
properties you configure for the persistence rule, the packets are forwarded to the server that established the connection,
and load balancing rules are not applicable.
Table 10 describes the predefined persistence rules. You can get started with these commonly used persistence
methods or create custom objects.
Table 10: Predefined persistence rules
LB_PERSIS_SIP: Persistence based on IP address or subnet.
The system selects the backend server for a client IP’s first request using the
method specified in the virtual server configuration and then stores the
relationship between client IP and server in a table. It uses the mapping in the
table to forward subsequent requests from the same IP address or subnet to the
same backend server.
LB_PERSIS_CONSISTENT_SIP: Persistence based on a hash of source IP.
The system uses an algorithm to calculate a hash value for the IP address of the
client making an initial request. It then maps this value to the selected backend
server and uses the mapping table to forward subsequent requests that generate
the same hash value to the same backend server.
LB_PERSIS_HASH_SRC_ADDR_PORT: Persistence based on a hash that includes source IP and port.
The system uses an algorithm to calculate a hash value for the IP address and
port of an initial client request. It then maps this value to the selected backend
server and uses the mapping table to forward subsequent requests that generate
the same hash value to the same backend server.
LB_PERSIS_HASH_COOKIE: Persistence based on a cookie provided by the backend server.
The system uses an algorithm to calculate a hash value for the cookie provided
by the backend server. It then maps this value to the selected backend server and
uses the mapping table to forward subsequent requests that generate the same
hash value to the same backend server.
LB_PERSIS_SSL_SESS_ID: Persistence based on the SSL session ID.
If the initial client request has an SSL session ID, the system sends all
subsequent sessions with the same SSL session ID to the same backend server.
Before you begin:
• You must have a good understanding and knowledge of the applications that require persistent sessions and the
methods that can be used to identify application sessions.
• You must have read-write permission for load balancing settings.
After you have configured a persistence rule, you can select it in the virtual server configuration.
Syntax
config load-balance persistence
edit <name>
set type {consistent-hash-ip | embedded-cookie | hash-cookie | hash-http-header |
hash-http-request | hash-source-address-port | insert-cookie | persistent-cookie |
radius-attribute | rewrite-cookie | source-address | ssl-session-id}
set timeout <integer>
set keyword <string>
set match-across-servers {enable|disable}
set ipv4-maskbits <integer>
set ipv6-maskbits <integer>
next
end
type
Specify the persistence type:
• consistent-hash-ip: Persistence is based on a hash of the IP address of the client
making an initial request.
• embedded-cookie: Persistence is based on the cookie provided in the backend
server response.
• hash-cookie: Persistence is based on a hash of the cookie provided by the backend
server.
• hash-http-header: Persistence is based on a hash of the specified header value found
in an initial client request.
• hash-http-request:
• hash-source-address-port: Persistence is based on a hash of the IP address and port
of an initial client request.
• insert-cookie: Persistence is based on a cookie inserted by the FortiADC system.
• persistent-cookie: Persistence is based on the cookie provided in the backend server
response.
• radius-attribute: Persistence is based on a specified RADIUS attribute.
• rewrite-cookie: Persistence is based on the cookie provided in the backend server
response, but the system rewrites the cookie.
• source-address: Persistence is based on source IP address.
• ssl-session-id: Persistence is based on SSL session ID.
After you have specified the type, the CLI commands are constrained to the ones that are
applicable to the specified type, not all of the settings described in this table.
timeout
Server-side session timeout. Specifies the maximum amount of time between requests.
That is, when the time that has elapsed since the system last received a request from the
client IP is greater than the timeout, the system does not use the mapping table to
forward the request. Instead, it again selects the server using the method specified in the
virtual server configuration.
keyword
A value found in an HTTP header or RADIUS attribute.
match-across-servers
RADIUS servers. Allow clients to continue to access the same backend server through
different virtual servers for the duration of a session.
ipv4-maskbits
Number of bits in a subnet mask to specify a network segment that should follow the
persistence rule.
For example, if IPv4 maskbits is set to 24, and the backend server A responds to a client
with the source IP 192.168.1.100, server A also responds to all clients from subnet
192.168.1.0/24.
ipv6-maskbits
Number of bits in a subnet mask to specify a network segment that should follow the
persistence rule.
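The source-address persistence behaviour described above (a mapping table keyed by the client's network segment after ipv4-maskbits/ipv6-maskbits are applied, consulted before the load balancing method and abandoned once timeout has elapsed since the last request) as an added Python model; this is not FortiADC code. It assumes that a hit refreshes the entry's timestamp and that the table key is the masked network.

```python
import ipaddress
import time
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not FortiADC code: models a source-address persistence rule
# with ipv4-maskbits / ipv6-maskbits and timeout, layered over whatever load
# balancing method the virtual server uses. Assumptions: the table is keyed by
# the client's network after masking, and an entry's timestamp is refreshed
# on every request that uses it.


class SourceAddressPersistence:
    def __init__(self, timeout: int, ipv4_maskbits: int = 32, ipv6_maskbits: int = 128,
                 clock: Callable[[], float] = time.monotonic):
        self.timeout = timeout
        self.ipv4_maskbits = ipv4_maskbits
        self.ipv6_maskbits = ipv6_maskbits
        self.clock = clock
        # network segment -> (backend server, time of last request)
        self.table: Dict[str, Tuple[str, float]] = {}

    def segment(self, client_ip: str) -> str:
        """Apply the maskbits so that 192.168.1.100 with /24 maps to 192.168.1.0/24."""
        addr = ipaddress.ip_address(client_ip)
        bits = self.ipv4_maskbits if addr.version == 4 else self.ipv6_maskbits
        return str(ipaddress.ip_network((addr, bits), strict=False))

    def lookup(self, client_ip: str) -> Optional[str]:
        key = self.segment(client_ip)
        entry = self.table.get(key)
        if entry is None:
            return None
        server, last_seen = entry
        if self.clock() - last_seen > self.timeout:
            del self.table[key]      # expired: the load balancing method chooses again
            return None
        return server

    def select(self, client_ip: str, choose: Callable[[], str]) -> str:
        """Persistence is evaluated before load balancing: only on a miss is
        the virtual server's method (choose) consulted."""
        server = self.lookup(client_ip)
        if server is None:
            server = choose()
        self.table[self.segment(client_ip)] = (server, self.clock())
        return server


def run_scenario() -> List[str]:
    """Constructed scenario: /24 mask, 300 s timeout, method alternates A, B."""
    now = [1000.0]
    rule = SourceAddressPersistence(timeout=300, ipv4_maskbits=24, clock=lambda: now[0])
    method = iter(["server-A", "server-B", "server-A", "server-B"])
    log = []
    log.append(rule.select("192.168.1.100", lambda: next(method)))  # miss: server-A
    log.append(rule.select("192.168.1.7", lambda: next(method)))    # same /24: server-A
    log.append(rule.select("192.168.2.7", lambda: next(method)))    # other /24: server-B
    now[0] += 301                                                   # past the timeout
    log.append(rule.select("192.168.1.100", lambda: next(method)))  # expired: method runs again
    return log


if __name__ == "__main__":
    print(run_scenario())   # ['server-A', 'server-A', 'server-B', 'server-A']
```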
config load-balance pool
Use this command to configure real server pool settings.
A server pool is a group of the real servers that host the applications that you load balance.
To configure a server pool:
1. Create a server pool object.
2. Add members.
Before you begin:
• You must have a good understanding and knowledge of the backend server boot behavior, for example, how many
seconds it takes to “warm up” after a restart before it can process traffic.
• You must know the IP address and port of the applications.
• You must have read-write permission for load balancing settings.
After you have configured a real server pool, you can select it in the virtual server configuration.
Syntax
config load-balance pool
edit <name>
set addr-type {ipv4|ipv6}
set health-check-ctrl {enable|disable}
set health-check-list {<datasource> ...}
set health-check-relation {AND|OR}
config pool_member
edit <No.>
set backup {enable|disable}
set connection-limit <integer>
set connection-rate-limit <integer>
set health-check-inherit {enable|disable}
set health-check-ctrl {enable|disable}
set health-check-list {<datasource> ...}
set health-check-relation {AND|OR}
set ip <class_ip>
set ip6 <class_ip>
set pool_member_cookie <string>
set pool_member_service_port <integer>
set pool_member_weight <integer>
set recover <integer>
set ssl {enable|disable}
set status {enable|disable|maintain}
set warm-rate <integer>
set warm-up <integer>
next
end
next
end
addr-type
• IPv4
• IPv6
health-check-ctrl
Enable health checking for the pool. You can override this for individual servers in the pool.
health-check-list
Specify one or more health check configuration objects.
health-check-relation
• AND—All of the specified health checks must pass for the server to be considered
available.
• OR—One of the specified health checks must pass for the server to be considered
available.
config pool_member
backup
Server that the ADC directs traffic to only when other servers in the pool are down. The
backup server receives connections when all the other pool members fail the health check
or you have manually disabled them, for example.
connection-limit
Maximum number of concurrent connections to the backend server. The default is 0
(disabled). The valid range is 1 to 1,048,576 concurrent connections.
Note: Connection Limit is not supported for FTP servers.
connection-rate-limit
Limit the number of new connections per second to this server. The default is 0 (disabled).
The valid range is 1 to 86,400 connections per second.
In Layer 4 deployments, you can apply a connection rate limit per real server and per
virtual server. Both limits are enforced.
Note: The connection rate limit applies only when the real servers belong to a Layer 4
virtual server. If you add a real server pool with this setting configured to a Layer 7 virtual
server, for example, the setting is ignored.
Note: Connection Rate Limit is not supported for FTP servers.
health-check-ctrl
Enable health checking for the pool. You can override this for individual servers in the pool.
health-check-list
Specify one or more health check configuration objects.
health-check-relation
• AND—All of the selected health checks must pass for the server to be considered
available.
• OR—One of the selected health checks must pass for the server to be considered
available.
ip
IP address of the backend server.
In a Layer 2 virtual server deployment, specify the IP address of the next hop to the
destination server. Configure a pseudo default gateway in the static route since Layer 2
virtual servers need to use this default route internally to match all the destinations that the
client wants to access. However, this default gateway is not used because the next hop is
the pool member and not the pseudo gateway. In a Layer 2 virtual server deployment,
ensure the backend servers have been configured to route responses through the
FortiADC IP address.
ip6
IP address of the backend server.
In a Layer 2 virtual server deployment, specify the IP address of the next hop to the
destination server. Configure a pseudo default gateway in the static route since Layer 2
virtual servers need to use this default route internally to match all the destinations that the
client wants to access. However, this default gateway is not used because the next hop is
the pool member and not the pseudo gateway. In a Layer 2 virtual server deployment,
ensure the backend servers have been configured to route responses through the
FortiADC IP address.
pool_member_cookie
Name of the HTTP header that will be used for server-side HTTP sessions.
If you use Layer 7 session persistence with a backend server, FortiADC injects an HTTP
cookie whose name you can configure in Cookie. This contains the FortiADC session ID
and will enable the appliance to forward subsequent related requests to the same backend
server.
pool_member_service_port
Listening port number of the backend server. Usually HTTP is 80, HTTPS is 443, FTP is
21, SMTP is 25, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is
161 or 162.
pool_member_weight
Assigns relative preference among members—higher values are more preferred and are
assigned connections more frequently. The default is 1. The valid range is 1 to 256.
All load balancing methods consider weight. Servers are dispatched requests proportional
to their weight, relative to the sum of all weights.
The following example shows the effect of weight on Round Robin:
Server A, Weight 2; Server B, Weight 1: Requests are sent AABAAB.
Server A, Weight 3; Server B, Weight 2: Requests are sent AABAB.
For other methods, weight functions as a tie-breaker. For example, with the Least
Connection algorithm, requests are sent to the server with the least connections. If the
number of connections is equal, the request is sent to the server with the greater weight.
For example:
Server A, Weight 1, 1 connection
Server B, Weight 2, 1 connection
The next request is sent to Server B.
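The weight behaviour described above, reproduced in Python as an added example (not FortiADC code): a weighted round-robin scheduler that yields exactly the AABAAB and AABAB sequences the reference gives, plus the Least Connection tie-break by weight. The scheduler is the classic interleaved weighted round-robin algorithm (as used by LVS); that FortiADC implements the same scheduler internally is an assumption, only the two documented sequences are the reference's own.

```python
from functools import reduce
from math import gcd
from typing import List, Tuple

# Added example, not FortiADC code. Reproduces the Round Robin dispatch
# sequences the reference gives for pool_member_weight with the classic
# interleaved weighted round-robin scheduler (the LVS "wrr" algorithm). That
# FortiADC uses this exact scheduler internally is an assumption; the
# sequences it yields for the two documented cases are the reference's own.


class WeightedRoundRobin:
    def __init__(self, members: List[Tuple[str, int]]):
        for name, weight in members:
            if not 1 <= weight <= 256:            # valid range per the reference
                raise ValueError(f"{name}: weight {weight} outside 1..256")
        self.members = members
        self.index = -1
        self.current_weight = 0
        self.max_weight = max(w for _, w in members)
        self.gcd_weight = reduce(gcd, (w for _, w in members))

    def next(self) -> str:
        while True:
            self.index = (self.index + 1) % len(self.members)
            if self.index == 0:
                # Each full pass lowers the threshold; members whose weight is
                # at least the threshold are eligible on that pass.
                self.current_weight -= self.gcd_weight
                if self.current_weight <= 0:
                    self.current_weight = self.max_weight
            name, weight = self.members[self.index]
            if weight >= self.current_weight:
                return name


def dispatch_sequence(members: List[Tuple[str, int]], count: int) -> str:
    """The order in which `count` requests are dispatched, e.g. AABAAB."""
    scheduler = WeightedRoundRobin(members)
    return "".join(scheduler.next() for _ in range(count))


def least_connection(members: List[Tuple[str, int, int]]) -> str:
    """Least Connection with weight as tie-breaker. Each member is
    (name, weight, current connections): fewest connections wins, and on a
    tie the greater weight wins."""
    return min(members, key=lambda m: (m[2], -m[1]))[0]


if __name__ == "__main__":
    print(dispatch_sequence([("A", 2), ("B", 1)], 6))    # AABAAB
    print(dispatch_sequence([("A", 3), ("B", 2)], 5))    # AABAB
    print(least_connection([("A", 1, 1), ("B", 2, 1)]))  # B
```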
recover
Seconds to postpone forwarding traffic after downtime, when a health check indicates that
this server has become available again. The default is 0 (disabled). The valid range is 1 to
86,400 seconds.
After the recovery period elapses, the FortiADC assigns connections at the warm rate.
Examples of when the server experiences a recovery and warm-up period:
• A server is coming back online after the health check monitor detected it was down.
• A network service is brought up before other daemons have finished initializing and
therefore the server is using more CPU and memory resources than when startup is
complete.
To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.
Tip: During scheduled maintenance, you can also manually apply these limits by setting
Status to Maintenance instead of Enable.
ssl
Use SSL/TLS for the connection between the FortiADC and the real server.
Content routing and rewriting requires SSL decryption. In some cases, you might want to
re-encrypt traffic before forwarding it to the backend servers. For example, if you are load
balancing traffic and forwarding to backend servers along untrusted paths, vital credit card
and personally identifying information would be vulnerable during its backend transit
unless you re-encrypt it.
Verify that your backend servers are configured for encrypted connections. If they are not,
the connection will fail. Conversely, if you do not enable SSL to Server, you should also
disable SSL/TLS on your servers.
status
• enable—The server can receive new sessions.
• disable—The server does not receive new sessions and closes any current sessions as
soon as possible.
• maintain—The server does not receive new sessions but maintains any current
connections.
warm-rate
Maximum connection rate while the server is starting up. The default is 10 connections per
second. The valid range is 1 to 86,400 connections per second.
The warm up calibration is useful with servers that have the network service brought up
before other daemons have finished initializing. As the servers are brought online, CPU
and memory are more utilized than they are during normal operation. For these servers,
you define separate rates based on warm-up and recovery behavior.
For example, if Warm Up is 5 and Warm Rate is 2, the number of allowed new connections
increases at the following rate:
• 1st second—Total of 2 new connections allowed (0+2).
• 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
• 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
• 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
• 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
warm-up
If the server cannot initially handle full connection load when it begins to respond to health
checks (for example, if it begins to respond when startup is not fully complete), indicate
how long to forward traffic at a lesser rate. The default is 0 (disabled). The valid range is 1
to 86,400 seconds.
Example
FortiADC-VM # config load-balance pool
FortiADC-VM (pool) # edit lb-pool
Add new entry 'lb-pool' for node 1705
FortiADC-VM (lb-pool) # get
addr-type         : ipv4
health-check-ctrl : disable
FortiADC-VM (lb-pool) # set health-check-ctrl enable
FortiADC-VM (lb-pool) # set ?
addr-type               address type
health-check-ctrl       health check control
*health-check-list      health check list
health-check-relation   health check relationship
FortiADC-VM (lb-pool) # set health-check-list lb-health-check
FortiADC-VM (lb-pool) # config pool_member
FortiADC-VM (pool_member) # edit 1
Add new entry '1' for node 1710
FortiADC-VM (1) # get
health-check-inherit    : enable
status                  : enable
ssl                     : disable
backup                  : disable
ip                      : 0.0.0.0
ip6                     :
pool_member_service_port: 80
pool_member_weight      : 1
connection-limit        : 0
recover                 : 0
warm-up                 : 0
warm-rate               : 10
connection-rate-limit   : 0
pool_member_cookie      : cookie
FortiADC-VM (1) # set ip 192.168.100.1
FortiADC-VM (1) # end
FortiADC-VM (lb-pool) # end
config load-balance profile
Use this command to configure server profiles.
A profile is a configuration object that defines how you want the FortiADC virtual server to handle traffic for specific
protocols.
Table 11 describes the usage of each profile type, including compatible virtual server types, load balancing methods, and
persistence methods.
Table 11: Profile usage

FTP
    Usage: Use with FTP servers.
    VS Type: Layer 4
    LB Methods: Round Robin, Least Connections, Fastest Response
    Persistence: Source Address, Source Address Hash

HTTP
    Usage: Use for standard, unsecured web server traffic.
    VS Type: Layer 7, Layer 2
    LB Methods: Layer 7: Round Robin, Least Connections, URI Hash, Full URI Hash, Host Hash, Host Domain Hash.
    Layer 2: Round Robin, Least Connections, Destination IP Hash
    Persistence: Source Address, Source Address Hash, Source Address-Port Hash, HTTP Header Hash, HTTP Request Hash,
    Cookie Hash, Persistent Cookie, Insert Cookie, Embedded Cookie, Rewrite Cookie

HTTPS
    Usage: Use for secured web server traffic when offloading TLS/SSL from the backend servers. You must import the
    backend server certificates into FortiADC and select them in the HTTPS profile.
    VS Type: Layer 7, Layer 2
    LB Methods: Same as HTTP
    Persistence: Same as HTTP, plus SSL Session ID

HTTP Turbo
    Usage: Use for unsecured HTTP traffic that does not require advanced features like caching, compression, content
    rewriting, rate limiting, or source NAT. The profile can be used with content routes and destination NAT, but the
    HTTP request must be in the first data packet. This profile enables packet-based forwarding that reduces network
    latency and system CPU usage. However, packet-based forwarding for HTTP is advisable only when you do not
    anticipate dropped packets or out-of-order packets.
    VS Type: Layer 7
    LB Methods: Round Robin, Least Connections, Fastest Response
    Persistence: Source Address

RADIUS
    Usage: Use with RADIUS servers.
    VS Type: Layer 7
    LB Methods: Round Robin
    Persistence: RADIUS attribute

TCP
    Usage: Use for other TCP protocols.
    VS Type: Layer 4, Layer 2
    LB Methods: Layer 4: Round Robin, Least Connections, Fastest Response.
    Layer 2: Round Robin, Least Connections, Fastest Response, Destination IP Hash
    Persistence: Source Address, Source Address Hash

TCPS
    Usage: Use for secured TCP when offloading TLS/SSL from the backend servers. Like the HTTPS profile, you must
    import the backend server certificates into FortiADC and select them in the TCPS profile.
    VS Type: Layer 7, Layer 2
    LB Methods: Layer 7: Round Robin, Least Connections.
    Layer 2: Round Robin, Least Connections, Destination IP Hash
    Persistence: Source Address, Source Address Hash, Source Address-Port Hash, SSL Session ID

UDP
    Usage: Use for other UDP protocols.
    VS Type: Layer 4
    LB Methods: Round Robin, Least Connections, Fastest Response
    Persistence: Source Address, Source Address Hash
Table 12 provides a summary of the predefined profiles. You can select predefined profiles in the virtual server
configuration, or you can create user-defined profiles, especially to include configuration objects like certificates, caching
settings, compression options, and IP reputation.
Table 12: Predefined profiles

LB_PROF_TCP
    • Session Timeout—100 seconds
    • Session Timeout after FIN—100 seconds
    • IP Reputation—disabled

LB_PROF_UDP
    • Session Timeout—100 seconds
    • IP Reputation—disabled

LB_PROF_HTTP
    • Client Timeout—50 seconds
    • Connect Timeout—5 seconds
    • Keep-alive Timeout—50 seconds
    • Request Timeout—50 seconds
    • Queue Timeout—5 seconds
    • Server Timeout—50 seconds
    • Compression—disabled
    • Caching—disabled
    • X-Forwarded-For—disabled
    • Source Address—disabled
    • IP Reputation—disabled

LB_PROF_TURBOHTTP
    • Session Timeout—100 seconds
    • Session Timeout after FIN—100 seconds
    • IP Reputation—disabled

LB_PROF_FTP
    • Session Timeout—100 seconds
    • Session Timeout after FIN—100 seconds
    • IP Reputation—disabled

LB_PROF_RADIUS
    • Session Timeout—300 seconds

LB_PROF_TCPS
    • Client Timeout—50 seconds
    • Connect Timeout—5 seconds
    • Queue Timeout—5 seconds
    • Server Timeout—50 seconds
    • Source Address—disabled
    • IP Reputation—disabled
    • Certificate—Factory

LB_PROF_HTTPS
    • Client Timeout—50 seconds
    • Connect Timeout—5 seconds
    • Keep-alive Timeout—50 seconds
    • Request Timeout—50 seconds
    • Queue Timeout—5 seconds
    • Server Timeout—50 seconds
    • Compression—disabled
    • Caching—disabled
    • X-Forwarded-For—disabled
    • Source Address—disabled
    • IP Reputation—disabled
    • Certificate—Factory
Before you begin:
• You must have already created configuration objects for certificates, caching, and compression if you want the profile
to use them.
• You must have read-write permission for load balance settings.
Syntax
config load-balance profile
edit <name>
set type {ftp | http | https | radius | tcp | tcps | turbohttp | udp}
set ip-reputation {enable|disable}
set timeout_tcp_session <integer>
set timeout_tcp_session_after_FIN <integer>
set timeout-radius-session <integer>
set timeout_udp_session <integer>
set buffer-pool {enable|disable}
set caching <datasource>
set client-address {enable|disable}
set client-timeout <integer>
set compression <datasource>
set connect-timeout <integer>
set http-keepalive-timeout <integer>
set http-request-timeout <integer>
set http-x-forwarded-for {enable|disable}
set http-x-forwarded-for-header <string>
set once-only {enable|disable}
set queue-timeout <integer>
set server-timeout <integer>
set tune-bufsize <integer>
set tune-maxrewrite <integer>
set allow-ssl-versions {sslv2 sslv3 tlsv1.0 tlsv1.1 tlsv1.2}
set cert-verify <datasource>
set client-sni-required {enable|disable}
set local-cert-group <datasource>
set ssl-ciphers <string>
next
end
type
Specify the profile type. After you have specified the type, the CLI commands
are constrained to the ones that are applicable to the specified type, not all of
the settings described in this table.
ip-reputation
Enable to apply the FortiGuard IP reputation service.
timeout_tcp_session
Client-side timeout for connections where the client has not sent a FIN signal,
but the connection has been idle. The default is 100 seconds. The valid range
is 1 to 86,400.
timeout_tcp_session_after_FIN
Client-side connection timeout. The default is 100 seconds. The valid range is
1 to 86,400.
timeout-radius-session
The default is 300 seconds. The valid range is 1 to 3,600.
timeout_udp_session
Client-side session timeout. The default is 100 seconds. The valid range is 1
to 86,400.
buffer-pool
Enable to use buffering.
caching
Specify the name of the caching configuration object.
client-address
Use the original client IP address as the source address in the connection to
the real server.
client-timeout
Client-side TCP connection timeout. The default is 50 seconds. The valid
range is 1 to 3,600.
compression
Specify a compression configuration object.
connect-timeout
Multiplexed server-side TCP connection timeout. Usually less than the
client-side timeout. The default is 5 seconds. The valid range is 1 to 3,600.
http-keepalive-timeout
The default is 50 seconds. The valid range is 1 to 3,600.
http-request-timeout
Client-side HTTP request timeout. The default is 50 seconds. The valid range
is 1 to 3,600.
http-x-forwarded-for
Append the client IP address found in IP layer packets to the HTTP header
that you have specified in the X-Forwarded-For Header setting. If there is no
existing X-Forwarded-For header, the system creates it.
http-x-forwarded-for-header
Specify the HTTP header to which to write the client IP address. Typically,
this is the X-Forwarded-For header, but it is customizable because you might
support traffic that uses different headers for this. Do not include the 'X-'
prefix. Examples: Forwarded-For, Real-IP, or True-IP.
once-only
When there is an initial HTTP request, use the load balancing algorithm to
select the destination server; forward subsequent traffic for the same
connection to the server that was selected to process the initial request.
queue-timeout
Specifies how long connection requests to a backend server remain in a
queue if the server has reached its maximum number of connections. If the
timeout period expires before the client can connect, FortiADC drops the
connection and sends a 503 error to the client. The default is 5 seconds. The
valid range is 1 to 3,600.
server-timeout
Server-side IP session timeout. The default is 50 seconds. The valid range is
1 to 3,600.
tune-bufsize
Specify the buffer size for a session. The default is 8,030 bytes. The valid
range is 128 to 2,147,483,647.
tune-maxrewrite
Specify the buffer space reserved for content rewriting. The default is 1,024
bytes. The valid range is 128 to 2,147,483,647.
allow-ssl-versions
We recommend TLSv1.2 or TLSv1.1. You have the following options:
• SSLv2
• SSLv3
• TLSv1.0
• TLSv1.1
• TLSv1.2
cert-verify
Specify a certificate validation policy.
client-sni-required
Require clients to use the TLS server name indication (SNI) extension to
include the server hostname in the TLS client hello message. Then, the
FortiADC system can select the appropriate local server certificate to present
to the client.
local-cert-group
A configuration group that includes the certificates this virtual server presents
to SSL/TLS clients. This should be the backend servers’ certificate, NOT the
appliance’s GUI web server certificate.
ssl-ciphers
We recommend retaining the default list:
AES256-SHA:RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA
If necessary, you can edit the colon-separated list so that it includes the
algorithms you require for this profile.
Example
FortiADC-VM # get load-balance profile
== [ LB_PROF_TCP ]
== [ LB_PROF_UDP ]
== [ LB_PROF_HTTP ]
== [ LB_PROF_TURBOHTTP ]
== [ LB_PROF_FTP ]
== [ LB_PROF_RADIUS ]
== [ LB_PROF_TCPS ]
== [ LB_PROF_HTTPS ]
FortiADC-VM # get load-balance profile LB_PROF_HTTPS
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout: 50
http-keepalive-timeout: 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for: disable
http-x-forwarded-for-header:
once-only : disable
ssl-ciphers : AES256-SHA:RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group : LOCAL_CERT_GROUP
client-sni-required : disable
cert-verify :
compression :
caching :
ip-reputation : disable
FortiADC-VM # config load-balance profile
FortiADC-VM (profile) # edit https-example
Add new entry 'https-example' for node 1643
FortiADC-VM (https-example) # set type https
FortiADC-VM (https-example) # get
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout: 50
http-keepalive-timeout: 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for: disable
http-x-forwarded-for-header:
once-only : disable
ssl-ciphers : AES256-SHA:RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group :
client-sni-required : disable
cert-verify :
compression :
caching :
ip-reputation : disable
FortiADC-VM (https-example) # set local-cert-group local-cert-group-1
FortiADC-VM (https-example) # set cert-verify cert-verify-rule1
FortiADC-VM (https-example) # end
FortiADC-VM # get load-balance profile https-example
type : https
tune-bufsize : 8030
tune-maxrewrite : 1024
client-timeout : 50
server-timeout : 50
connect-timeout : 5
queue-timeout : 5
http-request-timeout: 50
http-keepalive-timeout: 50
buffer-pool : enable
client-address : disable
http-x-forwarded-for: disable
http-x-forwarded-for-header:
once-only : disable
ssl-ciphers : AES256-SHA:RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group : local-cert-group-1
client-sni-required : disable
cert-verify : cert-verify-rule1
compression :
caching :
ip-reputation : disable
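As an added example (not Fortinet's code), the following Python script parses the key/value text that get load-balance profile <name> prints, as shown above, and audits the TLS settings against this reference's own advice to prefer TLSv1.2 or TLSv1.1, emitting the CLI lines that would tighten the profile. The sample dump is constructed from the LB_PROF_HTTPS defaults above, and the list of cipher-name markers treated as weak is an assumption of the example.

```python
"""Audit a FortiADC profile dump for legacy TLS settings.

Added example, not Fortinet code. Parses the 'key : value' lines that
'get load-balance profile <name>' prints and checks them against a policy
built from this reference's advice (prefer TLSv1.2 or TLSv1.1) plus an
assumed list of cipher-name markers treated as weak.
"""
import re

# Constructed sample: the LB_PROF_HTTPS defaults as printed by the CLI.
SAMPLE_DUMP = """\
type : https
tune-bufsize : 8030
client-timeout : 50
http-x-forwarded-for: disable
http-x-forwarded-for-header:
ssl-ciphers : AES256-SHA:RC4-MD5:RC4-SHA:AES128-SHA:DES-CBC3-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
local-cert-group : LOCAL_CERT_GROUP
client-sni-required : disable
cert-verify :
ip-reputation : disable
"""

# Policy. The version set follows the page; the cipher markers are an
# assumption (substrings of OpenSSL-style names for RC4, 3DES, MD5,
# export and NULL suites).
RECOMMENDED_VERSIONS = {"tlsv1.1", "tlsv1.2"}
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "MD5", "NULL", "EXP")

# 'key : value' or 'key: value'; the value may itself contain colons.
LINE_RE = re.compile(r"^\s*([\w.-]+)\s*:\s*(.*?)\s*$")


def parse_profile(dump: str) -> dict:
    """Return the dump as a dict; a key with no value maps to ''."""
    fields = {}
    for line in dump.splitlines():
        match = LINE_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def legacy_versions(fields: dict) -> list:
    """Enabled protocol versions outside the recommended set."""
    enabled = set(fields.get("allow-ssl-versions", "").split())
    return sorted(enabled - RECOMMENDED_VERSIONS)


def split_ciphers(fields: dict) -> tuple:
    """Split the colon-separated ssl-ciphers list into (weak, strong)."""
    ciphers = [c for c in fields.get("ssl-ciphers", "").split(":") if c]
    weak = [c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)]
    strong = [c for c in ciphers if c not in weak]
    return weak, strong


def audit_profile(fields: dict) -> list:
    """Return (setting, finding) pairs; an empty list means no findings."""
    findings = []
    legacy = legacy_versions(fields)
    if legacy:
        findings.append(("allow-ssl-versions",
                         "legacy versions enabled: " + " ".join(legacy)))
    weak, _ = split_ciphers(fields)
    if weak:
        findings.append(("ssl-ciphers", "weak ciphers: " + ":".join(weak)))
    if fields.get("type") in ("https", "tcps") and not fields.get("local-cert-group"):
        findings.append(("local-cert-group", "no certificate group selected"))
    return findings


def remediation_commands(name: str, fields: dict) -> list:
    """CLI lines (in this reference's syntax) that address the findings."""
    body = []
    if legacy_versions(fields):
        enabled = set(fields.get("allow-ssl-versions", "").split())
        keep = sorted(enabled & RECOMMENDED_VERSIONS) or sorted(RECOMMENDED_VERSIONS)
        body.append("set allow-ssl-versions " + " ".join(keep))
    weak, strong = split_ciphers(fields)
    if weak and strong:
        body.append("set ssl-ciphers " + ":".join(strong))
    if not body:
        return []
    return ["config load-balance profile", f"edit {name}"] + body + ["next", "end"]


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_DUMP)
    for setting, finding in audit_profile(profile):
        print(f"{setting}: {finding}")
    print("\n".join(remediation_commands("https-example", profile)))
```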
config load-balance reputation
Use this command to configure IP reputation policies.
The FortiGuard IP Reputation service provides a regularly updated data set that identifies compromised and malicious
clients.
The IP reputation configuration allows you to specify the action the system takes when it receives traffic from a client with
an IP address on the list. Table 13 lists limitations for IP reputation actions.
Table 13: IP reputation actions

Action / Address Type / Profile Limitations
Pass: IPv4 only. Not supported for RADIUS.
Deny: IPv4 only. Not supported for RADIUS.
Redirect: IPv4 only. Not supported for RADIUS, FTP, TCP, UDP.
Send 403 Forbidden: IPv4 only. Not supported for RADIUS, FTP, TCP, UDP.
Note: IP reputation is also not supported for Layer 4 virtual servers when the Packet Forwarding Mode is Direct Routing.
Basic Steps
1. Configure the connection to the FortiGuard IP Reputation Service.
2. Optionally, customize the actions you want to take when the system encounters a request from an IP source that
matches the list; and add exceptions. If a source IP appears on the exceptions list, the system does not look it up on
the IP reputation list. See below.
3. Enable IP reputation in the profiles you associate with virtual servers.
Before you begin:
• You must have read-write permission for load balancing settings.
Syntax
config load-balance reputation
edit <No.>
set action {deny | pass | redirect | send-403-forbidden}
set category <string>
set log {enable|disable}
set severity {high | low | medium}
set status {enable|disable}
next
end
action
• Pass
• Deny
• Redirect
• Send 403 Forbidden
Note: L4 Load Balance and TCPS virtual servers do not support Redirect or Send 403 Forbidden. If
you apply an IP reputation configuration that uses these options to a L4 Load Balance or TCPS
virtual server, FortiADC denies matching clients but logs the action as Redirect or Send 403
Forbidden.
category
Specify a FortiGuard IP Reputation category:
• Botnet
• Anonymous Proxy
• Phishing
• Spam
• Others
log
Enable/disable logging.
severity
The severity to apply to the event. Severity is useful when you filter and sort logs:
• Low
• Medium
• High
status
Enable/disable the category.
Example
FortiADC-VM # get load-balance reputation
== [ 1 ]
== [ 2 ]
== [ 3 ]
== [ 4 ]
== [ 5 ]
FortiADC-VM # get load-balance reputation 1
category : Botnet
status : enable
action : pass
severity : low
log : disable
FortiADC-VM # get load-balance reputation 2
category : "Anonymous Proxy"
status : enable
action : pass
severity : low
log : disable
FortiADC-VM # get load-balance reputation 3
category : Phishing
status : enable
action : pass
severity : low
log : disable
FortiADC-VM # get load-balance reputation 4
category : Spam
status : enable
action : pass
severity : low
log : disable
FortiADC-VM # get load-balance reputation 5
category : Others
status : enable
action : pass
severity : low
log : disable
config load-balance reputation-exception
Use this command to add exceptions to IP reputation rules—traffic that should not be processed by the IP reputation
module.
Before you begin:
• You must have read-write permission for load balancing feature settings.
Syntax
config load-balance reputation-exception
edit <No.>
set status {enable|disable}
set ip <class_ip>
next
end
status
Enable or disable the exception. You might have occasion to toggle the exception off and on.
ip
Specify the IP address that should not be processed by the IP reputation module.
config load-balance ssl
Deprecated.
config load-balance virtual-server
Use this command to configure virtual servers.
The virtual server configuration supports three classes of application delivery control:
• Layer 7—Persistence, load balancing, and routing are based on Layer 7 objects, such as HTTP headers, cookies,
and so on.
• Layer 4—Persistence, load balancing, and network address translation are based on Layer 4 objects, such as source
and destination IP address.
• Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load balance
connections between multiple next-hop gateways.
Before you begin:
• You must have a deep understanding of the backend servers and your load balancing objectives.
• You must have configured a real server pool (required) and other configuration objects that you can incorporate into
the virtual server configuration, such as persistence rules, user-defined profiles, source IP address pools if you are
deploying full NAT, content routes and rewriting rules, and error messages.
• You must have read-write permission for load balancing settings.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as
soon as you configure them and set status to enable. You do not apply them by selecting them in a policy.
Syntax
config load-balance virtual-server
edit <name>
set addr-type {ipv4|ipv6}
set alone {enable|disable}
set connection-limit <integer>
set connection-pool <datasource>
set connection-rate-limit <integer>
set content-rewriting {enable|disable}
set content-rewriting-list <string>
set content-routing {enable|disable}
set content-routing-list <string>
set error-msg <string>
set error-page <datasource>
set id <integer>
set interface <datasource>
set ip <class_ip>
set port <integer>
set ippool <datasource>
set load-balance-method <datasource>
set load-balance-persistence <datasource>
set load-balance-pool <datasource>
set load-balance-profile <datasource>
set multi-process <integer>
set packet-forwarding-method {FullNAT|NAT|direct_routing}
set status {enable|disable|maintain}
set traffic-log {enable|disable}
set trans-rate-limit <integer>
set type {l2-load-balance | l4-load-balance | l7-load-balance}
set warm-rate <integer>
set warm-up <integer>
next
end
type
Specify the virtual server type:
• l7-load-balance: Persistence, load balancing, and routing are based on Layer 7
objects, such as HTTP headers, cookies, and so on.
• l4-load-balance: Persistence, load balancing, and network address translation are
based on Layer 4 objects, such as source and destination IP address.
• l2-load-balance: This feature is useful when the request’s destination IP is
unknown and you need to load balance connections between multiple next-hop
gateways.
After you have specified the type, the CLI commands are constrained to the ones that
are applicable to the specified type, not all of the settings described in this table.
addr-type
• IPv4
• IPv6
Note: IPv6 is not supported for FTP or HTTP Turbo profiles.
alone
Enable/disable alone mode. When enabled, each HTTP virtual server is handled by a
separate haproxy daemon. When disabled, all HTTP virtual servers are handled by
one haproxy daemon.
connection-limit
Limit the number of concurrent connections. The default is 0 (disabled). The valid
range is 1 to 1,048,576 concurrent connections.
You can apply a connection limit per real server and per virtual server. Both limits are
enforced. Attempted connections that are dropped by security rules are not counted.
Note: Connection Limit is not supported for FTP profiles.
connection-pool
Specify a connection pool configuration object.
connection-rate-limit
With all Layer 4 profiles, and with the Layer 2 TCP profile, you can limit the number of
new connections per second. The default is 0 (disabled). The valid range is 1 to
86,400 connections per second.
You can apply a connection rate limit per real server and per virtual server. Both limits
are enforced. Attempted connections that are dropped by security rules are not
counted.
Note: Connection Rate Limit is not supported for FTP profiles.
content-rewriting
Enable to rewrite HTTP headers.
content-rewriting-list
Specify content rewriting rules.
Note: You can select multiple content rewriting rules in the virtual server
configuration. Rules that you add are consulted from top to bottom. The first rule to
match is applied. If the traffic does not match any of the content rewriting rule
conditions, the header is not rewritten.
content-routing
Enable to route packets to backend servers based on IP address (Layer 4) or HTTP
headers (Layer 7 content).
Overrides static or policy routes.
content-routing-list
Specify content route configuration objects.
Note: You can specify multiple content routing rules in the virtual server
configuration. Rules that you add are consulted from top to bottom. The first rule to
match is applied. If the traffic does not match any of the content routing rule
conditions specified in the virtual server configuration, the system behaves
unexpectedly. Therefore, it is important that you create a “catch all” rule that has no
match conditions. In the virtual server configuration, this rule should be ordered last
so it can be used to forward traffic to a default pool.
error-msg
If you do not use an error page, you can enter an error message to be returned to
clients in the event no server is available.
error-page
Specify an error page configuration object.
id
Deprecated.
interface
Network interface that receives client traffic for this virtual server.
ip
IP address provisioned for the virtual server.
Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual
server is not aware of IP addresses. Instead of routing data for a specific destination,
this type of server simply forwards data from the specified network interface and port.
port
Port number to listen for client requests.
Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or
443, ensure that the HTTPS and HTTP administrative access options are not
enabled for the interface.
ippool
If you are configuring a Layer 4 virtual server and enable Full NAT, select a source
pool configuration object.
load-balance-method
Specify a predefined or user-defined method configuration object.
load-balance-persistence Specify a predefined or user-defined persistence configuration object.
load-balance-pool
Specify a server pool configuration object.
load-balance-profile
Specify a predefined or user-defined profile configuration object.
multi-process
If your system has a multicore CPU, you can assign the number of CPU cores to
handle traffic for an HTTP virtual server. The valid range is 1 to 15.
packet-forwarding-method
In Layer 4 virtual server deployments, select one of the following packet forwarding
methods:
• Direct Routing—Forwards the source and destination IP addresses with no
changes.
Note: For FTP profiles, when Direct Routing is selected, you must also configure
a persistence method.
• DNAT—Replaces the destination IP address with the IP address of the backend
server selected by the load balancer.
The destination IP address of the initial request is the IP address of the virtual
server. Be sure to configure FortiADC as the default gateway on the backend
server so that the reply goes through FortiADC and can also be translated.
• Full NAT—Replaces both the destination and source IP addresses.
The source IP address is replaced by an IP address from the pool you define
using Server Load Balance > Resources > Source Pool. The destination IP
address is replaced with the IP address of the backend server selected by the
load balancer.
status
• enable—The server can receive new sessions.
• disable—The server does not receive new sessions and closes any current
sessions as soon as possible.
• maintain—The server does not receive new sessions but maintains any current
connections.
traffic-log
Enable to record traffic logs for this virtual server.
Note: Local logging is constrained by available disk space. We recommend that if
you enable traffic logs, you monitor your disk space closely. We also recommend that
you use local logging during evaluation and verification of your initial deployment,
and then configure remote logging to send logs to a log management repository.
trans-rate-limit
Limit the number of HTTP requests per second. The default is 0 (disabled). The valid
range is 1 to 1,048,567 transactions per second.
The system counts each client HTTP request against the limit. When the HTTP
request rate exceeds the limit, the virtual server sends an HTTP 503 error response
to the client.
Note: Transaction Rate Limit is not supported for HTTP Turbo profiles.
warm-rate
Maximum connection rate while the virtual server is starting up. The default is 10
connections per second. The valid range is 1 to 86,400 connections per second.
If Warm Up is 5 and Warm Rate is 2, the number of allowed new connections
increases at the following rate:
• 1st second—Total of 2 new connections allowed (0+2).
• 2nd second—2 new connections added for a total of 4 new connections allowed
(2+2).
• 3rd second—2 new connections added for a total of 6 new connections allowed
(4+2).
• 4th second—2 new connections added for a total of 8 new connections allowed
(6+2).
• 5th second—2 new connections added for a total of 10 new connections allowed
(8+2).
warm-up
If the server cannot initially handle full connection load when it begins to respond to
health checks (for example, if it begins to respond when startup is not fully complete),
indicate how long to forward traffic at a lesser rate. The default is 0 (disabled). The
valid range is 1 to 86,400 seconds.
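As an added example (not Fortinet's code) covering the warm-up/warm-rate ramp described here and for pool members earlier, together with the per-virtual-server and per-real-server connection rate limits that this reference says are both enforced, the following Python model admits connection attempts second by second. Its interpretation of the ramp (the budget in second t of warm-up is warm-rate × t, capped by connection-rate-limit when that is set, after which only connection-rate-limit applies and 0 means unlimited), its round-robin member selection, and the attempt counts are assumptions of the example.

```python
"""Model of FortiADC warm-up ramp and connection rate limits.

Added example, not Fortinet code. Reproduces the ramp this reference
describes (Warm Up 5, Warm Rate 2 gives 2, 4, 6, 8, 10 new connections in
seconds 1..5) and shows the effect of enforcing both the virtual server
and the real server limits. Assumptions: in second t of warm-up the budget
is warm-rate * t, capped by connection-rate-limit when that is set; after
warm-up only connection-rate-limit applies (0 = unlimited); attempts are
spread over pool members round robin and are rejected, not retried, when
the chosen member has no budget left in that second.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RateLimits:
    """Settings shared by virtual servers and pool members on this page."""
    warm_up: int = 0                 # seconds of ramp; 0 = disabled (page default)
    warm_rate: int = 10              # connections/second added per ramp second (page default)
    connection_rate_limit: int = 0   # new connections/second; 0 = disabled (page default)

    def budget(self, second: int) -> Optional[int]:
        """New-connection budget for the 1-based second; None means unlimited."""
        if self.warm_up and second <= self.warm_up:
            ramp = self.warm_rate * second
            return min(ramp, self.connection_rate_limit) if self.connection_rate_limit else ramp
        return self.connection_rate_limit or None


def _has_room(left: Optional[int]) -> bool:
    return left is None or left > 0


def _consume(left: Optional[int]) -> Optional[int]:
    return None if left is None else left - 1


def simulate(vs: RateLimits, members: List[RateLimits],
             attempts_per_second: List[int]) -> List[dict]:
    """Admit attempts second by second; both VS and member limits are enforced."""
    results = []
    rr = 0  # round-robin cursor across members
    for second, attempts in enumerate(attempts_per_second, start=1):
        vs_left = vs.budget(second)
        member_left = [m.budget(second) for m in members]
        accepted = [0] * len(members)
        rejected = 0
        for _ in range(attempts):
            if not _has_room(vs_left):
                rejected += 1          # virtual server budget exhausted
                continue
            i = rr % len(members)
            rr += 1
            if not _has_room(member_left[i]):
                rejected += 1          # chosen real server budget exhausted
                continue
            accepted[i] += 1
            vs_left = _consume(vs_left)
            member_left[i] = _consume(member_left[i])
        results.append({"second": second, "accepted": accepted, "rejected": rejected})
    return results


def ramp_schedule(limits: RateLimits) -> List[Optional[int]]:
    """Per-second budgets during warm-up, e.g. [2, 4, 6, 8, 10] for the page's example."""
    return [limits.budget(t) for t in range(1, limits.warm_up + 1)]


if __name__ == "__main__":
    vs = RateLimits(warm_up=5, warm_rate=2)
    print("warm-up schedule:", ramp_schedule(vs))
    # Constructed pool: one unlimited member, one limited to 1 new connection/second.
    pool = [RateLimits(), RateLimits(connection_rate_limit=1)]
    for row in simulate(vs, pool, [4, 4, 4]):
        print(row)
```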
Example
FortiADC-VM # config load-balance virtual-server
FortiADC-VM (virtual-server) # edit lb-vs1
Add new entry 'lb-vs1' for node 1775
FortiADC-VM (lb-vs1) # get
status : enable
type : l4-load-balance
multi-process : 1
packet-forwarding-method: NAT
interface :
addr-type : ipv4
ip : 0.0.0.0
port : 80
connection-limit : 10000
load-balance-profile:
content-routing : disable
load-balance-persistence:
load-balance-method :
load-balance-pool :
traffic-log : disable
warm-up : 0
warm-rate : 10
connection-rate-limit: 0
id : 0
FortiADC-VM (lb-vs1) # set ip 192.168.200.1
FortiADC-VM (lb-vs1) # set interface port4
FortiADC-VM (lb-vs1) # set load-balance-profile LB_PROF_TCP
FortiADC-VM (lb-vs1) # set load-balance-method LB_METHOD_ROUND_ROBIN
FortiADC-VM (lb-vs1) # set load-balance-pool lb-pool
FortiADC-VM (lb-vs1) # end
FortiADC-VM # get load-balance virtual-server lb-vs1
status : enable
type : l4-load-balance
multi-process : 1
packet-forwarding-method: NAT
interface : port4
addr-type : ipv4
ip : 192.168.200.1
port : 80
connection-limit : 10000
load-balance-profile: LB_PROF_TCP
content-routing : disable
load-balance-persistence:
load-balance-method : LB_METHOD_ROUND_ROBIN
load-balance-pool : lb-pool
traffic-log : disable
warm-up : 0
warm-rate : 10
connection-rate-limit: 0
id : 1
config log
The config log commands configure logging.
This chapter is a reference for the following commands:
config log alertemail recipient
config log alertemail setting
config log report
config log report_queryset
config log setting highspeed
config log setting local
config log setting remote
config log alertemail recipient
Use this command to add email addresses for alert recipients.
Before you begin:
• You must have read-write permission for log settings.
Syntax
config log alertemail recipient
edit <name>
set address <string>
next
end
address
Recipient email address.
config log alertemail setting
Use this command to configure alert settings.
Before you begin:
• You must have read-write permission for log settings.
Syntax
config log alertemail setting
set by_category {enable|disable}
set categories {admin config diskfull ha healthcheck}
set loglevel {alert | critical | debug | emerge | error | information | notification |
warning}
set deferq-interval <integer>
set from <string>
end
by_category
Specify this option to send alerts that match the specified categories. If you do not select this
option, alerts are sent based on event severity.
categories
Specify the events for which alerts are sent:
• Admin
• Configuration
• Disk
• HA
• Health Check
loglevel
Specify the lowest severity for which alerts are sent:
• Emergency—The system has become unstable.
• Alert—Immediate action is required.
• Critical—Functionality is affected.
• Error—An error condition exists and functionality could be affected.
• Warning—Functionality might be affected.
• Notification—Information about normal events.
• Information—General information about system operations.
• Debug—Detailed information about the system that can be used to troubleshoot unexpected
behavior.
For example, if you select error, the system sends alerts with level Error, Critical, Alert, and
Emergency. If you select alert, the system sends alerts with level Alert and Emergency.
deferq-interval If identical alerts are occurring continuously, select the interval between each email that will be
sent while the event continues.
from
Sender email address used in alert email.
config log report
Deprecated.
config log report_queryset
For future use.
config log setting highspeed
Use this command to configure high speed logging.
The high speed log feature is intended for deployments that require a high volume of logging activity. The logs are sent in
binary format so they can be sent at a high speed. If you want to use high speed logging, contact Fortinet to obtain a
utility for handling the binary format.
The feature supports traffic logs. Event logs and security logs are not supported.
Before you begin:
• You must have read-write permission for log settings.
Syntax
config log setting highspeed
set server <string>
set status {enable | disable}
set traffic-log-status {enable | disable}
set traffic-log-category {slb|dns}
set udpport <integer>
end
server
IP address of the syslog server.
status
Enable/disable the configuration.
traffic-log-status
Enable/disable logging for traffic processed by the load balancing modules.
traffic-log-category
• slb—Send server load balancing logs.
• dns—Send global load balancing logs.
udpport
Listening port number of the syslog server. Usually this is UDP port 514.
config log setting local
Use this command to configure basic log settings.
The local log is a datastore hosted on the FortiADC system.
Typically, you use the local log to capture information about system health and system administration activities. We
recommend that you use local logging during evaluation and verification of your initial deployment, and then configure
remote logging to send logs to a log management repository where they can be stored long term and analyzed using
preferred analytic tools.
Local log disk settings are configurable. You can select a subset of system events, traffic, and security logs.
Before you begin:
• You must have read-write permission for log settings.
Syntax
config log setting local
set attack-log-cached-lines {0|100|500|800|1000|2000|5000|10000}
set attack-log-category {synflood ipreputation}
set attack-log-status {enable|disable}
set disk-full {overwrite | nolog}
set event-log-cached-lines {0|100|500|800|1000|2000|5000|10000}
set event-log-category {admin app configuration system}
set event-log-status {enable|disable}
set loglevel {alert | critical | debug | emerge | error | information | notification |
warning}
set rate_limit <integer>
set rotation-size <integer>
set status {enable|disable}
set traffic-log-cached-lines {0|100|500|800|1000|2000|5000|10000}
set traffic-log-category {slb dns}
set traffic-log-status {enable|disable}
end
attack-log-cached-lines
Limit the number of logs that are cached. The default is 0 (disabled). Valid multiples
are 100, 500, 800, 1000, 2000, 5000, 10000. If 0, every generated log is written to
disk immediately. If 1000, logs are written to disk in batches of 1000.
attack-log-category
•
synflood—Send SYN flood protection logs.
•
ipreputation—Send IP Reputation logs.
attack-log-status
Enable/disable logging for the category.
disk-full
Specify log behavior when the maximum disk space for local logs is reached:
• overwrite—Continue logging. Overwrite the earliest logs.
• nolog—Stop logging.
event-log-cached-lines
Limit the number of logs that are cached. The default is 0 (disabled). Valid multiples
are 100, 500, 800, 1000, 2000, 5000, 10000. If 0, every generated log is written to
disk immediately. If 1000, logs are written to disk in batches of 1000.
event-log-category
Specify the types of events to collect in the local log:
• Configuration—Configuration changes.
• Admin—Administrator actions.
• Application—Health check results.
• System—System operations, warnings, and errors.
event-log-status
Enable/disable logging for the category.
loglevel
Specify the lowest severity for which alerts are sent:
• Emergency—The system has become unstable.
• Alert—Immediate action is required.
• Critical—Functionality is affected.
• Error—An error condition exists and functionality could be affected.
• Warning—Functionality might be affected.
• Notification—Information about normal events.
• Information—General information about system operations.
• Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.
For example, if you select error, the system sends alerts with level Error, Critical,
Alert, and Emergency. If you select alert, the system sends alerts with level Alert
and Emergency.
rate_limit
Rate limit logging (logs/second). The default is 0 (disabled).
rotation-size
Maximum disk space for local logs. The default is 200 MB.
status
Enable/disable local logging.
traffic-log-cached-lines
Limit the number of logs that are cached. The default is 0 (disabled). Valid multiples
are 100, 500, 800, 1000, 2000, 5000, 10000. If 0, every generated log is written to
disk immediately. If 1000, logs are written to disk in batches of 1000.
traffic-log-category
• slb—Send server load balancing logs.
• dns—Send global load balancing logs.
traffic-log-status
Enable/disable logging for the category.
Example
FortiADC-VM # config log setting local
FortiADC-VM (local) # get
status              : enable
rotation-size       : 200
disk-full           : overwrite
loglevel            : information
event-log-status    : enable
event-log-category  : configuration admin app system
traffic-log-status  : disable
attack-log-status   : disable
rate_limit          : 0
FortiADC-VM (local) # end
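As an added illustration (not FortiADC code) of what the cached-lines, rate_limit, rotation-size and disk-full options trade off, the following Python model replays one burst of events through three settings. The appliance's internal batching and overwrite logic are not documented, so the model assumes the behaviour the option descriptions state, and it counts rotation-size in records rather than MB to keep the simulation small.

```python
"""Model of the local log write path implied by the 'config log setting local'
options: *-cached-lines batching, rate_limit, rotation-size and disk-full.
Added example, not FortiADC code: batching, rate limiting and the overwrite
policy are modelled as the option descriptions state them, and rotation-size
is counted in records rather than MB (an assumption)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class LocalLogSettings:
    cached_lines: int = 0          # 0 = write each record to disk immediately
    rate_limit: int = 0            # logs/second; 0 = disabled
    rotation_size: int = 200       # capacity in records here (MB on the appliance)
    disk_full: str = "overwrite"   # "overwrite" (drop the earliest) or "nolog" (stop)


class LocalLogStore:
    def __init__(self, settings: LocalLogSettings):
        self.settings = settings
        self.disk = deque()            # records that reached disk, oldest first
        self.cache = []                # records still held only in memory
        self.dropped_by_rate = 0       # refused by rate_limit
        self.refused_disk_full = 0     # refused because disk_full is "nolog"
        self._second = None
        self._count_this_second = 0

    def log(self, record, now: float) -> bool:
        """Accept one record at wall-clock time `now`; return False if dropped."""
        sec = int(now)
        if sec != self._second:            # new second: reset the rate window
            self._second, self._count_this_second = sec, 0
        limit = self.settings.rate_limit
        if limit and self._count_this_second >= limit:
            self.dropped_by_rate += 1
            return False
        self._count_this_second += 1
        if self.settings.cached_lines == 0:
            self._write(record)
        else:
            self.cache.append(record)
            if len(self.cache) >= self.settings.cached_lines:
                self.flush()               # a full batch goes to disk
        return True

    def flush(self) -> int:
        """Write every cached record; returns how many were written."""
        n = len(self.cache)
        for record in self.cache:
            self._write(record)
        self.cache.clear()
        return n

    def _write(self, record):
        if len(self.disk) >= self.settings.rotation_size:
            if self.settings.disk_full == "nolog":
                self.refused_disk_full += 1
                return
            self.disk.popleft()            # overwrite: discard the earliest record
        self.disk.append(record)

    def at_risk(self) -> int:
        """Records that would be lost if the appliance lost power right now."""
        return len(self.cache)


def compare_policies(n_records: int = 250) -> dict:
    """Run the same burst (constructed scenario) through the documented
    defaults and two variations and report what each setting costs."""
    results = {}
    scenarios = {
        "default": LocalLogSettings(),
        "batched": LocalLogSettings(cached_lines=100, rotation_size=1000),
        "nolog": LocalLogSettings(disk_full="nolog"),
    }
    for name, settings in scenarios.items():
        store = LocalLogStore(settings)
        for i in range(n_records):
            store.log(f"event-{i}", now=i / 1000)   # whole burst inside one second
        results[name] = {
            "on_disk": len(store.disk),
            "oldest": store.disk[0] if store.disk else None,
            "at_risk": store.at_risk(),
            "refused": store.refused_disk_full,
        }
    return results
```

With the defaults the earliest 50 records of the burst are overwritten; with cached-lines 100 the last 50 are still only in memory, and with nolog the last 50 are never written.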
config log setting remote
Use this command to configure logging to a remote syslog server.
A remote syslog server is a system provisioned specifically to collect logs for long term storage and analysis with
preferred analytic tools.
Before you begin:
• You must have read-write permission for log settings.
Syntax
config log setting remote
edit <name>
set attack-log-status {enable|disable}
set attack-log-category {synflood ipreputation}
set comma-separated-value {enable|disable}
set event-log-status {enable|disable}
set event-log-category {admin app configuration system}
set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kern | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp}
set loglevel {alert | critical | debug | emerge | error | information | notification | warning}
set port <integer>
set server <string>
set status {enable|disable}
set traffic-log-status {enable|disable}
set traffic-log-category {slb dns}
next
end
attack-log-status
Enable/disable logging for security events.
attack-log-category
• synflood—Send SYN flood protection logs.
• ipreputation—Send IP Reputation logs.
comma-separated-value
Send logs in CSV format. Do not use with FortiAnalyzer.
event-log-status
Enable/disable logging for system events.
event-log-category
Specify the types of events to send to the syslog server:
• Admin—Administrator actions.
• Application—Health check results.
• Configuration—Configuration changes.
• System—System operations, warnings, and errors.
facility
Identifier that is not used by any other device on your network when sending logs to
FortiAnalyzer/syslog.
loglevel
Specify the lowest severity for which alerts are sent:
• Emergency—The system has become unstable.
• Alert—Immediate action is required.
• Critical—Functionality is affected.
• Error—An error condition exists and functionality could be affected.
• Warning—Functionality might be affected.
• Notification—Information about normal events.
• Information—General information about system operations.
• Debug—Detailed information about the system that can be used to troubleshoot unexpected behavior.
For example, if you select error, the system sends alerts with level Error, Critical, Alert,
and Emergency. If you select alert, the system sends alerts with level Alert and
Emergency.
port
Listening port number of the syslog server. Usually this is UDP port 514.
server
IP address of the syslog server.
status
Enable/disable the configuration.
traffic-log-status
Enable/disable logging for traffic processed by the load balancing modules.
traffic-log-category
• slb—Send server load balancing logs.
• dns—Send global load balancing logs.
Example
FortiADC-VM # config log setting remote
FortiADC-VM (remote) # edit 1
Add new entry '1' for node 547
FortiADC-VM (1) # get
status              : disable
server              :
port                : 514
loglevel            : information
comma-separated-value: disable
facility            : kern
event-log-status    : disable
traffic-log-status  : disable
attack-log-status   : disable
FortiADC-VM (1) # set status enable
FortiADC-VM (1) # set server 203.0.113.10
FortiADC-VM (1) # set loglevel notification
FortiADC-VM (1) # set event-log-status enable
FortiADC-VM (1) # set event-log-category admin app configuration system
FortiADC-VM (1) # set traffic-log-status enable
FortiADC-VM (1) # set traffic-log-category slb dns
FortiADC-VM (1) # end
FortiADC-VM # get
FortiADC-VM # get log setting remote
== [ 1 ]
status: enable
server: 203.0.113.10
port: 514
loglevel: notification
facility: kern
FortiADC-VM # show log setting remote
config log setting remote
edit 1
set server 203.0.113.10
set loglevel notification
set event-log-status enable
set event-log-category configuration admin app system
set traffic-log-status enable
set traffic-log-category slb dns
next
end
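The loglevel threshold (local and remote) and the facility identifier are easiest to see from the collector's side. The following Python decoder is an added example, not Fortinet code; it assumes the standard syslog PRI encoding PRI = facility*8 + severity (RFC 3164/5424), maps the 'set facility' keywords to their standard codes and the 'set loglevel' keywords to severities 0-7, and uses constructed message lines rather than real FortiADC output.

```python
"""Decoder for the PRI header of syslog messages as the server configured by
'config log setting remote' would receive them, plus the loglevel threshold
rule from the option table. Added example, not Fortinet code; the PRI
encoding is the standard one (assumption about FortiADC's wire format) and
the sample lines are constructed."""
import re

# 'set facility' keywords -> standard syslog facility codes.
FACILITY = {
    "kern": 0, "mail": 2, "daemon": 3, "auth": 4, "lpr": 6, "news": 7,
    "cron": 9, "authpriv": 10, "ftp": 11, "ntp": 12, "audit": 13,
    "alert": 14, "clock": 15, **{f"local{i}": 16 + i for i in range(8)},
}
# 'set loglevel' keywords in severity order: 0 = emergency ... 7 = debug.
LOGLEVEL = ["emerge", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def pri_for(facility: str, loglevel: str) -> int:
    """PRI value a message with this facility and severity carries."""
    return FACILITY[facility] * 8 + LOGLEVEL.index(loglevel)


def decode_pri(line: str):
    """Split a received line into (facility_code, severity_code, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no syslog PRI header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, m.group(2)


def levels_sent(loglevel: str) -> list:
    """Severities sent for a 'set loglevel' value: the chosen level and
    everything more severe (error -> error, critical, alert, emergency)."""
    return LOGLEVEL[: LOGLEVEL.index(loglevel) + 1]


def split_by_facility(lines, facility: str, loglevel: str):
    """Collector-side triage: keep messages carrying the facility reserved for
    this FortiADC at a severity it is configured to send; everything else is
    returned separately so a mis-set facility on another device is noticed."""
    wanted = FACILITY[facility]
    threshold = LOGLEVEL.index(loglevel)
    ours, foreign, unexpected = [], [], []
    for line in lines:
        fac, sev, body = decode_pri(line)
        if fac != wanted:
            foreign.append(body)          # some other device shares this collector
        elif sev > threshold:
            unexpected.append(body)       # less severe than the device should send
        else:
            ours.append((LOGLEVEL[sev], body))
    return ours, foreign, unexpected


# Constructed sample lines (not captured from a FortiADC): local0 = 16.
SAMPLE = [
    '<133>date=2015-03-31 time=10:00:01 devname=FortiADC-VM type=event subtype=admin msg="login"',
    '<131>date=2015-03-31 time=10:00:02 devname=FortiADC-VM type=event subtype=system msg="disk"',
    '<134>date=2015-03-31 time=10:00:03 devname=FortiADC-VM type=traffic subtype=slb msg="hit"',
    '<13>date=2015-03-31 time=10:00:04 devname=other-host msg="not ours"',
]
```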
config router
This chapter is a reference for the following commands:
config router ospf
config router policy
config router setting
config router static
config router ospf
Use this command to configure OSPF. FortiADC supports OSPF version 2.
OSPF (Open Shortest Path First) is described in RFC2328, OSPF Version 2. It is a link-state interior routing protocol.
Compared with RIP, OSPF can provide scalable network support and faster convergence times. OSPF is widely used in
large networks such as ISP backbone and enterprise networks.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config router ospf
set router-id <integer>
set default-metric <integer>
set distance <integer>
set default-information-originate {always|enable|disable}
set default-information-metric-type {1|2}
set default-information-metric <integer>
set redistribute-connected {enable|disable}
set redistribute-connected-metric-type {1|2}
set redistribute-connected-metric <integer>
set redistribute-static {enable|disable}
set redistribute-static-metric-type {1|2}
set redistribute-static-metric <integer>
config network
edit <No.>
set area <class_ip>
set prefix <ip&netmask>
next
end
config ospf-interface
edit <name>
set cost <integer>
set dead-interval <integer>
set hello-interval <integer>
set interface <datasource>
set mtu-ignore {enable|disable}
set network-type {broadcast | point-to-multipoint | point-to-point}
set priority <integer>
set retransmit-interval <integer>
set transmit-delay <integer>
next
end
end
router-id
32-bit number that identifies the router, written in dotted-decimal notation. It sets the
router ID of the OSPF process. The router ID must be an IP address of the router, and it
must be unique among all OSPF speakers in the OSPF domain.
default-metric
The default is 10.
distance
The default is 110.
default-information-originate
• enable—Originate an AS-External (type-5) LSA describing a default route into all external routing capable areas of the specified metric and metric type.
• always—The default is always advertised, even when there is no default present in the routing table.
• disable
default-information-metric-type
• 1
• 2
default-information-metric
The default is -1.
redistribute-connected
Enable/disable to redistribute connected routes into OSPF, with the
metric type and metric set if specified. Redistributed routes are
distributed into OSPF as Type-5 External LSAs into links to areas.
redistribute-connected-metric-type
• 1
• 2
redistribute-connected-metric
Specify a metric.
redistribute-static
Enable/disable to redistribute static routes into OSPF, with the metric
type and metric set if specified. Redistributed routes are distributed
into OSPF as Type-5 External LSAs into links to areas.
redistribute-static-metric-type
• 1
• 2
redistribute-static-metric
Specify a metric.
config network
area
32-bit number that identifies the OSPF area. An OSPF area is a
smaller part of the larger OSPF AS. Areas are used to limit the
link-state updates that are sent out. The flooding used for these
updates would overwhelm a large network, so it is divided into these
smaller areas for manageability.
prefix
Address/mask notation to specify the subnet.
config ospf-interface
cost
Set link cost for the specified interface. The cost value is set to
router-LSA's metric field and used for SPF calculation. The default is 0.
dead-interval
Number of seconds for RouterDeadInterval timer value used for Wait
Timer and Inactivity Timer. This value must be the same for all routers
attached to a common network. The default is 40 seconds.
hello-interval
Number of seconds between hello packets sent on the configured
interface. This value must be the same for all routers attached to a
common network. The default is 10 seconds.
interface
Specify the interface to enable OSPF for it.
mtu-ignore
Enable/disable to ignore the interface MTU. Disabled by default.
network-type
• broadcast
• point-to-point
• point-to-multipoint
priority
The router with the highest priority will be more eligible to become
Designated Router. Setting the value to 0 makes the router ineligible to
become Designated Router. The default is 1.
retransmit-interval
Interval for retransmitting Database Description and Link State
Request packets. The default is 5 seconds.
transmit-delay
Increment LSA age by this value when transmitting. The default is 1
second.
Example
FortiADC1
FortiADC-VM # config router ospf
FortiADC-VM (ospf) # set router-id 1.1.1.2
FortiADC-VM (ospf) # set default-metric 5
FortiADC-VM (ospf) # config network
FortiADC-VM (network) # edit 1
Add new entry '1' for node 2090
FortiADC-VM (1) # set prefix 1.1.1.1/32
FortiADC-VM (1) # set area 0.0.0.0
FortiADC-VM (1) # end
FortiADC-VM (ospf) # get
router-id           : 1.1.1.2
default-information-originate: disable
default-information-metric: -1
default-information-metric-type: 2
default-metric      : 5
distance            : 110
redistribute-connected: disable
redistribute-connected-metric: -1
redistribute-connected-metric-type: 2
redistribute-static : disable
redistribute-static-metric: -1
redistribute-static-metric-type: 2
== [ 1 ]
FortiADC-VM (ospf) # show
config router ospf
set router-id 1.1.1.2
set default-metric 5
config network
edit 1
set prefix 1.1.1.1/32
next
end
config ospf-interface
end
end
FortiADC2
FortiADC-VM # config router ospf
FortiADC-VM (ospf) # set router-id 1.1.1.3
FortiADC-VM (ospf) # config network
FortiADC-VM (network) # edit 1
Add new entry '1' for node 2090
FortiADC-VM (1) # set prefix 1.1.1.1/32
FortiADC-VM (1) # set area 0.0.0.0
FortiADC-VM (1) # end
FortiADC-VM (ospf) # get
router-id           : 1.1.1.2
default-information-originate: disable
default-information-metric: -1
default-information-metric-type: 2
default-metric      : 10
distance            : 110
redistribute-connected: disable
redistribute-connected-metric: -1
redistribute-connected-metric-type: 2
redistribute-static : disable
redistribute-static-metric: -1
redistribute-static-metric-type: 2
== [ 1 ]
FortiADC-VM (ospf) # show
config router ospf
set router-id 1.1.1.2
config network
edit 1
set prefix 1.1.1.1/32
next
end
config ospf-interface
end
end
See Also
• get router info ospf
config router policy
Use this command to add routes to the policy routing table.
Network systems maintain route tables to determine where to forward TCP/IP packets.
The FortiADC system route table includes up to three types of routes:
1. Content routes—Content routes are based on application layer values, specifically the URL or Host: field in the HTTP
header.
2. Policy routes—Policy routes are based on IP layer values, specifically the source and/or destination fields.
3. Static routes—Static routes are based on IP layer values, specifically the destination field.
The system evaluates content route rules first, then policy routes, then static routes. The packets are routed to the first
route that matches. The policy route table, therefore, need not include a “default route” for packets that do not match your
policy because those packets can be forwarded to the default route set in the static route table.
A policy route is chosen when no content route applies and both the source address and destination address in the
packet match the policy.
Most policy route settings are optional, so a matching route might not provide enough information to forward the packet.
In that case, the FortiADC appliance may refer to the routing table in an attempt to match the information in the packet
header with a route in the routing table. For example, if the destination address is the only match criteria in the policy
route, the FortiADC appliance looks up the IP address of the next-hop router in its routing table. This situation could
occur when interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify a static IP
address of the next-hop router.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config router policy
edit <No.>
set destination <ip&netmask>
set gateway <class_ip>
set source <ip&netmask>
next
end
destination
Address/mask notation to match the destination IP in the packet header.
To match any value, leave it blank or enter 0.0.0.0/32.
gateway
IP address of the next-hop router where the FortiADC system will forward packets for this policy
route. This router must know how to route packets to the destination subnet, or forward packets to
another router with this information.
source
Address/mask notation to match the source IP in the packet header.
To match any value, either leave it blank or enter 0.0.0.0/32.
config router setting
Use this command to change basic routing settings. However, the default settings are recommended for most
deployments.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config router setting
set ip-forward {enable | disable}
set ip6-forward {enable | disable}
set rt-cache-reverse {enable | disable}
set rt-cache-strict {enable | disable}
end
ip-forward
Enabled by default. Do not disable under normal circumstances.
If disabled, functions related to routing, like link load balancing, static routing, policy routing, and
OSPF routing cannot function.
ip6-forward
Enabled by default. Do not disable under normal circumstances.
If disabled, functions related to routing, like link load balancing, static routing, policy routing, and
OSPF routing cannot function.
rt-cache-reverse
When enabled, forwards reply packets to the ISP link that forwarded the corresponding request
packet.
When not enabled, forwards all packets based on the results of routing lookup.
The rt-cache-reverse function is useful when your site gets traffic routed to it from multiple ISP
links.
Enabled by default.
rt-cache-strict
Enable it when you want to send reply packets only via the same interface that received the
request packets. When enabled, source interface becomes part of the matching tuple FortiADC
uses to identify sessions, so reply traffic is forwarded from the same interface that received the
traffic. Normally each session is identified by a 5-tuple: source IP, destination IP, protocol,
source port, and destination port.
Disabled by default.
Example
FortiADC-VM # get router setting
rt-cache-strict     : disable
rt-cache-reverse    : enable
ip-forward          : enable
ip6-forward         : enable
config router static
Use this command to add routes to the static routing table.
Network systems maintain route tables to determine where to forward TCP/IP packets.
The FortiADC system route table includes up to three types of routes:
1. Content routes—Content routes are based on application layer values, specifically the URL or Host: field in the HTTP
header.
2. Policy routes—Policy routes are based on IP layer values, specifically the source and/or destination fields.
3. Static routes—Static routes are based on IP layer values, specifically the destination field.
The system evaluates content route rules first, then policy routes, then static routes. The packets are routed to the first
route that matches. The static route table, therefore, is the one that must include a “default route” to be used when no
more specific route has been determined.
Static routes specify the IP address of a next-hop router that is reachable from that network interface. Routers are aware
of which IP addresses are reachable through various network pathways, and can forward those packets along pathways
capable of reaching the packets’ ultimate destinations. The FortiADC system itself does not need to know the full route,
as long as the routers can pass along the packet.
You must configure at least one static route that points to a router, often a router that is the gateway to the Internet. You
might need to configure multiple static routes if you have multiple gateway routers, redundant ISP links, or other special
routing cases.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config router static
edit <No.>
set destination <ip&netmask>
set distance <integer>
set gateway <class_ip>
next
end
destination
Address/mask notation to match the destination IP in the packet header.
Specify 0.0.0.0/0 or ::/0 to set a default route for all packets.
It is a best practice to include a default route. If there is no other, more specific static route defined
for a packet’s destination IP address, a default route will match the packet, and pass it to a
gateway router so that any packet can reach its destination.
If you do not define a default route, and if there is a gap in your routes where no route matches a
packet’s destination IP address, packets passing through the FortiADC towards those IP
addresses will, in effect, be null routed. While this can help to ensure that unintentional traffic
cannot leave your FortiADC and therefore can be a type of security measure, the result is that you
must modify your routes every time that a new valid destination is added to your network.
Otherwise, it will be unreachable. A default route ensures that this kind of locally-caused
“destination unreachable” problem does not occur.
distance
The default administrative distance is 10, which makes it preferred to OSPF routes that have a
default of 110. We recommend you do not change these settings unless your deployment has
exceptional requirements.
gateway
Specify the IP address of the next-hop router where the FortiADC system will forward packets
for this static route. This router must know how to route packets to the destination IP addresses
that you have specified, or forward packets to another router with this information.
For a direct Internet connection, this will be the router that forwards traffic towards the Internet,
and could belong to your ISP.
The gateway must be in the same subnet as the interface used to reach it.
Example
FortiADC-VM # config router static
FortiADC-VM (static) # edit 1
FortiADC-VM (1) # set gateway 192.168.1.1
FortiADC-VM (1) # end
FortiADC-VM # get router static 1
destination         : 0.0.0.0/0
gateway             : 192.168.1.1
distance            : 10
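The evaluation order described for policy and static routes, as an added Python model (not FortiADC code): policy routes are consulted first and match only when both source and destination match (blank or 0.0.0.0/32 meaning any), static routes are consulted last, and a packet that matches nothing is the null-routed case the destination option warns about. Content routes are out of scope, and the tie-break among overlapping static routes (longest prefix, then lowest distance) is an assumption drawn from the "more specific route" wording; the tables below are constructed.

```python
"""Route selection as described for 'config router policy' and
'config router static'. Added example, not FortiADC code; the longest-prefix
and distance tie-break for static routes is an assumption."""
import ipaddress

POLICY_ANY = ("", "0.0.0.0/32")     # documented "match any" values for policy routes


def _contains(spec: str, addr: str) -> bool:
    """True if addr falls inside spec (address/mask notation)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def policy_match(route: dict, src: str, dst: str) -> bool:
    """A policy route applies only when source AND destination both match."""
    for field, addr in (("source", src), ("destination", dst)):
        spec = route.get(field, "")
        if spec not in POLICY_ANY and not _contains(spec, addr):
            return False
    return True


def select_route(src: str, dst: str, policy_routes: list, static_routes: list):
    """Return (table, gateway) for a packet, or ("null", None) when nothing
    matches, which is the locally-caused "destination unreachable" case."""
    for route in policy_routes:                 # first matching policy route wins
        if policy_match(route, src, dst):
            return "policy", route["gateway"]
    best_key, best = None, None
    for route in static_routes:
        net = ipaddress.ip_network(route["destination"], strict=False)
        if ipaddress.ip_address(dst) not in net:
            continue
        # assumption: most specific prefix first, then lowest administrative distance
        key = (net.prefixlen, -route.get("distance", 10))   # default distance is 10
        if best_key is None or key > best_key:
            best_key, best = key, route
    if best is None:
        return "null", None
    return "static", best["gateway"]


# Constructed tables (addresses from the documentation ranges).
POLICY = [{"source": "10.0.1.0/24", "gateway": "192.0.2.1"}]        # any destination
STATIC = [
    {"destination": "0.0.0.0/0", "gateway": "192.168.1.1"},           # default route
    {"destination": "10.10.0.0/16", "gateway": "192.168.1.254"},
]


def walk(packets, policy=POLICY, static=STATIC) -> dict:
    """Decide every (src, dst) pair in `packets` against the two tables."""
    return {(s, d): select_route(s, d, policy, static) for s, d in packets}
```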
config system
The config system commands configure system settings.
This chapter is a reference for the following commands:
config system accprofile
config system admin
config system certificate ca
config system certificate ca_group
config system certificate certificate_verify
config system certificate crl
config system certificate intermediate_ca
config system certificate intermediate_ca_group
config system certificate local
config system certificate local_cert_group
config system certificate remote
config system dns
config system dos-prevention
config system fortiguard
config system global
config system ha
config system interface
config system mailserver
config system password-policy
config system schedule-group
config system snmp community
config system snmp sysinfo
config system snmp threshold
config system snmp user
config system tcpdump
config system time manual
config system time ntp
config system accprofile
Use this command to manage access profiles.
Access profiles provision permissions to roles. The following permissions can be assigned:
• Read (view access)
• Read-Write (view, change, and execute access)
• No access
When an administrator has only read access to a feature, the administrator can access the web UI page for that feature,
and can use the get and show CLI command for that feature, but cannot make changes to the configuration.
In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job
that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each
administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
Table 14 lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI
menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or
issue a CLI set command).
For complete access to all commands and abilities, you must log in with the administrator account named admin.
Table 14: Areas of control in access profiles
Web UI Menus | CLI Commands
System | config system, diagnose hardware, diagnose netlink, diagnose sniffer, diagnose system, execute date, execute ping, execute ping-options, execute traceroute
Networking | config router
Server Load Balance | config load-balance
Link Load Balance | config link-load-balance
Global DNS Server | config global-dns-server
Security | config firewall
Log & Report | config log, config report, execute formatlogdisk
* For each config command, there is an equivalent get/show command. The config commands
require write permission. The get/show commands require read permission.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system accprofile
edit <name>
set firewall {none|read|read-write}
set global-dns-server {none|read|read-write}
set link-load-balance {none|read|read-write}
set load-balance {none|read|read-write}
set log {none|read|read-write}
set router {none|read|read-write}
set system {none|read|read-write}
next
end
firewall
global-dns-server
link-load-balance
load-balance
log
router
system
Set the permission for the corresponding area (the same three values apply to each option):
• none—Do not provision access for the menu.
• read—Provision read-only access.
• read-write—Enable the role to make changes to the configuration.
Example
FortiADC-VM # config system accprofile
FortiADC-VM (accprofile) # edit doc-admin
Add new entry 'doc-admin' for node 772
FortiADC-VM (doc-admin) # end
FortiADC-VM # get system accprofile doc-admin
system              : none
router              : none
firewall            : none
load-balance        : none
log                 : none
link-load-balance   : none
global-dns-server   : none
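The rule in Table 14 and its footnote (get/show need read on an area, config needs read-write), as an added Python check that is not Fortinet code. The command-to-area mapping is copied from Table 14; treating the listed diagnose and execute commands as requiring read-write on their area is an assumption, since the page states the rule only for config and get/show.

```python
"""Decides whether an access profile permits a CLI command, per Table 14.
Added example, not Fortinet code. Assumption: diagnose/execute commands
listed in Table 14 need read-write on their area."""

# Table 14, flattened: command prefix -> access profile area.
AREA_OF = {
    "config system": "system", "diagnose hardware": "system",
    "diagnose netlink": "system", "diagnose sniffer": "system",
    "diagnose system": "system", "execute date": "system",
    "execute ping": "system", "execute ping-options": "system",
    "execute traceroute": "system",
    "config router": "router",
    "config load-balance": "load-balance",
    "config link-load-balance": "link-load-balance",
    "config global-dns-server": "global-dns-server",
    "config firewall": "firewall",
    "config log": "log", "config report": "log",
    "execute formatlogdisk": "log",
}
RANK = {"none": 0, "read": 1, "read-write": 2}

# The profile created by 'config system accprofile' with no set commands,
# exactly as 'get system accprofile doc-admin' prints it above.
DOC_ADMIN = {area: "none" for area in
             ("system", "router", "firewall", "load-balance", "log",
              "link-load-balance", "global-dns-server")}


def requirement(command: str):
    """Return (area, needed_permission) for a CLI command, or None if the
    command is not covered by Table 14."""
    words = command.split()
    if len(words) < 2:
        return None
    verb, noun = words[0], words[1]
    if verb in ("get", "show"):            # read-only views of a config tree
        area = AREA_OF.get(f"config {noun}")
        return (area, "read") if area else None
    area = AREA_OF.get(f"{verb} {noun}")   # config / diagnose / execute
    return (area, "read-write") if area else None


def is_permitted(profile: dict, command: str) -> bool:
    """True if the profile grants at least the permission the command needs."""
    req = requirement(command)
    if req is None:
        return False                       # not covered by Table 14: deny by default
    area, needed = req
    return RANK[profile.get(area, "none")] >= RANK[needed]


def audit(profile: dict, commands: list) -> dict:
    """Map each command to allowed/denied for the profile."""
    return {c: is_permitted(profile, c) for c in commands}
```

An auditor profile built from DOC_ADMIN with only log and system set to read can run show and get on those areas but nothing that changes configuration or erases the log disk.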
config system admin
Use this command to manage administrator accounts.
We recommend that only network administrators—and if possible, only a single person—use the admin account. You
can configure accounts that provision different scopes of access. For example, you can create an account for a security
auditor who must only be able to view the configuration and logs, but not change them.
Before you begin:
• If you want to use RADIUS or LDAP authentication, you must already have created the RADIUS server or LDAP server configuration.
• You must have read-write permission for system settings.
Syntax
config system admin
edit <name>
set access-profile <datasource>
set access-token <string>
set auth-strategy {local | ldap | radius}
set ldap-server <datasource>
set radius-server <datasource>
set is-system-admin {no|yes}
set password <passwd>
set privilege-map <string>
set role-list <string>
set trusted-hosts <ip&netmask>
set vdom <datasource>
next
end
<name>
Name of the administrator account, such as admin1 or admin@example.com.
Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35
characters.
Note: This is the user name that the administrator must provide when logging in to the CLI or web
UI.
After you initially save the configuration, you cannot edit the name.
access-profile
Specify a user-defined or predefined profile. The predefined profile named super_admin_prof is
a special access profile used by the admin account. However, specifying this access profile will
not confer all permissions of the admin account. For example, the new administrator would not
be able to reset lost administrator passwords.
Note: This option does not appear for the admin administrator account, which by definition
always uses the super_admin_prof access profile.
access-token
Reserved for future use.
auth-strategy
• local—Use the local authentication server.
• ldap—Use an LDAP authentication server. Select the LDAP server configuration.
• radius—Use a RADIUS authentication server.
ldap-server
If using LDAP, specify the LDAP server configuration.
radius-server
If using RADIUS, specify the RADIUS server configuration.
is-system-admin
• yes—Can access all virtual domains.
• no—Can access only the virtual domain specified in this configuration.
password
Set a strong password for all administrator accounts. The password should be at least eight
characters long, be sufficiently complex, and be changed regularly. To check the strength of your
password, you can use a utility such as Microsoft’s password strength meter.
privilege-map
Reserved for future use.
role-list
Reserved for future use.
trusted-hosts
Source IP address and netmask from which the administrator is allowed to log in. For multiple
addresses, separate each entry with a space. You can specify up to three trusted areas. They
can be single hosts, subnets, or a mixture.
Configuring trusted hosts hardens the security of the system. In addition to knowing the
password, an administrator must connect only from the computer or subnets you specify.
Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet,
SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the
local console is by definition not remote, and does not occur through the network.
If ping is enabled, the address you specify here is also a source IP address to which the system
will respond when it receives a ping or traceroute signal.
To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:
192.0.2.2/32
2001:0db8:85a3::8a2e:0370:7334/128
To allow login attempts from any IP address (not recommended), enter:
0.0.0.0/0.0.0.0.
Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means
that all accounts are still exposed to the risk of brute force login attacks. This is because if you
leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login
attempts on all network interfaces where remote administrative protocols are enabled, and wait
until after a login attempt has been received in order to check that user name’s trusted hosts list.
Tip: If you allow login from the Internet, set a longer and more complex New Password, and
enable only secure administrative access protocols. We also recommend that you restrict trusted
hosts to IPs in your administrator’s geographical area.
Tip: For improved security, restrict all trusted host addresses to single IP addresses of
computer(s) from which only this administrator will log in.
vdom
If you have enabled the virtual domain feature, specify the virtual domain that this administrator
can view and manage.
Example
FortiADC-VM # config system admin
FortiADC-VM (admin) # edit doc-admin
Add new entry 'doc-admin' for node 78
FortiADC-VM (doc-admin) # set access-profile doc-admin
FortiADC-VM (doc-admin) # end
FortiADC-VM # get system admin doc-admin
is-system-admin     : no
vdom                : root
password            : *
trusted-hosts       : 0.0.0.0/0 ::/0
auth-strategy       : local
access-profile      : doc-admin
theme               :
role-list           :
privilege-map       :
access-token : 3p6RgrzT21ciDMdwgowh9Lwd303SoSsrhygy0Or0PDhrnuXBQrRZdnagne
6K6y9o5qU5el31WkqiMmRANIy04IfpWl91SjnXHh0TA1SukjM6DCFoidnmVCKQVRRN8cIP
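The trusted-hosts caution above (one account left at 0.0.0.0/0 exposes every account) is the kind of thing worth checking from a saved `show` output rather than by hand. The following Python parser for the nested config/edit/set/next/end text that `show` prints, and the audit built on it, are an added example and not FortiADC code; the sample configuration is constructed, and an admin entry with no `set trusted-hosts` line is treated as the default `0.0.0.0/0 ::/0` shown in the get output above. The parser also handles nested blocks such as the `config router ospf` show output earlier.

```python
"""Parser for FortiADC 'show' output plus an audit of 'config system admin'
trusted-hosts. Added example, not FortiADC code; sample text is constructed."""
import ipaddress

DEFAULT_TRUSTED_HOSTS = "0.0.0.0/0 ::/0"   # what get prints when nothing is set


def parse_show(text: str) -> dict:
    """Build a tree: 'config X' -> {...}, 'edit N' -> {...}, 'set K V' -> "V"."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        node = stack[-1] if stack else root
        if verb in ("config", "edit"):
            child = node.setdefault(rest.strip('"'), {})
            stack.append(child)
        elif verb == "set":
            key, _, value = rest.partition(" ")
            node[key] = value                  # raw remainder, e.g. "10.0.0.0/8 ::/0"
        elif verb in ("next", "end"):
            if not stack:
                raise ValueError(f"unbalanced '{verb}'")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {line}")
    if stack:
        raise ValueError("missing next/end")
    return root


def is_unrestricted(spec: str) -> bool:
    """True for 0.0.0.0/0, 0.0.0.0/0.0.0.0, ::/0 or any other prefix length 0."""
    try:
        return ipaddress.ip_network(spec, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_trusted_hosts(tree: dict) -> dict:
    """List the accounts whose trusted-hosts admit any source address; per the
    caution, a single such account leaves login attempts open on every
    interface with remote administration enabled."""
    admins = tree.get("system admin", {})
    unrestricted = []
    for name, entry in admins.items():
        hosts = entry.get("trusted-hosts", DEFAULT_TRUSTED_HOSTS).split()
        if any(is_unrestricted(h) for h in hosts):
            unrestricted.append(name)
    return {"unrestricted": unrestricted, "exposed": bool(unrestricted)}


# Constructed 'show system admin' output (not from a real appliance).
SAMPLE_ADMIN = """\
config system admin
    edit admin
        set access-profile super_admin_prof
    next
    edit auditor
        set access-profile doc-admin
        set trusted-hosts 192.0.2.2/32
    next
    edit ops
        set access-profile doc-admin
        set trusted-hosts 10.0.0.0/8 0.0.0.0/0.0.0.0
    next
end
"""
```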
config system certificate ca
Use this command to configure CA certificates. It is an alternative to the execute certificate ca command.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system certificate ca
edit <name>
set certificate <certificate>
next
end
certificate
Paste the contents of a CA certificate file between quotation marks as shown in the example.
Example
FortiADC-VM # config system certificate ca
FortiADC-VM (ca) # get
== [ Fortinet_CA ]
== [ OracleSSLCA ]
== [ ca ]
FortiADC-VM # config system certificate ca
FortiADC-VM (ca) # edit ca-new
FortiADC-VM (ca-new) # set certificate "-----BEGIN CERTIFICATE-----
> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
> -----END CERTIFICATE-----"
FortiADC-VM (ca-new) # end
config system certificate ca_group
Use this command to manage CA groups.
Create CA groups to facilitate the configuration of the certificate validator that is associated with a virtual server.
Include in the CA group all of the CAs for the pool of backend servers to be associated with a single virtual server.
Before you begin:
• You must have already added the CAs to the CA certificate store.
• You must have read-write permission for system settings.
Syntax
config system certificate ca_group
edit <name>
config group_member
edit <No.>
set ca <datasource>
next
end
next
end
ca
Specify the CA to add to the group.
config system certificate certificate_verify
Use this command to manage certificate validation rules.
To be valid, a client certificate must meet the following criteria:
• Must not be expired or not yet valid
• Must not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP)
• Must be signed by a certificate authority (CA) whose certificate you have imported into the FortiADC appliance
• Must contain a CA field whose value matches a CA's certificate
• Must contain an Issuer field whose value matches the Subject field in a CA's certificate
Certificate validation rules specify the CA certificates to use when validating client certificates, and they specify a CRL
and/or OCSP server, if any, to use for certificate revocation checking.
You select a certificate validation configuration object in the profile configuration for a virtual server. If the client presents
an invalid certificate during the authentication phase of an SSL/TLS session, the FortiADC system rejects the
connection.
Before you begin:
• You must have already created a CA group and an OCSP or CRL configuration.
• You must have read-write permission for system settings.
Syntax
config system certificate certificate_verify
edit <name>
set ca_group <datasource>
set crl <datasource>
set remote_cert <datasource>
next
end
ca_group
Specify the CA group to which the configuration applies.
crl
Specify a CRL configuration to use CRL to validate certificates.
remote_cert
Specify an OCSP configuration to use OCSP to validate certificates.
config system certificate crl
Use this command to manage certificate revocation lists (CRL). You can enable CRL by importing a CRL file or
specifying a CRL URL.
A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file also
contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity
period of a CRL is one hour.
Some potential reasons for certificates to be revoked include:
• A CA server was compromised and the certificates it issued are no longer trustworthy.
• A single certificate was compromised and is no longer trustworthy.
• A certificate has expired and is not supposed to be used past its lifetime.
You can upload a CRL file or specify a URL for the CRL file.
Online certificate status protocol (OCSP) is an alternative to CRL. OCSP is useful, for example, when you do not want to
deploy CRL files, or when you want to avoid publicly exposing your PKI structure, even if that exposure is only the list of
revoked certificates.
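The validation rules listed under config system certificate certificate_verify and the CRL behaviour described above can be exercised with openssl before any material is pasted into the appliance. The following script is an added example, not FortiADC code or Fortinet documentation; it assumes openssl is on the PATH, and the CA name, subject names and file names (Demo Client CA, alice, expired, rogue, crl-empty.pem, crl-revoked.pem) are made up for the demonstration. It builds a throw-away CA, issues a valid, an expired and an untrusted certificate, then shows the same leaf being accepted against a CRL that does not list it and rejected once it is revoked.

```shell
#!/bin/sh
# Added example, not FortiADC code: build a throw-away PKI with openssl and
# apply the validation rules from the text (validity period, CRL revocation,
# chain to a trusted CA, Issuer == CA Subject). ca.pem and crl-*.pem are the
# kind of material pasted into 'config system certificate ca' and
# 'config system certificate crl'. Assumes openssl on PATH; names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so 'openssl ca' can issue, revoke and generate a CRL here.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = .
database           = index.txt
new_certs_dir      = .
serial             = serial
crlnumber          = crlnumber
certificate        = ca.pem
private_key        = ca.key
default_md         = sha256
default_crl_days   = 1
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
touch index.txt
echo 1000 > serial
echo 01 > crlnumber

# Trusted CA: what 'config system certificate ca' would hold.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.pem -subj "/CN=Demo Client CA" -days 365 >/dev/null 2>&1

# issue_cert NAME [openssl ca options]: CSR for CN=NAME signed by the demo CA.
issue_cert() {
  name=$1; shift
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -in "$name.csr" -out "$name.pem" "$@" \
    >/dev/null 2>&1
}
issue_cert alice -days 30
# Validity window entirely in the past: fails the "not expired" rule.
issue_cert expired -startdate 20200101000000Z -enddate 20200102000000Z
# Self-signed by an unknown CA with the same CN: the chain does not end at
# the trusted CA and its Issuer does not match the trusted CA's Subject.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout rogue.key \
  -out rogue.pem -subj "/CN=alice" -days 30 >/dev/null 2>&1

# CRLs before and after revoking alice's certificate. nextUpdate is
# now + default_crl_days; the gap between revocation and the next CRL import
# is the window the OCSP paragraph refers to.
openssl ca -config ca.cnf -gencrl -out crl-empty.pem >/dev/null 2>&1
openssl ca -config ca.cnf -revoke alice.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl-revoked.pem >/dev/null 2>&1

# verify_cert CERT [CRL]: prints accept or reject; with a CRL the leaf is
# also checked for revocation, as a certificate_verify object with a crl does.
verify_cert() {
  rc=0
  if [ -n "$2" ]; then
    openssl verify -CAfile ca.pem -crl_check -CRLfile "$2" "$1" >/dev/null 2>&1 || rc=$?
  else
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 || rc=$?
  fi
  [ "$rc" -eq 0 ] && echo accept || echo reject
}

for c in alice.pem expired.pem rogue.pem; do
  printf '%-12s %s\n' "$c" "$(verify_cert "$c")"
done
printf '%-12s %s (CRL before revocation)\n' alice.pem "$(verify_cert alice.pem crl-empty.pem)"
printf '%-12s %s (CRL after revocation)\n' alice.pem "$(verify_cert alice.pem crl-revoked.pem)"
```

The contents of ca.pem go into set certificate under config system certificate ca, and crl-revoked.pem into set crl under config system certificate crl. Because this CRL's nextUpdate is only one day out, it has to be regenerated and re-imported (or fetched by http-url) before it lapses; where that cadence is impractical, the OCSP path under config system certificate remote avoids the file distribution entirely.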
Before you begin:
• You must know the URL of a CRL server, or have downloaded the CRL file and be able to browse to it so that you can
upload it.
• You must have read-write permission for system settings.
Syntax
config system certificate crl
edit <name>
set crl <certificate>
set http-url <string>
set scep-url <string>
next
end
crl
Paste the contents of a CRL certificate file between quotation marks as shown in the example.
http-url
Specify an HTTP URL.
scep-url
Specify a SCEP URL.
Example
FortiADC-VM # config system certificate crl
FortiADC-VM (crl) # edit new-crl
FortiADC-VM (new-crl) # set crl "-----BEGIN X509 CRL-----
> MIIBxTCBrgIBATANBgkqhkiG9w0BAQsFADBrMRMwEQYKCZImiZPyLGQBGRYDb3Jn
> MRcwFQYKCZImiZPyLGQBGRYHY2lsb2dvbjELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
> B0NJTG9nb24xHDAaBgNVBAMTE0NJTG9nb24gU2lsdmVyIENBIDEXDTE1MDMxNzA4
> NDIwM1oXDTE1MDQxNjA4NDIwM1qgDzANMAsGA1UdFAQEAgIR8DANBgkqhkiG9w0B
> AQsFAAOCAQEAxTbPy5RGtqyE9VLAzNReCBlIcq3PxiLyuBkyniSZdwAkE8znwXLh
> CYBRCLhkY87sGBqRB1lU4v31RIVsy4AMuJrL2B2ClOa2aEry+PcMMehKnIZcTtMi
> YBvCDsbZSGM1JsxCGMakDaMCMqIpVwcnwzoY7rYtlvzlDfUJVMs+hTyRcqq326/l
> smNcUkLhy4U5ydqFqMT2SaLXDw7hsxEARU7AHhWssgDgAPk/UdH4IxNNtmNb4mcK
> j+D87pdYeXLcHqqv+OhCS70e/dmTJPwXrn9ZmG6gjBxPb2MUbUNw252JnFaRpj58
> aVuuSGcqLs2fVs1rGLRW4Pw8aHF3cafbew==
> -----END X509 CRL-----"
FortiADC-VM (new-crl) # end
See also
• execute certificate crl
config system certificate intermediate_ca
Use this command to configure intermediate CAs.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system certificate intermediate_ca
edit <name>
set certificate <certificate>
next
end
certificate
Paste the contents of an intermediate CA file between quotation marks as shown in the example.
Example
FortiADC-VM # config system certificate intermediate_ca
FortiADC-VM (intermediate_ca) # edit new-intermediate-ca
Add new entry 'new-intermediate-ca' for node 1605
FortiADC-VM (new-intermedia~e) # set certificate "-----BEGIN CERTIFICATE-----
> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
> -----END CERTIFICATE-----"
FortiADC-VM (new-intermedia~e) # end
config system certificate intermediate_ca_group
Use this command to manage intermediate CA groups.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system certificate intermediate_ca_group
edit <name>
config group_member
edit <No.>
set ca <datasource>
next
end
next
end
ca
Specify an intermediate CA configuration object to add to the group.
config system certificate local
Use this command to manage local certificates.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system certificate local
edit <name>
set certificate <certificate>
set comments <string>
set csr <csr>
set password <passwd>
set private-key <key>
next
end
certificate
Paste the contents of a certificate file between quotation marks as shown in the example.
comments
Optional administrator note.
csr
Paste the contents of a CSR file between quotation marks as shown in the example.
password
Password that was used to encrypt the file. The FortiADC system uses the password to decrypt
and install the certificate.
private-key
Paste the contents of a key file between quotation marks as shown in the example.
Example
FortiADC-VM # config system certificate local
FortiADC-VM (local) # get
== [ Factory ]
== [ csr_name_test ]
FortiADC-VM (local) # show
config system certificate local
edit "csr_name_test"
set password ENC t7e4fiX6Sd6T5426Gg/HQXRH41mBwGmjKdBSHUbVUZTka2FtD1oLMWE2mTq1c9GMUz0DokPfoqxkjkmja5mWv4/wA5XdQ00lQmTeMZK/X5OSFmSS
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBnjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5/vf1VQB/28CAggA
MBQGCCqGSIb3DQMHBAgZorM0zlnPNASCAViZk4wTZYYMPl0e7NwyxqvLND3LxUaV
UG1XpUSPfnUP4YgrV2d0Uijclj5M7MS341cMVKZ7G1pS/6jvxUr0NamQv4j7JsJ0
t3G7LMkzcTiep26GUCy55Qt+iob7lh0iiKa+4uPOq/Mzy+84AWnRNLfIhevHPsYb
rk4UbwNOFb0ZD9i06+UrFLsRGmtp/vlDyBgAoBojKxB/4j0G299QamnzPz4qneBc
HtPqTMPELyqtT6w4cmnwp6Ti2OOAr9c44mKdyyAVZKie+Iu/4pSVBNSfuC+jjtmC
k8OrCrG14NwrhbTY9zEnGxBRR1NMTEBBTqAQNYWtjUEQVjmY1GAJA3/oBQe7l8C/
G/IUVvc/aaqMvsKSNfDpgZaudTDe1Wxi1792ADGh7zslls+ykH9nmqh7BPfm30Nv
f8O1hXgq01Lvo4v1xdC0w5oAeCyGlbTY5ZnXJFm0HCp0kA==
-----END ENCRYPTED PRIVATE KEY-----"
set csr "-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB4gIBADBqMQswCQYDVQQIEwJjYTESMBAGA1UEBxMJc3Vubnl2YWxlMREw
DwYDVQQKEwhmb3J0aW5ldDENMAsGA1UECxMEZmFkYzEQMA4GA1UEAxMHZXhhbXBs
ZTETMBEGCSqGSIb3DQEJARYEcm9vdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDK
XH/MC1KTkkZJiQDFb6IXHLYsSVbJzF0K30s3CVmKZvJQSBnmV8aq3fJjN281rrFT
iUovVdBzwCF5jKbxsrPLAgMBAAGgEzARBgNVHRMxChMIQ0E6RkFMU0UwDQYJKoZI
hvcNAQEFBQADQQB96NU+xjds83/6VRSzsyxeVxAGVD7F9Npuji8r/MpxPiMT0PQM
G8Wg//26ZqpwjuPq2V1+7QU4MDk3B5VUJSEF
-----END CERTIFICATE REQUEST-----"
next
end
FortiADC-VM (local) # edit new-local
Add new entry 'new-local' for node 849
FortiADC-VM (new-local) # set private-key "-----BEGIN RSA PRIVATE KEY-----
> MIIJKQIBAAKCAgEA3W29+ID6194bH6ejLrIC4hb2Ugo8v6ZC+Mrck2dNYMNPjcOK
> ABvxxEtBamnSaeU/IY7FC/giN622LEtV/3oDcrua0+yWuVafyxmZyTKUb4/GUgaf
> RQPf/eiX9urWurtIK7XgNGFNUjYPq4dSJQPPhwCHE/LKAykWnZBXRrX0Dq4XyApN
> ku0IpjIjEXH+8ixE12wH8wt7DEvdO7T3N3CfUbaITl1qBX+Nm2Z6q4Ag/u5rl8NJ
> fXg71ZmXA3XOj7zFvpyapRIZcPmkvZYn7SMCp8dXyXHPdpSiIWL2uB3KiO4JrUYv
> t2GzLBUThp+lNSZaZ/Q3yOaAAUkOx+1h08285Pi+P8lO+H2Xic4SvMq1xtLg2bNo
> PC5KnbRfuFPuUD2/3dSiiragJ6uYDLOyWJDivKGt/72OVTEPAL9o6T2pGZrwbQui
> FGrGTMZOvWMSpQtNl+tCCXlT4mWqJDRwuMGrI4DnnGzt3IKqNwS4Qyo9KqjMIPwn
> XZAmWPm3FOKe4sFwc5fpawKO01JZewDsYTDxVj+cwXwFxbE2yBiFz2FAHwfopwaH
> 35p3C6lkcgP2k/zgAlnBluzACUI+MKJ/G0gv/uAhj1OHJQ3L6kn1SpvQ41/ueBjl
> unExqQSYD7GtZ1Kg8uOcq2r+WISE3Qc9MpQFFkUVllmgWGwYDuN3Zsez95kCAwEA
> AQKCAgBymEHxouau4z6MUlisaOn/Ej0mVi/8S1JrqakgDB1Kj6nTRzhbOBsWKJBR
> EbRidI61mtGNikIF+PAAN+YgFJbXYK5I5jjIDs5JJohIkKaP9c5AJbxnpGslvLg/
> IDrFXBc22YY9QTa4YldCi/eOrP0eLIANs95u3zXAqwPBnh1kgG9pYsbuGy5Fh4kp
> PzTrIv5aIqYtvJwQzrDyGYcHMaEpNpg5Rz716jPGi5hAPRH+7pyHhO/Watv4bvB+
> RoplFQKCAQEA6i+DcoCL5A+N3tlvkuuQBUw/xzhn2uu5BP/kwd2A+b7gfp6Uv9lf
> lCjO+O+v12+SDC1U96+CaQUFLQSw7H/7vfH4UsJmhvX0HWSSWFzsZRCiklOgl1/4
> vlNgB7MU/c7bZLyor3ZuWQh8Q6fgRSQj0kp1T/78RrwDl8r7xG4gW6vj6F6m+9bg
> ro5Zayu3qxqJhWVvR3OPvm8pVa4hIJR5J5Jj3yZNOwdOX/Saiv6tEx7MvB5bGQlC
> 6co5SIEPPZ/FNC1Y/PNOWrb/Q4GW1AScdICZu7wIkKzWAJCo59A8Luv5FV8vm4R2
> wRsQuawQVLCUEP3To6kYOwTzJq7jhiUK6FnjLjeTrNQSVdoqwoJrlTAHgXVV3q7q
> 4JkyB6kXcVfowrjYXqDF/UX0ddDLLGF96ZStte3PXX8PQWY89FZuBkGw6NRZInHi
> xinN2V8cm7Cw85d9Ez2zEGB4KC7LI+JgLQtdg3XvbdfhOi06eGjgK2mwfOqT8Sq+
> v9POIJXTNEI3fi3dB86af/8OXRtOrAa1mik2msDI1Goi7cKQbC3fz/p1ISQCptvs
> YvNwstDDutkA9o9araQy5b0LC6w5k+CSdVNbd8O2EUd0OBOUjblHKvdZ3Voz8EDF
> ywYimmNGje1lK8nh2ndpja5q3ipDs1hKg5UujoGfei2gn0ch5QKCAQEA8O+IHOOu
> T/lUgWspophE0Y1aUJQPqgK3EiKB84apwLfz2eAPSBff2dCN7Xp6s//u0fo41LE5
> P0ds/5eu9PDlNF6HH5H3OYpV/57v5O2OSBQdB/+3TmNmQGYJCSzouIS3YNOUPQ1z
> FFvRateN91BW7wKFHr0+M4zG6ezfutAQywWNoce7oGaYTT8z/yWXqmFidDqng5w5
> 6d8t40ScozIVacGug+lRi8lbTC+3Tp0r+la66h49upged3hFOvGXIOybvYcE98K2
> GpNl9cc4q6O1WLdR7QC91ZNflKOKE8fALLZ/stEXL0p2bixbSnbIdxOEUch/iQhM
> chxlsRFLjxV1dwKCAQEA60X6LyefIlXzU3PA+gIRYV0g8FOxzxXfvqvYeyOGwDaa
> p/Ex50z76jIJK8wlW5Ei7U6xsxxw3E9DLH7Sf3H4KiGouBVIdcv9+IR0LcdYPR9V
> oCQ1Mm5a7fjnm/FJwTokdgWGSwmFTH7/jGcNHZ8lumlRFCj6VcLT/nRxM6dgIXSo
> w1D9QGC9V+e6KOZ6VR5xK0h8pOtkqoGrbFLu26GPBSuguPJXt0fwJt9PAG+6VvxJ
> 89NLML/n+g2/jVKXhfTT1Mbb3Fx4lnbLnkP+JrvYIaoQ1PZNggILYCUGJJTLtqOT
> gkg1S41/X8EFg671kAB6ZYPbd5WnL14Xp0a9MOB/bwKCAQEA6WVAl6u/al1/jTdA
> R+/1ioHB4Zjsa6bhrUGcXUowGy6XnJG+e/oUsS2kr04cm03sDaC1eOSNLk2Euzw3
> EbRidI61mtGNikIF+PAAN+YgFJbXYK5I5jjIDs5JJohIkKaP9c5AJbxnpGslvLg/
> IDrFXBc22YY9QTa4YldCi/eOrP0eLIANs95u3zXAqwPBnh1kgG9pYsbuGy5Fh4kp
> q7WSpLYo1kQo6J8QQAdhLVh4B7QIsU7GQYGm0djCR81Mt2o9nCW1nEUUnz32YVay
> ASM/Q0eip1I2kzSGPLkHww2XjjjkD1cZfIhHnYZ+kO3sV92iKo9tbFOLqmbz48l7
> RoplFQKCAQEA6i+DcoCL5A+N3tlvkuuQBUw/xzhn2uu5BP/kwd2A+b7gfp6Uv9lf
> P6SCgHf6D4UOMQyN0O1UYdb71ESAnp8BGF7cpC97KtXcfQzK3+53JJAWGQsxcHts
> Q0foss6gTZfkRx4EqJhXeOdI06aX5Y5ObZj7PYf0dn0xqyyYqYPHKkYG3jO1gelJ
> T0C3ipKv3h4pI55Jg5dTYm0kBvUeELxlsg3VM4L2UNdocikBaDvOTVte+Taut12u
> OLaKns9BR/OFD1zJ6DSbS5n/4A9p4YBFCG1Rx8lLKUeDrzXrQWpiw+9amunpMsUr
> rlJhfMwgXjA7pOR1BjmOapXMEZNWKlqsPQKCAQByVDxIwMQczUFwQMXcu2IbA3Z8
> Czhf66+vQWh+hLRzQOY4hPBNceUiekpHRLwdHaxSlDTqB7VPq+2gSkVrCX8/XTFb
> SeVHTYE7iy0Ckyme+2xcmsl/DiUHfEy+XNcDgOutS5MnWXANqMQEoaLW+NPLI3Lu
> V1sCMYTd7HN9tw7whqLg18wB1zomSMVGT4DkkmAzq4zSKI1FNYp8KA3OE1Emwq+0
> wRsQuawQVLCUEP3To6kYOwTzJq7jhiUK6FnjLjeTrNQSVdoqwoJrlTAHgXVV3q7q
> v3TGd3xXD9yQIjmugNgxNiwAZzhJs/ZJy++fPSJ1XQxbd9qPghgGoe/ff6G7
> -----END RSA PRIVATE KEY-----"
FortiADC-VM (new-local) # set certificate "-----BEGIN CERTIFICATE-----
> MIIGJzCCBA+gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBsjELMAkGA1UEBhMCRlIx
> DzANBgNVBAgMBkFsc2FjZTETMBEGA1UEBwwKU3RyYXNib3VyZzEYMBYGA1UECgwP
> d3d3LmZyZWVsYW4ub3JnMRAwDgYDVQQLDAdmcmVlbGFuMS0wKwYDVQQDDCRGcmVl
> bGFuIFNhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgkqhkiG9w0BCQEW
> E2NvbnRhY3RAZnJlZWxhbi5vcmcwHhcNMTIwNDI3MTAzMTE4WhcNMjIwNDI1MTAz
> MTE4WjB+MQswCQYDVQQGEwJGUjEPMA0GA1UECAwGQWxzYWNlMRgwFgYDVQQKDA93
> d3cuZnJlZWxhbi5vcmcxEDAOBgNVBAsMB2ZyZWVsYW4xDjAMBgNVBAMMBWFsaWNl
> MSIwIAYJKoZIhvcNAQkBFhNjb250YWN0QGZyZWVsYW4ub3JnMIICIjANBgkqhkiG
> 9w0BAQEFAAOCAg8AMIICCgKCAgEA3W29+ID6194bH6ejLrIC4hb2Ugo8v6ZC+Mrc
> (remaining lines of the certificate body not shown)
> -----END CERTIFICATE-----"
FortiADC-VM (new-local) # end
See also
• execute certificate local
config system certificate local_cert_group
Use this command to manage local certificate groups.
Create local groups to facilitate the configuration of profiles that are associated with a virtual server.
Include in the local certificate group all of the server certificates and intermediate CAs for the pool of backend servers to
be associated with a single virtual server.
Before you begin:
• You must have already added the certificates to the local certificate store and the intermediate CA certificate store.
• You must have read-write permission for system settings.
Syntax
config system certificate local_cert_group
edit <name>
config group_member
edit <No.>
set default {enable|disable}
set intermediate-ca-group <datasource>
set local-cert <datasource>
next
end
next
end
default
Specify one certificate to be the default for the group.
intermediate-ca-group
Specify an Intermediate CA group configuration.
local-cert
Specify a local certificate configuration.
config system certificate remote
Use this command to configure Online Certificate Status Protocol (OCSP). You can enable OCSP by importing an OCSP
CA certificate or specifying an OCSP URL.
OCSP enables you to validate or revoke certificates by query, rather than by importing certificate revocation list (CRL)
files. Since distributing and installing CRL files can be a considerable burden in large organizations, and because the delay
between the release and installation of a CRL represents a vulnerability window, OCSP is often preferable.
Note: To use OCSP queries, you must first install the certificates of the trusted OCSP/CRL servers.
Before you begin:
• You must know the URL of an OCSP server, or have downloaded the certificate and key files and be able to browse to
them so that you can upload them.
• You must have read-write permission for system settings.
Syntax
config system certificate remote
edit <name>
set certificate <certificate>
set ocsp-url <string>
next
end
certificate
Paste the contents of a CA file between quotation marks as shown in the example.
ocsp-url
Specify the OCSP URL.
Example
FortiADC-VM # config system certificate remote
FortiADC-VM (remote) # get
== [ ca ]
FortiADC-VM (remote) # edit new-remote-ca
Add new entry 'new-remote-ca' for node 930
FortiADC-VM (new-remote-ca) # set certificate "-----BEGIN CERTIFICATE----> MIID0TCCArmgAwIBAgIJAKr1/WtE48FeMA0GCSqGSIb3DQEBCwUAMGgxEzARBgoJ
> kiaJk/IsZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQG
> EwJVUzEQMA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0Eg
> MTAeFw0xNDA0MzAxNDE4MDhaFw0zNDA0MzAxNDE4MDhaMGgxEzARBgoJkiaJk/Is
> ZAEZFgNvcmcxFzAVBgoJkiaJk/IsZAEZFgdjaWxvZ29uMQswCQYDVQQGEwJVUzEQ
> MA4GA1UEChMHQ0lMb2dvbjEZMBcGA1UEAxMQQ0lMb2dvbiBPU0cgQ0EgMTCCASIw
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQQzsB9Uc37VuIyt5xJxcYYkc6K
> XpYihHgskTQp6YYB4XHVimouHafMYyoFsnenrcgf2NGFDvi9l9x9mnL77920JqGr
> LijieMiFEyP1nhGW8C6nJjkSsXLbgZNh9u6U+0oAbspsFRwdHDZOI7gIHSJ2zuiY
> CkMAvjw9TN44Q4IFCvSIf7mfzZgBH7AW1sbgznqnAJsWQhQGTpxZAxubItesyduD
> vj8tz9eb5u8JO3iQ/LYhMspNnxcpTFdaLn2v82NAFTtCrZdCd7aLj1DM0DPEX7Nw
> V/rt/l+tlscglYyEoUnlPYuSQN0Q6Aj5i1GcKPvnFS0Oy9lGY1lT1vZJ4F0CAwEA
> AaN+MHwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
> FP7bnvI4TIqtrM+KGgCvedJiQpuHMB8GA1UdIwQYMBaAFP7bnvI4TIqtrM+KGgCv
> edJiQpuHMBkGA1UdEQQSMBCBDmNhQGNpbG9nb24ub3JnMA0GCSqGSIb3DQEBCwUA
> A4IBAQCq5KUHQNg51uh1pxKMXQ98ADj2bNzQbswdAFslPow8tTZIBMwhdrq02ZHC
> XPyp2IHxfv+G+pMV1JFtdR0fy8ivilMNyjObEGh1Ss3kvvU7d1z3XwPxqpNcwDqs
> 1K6RRg4zpNWCFPcliAkPDsDbaN1B6A6zJXqOpGgzwocU3dZbPe5sYLgkWZO2/8MI
> eAEk7zoU1ZPSZiu5HghPafKuE1HYshvsak090tRgC6VLvaSLoNZlwR0GuFVGdewH
> 4jR1HpENH7QiLCB1NGCoJgDi3qiFosw3M2+0ExevE1afj2Usm4oZir+Uty0rvR8D
> 03RHH8yYbZ9rw0kuwTkJEo3bYDxH
> -----END CERTIFICATE-----"
FortiADC-VM (new-remote-ca) #
See also
• execute certificate remote
config system dns
Use this command to configure DNS.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system dns
set primary <class_ip>
set secondary <class_ip>
end
primary
Specify the IP address for the primary DNS server.
secondary
Specify the IP address for the secondary DNS server.
Example
FortiADC-VM # get system dns
primary : 8.8.8.8
secondary : 0.0.0.0
FortiADC-VM # config system dns
FortiADC-VM (dns) # set secondary 8.8.4.4
FortiADC-VM (dns) # end
FortiADC-VM # get system dns
primary : 8.8.8.8
secondary : 8.8.4.4
config system dos-prevention
Use this command to enable basic denial of service (DoS) prevention to combat SYN floods.
When enabled, FortiADC uses the SYN cookie method to track half-open connections. The system maintains a DoS
mitigation table for each configured IPv4 virtual server. It times out half-open connections so that they do not deplete
system resources.
Note: The DoS feature is not supported for IPv6 traffic or for Layer 4 virtual servers with the Direct Routing packet
forwarding mode.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system dos-prevention
set syncookie {enable|disable}
set max_half_open <integer>
end
syncookie
Enable/disable denial-of-service prevention.
max_half_open
Specify a maximum number of half open connections. The default is 1. The valid range is 1 to
80,000.
Example
FortiADC-VM # get system dos-prevention
syncookie : disable
max_half_open : 1
FortiADC-VM # config system dos-prevention
FortiADC-VM (dos-prevention) # set syncookie enable
FortiADC-VM (dos-prevention) # set max_half_open 100
FortiADC-VM (dos-prevention) # end
FortiADC-VM # get system dos-prevention
syncookie : enable
max_half_open : 100
config system fortiguard
Use this command to configure how the FortiADC system receives updates from the FortiGuard IP Reputation service.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system fortiguard
set override-server-status {enable|disable}
set override-server-address <string>
set push-update-override-status {enable|disable}
set push-update-override-address <string>
set push-update-override-port <integer>
set push-update-status {enable|disable}
set scheduled-update-day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday |
Saturday}
set scheduled-update-frequency {daily|weekly|every}
set scheduled-update-status {enable|disable}
set scheduled-update-time <hh:mm>
set tunneling-status {enable|disable}
set tunneling-address <class_ip>
set tunneling-password <passwd>
set tunneling-port <integer>
set tunneling-username <string>
end
override-server-status
Enable/disable connection to the override server address.
override-server-address
Override server IP address.
push-update-override-status
Enable/disable push updates via connection to the override server.
push-update-override-address
IP address to which to push updates.
push-update-override-port
Port for push updates.
push-update-status
Enable/disable push updates.
scheduled-update-day
Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday.
scheduled-update-frequency
• Every—Schedule periodic updates. Specify the time to perform the update.
• Daily—Schedule daily updates. Specify the time of day to perform the update.
• Weekly—Schedule weekly updates. Specify the day and time to perform the update.
scheduled-update-status
Enable/disable scheduled updates.
scheduled-update-time
<hh:mm> hour and minute, hh: 0-23, mm: {00|15|30|45}.
tunneling-status
Enable/disable use of a web proxy server for connections to the FortiGuard service.
tunneling-address
Web proxy server IP address.
tunneling-port
Port for the web proxy server.
tunneling-username
Administrator username for the web proxy server.
tunneling-password
Password for the web proxy server.
Example
FortiADC-VM # get system fortiguard
scheduled-update-status: enable
scheduled-update-frequency: weekly
scheduled-update-day: Sunday
scheduled-update-time: 04:00
override-server-status: disable
push-update-status : enable
push-update-override-status: disable
tunneling-status : disable
FortiADC-VM # config system fortiguard
FortiADC-VM (fortiguard) # set scheduled-update-time 23:45
FortiADC-VM (fortiguard) # end
FortiADC-VM # get system fortiguard
scheduled-update-status: enable
scheduled-update-frequency: weekly
scheduled-update-day: Sunday
scheduled-update-time: 23:45
override-server-status: disable
push-update-status : enable
push-update-override-status: disable
tunneling-status : disable
config system global
Use this command to manage system settings.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system global
set admin-idle-timeout <integer>
set default-certificate <certname>
set gui-firewall {enable|disable}
set gui-global-dns-load-balance {enable|disable}
set gui-link-load-balance {enable|disable}
set gui-load-balance {enable|disable}
set hostname <string>
set language english
set operation-mode {gateway|server|transparent}
set port-http <integer>
set port-https <integer>
set port-ssh <integer>
set port-telnet <integer>
set theme {dark|light}
set vdom-admin {enable|disable}
end
admin-idle-timeout
Log out an idle administrator session. The default is 30 minutes.
default-certificate
The default is Factory.
gui-firewall
Deprecated.
gui-global-dns-load-balance
Deprecated.
gui-link-load-balance
Deprecated.
gui-load-balance
Deprecated.
hostname
You can configure a hostname to facilitate system management. If you use
SNMP, for example, the SNMP system name is derived from the configured
hostname.
The hostname can be up to 35 characters in length. It can include US-ASCII
letters, numbers, hyphens, and underscores, but not spaces and special
characters.
The System Information widget and the get system status CLI command
display the full hostname. If the hostname is longer than 16 characters, the name
is truncated and ends with a tilde ( ~ ) to indicate that additional characters exist,
but are not displayed.
language
English is supported.
operation-mode
Deprecated.
port-http
Specify the port for the HTTP service. Usually, HTTP uses port 80.
port-https
Specify the port for the HTTPS service. Usually, HTTPS uses port 443.
port-ssh
Specify the port for the SSH service. Usually, SSH uses port 22.
port-telnet
Specify the port for the Telnet service. Usually, Telnet uses port 23. Telnet carries credentials in cleartext, so prefer SSH for remote administration and leave Telnet disabled on untrusted networks.
theme
Deprecated.
vdom-admin
Enables the virtual domain feature.
Example
FortiADC-VM # get system global
operation-mode : gateway
default-certificate : Factory
hostname : FortiADC-VM
vdom-admin : disable
admin-idle-timeout : 30
port-http : 80
port-https : 443
port-ssh : 22
port-telnet : 23
language : english
theme : light
gui-system : enable
gui-router : enable
gui-log : enable
gui-load-balance : enable
gui-global-dns-load-balance : enable
gui-firewall : disable
gui-link-load-balance : disable
FortiADC-VM # config system global
FortiADC-VM (global) # set admin-idle-timeout 1
FortiADC-VM (global) # end
FortiADC-VM # get system global
operation-mode : gateway
default-certificate : Factory
hostname : FortiADC-VM
vdom-admin : disable
admin-idle-timeout : 1
port-http : 80
port-https : 443
port-ssh : 22
port-telnet : 23
language : english
theme : light
gui-system : enable
gui-router : enable
gui-log : enable
gui-load-balance : enable
gui-global-dns-load-balance : enable
gui-firewall : disable
gui-link-load-balance : disable
config system ha
Use this command to configure high availability (HA) settings.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system ha
set arps <integer>
set arps-interval <integer>
set datadev <datasource>
set group-id <integer>
set group-name <string>
set hb-interval <integer>
set hb-lost-threshold <integer>
set hbdev <datasource>
set http-persistence-pickup {enable|disable}
set local-node-id <integer>
set l4-persistence-pickup {enable|disable}
set l4-session-pickup {enable|disable}
set mode {active-active | active-passive | standalone}
set monitor <datasource>
set node-list {0 1 2 3 4 5 6 7}
set override {enable|disable}
set priority <integer>
end
arps
Number of times that the cluster member broadcasts extra address resolution protocol
(ARP) packets when it takes on the primary role. (Even though a new NIC has not
actually been connected to the network, the member does this to notify the network
that a new physical port has become associated with the IP address and virtual MAC
of the HA cluster.) This is sometimes called “using gratuitous ARP packets to train the
network,” and can occur when the primary node is starting up, or during a failover.
Also configure ARP Packet Interval.
Normally, you do not need to change this setting. Exceptions include:
• Increase the number of times the primary node sends gratuitous ARP packets if an
active-passive cluster takes a long time to fail over or to train the network. Sending
more gratuitous ARP packets may help the failover to happen faster.
• Decrease the number of times the primary node sends gratuitous ARP packets if
the cluster has a large number of VLAN interfaces and virtual domains. Because
gratuitous ARP packets are broadcast, sending them might generate a large
amount of network traffic. As long as the active-passive cluster fails over
successfully, you can reduce the number of times gratuitous ARP packets are sent
to reduce the amount of traffic produced by a failover.
The valid range is 1 to 60. The default is 5.
arps-interval
Number of seconds to wait between each broadcast of ARP packets.
Normally, you do not need to change this setting. Exceptions include:
• Decrease the interval if an active-passive cluster takes a long time to fail over or to
train the network. Sending ARP packets more frequently may help the failover to
happen faster.
• Increase the interval if the cluster has a large number of VLAN interfaces and
virtual domains. Because gratuitous ARP packets are broadcast, sending them
might generate a large amount of network traffic. As long as the active-passive
cluster fails over successfully, you can increase the interval between when
gratuitous ARP packets are sent to reduce the rate of traffic produced by a failover.
The valid range is from 1 to 40. The default is 6 seconds.
datadev
Set the network interface to be used for data synchronization among cluster nodes.
You can configure up to two data ports. If one data port fails, its traffic fails over to the
next data port. If all data ports fail, data synchronization traffic fails over to the
heartbeat port. If you do not configure a data port, the heartbeat port is used for
synchronization.
Use the same port numbers for all cluster members. For example, if you select port3
on the primary node, select port3 as the data port interface on the other member
nodes.
group-id
Number that identifies the HA cluster.
Nodes with the same group ID join the cluster.
If you have more than one HA cluster on the same network, each cluster must have a
different group ID.
The group ID is used in the virtual MAC address that is sent in broadcast ARP
messages.
The valid range is 0 to 31. The default value is 0.
group-name
Name to identify the HA cluster if you have more than one.
This setting is optional, and does not affect HA function.
The maximum length is 63 characters.
hb-interval
Number of 100-millisecond intervals at which heartbeat packets are sent. This is also
the interval at which a node expects to receive heartbeat packets.
This part of the configuration is pushed from the primary node to member nodes.
The valid range is 1 to 20 (that is, between 100 and 2,000 milliseconds).
Note: Although this setting is pushed from the primary node to member nodes, you
should initially configure all nodes with the same Detection Interval to prevent
inadvertent failover from occurring before the initial synchronization.
hb-lost-threshold
Number of times a node retries the heartbeat and waits to receive HA heartbeat
packets from the other nodes before concluding the other node is down.
This part of the configuration is pushed from the primary node to member nodes.
Normally, you do not need to change this setting. Exceptions include:
• Increase the failure detection threshold if a failure is detected when none has actually occurred. For example, in an active-passive deployment, if the primary node is very busy during peak traffic times, it might not respond to heartbeat packets in time, and a standby node might assume that the primary node has failed.
• Decrease the failure detection threshold or detection interval if administrators and HTTP clients have to wait too long before being able to connect through the primary node, resulting in noticeable down time.
The valid range is from 1 to 60.
Note: Although this setting is pushed from the primary node to member nodes, you
should initially configure all nodes with the same HB Lost Threshold to prevent
inadvertent failover from occurring before the initial synchronization.
hbdev
Set the network interface to be used for heartbeat packets. You can configure one or
two heartbeat ports.
Use the same port number for all cluster members. For example, if you select port3 on
the primary node, select port3 as the heartbeat interface on the other member nodes.
Note: If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces
must be reachable by Layer 2 multicast.
http-persistence-pickup
Enable to synchronize Layer 7 session data used for persistence to backend servers.
When enabled, the source IP address table for sessions is synchronized to support
sessions that use the source IP address persistence method.
When not enabled, a node that receives traffic because of load balancing or failover
would not know that a session had been created already, so it will be treated as a new
session.
l4-persistence-pickup
Enable to synchronize Layer 4 session data used for persistence to backend servers.
When enabled, the source IP address table for sessions is synchronized to support
sessions that use the source IP address persistence method.
When not enabled, a node that receives traffic because of load balancing or failover
would not know that a session had been created already, so it will be treated as a new
session.
l4-session-pickup
Enable to synchronize Layer 4 connection state data.
When enabled, the TCP session table is synchronized. If subsequent traffic for the
connection is distributed through a different cluster node because of failover, the TCP
sessions can resume without interruption.
When not enabled, a node that receives traffic because of failover would not know that
a session had been created already, and the client will be required to re-initialize the
connection.
local-node-id
A number that uniquely identifies the member within the cluster. The valid range is 0-7.
In an active-active deployment, this number is used in the virtual MAC address that is
sent in ARP responses. In an active-passive deployment, this number is not used.
mode
• active-active
• active-passive
• standalone
monitor
One or more network interfaces that correlate with a physical link. These ports will be
monitored for link failure.
Port monitoring (also called interface monitoring) monitors physical network ports to
verify that they are functioning properly and linked to their networks. You can monitor
physical interfaces and 802.3ad aggregated interfaces.
Note: To prevent an unintentional failover, do not configure port monitoring until you
configure HA on all appliances and have plugged in the cables to link the physical
network ports that will be monitored.
node-list
Specify the node IDs for the nodes in the cluster. An active-active cluster can have up
to eight members.
override
Enable to make Device Priority a more important factor than uptime when selecting
the primary node.
priority
Number indicating priority of the member node when electing the cluster primary node.
This setting is optional. The smaller the number, the higher the priority. The valid range
is 0 to 9. The default is 5.
Note: By default, unless you enable Override, uptime is more important than this
setting.
Example
FortiADC-VM # get system ha
mode                    : standalone
hbdev                   :
datadev                 :
group-id                : 0
group-name              :
priority                : 5
override                : disable
hb-interval             : 2
arps                    : 5
hb-lost-threshold       : 6
arps-interval           : 6
http-persistence-pickup : disable
l4-persistence-pickup   : disable
l4-session-pickup       : disable
monitor                 :
FortiADC-VM # config system ha
FortiADC-VM (ha) # set hbdev port2
FortiADC-VM (ha) # set datadev port3
FortiADC-VM (ha) # set group-name dc1-pair
FortiADC-VM (ha) # set priority 1
FortiADC-VM (ha) # set mode active-passive
FortiADC-VM (ha) # end
FortiADC-VM # get system ha
mode                    : active-passive
hbdev                   : port2
datadev                 : port3
group-id                : 0
group-name              : dc1-pair
priority                : 1
override                : disable
hb-interval             : 2
arps                    : 5
hb-lost-threshold       : 6
arps-interval           : 6
http-persistence-pickup : disable
l4-persistence-pickup   : disable
l4-session-pickup       : disable
monitor                 :
config system interface
Use this command to configure network interfaces.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system interface
edit <name>
set allowaccess {http https ping snmp ssh telnet}
set ip <ip&netmask>
set ip6 <ip&netmask>
set mac-addr <xx:xx:xx:xx:xx:xx>
set mode {static|pppoe}
set disc-retry-timeout <integer>
set dns-server-override {enable|disable}
set idle-timeout <integer>
set lcp-echo-interval <integer>
set lcp-max-echo-fails <integer>
set pppoe-default-gateway {enable|disable}
set username <string>
set password <passwd>
set mtu <integer>
set speed {10full | 10half | 100full | 100half | 1000full | 1000half | auto}
set status {down | up}
set vdom <datasource>
set type {vlan|aggregate}
set vlanid <integer>
set interface <datasource>
set aggregate-algorithm {layer2 | layer2-3 | layer3-4}
set aggregate-mode {802.3ad | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast}
set member <datasource>
set secondary-ip {enable|disable}
config secondary-ip-list
edit <No.>
set allowaccess {http https ping snmp ssh telnet}
set ip <ip&netmask>
next
end
config ha-node-ip-list
edit <No.>
set ip <ip&netmask>
set node <integer>
next
end
next
end
allowaccess
Allow inbound service traffic. Select from the following options:
• HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
• HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
• Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).
• SNMP—Enables SNMP queries to this network interface.
• SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
• Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
mac-addr
The MAC address is read from the interface. If necessary, you can set the MAC address.
mtu
The default is 1500. We recommend you maintain the default.
speed
Select one of the following speed/duplex settings:
• Auto—Speed and duplex are negotiated automatically. Recommended.
• 10half—10 Mbps, half duplex.
• 10full—10 Mbps, full duplex.
• 100half—100 Mbps, half duplex.
• 100full—100 Mbps, full duplex.
• 1000half—1000 Mbps, half duplex.
• 1000full—1000 Mbps, full duplex.
status
This Status column is not the detected physical link status; it is the administrative status
(Up/Down) that indicates whether you permit the network interface to receive and/or
transmit packets.
vdom
If applicable, select the virtual domain to which the configuration applies.
mode
• Static—Specify a static IP address. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet (i.e. overlapping subnets).
• PPPoE—Use PPPoE to retrieve a configuration for the IP address, gateway, and DNS server. For example, if this interface uses a DSL connection to the Internet, your ISP may require this option.
type
If you are editing the configuration for a physical interface, you cannot set the type.
If you are configuring a logical interface, you can select from the following options:
• Aggregate—A logical interface you create to support the aggregation of multiple physical interfaces.
• VLAN—A logical interface you create to support VLAN subinterfaces on a single physical interface.
set mode static
ip
Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ),
such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.
ip6
Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ),
such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are
not accepted.
set mode pppoe
disc-retry-timeout
Seconds the system waits before it retries to discover the PPPoE server.
dns-server-override
Use the DNS addresses retrieved from the PPPoE server instead of the one configured in
the FortiADC system settings.
idle-timeout
Disconnect after idle timeout in seconds. The default is 0. The valid range is 0 to 32,000.
lcp-echo-interval
LCP echo interval in seconds. The default is 5. The valid range is 1 to 255.
lcp-max-echo-fails
Maximum missed LCP echo messages before disconnect. The default is 3. The valid range
is 1 to 255.
pppoe-default-gateway
Use the default gateway retrieved from the PPPoE server instead of the one configured in the FortiADC system settings.
username
PPPoE account user name.
password
PPPoE account password.
set type vlan
vlanid
VLAN ID of packets that belong to this VLAN.
If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create
multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
If multiple different physical network ports will handle the same VLANs, on each of the ports,
create VLAN subinterfaces that have the same VLAN IDs.
The valid range is between 1 and 4094. The value you specify must match the VLAN ID
added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.
interface
Physical interface associated with the VLAN; for example, port2.
set type aggregate
aggregate-algorithm
Connectivity layers that will be considered when distributing frames among the aggregated physical ports:
• Layer 2
• Layer 2-3
• Layer 3-4
aggregate-mode
Link aggregation type:
• 802.3ad
• Balance-alb
• Balance-rr
• Balance-tlb
• Balance-xor
• Broadcast
member
Select the physical interfaces that are included in the aggregation.
config secondary-ip-list
allowaccess
Allow inbound service traffic. Select from the following options:
• HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
• HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
• Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).
• SNMP—Enables SNMP queries to this network interface.
• SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
• Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
ip
Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you assign multiple IP addresses to an interface, you must assign them static addresses.
To add secondary IP addresses, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add secondary IP addresses and enable inbound traffic to that address.
config ha-node-ip-list
ip
You use the HA node IP list configuration in an HA active-active deployment. For each HA
cluster node, configure an HA node IP list that includes an entry for each cluster node.
When the appliance is in standalone mode, it uses the physical port IP address; when it is in
HA mode, it uses the HA node IP address.
For each address, specify an IP address using the CIDR-formatted subnet mask, separated
by a forward slash ( / ), such as 192.0.2.5/24.
node
ID of the corresponding node.
Example
The following example configures port1 (the management interface):
FortiADC-VM # get system interface port1
type             : physical
mode             : static
vdom             : root
redundant-master :
ip               : 192.168.1.99/24
ip6              : ::/0
allowaccess      : https ping ssh snmp http telnet
mtu              : 1500
speed            : auto
status           : up
mac-addr         : 00:0c:29:e8:a0:86
secondary-ip     : enable
FortiADC-VM # config system interface
FortiADC-VM (interface) # edit port1
FortiADC-VM (port1) # set ip 192.0.2.5/24
FortiADC-VM (port1) # end
FortiADC-VM # get system interface port1
type             : physical
mode             : static
vdom             : root
redundant-master :
ip               : 192.0.2.5/24
ip6              : ::/0
allowaccess      : https ping ssh snmp http telnet
mtu              : 1500
speed            : auto
status           : up
mac-addr         : 00:0c:29:e8:a0:86
secondary-ip     : enable
The following example configures vlan interfaces on port7:
FortiADC-VM # config system interface
FortiADC-VM (interface) # edit vlan102
Add new entry 'vlan102' for node 1
FortiADC-VM (vlan102) # set type vlan
FortiADC-VM (vlan102) # set vlanid 102
FortiADC-VM (vlan102) # set ip 10.10.100.102/32
FortiADC-VM (vlan102) # set interface port7
FortiADC-VM (vlan102) # next
FortiADC-VM (interface) # edit vlan103
Add new entry 'vland103' for node 1
FortiADC-VM (vland103) # set type vlan
FortiADC-VM (vland103) # set vlanid 103
FortiADC-VM (vland103) # set ip 10.10.103.102/32
FortiADC-VM (vland103) # set interface port7
FortiADC-VM (vland103) # end
FortiADC-VM # get system interface
== [ vlan102 ]
type: vlan
vdom: root
redundant-master: 0
ip: 10.10.100.102/32
ip6: ::/0
allowaccess:
status: up
interface: port7
== [ vlan103 ]
type: vlan
vdom: root
redundant-master: 0
ip: 10.10.103.102/32
ip6: ::/0
allowaccess:
status: up
interface: port7
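The allowaccess description above recommends HTTPS over HTTP and SSH over Telnet. The following added example (not part of the FortiADC CLI Reference and not Fortinet code) parses the "== [ name ]" block layout that get system interface prints, flags interfaces that still allow http or telnet, and builds the config system interface commands that drop them while keeping the other services. The sample output is constructed; that set allowaccess replaces the whole service list is an assumption.

```python
"""Audit FortiADC 'get system interface' output for risky management access.

Added example, not part of the FortiADC CLI Reference and not Fortinet code.
It parses the '== [ name ]' block format shown in the reference's examples and
flags interfaces whose 'allowaccess' includes services the reference recommends
only on trusted networks (http, telnet). The sample output below is constructed.
"""
import re

# Services the reference recommends only for trusted private networks,
# each mapped to the alternative the reference recommends instead.
RISKY_SERVICES = {"http": "https", "telnet": "ssh"}

# Constructed sample in the same layout as 'get system interface' output.
SAMPLE_OUTPUT = """\
== [ port1 ]
type: physical
vdom: root
ip: 192.0.2.5/24
ip6: ::/0
allowaccess: https ping ssh snmp http telnet
status: up
== [ vlan102 ]
type: vlan
vdom: root
ip: 10.10.100.102/32
ip6: ::/0
allowaccess:
status: up
interface: port7
== [ port2 ]
type: physical
vdom: root
ip: 198.51.100.10/24
ip6: ::/0
allowaccess: https ssh
status: up
"""

BLOCK_HEADER = re.compile(r"^==\s*\[\s*(?P<name>\S+)\s*\]\s*$")


def parse_interfaces(text):
    """Return {interface_name: {field: value}} from '== [ name ]' blocks.

    Only the first ':' splits a line, so IPv6 values such as '::/0' survive;
    an empty 'allowaccess:' line becomes ''.
    """
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BLOCK_HEADER.match(line)
        if m:
            current = {}
            interfaces[m.group("name")] = current
            continue
        if current is None or ":" not in line:
            continue  # text before the first block, or not a field line
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return interfaces


def audit_allowaccess(interfaces):
    """Return sorted (interface, risky_service, recommended_alternative) tuples."""
    findings = []
    for name, fields in interfaces.items():
        services = set(fields.get("allowaccess", "").split())
        for svc in sorted(services & set(RISKY_SERVICES)):
            findings.append((name, svc, RISKY_SERVICES[svc]))
    return sorted(findings)


def remediation_commands(findings, interfaces):
    """Build 'config system interface' commands that drop the flagged services.

    Assumption: 'set allowaccess' replaces the whole list, so every other
    service already on the interface is repeated to keep it enabled.
    """
    lines = ["config system interface"]
    for name in sorted({f[0] for f in findings}):
        keep = [s for s in interfaces[name]["allowaccess"].split()
                if s not in RISKY_SERVICES]
        lines += [f"    edit {name}",
                  f"        set allowaccess {' '.join(keep)}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_OUTPUT)
    for name, svc, alt in audit_allowaccess(ifaces):
        print(f"{name}: '{svc}' allowed; reference recommends {alt} instead")
    print(remediation_commands(audit_allowaccess(ifaces), ifaces))
```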
config system mailserver
Use this command to configure an SMTP email server if you want to send notifications by email.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system mailserver
set address <string>
set port <integer>
set smtp-auth {enable|disable}
set username <string>
set password <passwd>
end
address
IP address or FQDN of an SMTP server (such as FortiMail) or email server that the appliance can
connect to in order to send alerts and/or generated reports.
port
Listening port number of the server. Usually, SMTP is 25.
smtp-auth
Enable if the SMTP server requires authentication.
username
Username for authentication to the SMTP server.
password
Password for authentication to the SMTP server.
Example
FortiADC-VM # get system mailserver
address   :
port      : 25
smtp-auth : enable
username  :
password  : *
FortiADC-VM # config system mailserver
FortiADC-VM (mailserver) # set address 192.168.1.125
FortiADC-VM (mailserver) # set username admin
FortiADC-VM (mailserver) # set password strongpass
FortiADC-VM (mailserver) # end
FortiADC-VM # get system mailserver
address   : 192.168.1.125
port      : 25
smtp-auth : enable
username  : admin
password  : *
config system password-policy
Use this command to set requirements for administrator passwords.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system password-policy
set status {enable|disable}
set apply-to admin-user
set minimum-length <integer>
set must-contain {lower-case-letter non-alphanumeric number upper-case-letter}
end
status
Enable/disable password requirements.
apply-to
admin-user: Apply the policy to all admin users.
minimum-length
Specify a minimum length. The default is 8.
must-contain
Specify character requirements.
Example
FortiADC-VM # get system password-policy
status : disable
FortiADC-VM # config system password-policy
FortiADC-VM (password-policy) # set status enable
FortiADC-VM (password-policy) # end
FortiADC-VM # get system password-policy
status         : enable
apply-to       : admin-user
minimum-length : 8
must-contain   :
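As an added example (not part of the FortiADC CLI Reference and not Fortinet code), the following script parses get system password-policy output into the status, minimum-length and must-contain settings described above and checks candidate administrator passwords against them. How the appliance itself evaluates the policy is not shown in the reference; the sample policy output and the character-class tests are this example's own assumptions.

```python
"""Check candidate administrator passwords against a FortiADC-style
'config system password-policy' setting.

Added example, not part of the FortiADC CLI Reference and not Fortinet code.
The policy fields mirror the command's settings: status, minimum-length and
the must-contain classes (lower-case-letter, non-alphanumeric, number,
upper-case-letter). The appliance's own evaluation is not documented here;
this is an independent pre-check a reviewer can run before setting a password.
"""

# Character-class tests for the names accepted by the must-contain option
# (assumed interpretation: at least one character of each listed class).
CLASS_TESTS = {
    "lower-case-letter": str.islower,
    "upper-case-letter": str.isupper,
    "number": str.isdigit,
    "non-alphanumeric": lambda c: not c.isalnum(),
}

# Constructed sample in the 'field : value' layout of
# 'get system password-policy' output, with all four classes required.
SAMPLE_POLICY = """\
status         : enable
apply-to       : admin-user
minimum-length : 12
must-contain   : lower-case-letter non-alphanumeric number upper-case-letter
"""


def parse_policy(output):
    """Parse 'get system password-policy' output into a dict.

    Defaults match the reference: status disabled, minimum-length 8, and an
    empty must-contain (no character-class requirement).
    """
    policy = {"status": "disable", "minimum-length": 8, "must-contain": set()}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "minimum-length":
            policy[key] = int(value)
        elif key == "must-contain":
            unknown = set(value.split()) - set(CLASS_TESTS)
            if unknown:
                raise ValueError(f"unknown must-contain class(es): {sorted(unknown)}")
            policy[key] = set(value.split())
        elif key in ("status", "apply-to"):
            policy[key] = value
    return policy


def check_password(password, policy):
    """Return the list of violated requirements; an empty list means compliant.

    A policy whose status is not 'enable' imposes no requirements.
    """
    if policy.get("status") != "enable":
        return []
    problems = []
    if len(password) < policy["minimum-length"]:
        problems.append(f"shorter than minimum-length {policy['minimum-length']}")
    # Class names are checked in sorted order so the report is deterministic.
    for cls in sorted(policy["must-contain"]):
        if not any(CLASS_TESTS[cls](c) for c in password):
            problems.append(f"missing {cls}")
    return problems


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for candidate in ("password", "Tr0ub4dor&3x"):
        verdict = check_password(candidate, policy) or ["compliant"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```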
config system schedule-group
Use this command to create schedule objects to use in link load balancing policies. A policy rule can be time-bound: one
time, daily, weekly, or monthly.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system schedule-group
edit <name>
config schedule-member <No.>
edit <name>
set type {daily-recurring | monthly-recurring | one-time | weekly-recurring}
set endtime-of-enddate <string>
set starttime-of-startdate <string>
set day-of-month <integer>
set enddate <string>
set startdate <string>
set day-of-week {friday | monday | saturday | thursday | tuesday | wednesday}
next
end
next
end
type
• One Time
• Daily
• Weekly
• Monthly
endtime-of-enddate
HH:MM.
starttime-of-startdate
HH:MM.
day-of-month
1 - 31.
enddate
YYYY/MM/DD.
startdate
YYYY/MM/DD.
day-of-week
Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday.
config system snmp community
Use this command to configure SNMP community settings.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system snmp community
edit <No.>
set name <string>
set queryportv1 <integer>
set queryportv2c <integer>
set queryv1-status {enable|disable}
set queryv2c-status {enable|disable}
set status {enable|disable}
set trapevent {cpu logdisk mem}
set trapportv1-local <integer>
set trapportv1-remote <integer>
set trapportv2c-local <integer>
set trapportv2c-remote <integer>
set trapv1-status {enable|disable}
set trapv2c-status {enable|disable}
next
end
name
Name of the SNMP community to which the FortiADC system and at least one SNMP manager belongs, such as management.
You must configure the FortiADC system to belong to at least one SNMP community so that community’s SNMP managers can query system information and receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different configuration for queries and traps, and the set of events that trigger a trap. You can also add the IP addresses of up to eight SNMP managers to each community to designate the destination of traps and which IP addresses are permitted to query the FortiADC system.
queryportv1
Port number on which the system listens for SNMP queries from the SNMP managers in this
community. The default is 161.
queryportv2c
Port number on which the system listens for SNMP queries from the SNMP managers in this
community. The default is 161.
queryv1-status
Enable/disable SNMP v1 queries.
queryv2c-status
Enable/disable SNMP v2 queries.
status
Enable/disable the configuration.
trapevent
Specify trap events:
• CPU—CPU usage has exceeded 80%.
• Memory—Memory (RAM) usage has exceeded 80%.
• Log disk usage—Disk space usage for the log partition or disk has exceeded 90%.
trapportv1-local
Source (Local) port number for trap packets sent to SNMP managers in this community. The
default is 162.
trapportv1-remote
Destination (Remote) port number for trap packets sent to SNMP managers in this
community. The default is 162.
trapportv2c-local
Source (Local) port number for trap packets sent to SNMP managers in this community. The
default is 162.
trapportv2c-remote
Destination (Remote) port number for trap packets sent to SNMP managers in this
community. The default is 162.
trapv1-status
Enable/disable SNMP v1 traps.
trapv2c-status
Enable/disable SNMP v2 traps.
Example
FortiADC-VM # config system snmp community
FortiADC-VM (community) # edit 1
FortiADC-VM (1) # set queryv2c-status enable
FortiADC-VM (1) # set trapv2c-status enable
FortiADC-VM (1) # set status enable
FortiADC-VM (1) # end
FortiADC-VM # get system snmp community 1
name               : community1
status             : enable
queryv1-status     : disable
queryportv1        : 161
queryv2c-status    : enable
queryportv2c       : 161
trapv1-status      : disable
trapportv1-local   : 162
trapportv1-remote  : 162
trapv2c-status     : enable
trapportv2c-local  : 162
trapportv2c-remote : 162
trapevent          : cpu mem logdisk
config system snmp sysinfo
Use this command to configure SNMP settings.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system snmp sysinfo
set contact <string>
set description <string>
set location <string>
set status {enable|disable}
end
contact
Contact information for the administrator or other person responsible for this system, such as a
phone number (555-5555) or name (jdoe). The contact information can be up to 35 characters
long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
description
A description or comment about the system, such as dont-reboot. The description can be up to
35 characters long, and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and
underscores ( _ ).
location
Physical location of the appliance, such as floor2. The location can be up to 35 characters long,
and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and underscores ( _ ).
status
Enable/disable the SNMP agent, so that the system can send traps and receive queries.
Example
FortiADC-VM # get system snmp sysinfo
status      : disable
description :
location    :
contact     :
FortiADC-VM # config system snmp sysinfo
FortiADC-VM (sysinfo) # set status enable
FortiADC-VM (sysinfo) # end
FortiADC-VM # get system snmp sysinfo
status      : enable
description :
location    :
contact     :
config system snmp threshold
Use this command to manage SNMP thresholds.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system snmp threshold
set cpu {<value> <value> <value> <value>}
set logdisk {<value> <value> <value> <value>}
set mem {<value> <value> <value> <value>}
end
cpu
The command takes 4 values:
• Trigger—The default is 80% utilization.
• Threshold—The default is 3, meaning the event is reported when the condition has been triggered 3 times in a short period.
• Sample Period—The default is 600 seconds.
• Sample Frequency—The default is 30 seconds.
logdisk
The command takes 4 values:
• Trigger—The default is 90% utilization.
• Threshold—The default is 1, meaning the event is reported each time the condition is triggered.
• Sample Period—The default is 7200 seconds.
• Sample Frequency—The default is 3600 seconds.
mem
The command takes 4 values:
• Trigger—The default is 80% utilization.
• Threshold—The default is 3, meaning the event is reported when the condition has been triggered 3 times in a short period.
• Sample Period—The default is 600 seconds.
• Sample Frequency—The default is 30 seconds.
Example
FortiADC-VM # get system snmp threshold
cpu     : 80 3 600 30
mem     : 80 3 600 30
logdisk : 90 1 7200 3600
FortiADC-VM # config system snmp threshold
FortiADC-VM (threshold) # set logdisk 50 1 7200 3600
FortiADC-VM (threshold) # end
FortiADC-VM # get system snmp threshold
cpu     : 80 3 600 30
mem     : 80 3 600 30
logdisk : 50 1 7200 3600
config system snmp user
Use this command to manage SNMP settings.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system snmp user
edit <name>
set query-status {enable|disable}
set queryport <integer>
set security-level {authnopriv | authpriv | noauthnopriv}
set auth-proto {sha1|md5}
set auth-pwd <passwd>
set priv-proto {aes|des}
set priv-pwd <passwd>
set status {enable|disable}
set trap-status {enable|disable}
set trapevent {cpu ha ip-change logdisk mem raid remote-storage system}
set trapport-local <integer>
set trapport-remote <integer>
config host
edit <name>
set ip <class_ip>
next
end
next
end
query-status
Enable/disable SNMP queries.
queryport
Port number on which the system listens for SNMP queries from the SNMP managers in this
community. The default is 161.
security-level
• authnopriv—Authenticated but unencrypted.
• authpriv—Authenticated and encrypted.
• noauthnopriv—Unauthenticated and unencrypted.
auth-proto
• SHA1
• MD5
auth-pwd
Passphrase used to generate the key.
priv-proto
• AES
• DES
priv-pwd
Passphrase used to generate the key.
status
Enable/disable the user configuration.
trap-status
Enable/disable SNMP traps.
trapevent
Specify trap events:
• CPU—CPU usage has exceeded 80%.
• Memory—Memory (RAM) usage has exceeded 80%.
• Log disk usage—Disk space usage for the log partition or disk has exceeded 90%.
• System—System events.
• RAID—
• HA—HA events.
• Remote-Storage—
trapport-local
Source (Local) port number for trap packets sent to SNMP managers in this community. The default is 162.
trapport-remote
Destination (Remote) port number for trap packets sent to SNMP managers in this community. The default is 162.
config host
ip
IP address of the SNMP manager to receive traps and be permitted to query the FortiADC system.
SNMP managers have read-only access. You can add up to 8 SNMP managers to each community.
To allow any IP address using this SNMP community name to query the FortiADC system, enter
0.0.0.0. For security best practice reasons, however, this is not recommended.
Caution: The system sends security-sensitive traps, which should be sent only over a trusted
network, and only to administrative equipment.
Note: If there are no other host IP entries, entering only 0.0.0.0 effectively disables traps
because there is no specific destination for trap packets. If you do not want to disable traps,
you must add at least one other entry that specifies the IP address of an SNMP manager.
Example
FortiADC-VM # config system snmp user
FortiADC-VM (user) # edit docs
Add new entry 'docs' for node 1152
FortiADC-VM (docs) # set status enable
FortiADC-VM (docs) # end
FortiADC-VM # get system snmp user docs
status          : enable
security-level  :
query-status    : disable
queryport       : 161
trap-status     : disable
trapport-local  : 162
trapport-remote : 162
trapevent       : cpu mem logdisk system raid ha remote-storage
config system tcpdump
This configuration is for the tcpdump utility in the Web UI. The configuration saves TCP dump commands and filter
expressions so that they can be re-run from the Web UI. The CLI supports its own tcpdump service. See execute
tcpdump/tcpdump6.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system tcpdump
edit <No.>
set host <ip&netmask>
set interface <datasource>
set logtraffic {enable|disable}
set max-packet-count <integer>
set port <integer>
set protocol {arp icmp tcp udp}
set specified-protocol {enable|disable}
set status {enable|disable}
end
host
IP address for the interface used for tcpdump.
interface
Interface to use for tcpdump.
logtraffic
Enable/disable event logs about using tcpdump.
max-packet-count
Maximum number of packets to capture.
port
Port to use for tcpdump.
protocol
Specify the protocol traffic to capture.
specified-protocol
Enable/disable the protocol option.
status
Enable/disable the configuration.
Example
FortiADC-VM # config system tcpdump
FortiADC-VM (tcpdump) # edit 1
Add new entry '1' for node 2725
FortiADC-VM (1) # set interface port1
FortiADC-VM (1) # set status enable
FortiADC-VM (1) # set max-packet-count 5
FortiADC-VM (1) # end
FortiADC-VM # get system tcpdump 1
interface          : port1
status             : enable
logtraffic         : enable
ipv6               : disable
host               :
port               :
specified-protocol : disable
max-packet-count   : 5
config system time manual
Use this command to manage system time.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system time manual
set daylight-saving-time {enable|disable}
set zone <0-71>
next
end
daylight-saving-time
Enable if you want the system to adjust its own clock when its time zone changes
between daylight saving time (DST) and standard time.
zone
Specify the code number for the time zone where the appliance is located.
Example
FortiADC-VM # get system time manual
daylight-saving-time : enable
zone                 : 4
See also
• execute date
config system time ntp
Use this command to manage the connection to an NTP server.
Before you begin:
• You must have read-write permission for system settings.
Syntax
config system time ntp
set ntpsync {enable|disable}
set ntpserver <string>
set syncinterval <integer>
end
ntpsync
Enable/disable use of NTP.
ntpserver
Specify the IP address or domain name of an NTP server or pool, such as pool.ntp.org.
To find an NTP server, go to http://www.ntp.org.
syncinterval
Specify how often the system synchronizes its time with the NTP server, in minutes. The default is
60. The valid range is 1-1440.
Example
FortiADC-VM # get system time ntp
ntpsync      : disable
FortiADC-VM # config system time ntp
FortiADC-VM (ntp) # set ntpsync enable
FortiADC-VM (ntp) # end
FortiADC-VM # get system time ntp
ntpsync      : enable
ntpserver    : pool.ntp.org
syncinterval : 60
config user
The config user commands configure administrator authentication against LDAP or RADIUS servers.
This chapter is a reference for the following commands:
config user ldap
config user radius
config user ldap
Use this command to configure a connection to an LDAP server that can authenticate administrator logins.
Basic steps:
1. Create an LDAP authentication server configuration.
2. Select the LDAP server configuration when you add administrator users.
Before you begin:
• You must know the IP address and port used to access the LDAP server. You must know the CN and DN where user credentials are stored on the LDAP server.
• You must have read-write permission for system settings.
Syntax
config system ldap
edit <name>
set cnid <string>
set dn <string>
set port <integer>
set server <string>
set vdom <datasource>
next
end
cnid
Common name (cn) attribute for the LDAP record. For example: cn
dn
Distinguished name (dn) attribute for the LDAP record. For example:
cn=John%20Doe,dc=example,dc=com
port
Port number for the server. The commonly used port for LDAP is 389.
server
IP address for the server.
vdom
If applicable, specify the virtual domain to which the authentication server belongs.
config user radius
Use this command to configure a connection to a RADIUS server that can authenticate administrator logins.
Basic steps:
1. Create a RADIUS authentication server configuration.
2. Select the RADIUS server configuration when you add administrator users.
Before you begin:
• You must know the IP address, port, authentication protocol, and shared secret used to access the RADIUS server.
• You must have read-write permission for system settings.
Syntax
config system radius
edit <name>
set auth-type {chap|ms_chap|ms_chapv2|pap}
set port <integer>
set secret <passwd>
set server <string>
set vdom <datasource>
next
end
auth-type
• chap—Challenge-Handshake Authentication Protocol.
• ms_chap—Microsoft version of CHAP.
• ms_chapv2—Microsoft version of CHAP, version 2.
• pap—Password authentication protocol.
port
Port number for the server. The commonly used port for RADIUS is 1812.
secret
Shared secret string used when connecting to the server.
server
IP address for the server.
vdom
If applicable, specify the virtual domain to which the authentication server belongs.
diagnose
The diagnose commands display diagnostic information that can help you troubleshoot problems. These commands do
not have an equivalent in the web UI.
This chapter is a reference for the following commands:
diagnose debug application
diagnose debug cli
diagnose debug enable
diagnose debug info
diagnose debug kernel
diagnose hardware deviceinfo
diagnose hardware ioport
diagnose hardware pciconfig
diagnose hardware sysinfo
diagnose netlink backlog
diagnose netlink device
diagnose netlink interface
diagnose netlink ip/ipv6
diagnose netlink neighbor/neighbor6
diagnose netlink route/route6
diagnose netlink tcp
diagnose netlink udp
diagnose sniffer packet
diagnose system top
diagnose system vmware
diagnose debug application
Use this command to set the debug level for application daemons.
Syntax
diagnose debug application {alertmaild | cmdb_event | crlupdated | dnsproxy | flg_accessd
| flg_indexd | flg_reportd | gdns | haproxy | hasyncd | healthcheckd | info_centerd |
kernelconfd | lb | llb | miglogd | netd | ntpd | ospfd | rtmd | snmpd | sshd | synconf |
udproxy | updated} {<Enter>|<level>}
alertmaild
Get/set the debug level for alertmaild daemon.
cmdb_event
Get/set the debug level for cmdb_event daemon.
crlupdated
Get/set the debug level for crlupdated daemon.
dnsproxy
Get/set the debug level for dnsproxy daemon.
flg_accessd
Get/set the debug level for flg_accessd daemon.
flg_indexd
Get/set the debug level for flg_indexd daemon.
flg_reportd
Get/set the debug level for flg_reportd daemon.
gdns
Get/set the debug level for gdns daemon.
haproxy
Get/set the debug level for haproxy daemon.
hasyncd
Get/set the debug level for hasyncd daemon.
healthcheckd
Get/set the debug level for healthcheckd daemon.
info_centerd
Get/set the debug level for info_centerd daemon.
kernelconfd
Get/set the debug level for kernelconfd daemon.
lb
Get/set the debug level for lb daemon.
llb
Get/set the debug level for llb daemon.
miglogd
Get/set the debug level for miglogd daemon.
netd
Get/set the debug level for netd daemon.
ntpd
Get/set the debug level for ntpd daemon.
ospfd
Get/set the debug level for ospfd daemon.
rtmd
Get/set the debug level for rtmd daemon.
snmpd
Get/set the debug level for snmpd daemon.
sshd
Get/set the debug level for sshd daemon.
synconf
Get/set the debug level for synconf daemon.
udproxy
Get/set the debug level for udproxy daemon.
updated
Get/set the debug level for update daemon.
<Enter>
If you do not specify a debug level and press Enter, the command displays the current debug level.
<level>
<level> is a mask. Valid levels are the following values added together: 1 - error message, 2 - main
event, 4 - config event, 8 - file sync message, 16 - hb message, 31 - start all. For example, 3 means
error messages and main events.
Example
FortiADC-VM # diagnose debug application ?
alertmaild      set/get debug level for alertmaild daemon
cmdb_event      set/get debug level for cmdb event
crlupdated      set/get debug level for crlupdated daemon
dnsproxy        set/get debug level for dnsproxy daemon
flg_accessd     set/get debug level for flg_accessd daemon
flg_indexd      set/get debug level for flg_indexd daemon
flg_reportd     set/get debug level for flg_reportd daemon
gdns            set/get debug level for gdns daemon
haproxy         set/get debug level for haproxy daemon
hasyncd         set/get debug level for HA synchronisation events
healthcheckd    set/get debug level for healthcheck daemon
info_centerd    set/get debug level for info_centerd daemon
kernelconfd     set/get debug level for L4 kernelconf daemon
lb              set/get debug level for lb daemon
llb             set/get debug level for llb daemon
miglogd         set/get debug level for miglogd events
netd            set/get debug level for netd events
ntpd            set/get debug level for ntpd daemon
ospfd           set/get debug level for ospfd daemon
rtmd            set/get debug level for rtmd daemon
snmpd           set/get debug level for snmp daemon
sshd            set/get debug level for sshd daemon
synconf         set/get debug level for synconf daemon
udproxy         set/get debug level for udproxy daemon
updated         set/get debug level for updated daemon
FortiADC-VM # diagnose debug application lb ?
<level>
set/get debug level for lb daemon
FortiADC-VM # diagnose debug application lb
lb debug level is 0
FortiADC-VM # diagnose debug application lb 3
FortiADC-VM # diagnose debug application lb
lb debug level is 3
diagnose debug cli
Use this command to set the debug level for CLI commands. The debug messages are returned when you enter CLI
commands.
Syntax
diagnose debug cli {<Enter>|<level>}
<Enter>
If you do not specify a debug level and press Enter, the command displays the current debug level.
<level>
Valid range is 0 to 8, where 0 disables debug logs and 8 generates the most verbose logging.
Example
FortiADC-VM # diagnose debug cli 8
After you set the debug level, messages are written to the CLI when you enter commands:
FortiADC-VM # config system interface
FortiADC-VM (interface) # edit 2
Add new entry '2' for node 1
FortiADC-VM (2) # set ip 123
set attribute [4]ip
invalid ip address/mask 123.
data converting failed 4
Command fail. Return code is -39
FortiADC-VM (2) # end
attribute 'type' must be set
fgtlog: added a new entry '2' failed (-56) for "system interface"
Command fail. Return code is -56
FortiADC-VM #
diagnose debug enable
Use this command to turn debug log output on or off.
Debug logging can be very resource intensive. To minimize the performance impact on your system,
use debugging only during periods of minimal traffic, with a local console CLI connection rather than a
Telnet or SSH CLI connection. Disable debugging when you are finished.
By default, the most verbose logging that is available from the web UI for any log type is the Information severity level.
Due to their usually unnecessary nature, logs at the severity level of Debug are disabled and hidden. They can only be
enabled and viewed from the CLI. Typically this is done only if your configuration seems to be correct, you cannot
diagnose the problem without more information, and possibly suspect that you may have found either a hardware failure
or software bug.
To generate debug logs, you must:
1. Set the verbosity level for the specific module whose debugging information you want to view, via a debug log
command such as:
debug application hasyncd 5
2. Enable debug logs overall. To do this, enter:
diagnose debug enable
3. View the debug logs. For convenience, debugging logs are immediately output to your local console display or
terminal emulator, but debug log files can also be uploaded to a server. For more complex issues or bugs, this may be
required in order to send debug information to Fortinet Technical Support.
Debug logs will be generated only if the application is running. To verify the application is running, use
diagnose system top.
4. The CLI displays debug logs as they occur until you disable it by entering:
diagnose debug disable
• Close your terminal emulator, thereby ending your administrative session.
• Send a termination signal to the console by pressing Ctrl+C.
• Reboot the appliance. To do this, you can use the command:
execute reboot
Syntax
diagnose debug {enable|disable}
debug {enable|disable}
Select whether to enable or disable recording of logs at the debug severity level.
diagnose debug info
Use this command to display a list of debug log settings.
Syntax
diagnose debug info
Example
FortiADC-VM # diagnose debug info
debug output: disable
kernel debug level: 0 (0x0)
cli/cmdb debug level: 0 (0x0)
cmdb_event debug level: 0 (0x0)
gdns debug level: 0 (0x0)
kernelconfd debug level: 0 (0x0)
info_centerd debug level: 0 (0x0)
hasyncd debug level: 0 (0x0)
updated debug level: 0 (0x0)
miglogd debug level: 0 (0x0)
sshd debug level: 0 (0x0)
healthcheckd debug level: 2 (0x2)
netd debug level: 0 (0x0)
lb debug level: 0 (0x0)
udproxyd debug level: 0 (0x0)
haproxyd debug level: 0 (0x0)
dnsproxyd debug level: 0 (0x0)
alertmaild debug level: 0 (0x0)
synconf debug level: 0 (0x0)
ntpd debug level: 0 (0x0)
crlupdated debug level: 0 (0x0)
snmpd debug level: 0 (0x0)
flg_indexd debug level: 0 (0x0)
flg_reportd debug level: 0 (0x0)
flg_accessd debug level: 0 (0x0)
rtmd debug level: 0 (0x0)
ospfd debug level: 0 (0x0)
llb debug level: 0 (0x0)
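Because debug logging is resource intensive and is meant to be switched off once troubleshooting ends, a practical check is to read the output of diagnose debug info and report every daemon whose level is still nonzero, decoding application levels with the bit mask documented for diagnose debug application (1 error message, 2 main event, 4 config event, 8 file sync message, 16 hb message; 31 starts all). The following Python helper is an added example, not FortiADC code; the sample text is constructed from the output shown above, and the treatment of the kernel and cli/cmdb entries as plain 0-8 verbosity values rather than masks follows the descriptions of diagnose debug kernel and diagnose debug cli in this chapter.

```python
"""Audit `diagnose debug info` output for debug levels left enabled (added example)."""
import re

# Bit values of the <level> mask documented for `diagnose debug application`.
LEVEL_BITS = {
    1: "error message",
    2: "main event",
    4: "config event",
    8: "file sync message",
    16: "hb message",
}
ALL_BITS = sum(LEVEL_BITS)  # 31, documented as "start all"

# Entries whose level is a 0-8 verbosity value, not a bit mask
# (`diagnose debug kernel` and `diagnose debug cli`).
SCALAR_LEVELS = {"kernel", "cli/cmdb"}

LINE_RE = re.compile(
    r"^(?P<name>[\w/]+) debug level: (?P<dec>\d+) \(0x(?P<hex>[0-9a-fA-F]+)\)$"
)

# Constructed sample, trimmed from the `diagnose debug info` output on this page.
SAMPLE = """debug output: disable
kernel debug level: 0 (0x0)
cli/cmdb debug level: 0 (0x0)
cmdb_event debug level: 0 (0x0)
healthcheckd debug level: 2 (0x2)
lb debug level: 0 (0x0)
"""


def encode_level(*flags):
    """Build a mask from flag names, e.g. ("error message", "main event") -> 3."""
    by_name = {name: bit for bit, name in LEVEL_BITS.items()}
    mask = 0
    for flag in flags:
        mask |= by_name[flag]  # KeyError on an unknown flag name is intentional
    return mask


def decode_level(mask):
    """Return the flag names contained in a mask; reject values outside 0-31."""
    if not 0 <= mask <= ALL_BITS:
        raise ValueError(f"mask {mask} outside documented range 0-{ALL_BITS}")
    return [name for bit, name in LEVEL_BITS.items() if mask & bit]


def parse_debug_info(text):
    """Parse `diagnose debug info` into {"output_enabled": bool, "levels": {name: int}}."""
    levels = {}
    output_enabled = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("debug output:"):
            output_enabled = line.split(":", 1)[1].strip() == "enable"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        dec, hx = int(m["dec"]), int(m["hex"], 16)
        if dec != hx:  # the decimal and hex columns must agree
            raise ValueError(f"inconsistent level on line: {line}")
        levels[m["name"]] = dec
    return {"output_enabled": output_enabled, "levels": levels}


def leftover_debug(text):
    """Daemons whose debug level is nonzero, with the level decoded for the operator."""
    found = {}
    for daemon, level in parse_debug_info(text)["levels"].items():
        if level == 0:
            continue
        if daemon in SCALAR_LEVELS:
            found[daemon] = [f"verbosity {level}"]
        else:
            found[daemon] = decode_level(level)
    return found


if __name__ == "__main__":
    for daemon, flags in leftover_debug(SAMPLE).items():
        print(f"{daemon}: {', '.join(flags)}")
```

Run against a saved copy of the command output, the report lists only what still needs to be reset to 0 before the session ends; the inconsistency check on the decimal and hex columns guards against a truncated or mangled capture being audited as if it were clean.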
diagnose debug kernel
Use this command to set the debug log level for kernel debugging. When enabled, kernel errors are printed to the screen.
Syntax
diagnose debug kernel {<Enter>|<level>}
<Enter>
If you do not specify a debug level and press Enter, the command displays the current debug level.
<level>
Valid range is 0 to 8, where 0 disables debug logs and 8 generates the most verbose logging.
Example
FortiADC-VM # diagnose debug kernel ?
<Integer>
debug level (0-8).
FortiADC-VM # diagnose debug kernel 5
FortiADC-VM # diagnose debug kernel
Kernel debug level is 5
diagnose hardware deviceinfo
Use this command to display hardware information that might be useful in debugging.
Syntax
diagnose hardware {get|set} deviceinfo ide [ide0|ide1|drivers]
diagnose hardware {get|set} deviceinfo nic {<Enter>|<port>}
diagnose hardware {get|set} deviceinfo nic-detail {<Enter>|<port>}
ide
Displays disk settings.
nic
Displays port settings. If you do not specify a port and press Enter, the command displays output
for all ports.
nic-detail
Displays detailed port settings and statistics. If you do not specify a port and press Enter, the
command displays output for all ports.
Example
FortiADC-VM # diagnose hardware get deviceinfo ?
ide
display IDE device status
nic
display network interface controller status
nic-detail
display detailed network interface controller status
FortiADC-VM # diagnose hardware get deviceinfo ide ?
ide1
ide0
drivers
FortiADC-VM # diagnose hardware get deviceinfo ide drivers
ide-gd version 1.18
FortiADC-VM # diagnose hardware get deviceinfo ide ide1
1.model: pci
2.mate: ide0
3.channel: 1
FortiADC-VM # diagnose hardware get deviceinfo ide ide0
1.model: pci
2.mate: ide1
3.channel: 0
FortiADC-VM # diagnose hardware get deviceinfo nic-detail port1
Interface: port1
driver: vmxnet3
version: 1.1.29.0-k-NAPI
firmware-version:
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
Settings for port1:
Supported ports: [ TP ]
Supported link modes:
1000baseT/Full
10000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: No
Advertised link modes: Not reported
Advertised pause frame use: No
Advertised auto-negotiation: No
Speed: 10000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: off
MDI-X: Unknown
Supports Wake-on: uag
Wake-on: d
Link detected: yes
Pause parameters for port1:
Cannot get device pause settings: Operation not supported
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
port10: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
diagnose hardware ioport
Use this command to display I/O information that might be useful in debugging.
Syntax
diagnose hardware {get|set} ioport {byte|word|long} <address_hex>
ioport
Specify whether to read a byte, word, or long from the port.
address_hex
The hexadecimal address of the I/O port.
Example
First, use the diagnose hardware sysinfo command to find the address hex number for the port you want to
diagnose:
FortiADC-VM # diagnose hardware get sysinfo ioports
0000-0cf7 : PCI Bus 0000:00
0000-001f : dma1
0020-0021 : pic1
0040-0043 : timer0
0050-0053 : timer1
0060-0060 : keyboard
0064-0064 : keyboard
0070-0077 : rtc
0080-008f : dma page reg
00a0-00a1 : pic2
00c0-00df : dma2
00f0-00ff : fpu
0170-0177 : 0000:00:07.1
0170-0177 : piix
01f0-01f7 : 0000:00:07.1
01f0-01f7 : piix
02f8-02ff : serial
0376-0376 : 0000:00:07.1
0376-0376 : piix
03c0-03df : vga+
03f6-03f6 : 0000:00:07.1
03f6-03f6 : piix
03f8-03ff : serial
0cf0-0cf1 : pnp 00:00
0cf8-0cff : PCI conf1
0d00-feff : PCI Bus 0000:00
1000-103f : 0000:00:07.3
1000-103f : pnp 00:00
1000-1003 : ACPI PM1a_EVT_BLK
1004-1005 : ACPI PM1a_CNT_BLK
1008-100b : ACPI PM_TMR
100c-100f : ACPI GPE0_BLK
1010-1015 : ACPI CPU throttle
1040-104f : 0000:00:07.3
1040-104f : pnp 00:00
1060-107f : pnp 00:0b
1080-10bf : 0000:00:07.7
10c0-10cf : 0000:00:07.1
10c0-10cf : piix
10d0-10df : 0000:00:0f.0
1400-14ff : 0000:00:10.0
2000-3fff : PCI Bus 0000:02
4000-4fff : PCI Bus 0000:03
4000-400f : 0000:03:00.0
5000-5fff : PCI Bus 0000:0b
5000-500f : 0000:0b:00.0
6000-6fff : PCI Bus 0000:13
6000-600f : 0000:13:00.0
7000-7fff : PCI Bus 0000:1b
7000-700f : 0000:1b:00.0
8000-8fff : PCI Bus 0000:04
8000-800f : 0000:04:00.0
9000-9fff : PCI Bus 0000:0c
9000-900f : 0000:0c:00.0
a000-afff : PCI Bus 0000:14
a000-a00f : 0000:14:00.0
b000-bfff : PCI Bus 0000:1c
b000-b00f : 0000:1c:00.0
c000-cfff : PCI Bus 0000:05
c000-c00f : 0000:05:00.0
d000-dfff : PCI Bus 0000:0d
d000-d00f : 0000:0d:00.0
e000-efff : PCI Bus 0000:15
Then, use the diagnose hardware ioport command to display the ioport value:
FortiADC-VM # diagnose hardware get ioport long 001f
inl(001f)=ffffffff
diagnose hardware pciconfig
Use this command to display PCI registers that might be useful in debugging.
Syntax
diagnose hardware {get|set} pciconfig [bus <bus> | id <id> | option <option> | <Enter>]
bus
Display registers for the specified bus.
id
Display registers for the specified id.
option
Options for displaying the register.
Example
FortiADC-VM # diagnose hardware get pciconfig ?
bus
list devices on the specified bus
id
list devices with the specified vendor and device ID
option
v n t x H1
<Enter>
FortiADC-VM # diagnose hardware get pciconfig
00:00.0 Class 0600: 8086:7190 (rev 01)
00:01.0 Class 0604: 8086:7191 (rev 01)
00:07.0 Class 0601: 8086:7110 (rev 08)
00:07.1 Class 0101: 8086:7111 (rev 01)
00:07.3 Class 0680: 8086:7113 (rev 08)
00:07.7 Class 0880: 15ad:0740 (rev 10)
00:0f.0 Class 0300: 15ad:0405
00:10.0 Class 0100: 1000:0030 (rev 01)
00:11.0 Class 0604: 15ad:0790 (rev 02)
00:15.0 Class 0604: 15ad:07a0 (rev 01)
00:15.1 Class 0604: 15ad:07a0 (rev 01)
00:15.2 Class 0604: 15ad:07a0 (rev 01)
00:15.3 Class 0604: 15ad:07a0 (rev 01)
00:15.4 Class 0604: 15ad:07a0 (rev 01)
00:15.5 Class 0604: 15ad:07a0 (rev 01)
00:15.6 Class 0604: 15ad:07a0 (rev 01)
00:15.7 Class 0604: 15ad:07a0 (rev 01)
00:16.0 Class 0604: 15ad:07a0 (rev 01)
00:16.1 Class 0604: 15ad:07a0 (rev 01)
00:16.2 Class 0604: 15ad:07a0 (rev 01)
00:16.3 Class 0604: 15ad:07a0 (rev 01)
00:16.4 Class 0604: 15ad:07a0 (rev 01)
00:16.5 Class 0604: 15ad:07a0 (rev 01)
00:16.6 Class 0604: 15ad:07a0 (rev 01)
00:16.7 Class 0604: 15ad:07a0 (rev 01)
00:17.0 Class 0604: 15ad:07a0 (rev 01)
00:17.1 Class 0604: 15ad:07a0 (rev 01)
00:17.2 Class 0604: 15ad:07a0 (rev 01)
00:17.3 Class 0604: 15ad:07a0 (rev 01)
00:17.4 Class 0604: 15ad:07a0 (rev 01)
00:17.5 Class 0604: 15ad:07a0 (rev 01)
00:17.6 Class 0604: 15ad:07a0 (rev 01)
00:17.7 Class 0604: 15ad:07a0 (rev 01)
00:18.0 Class 0604: 15ad:07a0 (rev 01)
00:18.1 Class 0604: 15ad:07a0 (rev 01)
00:18.2 Class 0604: 15ad:07a0 (rev 01)
00:18.3 Class 0604: 15ad:07a0 (rev 01)
00:18.4 Class 0604: 15ad:07a0 (rev 01)
00:18.5 Class 0604: 15ad:07a0 (rev 01)
00:18.6 Class 0604: 15ad:07a0 (rev 01)
00:18.7 Class 0604: 15ad:07a0 (rev 01)
03:00.0 Class 0200: 15ad:07b0 (rev 01)
04:00.0 Class 0200: 15ad:07b0 (rev 01)
05:00.0 Class 0200: 15ad:07b0 (rev 01)
0b:00.0 Class 0200: 15ad:07b0 (rev 01)
0c:00.0 Class 0200: 15ad:07b0 (rev 01)
0d:00.0 Class 0200: 15ad:07b0 (rev 01)
13:00.0 Class 0200: 15ad:07b0 (rev 01)
14:00.0 Class 0200: 15ad:07b0 (rev 01)
1b:00.0 Class 0200: 15ad:07b0 (rev 01)
1c:00.0 Class 0200: 15ad:07b0 (rev 01)
FortiADC-VM # diagnose hardware get pciconfig option ?
v
verbose information
n
display number id
t
tree view of bus
x
dump configuration space data in hexadecimal
H1
direct access hardware
FortiADC-VM # diagnose hardware get pciconfig option t
-[00]-+-00.0
+-01.0-[01]-+-07.0
+-07.1
+-07.3
+-07.7
+-0f.0
+-10.0
+-11.0-[02]-+-15.0-[03]----00.0
+-15.1-[04]----00.0
+-15.2-[05]----00.0
+-15.3-[06]-+-15.4-[07]-+-15.5-[08]-+-15.6-[09]-+-15.7-[0a]-+-16.0-[0b]----00.0
+-16.1-[0c]----00.0
+-16.2-[0d]----00.0
+-16.3-[0e]-+-16.4-[0f]-+-16.5-[10]-+-16.6-[11]-+-16.7-[12]-+-17.0-[13]----00.0
+-17.1-[14]----00.0
+-17.2-[15]-+-17.3-[16]-+-17.4-[17]-+-17.5-[18]-+-17.6-[19]-+-17.7-[1a]-+-18.0-[1b]----00.0
+-18.1-[1c]----00.0
+-18.2-[1d]-+-18.3-[1e]-+-18.4-[1f]-+-18.5-[20]--
+-18.6-[21]-`-18.7-[22]--
diagnose hardware sysinfo
Use this command to display system information that might be useful in debugging.
Syntax
diagnose hardware {get|set} sysinfo {cpu | interrupts | iomem | ioports | memory | mtrr |
slab | stream | df}
cpu
Display detailed information for all CPU.
interrupts
Display system interrupt information.
iomem
Display the memory map of I/O ports.
ioports
Display the address list of I/O ports.
memory
Display system memory information.
mtrr
Display the memory type range register.
slab
Display memory allocation information.
stream
Display STREAM benchmark results.
df
Display disk free information.
Example
FortiADC-VM # diagnose hardware get sysinfo ?
cpu
display detailed information for all installed CPU(s)
interrupts
display system interrupts information
iomem
display the memory map of I/O ports
ioports
display the address list of I/O ports
memory
display system memory information
mtrr
display the memory type range register
slab
display memory allocation information
stream
display STREAM benchmark results
df
display disk free information
FortiADC-VM # diagnose hardware get sysinfo df
Filesystem    Size    Used    Available  Use%  Mounted on
/dev/root     193.7M  141.6M  52.1M      73%   /
none          0       0       0          0%    /proc
none          0       0       0          0%    /sys
none          0       0       0          0%    /sys/kernel/debug
none          256.0M  7.6M    248.4M     3%    /tmp
none          0       0       0          0%    /dev/pts
none          256.0M  0       256.0M     0%    /dev/shm
/dev/sda2     96.8M   68.8M   23.1M      75%   /data
/dev/sdb1     23.5G   1.3G    21.0G      6%    /var/log
/dev/sda3     378.3M  10.1M   348.7M     3%    /home
/dev/loop0    984.3M  35.2M   899.1M     4%    /var/log/debug
diagnose netlink backlog
Use this command to set the backlog length.
Syntax
diagnose netlink backlog [get] [<integer>]
[get]
Specify the get option to display the current setting. Otherwise, the command sets the backlog length.
<integer>
Backlog length.
Example
FortiADC-VM # diagnose netlink backlog ?
get
see current backlog length
<backlog>
set new backlog length
FortiADC-VM # diagnose netlink backlog get
Current backlog is 1000
FortiADC-VM # diagnose netlink backlog 2000
FortiADC-VM # diagnose netlink backlog get
Current backlog is 2000
diagnose netlink device
Use this command to display network interface RX/TX statistics.
Syntax
diagnose netlink device
Example
FortiADC-VM # diagnose netlink device
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
vtb0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
vtb1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
port3: 418337774 4267852 0 168 0 0 0 363608 260 2 0 0 0 0 0 0
port10: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
port8: 418337474 4267847 0 163 0 0 0 363608 260 2 0 0 0 0 0 0
vsport-101010A: 0 0 0 0 0 0 0 0 260 2 0 0 0 0 0 0
port5: 418337654 4267850 0 166 0 0 0 363608 260 2 0 0 0 0 0 0
gre0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
gre1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
port2: 418334234 4267793 0 169 0 0 0 363608 2910 63 0 0 0 0 0 0
bond0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
imq0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
port7: 418337534 4267848 0 164 0 0 0 363608 260 2 0 0 0 0 0 0
lo: 123360587 775740 0 0 0 0 0 0 123360587 775740 0 0 0 0 0 0
port4: 418337714 4267851 0 167 0 0 0 363608 260 2 0 0 0 0 0 0
port9: 418337474 4267847 0 162 0 0 0 363609 1034285 12167 0 0 0 0 0 0
port1: 491225752 5104578 0 170 0 0 0 363608 174736576 1503116 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
port6: 418337594 4267849 0 165 0 0 0 363608 260 2 0 0 0 0 0 0
haport0: 0 0 0 0 0 0 0 0 1034025 12165 0 5 0 0 0 0
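The RX/TX table has the layout of the Linux /proc/net/dev file: eight receive counters followed by eight transmit counters per interface. When troubleshooting, the counters worth watching are the error and drop columns, which on a busy ADC are early signs of an overloaded port or a link problem. The helper below parses that layout and reports interfaces with nonzero error or drop counters; it is an added example, not FortiADC code, and its sample text is constructed from a few rows of the output above.

```python
"""Flag interfaces with errors or drops in `diagnose netlink device` output (added example)."""

# Column names of the /proc/net/dev layout, receive first, then transmit.
RX_COLS = ["bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast"]
TX_COLS = ["bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed"]

# Counters that indicate a problem when nonzero (bytes/packets/multicast are volume).
PROBLEM_COUNTERS = (
    ("rx", "errs"), ("rx", "drop"), ("rx", "fifo"), ("rx", "frame"),
    ("tx", "errs"), ("tx", "drop"), ("tx", "fifo"), ("tx", "colls"), ("tx", "carrier"),
)

# Constructed sample: a subset of the rows shown on this page.
SAMPLE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
port3: 418337774 4267852 0 168 0 0 0 363608 260 2 0 0 0 0 0 0
lo: 123360587 775740 0 0 0 0 0 0 123360587 775740 0 0 0 0 0 0
port1: 491225752 5104578 0 170 0 0 0 363608 174736576 1503116 0 0 0 0 0 0
haport0: 0 0 0 0 0 0 0 0 1034025 12165 0 5 0 0 0 0
bond0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
"""


def parse_netdev(text):
    """Return {interface: {"rx": {...}, "tx": {...}}} from /proc/net/dev-style text."""
    stats = {}
    for line in text.splitlines():
        stripped = line.strip()
        # The two header lines carry no "name:" prefix; skip them.
        if ":" not in stripped or stripped.startswith(("Inter-", "face")):
            continue
        name, _, rest = stripped.partition(":")
        fields = rest.split()
        if len(fields) != 16:
            raise ValueError(f"expected 16 counters for {name!r}, got {len(fields)}")
        nums = [int(f) for f in fields]
        stats[name.strip()] = {
            "rx": dict(zip(RX_COLS, nums[:8])),
            "tx": dict(zip(TX_COLS, nums[8:])),
        }
    return stats


def interfaces_with_problems(text):
    """Map interface -> {"rx_drop": n, ...} for every nonzero problem counter."""
    report = {}
    for name, s in parse_netdev(text).items():
        bad = {f"{d}_{c}": s[d][c] for d, c in PROBLEM_COUNTERS if s[d][c]}
        if bad:
            report[name] = bad
    return report


def drop_ratio(stats, name, direction="rx"):
    """Fraction of packets dropped on one interface in one direction (0.0 if idle)."""
    s = stats[name][direction]
    return s["drop"] / s["packets"] if s["packets"] else 0.0


if __name__ == "__main__":
    for iface, counters in interfaces_with_problems(SAMPLE).items():
        print(iface, counters)
```

Because the command prints cumulative counters since boot, a single snapshot only says that something happened at some point; comparing two captures taken a few minutes apart, or the ratio from drop_ratio against a baseline, is what tells you whether the drops are current.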
diagnose netlink interface
Use this command to display detailed network interface information, such as family, type, MTU, flags. It is similar to the
shell command ifconfig.
Syntax
diagnose netlink interface list [<Enter>|<interface>]
Example
FortiADC-VM # diagnose netlink interface ?
list
list interface
FortiADC-VM # diagnose netlink interface list ?
<interface-name>
interface name
port1
physical
port2
physical
port3
physical
port4
physical
port5
physical
port6
physical
port7
physical
port8
physical
port9
physical
port10
physical
FortiADC-VM # diagnose netlink interface list port1
if=port1 family=00 type=1 index=4 mtu=1500 link=0 master=0
flags=up broadcast run multicast
Qdisc=pfifo_fast hw_addr=00:09:0f:09:00:01: broadcast_addr=ff:ff:ff:ff:ff:ff:
stat: rxp=6453991526227804 txp=749850502384418443 rxb=0 txb=170 rxe=363546 txe=0
rxd=0 txd=0 mc=0 collision=0
re: rxl=0 rxo=6474731918196736 rxc=5103452 rxf=1502687 rxfi=491093643 rxm=174588175
te: txa=0 txc=0 txfi=170 txh=0 txw=363546
diagnose netlink ip/ipv6
Use these commands to list interface details, or to add or delete a physical network interface.
Back up the configuration before deleting a network interface table entry.
Syntax
diagnose netlink <ip|ipv6> add <interface_name> <ipaddress> <netmask>
diagnose netlink <ip|ipv6> delete <interface_name> <ipaddress>
diagnose netlink <ip|ipv6> flush
diagnose netlink <ip|ipv6> list
<interface_name>
Name of the interface to add or delete from the network interface table.
<ipaddress>
IP address of the network interface.
<netmask>
Subnet mask.
Example
FortiADC-VM # diagnose netlink ip ?
add
add netlink ip address
delete
delete netlink ip address
flush
flush netlink ip address
list
list netlink ip address
FortiADC-VM # diagnose netlink ip list
IP=127.0.0.1 MASK=255.255.255.0 index=1 devname=lo
IP=127.129.1.1 MASK=255.255.255.255 index=1 devname=lo
IP=172.30.144.100 MASK=255.255.252.0 index=4 devname=port1
IP=10.1.1.1 MASK=255.255.255.255 index=4 devname=port1
IP=7.7.7.7 MASK=255.255.255.255 index=7 devname=port2
IP=5.5.5.5 MASK=255.255.255.255 index=7 devname=port2
IP=11.11.11.11 MASK=255.255.255.255 index=7 devname=port2
IP=12.12.12.12 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.9 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.8 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.7 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.6 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.5 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.4 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.3 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.2 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.1 MASK=255.255.255.255 index=7 devname=port2
IP=172.0.0.0 MASK=255.255.255.255 index=7 devname=port2
IP=1.1.100.1 MASK=255.255.255.255 index=7 devname=port2
IP=1.1.100.2 MASK=255.255.255.255 index=7 devname=port2
IP=169.254.160.134 MASK=255.255.0.0 index=17 devname=haport0
diagnose netlink neighbor/neighbor6
Use these commands to list the neighbor table (ARP cache), or to add or delete neighbors.
Syntax
diagnose netlink <neighbor|neighbor6> add <interface_name> <ipaddress> <macaddress>
diagnose netlink <neighbor|neighbor6> delete <interface_name> <ipaddress>
diagnose netlink <neighbor|neighbor6> flush
diagnose netlink <neighbor|neighbor6> list
<interface_name>
Name of the interface to add or delete from the neighbors table.
<ipaddress>
IP address of the network interface.
<macaddress>
MAC address.
Example
FortiADC-VM # diagnose netlink neighbor list
ifindex=1 ifname=lo 127.0.0.1 00:00:00:00:00:00 state=00000040 use=2255 confirm=8255
update=2255 ref=0
diagnose netlink route/route6
Use this command to display the route table.
Syntax
diagnose netlink <route|route6> <list | flush>
Example
FortiADC-VM # diagnose netlink route ?
list
list routing table
flush
flush routing table
FortiADC-VM # diagnose netlink route list
tab=252 type=local protocol=boot flag=00000000 oif=1(lo) prio=400
tab=0 type=unreachable protocol=kernel flag=00000000 oif=1(lo) prio=ffffffff
tab=254 type=unicast protocol=kernel flag=00000000 oif=17(haport0) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=4(port1) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=7(port2) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=10(port3) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=12(port4) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=5(port5) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=8(port6) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=11(port7) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=13(port8) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=6(port9) dst:fe80::/64 prio=100
tab=254 type=unicast protocol=kernel flag=00000000 oif=9(port10) dst:fe80::/64 prio=100
tab=0 type=unreachable protocol=kernel flag=00000000 oif=1(lo) prio=ffffffff
tab=255 type=local protocol=unspec flag=00000000 oif=1(lo) dst:::1/128 gwy::: prio=0
tab=255 type=local protocol=unspec flag=00000000 oif=1(lo) dst:fe80::/128 gwy::: prio=0
[...]
diagnose netlink tcp
Use this command to view a list of TCP raw socket details, including:
• sl — Kernel socket hash slot.
• local_address — IP address and port number pair of the network interface in hexadecimal, such as DD01010A:0050.
• rem_address — Remote host network interface and port number pair. If not connected, this will contain 00000000:0000.
• st — TCP state code (e.g. 0A for listening, 01 for established, or 06 for timeout wait)
• tx_queue — Kernel memory usage by the transmission queue.
• rx_queue — Kernel memory usage by the retransmission queues.
• tr, tm->when, retrnsmt — Kernel socket state debugging information.
• uid — User ID of the socket’s creator (on FortiADC, always 0).
• timeout — Connection timeout.
• inode — Pseudo-file system i-node of the process.
Syntax
diagnose netlink tcp
Example
FortiADC-VM # diagnose netlink tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 86A0FEA9:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2455 1 ffff88005ad16f40 100 0 0 10 0
1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2852 1 ffff88005c6acd80 100 0 0 10 0
2: 64901EAC:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2855 1 ffff88005c6ad440 100 0 0 10 0
3: 64901EAC:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 38004000 1 ffff88005f4ce880 100 0 0 10 0
4: 86A0FEA9:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 38004001 1 ffff88005f4cc6c0 100 0 0 10 0
5: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 38004003 1 ffff88005f4ce1c0 100 0 0 10 0
6: 64901EAC:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2451 1 ffff88005ad15b00 100 0 0 10 0
7: 86A0FEA9:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2452 1 ffff88005ad161c0 100 0 0 10 0
8: 0100007F:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2453 1 ffff88005ad16880 100 0 0 10 0
9: 0100007F:03B9 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2959 1 ffff88005c6adb00 100 0 0 10 0
[...]
diagnose netlink udp
Use this command to view a list of UDP raw socket details, including:
• sl — Kernel socket hash slot.
• local_address — IP address and port number pair of the network interface in hexadecimal, such as DD01010A:0050.
• rem_address — Remote host network interface and port number pair. If not connected, this will contain 00000000:0000.
• st — TCP state code in hexadecimal (e.g. 0A for listening, 01 for connection established, or 06 for waiting for data)
• tx_queue — Kernel memory usage by the transmission (Tx) queue.
• rx_queue — Kernel memory usage by the retransmission (Rx) queues. (This is not used by UDP, since the protocol itself does not support retransmission.)
• tr, tm->when, retrnsmt — Kernel socket state debugging information. (These are not used by UDP, since the protocol itself does not support retransmission.)
• uid — User ID of the socket’s creator (on FortiADC, always 0).
• timeout — Connection timeout.
• inode — Pseudo-file system inode of the process.
• ref, pointer — Pseudo-file system references.
Syntax
diagnose netlink udp
Example
FortiADC-VM # diagnose netlink udp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
171: 0100007F:0FA0 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1165 2 ffff88006bf90000 0
202: 00000000:87BF 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4962 2 ffff88006bf91500 0
223: 00000000:F7D4 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 38534860 2 ffff88005f319180 0
318: 00000000:3033 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 38504036 2 ffff88005f318700 0
319: 00000000:D034 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3279 2 ffff88006bf90e00 0
320: 64901EAC:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2854 2 ffff88006bf90a80 0
320: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2851 2 ffff88006bf90700 0
475: 00000000:ECD0 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 24123242 2 ffff88005f318000 0
494: 00000000:24E3 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 38500439 2 ffff88005f318a80 0
546: 00000000:2D17 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 20533867 2 ffff88005f318380 0
610: 00000000:9957 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 37907911 2 ffff88005f319500 0
1010: 00000000:52E7 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 3576 2 ffff88006bf90380 0
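The local_address and rem_address columns of both diagnose netlink tcp and diagnose netlink udp use the Linux /proc/net/tcp convention: the IPv4 address is four bytes in little-endian order followed by a hex port, so 86A0FEA9:0015 is 169.254.160.134 port 21 and 64901EAC:0016 is 172.30.144.100 port 22 (the haport0 and port1 addresses shown under diagnose netlink ip). Decoding the rows turns the two listings into an inventory of which services listen on which addresses, which is the check an administrator wants after enabling or disabling CLI access over the network. The decoder below is an added example, not FortiADC code; its sample rows are constructed from the TCP and UDP output on this page, the state names are the Linux kernel's numbering (0A is LISTEN; unconnected UDP sockets show 07, CLOSE), and the well-known port labels are the standard IANA assignments.

```python
"""Decode `diagnose netlink tcp` / `diagnose netlink udp` rows (added example)."""
import ipaddress

# Linux kernel socket state codes as printed in /proc/net/tcp and /proc/net/udp.
STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Standard IANA port names, used only to label the inventory; protocols that
# carry credentials in cleartext are worth a second look on a management interface.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 53: "dns", 80: "http", 443: "https"}
CLEARTEXT = {21, 23, 80}

# Constructed samples: rows taken from the TCP and UDP output on this page.
TCP_SAMPLE = """sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 86A0FEA9:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2455 1 ffff88005ad16f40 100 0 0 10 0
1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2852 1 ffff88005c6acd80 100 0 0 10 0
3: 64901EAC:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 38004000 1 ffff88005f4ce880 100 0 0 10 0
6: 64901EAC:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2451 1 ffff88005ad15b00 100 0 0 10 0
"""
UDP_SAMPLE = """sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
171: 0100007F:0FA0 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1165 2 ffff88006bf90000 0
320: 64901EAC:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2854 2 ffff88006bf90a80 0
"""


def decode_endpoint(token):
    """'86A0FEA9:0015' -> ('169.254.160.134', 21): little-endian IPv4 hex plus hex port."""
    hexip, hexport = token.split(":")
    if len(hexip) != 8:
        raise ValueError(f"only IPv4 endpoints are handled here: {token}")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(hexip), "little"))
    return str(ip), int(hexport, 16)


def parse_socket_rows(text):
    """Parse data rows (those whose first field is 'N:'); the header row is skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        code = int(fields[3], 16)
        rows.append({
            "slot": int(fields[0][:-1]),
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": STATES.get(code, fields[3]),
        })
    return rows


def listening_sockets(text, proto="tcp"):
    """(ip, port) of TCP listeners, or of bound UDP sockets (state CLOSE when unconnected)."""
    want = "LISTEN" if proto == "tcp" else "CLOSE"
    return [r["local"] for r in parse_socket_rows(text) if r["state"] == want]


def review_exposure(text, proto="tcp"):
    """One finding per bound address/port, labelled with the service name if well known."""
    findings = []
    for ip, port in sorted(set(listening_sockets(text, proto))):
        findings.append({
            "ip": ip,
            "port": port,
            "service": PORT_NAMES.get(port, "unknown"),
            "note": "cleartext protocol" if port in CLEARTEXT else "",
        })
    return findings


if __name__ == "__main__":
    for f in review_exposure(TCP_SAMPLE) + review_exposure(UDP_SAMPLE, "udp"):
        print(f)
```

Each row's inode, ref and pointer columns are passed through untouched; the example only needs the first four fields, so it also copes with the line wrapping that a narrow terminal introduces as long as each row is rejoined before parsing.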
diagnose sniffer packet
Use this command to perform a packet trace on one or more network interfaces.
Packet capture, also known as sniffing or packet analysis, records some or all of the packets seen by a network interface
(that is, the network interface is used in promiscuous mode). By recording packets, you can trace connection states to
the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to
detect.
FortiADC appliances have a built-in sniffer. Packet capture on FortiADC appliances is similar to that of FortiGate
appliances. Packet capture output appears on your CLI display until you stop it by pressing Ctrl+C, or until it reaches the
number of packets that you have specified to capture.
Packet capture can be very resource intensive. To minimize the performance impact on your
FortiADC appliance, use packet capture only during periods of minimal traffic, with a local console CLI
connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you
are finished.
For additional information on the packet sniffer utility, see the Fortinet Knowledge Base article Using the FortiOS built-in
packet sniffer.
Syntax
diagnose sniffer packet [{any | <interface_name>} [{none | '<filter_str>'} [{1 | 2 | 3} [<packets_int>]]]]
{any | <interface_name>}
Type the name of a network interface whose packets you want to capture, such as
port1, or type any to capture packets on all network interfaces.
If you omit this and the following parameters for the command, the command
captures all packets on all network interfaces.
{none | '<filter_str>'}
Type either none to capture all packets, or type a filter that specifies which protocols
and port numbers that you do or do not want to capture, such as 'tcp port 25'.
Surround the filter string in quotes ( ' ).
Filters use tcpdump syntax:
'[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or]
[[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or]
[[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or]
[[arp|ip|gre|esp|udp|tcp] port <port2_int>]'
To display only the traffic between two hosts, specify the IP addresses of both hosts.
To display only forward or reply packets, indicate which host is the source, and which
is the destination.
For example, to display UDP port 1812 traffic between 1.example.com and either
2.example.com or 3.example.com, you would enter:
'udp and port 1812 and src host 1.example.com and dst
\( 2.example.com or 3.example.com \)'
{1 | 2 | 3}
Type one of the following integers indicating the depth of packet headers and
payloads to capture:
• 1 — Display the packet capture timestamp, plus basic fields of the IP header: the
source IP address, the destination IP address, protocol name, and destination
port number.
Does not display all fields of the IP header; it omits:
  • IP version number bits
  • Internet header length (ihl)
  • type of service/differentiated services code point (tos)
  • explicit congestion notification
  • total packet or fragment length
  • packet ID
  • IP header checksum
  • time to live (TTL)
  • IP flag
  • fragment offset
  • options bits
• 2 — All of the output from 1, plus the packet payload in both hexadecimal and
ASCII.
• 3 — All of the output from 2, plus the link layer (Ethernet) header.
For troubleshooting purposes, Fortinet Technical Support may request the most
verbose level (3).
<packets_int>
Type the number of packets to capture before stopping.
If you do not specify a number, the command will continue to capture packets until
you press Ctrl+C.
Example
The following example captures three packets of traffic from any port number or protocol and between any source and
destination (a filter of none), which passes through the network interface named port1. The capture uses a low level of
verbosity (indicated by 1).
Commands that you would type are highlighted in bold; responses from the FortiADC appliance are not bolded.
FortiADC-VM # diagnose sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.000000 172.30.144.20.53800 -> 172.30.144.100.22: ack 202368347
0.000000 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368415 ack 2508304372
0.000000 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368531 ack 2508304372
If you are familiar with the TCP protocol, you might notice that the packets are from the middle of a TCP connection.
Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be
from an SSH session.
Example
The following example captures packets traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and
192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as
the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.
FortiADC# diagnose sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1
A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator
presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. Below is a sample
output.
192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
5 packets received by filter
0 packets dropped by kernel
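The two examples above differ in one way that matters when reading a capture: the second one begins with the full syn, syn/ack, ack handshake, while the first one opens with a bare ack and was therefore taken from the middle of an existing connection. The following script, an added example that is not part of the Fortinet documentation, parses verbosity-1 sniffer lines, groups them into bidirectional flows, and reports for each flow whether the handshake was seen and which end is the server. The sample lines are constructed in the shape of the output above; the timestamp column is treated as optional, since the second example prints without it.

```python
"""Parse `diagnose sniffer packet ... 1` output into flows (added example)."""
import re
from collections import defaultdict

# Constructed sample in the shape of verbosity-1 output: five lines of a complete HTTP
# handshake and exchange, then two mid-stream packets of a connection to port 22.
SAMPLE_SNIFFER = """\
interfaces=[port1]
filters=[none]
0.000000 192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
0.000210 192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
0.000305 192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
0.000412 192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
0.000550 192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
0.100000 172.30.144.20.53800 -> 172.30.144.100.22: ack 202368347
0.100100 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368415 ack 2508304372
7 packets received by filter
0 packets dropped by kernel
"""

PACKET_RE = re.compile(
    r"^(?:(?P<ts>\d+\.\d+)\s+)?"                      # timestamp prefix is optional
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
FLAG_WORDS = {"syn", "ack", "psh", "fin", "rst", "urg"}


def parse_sniffer(text):
    """Return one dict per packet line; interfaces=, filters= and summary lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        packets.append({
            "ts": float(m["ts"]) if m["ts"] else None,
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": {t for t in tokens if t in FLAG_WORDS},
        })
    return packets


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation group together."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def classify_flows(packets):
    """Per flow: packet count, whether the 3-way handshake is in the capture, server port.

    A flow whose first three packets carry exactly SYN, SYN/ACK, ACK starts at
    connection setup; anything else was picked up mid-connection, as in the first
    example above.
    """
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    report = {}
    for key, pkts in flows.items():
        first = [p["flags"] for p in pkts[:3]]
        handshake = first == [{"syn"}, {"syn", "ack"}, {"ack"}]
        if handshake:
            server_port = pkts[0]["dport"]           # the SYN is addressed to the server
        else:
            server_port = min(key[0][1], key[1][1])  # heuristic: the well-known side
        report[key] = {"packets": len(pkts), "handshake_seen": handshake,
                       "server_port": server_port}
    return report


if __name__ == "__main__":
    for key, info in classify_flows(parse_sniffer(SAMPLE_SNIFFER)).items():
        print(key, info)
```

Without the handshake the server side can only be guessed, which is why the script falls back to the lower port number and labels that a heuristic; when a capture is meant to settle which side initiated a connection, start the sniffer before the connection is opened so that the SYN is recorded.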
diagnose system top
Use this command to view a list of the most system-intensive processes and to change the refresh rate.
Syntax
diagnose system top [delay <integer>]
delay
Refresh interval (seconds).
Once you execute this command, it continues to run and display in the CLI window until you enter q (quit).
While the command is running, you can press Shift + P to sort the five columns of data by CPU usage (the default) or
Shift + M to sort by memory usage.
Example
This example displays a list of the top system processes and sets the update interval at 10 seconds.
FortiADC-VM # diagnose system top ?
delay      refresh display period
FortiADC-VM # diagnose system top delay ?
<delay>    delay in seconds
FortiADC-VM # diagnose system top delay 30
Run Time: 13 days, 5 hours and 9 minutes
0U, 1S, 97I; 1620T, 613F
php-fpm       635    S   1.9   0.7
php-fpm       636    S   1.9   0.7
mysqld        528    S   0.0   5.8
named         1238   S   0.0   1.0
alertemail    522    S   0.0   0.9
php-fpm       13467  S   0.0   0.6
php-fpm       525    S   0.0   0.6
cmdbsvr       86     S   0.0   0.6
cli           13065  S   0.0   0.5
snmpd         536    S   0.0   0.2
miglogd       523    S   0.0   0.2
nginx         524    S   0.0   0.2
updated       512    S   0.0   0.2
cli           21276  R   0.0   0.2
flg_indexd    10367  S   0.0   0.2
lb            520    S   0.0   0.2
sshd          515    S   0.0   0.2
scheduled     506    S   0.0   0.2
info_cente    533    S   0.0   0.2
crlupdated    535    S   0.0   0.2
hasyncd       518    S   0.0   0.2
flg_access    10370  S   0.0   0.2
llbd          507    S   0.0   0.1
netd          511    S   0.0   0.1
lvs           517    S   0.0   0.1
gdns          516    S   0.0   0.1
llbr_hcd      509    S   0.0   0.1
keepalived    519    S   0.0   0.1
getty         513    S   0.0   0.1
The first line indicates the up time. The second line lists the processor and memory usage, where the parameters from
left to right mean:
• U — Percent of user CPU usage (in this case 0%)
• S — Percent of system CPU usage (in this case 1%)
• I — Percentage of CPU idle (in this case 97%)
• T — Total memory in kilobytes (in this case 1620 KB)
• F — Available memory in kilobytes (in this case 613 KB)
The five columns of data provide the process name (such as updated), the process ID (pid), the running status, the
CPU usage, and the memory usage. The status values are:
• S — Sleeping (idle)
• R — Running
• Z — Zombie (crashed)
• < — High priority
• N — Low priority
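When the top output is saved from a session rather than watched live, the summary line and the five-column rows are easy to post-process. The following script, an added example that is not part of the Fortinet documentation, parses the summary line using the U/S/I/T/F meanings listed above, parses the process rows, and answers the questions an operator usually has: which processes are zombies, which consume the most CPU or memory, and how much of total memory is free. The sample is constructed in the layout shown above; the httpd row with status Z is invented to exercise the zombie check and does not appear in the appliance output.

```python
"""Parse `diagnose system top` output and summarise it (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout shown above. The 'Z' row is invented for the
# zombie check and is not from the appliance output.
SAMPLE_TOP = """\
Run Time: 13 days, 5 hours and 9 minutes
0U, 1S, 97I; 1620T, 613F
php-fpm 635 S 1.9 0.7
mysqld 528 S 0.0 5.8
named 1238 S 0.0 1.0
cli 21276 R 0.0 0.2
sshd 515 S 0.0 0.2
httpd 4242 Z 0.0 0.0
"""

# Second line of the output: user%, system%, idle%; total memory, free memory.
SUMMARY_RE = re.compile(r"(\d+)U, (\d+)S, (\d+)I; (\d+)T, (\d+)F")
STATUS_MEANING = {"S": "sleeping", "R": "running", "Z": "zombie",
                  "<": "high priority", "N": "low priority"}


@dataclass
class Process:
    name: str
    pid: int
    status: str
    cpu: float
    mem: float


def parse_top(text):
    """Return (summary dict, list of Process). Lines that are not summary or 5-column rows are skipped."""
    summary, procs = None, []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            user, system, idle, total, free = map(int, m.groups())
            summary = {"user": user, "system": system, "idle": idle,
                       "total_mem": total, "free_mem": free}
            continue
        fields = line.split()
        if len(fields) != 5 or not fields[1].isdigit():
            continue
        procs.append(Process(fields[0], int(fields[1]), fields[2],
                             float(fields[3]), float(fields[4])))
    return summary, procs


def zombies(procs):
    """Processes in state Z: exited but not reaped, which is worth reporting to support."""
    return [p for p in procs if p.status == "Z"]


def top_by(procs, key, n=3):
    """The n heaviest processes by 'cpu' or 'mem' (what Shift+P / Shift+M sort on interactively)."""
    return sorted(procs, key=lambda p: getattr(p, key), reverse=True)[:n]


def free_mem_ratio(summary):
    """Fraction of total memory still free, from the T and F values of the summary line."""
    return summary["free_mem"] / summary["total_mem"]


def describe(p):
    return f"{p.name}[{p.pid}] {STATUS_MEANING.get(p.status, p.status)} cpu={p.cpu} mem={p.mem}"


if __name__ == "__main__":
    summary, procs = parse_top(SAMPLE_TOP)
    print(summary, f"free={free_mem_ratio(summary):.1%}")
    for p in top_by(procs, "mem"):
        print(describe(p))
    print("zombies:", [describe(p) for p in zombies(procs)])
```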
diagnose system vmware
Use this command to view information about a virtual appliance.
Syntax
diagnose system vmware
Example
FortiADC-VM # diagnose system vmware
UUID:        564d2ec7705469089699f1852ce8a086
File:        License file and resources are valid.
Resources:   1 CPU/1 allowed, 1620 MB RAM/2048 MB allowed, 23 GB Disk/1024 GB allowed
Registered:  1 (True)
Status:      1 (Valid: License has been successfully authenticated with registration servers.)
FDS code:    200
Warn count:  0
Copy count:  0
Received:    113788700
Warning:     0
Recv:        201503092104
Dup:
execute
The execute commands have an immediate and decisive effect on your FortiADC appliance and, for that reason,
should be used with care. Unlike config commands, most execute commands do not result in any configuration
change.
This chapter is a reference for the following commands:
execute backup config
execute caching
execute certificate ca
execute certificate crl
execute certificate local
execute certificate remote
execute certificate config
execute date
execute factoryreset
execute formatlogdisk
execute log delete-file
execute log delete-type
execute log list-type
execute log rebuild-db
execute nslookup
execute ping/ping6
execute ping-options/ping6-options
execute reboot
execute restore config
execute restore image
execute shutdown
execute tcpdump/tcpdump6
execute tcpdump-file
execute traceroute
execute vmware license
execute backup config
Use this command to manually back up the configuration file to a TFTP server.
Syntax
execute backup config tftp <filename> <ipaddress> [<password>]
<filename>
Name of the file to be used for the backup file, such as FortiADC_backup.conf.
<ipaddress>
IP address of the TFTP server.
<password>
Password for use when encrypting the backup file using 128-bit AES.
If you do not provide a password, the backup file will be stored as clear text.
Example
This example uploads the system configuration to a file named FortiADC_backup.conf on a TFTP server at IP
address 192.168.1.23. The file will not be password-encrypted.
execute backup config tftp FortiADC_backup.cfg 192.168.1.23
execute caching
Use this command to show information about a virtual server cache or to clear the cache.
Syntax
execute caching {show|clean} <vsname>
show
Show cache statistics.
clean
Clear the cache.
<vsname>
Name of the virtual server.
Example
FortiADC-VM # execute caching ?
show     show
clean    clean
FortiADC-VM # execute caching show vs1
Warning: ram caching is not enabled on vs1
execute certificate ca
Use this command to import or export a certificate file. An alternative to config system certificate ca.
Syntax
execute certificate ca import tftp <filename> <ip>
execute certificate ca export tftp <cert> <filename> <ip>
<cert>
Local (FortiADC) certificate name.
<filename>
Name of the certificate file.
<ip>
IP address of the TFTP server.
Example
FortiADC-VM # execute certificate ca import tftp ca.crt 192.168.1.23
Done.
FortiADC-VM # execute certificate ca export tftp ca ca-export.crt 192.168.1.23
#
Done.
execute certificate crl
Use this command to import or export a certificate file. An alternative to config system certificate crl.
Syntax
execute certificate crl import tftp <filename> <ip>
<filename>
Name of the certificate file.
<ip>
IP address of the TFTP server.
Example
FortiADC-VM # execute certificate crl import tftp crl.r0 192.168.1.23
Done.
execute certificate local
Use this command to import/export a certificate file or to generate/regenerate a certificate file. An alternative to config
system certificate local.
Syntax
execute certificate local import tftp <filename> <ip>
execute certificate local export tftp <cert> <filename> <ip>
execute certificate local generate <cert_name> <keysize> <subject> <country> <state> <org> <unit> <email>
execute certificate local regenerate
<cert>
Local (FortiADC) certificate name.
<filename>
Name of the certificate file.
<ip>
IP address of the TFTP server.
Example
FortiADC-VM # execute certificate local import tftp fortiadc.crt 192.168.1.23
FortiADC-VM # execute certificate local export tftp Factory fortiadc.crt 192.168.1.23
#
Done.
FortiADC-VM # execute certificate local generate csr_name_test 512 example nullca
sunnyvale fortinet fadc root
Generating a 512 bit RSA private key
Generating X.509 certificate request
Done.
FortiADC-VM # execute certificate local regenerate
self certificate regenerated!
execute certificate remote
Use this command to import or export a remote certificate file. An alternative to config system certificate remote.
Syntax
execute certificate remote import tftp <filename> <ip>
execute certificate remote export tftp <cert> <filename> <ip>
{import|export} Whether to import or export the file.
<cert>
Local (FortiADC) certificate name.
<filename>
Name of the certificate file.
<ip>
IP address of the TFTP server.
Example
FortiADC-VM # execute certificate remote import tftp ca.crt 192.168.1.23
Done.
FortiADC-VM # execute certificate remote export tftp ca remote.crt 192.168.1.23
Done.
execute certificate config
Use this command to verify that the certificate file is a supported type.
Syntax
execute certificate config verify
Example
FortiADC-VM # execute certificate config verify
execute date
Use this command to display or set the system date and time.
Syntax
execute date {<Enter> | <mm/dd/yyyy> [hh:mm:ss]}
<Enter>
If you do not specify a date, the command returns the current system date.
<mm/dd/yyyy>
Current date where the FortiADC appliance is located. mm/dd/yyyy format.
[hh:mm:ss]
HH:MM:SS format.
Example
FortiADC-VM # execute date ?
date <mm/dd/yyyy> [hh:mm:ss]
<mm/dd/yyyy>
mm/dd/yyyy, mm: 1-12, dd: 1-31, yyyy: 2001-2100
FortiADC-VM # execute date
Tue Mar 10 10:00:47 PDT 2015
FortiADC-VM # execute date 03/10/2015
send buff to ha. pid=31876, buff=
exec date
end
execute factoryreset
Use this command to reset the system to its default settings for the currently installed firmware version. If you have not
upgraded or downgraded the firmware, this restores factory default settings.
Back up your configuration first. This command resets all changes that you have made to the configuration
file and reverts the system to the default values for the firmware version. Depending on the firmware
version, this could include factory default settings for the IP addresses of network interfaces.
Syntax
execute factoryreset
Example
FortiADC-VM # execute factoryreset
This operation will change all settings to factory defaults!
Do you want to continue? (y/n)y
System is resetting to factory defaults...
execute formatlogdisk
Use this command to clear the logs from the hard disk and reformat the disk.
This operation deletes all locally stored log files.
Syntax
execute formatlogdisk
Example
FortiADC-VM # execute formatlogdisk
This operation will erase all data on the log disk!
Do you want to continue? (y/n)
execute log delete-file
Use this command to delete a log file.
Syntax
execute log delete-file <filename>
<filename>
Log filename.
execute log delete-type
Use this command to delete the log files for a specified log type.
Syntax
execute log delete-type {elog|tlog|alog|all}
elog
Delete event logs.
tlog
Delete traffic logs.
alog
Delete security logs.
all
Delete logs for all types.
execute log list-type
Use this command to list log files for a specified log type.
Syntax
execute log list-type {elog|tlog|alog|all}
elog
List event logs.
tlog
List traffic logs.
alog
List security logs.
all
List logs for all types.
Example
FortiADC-VM # execute log list-type ?
<type|all>
list all log file by <type>(elog|tlog|alog|all)
FortiADC-VM # execute log list-type all
1.admin.elog 31440 Tue Mar 10 10:01:36 2015
1.app.elog 30578 Tue Feb 24 08:59:09 2015
1.config.elog 23239 Tue Mar 10 13:26:06 2015
1.system.elog 2291 Tue Mar 10 13:50:08 2015
1.dns.tlog 0 Tue Dec 9 12:10:52 2014
1.fw.tlog 0 Tue Dec 9 12:10:52 2014
1.slb_http.tlog 0 Tue Dec 9 12:10:52 2014
1.slb_layer4.tlog 0 Tue Dec 9 12:10:52 2014
1.slb_radius.tlog 0 Tue Dec 9 12:10:52 2014
1.slb_tcps.tlog 0 Tue Dec 9 12:10:52 2014
1.ip_reputation.alog 0 Tue Dec 9 12:10:52 2014
1.synflood.alog 0 Tue Dec 9 12:10:52 2014
FortiADC-VM # execute log rebuild-db
You need to wait 2 minutes at least until log rebuild completes
execute log rebuild-db
Use this command to rebuild the log database.
Syntax
execute log rebuild-db
Example
FortiADC-VM # execute log rebuild-db
You need to wait 2 minutes at least until log rebuild completes
execute nslookup
Use this command to perform nslookup queries.
Syntax
execute nslookup name {<fqdn>|<ip>}
<fqdn>
Lookup the IP address for the specified host.
<ip>
Lookup the FQDN for the specified IP address.
Example
FortiADC-VM # execute nslookup name example.com
Non-authoritative answer:
Name:    example.com
Address: 93.184.216.34
execute ping/ping6
Use these commands to perform an ICMP ECHO request (also called a ping) to a host by specifying its fully qualified
domain name (FQDN) or IPv4 address, using the options configured by execute ping-options/ping6-options.
Pings are often used to test IP-layer connectivity during troubleshooting.
Syntax
execute {ping|ping6} {<hostname> | <ipaddress>}
<hostname>
Fully qualified domain name (FQDN) of the host to ping.
<ipaddress>
IP address to ping.
Example
This example pings a host with the IP address 172.16.1.10.
execute ping 172.16.1.10
The CLI displays the following:
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=128 time=0.5 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=128 time=0.2 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=128 time=0.2 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=128 time=0.2 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=128 time=0.2 ms
--- 172.16.1.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.5 ms
The results indicate that a route exists between the FortiADC appliance and 172.16.1.10. It also indicates that during the
sample period, there was no packet loss, and the average response time was 0.2 milliseconds.
Example
This example pings a host with the IP address 10.0.0.1.
execute ping 10.0.0.1
The CLI displays the following:
PING 10.0.0.1 (10.0.0.1): 56 data bytes
After several seconds, no output appears. The administrator halts the ping by pressing Ctrl+C. The CLI displays the
following:
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
The results indicate the host may be down, or there is no route between the FortiADC appliance and 10.0.0.1. To
determine the point of failure along the route, further diagnostic tests are required, such as execute traceroute.
Example
This example pings a host with the IPv6 address 2607:f0b0:f:420::.
execute ping6 2607:f0b0:f:420::
The CLI displays the following:
PING 2607:f0b0:f:420:: (2607:f0b0:f:420::): 56 data bytes
After several seconds, no output appears. The administrator halts the ping by pressing Ctrl+C. The CLI displays the
following:
--- 2607:f0b0:f:420:: ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
The results indicate the host may be down, or there is no route between the FortiADC appliance and 2607:f0b0:f:420::.
To determine the point of failure along the route, further diagnostic tests are required, such as execute traceroute.
execute ping-options/ping6-options
Use these commands to configure the behavior of the execute ping/ping6 command.
Syntax
execute ping-options data-size <bytes_int>
execute ping-options df-bit {yes | no}
execute ping-options pattern <bufferpattern_hex>
execute ping-options repeat-count <repeat_int>
execute ping-options source {auto | <interface_ipv4>}
execute ping-options timeout <seconds_int>
execute ping-options tos {<service_type>}
execute ping-options ttl <hops_int>
execute ping-options validate-reply {yes | no}
execute ping-options view-settings
data-size
Datagram size in bytes. The default is 56.
This option enables you to send out packets of different sizes for testing the effect
of packet size on the connection. If you want to configure the pattern that will be
used to buffer small datagrams to reach this size, also configure pattern
<bufferpattern_hex>.
df-bit
Enter either yes to set the DF bit in the IP header to prevent the ICMP packet from
being fragmented, or enter no to allow the ICMP packet to be fragmented.
pattern
Hexadecimal pattern, such as 00ffaabb, to fill the optional data buffer at the end
of the ICMP packet. The size of the buffer is determined by data-size <bytes_int>.
repeat-count
Number of times to repeat the ping. The default is 5.
source
Network interface from which the ping is sent. Enter either auto or a FortiADC
network interface IP address. The default is auto.
timeout
Response timeout in seconds. The default is 2.
tos
Type-of-service option value, either:
•
default — Do not indicate. (That is, set the TOS byte to 0.)
•
lowcost — Minimize cost.
•
lowdelay — Minimize delay.
•
reliability — Maximize reliability.
•
throughput — Maximize throughput.
ttl
Time-to-live (TTL) value. The default is 64.
validate-reply
Whether or not to validate ping replies.
view-settings
Display the current ping option settings.
Example
FortiADC-VM # execute ping-option view-settings
Ping Options:
Repeat Count: 5
Data Size: 56
Timeout: 2
Interval: 1
TTL: 64
TOS: 0
DF bit: unset
Source Address: auto
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no
FortiADC-VM # execute ping-option ?
data-size
ping option settings
df-bit
set DF bit in IP header <yes | no>
pattern
hex format of pattern, e.g. 00ffaabb
repeat-count
integer value to specify how many times to repeat ping
source
auto | <source interface ip>
timeout
integer value to specify timeout in seconds
tos
IP type-of-service option
ttl
integer value to specify time-to-live
validate-reply
validate reply data <yes | no>
view-settings
view the current settings for ping option
FortiADC-VM # execute ping-option repeat-count 3
FortiADC-VM # execute ping-option view-settings
Ping Options:
Repeat Count: 3
Data Size: 56
Timeout: 2
Interval: 1
TTL: 64
TOS: 0
DF bit: unset
Source Address: auto
Pattern:
Pattern Size in Bytes: 0
Validate Reply: no
execute reboot
Use this command to restart the FortiADC appliance.
Syntax
execute reboot
Example
This example shows the reboot command in action.
execute reboot
The CLI displays the following:
This operation will reboot the system !
Do you want to continue? (y/n)
After you enter y (yes), the CLI displays the following:
System is rebooting...
If you are connected to the CLI through a local console, the CLI displays messages while the reboot is occurring.
If you are connected to the CLI through the network, the CLI will not display any notification while the reboot is occurring,
as this occurs after the network interfaces have been shut down. Instead, you may notice that the connection is
terminated. Time required by the reboot varies by many factors, such as whether or not hard disk verification is required,
but may be several minutes.
execute restore config
Use this command to restore the configuration from a configuration backup file on a TFTP server, or to install primary or
backup firmware.
Back up the configuration before restoring the configuration. This command restores configuration
changes only, and does not affect settings that remain at their default values. Default values may vary
by firmware version.
Syntax
execute restore config tftp <filename> <ip> [<password>]
<filename>
Name of the configuration file.
<ip>
IP address of the TFTP server.
password
Password that was used to encrypt the backup file, if any.
If you do not provide a password, the backup file must have been stored as clear text.
Example
This example downloads a configuration file named backup.conf from the TFTP server, 192.168.1.23, to the FortiADC
appliance. The backup file was encrypted with the password P@ssword1.
FortiADC-VM # execute restore config tftp backup.conf 192.168.1.23 P@ssword1
This operation will overwrite the current settings!
Do you want to continue? (y/n)
The FortiADC appliance then applies the configuration backup and reboots.
execute restore image
Use this command to install firmware on the primary partition and reboot.
Back up the configuration before installing new firmware. Installing new firmware can change default
settings and reset settings that are incompatible with the new version.
Unlike installing firmware via TFTP during a boot interrupt, installing firmware using this command will attempt to
preserve settings and files, and not necessarily restore the FortiADC appliance to its firmware/factory default
configuration.
Syntax
execute restore image tftp <filename> <ip>
<filename>
Name of the firmware image file.
<ip>
IP address of the TFTP server.
Example
This example installs a firmware file named firmware.out from the TFTP server, 192.168.1.23, to the FortiADC
appliance.
FortiADC-VM # execute restore image tftp firmware.out 192.168.1.23
This operation will replace the current firmware version!
Do you want to continue? (y/n)
The FortiADC appliance downloads the firmware file, installs it, and reboots.
execute shutdown
Use this command to prepare the FortiADC appliance to be powered down by halting the software, clearing all buffers,
and writing all cached data to disk.
Power off the FortiADC appliance only after issuing this command. Unplugging or switching off the
FortiADC appliance without issuing this command could result in data loss.
Syntax
execute shutdown
Example
This example shows the shutdown command in action.
FortiADC-VM # execute shutdown
This operation will halt the system!
Do you want to continue? (y/n)
After you enter y (yes), the CLI displays the following:
System is shutting down...(power-cycle needed to restart)
If you are connected to the CLI through a local console, the CLI displays a message when the shutdown is complete.
If you are connected to the CLI through the network, the CLI will not display any notification when the shutdown is
complete, as this occurs after the network interfaces have been shut down. Instead, you may notice that the connection
times out.
execute tcpdump/tcpdump6
You use these commands to capture packets using tcpdump.
Syntax
execute tcpdump <interface> ["Expression"] [<count>] [pcap|text] [<filename>]
<interface>
Network interface to listen for traffic, such as port1 or port2.
["Expression"]
Specify a filter expression to determine the packets that are captured. Only packets that match the
expression are captured. If no expression is specified, all packets received at the interface are
captured. For information on filter expressions, see the TCP dump man page:
http://www.tcpdump.org/manpages/pcap-filter.7.html
[<count>]
Specify the number of packets to capture and then exit. The valid range is 1 to 10,000. If you do not
specify a count, you can terminate the capture by pressing Ctrl-C.
[pcap|text]
Specify pcap or text. If you do not specify a file type, the results are printed to the screen and not to a
file.
[<filename>]
Specify the filename for the saved capture. Do not specify a filename extension. The extension .pcap
or .txt is added automatically.
Example
The following examples show the tcpdump commands:
FortiADC-VM # execute tcpdump port1 "tcp port 80" 5 text test1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port1, link-type EN10MB (Ethernet), capture size 65535 bytes
5 packets captured
5 packets received by filter
0 packets dropped by kernel
FortiADC-VM # execute tcpdump-file list
-rw-r--r--    1 0        0             577 Sep  3 14:31 test1.txt
FortiADC-VM # execute tcpdump-file upload tftp test1.txt 192.168.1.23
See also
•
execute tcpdump-file
execute tcpdump-file
You use this command to manage tcpdump files.
Syntax
execute tcpdump-file {cat <filename>|delete <filename>|list|upload tftp <filename> <ip>}
cat <filename>
Display file contents to the screen.
delete <filename>
Delete the specified file.
list
List all packet capture files.
upload tftp <filename> <ip>
Upload the specified file to the specified TFTP server.
Example
The following examples show the tcpdump-file commands:
FortiADC-VM # execute tcpdump-file ?
cat       show one file
delete    delete one file
list      list all files
upload    upload
FortiADC-VM # execute tcpdump-file list
-rw-r--r--    1 0        0             802 Mar 10 14:17 test1.txt
FortiADC-VM # execute tcpdump-file cat test1.txt
14:16:58.073847 IP 1.1.1.2.80 > 172.30.144.100.27361: Flags [R.], seq 3807765751, ack
1748607346, win 2896, options [nop,nop,TS val 836272587 ecr 1224723070], length 0
14:16:58.599663 IP 172.30.144.100.27363 > 1.1.1.2.80: Flags [R.], seq 504059189, ack
4210316583, win 2920, options [nop,nop,TS val 1224738073 ecr 836272140], length 0
14:16:58.599684 IP 172.30.144.100.32792 > 1.1.1.1.80: Flags [R.], seq 802377254, ack
4202724881, win 2920, options [nop,nop,TS val 1224738073 ecr 836272140], length 0
14:17:01.723398 IP 1.1.1.1.80 > 172.30.144.100.32792: Flags [R.], seq 1, ack 0, win 2896,
options [nop,nop,TS val 836272952 ecr 1224733072], length 0
14:17:01.723872 IP 1.1.1.2.80 > 172.30.144.100.27363: Flags [R.], seq 1, ack 0, win 2896,
options [nop,nop,TS val 836272952 ecr 1224733072], length 0
FortiADC-VM # execute tcpdump-file upload tftp test1.txt 192.168.1.23
execute traceroute
Use this command to use ICMP to test the connection between the FortiADC appliance and another network device, and
display information about the time required for network hops between the device and the FortiADC appliance.
Syntax
execute traceroute {<hostname> | <ipaddress>}
<hostname>
Fully qualified domain name (FQDN) of the other network device.
<ipaddress>
IP address of the other network device.
Example
This example tests connectivity between the FortiADC appliance and docs.fortinet.com. In this example, the trace times
out after the first hop, indicating a possible connectivity problem at that point in the network.
FortiADC# execute traceroute docs.fortinet.com
traceroute to docs.fortinet.com (65.39.139.196), 30 hops max, 38 byte packets
1 172.16.1.200 (172.16.1.200) 0.324 ms 0.427 ms 0.360 ms
2 * * *
execute vmware license
Use this command to upload license files for a virtual appliance deployment.
Syntax
execute vmware license tftp <filename> <ip> [<password>]
<filename>
Name of the license file.
<ip>
IP address of the TFTP server.
<password>
Password if the license file is encrypted.
Example
FortiADC-VM # execute vmware license tftp license.lic 192.168.1.23
This operation will replace the current vmware license and reload the system!
Do you want to continue? (y/n)
get
Use get commands to display configuration settings and values. You must have read permission for the configuration
object you want to display.
show commands display user-configured settings but not default settings; get commands display all settings, including
both user-configured settings and defaults.
For example, you might get the current DNS settings:
FortiADC-VM # get system dns
primary             : 8.8.8.8
secondary           : 0.0.0.0
FortiADC-VM #
Notice that the command displays the setting for the secondary DNS server, even though it has not been configured, or
has reverted to its default value.
Also unlike show, unless used from within an object or table, get requires that you specify the object or table whose
settings you want to display.
For example, at the root prompt, the following command is valid:
FortiADC-VM # get system dns
primary   : 8.8.8.8
secondary : 0.0.0.0
The following command displays no output:
FortiADC-VM # get
Like show, depending on whether or not you have specified an object, get displays one of two different outputs:
• The configuration you have just entered but not yet saved
• The configuration as it currently exists on the flash disk
For example, immediately after configuring the secondary DNS server setting but before saving it, get displays two
different outputs. In the following example, the first output from get indicates the value that you have configured but not
yet saved; the second output from get indicates the value that was last saved to disk.
FortiADC-VM # config system dns
FortiADC-VM (dns) # set secondary 192.168.1.10
FortiADC-VM (dns) # get
primary   : 8.8.8.8
secondary : 192.168.1.10
FortiADC-VM (dns) # get system dns
primary   : 8.8.8.8
secondary : 0.0.0.0
If you were to now enter end, saving your setting to disk, get output for both syntactical forms would again match. If instead you were to enter abort at this point, discarding the secondary DNS setting rather than saving it to disk, the configuration would match the second output, not the first.
If you have entered settings but cannot remember how they differ from the existing configuration, the two different forms of get, with and without the object name, can be a useful way to remind yourself.
Most get commands, such as get system dns, are used to display configured settings. You can find relevant
information about such commands in the corresponding config commands in the config chapter.
Other get commands, such as get router info ospf, get router info routing-table, get system performance, and get system
status, are used to display status, not configuration.
get router info ospf
Use this command to display status for OSPF.
Syntax
FortiADC-VM # get router info ospf ?
database     database
interface    show ospf interfaces
neighbor     show ospf neighbors
route        show ospf routing table
status       show ospf status
FortiADC-VM # get router info ospf database ?
asbr-summary     show ospf database ASBR summary link states
brief            show ospf LSA list
external         show ospf database external link states
max-age          LSAs in MaxAge list
network          show ospf database network link states
nssa-external    show ospf database NSSA external link states
router           show ospf database router link states
self-originate   show ospf database self-originated link states
summary          show ospf database network summary link states
Example
FortiADC-VM # get router info ospf status
OSPF Routing Process, Router ID: 1.1.1.2
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
OpaqueCapability flag is disabled
Initial SPF scheduling delay 200 millisec(s)
Minimum hold time between consecutive SPFs 1000 millisec(s)
Maximum hold time between consecutive SPFs 10000 millisec(s)
Hold time multiplier is currently 1
SPF algorithm has not been run
SPF timer is inactive
Refresh timer 10 secs
Number of external LSA 0. Checksum Sum 0x00000000
Number of opaque AS LSA 0. Checksum Sum 0x00000000
Number of areas attached to this router: 0
FortiADC-VM # get router info ospf database summary
OSPF Router with ID (1.1.1.2)
get router info routing-table
Use this command to display the routing table.
Syntax
FortiADC-VM # get router info routing-table ?
all                 show all routing table entries
kernel-all          show all routing table entries
kernel-connected    show connected routing table entries
kernel-llb          show llb routing table entries
kernel-static       show static routing table entries
Example
FortiADC-VM # get router info routing-table all
Codes: K - kernel route, C - connected, S - static, O - OSPF, P - PPPoE
> - selected route, * - FIB route
S>* 0.0.0.0/0 [10/0] via 172.30.147.254, port1
C>* 169.254.0.0/16 is directly connected, haport0
C>* 172.30.144.0/22 is directly connected, port1
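When reviewing an appliance, this output is more useful as records that can be checked than as text to read. The following Python parser is an added example, not code from this reference or from Fortinet: it parses lines in the shape shown above (the sample text is constructed from that output) into route records using the codes and flags from the command's own legend, then picks out the selected default route and any static route whose next hop is not on an allow-list. The allow-list and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the page's
# "get router info routing-table all" output (not captured from a device).
SAMPLE_ROUTING_TABLE = """\
Codes: K - kernel route, C - connected, S - static, O - OSPF, P - PPPoE
       > - selected route, * - FIB route
S>* 0.0.0.0/0 [10/0] via 172.30.147.254, port1
C>* 169.254.0.0/16 is directly connected, haport0
C>* 172.30.144.0/22 is directly connected, port1
"""

@dataclass
class Route:
    code: str                 # K, C, S, O or P, as in the command's legend
    selected: bool            # ">" flag: selected route
    fib: bool                 # "*" flag: installed in the FIB
    prefix: str
    distance: Optional[int]   # administrative distance, None for connected routes
    metric: Optional[int]
    via: Optional[str]        # next-hop address, None for connected routes
    interface: str

# One route per line: flags, prefix, then either "[dist/metric] via NEXTHOP, IFACE"
# or "is directly connected, IFACE".
ROUTE_RE = re.compile(
    r"^(?P<code>[KCSOP])(?P<sel>>?)(?P<fib>\*?)\s+(?P<prefix>\S+)\s+"
    r"(?:\[(?P<dist>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+),\s+(?P<iface1>\S+)"
    r"|is directly connected,\s+(?P<iface2>\S+))\s*$"
)

def parse_routing_table(text: str) -> List[Route]:
    """Parse the command output; legend lines and blanks are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(
            code=m["code"],
            selected=m["sel"] == ">",
            fib=m["fib"] == "*",
            prefix=m["prefix"],
            distance=int(m["dist"]) if m["dist"] else None,
            metric=int(m["metric"]) if m["metric"] else None,
            via=m["via"],
            interface=m["iface1"] or m["iface2"],
        ))
    return routes

def default_routes(routes: List[Route]) -> List[Route]:
    """Selected, FIB-installed default routes; none, or more than one, deserves a look."""
    return [r for r in routes if r.prefix == "0.0.0.0/0" and r.selected and r.fib]

def unexpected_static_routes(routes: List[Route], allowed_next_hops) -> List[Route]:
    """Static routes whose next hop is not on the allow-list (an example audit rule)."""
    return [r for r in routes if r.code == "S" and r.via not in allowed_next_hops]

if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTING_TABLE)
    for r in table:
        print(r)
    print("default route via:", [r.via for r in default_routes(table)])
    print("unexpected static:", unexpected_static_routes(table, {"172.30.147.254"}))
```

The regex is anchored to the layout printed by this command; if a firmware prints additional codes or columns, extend the character class and the alternation rather than loosening the anchors, so that a malformed line is skipped instead of mis-parsed.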
get system performance
Use this command to display CPU usage, memory usage, average system load, and up time.
Normal idle load varies by hardware platform, firmware, and configured features. To determine your specific baseline for
idle, configure your system completely, reboot, then view the system load. After at least 1 week of uptime with typical
traffic volume, view the system load again to determine the normal non-idle baseline.
System load is the average of percentages relative to the maximum possible capability of this hardware/system platform. It includes:
• Average system load
• Number of HTTP daemon/proxy processes or children
• Memory usage
• Disk swap usage
Syntax
get system performance
Example
FortiADC-VM # get system performance
CPU usage:    2% used, 98% idle
Memory usage: 40% used
System Load:  0
Uptime:       12 days 23 hours 32 minutes
get system status
Use this command to display system status information including:
• Firmware version, build number and date
• License and registration status
• Serial number and boot loader (“Bios”) version
• Log disk availability
• Hostname
• Current HA mode
• Uptime
• System time
Syntax
get system status
Example
FortiADC-VM # get system status
Version: FortiADC-VM v4.2.1,build0308,150211
VM Registration: Valid: License has been successfully authenticated with registration servers.
VM License File: License file and resources are valid.
VM Resources: 1 CPU/1 allowed, 1620 MB RAM/2048 MB allowed, 23 GB Disk/1024 GB allowed
Serial-Number: FADV010000028122
BIOS version: n/a
Log disk: Capacity 23 GB, Used 1 GB ( 5.67%), Free 22 GB
Hostname: FortiADC-VM
HA configured mode: standalone
HA effective mode: Standalone
Distribution: International
Uptime: 13 days 0 hours 7 minutes
Last reboot: Tue Feb 24 08:58:51 2015
System time: Mon Mar 09 10:06:33 2015
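These fields are the ones an inventory or compliance script reads from a FortiADC: firmware build, license state, log-disk headroom, HA mode and uptime. The following Python is an added example (not Fortinet code) that parses output in the shape of the example above, with the sample text constructed from it, and reports findings against thresholds that are assumptions of this example only: a minimum firmware version, a log-disk usage ceiling and a reboot-recency window.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the page's "get system status" output.
SAMPLE_STATUS = """\
Version: FortiADC-VM v4.2.1,build0308,150211
VM Registration: Valid: License has been successfully authenticated with registration servers.
VM License File: License file and resources are valid.
VM Resources: 1 CPU/1 allowed, 1620 MB RAM/2048 MB allowed, 23 GB Disk/1024 GB allowed
Serial-Number: FADV010000028122
BIOS version: n/a
Log disk: Capacity 23 GB, Used 1 GB ( 5.67%), Free 22 GB
Hostname: FortiADC-VM
HA configured mode: standalone
HA effective mode: Standalone
Distribution: International
Uptime: 13 days 0 hours 7 minutes
Last reboot: Tue Feb 24 08:58:51 2015
System time: Mon Mar 09 10:06:33 2015
"""

def parse_status(text: str) -> Dict[str, str]:
    """Split each 'Label: value' line at its first colon; values may contain further colons."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

VERSION_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+),build(\d+),(\d{6})")

def parse_version(version_field: str) -> Tuple[Tuple[int, int, int], int, str]:
    """Return ((major, minor, patch), build, yymmdd) from e.g. 'FortiADC-VM v4.2.1,build0308,150211'."""
    m = VERSION_RE.search(version_field)
    if not m:
        raise ValueError(f"unrecognised version string: {version_field!r}")
    major, minor, patch, build, date = m.groups()
    return (int(major), int(minor), int(patch)), int(build), date

def log_disk_used_percent(log_disk_field: str) -> float:
    """Extract the percentage in parentheses from 'Capacity 23 GB, Used 1 GB ( 5.67%), Free 22 GB'."""
    m = re.search(r"\(\s*([\d.]+)%\s*\)", log_disk_field)
    if not m:
        raise ValueError(f"unrecognised log disk string: {log_disk_field!r}")
    return float(m.group(1))

def uptime_minutes(uptime_field: str) -> int:
    """Convert '13 days 0 hours 7 minutes' to a number of minutes."""
    m = re.search(r"(\d+) days? (\d+) hours? (\d+) minutes?", uptime_field)
    if not m:
        raise ValueError(f"unrecognised uptime string: {uptime_field!r}")
    days, hours, minutes = (int(x) for x in m.groups())
    return days * 1440 + hours * 60 + minutes

def audit_status(text: str,
                 min_version: Tuple[int, int, int] = (4, 2, 1),
                 max_disk_pct: float = 80.0,
                 min_uptime_minutes: int = 24 * 60) -> List[str]:
    """Return human-readable findings; an empty list means every check passed.
    The thresholds are this example's assumptions, not Fortinet recommendations."""
    f = parse_status(text)
    findings: List[str] = []
    version, build, _ = parse_version(f["Version"])
    if version < min_version:
        findings.append("firmware %s build %d is below required minimum %s"
                        % (".".join(map(str, version)), build, ".".join(map(str, min_version))))
    if not f.get("VM Registration", "").startswith("Valid"):
        findings.append("VM license not authenticated: " + f.get("VM Registration", "<missing>"))
    lic = f.get("VM License File", "").lower()
    if "invalid" in lic or "valid" not in lic:
        findings.append("VM license file problem: " + f.get("VM License File", "<missing>"))
    pct = log_disk_used_percent(f["Log disk"])
    if pct >= max_disk_pct:
        findings.append("log disk %.2f%% used; logging may stop or wrap" % pct)
    if f["HA configured mode"].lower() != f["HA effective mode"].lower():
        findings.append("HA configured mode %r differs from effective mode %r"
                        % (f["HA configured mode"], f["HA effective mode"]))
    if uptime_minutes(f["Uptime"]) < min_uptime_minutes:
        findings.append("rebooted recently (uptime %s); confirm the reboot was expected" % f["Uptime"])
    return findings

if __name__ == "__main__":
    for finding in audit_status(SAMPLE_STATUS) or ["all checks passed"]:
        print(finding)
```

The HA check compares the configured mode with the effective mode because a mismatch (for example a configured cluster that is effectively standalone) is exactly the condition an operator wants surfaced rather than buried in a status screen.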
show
Use show commands to display configuration settings and values. You must have read permission for the configuration
object you want to display.
show commands display user-configured settings but not default settings; get commands display all settings, including both user-configured settings and defaults.
For example, you might show the current DNS settings:
FortiADC-VM # show system dns
config system dns
set primary 8.8.8.8
end
Notice that the command does not display the setting for the secondary DNS server. This indicates that it has not been
configured, or has reverted to its default value.
Like get, depending on whether or not you have specified an object, show displays one of two different outputs:
• The configuration you have just entered but not yet saved
• The configuration as it currently exists on the flash disk
For example, immediately after configuring the secondary DNS server setting but before saving it, show displays two
different outputs. In the following example, the first output from show indicates the value that you have configured but not
yet saved; the second output from show indicates the value that was last saved to disk.
FortiADC-VM # config system dns
FortiADC-VM (dns) # set secondary 192.168.1.10
FortiADC-VM (dns) # show
config system dns
set primary 8.8.8.8
set secondary 192.168.1.10
end
FortiADC-VM (dns) # show system dns
config system dns
set primary 8.8.8.8
end
If you have entered settings but cannot remember how they differ from the existing configuration, the
two different forms of show, with and without the object name, can be a useful way to remind yourself.
If you were to now enter end, saving your setting to disk, show output for both syntactical forms would again match. If instead you were to enter abort at this point, discarding the secondary DNS setting rather than saving it to disk, the FortiADC appliance’s configuration would match the second output, not the first.
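Both the get and the show discussions above describe the same practice: compare the pending view (the command without an object name, inside the object) with the saved view (the command with the object name) to find what has been entered but not yet committed. The following Python is an added example, not part of this reference or of FortiADC: it parses show output (config / edit / set / next / end blocks; the next keyword separating table entries is assumed here, since the page shows only single-object blocks) and get output (key : value lines) into dictionaries, then lists every leaf that differs between the two views. The sample texts are constructed from the DNS example above.

```python
import shlex
from typing import Any, Dict, List, Optional, Tuple

# Constructed samples in the shape of the page's DNS example.
SHOW_PENDING = """\
config system dns
    set primary 8.8.8.8
    set secondary 192.168.1.10
end
"""
SHOW_SAVED = """\
config system dns
    set primary 8.8.8.8
end
"""
GET_PENDING = "primary : 8.8.8.8\nsecondary : 192.168.1.10\n"
GET_SAVED = "primary : 8.8.8.8\nsecondary : 0.0.0.0\n"

def parse_show(text: str) -> Dict[str, Any]:
    """Parse show output into nested dicts.

    'config a b' opens a section keyed "a b"; 'edit NAME' opens a table entry keyed
    NAME; 'set KEY VALUE...' stores the value (a list when there are several);
    'next' and 'end' close the current scope. Other verbs (e.g. unset) are ignored.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        try:
            parts = shlex.split(raw.strip())   # keeps quoted values such as set comment "a b" together
        except ValueError:
            parts = raw.split()                # unbalanced quote: fall back to whitespace split
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb == "config" and args:
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "edit" and args:
            stack.append(stack[-1].setdefault(args[0], {}))
        elif verb == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def parse_get(text: str) -> Dict[str, str]:
    """Parse 'key : value' lines as printed by get."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def flatten(tree: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into {"system dns/secondary": "192.168.1.10", ...}."""
    out: Dict[str, Any] = {}
    for key, value in tree.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def pending_changes(saved: Dict[str, Any],
                    pending: Dict[str, Any]) -> List[Tuple[str, Optional[Any], Optional[Any]]]:
    """(path, saved_value, pending_value) for every leaf that differs between the two views.
    A saved value of None means show omitted the setting, i.e. it is still at its default."""
    s, p = flatten(saved), flatten(pending)
    return [(path, s.get(path), p.get(path))
            for path in sorted(set(s) | set(p))
            if s.get(path) != p.get(path)]

if __name__ == "__main__":
    print(pending_changes(parse_show(SHOW_SAVED), parse_show(SHOW_PENDING)))
    print(pending_changes(parse_get(GET_SAVED), parse_get(GET_PENDING)))
```

With show output the saved side reports None for the secondary server, because show omits defaults; with get output the same change shows up as 0.0.0.0 becoming 192.168.1.10, because get prints the default. Either form answers the question the text poses; the get form is the one to use when you also need to know what the default was.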
When VDOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are show global and show vdom.
• show global displays settings that only admin or other accounts with the super_admin_prof access profile can change.
• show vdom displays each VDOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; VDOM administrators’ navigation menus continue to appear similar to when VDOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.
Appendix A: Virtual domains
This appendix describes CLI commands when you use the virtual domains feature. It includes the following topics:
• “Overview”
• “Enabling VDOMs”
• “Creating VDOMs”
• “Assigning interfaces to a VDOM”
• “Assigning administrators to a VDOM”
• “Disabling VDOMs”
Overview
You can use virtual domains (VDOMs) to delegate administration for tenant deployments. This can be useful for large
enterprises and multi-tenant deployments such as web hosting.
Virtual domains are not enabled by default. Enabling and configuring VDOMs can only be performed by the admin
administrator.
VDOMs alter the structure and available functions in the GUI and CLI, according to whether or not you are logging in as
the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned
access profile.
Table 15: Differences between administrator accounts when VDOMs are enabled

Capability                           admin account    Other administrators
Access to config global              Yes              No
Can create administrator accounts    Yes              No
Can create and enter all VDOMs       Yes              No
If VDOMs are enabled and you log in as admin, the complete set of CLI commands appear, allowing unrestricted access
and VDOM configuration. The admin administrator account cannot be restricted to a VDOM. Other administrators are
restricted to their VDOM, and cannot configure VDOMs or global settings.
If VDOMs are enabled and you log in as any other administrator, you enter the VDOM assigned to your account. By default, administrator accounts other than the admin account are assigned to the root VDOM. A subset of the typical menus or CLI commands appears, allowing access only to the feature configuration, logs and reports specific to your VDOM. You cannot access global configuration settings or enter other VDOMs.
Enabling VDOMs
Before you begin:
• Save a backup of the configuration. Enabling VDOMs changes the structure of your configuration, so you want to be able to easily revert to the system state before VDOMs were enabled.
To enable VDOMs
1. Log in with the admin account.
Other administrators do not have permissions to configure VDOMs.
2. Enter the following commands:
config system global
set vdom-admin enable
end
FortiADC terminates your administrative session.
3. Log in again.
When VDOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top level items are config global and config vdom.
• config global contains settings that only admin or other accounts with the prof_admin access profile can change.
• config vdom contains each VDOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; VDOM administrators’ navigation menus continue to appear similar to when VDOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.
4. Continue by defining VDOMs.
Creating VDOMs
Some settings can only be configured by the admin account: they are global. Global settings apply to the appliance overall regardless of VDOM, such as:
• network interfaces
• system time
• backups
• administrator accounts
• access profiles
• FortiGuard connectivity settings
• HA and configuration sync
• SNMP
• X.509 certificates
• TCP SYN flood anti-DoS setting
• exec ping and other global operations that exist only in the CLI
Only the admin account can configure global settings.
Other settings can be configured separately for each VDOM. They essentially define each VDOM. For example, the
policies of VDOM-A are separate from VDOM-B.
Initially, only the root VDOM exists, and it contains settings such as policies that were global before VDOMs were
enabled. Typically, you will create additional VDOMs, and few if any administrators will be assigned to the root VDOM.
After VDOMs are created, the admin account usually assigns other administrator accounts to configure their
VDOM-specific settings. However, as the root account, the admin administrator does have permission to configure all
settings, including those within VDOMs.
To create a VDOM
1. Log in with the admin account.
Other administrators do not have permissions to configure VDOMs.
2. Enter the following commands:
config vdom
edit <VDOM_name>
where <VDOM_name> is the name of your new VDOM. (Alternatively, to configure the default root VDOM, type root.)
The new VDOM exists, but its settings are not yet configured.
Assigning interfaces to a VDOM
The following commands assign a network interface to a VDOM:
FortiADC-VM # config global
FortiADC-VM (global) # config system interface
FortiADC-VM (interface) # edit port10
FortiADC-VM (port10) # set vdom docs-vdom
FortiADC-VM (port10) # end
Changing interface(port10) vdom from root(1) to docs-vdom(233):
change vdom success.
Assigning administrators to a VDOM
The following commands create an administrator account and assign the administrator to a vdom:
FortiADC-VM # config global
FortiADC-VM (global) # config system admin
FortiADC-VM (admin) # edit docs-vdom-admin
Add new entry 'docs-vdom-admin' for node 78
FortiADC-VM (docs-vdom-admin) # set access-profile admin_prof
FortiADC-VM (docs-vdom-admin) # set vdom docs-vdom
FortiADC-VM (docs-vdom-admin) # end
Disabling VDOMs
Before you begin:
• Save a backup of the configuration. Disabling VDOMs changes the structure of your configuration, and deletes most VDOM-related settings. It keeps settings from the root VDOM only.
To disable VDOMs
1. Assign interfaces to the root VDOM. For example:
FortiADC-VM # config global
FortiADC-VM (global) # config system interface
FortiADC-VM (interface) # edit port10
FortiADC-VM (port10) # set vdom root
FortiADC-VM (port10) # end
Changing interface(port10) vdom from docs-vdom(233) to root(1):
change vdom success.
2. Assign admin accounts to the root VDOM or delete them. For example:
FortiADC-VM (global) # config system admin
FortiADC-VM (admin) # delete docs-vdom-admin
FortiADC-VM (admin) # end
3. Delete non-root VDOMs:
FortiADC-VM # config vdom
FortiADC-VM (vdom) # delete docs-vdom
FortiADC-VM (vdom) # end
4. Disable VDOMs:
FortiADC-VM # config global
FortiADC-VM (global) # config system global
FortiADC-VM (global) # set vdom-admin disable
FortiADC-VM (global) # end
The system disables VDOMs and terminates your administrative session.
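Steps 1 through 3 are prerequisites for step 4: anything still outside the root VDOM is discarded when VDOMs are disabled. The following Python is an added example, not Fortinet code, that acts as a pre-flight check for that procedure. It scans show system interface, show system admin and show vdom output (constructed samples in the page's config / edit / set format; the next keyword between table entries is assumed, since the page shows only single entries) and lists each interface, administrator or VDOM that still has to be moved, reassigned or deleted before set vdom-admin disable is safe to run. Entries without a set vdom line are treated as belonging to root, which is what the page describes as the default.

```python
from typing import Dict, List

# Constructed samples in the shape of the page's configuration output.
SHOW_INTERFACES = """\
config system interface
    edit port1
        set vdom root
    next
    edit port10
        set vdom docs-vdom
    next
end
"""
SHOW_ADMINS = """\
config system admin
    edit admin
    next
    edit docs-vdom-admin
        set access-profile admin_prof
        set vdom docs-vdom
    next
end
"""
SHOW_VDOMS = """\
config vdom
    edit root
    next
    edit docs-vdom
    next
end
"""

def entry_vdoms(config_text: str, default: str = "root") -> Dict[str, str]:
    """Map each 'edit NAME' entry to its 'set vdom' value; entries without one get the default."""
    result: Dict[str, str] = {}
    current = None
    for line in config_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) > 1:
            current = tok[1]
            result[current] = default
        elif tok[0] == "set" and len(tok) > 2 and tok[1] == "vdom" and current is not None:
            result[current] = tok[2]
        elif tok[0] in ("next", "end"):
            current = None
    return result

def vdom_disable_blockers(interfaces_cfg: str, admins_cfg: str, vdoms_cfg: str) -> List[str]:
    """Everything that must be fixed before 'set vdom-admin disable'; empty means go ahead."""
    blockers: List[str] = []
    for name, vdom in entry_vdoms(interfaces_cfg).items():
        if vdom != "root":
            blockers.append(f"interface {name} is still in VDOM {vdom}: "
                            f"config global / config system interface / edit {name} / set vdom root")
    for name, vdom in entry_vdoms(admins_cfg).items():
        if vdom != "root":
            blockers.append(f"administrator {name} is still assigned to VDOM {vdom}: "
                            f"reassign it to root or delete it (config system admin / delete {name})")
    for name in entry_vdoms(vdoms_cfg):
        if name != "root":
            blockers.append(f"VDOM {name} still exists: config vdom / delete {name}")
    return blockers

if __name__ == "__main__":
    for b in vdom_disable_blockers(SHOW_INTERFACES, SHOW_ADMINS, SHOW_VDOMS) or ["no blockers"]:
        print(b)
```

Run the check against the output captured immediately before step 4, not against an earlier backup: the point is to catch an interface or account that was added to a non-root VDOM after the cleanup began, because once vdom-admin is disabled that configuration is gone and the only recovery is the backup taken under "Before you begin".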
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.