FortiOS CLI Reference - Fortinet Document Library

FortiOS™ Handbook
CLI Reference for FortiOS 4.3
February 25, 2013
01-430-99686-20130225
Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation
docs.fortinet.com
Knowledge Base
kb.fortinet.com
Customer Service & Support
support.fortinet.com
Training Services
training.fortinet.com
FortiGuard
fortiguard.com
Document Feedback
techdocs@fortinet.com
FortiOS Handbook
Contents
Introduction
19
How this guide is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Availability of commands and options . . . . . . . . . . . . . . . . . . . . . . . 19
Document conventions and other information . . . . . . . . . . . . . . . . . . . . . 19
What’s new
21
alertemail
41
setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
antivirus
47
heuristic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
mms-checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
config {http | https | ftp | ftps | imap | imaps | pop3 | pop3s | smtp | smtps | nntp | im} . . 51
config nac-quar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
quarfilepattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
application
59
list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
dlp
65
compound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
filepattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
fp-doc-source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
fp-sensitivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
FortiOS™ Handbook v3: CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
3
Contents
endpoint-control
83
app-detect rule-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
firewall
89
address, address6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
addrgrp, addrgrp6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
carrier-endpoint-bwl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
carrier-endpoint-ip-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
central-nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
dnstranslation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
gtp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
interface-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
interface-policy6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
ipmacbinding setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
ipmacbinding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
ippool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
ldb-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
local-in-policy, local-in-policy6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
mms-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
config dupe {mm1 | mm4} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
config flood {mm1 | mm4} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
config log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7} . . . 129
config notif-msisdn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
multicast-policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
policy, policy6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
config identity-based-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
profile-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
profile-protocol-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
config http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
config https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
config ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
config ftps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
config imap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
config imaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
config pop3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
config pop3s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
config smtp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
config smtps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
config nntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
config im . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
config ssl-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
config mail-signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
schedule onetime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
schedule recurring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
schedule group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
service custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
service explicit-web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
service group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
service group-explicit-web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
shaper per-ip-shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
shaper traffic-shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
sniff-interface-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
sniff-interface-policy6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
ssl setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
vip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
vipgrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
ftp-proxy
195
explicit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
gui
197
console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
icap
199
profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
imp2p
203
aim-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
icq-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
msn-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
old-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
yahoo-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
ips
211
DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
config limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
log
223
custom-field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
{disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3
| webtrends | fortiguard} filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
disk setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
eventfilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
{fortianalyzer | syslogd} override-filter . . . . . . . . . . . . . . . . . . . . . . . . . 235
fortianalyzer override-setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting. . . . . . . . . . . . . . . . . . 237
fortiguard setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
gui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
memory setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
memory global-setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
syslogd override-setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
{syslogd | syslogd2 | syslogd3} setting . . . . . . . . . . . . . . . . . . . . . . . . . 246
trafficfilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
webtrends setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
netscan
251
assets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
pbx
255
dialplan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
did . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
ringgrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
voice-menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
sip-trunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
report
267
chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
style. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
router
285
access-list, access-list6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
aspath-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
auth-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
config router bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
config admin-distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
config aggregate-address, config aggregate-address6 . . . . . . . . . . . . . . 296
config neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
config network, config network6 . . . . . . . . . . . . . . . . . . . . . . . . . . 304
config redistribute, config redistribute6 . . . . . . . . . . . . . . . . . . . . . . 305
community-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
gwdetect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
isis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
config isis-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
config isis-net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
config redistribute {bgp | connected | ospf | rip | static} . . . . . . . . . . . . . . 314
config summary-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
key-chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Sparse mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Dense mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
config router multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
config interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
config pim-sm-global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
multicast-flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
config router ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
config area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
config distribute-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
config neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
config network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
config ospf-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
config redistribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
config summary-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
ospf6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
prefix-list, prefix-list6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
config router rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
config distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
config distribute-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
config interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
config neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
config network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
config offset-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
config redistribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
ripng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Using route maps with BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
static6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
spamfilter
379
bword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
dnsbl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
emailbwl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
fortishield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
ipbwl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
iptrust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
mheader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
config {imap | imaps | pop3 | pop3s | smtp | smtps} . . . . . . . . . . . . . . . . 395
config {gmail | msn-hotmail | yahoo-mail} . . . . . . . . . . . . . . . . . . . . . 396
system
397
3g-modem custom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
accprofile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
alertemail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
amc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
arp-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
auto-install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
autoupdate clientoverride . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
autoupdate override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
autoupdate push-update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
autoupdate schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
autoupdate tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
aux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
bug-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
central-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
ddns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
dhcp reserved-address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
dhcp server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
dhcp6 server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
dns-database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
dns-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
elbc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
fips-cc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
fortiguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
fortiguard-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
gi-gk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
gre-tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
ha . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
ipv6-tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
mac-address-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
modem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
npu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
object-tag. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
password-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
port-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
pstn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
replacemsg admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
replacemsg alertmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
replacemsg auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
replacemsg ec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
replacemsg fortiguard-wf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
replacemsg ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
replacemsg http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
replacemsg im . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
replacemsg mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
replacemsg mm1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
replacemsg mm3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
replacemsg mm4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
replacemsg mm7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
replacemsg-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
replacemsg-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
replacemsg-image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
replacemsg nac-quar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
replacemsg nntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
replacemsg spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
replacemsg sslvpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
replacemsg traffic-quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
replacemsg webproxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
resource-limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
session-helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
session-sync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
session-ttl. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
sit-tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
sflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
snmp community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
snmp sysinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
snmp user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
sp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
switch-interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
tos-based-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
vdom-dns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
vdom-link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
vdom-property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
vdom-sflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
wccp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
user
575
Configuring users for authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Configuring users for password authentication . . . . . . . . . . . . . . . . . . 576
Configuring peers for certificate authentication . . . . . . . . . . . . . . . . . . 576
ban . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
fortitoken . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
fsso . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
ldap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
local. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
peergrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
sms-provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
tacacs+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
voip
599
profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
config sip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
config sccp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
vpn
611
certificate ca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
certificate crl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
certificate local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
certificate ocsp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
certificate remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
ipsec concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
ipsec forticlient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
ipsec manualkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
ipsec manualkey-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
ipsec phase1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
ipsec phase1-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
ipsec phase2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
ipsec phase2-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
pptp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
ssl settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
ssl web host-check-software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
ssl web portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
ssl web virtual-desktop-app-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
wanopt
671
auth-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
ssl-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
webcache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
config cache-exemption-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
web-proxy
685
explicit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
forward-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
webfilter
693
content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
content-header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
fortiguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
ftgd-local-cat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
ftgd-local-rating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
ftgd-warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
override-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
config ftgd-wf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
config override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
config quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
config web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
urlfilter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
wireless-controller
713
ap-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
vap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719
vap-group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
wtp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
wtp-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
execute
727
backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
batch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
bypass-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
carrier-license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
central-mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
cfg reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
cfg save. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
clear system arp table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
cli check-template-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
cli status-msg-only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
disk raid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
dhcp lease-clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
dhcp lease-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
disconnect-admin-session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
enter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
factoryreset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
firmware-list update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 747
formatlogdisk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
forticlient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
fortiguard-log update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
fortitoken . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
fsso refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
ha disconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
ha manage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
ha synchronize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
interface dhcpclient-renew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
interface pppoe-reconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
log client-reputation-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
log delete-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
log delete-rolled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
log display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
log filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
log fortianalyzer test-connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
log list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
log rebuild-sqldb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
log recreate-sqldb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
log-report reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
log roll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
modem dial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
modem hangup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
modem trigger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
mrouter clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
netscan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
pbx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
ping-options, ping6-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778
reboot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
report-config reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
revision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
router clear bfd session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
router clear bgp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
router clear ospf process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
router restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
send-fds-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
set system session filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
set-next-reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
sfp-mode-sgmii. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
tac report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 796
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
traceroute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
tracert6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
update-ase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
update-av. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
update-ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803
update-modem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
update-now. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
upd-vd-license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
usb-disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 808
vpn certificate ca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
vpn certificate crl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 810
vpn certificate local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811
vpn certificate remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
vpn ipsec tunnel down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 815
vpn ipsec tunnel up. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
vpn sslvpn del-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 817
vpn sslvpn del-tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 818
vpn sslvpn del-web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
vpn sslvpn list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 820
wireless-controller delete-wtp-image . . . . . . . . . . . . . . . . . . . . . . . . . 821
wireless-controller list-wtp-image . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
wireless-controller reset-wtp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
wireless-controller restart-acd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824
wireless-controller restart-wtpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
wireless-controller upload-wtp-image . . . . . . . . . . . . . . . . . . . . . . . . . 826
get
827
endpoint-control app-detect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 828
firewall dnstranslation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
firewall iprope appctrl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
firewall iprope list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
firewall proute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833
firewall service predefined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
firewall shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
gui console status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
gui topology status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
hardware cpu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
hardware memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840
hardware nic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
hardware npu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
hardware status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
ips decoder status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
ips rule status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 847
ips session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 848
ipsec tunnel list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
log sql status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
netscan scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
netscan settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
get pbx branch-office. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853
pbx dialplan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 854
pbx did . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
pbx extension. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
pbx ftgd-voice-pkg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
pbx global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
pbx ringgrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
pbx sip-trunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
pbx voice-menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
report database schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
router info bfd neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
router info bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
router info gwdetect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
router info isis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
router info kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 868
router info multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
router info ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
router info protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
router info rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
router info routing-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
router info vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
router info6 bgp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 876
router info6 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
router info6 kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
router info6 ospf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
router info6 protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
router info6 rip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
router info6 routing-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 882
system admin list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
system admin status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 884
system arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
system auto-update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
system central-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
system checksum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 888
system cmdb status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
system dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
system fdp-fortianalyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
system fortianalyzer-connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
system fortiguard-log-service status . . . . . . . . . . . . . . . . . . . . . . . . . . 893
system fortiguard-service status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
system ha-nonsync-csum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
system ha status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
system info admin ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 898
system info admin status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899
system interface physical. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
system mgmt-csum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
system performance firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
system performance status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903
system performance top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
system session list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
system session status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
system session-helper-info list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
system session-info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
system source-ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
system startup-error-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
system status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
user adgrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914
vpn ike gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 915
vpn ipsec tunnel details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 916
vpn ipsec tunnel name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
vpn ipsec stats crypto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
vpn ipsec stats tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
vpn ssl monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
vpn status l2tp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 921
vpn status pptp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 922
vpn status ssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
webfilter ftgd-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
webfilter status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
wireless-controller scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
tree
929
Appendix
931
Introduction
This document describes FortiOS™ Handbook v3 CLI commands used to configure and manage a
FortiGate unit from the command line interface (CLI).
• How this guide is organized
How this guide is organized
Most of the chapters in this document describe the commands for each configuration branch of the
FortiOS™ Handbook CLI. The command branches and commands are in alphabetical order.
This document also contains the following sections:
What’s new describes changes to the v3 CLI.
execute describes execute commands.
get describes get commands.
tree describes the tree command.
Availability of commands and options
Some FortiOS™ Handbook CLI commands and options are not available on all FortiGate units. The
CLI displays an error message if you attempt to enter a command or option that is not available.
You can use the question mark ‘?’ to verify the commands and options that are available.
Commands and options may not be available for the following reasons:
• FortiGate model. Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate option of the config system interface command.
• Hardware configuration. For example, some AMC module commands are only available when an AMC module is installed.
• FortiOS Carrier, FortiGate Voice, FortiWiFi, etc. Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands that are only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.
Document conventions and other information
See “Appendix” on page 931.
What’s new
As the FortiOS Handbook is being developed, the FortiGate CLI Reference for FortiOS 4.3 is becoming a dictionary of
FortiOS CLI commands. Examples have been removed from this CLI Reference and command explanations are being
more sharply focused on defining the command and its options, ranges, defaults and dependencies. The CLI
Reference now includes FortiOS Carrier commands and future versions will include FortiGate Voice commands. Also
command histories have been removed.
The table below lists CLI commands and options that have been added to FortiOS v3.
Command
Change
config antivirus profile
edit <name_str>
set filepattable
Removed. Use config dlp sensor.
set options file-filter
Option removed. Use config dlp sensor.
set options strict-file
Option removed. Use config dlp sensor.
config ftps
New fields to configure antivirus for FTPS.
config {http https ftp ftps smtp smtps
pop3 pop3s imap imaps im nntp}
set archive-block
New field. Selects archive types to block.
set archive-log
New field. Selects archive types to block.
config antivirus quarantine
set drop-blocked ftps
Changed. ftps option added.
set heuristic ftps
Changed. ftps option added.
set drop-infected ftps
Changed. ftps option added.
config antivirus service ftps
New command.
config application list
edit <app_list_str>
set p2p-black-list
New field. Blacklists Bittorrent, eDonkey, or Skype.
config entries
edit <id_integer>
set action reset
New option. Resets network connection.
set application
This field now accepts multiple options.
set block-video
New. Blocks or allows MSN video chats.
set chart
Removed.
set category
This field now accepts multiple options.
config dlp filepattern
New command. Configures file patterns used for DLP file
blocking.
config dlp fp-doc-source
New command. Adds fingerprinting document sources.
config dlp fp-sensitivity
New command. Adds fingerprinting sensitivity labels.
config dlp rule
edit <rule_name>
set field file-size
New option. Searches for files of specified size.
set field file-type
New option. Searches for files of specified type.
set field fingerprint
New option. Searches for fingerprinted files.
set field regexp
New option. Searches for a match using a regular
expression string.
set field file-bytes
New attribute. Searches for specific data at a specific
location in the file.
set file-bytes
New field. Specifies data for file-bytes search.
set file-byte-hex
New field. Enables use of hexadecimal in file-bytes.
set file-byte-offset
New field. Location in file to find file-bytes data.
set protocol session-control
Option removed.
config dlp sensor
edit <sensor_str>
set flow-based
New field. Enables flow-based DLP.
set options strict-file
Field moved from config antivirus profile.
config compound-rule
config rule
Subcommands removed. Use config filter.
config filter
New subcommand. Configures DLP sensors, formerly
configured in config compound-rule and config
rule.
config endpoint-control profile
edit <rule_list_name>
set require-av warn
set require-av-uptodate warn
set require-firewall warn
set require-license warn
set require-webfilter warn
New warn option. Warns user about non-compliance, but allows access.
config firewall address, address6
edit <name_str>
set color
New field. Sets icon color.
set country
New field. Set country code for geography type address.
set tags
New field. Applies object tags.
set type geography
New option for Geography-based filtering.
config firewall addrgrp, addrgrp6
edit <name_str>
set color
New field. Sets icon color.
config firewall local-in-policy, local-in-policy6
New command. Creates firewall policies for traffic destined for the FortiGate unit itself.
config firewall multicast-policy
edit <index_int>
set auto-asic-offload
New field. Enables session offload to NP or SP
processors.
set logtraffic
New field. Enables logging of multicast traffic.
config firewall policy, policy6
edit <index_int>
set application
New field. Enables tracking of application usage in auto
profiling.
set auth-method form
New option. Form-based authentication in explicit webproxy.
set auto-asic-offload
New field. Enables session offload to NP or SP
processors.
set bandwidth
New field. Enables tracking of bandwidth usage in auto
profiling.
set client-reputation
New field. Enables client reputation feature.
set client-reputation-mode
New field. Select learning or monitoring mode for client
reputation.
set dynamic-profile
New field. Enables dynamic profile.
set dynamic-profile-access
Enable dynamic profiles by protocol. Functionality moved
from system dynamic profile.
set dynamic-profile-group
New field. Selects the dynamic profile group.
set endpoint-keepalive-interface
New field. Specifies keepalive interface for
endpoint-check.
set failed-connection
New field. Enables tracking of failed connection attempts
in auto profiling.
set fsae
Renamed to fsso.
set fsae-agent-for-ntlm
Renamed to fsso-agent-for-ntlm.
set fsso
Renamed from fsae.
set fsso-agent-for-ntlm
Renamed from fsae-agent-for-ntlm.
set geo-location
New field. Enables tracking countries of destination IP
addresses in auto profiling.
set global-label
New field. Places policy in the named subsection in the
web-based manager policy list.
set icap-profile
New field. Select an Internet Content Adaptation Protocol
(ICAP) profile.
set identity-based
This field is invisible if dynamic-profile is enabled.
set logtraffic-app
New field. Enables traffic logging when application list
logging is enabled, regardless of logtraffic setting.
set ntlm-enabled-browsers
New field. Defines HTTP-User-Agent strings of supported
browsers.
set ntlm-guest
New field. Enables NTLM guest user access.
set schedule-timeout
New field. Enables forced timeout of session when policy
schedule ends.
config firewall policy, policy6 (cont’d)
set sessions
New field. Enables taking a snapshot of the number of
sessions every five minutes in auto profiling.
set srcintf ftp-proxy
New option. Use FTP proxy as source interface.
set tags
New field. Applies object tags.
set traffic-shaper-reverse
Field can now be set without setting traffic-shaper.
set web-auth-cookie
New field. Enables cookies for explicit proxy sessions.
set webcache
New: Apply web caching in a firewall policy.
set webproxy-forward-server
New field. Sets name of web proxy forwarding server.
config firewall profile-group
edit <name_str>
set icap-profile
New field. Sets an Internet Content Adaptation Protocol
(ICAP) profile.
config firewall profile-protocol-options
edit <name_str>
config ftp
set post-lang
Removed. Post-lang does not apply to FTP.
config ftps
New subcommand. Configures FTPS protocol options.
set unsupported-ssl
New field. Selects bypass or block action for undecryptable SSL sessions.
config https
set options ssl-ca-list
New option. Verifies SSL session server certificate against
stored CA certificate list.
set client-cert-request
New field. Selects action to take if the client certificate
request fails during the SSL handshake.
set unsupported-ssl
New field. Selects bypass or block action for
undecryptable SSL sessions.
config imaps
set unsupported-ssl
New field. Selects bypass or block action for
undecryptable SSL sessions.
config pop3s
set unsupported-ssl
New field. Selects bypass or block action for
undecryptable SSL sessions.
config smtps
set unsupported-ssl
New field. Selects bypass or block action for undecryptable SSL sessions.
config ssl-server
New subcommand. Configures SSL server settings for use with the secure protocols (HTTPS, FTPS, POP3S, SMTPS).
config firewall schedule group
edit <name_str>
set color
New field. Sets icon color.
config firewall schedule onetime
edit <name_str>
set color
New field. Sets icon color.
config firewall schedule recurring
edit <name_str>
set color
New field. Sets icon color.
config firewall service custom
edit <name_str>
set color
New field. Sets icon color.
set protocol TCP/UDP/SCTP
set tcp-halfopen-timer
set tcp-halfclose-timer
set tcp-timewait-timer
set udp-idle-timer
set check-reset-range
set session-ttl
New session control options for custom services.
config firewall service explicit-web
New command. Configures explicit web proxy services.
config firewall service group
edit <name_str>
set color
New field. Sets icon color.
config firewall service group-explicit-web
New command. Configures explicit web proxy service groups.
config firewall shaper per-ip-shaper
edit <name_str>
set diffserv-forward
set diffservcode-forward
set diffserv-reverse
set diffservcode-rev
New fields. Manage differentiated services code point (DSCP) values.
config firewall shaper traffic-shaper
edit <name_str>
set diffserv
set diffservcode
New fields. Starts differentiated services for network
traffic.
config firewall sniff-interface-policy
edit <policy_id>
set logtraffic
New field. Enable traffic logging on one-arm policy.
config firewall vip
set extip
Changed. Now also accepts address range.
set http-cookie-domain-from-host
New field. Sets handling of SetCookie.
set ldb-method http-host
Changed. New method http-host added.
set ssl-algorithm
New field. Sets the permitted encryption algorithms for
SSL sessions according to encryption strength.
set ssl-client-renegotiation secure
New option. Requires secure renegotiation.
config firewall vip (continued)
set ssl-pfs
New field. Enables Perfect Forward Secrecy on SSL
connections.
set src-filter
New field. Specifies a source IP address filter.
config realserver
edit <table_id>
set http-host
New field. Sets the value of HOST header to match.
config ftp-proxy explicit
New. Configuration branch for enabling and configuring
the explicit FTP proxy.
config icap profile
New command. Configures an Internet Content
Adaptation Protocol (ICAP) profile.
config icap server
New command. Configures an Internet Content
Adaptation Protocol (ICAP) server.
config ips rule
set tags
New field. Applies object tags.
config ips sensor
edit <sensor_str>
config filter
Renamed to config entries.
config entries
Renamed from config filter. Now includes all fields from former config override subcommand.
edit <entry_name>
Changed from <filter_str>.
set rate-count
set rate-duration
set rate-mode
set rate-track
New fields. Configure signature threshold in filter.
set rule
Field now accepts multiple entries.
set tags
New field. Applies object tags.
config override
Removed. Fields moved into config entries subcommand.
config log {disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd |
syslogd2 | syslogd3 | webtrends | fortiguard} filter
set extended-traffic-log
Renamed from other-traffic.
set explicit-proxy-traffic
Field name changed from webproxy-traffic.
set other-traffic
Renamed to extended-traffic-log.
set webproxy-traffic
Field name changed to explicit-proxy-traffic.
config log disk setting
set ms-per-transaction
New field. Sets the maximum time logs wait to be committed.
set rows-per-transaction
New field. Sets the number of log entries that triggers a log commit.
set upload-format
New field. Selects either compact or text format for
uploaded logs.
set upload-ssl-conn
New field. Sets strength of algorithm used for
communication with FortiAnalyzer units.
config log eventfilter
set dns
New field. Enables logging of DNS lookups.
config log fortianalyzer override-setting
set enc-algorithm
New field. Sets strength of algorithm used for
communication with FortiAnalyzer units.
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
set enc-algorithm
New field. Sets strength of algorithm used for
communication with FortiAnalyzer units.
set monitor-keepalive-period
New field. Sets interval between keepalive transmissions.
set monitor-failure-retry-period
New field. Sets interval between connection retries.
config log fortiguard setting
set enc-algorithm
New field. Sets strength of algorithm used for communication with FortiManager and FortiAnalyzer units.
config log gui
New command. Select the device from which logs are displayed in the web-based manager.
config netscan assets
edit <asset-id>
set scheduled
New. Enables asset to be included in scheduled scans.
set status
Removed. Use scheduled.
config netscan settings
set os-detection
New field. Enables host OS detection.
set scheduled-pause
set pause-from
set pause-to
New fields. Enables a scheduled pause in network
scanning and sets the start and end of that pause.
set service-detection
New field. Enables service detection.
set schedule
Removed. Use set scheduled in config netscan
assets.
set tcp-scan
New field. Enables TCP scan.
set udp-scan
New field. Enables UDP scan.
config pbx
New commands. Configure the PBX feature of the
FortiGate Voice unit.
config report chart
edit <chart-name>
set drill-down-chart
New field. Specifies chart for drill-down.
set period
New field. Selects 24-hour or seven-day chart period.
config report layout
edit <layout-name>
set cache-time-out
New field. Set the timeout period for cached report
datasets.
set cutoff-option
New field. Chooses report run-time or custom time for end
of report period.
set cutoff-time
New field. Sets report custom cutoff-time.
config report layout (continued)
set email-recipients
New field. Specifies recipients of emailed reports.
set email-send
New field. Enables emailing of reports.
set schedule-type demand
New option. Enables on-demand reports.
config body-item
edit <item-id>
set parameter1
New field. Sets the parameter value for this body item.
config router bgp
config neighbor
edit <neighbor_address>
set as-override
set as-override6
New field. Enables BGP AS override for IPv4 traffic.
New field. Enables BGP AS override for IPv6 traffic.
config router multicast
config interface
edit <interface_name>
set multicast-flow
New field. Connects the named multicast flow to this
interface.
set static-group
New field. Statically joins this interface to the named
multicast group.
config router multicast-flow
New command. Configures the source allowed for a
multicast flow when using PIM-SM or PIM-SSM.
config router ospf6
config area
edit <addr_ipv6>
set nssa-default-information-originate
set nssa-default-information-originate-metric
set nssa-default-information-originate-metric-type
set nssa-redistribution
set nssa-translator-role
New fields. Same function as in config router ospf command.
config spamfilter fortishield
set report-status
Field removed.
config spamfilter profile
edit <name_str>
set spam-filtering
New field. Enables or disables spam filtering.
set options
Field moved from protocol level.
set options spamfsphish
New option. Detect phishing URLs in email.
config gmail
New subcommand. Spamfilters gmail.
config msn-hotmail
New subcommand. Spamfilters MSN Hotmail.
config yahoo-mail
New subcommand. Spamfilters Yahoo mail.
config system 3g-modem custom
New command. Configures 3G PCMCIA modems.
config system accprofile
edit <profile-name>
set scope {vdom | global}
New field. Select global or single-VDOM scope for
administrator.
set utmgrp custom
set wifi
New field. Sets access to WiFi-related configuration.
config utmgrp-permission
set icap
New option. Configures level of access to Internet Content
Adaptation Protocol (ICAP) configuration.
config system admin
edit <name_str>
set accprofile-override
Changed from radius-accprofile-override.
Now, TACACS+ servers can also specify profile.
set allow-remove-admin-session
New field. Admins with super_admin profile can prevent
other admins from closing their session.
set gui-detail-panel-location
New field. Sets the position of the log details panel.
set radius-accprofile-override
Changed to accprofile-override.
config dashboard
edit <id>
set widget-type sessions-history
New option. Configures new sessions/second widget.
set widget-type dlp-usage
Removed. Use system monitors command.
set widget-type pol-usage
Removed. Use system monitors command.
set widget-type protocol-usage
New option. Configures Protocol Usage widget.
set widget-type sys-res
New option. Configures System Resources widget.
set widget-type top-attacks
Removed. Use system monitors command.
set widget-type top-viruses
Removed. Use system monitors command.
set ip-version
New field for sessions widget. Sets whether to display
IPv4 sessions, IPv6 sessions, or both.
config system bypass
New command. Configures bypass mode on FGT-600C
and FGT-1000C.
config system carrier-endpoint-translation Command removed.
config system central-management
set authorize-manager-only
Removed.
set auto-backup
Removed.
set copy-local-revision
Removed.
set enc-algorithm
New field. Sets strength of algorithm used for
communication with FortiManager and FortiAnalyzer units.
set mode
New field. Selects alternate backup mode for backup to a
FortiManager unit.
set serial-number
Removed.
set status
Removed.
config chassis-loadbalance
Removed. Configuration for chassis load balance is now
determined by the FortiSwitch configuration.
config system ddns
New command. Configures DDNS.
DDNS was removed from system interface.
config system dhcp reserved-address
Command deprecated. Use config reserved-address subcommand of system dhcp server.
config system dhcp server
edit <id>
set auto-configuration
Update cached hardware address on HA events to
support option 116. Enabled by default.
set vci-match
set vci-string
New fields. Enables applying DHCP service only to hosts
with specified Vendor Class Identifier (VCI).
config reserved-address
edit <id_int>
set ip
set mac
New subcommand.
Replaces system dhcp reserved-address
command.
config system dhcp6 server
New command. Configures IPv6 DHCP servers.
config system dns
set source-ip
Set allowed source IP for communications to DNS server.
Part of Local-Out policy.
config system dynamic profile
Command removed.
Most options moved to user radius.
See also dynamic-profile-access in firewall
policy.
config system elbc
New command. Sets chassis load balancing (ELBC)
information for the FortiOS unit.
config system fortiguard-log
set source-ip
Set allowed source IP for communications to FAMS. Part of Local-Out policy.
config system global
set admin-ssh-grace-time
New field. Sets maximum time permitted between making
an SSH connection to the FortiGate unit and
authenticating.
set csr-ca-attribute
New field. Enables use of the CA attribute in the certificate.
set dst
Default setting is now enable.
set explicit-proxy-auth-timeout
New field. Sets timeout for idle explicit web proxy
sessions.
set fmc-xg2-load-balance
New field. Starts XG2 load balancing.
set gui-ap-profile
New. Enables custom AP profile configuration options on
the web-based manager.
set gui-central-nat-table
New. Enables central NAT table configuration options on
the web-based manager.
set gui-client-reputation
New. Enables client reputation feature.
set gui-dns-database
New. Enables display of DNS database menu in the web-based manager.
set gui-dynamic-profile-display
New. Enables display of dynamic profile feature controls in
the web-based manager.
set gui-icap
New. Enable or disable ICAP configuration options on the
web-based manager.
set gui-implicit-id-based-policy
New. Enable or disable identity-based firewall implicit
policy configuration options on the web-based manager.
set gui-implicit-policy
New. Enable or disable implicit firewall policy configuration
options on the web-based manager.
set gui-ipsec-manual-key
New. Enables manual key IPsec configuration in the web-based manager.
set gui-load-balance
New field. Enables display of Load Balance in web-based
manager Firewall Objects menu.
set gui-object-tags
New. Enable or disable object tagging and object coloring
configuration options on the web-based manager.
set ipv6-accept-dad
New. Configures IPv6 DAD (Duplicate Address Detection)
operation.
set max-sql-log-size
New. Sets maximum size for SQL log database.
set num-cpus
New field. Sets number of active CPUs.
set sql-logging
New field. Enables SQL logging on models equipped with
hard disk, not SSD.
set sslvpn-sport
Field removed. Use set port in vpn ssl settings.
set strict-dirty-session-check
New field. Enables dropping of sessions that no longer
match policy due to routing or policy change.
set wifi-certificate
set wifi-ca-certificate
New fields. Select WiFi server certificates.
set wimax-4g-usb
New field. Enables access to a WIMAX 4G USB device.
set wireless-mode
New field. Sets wireless operating mode for FortiWiFi
units.
config system ha
set cpu-threshold
New. Configure dynamic weighted load balancing for CPU
usage.
set ftp-proxy-threshold
New. Configure dynamic weighted load balancing for FTP
proxy sessions.
set http-proxy-threshold
New. Configure dynamic weighted load balancing for
HTTP proxy sessions.
set ha-uptime-diff-margin
New. Change the cluster age difference margin (grace
period) ignored by the cluster when selecting a primary
unit based on age.
set imap-proxy-threshold
New. Configure dynamic weighted load balancing for
IMAP proxy sessions.
set memory-threshold
New. Configure dynamic weighted load balancing for
memory usage.
set nntp-proxy-threshold
New. Configure dynamic weighted load balancing for
NNTP proxy sessions.
set pop3-proxy-threshold
New. Configure dynamic weighted load balancing for
POP3 proxy sessions.
set smtp-proxy-threshold
New. Configure dynamic weighted load balancing for
SMTP proxy sessions.
set session-pickup-delay
{enable | disable}
New. Improve performance by synchronizing session only
if they are active for more than 30 seconds.
set session-sync-dev
New. Specify up to 8 interfaces to be used for session
synchronization (session pickup) instead of the heartbeat
interface.
set subsecond
Removed. Not necessary. Underlying NIC driver supports
subsecond link failure detection. User can set the
hb-interval/threshold values for subsecond failover.
set weight
Default changed to set all weights to 40. Range changed
to 0 to 255 (was 0 to 31).
config system interface
edit <interface_name>
set elbc-default-gw
New field. Adds a default gateway to hidden front panel
ports in ELBC mode.
set explicit-ftp-proxy
New field. Enables use of explicit FTP proxy.
set ddns (and related ddns- fields)
Removed. See new system ddns command.
set fp-disable
Removed.
set npu-fastpath
Removed.
set peer-interface
Removed. Use config system port-pair command.
set secondary-IP
New field. Enables configuration of a secondary IP
address on the interface.
set vrrp-virtual-mac
New field. Enables VRRP virtual MAC addresses for the
VRRP routers added to this interface.
config ipv6
set ip6-allowaccess
Added SNMP option.
config system modem
set wireless-custom-product-id <pid_hex>
set wireless-custom-vendor-id <vid_hex>
Removed. Use config system 3g-modem custom.
config system monitors
New command. Adds per-VDOM monitoring widgets
moved from system admin dashboard configuration.
config system npu
set elbc-mode
New field. Selects required configuration of internal NPUs
of a FGT-5001 for ELBC.
set npu-cascade-cluster
New field. Enables cascade cluster mode on models
3950B and 3951B.
config system ntp
set source-ip
Set allowed source IP for communications to NTP server.
Part of Local-Out policy.
config ntpserver
edit <serverid_int>
set authentication
set key
set key-id
New fields. Configure MD5 authentication on NTPv3
servers.
config system password-policy
set must-contain
Removed.
set min-lower-case
set min-upper-case
set min-non-alphanumeric
set min-number
New fields. These fields replace the must-contain field
and its options.
set expire
Changed to set expire-day.
set expire-day
Name changed from set expire.
set expire-status
New field. Enables password expiry.
config system port-pair
New command. Defines Transparent mode port pairs.
config system object-tag
New command. Creates object tags.
config system replacemsg ftp
ftp-dl-archive-block
New message. Archive file transfer was blocked.
config system replacemsg ftp
explicit-banner
New message. Greeting banner for explicit FTP proxy.
config system replacemsg http
http-archive-block
New message. Transfer contained a blocked archive.
config system replacemsg http
http-client-archive-block
New message. The user is not allowed to upload the file.
config system replacemsg http
http-invalid-cert-block
New message. An invalid security certificate was detected.
config system replacemsg im
im-video-chat-block
New replacement message type for blocked MSN video
chats.
config system replacemsg-image
New command for FortiOS. Stores images for some
replacement message pages.
config system settings
set gateway6
New. Configure IPv6 default gateway.
set ip6
New. Configure IPv6 IP address.
set manageip6
New. Configures IPv6 management address prefix.
config system snmp community
edit <index_number>
config hosts
set ip
Changed. Now accepts IP/Netmask.
config hosts6
New. Configures IPv6 hosts.
config system snmp user
edit <user_name>
set notify-hosts6
New. Sets IPv6 IP addresses to which SNMP notifications (SNMP traps) are sent when events occur.
config system sp
New command. Configures offloading traffic to a FortiASIC Security Processing (SP) Module.
config system vdom-dns
set source-ip
Set allowed source IP for communications to DNS server.
Part of Local-Out policy.
config system wccp
edit <service_id>
set server-list
Changed. Now accepts up to four server IP addresses.
config system wireless ap-status
Command removed. Use wireless-controller ap-status.
config system wireless settings
Command removed. Use wireless-controller setting and
wireless-controller wtp-profile.
config user fortitoken
New command. Registers a FortiToken device with the
FortiGate unit.
config user fsso
set source-ip
Set allowed source IP for communications to FSAE server.
Part of Local-Out policy.
config user ldap
edit <server_name>
set filter
Field renamed to group-object-filter.
set group-member-check
set group-object-filter
New fields. Configure how group membership is determined.
config user peer
edit <peer_name>
set ldap-mode
New field. Selects either password or userPrincipalName authentication of the user.
config user radius
set dynamic-profile-access
set dp- options
Fields moved from system dynamic profile.
set source-ip
Set allowed source IP for communications to RADIUS
server. Part of Local-Out policy.
config user setting
set auth-multi-group
New field. Can improve performance in some Active
Directory configurations.
set auth-invalid-max
New field. Sets the maximum number of failed authentication attempts to allow before the client is blocked.
set auth-timeout-type
New field. Enables hard timeouts for user sessions.
config user sms-provider
New command. Configures a cell phone service provider
for the FortiToken two-factor authentication SMS text
message option.
config user tacacs+
set source-ip
Set allowed source IP for communications to TACACS+
server. Part of Local-Out policy.
config voip profile
edit <profile_name>
config sip
set ips-rtp
New field. Causes RTP traffic to inherit the IPS settings
from the SIP firewall policy.
config vpn ipsec manualkey
edit <gateway_name>
set authentication
New authentication options: SHA384 and SHA512.
config vpn ipsec manualkey-interface
edit <gateway_name>
set auth-alg
New authentication options: SHA384 and SHA512.
config vpn ipsec phase1
edit <gateway_name>
set auto-negotiate
New field. Enables auto-retry of phase 1 connection.
set fcc-enforcement
New field. When enabled, limits connections to FortiClient
Connect clients only.
set negotiate-timeout
New field. Sets how long to wait for IPsec SA to establish.
set proposal
New authentication options: SHA384 and SHA512.
config vpn ipsec phase1-interface
edit <gateway_name>
set auto-negotiate
New field. Enables auto-retry of phase 1 connection.
set dns-mode
New field. Selects automatic or manual assignment of
DNS servers.
set fcc-enforcement
New field. When enabled, limits connections to FortiClient
Connect clients only.
set negotiate-timeout
New field. Sets how long to wait for IPsec SA to establish.
set proposal
New authentication options: SHA384 and SHA512.
config vpn ssl settings
set port
New field. Configures SSL VPN port for this VDOM.
config vpn ssl web portal
edit <portal_name_str>
set allow-access citrix portforward
rdpnative
New allow-access application types.
set skip-check-for-unsupported-browser
New field. Enables skipping host check on browsers that do not support it.
set skip-check-for-unsupported-os
New field. Enables skipping host check on operating
systems that do not support it.
config widget
edit <id_int>
set allow-apps
New application types available: citrix portforward
rdpnative
config bookmarks
edit <bookmarkname>
set apptype
New application types available: citrix portforward
rdpnative
set additional-params
New field. Sends additional command-line parameters to
the application.
set keyboard-layout
New field. Sets keyboard layout for RDP bookmark.
set listening-port
New field. Sets listening port for portforward bookmark.
set logon-user
set logon-password
New fields. Set logon credentials for RDP bookmark.
set remote-port
New field. Sets remote port for portforward bookmark.
set screen-height
New field. Sets screen height for RDP or Native RDP
bookmark.
set screen-width
New field. Sets screen width for RDP or Native RDP
bookmark.
set show-status-window
New field. Enables status window for portforward
bookmark.
config wanopt settings
set tunnel-ssl-algorithm
Selects encryption strength for secure tunnel.
config wanopt ssl-server
set ssl-algorithm
New field. Sets the permitted encryption algorithms for SSL sessions according to encryption strength.
config wanopt storage
set webcache-storage-percentage
New field. Sets portion of storage used for web cache.
config wanopt webcache
set explicit
Removed: Web caching can now be applied in a firewall
policy.
config web-proxy explicit
set outgoing-ip
Changed. Multiple IP addresses are now accepted.
config web-proxy forward-server
New command. Configures explicit web proxy forwarding,
also called proxy chaining.
config webfilter fortiguard
set request-packet-size-limit
New. Limit size of URL request packets sent to FDS server.
config webfilter ftgd-ovrd
Renamed to webfilter override.
config webfilter ftgd-ovrd-user
Renamed to webfilter override-user.
config webfilter override
Renamed from ftgd-ovrd.
Extensively reorganized to simplify configuration.
config webfilter override-user
Renamed from ftgd-ovrd-user.
Extensively reorganized to simplify configuration.
config webfilter profile
Extensively reorganized to simplify configuration.
config override
set profile-attribute
set profile-type
New fields. If profile type is radius, the override profile is configured based on the retrieved attribute.
config webfilter profile
edit <name_str>
Command reorganized to simplify configuration of the webfilter profile.
set flow-based
New field. Enables flow-based web filtering.
set options {intrinsic javafilter js
jscript unknown vbs wf-cookie
wf-referer}
New options for web filtering of HTTP content.
config ftgd-wf
Command re-organized.
set options ftgd-disable
New option. Disables FortiGuard.
set options log-all-urls
New option. Logs all URLs even if FortiGuard disabled.
config filter
edit <id_str>
set log
New field. Disables FortiGuard logging.
config webfilter urlfilter
edit <list_int>
config entries
edit <url_str>
set action monitor
Monitor option replaces pass option.
set action pass
Monitor option replaces pass option.
set exempt {all
| activex-java-cookie | av
| dlp | filepattern
| fortiguard | web-content}
New exempt options for URL filtering.
config wireless-controller global
set ac-discovery-type
New field. Sets type of controller discovery APs use.
set ac-port
New field. Sets control traffic port.
set ac-radio-type
Removed. Use band in wireless-controller wtp-profile.
set data-ethernet-II
New field. Enables use of Ethernet frame type with 802.3
data tunnel mode.
set local-radio-vdom
New field. Selects the VDOM to which the FortiWiFi unit’s
built-in wireless access point belongs.
set max-discoveries
New field. Sets the maximum number of Discovery
Request messages per round.
set max-failed-dtls
New field. Sets the maximum number of DTLS session
attempts.
set plain-control-message
Removed.
set rogue-scan-mac-adjacency
New field. Sets the maximum numeric difference between
an AP’s Ethernet and wireless MAC values to match for
rogue detection.
config wireless-controller setting
set country
New field. Per-VDOM country selection to determine WiFi
channel selection.
config wireless-controller timers
set darrp-optimize
New field. Sets interval for DARRP optimization.
set darrp-wtp-tune
New field. Sets interval for DARRP channel selection.
set rogue-ap-log
New field. Sets interval for periodic logging of rogue APs.
config wireless-controller vap
edit <vap_name>
set auth
Field options are now usergroup or radius and they
apply when WPA-Enterprise security is used. New option:
captive portal.
set intra-vap-privacy
New field. Block communication between clients on the
same AP.
set mac-filter-enable
New field. Enables MAC address filtering.
set portal-message
New field. Sets message for captive portal page.
set portal-message-override-group
New field. Selects a replacement message group that
contains customized messages for the captive portal.
set security
Field option names changed to reflect common wireless
terminology, for example wpa-personal. Captive portal
mode added.
set selected-usergroups
New field. Selects the user groups that are permitted to
authenticate to this AP.
config mac-filter-list
New subcommand. Configures a MAC filter list.
config wireless-controller wtp
edit <wtp-id>
set wtp-profile
New field. Specifies AP profile to use.
set coordinate-enable
New field. Enables use of AP coordinates.
set coordinate-x
New field. AP X-co-ordinate.
set coordinate-y
New field. AP Y-co-ordinate.
set geography
Field removed. Use set country in wireless-controller setting.
set power-level
Field value is no longer in dBm. Now it is a 0 to 100 scale,
with 100 meaning maximum power.
set region-code
New field. Read-only. Displays AP’s region setting.
set vaps
New field. Set the virtual access points carried on this physical access point. This is used only when wtp-profile is not set.
config wireless-controller wtp-profile
config radio-1
config radio-2
New.
config platform
New subcommand. Sets wireless hardware platform.
set type
Changed. All option removed. Must be specific. Type 222B for FortiAP-222B added.
execute bypass-mode
New command. Manually switches into or out of bypass
mode on FGT-600C and FGT-1000C.
execute central-mgmt register-device
execute central-mgmt unregister-device
New commands. Control registering and unregistering the
FortiGate unit with a specified FortiManager unit.
execute forticlient ...
New commands to manage FortiClient enforcement.
execute fortitoken activate
New command. Activate FortiToken devices with
FortiGuard.
execute fortitoken sync
New command. Synchronize a FortiToken device.
execute log client-reputation-report
Several new commands to support auto-profiling.
execute log filter category
New options for SQL and memory logging.
execute log rebuild-sqldb
New command. Rebuilds the SQL database from log files.
execute log-report reset
New command. Deletes all logs, archives and user-configured report templates.
execute npu-cli
Command removed.
execute report-config reset
New. Restores report templates to factory default without
deleting logs.
execute set system session filter
New. Sets filters for VPN and firewall session get
commands.
execute tracert6
New command. Traceroute for IPv6 protocol.
execute update-modem
New command. Updates modem list.
execute vpn ipsec tunnel down
New command. Brings down IPsec VPN tunnel.
execute vpn ipsec tunnel up
New command. Activates IPsec VPN tunnel.
execute wireless-controller restart-daemon
Command removed. Use either of following commands.
execute wireless-controller restart-acd
New command. Restarts wireless-controller daemon.
execute wireless-controller restart-wtpd
New command. Restarts AP daemon.
get firewall shaper per-ip
New command. Provides information about per-IP traffic
shapers.
get firewall shaper traffic
New command. Provides information about shared traffic
shapers.
get hardware npu sp list
New command. Displays information about FortiASIC
Security Processors.
get netscan scan host <asset-id>
New command. Lists hosts detected for an asset.
get netscan scan status
New command. Lists previous scan time and detected
hosts.
get netscan scan summary
New command. Lists discovered vulnerabilities.
get router info gwdetect
New command. Shows gateway detection status.
get router info6 kernel
New command. Shows IPv6 kernel routing table.
get system ha-nonsync-csum
New command. FortiManager uses this command to
obtain a system checksum.
get system mgmt-csum
New command. Returns object checksums for
FortiManager.
get system source-ip status
New. Shows which services force their communications to
use a specific source IP address.
get system wireless detected-ap
Command removed. Use get wireless-controller scan.
get vpn ike gateway
Renamed from get vpn status ike gateway.
get vpn ipsec status concentrators
get vpn status concentrators
get vpn status ike config
get vpn status ike errors
get vpn status ike routes
get vpn status ike status detailed
get vpn status ipsec
get vpn status tunnel dialup-list
get vpn status tunnel number
get vpn status tunnel stat
Commands removed.
get vpn status ike gateway
Command renamed to get vpn ike gateway
get vpn status tunnel list
Command renamed to get vpn ipsec tunnel details
get vpn status tunnel name
Command renamed to get vpn ipsec tunnel name
get vpn status ike crypto
Command renamed to get vpn ipsec stats crypto
get vpn ipsec stats crypto
Renamed from get vpn status ike crypto.
get vpn ipsec stats tunnel
New command.
get vpn ipsec tunnel details
Renamed from get vpn status tunnel list.
get vpn ipsec tunnel name
Renamed from get vpn status tunnel name.
get wireless-controller scan
New command. Returns results of wireless scanning.
FortiOS Handbook
alertemail
Use the config alertemail command to configure the FortiGate unit to monitor logs for log messages with
certain severity levels. If the message appears in the logs, the FortiGate unit sends an email to predefined recipients
of the log message encountered. Alert emails provide immediate notification of issues occurring on the FortiGate unit,
such as system failures or network attacks.
You must configure the server setting under config system alertemail before the commands
under config alertemail become accessible.
This chapter describes the following command:
setting
setting
Use this command to configure the FortiGate unit to send an alert email to up to three recipients. This command can
also be configured to send an alert email a certain number of days before the FDS license expires and/or when the
disk usage exceeds a certain threshold amount. You need to configure an SMTP server before configuring alert email
settings. See “system alertemail” on page 409 for more information.
Syntax
config alertemail setting
set username <user-name_str>
set mailto1 <email-address_str>
set mailto2 <email-address_str>
set mailto3 <email-address_str>
set filter-mode {category | threshold}
set email-interval <minutes_int>
set emergency-interval <minutes_int>
set alert-interval <minutes_int>
set critical-interval <minutes_int>
set error-interval <minutes_int>
set warning-interval <minutes_int>
set notification-interval <minutes_int>
set information-interval <minutes_int>
set debug-interval <minutes_int>
set severity {alert | critical | debug | emergency | error | information | notification | warning}
set IPS-logs {disable | enable}
set firewall-authentication-failure-logs {disable | enable}
set HA-logs {enable | disable}
set IPsec-error-logs {disable | enable}
set FDS-update-logs {disable | enable}
set PPP-errors-logs {disable | enable}
set sslvpn-authentication-errors-logs {disable | enable}
set antivirus-logs {disable | enable}
set webfilter-logs {disable | enable}
set configuration-changes-logs {disable | enable}
set violation-traffic-logs {disable | enable}
set admin-login-logs {disable | enable}
set local-disk-usage-warning {disable | enable}
set FDS-license-expiring-warning {disable | enable}
set FDS-license-expiring-days <days_int>
set local-disk-usage <percentage>
set fortiguard-log-quota-warning {disable | enable}
end
username <user-name_str>
    Enter a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
    Default: No default.
mailto1 <email-address_str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.
mailto2 <email-address_str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.
mailto3 <email-address_str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.
filter-mode {category | threshold}
    Select the filter mode of the alert email. The following fields display only when threshold is selected:
    • emergency-interval
    • alert-interval
    • critical-interval
    • error-interval
    • warning-interval
    • notification-interval
    • information-interval
    • debug-interval
    • severity
    Default: category
email-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email. This is not available when filter-mode is threshold.
    Default: 5
emergency-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for emergency level messages. Only available when filter-mode is threshold.
    Default: 1
alert-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for alert level messages. Only available when filter-mode is threshold.
    Default: 2
critical-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for critical level messages. Only available when filter-mode is threshold.
    Default: 3
error-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for error level messages. Only available when filter-mode is threshold.
    Default: 5
warning-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for warning level messages. Only available when filter-mode is threshold.
    Default: 10
notification-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for notification level messages. Only available when filter-mode is threshold.
    Default: 20
information-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for information level messages. Only available when filter-mode is threshold.
    Default: 30
debug-interval <minutes_int>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for debug level messages. Only available when filter-mode is threshold.
    Default: 60
severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. This is only available when filter-mode is threshold. The FortiGate unit sends alert email for all messages at and above the severity level you select. For example, if you select error, the unit sends alert email for error, critical, alert, and emergency level messages.
    alert – Immediate action is required.
    critical – Functionality is affected.
    debug – Information used for diagnosing or debugging the FortiGate unit.
    emergency – The system is unusable.
    error – An erroneous condition exists and functionality is probably affected.
    information – General information about system operations.
    notification – Information about normal events.
    warning – Functionality might be affected.
    Default: alert
IPS-logs {disable | enable}
    Enable or disable IPS logs.
    Default: disable
firewall-authentication-failure-logs {disable | enable}
    Enable or disable firewall authentication failure logs.
    Default: disable
HA-logs {enable | disable}
    Enable or disable high availability (HA) logs.
    Default: disable
IPsec-error-logs {disable | enable}
    Enable or disable IPsec error logs.
    Default: disable
FDS-update-logs {disable | enable}
    Enable or disable FDS update logs.
    Default: disable
PPP-errors-logs {disable | enable}
    Enable or disable PPP error logs.
    Default: disable
sslvpn-authentication-errors-logs {disable | enable}
    Enable or disable SSL VPN authentication error logs.
    Default: disable
antivirus-logs {disable | enable}
    Enable or disable antivirus logs.
    Default: disable
webfilter-logs {disable | enable}
    Enable or disable web filter logs.
    Default: disable
configuration-changes-logs {disable | enable}
    Enable or disable configuration change logs.
    Default: disable
violation-traffic-logs {disable | enable}
    Enable or disable traffic violation logs.
    Default: disable
admin-login-logs {disable | enable}
    Enable or disable admin login logs.
    Default: disable
local-disk-usage-warning {disable | enable}
    Enable or disable the alert email sent when local disk usage exceeds the percentage set with local-disk-usage.
    Default: disable
FDS-license-expiring-warning {disable | enable}
    Enable or disable an email notification of the expiry date of the FDS license.
    Default: disable
FDS-license-expiring-days <days_int>
    Enter the number of days before the FDS license expires at which the email notification is sent. For example, if you want notification five days in advance, enter 5.
    Default: 15
local-disk-usage <percentage>
    Enter the percentage of local disk usage above which the local disk usage warning is sent. For example, enter 15 for a warning when local disk usage exceeds 15 percent. The number cannot be 0 or 100.
    Default: 75
fortiguard-log-quota-warning {disable | enable}
    Enable to receive an alert email when the FortiGuard Log & Analysis server reaches its quota.
    Default: disable
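The following configuration is an added example and is not part of the original reference or a Fortinet-supplied sample. It shows the two filter modes side by side: category mode, which alerts only on the event types an administrator needs to see quickly (administrator logins, configuration changes, authentication failures, IPS and HA events), and threshold mode, which alerts on every message at or above a chosen severity with a per-level minimum interval. The SMTP server address (documentation range), the sender and the recipient addresses are assumed values; only the server field of config system alertemail is used because that is the prerequisite this chapter names. Lines starting with # are explanatory comments.

```fortios
# The SMTP server is set under config system alertemail. The commands under
# config alertemail are not accessible until it exists.
# 192.0.2.25 is an assumed address in the documentation range.
config system alertemail
    set server 192.0.2.25
end

# Variant A: category mode. Only the enabled log categories generate alert
# email, which keeps the alert mailbox signal-only. Addresses are assumed.
config alertemail setting
    set username fortigate-alerts@example.com
    set mailto1 secops@example.com
    set mailto2 oncall@example.com
    set filter-mode category
    set email-interval 5
    # events that indicate tampering, credential attacks or attacks in progress
    set admin-login-logs enable
    set configuration-changes-logs enable
    set firewall-authentication-failure-logs enable
    set sslvpn-authentication-errors-logs enable
    set IPS-logs enable
    set IPsec-error-logs enable
    set HA-logs enable
    # capacity warnings so that local logging does not stop unnoticed
    set local-disk-usage-warning enable
    set local-disk-usage 80
    set FDS-license-expiring-warning enable
    set FDS-license-expiring-days 30
end

# Variant B: threshold mode (replaces the filter mode set above). Every log
# message at error level or above is sent; the per-level intervals stop a
# burst of error-level messages from flooding the recipients while still
# delivering emergency-level messages within a minute.
config alertemail setting
    set filter-mode threshold
    set severity error
    set emergency-interval 1
    set alert-interval 2
    set critical-interval 5
    set error-interval 15
end
```

Category mode is the better fit for a security mailbox because the triggers are explicit; threshold mode is simpler but will also deliver every unrelated error-level message, so pair it with a higher error-interval than the default.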
antivirus
Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or disable
grayware and heuristic scanning.
This chapter describes the following commands:
heuristic
mms-checksum
notification
profile
quarantine
quarfilepattern
service
settings
heuristic
Use this command to configure heuristic scanning for viruses in binary files.
Syntax
config antivirus heuristic
set mode {pass | block | disable}
end
mode {pass | block | disable}
    Enter pass to enable heuristic scanning but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
    Enter block to enable heuristic scanning and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
    Enter disable to disable heuristic scanning.
    Default: disable
mms-checksum
Use this command in FortiOS Carrier to create a list of attachment checksum values. Messages containing these
attachments can be blocked by the MMS profile.
Syntax
config antivirus mms-checksum
edit <entry_id>
set comment <comment_str>
config entries
edit <entry_name>
set checksum <checksum_value>
set status {enable | disable}
end
end
comment <comment_str>
    Optionally, enter a comment.
<entry_name>
    Enter a name for the blockable item.
checksum <checksum_value>
    Enter the checksum value.
status {enable | disable}
    Enable the entry.
    Default: enable
notification
Use this command for FortiOS Carrier to configure the viruses that trigger notification messages.
A notification list must be added to the MMS profile to generate notification messages.
Syntax
config antivirus notification
edit <list_id_int>
set name <name_str>
set comment <comment_str>
config entries
edit <virus_str>
set prefix {enable | disable}
set status {enable | disable}
end
end
<list_id_int>
    Enter the ID number of the list to edit. Each notification list has a unique ID number. Enter edit ? to view all the lists with their ID numbers.
    Default: No default.
name <name_str>
    Enter a name for the notification list. If the list is new, you must enter a name. You can also use this command to change the name of an existing notification list.
    Default: No default.
comment <comment_str>
    Enter an optional comment for the notification list. You can also use this command to change the comment of an existing notification list.
    Default: No default.
<virus_str>
    Enter the virus pattern to edit an existing list entry, or enter a new virus pattern to create a new list entry.
    Default: No default.
prefix {enable | disable}
    Enable to match the virus pattern against the beginning of any virus name. Disable to match the virus pattern against the whole virus name.
    For example, with prefix disabled, a pattern of BDoor.ACJ!tr.bdr makes the FortiGate unit check for a virus with that exact name. With prefix enabled, an entry for BDoor generates a notification message for any of the dozens of virus variants whose names start with BDoor.
    Default: enable
status {enable | disable}
    If required, you can disable a notification entry without removing it from the list. The FortiGate unit ignores a disabled entry. By default, all list entries are enabled as soon as you create them.
    Default: enable
profile
Use this command to configure UTM antivirus profiles for firewall policies. Antivirus profiles configure how virus
scanning is applied to sessions accepted by a firewall policy that includes the antivirus profile.
Syntax
config antivirus profile
edit <name_str>
set comment <comment_str>
set av-virus-log {disable | enable}
set av-block-log {disable | enable}
config {http | https | ftp | ftps | imap | imaps | pop3 | pop3s | smtp | smtps | nntp | im}
set archive-block [corrupted encrypted mailbomb multipart nested unhandled]
set archive-log [corrupted encrypted mailbomb multipart nested unhandled]
set avdb {default | extended | normal | flow-based}
set options {avmonitor | avquery | quarantine | scan}
config nac-quar
set infected {none | quar-interface | quar-src-ip}
set expiry <duration_str>
set log {disable | enable}
end
end
<name_str>
    Enter the name of the antivirus profile.
comment <comment_str>
    Optionally enter a description of the antivirus profile, up to 63 characters.
av-virus-log {disable | enable}
    Enable or disable logging for virus scanning.
    Default: enable
av-block-log {disable | enable}
    Enable or disable logging for antivirus file blocking.
    Default: enable
config {http | https | ftp | ftps | imap | imaps | pop3 | pop3s | smtp | smtps | nntp | im}
    Configure virus scanning options for the selected protocol.
archive-block [corrupted encrypted mailbomb multipart nested unhandled]
    Select which types of archive to block.
    Default: null
archive-log [corrupted encrypted mailbomb multipart nested unhandled]
    Select which types of archive to log.
    Default: null
avdb {default | extended | normal | flow-based}
    Select the antivirus database to use for the protocol.
    default — use the database selected in “antivirus settings” on page 58.
    extended — select the extended virus database, which includes both In the Wild viruses and a large collection of zoo viruses that are no longer seen in recent virus studies. It is suitable for an enhanced security environment.
    extreme — select the extreme virus database, which includes both In the Wild viruses and all available zoo viruses that are no longer seen in recent virus studies. It is suitable for an enhanced security environment.
    flow-based — select the flow-based virus database, which includes In the Wild viruses and some commonly seen viruses on the network. Flow-based virus scan is an alternative to file-based virus scan. It provides better performance but a lower coverage rate than file-based virus scan.
    normal — select the regular virus database, which includes In the Wild viruses and most commonly seen viruses on the network. For regular virus protection, it is sufficient to use this database.
    Default: default
options {avmonitor | avquery | quarantine | scan}
    Select one or more options to apply to virus scanning for the protocol. To select more than one, enter the option names separated by a space. Some options are only available for some protocols.
    avmonitor — log detected viruses, but allow them through the firewall without modification.
    avquery — use the FortiGuard AV query service.
    quarantine — quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    scan — scan files transferred using this protocol for viruses.
config nac-quar
Configure NAC quarantine virus scanning options.
expiry <duration_str>
    Set the duration of the quarantine in the days, hours, minutes format ###d##h##m. The minimum setting is 5 minutes. This field is available when infected is not none.
    Default: 5m
infected {none | quar-interface | quar-src-ip}
    Select whether infected hosts are added to the banned user list, and how their traffic is quarantined.
    none — no action is taken.
    quar-interface — quarantine all traffic on the infected interface.
    quar-src-ip — quarantine all traffic from the source IP.
    Default: none
log {disable | enable}
    Enable or disable logging for NAC quarantine.
    Default: disable
quarantine
Use this command to set file quarantine options. FortiGate units with a hard disk or a connection to a FortiAnalyzer
unit can quarantine files. FortiGate features such as virus scanning can quarantine files.
Syntax
config antivirus quarantine
set agelimit <hours_int>
set destination {disk | FortiAnalyzer | NULL}
set drop-blocked {ftp ftps http imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set drop-heuristic {ftp ftps http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set drop-infected {ftp ftps http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp}
set enable-auto-submit {disable | enable}
set lowspace {drop-new | ovrw-old}
set maxfilesize <MB_int>
set quarantine-quota <MB_int>
set sel-status {fileblocked heuristic}
set store-blocked {ftp http imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
set store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp}
set use-fpat {enable | disable}
set use-status {enable | disable}
end
agelimit <hours_int>
    Specify how long files are kept in quarantine, to a maximum of 479 hours. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached the TTL column displays EXP and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, subject to the low disk space action. This option appears when destination is not set to NULL.
    Default: 0
destination {disk | FortiAnalyzer | NULL}
    The destination for quarantined files:
    disk is the FortiGate unit internal hard disk, if present.
    FortiAnalyzer is a FortiAnalyzer unit the FortiGate unit is configured to use.
    NULL disables the quarantine.
    This command appears only if the FortiGate unit has an internal hard disk or is configured to use a FortiAnalyzer unit.
    Default: NULL
drop-blocked {ftp ftps http imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine blocked files found in traffic for the specified protocols. The files are deleted.
    MM1, MM3, MM4, and MM7 traffic types are supported only in FortiOS Carrier.
    Default: imap nntp
drop-heuristic {ftp ftps http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine files found by heuristic scanning in traffic for the specified protocols.
    NNTP support for this field will be added in the future.
    MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: http im imap nntp pop3 smtp
drop-infected {ftp ftps http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine virus infected files found in traffic for the specified protocols.
    NNTP support for this field will be added in the future.
    MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: im imap nntp
drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp}
    For FortiOS Carrier, do not quarantine intercepted files found in traffic for the specified protocols. The files are deleted.
    Default: imap smtp pop3 http ftp mm1 mm3 mm4 mm7
enable-auto-submit {disable | enable}
    Enable or disable automatic submission of the quarantined files matching the use-fpat or use-status settings. This option appears when destination is not set to NULL.
    Default: disable
lowspace {drop-new | ovrw-old}
    Select the method for handling additional files when the FortiGate hard disk is running out of space. Enter ovrw-old to drop the oldest file (lowest TTL), or drop-new to drop new quarantine files. This option appears when destination is not set to NULL.
    Default: ovrw-old
maxfilesize <MB_int>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit but does not quarantine any new files larger than this value. The file size range is 0-499 MB. Enter 0 for unlimited file size.
    Default: 0
quarantine-quota <MB_int>
    Set the antivirus quarantine quota in MB, which is the amount of disk space to reserve for quarantining files.
    Default: 0
sel-status {fileblocked heuristic}
    Configure the status used for automatic uploading of quarantined files. This option appears when destination is not set to NULL.
    Default: No default.
store-blocked {ftp http imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine blocked files found in traffic for the specified protocols.
    NNTP support for this field will be added in the future.
    HTTP, FTP, MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: No default.
store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine files found by heuristic scanning in traffic for the specified protocols.
    NNTP support for this field will be added in the future.
    MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: No default.
store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine virus infected files found in traffic for the specified protocols.
    NNTP support for this field will be added in the future.
    MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
    Default: No default.
store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp}
    Quarantine intercepted files found in FortiOS Carrier traffic of the specified protocols.
    Default: imap smtp pop3 http ftp mm1 mm3 mm4 mm7
use-fpat {enable | disable}
    Enable or disable using file patterns to select quarantined files for automatic uploading. See “antivirus quarfilepattern” on page 56 for information on how to configure the file patterns used for automatic uploading. This option appears when destination is not set to NULL.
    Default: disable
use-status {enable | disable}
    Enable or disable using file status to select quarantined files for automatic uploading. This option appears when destination is not set to NULL.
    Default: disable
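The following configuration is an added example and is not part of the original reference or a Fortinet-supplied sample. It ties together the heuristic, quarantine and profile commands of this chapter: heuristic detections are blocked rather than passed, the quarantine is turned on so that the quarantine option in the profile has somewhere to store files, and the profile scans, quarantines and isolates the source host. The profile name "strict-av", the comment text and the quota, age and expiry values are assumptions; the unit is assumed to have a local hard disk, since destination disk and the quarantine option are only offered in that case. Protocol lists deliberately leave out NNTP (not yet supported for store-* fields) and the Carrier-only MM1/MM3/MM4/MM7 types, and store-blocked only names the protocols that are not Carrier-only. Lines starting with # are explanatory comments.

```fortios
# Heuristic hits are blocked and quarantined, not passed to the recipient.
config antivirus heuristic
    set mode block
end

# Quarantine to the local disk. Files are kept 14 days (336 h, below the
# 479 h maximum), the quota caps the disk space used, oldest-first overwrite
# keeps the unit running when the quota is full, and files over 50 MB are
# not stored.
config antivirus quarantine
    set destination disk
    set agelimit 336
    set lowspace ovrw-old
    set quarantine-quota 500
    set maxfilesize 50
    set store-infected ftp http im imap pop3 smtp
    set store-heuristic ftp http im imap pop3 smtp
    set store-blocked imap pop3 smtp
end

# Profile: scan and quarantine (not avmonitor, which would only log and
# let the file through), block archives the engine cannot inspect, and
# ban the source IP of an infected host for one hour.
config antivirus profile
    edit "strict-av"
        set comment "scan, quarantine, isolate infected source hosts"
        set av-virus-log enable
        set av-block-log enable
        config http
            set archive-block corrupted encrypted mailbomb nested unhandled
            set archive-log corrupted encrypted mailbomb multipart nested unhandled
            set avdb extended
            set options scan quarantine
        end
        config smtp
            set archive-block corrupted encrypted mailbomb nested unhandled
            set archive-log corrupted encrypted mailbomb multipart nested unhandled
            set avdb extended
            set options scan quarantine
        end
        config nac-quar
            set infected quar-src-ip
            set expiry 1h
            set log enable
        end
    next
end
```

Blocking encrypted and unhandled archives is the security-relevant choice: an archive the engine cannot open is an archive that has not been scanned, and passing it silently defeats the profile. The profile only takes effect once it is selected in a firewall policy, which is configured outside this chapter.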
quarfilepattern
Use this command to configure the file patterns used by automatic file uploading. This command is only available on
FortiGate units with a hard drive.
Syntax
config antivirus quarfilepattern
edit <pattern_str>
set status {disable | enable}
end
<pattern_str>
    The file pattern to be quarantined. The pattern can include the asterisk * wildcard character. For example, *.bat matches all files with the bat file extension.
status {disable | enable}
    Enable or disable using a file pattern.
    Default: disable
service
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP, HTTPS, FTP,
POP3, IMAP, and SMTP traffic.
Syntax
config antivirus service <service_str>
set block-page-status-code <integer>
set scan-bzip2 {enable | disable}
set uncompnestlimit <depth_int>
set uncompsizelimit <MB_int>
end
<service_str>
    The service being configured: HTTP, HTTPS, FTP, FTPS, IM, IMAP, NNTP, POP3, SMTP.
block-page-status-code <integer>
    Set a return code for HTTP replacement pages. This field is only for the HTTP service.
    Default: 200
scan-bzip2 {enable | disable}
    Enable to allow the antivirus engine to scan the contents of bzip2 compressed files. Requires antivirus engine 1.90 for full functionality. Bzip2 scanning is extremely CPU intensive. Unless this feature is required, leave scan-bzip2 disabled.
    Default: disable
uncompnestlimit <depth_int>
    Set the maximum depth of nested archives the AV engine will scan. The limit is from 2 to 100. The supported compression formats are arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip. Bzip2 support is disabled by default.
    Default: 12
uncompsizelimit <MB_int>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a value in megabytes between 1 and the maximum oversize threshold. Enter “?” to display the range for your FortiGate unit. Enter 0 for no limit (not recommended).
    Default: 10
settings
Use this command to select the default antivirus database and to enable or disable grayware detection as part of
antivirus scanning.
Syntax
config antivirus settings
set default-db {extended | extreme | flow-based | normal}
set grayware {enable | disable}
end
default-db {extended | extreme | flow-based | normal}
    Select the default antivirus database to use for virus scanning. You can override the default database for specific protocols in the antivirus profile, see “antivirus profile” on page 51.
    extended — select the extended virus database, which includes both In the Wild viruses and a large collection of zoo viruses that are no longer seen in recent virus studies. It is suitable for an enhanced security environment.
    extreme — select the extreme virus database, which includes both In the Wild viruses and all available zoo viruses that are no longer seen in recent virus studies. It is suitable for an enhanced security environment.
    flow-based — select the flow-based virus database, which includes In the Wild viruses and some commonly seen viruses on the network. Flow-based virus scan is an alternative to file-based virus scan. It provides better performance but a lower coverage rate than file-based virus scan.
    normal — select the regular virus database, which includes In the Wild viruses and most commonly seen viruses on the network. For regular virus protection, it is sufficient to use this database.
    Default: normal
grayware {enable | disable}
    Enable or disable grayware detection. Grayware includes adware, dial, downloader, hacker tool, keylogger, RAT and spyware.
    Default: disable
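The following configuration is an added example and is not part of the original reference or a Fortinet-supplied sample. It covers the two engine-level commands of this chapter, antivirus settings and antivirus service: the global database and grayware detection, and the archive-handling limits that bound how much memory and CPU a single file can consume during scanning. The HTTP status code and the 20 MB buffer limit are assumed values; the upper bound of uncompsizelimit depends on the model, so confirm it with set uncompsizelimit ? before applying. Lines starting with # are explanatory comments.

```fortios
# Global default database and grayware detection. A per-protocol avdb in an
# antivirus profile overrides default-db; grayware (adware, keyloggers,
# RATs, hacker tools) is not detected unless enabled here.
config antivirus settings
    set default-db extended
    set grayware enable
end

# HTTP archive limits. uncompnestlimit bounds nested archives (2-100);
# uncompsizelimit bounds the uncompressed size buffered in memory. The
# reference marks 0 (no limit) as not recommended: a small archive that
# expands to many times its size would then be buffered in full. bzip2
# stays disabled because of its CPU cost. The 403 replacement-page code
# (assumed value) makes the block visible to non-browser clients that
# would treat the default 200 as a successful download.
config antivirus service http
    set block-page-status-code 403
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 20
end

# The same limits for mail, where archive bombs most often arrive.
config antivirus service smtp
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 20
end
```

Files that exceed these limits are handled by the oversize settings of the protocol options, not by this command; these values only decide how much the engine is willing to decompress into memory.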
application
Use these commands to configure application control.
list
name
list
Use this command to create application control lists and configure the application options.
Syntax
config application list
edit <app_list_str>
config entries
edit <id_integer>
set action {block | pass | reset}
set application [<app1_int> <app2_int> ...]
set behavior {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8}
set block-audio {enable | disable}
set block-encrypt {enable | disable}
set block-file {enable | disable}
set block-im {enable | disable}
set block-photo {enable | disable}
set block-video {enable | disable}
set category {<cat_int> | All}
set comment <comment_string>
set im-no-content-summary {enable | disable}
set inspect-anyport {enable | disable}
set log {disable | enable}
set log-packet {disable | enable}
set protocols <protocols_str>
set session-ttl <ttl_int>
set shaper <shaper_str>
set shaper-reverse <shaper_str>
set sub-category {<subcat_int> | all}
set tags <tag_str>
set technology <technology_Str>
set vendor <vendor_int>
end
end
set comment <comment_string>
set log {disable | enable}
set other-application-action {block | pass}
set other-application-log {enable | disable}
set p2p-black-list [bittorrent edonkey skype]
set unknown-application-action {block | pass}
set unknown-application-log {disable | enable}
end
<app_list_str>
    The name of the application control list.
    Default: No default.
<id_integer>
    Enter the unique ID of the list entry you want to edit, or enter an unused ID to create a new one.
action {block | pass | reset}
    Enter the action the FortiGate unit will take with traffic from the application of the specified type.
    • block will stop traffic from the specified application.
    • pass will allow traffic from the specified application.
    • reset will reset the network connection.
    Default: block
application [<app1_int> <app2_int> ...]
    Enter one or more application integers to specify applications. Enter set application ? to list all application integers in the currently configured category.
    Default: all
behavior {0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8}
    Select the application behavior filter to apply. Options include:
    0 — Other
    1 — Reasonable
    2 — Botnet
    3 — Evasion
    4 — Loss of productivity
    5 — Excessive bandwidth
    6 — Tunneling
    7 — Reconnaissance
    8 — Encrypted tunneling
block-audio {enable | disable}
    Enable to block audio. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
block-encrypt {enable | disable}
    Enable to block encrypted IM sessions. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
block-file {enable | disable}
    Enable to block IM file transfers. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
block-im {enable | disable}
    Enable to block instant messages. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
block-photo {enable | disable}
    Enable to block IM photo sharing. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
block-video {enable | disable}
    Enable to block MSN video chat. This command is available only when application is set to MSN.
    Default: disable
category {<cat_int> | All}
    Enter the category integer to specify an application category, or enter All to include all categories.
    Set a specific category to limit the scope of the All setting of the application command. For example, setting category to im and application to All makes the list entry include all IM applications. Similarly, the applications listed by set application ? are limited to the currently configured category.
    Enter set category ? to list all category integers.
comment <comment_string>
    Optionally, enter a descriptive comment.
    Default: No default.
im-no-content-summary {enable | disable}
    Enable to prevent display of content information on the dashboard. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
inspect-anyport {enable | disable}
    Enable to inspect all ports not used by any proxy for IM traffic. This command is available only when application is set to AIM, ICQ, MSN, or Yahoo.
    Default: disable
log {disable | enable}
    In a list entry, enable to have the FortiGate unit log the occurrence and the action taken if traffic from the specified application is detected. At the list level, enable to have the FortiGate unit log the occurrence and the action taken if traffic from any of the applications in the application control list is detected.
    Default: enable
log-packet {disable | enable}
    Enable or disable packet logging for an application in the application control list.
    Default: disable
other-application-action {block | pass}
    Enter the action the FortiGate unit will take for unrecognized application traffic or supported application traffic not configured in the current application control list.
    Default: pass
other-application-log {enable | disable}
    Enter the logging action the FortiGate unit will take for unrecognized application traffic or supported application traffic not configured in the current application control list.
    Default: disable
p2p-black-list [bittorrent edonkey skype]
    Enter the P2P applications that are blacklisted.
    Default: null
protocols <protocols_str>
    Enter the protocols that these applications use. Enter one or more protocol numbers separated by spaces. For a list of protocol numbers, enter set protocols ?.
    Default: No default.
session-ttl <ttl_int>
    Enter the application’s session TTL. Enter 0 to disable this option, in which case the TTL defaults to the setting of the config system session-ttl CLI command.
    Default: 0
shaper <shaper_str>
    Enter the name of a traffic shaper to enable traffic shaping for this application.
    Default: No default.
shaper-reverse <shaper_str>
    Enter the name of a traffic shaper to enable reverse traffic shaping for this application.
    Default: No default.
sub-category {<subcat_int> | all}
    Enter the sub-category integer to specify an application sub-category, or enter all to include all sub-categories. To see a list of sub-category numbers, enter set sub-category ?.
    Default: all
tags <tag_str>
    Optionally, assign object tags.
    Default: No default.
technology <technology_Str>
    Select the technologies involved in these applications. Enter one or more of the following technology numbers separated by spaces, or enter all.
    0 — Other
    1 — Web browser
    2 — Client
    3 — Server
    4 — Peer-to-peer
    Default: all
unknown-application-action {block | pass}
    Pass or block applications that have not been added to this application list.
    Default: pass
unknown-application-log {disable | enable}
    Enable or disable recording log messages when an application not added to the application list is detected.
    Default: disable
vendor <vendor_int>
    Enter the vendors to include. Enter one or more vendor numbers separated by spaces, or enter all. For a list of vendor numbers, enter set vendor ?.
    Default: all
name
Use this command to view the settings of each application. The application category and ID are displayed. This
command is ‘read only’ and cannot be used to change application settings.
Syntax
config application name <app_str>
    get
    set tags <tags_str>
end
name <app_str>
    Enter the name of the application you want to view. Enter config application name ? to list all the
    applications.
    No default.
tags <tags_str>
    Enter object tags applied to this application. Separate tag names with spaces.
    Default: null
dlp
Use these commands to configure Data Leak Prevention (DLP).
compound
filepattern
fp-doc-source
fp-sensitivity
rule
sensor
settings
compound
Use this command to add or edit DLP compound rules. DLP compound rules are groupings of DLP rules that also
change the way they behave when added to a DLP sensor. Individual rules can be configured with only a single
attribute. When this attribute is discovered in network traffic, the rule is activated.
Compound rules allow you to group individual rules to specify far more detailed activation conditions. Each included
rule is configured with a single attribute, but every attribute must be present before the rule is activated.
For example, create two rules and add them to a sensor:
• Rule 1 checks SMTP traffic for a sender address of spammer@example.com
• Rule 2 checks SMTP traffic for the word “sale” in the message body
When the sensor is used, either rule could be activated if its configured condition is true. If only one condition is true,
only the corresponding rule would be activated. Depending on the contents of the SMTP traffic, neither, either, or both
could be activated.
If you remove these rules from the sensor, add them to a compound rule, and add the compound rule to the sensor,
the conditions in both rules have to be present in network traffic to activate the compound rule. If only one condition
is present, the message passes without any rule or compound rule being activated.
By combining the individually configurable attributes of multiple rules, compound rules allow you to specify far more
detailed and specific conditions to trigger an action.
Syntax
config dlp compound
    edit <compound_rule_str>
        set comment <comment_str>
        set member <rule1> [<rule2> ...]
        set protocol {email | ftp | http | im | nntp}
        set sub-protocol <sub_protocol_1> [<sub_protocol_2> ...]
    end
    clone <name1> to <name2>
end
compound_rule_str
    The name of the compound rule.
    No default.
comment <comment_str>
    Optionally, enter a descriptive comment. Enclose the comment in quotes if you want to include spaces.
    No default.
member <rule1> [<rule2> ...]
    Enter a space-delimited list of DLP rules that belong to this compound rule. For information about creating
    rules, see “dlp rule” on page 73.
    No default.
protocol {email | ftp | http | im | nntp}
    Select the protocol to which this compound rule applies.
    No default.
sub-protocol <sub_protocol_1> [<sub_protocol_2> ...]
    Select the sub-protocols to which this compound rule applies. This is not available if protocol is nntp.
    For other protocols, the available sub-protocols are:
    • http: http-get, http-post
    • email: smtp, pop3, imap
    • ftp: ftp-get, ftp-put
    • im: aim (AOL IM), icq, msn, ym (Yahoo IM)
    If your FortiGate unit supports SSL content scanning and inspection, the following sub-protocols are also
    available:
    • http: https-get, https-post
    • email: smtps, pop3s, imaps
    Separate multiple sub-protocol names with a space.
    No default.
clone <name1> to <name2>
    Clone an existing DLP compound rule. Cloning can be used for upgrading default DLP regular expressions to
    new improved ones.
filepattern
Use this command to add, edit or delete the file patterns used for DLP file blocking and to set which protocols to
check for files to block.
Syntax
config dlp filepattern
    edit <filepattern_list_int>
        set name <list_name_str>
        set comment <comment_str>
        config entries
            edit <filepattern_str>
                set action {allow | block}
                set active {ftp http im imap imaps mm1 mm3 mm4 mm7 nntp pop3 pop3s smtp smtps}
                set file-type {unknown | ignored | activemime | arj | aspack | base64 | bat
                    | binhex | bzip | bzip2 | cab | jad | elf | exe | fsg | gzip | hlp | hta
                    | html | javascript | lzh | msc | msoffice | mime | petite | prc | rar
                    | class | sis | tar | upx | uue | cod | zip}
                set filter-type {pattern | type}
end
<filepattern_list_int>
    A unique number to identify the file pattern list.
name <list_name_str>
    Enter a name for the file pattern list.
comment <comment_str>
    Optionally enter a comment about the file pattern list.
<filepattern_str>
    The name of the file pattern being configured. This can be any character string.
action {allow | block}
    The action taken when a matching file is being transferred via a set active protocol.
    • Select allow to have the FortiGate unit allow matching files.
    • Select block to have the FortiGate unit block matching files.
    Default: block
active {ftp http im imap imaps mm1 mm3 mm4 mm7 nntp pop3 pop3s smtp smtps}
    The action specified will affect the file pattern in the selected protocols.
    MM1, MM3, MM4, and MM7 traffic types are supported by FortiOS Carrier.
    Default: varies.
file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip | bzip2 | cab | jad
    | elf | exe | fsg | gzip | hlp | hta | html | javascript | lzh | msc | msoffice | mime | petite | prc
    | rar | class | sis | tar | upx | uue | cod | zip}
    This command is only available and valid when filter-type is set to type.
    Select the type of file the file filter will search for. Note that unlike the file pattern filter, this file type
    filter examines the file contents to determine what type of file it is. The file name and file extension are
    ignored.
    Because of the way the file type filter works, renaming files to make them appear to be of a different type
    will not allow them past the FortiGate unit without detection.
    Two of the available options are not file types:
    • Select unknown to configure a rule affecting every file format the file type filter does not recognize.
      Unknown includes every file format not available in the file-type command.
    • Select ignored to configure a rule affecting traffic the FortiGate unit typically does not scan. This
      includes primarily streaming audio and video.
    Default: unknown
filter-type {pattern | type}
    Select the file filter detection method.
    • Enter pattern to examine files only by their names. For example, if filter-type is set to pattern,
      and the pattern is *.zip, all files ending in .zip will trigger this file filter. Even files ending in .zip
      that are not actually ZIP archives will trigger this filter.
    • Enter type to examine files only by their contents. Using the above example, if filter-type is set to
      type, and the type is zip, all ZIP archives will trigger this file filter. Even files renamed with non-zip
      file extensions will trigger this filter.
    Default: pattern
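The difference between the pattern and type detection methods, shown as an added Python example; this is illustration code written for this reference, not FortiOS code. The magic-number table, the file names and the byte strings are constructed for the example, and the FortiGate unit's own type detection covers far more formats than the handful listed here:

```python
import fnmatch

# Constructed table of well-known file signatures (first bytes of the file).
# A real type filter recognizes many more formats; this is enough to show the idea.
MAGIC = {
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],   # ZIP local file header / empty archive
    "gzip": [b"\x1f\x8b"],
    "elf":  [b"\x7fELF"],
    "exe":  [b"MZ"],
    "rar":  [b"Rar!\x1a\x07"],
    "cab":  [b"MSCF"],
}

def sniff_type(data: bytes) -> str:
    """Identify a file by its content, the way filter-type type does: the name is ignored.
    Anything outside the table above is reported as 'unknown'."""
    for ftype, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ftype
    return "unknown"

def pattern_filter(name: str, pattern: str) -> bool:
    """filter-type pattern: match the file name only (case-insensitive glob such as *.zip)."""
    return fnmatch.fnmatch(name.lower(), pattern.lower())

def type_filter(data: bytes, file_type: str) -> bool:
    """filter-type type: match the sniffed content type only."""
    return sniff_type(data) == file_type

# Constructed sample transfers: (file name, first bytes of the file). Not captured traffic.
SAMPLES = [
    ("report.zip", b"PK\x03\x04" + b"\x00" * 26 + b"a.txt..."),   # genuine ZIP archive
    ("notes.zip",  b"Just some plain text, renamed to .zip"),     # not a ZIP at all
    ("photo.jpg",  b"PK\x03\x04" + b"\x00" * 26 + b"x.doc..."),   # ZIP renamed to .jpg
    ("tool.bin",   b"\x7fELF\x02\x01\x01\x00"),                   # ELF binary
]

def evaluate(samples, pattern: str = "*.zip", file_type: str = "zip") -> dict:
    """Return {name: (blocked by pattern filter, blocked by type filter)} for each sample."""
    return {name: (pattern_filter(name, pattern), type_filter(data, file_type))
            for name, data in samples}

if __name__ == "__main__":
    for name, (by_pattern, by_type) in evaluate(SAMPLES).items():
        print(f"{name:12} pattern={'block' if by_pattern else 'allow':5} "
              f"type={'block' if by_type else 'allow'}")
```

The renamed archive (photo.jpg) slips past the name-based filter but not the content-based one, while the plain text file called notes.zip is blocked only by the name-based filter; that is the trade-off the filter-type variable selects.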
fp-doc-source
Use this command to add fingerprinting document sources including the server and filepath for the source files.
Syntax
config dlp fp-doc-source
    edit <name>
        set date <int>
        set file-path <server_filepath>
        set file-pattern <wildcard_pattern>
        set keep-modified {enable | disable}
        set password <pwd_string>
        set period {daily | weekly | monthly | none}
        set remove-deleted {enable | disable}
        set scan-subdirectories {enable | disable}
        set sensitivity <name>
        set server <server_location>
        set server-type <samba>
        set tod-hour <int>
        set tod-min <int>
        set username <string>
        set weekday <day_str>
end
<name>
    Enter a name for this document source.
date <int>
    Set the date (day of month) to check the server. This is available when period is monthly.
    Default: 1
file-path <server_filepath>
    Enter the path to the file on the server.
file-pattern <wildcard_pattern>
    Enter the file pattern to match when using DLP blocking. Can include wildcards, and should include the file
    type. For example, to match all files that end in fortinet.xls you would enter
    set file-pattern "*fortinet.xls".
keep-modified {enable | disable}
    Enable to keep modified files in the list.
password <pwd_string>
    Enter the Samba password string to use when logging into the server.
period {daily | weekly | monthly | none}
    Select the interval of time to use when checking the server.
    Default: none
remove-deleted {enable | disable}
    Select enable to remove deleted chunks of documents from the server.
scan-subdirectories {enable | disable}
    Enable to scan directories contained in the current directory while fingerprinting documents.
sensitivity <name>
    Select a configured sensitivity label to apply to this configuration.
server <server_location>
    Enter the IP address or IPv6 location of the server.
server-type <samba>
    Enter the type of DLP server. Currently only samba servers are supported.
    Default: samba
tod-hour <int>
    Set the time of day (hour) to check the server. This is available when period is not none.
    Default: 1
tod-min <int>
    Set the time of day (minute) to check the server. This is available when period is not none.
    Default: 0
username <string>
    Enter the Samba login name to use when logging into the server.
weekday <day_str>
    Enter the day of the week (e.g., “monday”) to check the server. This is available when period is weekly.
    Default: sunday
fp-sensitivity
Use this command to add fingerprinting sensitivity labels that can be applied to document sources and DLP rules.
These entries are labels only.
Syntax
config dlp fp-sensitivity
    edit <name_string>
end
<name_string>
    Enter a string that will be a label. It will be used to describe DLP rules.
rule
Use this command to add or edit DLP rules. DLP rules are the core element of the data leak prevention feature. These
rules define the data to be protected so the FortiGate unit can recognize it. For example, an included rule uses a
regular expression to describe a Social Security number:
([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}
Rather than having to list every possible Social Security number, this regular expression describes the structure of a
Social Security number. The pattern is easily recognizable by the FortiGate unit.
DLP rules can be combined into compound rules and they can be included in sensors. If rules are specified directly in
a sensor, traffic matching any single rule will trigger the configured action. If the rules are first combined into a
compound rule and then specified in a sensor, every rule in the compound rule must match the traffic to trigger the
configured action.
Individual rules in a sensor are linked with an implicit OR condition while rules within a compound rule are linked with
an implicit AND condition.
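The OR semantics of rules placed directly in a sensor and the AND semantics of a compound rule, together with the Social Security number expression quoted above, as an added Python example. This is illustration code written for this reference, not FortiOS code; the Rule, CompoundRule and sensor_hits names are this example's own, and the SMTP messages are constructed. The two spam rules are the ones used in the “dlp compound” example (sender spammer@example.com, the word “sale” in the body):

```python
import re
from dataclasses import dataclass
from typing import List

# The Social Security number regular expression quoted on this page.
SSN_REGEX = r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}"

@dataclass
class Rule:
    """A single-attribute DLP rule: one field examined with one regular expression."""
    name: str
    field: str      # message attribute to examine, e.g. "sender" or "body"
    regexp: str

    def matches(self, msg: dict) -> bool:
        return re.search(self.regexp, msg.get(self.field, "")) is not None

@dataclass
class CompoundRule:
    """Members are ANDed: every member rule must match the same message."""
    name: str
    member: List[Rule]

    def matches(self, msg: dict) -> bool:
        return all(rule.matches(msg) for rule in self.member)

def sensor_hits(msg: dict, filters) -> List[str]:
    """A sensor ORs its filters: return the names of all filters that trigger."""
    return [f.name for f in filters if f.matches(msg)]

# Rules from the page's compound-rule example, plus one using the SSN expression.
SENDER_RULE = Rule("spammer-sender", "sender", r"spammer@example\.com")
SALE_RULE = Rule("sale-in-body", "body", r"\bsale\b")
SSN_RULE = Rule("ssn-in-body", "body", SSN_REGEX)
SPAM_COMPOUND = CompoundRule("spammer-and-sale", [SENDER_RULE, SALE_RULE])

# Constructed SMTP messages (not captured traffic).
MESSAGES = {
    "both":   {"sender": "spammer@example.com", "body": "Big sale today only"},
    "sender": {"sender": "spammer@example.com", "body": "Quarterly report attached"},
    "ssn":    {"sender": "alice@example.com",   "body": "Applicant SSN 123-45-6789"},
    "clean":  {"sender": "alice@example.com",   "body": "Lunch at noon?"},
}

def evaluate(msg: dict) -> dict:
    """Compare a sensor holding the two rules directly with one holding the compound rule."""
    return {
        "individual": sensor_hits(msg, [SENDER_RULE, SALE_RULE, SSN_RULE]),
        "compound":   sensor_hits(msg, [SPAM_COMPOUND, SSN_RULE]),
    }

if __name__ == "__main__":
    for label, msg in MESSAGES.items():
        print(label, evaluate(msg))
```

A message from spammer@example.com without “sale” in the body triggers the sender rule in the first sensor but nothing in the second, which is exactly the difference the text describes. Note also that the quoted expression requires a space or hyphen before the last four digits, so an unseparated nine-digit number does not match it.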
Syntax
config dlp rule
    edit rule_name <rule_str>
        set description <desc_str>
        set field {always | attachment-size | attachment-text | attachment-type | body
            | cgi-parameters | cookie-content | encrypted | file-pattern | file-bytes
            | file_size | file-text | file-type | fingerprint | header | hostname
            | receiver | regex | sender | server | subject | transfer-size | url | user
            | user-group}
        set file-bytes <data_str>
        set file-byte-hex {enable | disable}
        set file-byte-offset <offset_int>
        set file-pattern <pattern_str>
        set file-pattern-negated {enable | disable}
        set file-scan {archive-content archive-whole ms-word-content ms-word-whole
            pdf-content pdf-whole}
        set file-type <type_int>
        set file-type-negated {enable | disable}
        set http-header-field <field_name_str>
        set http-header-pattern <pattern_str>
        set http-header-negated {enable | disable}
        set http-header-wildcard {enable | disable}
        set http-header-utf8 {enable | disable}
        set match-percentage <int>
        set negated {enable | disable}
        set operator {equal | greater-equal | less-equal | not-equal}
        set protocol {email | http | https | ftp | nntp | im | all}
        set regexp <regex_str>
        set regexp-negated {enable | disable}
        set regexp-wildcard {enable | disable}
        set regexp-utf8 {enable | disable}
        set rule_name <rule_str>
        set sensitivity <str>
        set string <str>
        set string-negated {enable | disable}
        set sub-protocol <sub_protocol_1> [<sub_protocol_2> ...]
        set value <value_int>
    end
    clone <name1> to <name2>
end
rule_name <rule_str>
    Enter the name of the rule you want to edit. Enter a new name to create a DLP rule.
    No default.
description <desc_str>
    Enter an optional description of the DLP rule. Enclose the description in quotes if you want to include
    spaces.
    No default.
field {always | attachment-size | attachment-text | attachment-type | body | cgi-parameters | cookie-content
    | encrypted | file-pattern | file-bytes | file_size | file-text | file-type | fingerprint | header | hostname
    | receiver | regex | sender | server | subject | transfer-size | url | user | user-group}
    Enter the attribute the DLP rule will examine for a match. The available fields will depend on the protocol
    and sub-protocol you’ve set.
    always — Match all transfers. This option is available for all protocols.
    attachment-size — Check the attachment file size. This option is available for Email.
    attachment-text — Check the attachment for a text string. This option is available for Email.
    attachment-type — Search email messages for file types or file patterns as specified in the selected file
    filter. This option is available for Email.
    body — Search for text in the message or page body. This option is available for Email, HTTP, and NNTP.
    cgi-parameters — Search for a CGI parameter in any web page with CGI code. This option is available for
    HTTP.
    cookie-content — Search the contents of cookies for a text string. This option is available for HTTP.
    encrypted — Check whether files are or are not encrypted. Encrypted files are archives and MS Word files
    protected with passwords. Because they are password protected, the FortiGate unit cannot scan the
    contents of encrypted files.
    file-pattern — Search for file patterns and file types. The patterns and types are configured in file filter
    lists, and a list is selected in the DLP rule. This option is available for FTP, HTTP, IM, and NNTP.
    file-bytes — Search for specific data at a specific location in transferred text files.
    file-size — Search for files of a specified size.
    file-text — Search for text in transferred text files. This option is available in FTP, IM, and NNTP.
    file-type — Search for file patterns and file types. The patterns and types are configured in file filter
    lists, and a list is selected in the DLP rule. This option is available for FTP, HTTP, IM, and NNTP.
    fingerprint — Search for files that have been fingerprinted.
    header — Search for a text string in HTTP headers.
    hostname — Search for the host name when contacting an HTTP server.
    receiver — Search for a text string in the message recipient email address. This option is available for
    Email.
    regexp — Search for a match using a regular expression string.
    sender — Search for a text string in the message sender user ID or email address. This option is available
    for Email and IM.
    server — Search for the server’s IP address in a specified address range. This option is available for FTP
    and NNTP.
    subject — Search for a text string in the message subject. This option is available for Email.
    transfer-size — Check the total size of the information transfer. In the case of email traffic, for example,
    the transfer size includes the message header, body, and any encoded attachment.
    url — Search for the specified URL in HTTP traffic.
    user — Search for traffic from an authenticated user.
    user-group — Search for traffic from any authenticated user in a user group.
    Default: body
file-bytes <data_str>
    Enter the data to be found using the file-bytes attribute.
    Default: null
file-byte-hex {enable | disable}
    Enable to accept hexadecimal data in the file-bytes string.
    Default: disable
file-byte-offset <offset_int>
    Enter the offset in bytes from the beginning of the file for the file-bytes search.
    Default: 0
file-pattern <pattern_str>
    Enter a base-64 string the FortiGate unit will search for in files. A match will trigger the rule.
    No default.
file-pattern-negated {enable | disable}
    Enable to trigger the rule when a file does not contain the pattern specified with the file-pattern
    command.
    Default: disable
file-scan {archive-content archive-whole ms-word-content ms-word-whole pdf-content pdf-whole}
    You can select file options for any protocol to configure how the DLP rule handles archive files, MS-Word
    files, and PDF files found in content traffic.
    Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner. To scan the contents of
    DOCX files, select the archive-content option.
    archive-content — When selected, files within archives are extracted and scanned in the same way as files
    that are not archived.
    archive-whole — When selected, archives are scanned as a whole. The files within the archive are not
    extracted and scanned individually.
    ms-word-content — When selected, the text contents of MS Word DOC documents are extracted and scanned
    for a match. All metadata and binary information is ignored.
    ms-word-whole — When selected, MS Word DOC files are scanned. All binary and metadata information is
    included. If you are scanning for text entered in a DOC file, use the Scan MS-Word option. Binary
    formatting codes and file information may appear within the text, causing text matches to fail.
    pdf-content — When selected, the text contents of PDF documents are extracted and scanned for a match.
    All metadata and binary information is ignored.
    pdf-whole — When selected, PDF files are scanned. All binary and metadata information is included. If you
    are scanning for text in PDF files, use the Scan PDF Text option. Binary formatting codes and file
    information may appear within the text, causing text matches to fail.
    Default: null
file-type <type_int>
    When you set the field command to file-type, use the file-type command to specify which file-type list
    is used. The <type_int> variable corresponds to the list position in the UTM > AntiVirus > File Filter list
    in the web-based manager. For example, enter 3 to specify the third list.
    No default.
file-type-negated {enable | disable}
    Enable to trigger the rule when the file type does not match that specified with the file-type command.
    Default: disable
http-header-field <field_name_str>
    Enter the name of the HTTP header field to examine.
    This command is available only when protocol is set to http, and field is set to header.
    No default.
http-header-pattern <pattern_str>
    Enter the pattern to search for in the HTTP header field specified with the http-header-field command.
    Use regular expression syntax to define the pattern. To use wildcards instead, set http-header-wildcard
    to enable.
    No default.
http-header-negated {enable | disable}
    Enable to trigger the rule when the pattern does not match that specified with the http-header-pattern
    command.
    Default: disable
http-header-wildcard {enable | disable}
    Enable to use wildcard syntax to define the pattern with the http-header-pattern command. When
    disabled, regular expression syntax is used.
    Default: disable
http-header-utf8 {enable | disable}
    Either ASCII or UTF-8 encoding can be used when comparing patterns with network traffic. Enable
    http-header-utf8 to use UTF-8 encoding and disable it to use ASCII.
    Default: disable
match-percentage <int>
    Enter the percentage of a document that must match a fingerprinted document for the result to be
    considered a match. Enter 100 to require an exact match. In this case, even a single changed character
    causes a match failure.
    Default: 50
negated {enable | disable}
    When the field command is set to encrypted, password protected archives and MS Word documents trigger
    the rule. To reverse this behavior and trigger the rule when archives and MS Word documents are not
    password protected, set negated to enable.
    Default: disable
operator {equal | greater-equal | less-equal | not-equal}
    When the FortiGate unit checks sizes or quantities, an operator must be used to specify when the rule is
    triggered. The operators are:
    equal — The rule is triggered when the stated quantity is equal to the quantity detected.
    greater-equal — The rule is triggered when the stated quantity is greater than or equal to the quantity
    detected.
    less-equal — The rule is triggered when the stated quantity is less than or equal to the quantity detected.
    not-equal — The rule is triggered when the stated quantity is not equal to the quantity detected. The
    detected quantity can be greater than or less than the stated quantity.
    Default: equal
protocol {email | http | https | ftp | nntp | im | all}
    Select the type of content traffic to which the DLP rule will apply. The available rule options vary
    depending on the protocol that you select. Select all to include all protocols.
    No default.
regexp <regex_str>
    Enter the regular expression or wildcard to test. Use the regexp-wildcard field to choose between regular
    expression syntax and wildcards.
    No default.
regexp-negated {enable | disable}
    By default, DLP rules are triggered when the FortiGate unit discovers network traffic that matches the
    regular expressions or wildcards specified in DLP rules. Enable regexp-negated to have the DLP rule
    triggered when traffic does not match the regular expression or wildcard specified in the rule.
    Default: disable
regexp-wildcard {enable | disable}
    DLP rule expressions can be written using regular expressions or wildcards. Enable regexp-wildcard to
    use wildcards and disable it to use regular expressions.
    Default: disable
regexp-utf8 {enable | disable}
    Either ASCII or UTF-8 encoding can be used when comparing rules with network traffic. Enable regexp-utf8
    to use UTF-8 encoding and disable it to use plain ASCII.
    Default: disable
sensitivity <str>
    Enter the sensitivity of the rule. The default types are Warning, Private, and Critical.
    No default.
string <str>
    When the field command is set to user or user-group, use the string command to specify the user name
    or user-group name.
    No default.
string-negated {enable | disable}
    Enable string-negated to have the DLP rule triggered when the user or user-group specified with the
    string command does not match.
    Default: disable
sub-protocol <sub_protocol_1> [<sub_protocol_2> ...]
    Set the sub-protocols to which this rule applies. This is not available if protocol is nntp. For other
    protocols, the available sub-protocols are:
    • http: http-get, http-post
    • email: smtp, pop3, imap
    • ftp: ftp-get, ftp-put
    • im: aim (AOL IM), icq, msn, ym (Yahoo IM)
    • session-ctrl: sip, simple, sccp
    If your FortiGate unit supports SSL content scanning and inspection, the following sub-protocols are also
    available:
    • http: https-get, https-post
    • email: smtps, pop3s, imaps
    Separate multiple sub-protocol names with a space.
    Default: null
value <value_int>
    Field types that search for matches based on numbers require a number be specified with the value
    command. For example, the attachment-size field checks attachments based on their size, measured in
    kilobytes.
    Default: 0
clone <name1> to <name2>
    Clone an existing DLP rule. Cloning can be used for upgrading default DLP regular expressions to new
    improved ones.
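How a fingerprint rule with a match-percentage threshold can be evaluated, as an added Python example. This is illustration code written for this reference, not FortiOS code: the FortiGate unit's chunking method and chunk size are not described on this page, so the fixed 64-byte chunks, the SHA-256 digests and the sample document here are all constructed assumptions. The example shows why the page says that, at 100 percent, a single changed character causes a match failure:

```python
import hashlib
from typing import List

# Constructed chunk size for illustration; not the FortiGate unit's internal value.
CHUNK_SIZE = 64

def fingerprint(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[str]:
    """Ordered list of per-chunk digests; the kind of record a document source would keep."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]

def match_percentage(source_fp: List[str], candidate: bytes,
                     chunk_size: int = CHUNK_SIZE) -> int:
    """Share (0..100) of the fingerprinted document's chunks that reappear in the candidate."""
    if not source_fp:
        return 0
    present = set(fingerprint(candidate, chunk_size))
    hits = sum(1 for digest in source_fp if digest in present)
    return (100 * hits) // len(source_fp)

def rule_triggers(source_fp: List[str], candidate: bytes, threshold: int = 50) -> bool:
    """A fingerprint rule fires when the candidate reaches the match-percentage threshold
    (50 is the default shown on this page; 100 demands every chunk)."""
    return match_percentage(source_fp, candidate) >= threshold

# Constructed source document: eight distinct 64-byte chunks of made-up text.
SOURCE = b"".join(
    f"chunk {i:02d}: confidential design notes, section {i} ".encode().ljust(CHUNK_SIZE, b".")
    for i in range(8))
SOURCE_FP = fingerprint(SOURCE)

# Constructed candidates seen "in transit".
CANDIDATES = {
    "identical": SOURCE,
    "half":      SOURCE[:4 * CHUNK_SIZE] + b"X" * (4 * CHUNK_SIZE),  # first half copied verbatim
    "one-byte":  b"C" + SOURCE[1:],   # one character changed inside chunk 0
    "inserted":  b"!" + SOURCE,       # one byte inserted at the front shifts every chunk
}

def report() -> dict:
    """match-percentage for every candidate against the fingerprinted source."""
    return {name: match_percentage(SOURCE_FP, data) for name, data in CANDIDATES.items()}

if __name__ == "__main__":
    for name, pct in report().items():
        print(f"{name:10} {pct:3d}%  triggers at 50: {rule_triggers(SOURCE_FP, CANDIDATES[name])}")
```

The "inserted" candidate scores 0 even though it contains the whole source document, because fixed-offset chunks no longer line up; production fingerprinting schemes choose chunk boundaries from the content itself to avoid exactly this, which is one reason the threshold is usually left below 100.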
sensor
Use this command to create a DLP sensor. DLP sensors are simply collections of DLP rules and DLP compound
rules. The DLP sensor also includes settings such as action, archive, and severity for each rule or compound rule.
Syntax
config dlp sensor
    edit <sensor_str>
        set comment <comment_str>
        set dlp-log {disable | enable}
        set flow-based {disable | enable}
        set nac-quar-log {disable | enable}
        set options {strict-file}
        config filter
            edit <filter_str>
                set action {ban | block | exempt | log-only | quarantine-ip | quarantine-port}
                set archive {disable | enable | summary-only}
                set compound-name <compound_rule_str>
                set expiry {<int>d <int>h <int>m | indefinite}
                set file-type <table_str>
                set file-scan {archive-content | archive-whole}
                set filter-type {advanced-rule | advanced-compound-rule | file-type | file-size
                    | fingerprint | regexp}
                set fp-sensitivity <str>
                set regexp <regex_str>
                set regexp-wildcard {enable | disable}
                set regexp-utf8 {enable | disable}
                set rule-name <advanced_rule_str>
                set severity <severity_int>
                set status {enable | disable}
            end
    clone <name1> to <name2>
end
<sensor_str>
    Enter the name of a sensor to edit. Enter a new name to create a new DLP sensor.
    No default.
comment <comment_str>
    Enter an optional description of the DLP sensor. Enclose the description in quotes if you want to include
    spaces.
    No default.
dlp-log {disable | enable}
    Enable or disable logging for data leak protection.
    Default: enable
flow-based {disable | enable}
    Enable or disable flow-based DLP.
    Default: disable
nac-quar-log {disable | enable}
    Enable or disable logging when data leak protection quarantines a user.
    Default: disable
options {strict-file}
    strict-file is required for file filtering to function when the URL contains a ? character. For example, a
    file pattern configured to block *.exe will not block file.exe if the URL is
    www.example.com/download?filename=file.exe unless strict-file is specified.
    No default.
edit <filter_str>
    Add a rule to a sensor by specifying the name of a DLP rule that has already been added.
    No default.
action {ban | block | exempt | log-only | quarantine-ip | quarantine-port}
    Enter the action taken when the rule is triggered.
    ban — Block all traffic to or from the user using the protocol that triggered the rule and add the user to
    the Banned User list if the user is authenticated. If the user is not authenticated, block all traffic of the
    protocol that triggered the rule from the user’s IP address.
    block — Prevent the traffic matching the rule from being delivered.
    exempt — Prevent any DLP sensors from taking action on matching traffic. This action overrides any other
    action from any matching sensors.
    log-only — Prevent the DLP rule from taking any action on network traffic but log the rule match. Other
    matching rules in the same sensor and other sensors may still operate on matching traffic.
    quarantine-ip — Block access through the FortiGate unit for any IP address that sends traffic matching a
    sensor with this action. The IP address is added to the Banned User list.
    quarantine-port — Block access to the network from any client on the interface that sends traffic
    matching a sensor with this action.
    Default: log-only
archive {disable | enable | summary-only}
    Configure DLP archiving for the rule or compound rule.
    disable — disable DLP archiving for the rule or compound rule. This option is not valid if the rule or
    compound rule protocol is session-ctrl.
    enable — enable full DLP archiving for the rule or compound rule.
    summary-only — enable summary DLP archiving for the rule or compound rule.
    DLP archiving requires a FortiAnalyzer unit or the FortiGuard Analysis and Management Service.
    Default: disable
compound-name <compound_rule_str>
    Enter the compound rule to use when filter-type is set to advanced-compound-rule.
    No default.
expiry {<int>d <int>h <int>m | indefinite}
    For the actions ban, ban-sender, quarantine-ip, and quarantine-port, you can set the duration of the
    ban/quarantine. The duration can be indefinite or a specified number of days, hours, or minutes.
    <int>d — Enter the number of days followed immediately by the letter ‘d’. For example, 7d represents
    seven days.
    <int>h — Enter the number of hours followed immediately by the letter ‘h’. For example, 12h represents
    12 hours.
    <int>m — Enter the number of minutes followed immediately by the letter ‘m’. For example, 30m represents
    30 minutes.
    indefinite — Enter indefinite to keep the ban/quarantine active until the user or IP address is manually
    removed from the banned user list.
    Default: indefinite
file-type <table_str>
    Enter the file pattern table to use when filter-type is set to file-type.
    No default.
file-scan {archive-content | archive-whole}
    Set file-scan to archive-content to have DLP examine the files within compressed archives. DLP will not
    examine files within archives if the setting is archive-whole.
    No default.
filter-type {advanced-rule | advanced-compound-rule | file-type | file-size | fingerprint | regexp}
    Enter the type of DLP rule.
    Default: fingerprint
fp-sensitivity <str>
    Enter the sensitivity of the rule. The default types are Warning, Private, and Critical.
    No default.
regexp <regex_str>
    Enter the regular expression or wildcard to test. Use the regexp-wildcard field to choose between regular
    expression syntax and wildcards.
    No default.
regexp-wildcard {enable | disable}
    DLP rule expressions can be written using regular expressions or wildcards. Enable regexp-wildcard to
    use wildcards and disable it to use regular expressions.
    Default: disable
regexp-utf8 {enable | disable}
    Either ASCII or UTF-8 encoding can be used when comparing rules with network traffic. Enable regexp-utf8
    to use UTF-8 encoding and disable it to use plain ASCII.
    Default: disable
rule-name <advanced_rule_str>
    Enter the advanced rule to use when filter-type is set to advanced-rule.
    No default.
severity <severity_int>
    Enter the severity of the content that the rule or compound rule is a match for. <severity_int> is an
    integer from 1 to 5.
    Use the severity to indicate the seriousness of the problems that would result from the content passing
    through the FortiGate unit. For example, if the DLP rule finds high-security content the severity could be
    5. On the other hand, if the DLP rule finds any content the severity should be 1.
    DLP adds the severity to the severity field of the log message generated when the rule or compound rule
    matches content. The higher the number, the greater the severity.
    Default: 1
status {enable | disable}
    You can disable a sensor rule or compound rule by setting status to disable. The item will be listed as
    part of the sensor, but it will not be used.
    Default: disable
clone <name1> to <name2>
    Clone an existing DLP sensor. Cloning can be used for upgrading default DLP regular expressions to new
    improved ones.
    No default.
settings
Use this command to designate logical storage for the DLP fingerprinting database.
These entries are labels only.
Syntax
config dlp settings
set db-mode {remove-modified-then-oldest | remove-oldest | stop-adding}
set size <maxsize_int>
set storage-device <device>
end
Variable
Description
Default
db-mode {remove-modified-then-oldest | remove-oldest | stop-adding}
Select the method of maintaining the database size.
remove-modified-then-oldest — remove oldest chunks first, and then remove oldest file entries
remove-oldest — just remove the oldest files first
stop-adding — don’t remove files, just stop adding to it.
stop-adding
size <maxsize_int>
Enter the maximum total size of files within storage in MB.
16
storage-device <device>
Enter the storage device name.
No default.
endpoint-control
Use endpoint-control commands to configure the following parts of the Endpoint NAC feature:
• application detection rules
• Endpoint NAC profiles
• the required minimum version of FortiClient Endpoint Security
• the FortiClient installer download location
Endpoint NAC is enabled in firewall policies.
This chapter contains the following sections:
app-detect rule-list
profile
settings
app-detect rule-list
Use this command to configure the application detection part of the Endpoint NAC feature. Endpoint NAC must be
enabled in the firewall policy.
Syntax
config endpoint-control app-detect rule-list
edit <rule_list_name>
set comment <comment_str>
set other-application-action {allow | deny | monitor}
config entries
edit <rule_id>
set category <category_id>
set vendor <vendor_id>
set application <application_id>
set action {allow | deny | monitor}
set status {installed | not-installed | running | not-running}
set tags <tags_str>
end
end
Variable
Description
Default
<rule_list_name>
Enter the application rule list name.
action
{allow | deny | monitor}
Select what to do if this application is running on the endpoint:
• allow — allow the endpoint to connect
• deny — block the endpoint
• monitor — include endpoint’s information in statistics and
logs
deny
application
<application_id>
Select the application ID. Enter 0 for all applications.
For a list of applications, enter set application ?
0
category <category_id>
Enter the application category ID. Enter 0 for all categories.
For a list of category IDs, enter set category ?
0
comment <comment_str>
Optionally enter a descriptive comment.
No default.
other-application-action
{allow | deny | monitor}
Select what to do if applications not included in this list are
running on the endpoint:
• allow — allow the endpoint to connect
• deny — block the endpoint
• monitor — include endpoint’s information in statistics and
logs
monitor
tags <tags_str>
Enter tags for this rule-list entry.
status {installed | not-installed | running | not-running}
Select the condition on which to take action.
installed
vendor <vendor_id>
Enter the vendor ID. Enter 0 for all vendors.
For a list of vendor IDs, enter set vendor ?
0
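Added example (not Fortinet's code) of how the entries of a rule list combine into an endpoint verdict: 0 is a wildcard for category, vendor and application, each entry's status condition is evaluated against the applications it covers, and running applications no entry covers fall under other-application-action. The IDs, the inventory shape and the deny-over-monitor-over-allow precedence are assumptions, not from the page.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = 0  # "Enter 0 for all ..." in category, vendor and application


@dataclass
class Entry:
    """One config entries item of an app-detect rule list (defaults from the table)."""
    rule_id: int
    category: int = ANY
    vendor: int = ANY
    application: int = ANY
    action: str = "deny"
    status: str = "installed"
    tags: str = ""


@dataclass
class RuleList:
    name: str
    entries: List[Entry] = field(default_factory=list)
    other_application_action: str = "monitor"
    comment: str = ""


@dataclass
class DetectedApp:
    """An application reported for the endpoint (constructed shape, not FortiClient's)."""
    category: int
    vendor: int
    application: int
    installed: bool = True
    running: bool = False


def ids_match(entry: Entry, app: DetectedApp) -> bool:
    """0 in an entry field is a wildcard; any other value must equal the app's ID."""
    return all(want in (ANY, have) for want, have in (
        (entry.category, app.category),
        (entry.vendor, app.vendor),
        (entry.application, app.application)))


def condition_holds(entry: Entry, inventory: List[DetectedApp]) -> bool:
    """Evaluate the entry's status condition over the applications it covers."""
    covered = [a for a in inventory if ids_match(entry, a)]
    if entry.status == "installed":
        return any(a.installed for a in covered)
    if entry.status == "running":
        return any(a.running for a in covered)
    if entry.status == "not-installed":
        return not any(a.installed for a in covered)
    if entry.status == "not-running":
        return not any(a.running for a in covered)
    raise ValueError(f"unknown status {entry.status!r}")


def evaluate_endpoint(rules: RuleList, inventory: List[DetectedApp]) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Assumed precedence: any deny blocks the
    endpoint, otherwise any monitor marks it, otherwise it is allowed."""
    verdicts: List[Tuple[str, str]] = []
    for entry in sorted(rules.entries, key=lambda e: e.rule_id):
        if condition_holds(entry, inventory):
            verdicts.append((entry.action,
                             f"entry {entry.rule_id} ({entry.status}) -> {entry.action}"))
    # Running applications that no entry covers fall under other-application-action.
    for app in inventory:
        if app.running and not any(ids_match(e, app) for e in rules.entries):
            verdicts.append((rules.other_application_action,
                             f"application {app.application} not in list -> "
                             f"{rules.other_application_action}"))
    decision = "allow"
    for level in ("monitor", "deny"):  # later levels outrank earlier ones
        if any(action == level for action, _ in verdicts):
            decision = level
    return decision, [reason for _, reason in verdicts]


# Constructed sample rule list: block endpoints running anything in category 5,
# and block endpoints that do not have application 42 installed.
SAMPLE_RULES = RuleList(
    name="corp-apps",
    entries=[
        Entry(rule_id=1, category=5, status="running", action="deny", tags="p2p"),
        Entry(rule_id=2, application=42, status="not-installed", action="deny"),
    ],
    other_application_action="monitor",
)
```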
profile
Use this command to configure an Endpoint NAC profile.
Syntax
config endpoint-control profile
edit <profile_name>
set application-detection {enable | disable}
set application-detection-rule-list <rulelist_name>
set capability-based-check {enable | disable}
set feature-enforcement {enable | disable}
set recommendation-disclaimer {enable | disable}
set require-av {enable | disable | warn}
set require-avuptodate {enable | disable | warn}
set require-firewall {enable | disable | warn}
set require-license {enable | disable | warn}
set require-webfilter {enable | disable | warn}
set replacemsg-override-group <groupname_string>
end
Variable
Description
Default
<profile_name>
Enter a name for this Endpoint NAC profile.
No default.
application-detection
{enable | disable}
Enable application detection.
disable
application-detection-rule-list
<rulelist_name>
Enter the name of the application rule list to use. See
“endpoint-control app-detect rule-list” on page 84. This is
available if application-detection is enabled.
No default.
capability-based-check
{enable | disable}
Enable to allow non-compliant endpoint access.
disable
feature-enforcement
{enable | disable}
Enable to deny access to endpoints that do not have
FortiClient Endpoint Security installed.
disable
recommendation-disclaimer
{enable | disable}
Enable to use the Endpoint NAC Recommendation Portal replacement message, which allows the user to continue without installing FortiClient Endpoint Security. Disable to use the Endpoint NAC Download Portal replacement message, which only allows the user to download the FortiClient Endpoint Security installer.
enable
require-av
{enable | disable | warn}
Enable to deny access to endpoints that do not have the FortiClient antivirus feature enabled. Select warn to warn the user but allow access. This is available if feature-enforcement is enabled.
disable
require-avuptodate
{enable | disable | warn}
Enable to deny access to endpoints with out-of-date FortiClient antivirus signatures. Select warn to warn the user but allow access. This is available if feature-enforcement and require-av are enabled.
disable
require-firewall
{enable | disable | warn}
Enable to deny access to endpoints that do not have the FortiClient firewall enabled. Select warn to warn the user but allow access. This is available if feature-enforcement is enabled.
disable
require-license
{enable | disable | warn}
Enable to deny access to endpoints on which FortiClient is not licensed. Select warn to warn the user but allow access. This is available if feature-enforcement is enabled.
disable
require-webfilter
{enable | disable | warn}
Enable to deny access to endpoints that do not have the
FortiClient web filter feature enabled. Select warn to warn
the user but allow access.
This is available if feature-enforcement is enabled.
disable
replacemsg-override-group
<groupname_string>
Enter the replacement message group name to use for portal message generation. The group must have its group-type set to ec. Maximum of 35 characters long. If no group is specified, the default will take effect. If the group does not contain certain ec messages, they will be loaded from the per-VDOM or global settings.
No default.
settings
Use this command to configure the required minimum version of FortiClient Endpoint Security and the installer
download location. This is part of the Endpoint Control feature.
Syntax
config endpoint-control settings
set compliance-timeout <minutes>
set download-location {custom | fortigate | fortiguard}
set download-custom-link <url>
set enforce-minimum-version {enable | disable}
set version <major.minor.patch>
set version-check {latest | minimum}
end
Variable
Description
Default
compliance-timeout
<minutes>
Enter the inactivity timeout for compliant endpoints.
Range 1 to 480 minutes.
5
download-location {custom
| fortigate | fortiguard}
Select location from which FortiClient application is
downloaded:
custom — set download-custom-link to a URL that
provides the download
fortigate — this FortiGate unit, available on some models
fortiguard — FortiGuard Services
fortiguard
download-custom-link <url>
Enter a URL where the FortiClient installer can be downloaded. This is available if download-location is custom.
No default.
enforce-minimum-version
{enable | disable}
Enable to require that Endpoints run a version of FortiClient
Endpoint Security defined by version or version-check.
disable
version
<major.minor.patch>
Enter the minimum acceptable version of the FortiClient application. This is available if version-check is minimum.
4.0.0
version-check
{latest | minimum}
Enter latest to require the newest version available from the download location. Enter minimum to specify a minimum version in version. This is available if enforce-minimum-version is enabled.
minimum
firewall
Use firewall commands to configure firewall policies and the data they use.
This chapter contains the following sections:
address, address6
addrgrp, addrgrp6
carrier-endpoint-bwl
carrier-endpoint-ip-filter
central-nat
dnstranslation
gtp
interface-policy
interface-policy6
ipmacbinding setting
ipmacbinding table
ippool
ldb-monitor
local-in-policy, local-in-policy6
mms-profile
multicast-policy
policy, policy6
profile-group
profile-protocol-options
schedule onetime
schedule recurring
schedule group
service custom
service explicit-web
service group
service group-explicit-web
shaper per-ip-shaper
shaper traffic-shaper
sniff-interface-policy
sniff-interface-policy6
ssl setting
vip
vipgrp
address, address6
Use this command to configure firewall addresses used in firewall policies. An IPv4 firewall address is a set of one or
more IP addresses, represented as a domain name, an IP address and a subnet mask, or an IP address range. An
IPv6 firewall address is an IPv6 6-to-4 address prefix.
Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an
address is selected in a policy, it cannot be deleted until it is deselected from the policy.
Syntax
config firewall address
edit <name_str>
set associated-interface <interface_str>
set cache-ttl <ttl_int>
set color <color_int>
set comment <comment_string>
set country <country_code>
set end-ip <address_ipv4>
set fqdn <domainname_str>
set start-ip <address_ipv4>
set subnet <address_ipv4mask>
set tags <tags_str>
set type {ipmask | iprange | fqdn | geography | wildcard}
set wildcard <address_ip4mask>
end
config firewall address6
edit <name_str>
set ip6 <address_ipv6prefix>
end
Variable
Description
Default
The following fields are for config firewall address.
<name_str>
Enter the name of the address.
No default.
associated-interface
<interface_str>
Enter the name of the associated interface.
If not configured, the firewall address is bound to an interface
during firewall policy configuration.
No default.
cache-ttl <ttl_int>
Enter minimum time-to-live (TTL) of individual IP addresses in
FQDN cache. This is available when type is fqdn.
0
color <color_int>
Set the icon color to use in the web-based manager.
0 sets the default, color 1.
0
comment <comment_string>
Enter a descriptive comment for this address.
No default.
country <country_code>
Enter the two-letter country code. For a list of codes, enter
set country ? This is available when type is geography.
null
end-ip <address_ipv4>
If type is iprange, enter the last IP address in the range.
0.0.0.0
fqdn <domainname_str>
If type is fqdn, enter the fully qualified domain name (FQDN).
No default.
start-ip <address_ipv4>
If type is iprange, enter the first IP address in the range.
0.0.0.0
subnet <address_ipv4mask>
If type is ipmask, enter an IP address then its subnet mask, in dotted decimal format and separated by a space, or in CIDR format with no separation. For example, you could enter either:
• 172.168.2.5/32
• 172.168.2.5 255.255.255.255
The IP address can be for a single computer or a subnetwork. The subnet mask corresponds to the class of the IP address being added.
• A single computer’s subnet mask is 255.255.255.255 or /32.
• A class A subnet mask is 255.0.0.0 or /8.
• A class B subnet mask is 255.255.0.0 or /16.
• A class C subnet mask is 255.255.255.0 or /24.
0.0.0.0 0.0.0.0
tags <tags_str>
Enter object tags applied to this address. Separate tag names with
spaces.
null
type {ipmask | iprange | fqdn | geography | wildcard}
Select whether this firewall address is a subnet address, an
address range, fully qualified domain name, a geography-based
address, or an IP with a wildcard netmask.
ipmask
wildcard <address_ip4mask>
This is available if type is wildcard.
0.0.0.0 0.0.0.0
The following fields are for config firewall address6.
<name_str>
Enter the name of the IPv6 address prefix.
No default.
ip6 <address_ipv6prefix>
If the IP address is IPv6, enter an IPv6 IP address prefix.
::/0
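Added example (not Fortinet's code) in Python that matches a host IP against firewall address objects of type ipmask, iprange, wildcard and fqdn using the defaults from the table above, and converts a dotted subnet mask to its prefix length. Assumed: a wildcard netmask bit set to 1 must match and a 0 bit is ignored, and a plain dict stands in for the unit's FQDN cache.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass
class FirewallAddress:
    """The config firewall address fields that matter for matching (table defaults)."""
    name: str
    type: str = "ipmask"
    subnet: str = "0.0.0.0 0.0.0.0"     # ipmask: default matches every address
    start_ip: str = "0.0.0.0"           # iprange
    end_ip: str = "0.0.0.0"
    fqdn: str = ""                      # fqdn
    wildcard: str = "0.0.0.0 0.0.0.0"   # wildcard


def parse_ip_mask(text: str) -> Tuple[int, int]:
    """Accept 'a.b.c.d/NN' or 'a.b.c.d m.m.m.m' and return (ip, mask) as integers."""
    ip_s, mask_s = text.split("/") if "/" in text else text.split()
    ip = int(ipaddress.IPv4Address(ip_s))
    if mask_s.isdigit():
        prefix = int(mask_s)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length {prefix}")
        mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    else:
        mask = int(ipaddress.IPv4Address(mask_s))
    return ip, mask


def is_contiguous(mask: int) -> bool:
    """True for a real subnet mask (all 1 bits before all 0 bits)."""
    return mask == 0 or (mask | (mask - 1)) == ALL_ONES


def prefix_length(mask_s: str) -> Optional[int]:
    """Dotted subnet mask -> CIDR prefix length, or None if the mask is not contiguous."""
    mask = int(ipaddress.IPv4Address(mask_s))
    return bin(mask).count("1") if is_contiguous(mask) else None


def matches(addr: FirewallAddress, host: str,
            fqdn_cache: Optional[Dict[str, List[str]]] = None) -> bool:
    """Does the host IP fall inside this firewall address object?"""
    h = int(ipaddress.IPv4Address(host))
    if addr.type == "ipmask":
        ip, mask = parse_ip_mask(addr.subnet)
        if not is_contiguous(mask):
            raise ValueError("ipmask needs a contiguous mask; use type wildcard instead")
        return (h & mask) == (ip & mask)
    if addr.type == "wildcard":
        # Assumption: bits set in the wildcard netmask must match, cleared bits are ignored,
        # so the mask may be non-contiguous (e.g. match .1 hosts in every /24 of 10.0/16).
        ip, mask = parse_ip_mask(addr.wildcard)
        return (h & mask) == (ip & mask)
    if addr.type == "iprange":
        lo = int(ipaddress.IPv4Address(addr.start_ip))
        hi = int(ipaddress.IPv4Address(addr.end_ip))
        return lo <= h <= hi
    if addr.type == "fqdn":
        # The unit compares against its FQDN cache; a constructed dict stands in for it here.
        return host in (fqdn_cache or {}).get(addr.fqdn, [])
    raise ValueError(f"type {addr.type!r} needs data this example does not model (GeoIP)")
```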
addrgrp, addrgrp6
Use this command to configure firewall address groups used in firewall policies.
You can organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For
example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall
address group consisting of the three firewall addresses, then create one firewall policy using that firewall address
group.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. If an
address group is selected in a policy, it cannot be deleted unless it is first deselected in the policy.
Syntax
config firewall addrgrp, addrgrp6
edit <name_str>
set comment <comment_string>
set member <name_str>
set color <color_int>
end
Variable
Description
Default
<name_str>
Enter the name of the address group.
No default.
comment <comment_string>
Enter any comments for this address group.
No default.
member <name_str>
Enter one or more names of firewall addresses to add to the
address group. Separate multiple names with a space. To
remove an address name from the group, retype the entire new
list, omitting the address name.
No default.
color <color_int>
Set the icon color to use in the web-based manager.
0 sets the default, color 1.
0
carrier-endpoint-bwl
Use FortiOS Carrier carrier end point filtering (also called carrier end point blocking) to control access to MMS
services for users according to their carrier end point. Carrier end point filtering can filter MM1, MM3, MM4, and MM7
messages according to the carrier end points in the From or To addresses of the messages.
Syntax
config firewall carrier-endpoint-bwl
edit <carr-endpnt-lst-integer>
set comment <carr_endpnt_lst_comment>
config entries
edit <carr_endpnt_pattern>
set pattern-type {regexp | wildcard | simple}
set action {none | block | exempt-mass-MMS | exempt}
set log-action {archive | intercept}
set status {enable | disable}
next
set name <carr_endpnt_lst_name>
next
end
Variable
Description
Default
action {none | block | exempt-mass-MMS | exempt}
The action (or actions archive and intercept) to take if
the carrier end point expression is found in the list.
none — no action is taken
block — message is not delivered to intended recipient, log
message in AV LOG as blocked due to carrier end point
exempt-mass-MMS — no mass MMS scanning performed
exempt — exempt user messages from all scanning
block
log-action
{archive | intercept}
archive — Message is delivered to intended recipient,
MMS transaction is forwarded to FortiAnalyzer archive, an
entry is generated in content summary for FortiGate unit.
intercept — Message is delivered to intended recipient,
files are quarantined based on quarantine configuration, log
message in AV LOG as intercepted due to carrier end point.
No default
<carr_endpnt_lst_comment>
Optional description of the carrier end point filter list. The
comment text must be less than 63 characters long, or it will
be truncated. Spaces are replaced with a plus sign (+).
null
<carr_endpnt_pattern>
The carrier end point pattern to use for filtering/searching.
No default
<carr-endpnt-lst-integer>
A unique number to identify the carrier end point filter list.
No default
name <carr_endpnt_lst_name>
The name of the carrier end point filter list.
null
pattern-type {regexp
| wildcard | simple}
Set the pattern type for the banned word. Choose from regexp, wildcard, or simple. Create patterns for banned carrier end point expressions using Perl regular expressions or wildcards.
wildcard
status {enable | disable}
Enable carrier end point filter search for carrier end point
expression in carr-endpnt-expression.
disable
carrier-endpoint-ip-filter
In mobile networks, neither the user name nor the IP address can be used to identify a specific user. The only element
unique to a user is the carrier end point. The carrier end point IP filter provides a mechanism to block network access
for a specific list of carrier end points.
The carrier end point IP filter feature uses a carrier end point filter list created using the CLI command config firewall
carrier-endpoint-bwl. To set up a carrier end point IP filter, you must create the carrier end point filter list prior to
enabling the carrier end point IP filter feature.
Syntax
config firewall carrier-endpoint-ip-filter
edit <carr_endpnt>
set log-status {enable | disable}
set status {enable | disable}
next
end
Variable
Description
Default
<carr_endpnt>
The carrier end point to be blocked.
No default
log-status {enable | disable}
Enable or disable writing a log message when the
carrier end point is blocked.
disable
status {enable | disable}
Enable or disable blocking the carrier end point.
disable
central-nat
Use this command to create NAT rules as well as NAT mappings that are set up by the global firewall table. Multiple NAT rules can be added on a FortiGate unit, and these NAT rules can be used in firewall policies.
A typical NAT rule consists of:
• source IP address
• original port number
• translated IP address
• translated port number
IP addresses can be a single address or multiple addresses that are predefined with an IP pool. Similarly, port numbers can be a single port or a range of ports.
Syntax
config firewall central-nat
edit <name_str>
set status {enable | disable}
set orig-addr <name_ip>
set nat-ippool <name_ip>
set orig-port <port_int>
set nat-port <port_int-port_int>
end
end
Variable
Description
Default
status {enable | disable}
Enable or disable central NAT rule
enable
orig-addr <name_ip>
Enter source ip address name
nat-ippool <name_ip>
Enter translated ip pool name for translated addresses
orig-port <port_int>
Enter port number of the source ip
0
nat-port <port_int-port_int>
Enter translated port or port range
0
dnstranslation
Use this command to add, edit or delete a DNS translation entry. If DNS translation is configured, the FortiGate unit
rewrites the payload of outbound DNS query replies from internal DNS servers, replacing the resolved names’ internal
network IP addresses with external network IP address equivalents, such as a virtual IP address on a FortiGate unit’s
external network interface. This allows external network hosts to use an internal network DNS server for domain
name resolution of hosts located on the internal network.
Syntax
config firewall dnstranslation
edit <index_int>
set dst <destination_ipv4>
set netmask <address_ipv4mask>
set src <source_ipv4>
end
Variable
Description
Default
<index_int>
Enter the unique ID number of the DNS translation entry.
No default.
dst <destination_ipv4>
Enter the IP address or subnet on the external network to
substitute for the resolved address in DNS query replies.
dst can be either a single IP address or a subnet on the external
network, but must be equal in number to the number of mapped IP
addresses in src.
0.0.0.0
netmask
<address_ipv4mask>
If src and dst are subnets rather than single IP addresses, enter
the netmask for both src and dst.
0.0.0.0
src <source_ipv4>
Enter the IP address or subnet on the internal network to compare
with the resolved address in DNS query replies. If the resolved
address matches, the resolved address is substituted with dst.
0.0.0.0
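Added example (not Fortinet's code) of the substitution this command describes, applied to the A records of an outbound reply: a resolved address inside src is replaced by the address at the same offset inside dst, so src and dst map one-to-one under the shared netmask. Assumed: an entry left at the default netmask 0.0.0.0 is an exact single-host mapping rather than a match-all; the entries and reply records are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass
class DnsTranslation:
    """One config firewall dnstranslation entry (defaults from the table)."""
    index: int
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    netmask: str = "0.0.0.0"


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def translate_address(entries: List[DnsTranslation], resolved: str) -> Optional[str]:
    """Map one resolved internal address to its external equivalent, or None
    when no entry covers it. Entries are tried in index order (assumption)."""
    r = _to_int(resolved)
    for entry in sorted(entries, key=lambda e: e.index):
        src, dst, mask = _to_int(entry.src), _to_int(entry.dst), _to_int(entry.netmask)
        if mask == 0:
            # Assumption: default netmask means src and dst are single hosts.
            if r == src:
                return entry.dst
            continue
        if (r & mask) == (src & mask):
            # Keep the host bits, so the n-th address of src becomes the n-th of dst.
            host_bits = r & (~mask & ALL_ONES)
            return str(ipaddress.IPv4Address((dst & mask) | host_bits))
    return None


def rewrite_reply(entries: List[DnsTranslation],
                  answers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Rewrite the (name, address) A records of a reply; unmatched records pass unchanged."""
    return [(name, translate_address(entries, ip) or ip) for name, ip in answers]


# Constructed sample configuration: one single-host mapping and one /24 subnet mapping.
SAMPLE_ENTRIES = [
    DnsTranslation(1, src="192.168.1.10", dst="203.0.113.10"),
    DnsTranslation(2, src="192.168.2.0", dst="203.0.113.0", netmask="255.255.255.0"),
]
```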
gtp
Use this command to configure GTP profiles. This command is FortiOS Carrier only.
Syntax
config firewall gtp
edit <name_str>
config apn
edit index_int
set action {allow | deny}
set selection-mode {ms net vrf}
set value <networkid_str>
end
config ie-remove-policy
edit <index_int>
set remove-ies {apn-restriction rat-type rai uli imei}
set sgsn-addr <addr/group_str>
end
config ie-validation
set apn-restriction {disable | enable}
set charging-ID {disable | enable}
set charging-gateway-addr {disable | enable}
set end-user-addr {disable | enable}
set gsn-addr {disable | enable}
set imei {disable | enable}
set imsi {disable | enable}
set mm-context {disable | enable}
set ms-tzone {disable | enable}
set ms-validated {disable | enable}
set msisdn {disable | enable}
set nsapi {disable | enable}
set pdp-context {disable | enable}
set qos-profile {disable | enable}
set rai {disable | enable}
set rat-type {disable | enable}
set reordering-required {disable | enable}
set selection-mode {disable | enable}
set uli {disable | enable}
end
config imsi
edit <index_int>
set action {allow | deny}
set apn <networkid_str>
set mcc-mnc <mccmnc_str>
set selection-mode {ms net vrf}
end
config ip-policy
edit <index_int>
set action {allow | deny}
set dstaddr <address_str>
set srcaddr <address_str>
end
config message-filter
edit <index_int>
set create-aa-pdp {allow | deny}
set create-mbms {allow | deny}
set create-pdp {allow | deny}
set data-record {allow | deny}
set delete-aa-pdp {allow | deny}
set delete-mbms {allow | deny}
set delete-pdp {allow | deny}
set echo {allow | deny}
set error-indication {allow | deny}
set failure-report {allow | deny}
set fwd-relocation {allow | deny}
set fwd-srns-context {allow | deny}
set gtp-pdu {allow | deny}
set identification {allow | deny}
set mbms-notification {allow | deny}
set node-alive {allow | deny}
set note-ms-present {allow | deny}
set pdu-notification {allow | deny}
set ran-info {allow | deny}
set redirection {allow | deny}
set relocation-cancel {allow | deny}
set send-route {allow | deny}
set sgsn-context {allow | deny}
set support-extension {allow | deny}
set unknown-message-action {allow | deny}
set update-mbms {allow | deny}
set update-pdp {allow | deny}
set version-not-support {allow | deny}
end
config message-rate-limit
edit <index_int>
set
set
set
end
config noip-policy
edit <index_int>
set action {allow | deny}
set start <protocol_int>
set end <protocol_int>
set type {etsi | ietf}
end
config policy
edit <index_int>
set action {allow | deny}
set apn <apn_str>
set imei <imei_str>
set imsi <imsi_str>
set max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
set messages {create-req create-res update-req update-res}
set rai <rai_str>
set rat-type {any geran utran wlan}
set uli <uli_str>
end
set addr-notify <Gi_ipv4>
set apn-filter {enable | disable}
set authorized-sgsns <addr/grp_str>
set context-id <id_int>
set control-plane-message-rate-limit <limit_int>
set create-aa-pdp {allow | deny}
set create-pdp {allow | deny}
set data-record {allow | deny}
set default-apn-action {allow | deny}
set default-imsi-action {allow | deny}
set default-ip-action {allow | deny}
set default-noip-action {allow | deny}
set default-policy-action {allow | deny}
set delete-aa-pdp {allow | deny}
set delete-pdp {allow | deny}
set denied-log {enable | disable}
set echo {allow | deny}
set error-indication {allow | deny}
set extension-log {enable | disable}
set failure-report {allow | deny}
set forwarded-log {enable | disable}
set fwd-relocation {allow | deny}
set fwd-srns-context {allow | deny}
set gtp-in-gtp {allow | deny}
set gtp-pdu {allow | deny}
set handover-group
set identification {allow | deny}
set ie-remover {enable | disable}
set imsi-filter {enable | disable}
set interface-notify <interface_str>
set invalid-reserved-field {allow | deny}
set ip-filter {enable | disable}
set log-freq <drop_int>
set max-message-length <bytes_int>
set min-message-length <bytes_int>
set miss-must-ie {allow | deny}
set node-alive {allow | deny}
set noip-filter {enable | disable}
set note-ms-present {allow | deny}
set out-of-state-ie {allow | deny}
set out-of-state-message {allow | deny}
set pdu-notification {allow | deny}
set policy-filter {enable | disable}
set port-notify <port_int>
set ran-info {allow | deny}
set rate-limited-log {enable | disable}
set redirection {allow | deny}
set relocation-cancel {allow | deny}
set reserved-ie {allow | deny}
set send-route {allow | deny}
set seq-number-validate {enable | disable}
set sgsn-context {allow | deny}
set spoof-src-addr {allow | deny}
set state-invalid-log {enable | disable}
set support-extension {allow | deny}
set traffic-count-log {enable | disable}
set tunnel-limit <limit_int>
set tunnel-limit-log {enable | disable}
set tunnel-timeout <time_int>
set unknown-message-action {allow | deny}
set update-pdp {allow | deny}
set version-not-support {allow | deny}
end
Variable
Description
Default
<name_str>
Enter the name of this GTP profile.
No default.
apn
The following commands are the options for config apn.
index_int
Enter the unique ID number of the APN filter profile.
No default.
action {allow | deny}
Select to allow or deny traffic matching both the APN
and Selection Mode specified for this APN filter profile.
allow
selection-mode {ms net vrf}
Select the selection mode or modes required for the
APN. The selection mode indicates where the APN
originated and whether the Home Location Register
(HLR) has verified the user subscription.
• Enter ms to specify a mobile station provided APN,
subscription not verified. This Selection Mode
indicates that the mobile station (MS) provided the
APN and that the HLR did not verify the user's
subscription to the network.
• Enter net to specify a network-provided APN,
subscription not verified. This Selection Mode
indicates that the network provided a default APN
because the MS did not specify one, and that the
HLR did not verify the user's subscription to the
network.
• Enter vrf to specify a mobile station or network-provided APN, subscription verified. This Selection
Mode indicates that the MS or the network provided
the APN and that the HLR verified the user's
subscription to the network.
ms net vrf
value <networkid_str>
Enter the network ID and operator ID of the APN.
No default.
ie-remove-policy
The following commands are the set options for config ie-remove-policy.
<index_int>
Enter the unique ID number of the IE removal policy.
No default.
remove-ies {apn-restriction rat-type rai uli imei}
Select the information elements to be removed from messages prior to being forwarded to the HGGSN. Any combination of R6 information elements (RAT, RAI, ULI, IMEI-SV and APN restrictions) may be specified.
apn-restriction rat-type rai uli imei
sgsn-addr <addr/group_str>
Enter an SGSN address or group the IE removal policy
will be applied to.
all
ie-validation
The following commands allow validating specific parts of the IE.
apn-restriction
{disable | enable}
Enable to restrict the Access Point Number (APN).
Restricting the APN limits the IP packet data networks
that can be associated with the GTP tunnel.
disable
charging-ID
{disable | enable}
Enable to validate the charging ID in the IE.
disable
charging-gateway-addr
{disable | enable}
Enable to validate the charging gateway address.
disable
end-user-addr
{disable | enable}
Enable to validate the end user address.
disable
gsn-addr {disable | enable}
Enable to validate the GSN address.
disable
imei {disable | enable}
Enable to validate the IMEI (SV).
disable
imsi {disable | enable}
Enable to validate the IMSI.
disable
mm-context
{disable | enable}
Enable to validate the MM context.
disable
ms-tzone {disable | enable}
Enable to validate the mobile station (MS) timezone.
disable
ms-validated
{disable | enable}
Enable to validate the MS.
disable
msisdn {disable | enable}
Enable to validate the MSISDN.
disable
nsapi {disable | enable}
Enable to validate the NSAPI.
disable
pdp-context
{disable | enable}
Enable to validate the PDP context.
disable
qos-profile
{disable | enable}
Enable to validate the Quality of Service (QoS).
disable
rai {disable | enable}
Enable to validate the RAI.
disable
rat-type {disable | enable}
Enable to validate the RAT type.
disable
reordering-required
{disable | enable}
Enable to validate the required reordering.
disable
selection-mode
{disable | enable}
Enable to validate the selection mode.
disable
uli {disable | enable}
Enable to validate the User Location Information (ULI).
disable
imsi
The following commands are the options for config imsi.
<index_int>
Enter the unique ID number of the IMSI filtering policy.
disable
action {allow | deny}
Select to allow or deny traffic matching both the APN and Selection Mode specified for this APN filter profile.
allow
apn <networkid_str>
Enter the network ID and operator ID of the APN.
No default.
mcc-mnc <mccmnc_str>
Enter the MCC and MNC.
No default.
selection-mode {ms net vrf}
Select the selection mode or modes. The selection mode indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
• Enter ms to specify a mobile station provided APN, subscription not verified. This Selection Mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
• Enter net to specify a network-provided APN, subscription not verified. This Selection Mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
• Enter vrf to specify a mobile station or network-provided APN, subscription verified. This Selection Mode indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network.
ms net vrf
ip-policy
The following commands are the options for config ip-policy.
<index_int>
    Enter the unique ID number of the encapsulated IP traffic filtering policy.
    No default.
action {allow | deny}
    Select to allow or deny traffic matching both the source and destination
    addresses specified for this APN filter profile.
    Default: allow
dstaddr <address_str>
    Enter the name of a destination address or address group.
    No default.
srcaddr <address_str>
    Enter the name of a source address or address group.
    No default.
message-filter
The following tunnel management messages are used to create, update and delete the tunnels that route tunneled
PDUs between an MS and a PDN via the SGSN and GGSN.
create-aa-pdp {allow | deny}
    Allow Anonymous Access Packet Data Protocol (AA PDP) tunnel management
    messages. These messages are used to create a tunnel between a context in
    the SGSN and a context in the GGSN.
    Default: allow
create-mbms {allow | deny}
    Allow Multimedia Broadcast Multicast Service (MBMS) create messages. These
    messages occur when a GTP-U tunnel is set up for a multicast flow.
    Default: allow
create-pdp {allow | deny}
    Allow create PDP context tunnel management messages. These are sent from an
    SGSN to a GGSN node as part of the GPRS PDP Context Activation procedure.
    Default: allow
data-record {allow | deny}
    Allow data record messages. Data record messages are used to reliably
    transport CDRs from the point of generation (SGSN/GGSN) to non-volatile
    storage in the CGF.
    Default: allow
delete-aa-pdp {allow | deny}
    Allow Anonymous Access (AA) PDP context tunnel management messages. These
    messages are sent between the SGSN and GGSN as part of the AA PDP context
    deactivation procedure.
    Default: allow
delete-mbms {allow | deny}
    Allow delete MBMS messages. These messages are part of the request to
    deactivate the MBMS context. When the response is received, the MBMS
    context will be inactive.
    Default: allow
delete-pdp {allow | deny}
    Allow delete PDP context tunnel management messages. These messages are
    sent as part of the GPRS Detach Procedure to deactivate an activated PDP
    Context.
    Default: allow
echo {allow | deny}
    Allow Echo path management messages. These messages are sent to a GSN peer
    to see if it is alive.
    Default: allow
error-indication {allow | deny}
    Allow error indication messages. These messages are sent to the GGSN when
    a tunnel PDU is received and:
    • no PDP context exists
    • the PDP context is inactive
    • no MM context exists
    • the GGSN deletes its PDP context when the message is received
    Default: allow
failure-report {allow | deny}
    Allow failure report messages. The GGSN sends the failure report request,
    and the GSN sends the response. Causes for the failure can include:
    • request accepted
    • no resources available
    • service not supported
    • system failure
    • mandatory IE incorrect
    • mandatory IE missing
    • optional IE incorrect
    • invalid message format
    • version not supported
    Default: allow
fwd-relocation {allow | deny}
    Allow forward relocation mobility management messages. These messages
    indicate mobile activation/deactivation within a Routing Area. This
    prevents paging of a mobile device that is not active (the visited VLR
    rejects calls from the HLR or applies Call Forwarding). Note that the
    mobile station does not maintain an attach/detach state.
    Default: allow
fwd-srns-context {allow | deny}
    Allow forward SRNS context mobility management messages. SRNS contexts
    contain, for each concerned RAB, the sequence numbers of the GTP-PDUs next
    to be transmitted in the uplink and downlink directions. This procedure may
    be used to trigger the transfer of SRNS contexts from RNC to CN (PS domain)
    in case of inter-system forward handover.
    Default: allow
gtp-pdu {allow | deny}
    Allow GPRS Packet data unit delivery management messages.
    Default: allow
identification {allow | deny}
    Allow identification mobility management messages. If the mobile station
    (MS) identifies itself at GPRS attach, and the SGSN has changed since the
    detach, the new SGSN will send an identification message to the old SGSN
    to get the IMSI.
    Default: allow
mbms-notification {allow | deny}
    Allow MBMS notification messages. These are used for the notification of
    the radio access devices.
    Default: allow
node-alive {allow | deny}
    Allow node alive GTP-U messages. This message is used to inform the rest of
    the network when a node starts service.
    Default: allow
note-ms-present {allow | deny}
    Allow Note MS messages. This message is sent when an MS should be reachable
    for GPRS.
    Default: allow
pdu-notification {allow | deny}
    Allow PDU notification messages, including the response, request, and
    reject response. These messages are sent between the GGSN and SGSN as part
    of the new PDP context initiation procedure.
    Default: allow
ran-info {allow | deny}
    Allow Radio Access Network (RAN) information messages.
    Default: allow
redirection {allow | deny}
    Allow redirection GTP-U messages. These are used to divert the flow of CDRs
    from the CDFs to another CGF when the sender is being removed, or when the
    CGF has lost its connection to a downstream system.
    Default: allow
relocation-cancel {allow | deny}
    Allow relocation cancel mobility messages. These are sent to cancel the
    relocation of a connection.
    Default: allow
send-route {allow | deny}
    Allow Send Routing Information for GPRS messages. This message is sent to
    get the IP address of the SGSN where the MS is located when there is no PDP
    context.
    Default: allow
sgsn-context {allow | deny}
    Allow Serving GPRS Support Node (SGSN) context request, response, and
    acknowledge messages. The new SGSN will send this message to the old SGSN
    to get the Mobility Management (MM) and PDP contexts for the MS.
    Default: allow
support-extension {allow | deny}
    Allow messages about support for various header extensions.
    Default: allow
unknown-message-action {allow | deny}
    Allow unknown message action messages. This message type should be set to
    deny, as that blocks malformed messages, which may be attempts to break
    into the network.
    Default: allow
update-mbms {allow | deny}
    Allow MBMS update messages.
    Default: allow
update-pdp {allow | deny}
    Allow Update PDP context tunnel management messages. These messages are
    sent as part of the GPRS Inter-SGSN Routing Update procedure, and are used
    to change the QoS and the path.
    Default: allow
version-not-support {allow | deny}
    Allow version not supported path management messages. This message
    indicates the more recent version of GTP that is supported.
    Default: allow
message-rate-limit
The following commands are rate limits in packets per second for various message context requests and
responses. A rate of zero indicates there is no rate limiting in place.
Each of the following rate limits has a default of 0 (no rate limiting).
create-aa-pdp-request
create-aa-pdp-response
create-mbms-request
create-mbms-response
create-pdp-request
create-pdp-response
delete-aa-pdp-request
delete-aa-pdp-response
delete-mbms-request
delete-mbms-response
delete-pdp-request
delete-pdp-response
echo-reponse
echo-request
error-indication
failure-report-request
failure-report-response
fwd-reloc-complete-ack
fwd-relocation-complete
fwd-relocation-request
fwd-relocation-response
fwd-srns-context
fwd-srns-context-ack
g-pdu
identification-request
identification-response
mbms-de-reg-request
mbms-de-reg-response
mbms-notify-rej-request
mbms-notify-rej-response
mbms-notify-request
mbms-notify-response
mbms-reg-request
mbms-reg-response
mbms-ses-start-request
mbms-ses-start-response
mbms-ses-stop-request
mbms-ses-stop-response
note-ms-request
    Rate limit for Note MS GPRS present request messages.
note-ms-response
    Rate limit for Note MS GPRS present response messages.
pdu-notify-rej-request
pdu-notify-rej-response
    Rate limit (packets/s) for PDU notification reject response messages.
pdu-notify-request
pdu-notify-response
ran-info
    Rate limit for RAN information relay messages.
relocation-cancel-request
relocation-cancel-response
send-route-request
send-route-response
sgsn-context-ack
sgsn-context-request
sgsn-context-response
support-ext-hdr-notify
update-mbms-request
update-mbms-response
update-pdp-request
update-pdp-response
version-not-support
noip-policy
The following commands are the options for config noip-policy.
<index_int>
    Enter the unique ID number of the encapsulated non-IP traffic filtering
    policy.
    No default.
action {allow | deny}
    Select to allow or deny traffic matching the message protocol specified for
    this APN filter profile.
    Default: allow
start <protocol_int>
    Enter the number of the start protocol. Acceptable values range from 0 to
    255.
    Default: 0
end <protocol_int>
    Enter the number of the end protocol. Acceptable values range from 0 to
    255.
    Default: 0
type {etsi | ietf}
    Select an ETSI or IETF protocol type.
    Default: etsi
policy
The following commands are the options for config policy.
<index_int>
    Enter the unique ID number of the advanced filtering policy.
    No default.
action {allow | deny}
    Select to allow or deny traffic matching the message attributes specified
    for this advanced filtering policy.
    Default: allow
apn <apn_str>
    Enter the APN suffix, if required.
    No default.
imei <imei_str>
    Enter the IMEI (SV) pattern, if required.
    No default.
imsi <imsi_str>
    Enter the IMSI prefix, if required.
    No default.
max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
    Select the maximum APN restriction.
    Default: all
messages {create-req create-res update-req update-res}
    Enter the type or types of GTP messages.
    Default: create-req
rai <rai_str>
    Enter the Routing Area Identifier (RAI) pattern. The RAI and ULI are
    commonly used to determine a mobile user's location.
    No default.
rat-type {any geran utran wlan}
    Enter one or more Radio Access Technology (RAT) types.
    • any - accept any RAT type
    • geran - GSM EDGE Radio Access Network
    • utran - UMTS Terrestrial Radio Access Network
    • wlan - Wireless LAN
    Default: any
uli <uli_str>
    Enter the ULI pattern.
    No default.
The following commands are the options for edit <profile_str>.
addr-notify <Gi_ipv4>
    Enter the IP address of the Gi firewall.
    Default: 0.0.0.0
apn-filter {enable | disable}
    Select to apply APN filter policies.
    Default: disable
authorized-sgsns <addr/grp_str>
    Enter authorized SGSN addresses or groups. Any SGSN not covered by the
    specified addresses or groups will not be able to send packets to the GGSN.
    All firewall addresses and groups defined on the FortiGate unit are
    available for use with this command.
    Default: all
context-id <id_int>
    Enter the security context ID. This ID must match the ID entered on the
    server Gi firewall.
    Default: 696
control-plane-message-ratelimit <limit_int>
    Enter the control plane message rate limit. Acceptable rate values range
    from 0 (no limiting) to 2147483674 packets per second.
    FortiGate units can limit the packet rate to protect the GSNs from possible
    Denial of Service (DoS) attacks, such as border gateway bandwidth
    saturation or a GTP flood.
    Default: 0
create-aa-pdp {allow | deny}
    Select to allow or deny all create AA PDP messages.
    Default: allow
create-pdp {allow | deny}
    Select to allow or deny all create PDP messages.
    Default: allow
data-record {allow | deny}
    Select to allow or deny all data record messages.
    Default: allow
default-apn-action {allow | deny}
    Select to allow or deny any APN that is not explicitly defined within an
    APN policy.
    Default: allow
default-imsi-action {allow | deny}
    Select to allow or deny any IMSI that is not explicitly defined in an IMSI
    policy.
    Default: allow
default-ip-action {allow | deny}
    Select to allow or deny any encapsulated IP address traffic that is not
    explicitly defined in an IP policy.
    Default: allow
default-noip-action {allow | deny}
    Select to allow or deny any encapsulated non-IP protocol that is not
    explicitly defined in a non-IP policy.
    Default: allow
default-policy-action {allow | deny}
    Select to allow or deny any traffic that is not explicitly defined in an
    advanced filtering policy.
    Default: allow
delete-aa-pdp {allow | deny}
    Select to allow or deny all delete AA PDP messages.
    Default: allow
delete-pdp {allow | deny}
    Select to allow or deny all delete PDP messages.
    Default: allow
denied-log {enable | disable}
    Select to log denied GTP packets.
    Default: disable
echo {allow | deny}
    Select to allow or deny all echo messages.
    Default: allow
error-indication {allow | deny}
    Select to allow or deny all error indication messages.
    Default: allow
extension-log {enable | disable}
    Select to log extended information about GTP packets. When enabled, this
    additional information will be included in log entries:
    • IMSI
    • MSISDN
    • APN
    • Selection Mode
    • SGSN address for signaling
    • SGSN address for user data
    • GGSN address for signaling
    • GGSN address for user data
    Default: disable
failure-report {allow | deny}
    Select to allow or deny all failure report messages.
    Default: allow
forwarded-log {enable | disable}
    Select to log forwarded GTP packets.
    Default: disable
fwd-relocation {allow | deny}
    Select to allow or deny all forward relocation messages.
    Default: allow
fwd-srns-context {allow | deny}
    Select to allow or deny all forward SRNS messages.
    Default: allow
gtp-in-gtp {allow | deny}
    Select to allow or deny GTP packets that contain another GTP packet in
    their message body.
    Default: allow
gtp-pdu {allow | deny}
    Select to allow or deny all G-PDU messages.
    Default: allow
handover-group
    Handover requests will be honored only from the addresses listed in the
    specified address group. This way, an untrusted GSN cannot hijack a GTP
    tunnel with a handover request.
identification {allow | deny}
    Select to allow or deny all identification messages.
    Default: allow
ie-remover {enable | disable}
    Select whether to use information element removal policies.
    Default: disable
imsi-filter {enable | disable}
    Select whether to use IMSI filter policies.
    Default: disable
interface-notify <interface_str>
    Enter any local interface of the FortiGate unit. The interface IP address
    will be used to send the "clear session" message.
invalid-reserved-field {allow | deny}
    Select to allow or deny GTP packets with invalid reserved fields. Depending
    on the GTP version, a varying number of header fields are reserved and
    should contain specific values. If the reserved fields contain incorrect
    values, the packet will be blocked if this field is set to deny.
    Default: deny
ip-filter {enable | disable}
    Select whether to use encapsulated IP traffic filtering policies.
    Default: disable
log-freq <drop_int>
    Enter the number of messages to drop between logged messages.
    An overflow of log messages can sometimes occur when logging rate-limited
    GTP packets that exceed their defined threshold. To conserve resources on
    the syslog server and the FortiGate unit, you can specify that some log
    messages are dropped. For example, if you want only every twentieth
    message to be logged, set a logging frequency of 19. This way, 19 messages
    are skipped and the next one is logged.
    Acceptable frequency values range from 0 to 2147483674. When set to 0, no
    messages are skipped.
    Default: 0
max-message-length <bytes_int>
    Enter the maximum GTP message size, in bytes, that the FortiGate unit will
    allow to pass. Acceptable values range from 0 to 2147483674 bytes. When set
    to 0, the maximum size restriction is disabled.
    Default: 1452
min-message-length <bytes_int>
    Enter the minimum GTP message size, in bytes, that the FortiGate unit will
    allow to pass. Acceptable values range from 0 to 2147483674 bytes. When set
    to 0, the minimum size restriction is disabled.
    Default: 0
miss-must-ie {allow | deny}
    Select to allow or deny passage of GTP packets with missing mandatory
    information elements to the GGSN.
    Default: deny
node-alive {allow | deny}
    Select to allow or deny all node alive messages.
    Default: allow
noip-filter {enable | disable}
    Enable or disable the configured encapsulated non-IP traffic filtering
    policies.
    Default: disable
note-ms-present {allow | deny}
    Select to allow or deny all Note MS GPRS present messages.
    Default: allow
out-of-state-ie {allow | deny}
    Select to allow or deny passage of GTP packets with out of sequence
    information elements.
    Default: deny
out-of-state-message {allow | deny}
    Select to allow or deny out of state messages. The GTP protocol requires a
    certain state to be kept by both the GGSN and SGSN. Since GTP has a state,
    some message types can only be sent when in specific states. Packets that
    do not make sense in the current state should be filtered or rejected.
    Default: deny
pdu-notification {allow | deny}
    Select to allow or deny all PDU notification messages.
    Default: allow
policy-filter {enable | disable}
    Enable or disable the configured advanced filtering policies.
    Default: disable
port-notify <port_int>
    Enter the server firewall's listening port number.
    Default: 21123
ran-info {allow | deny}
    Select to allow or deny all RAN info relay messages.
    Default: allow
rate-limited-log {enable | disable}
    Select to log rate-limited GTP packets.
    Default: disable
redirection {allow | deny}
    Select to allow or deny all redirection messages.
    Default: allow
relocation-cancel {allow | deny}
    Select to allow or deny all relocation cancel messages.
    Default: allow
reserved-ie {allow | deny}
    Select to allow or deny GTP messages with reserved or undefined information
    elements.
    Default: deny
send-route {allow | deny}
    Select to allow or deny all send route messages.
    Default: allow
seq-number-validate {enable | disable}
    Enable or disable sequence number validation. The GTP packet header
    contains a sequence number. The receiving GGSN and the sending GGSN use
    this number to ensure the packets are in sequence. The FortiGate unit can
    assume this task and save GGSN resources.
    Default: disable
sgsn-context {allow | deny}
    Select to allow or deny all SGSN context messages.
    Default: allow
spoof-src-addr {allow | deny}
    Select to allow or deny packets containing spoofed MS addresses. As the MS
    address is negotiated within the PDP Context creation handshake, any
    packets originating from the MS that contain a different source address
    will be detected and dropped if this field is set to deny.
    Default: deny
state-invalid-log {enable | disable}
    Select to log GTP packets that have failed stateful inspection.
    Default: disable
support-extension {allow | deny}
    Select to allow or deny all support extension messages.
    Default: allow
traffic-count-log {enable | disable}
    Enable or disable logging the total number of control and user data
    messages received from and forwarded to the GGSNs and SGSNs the FortiGate
    unit protects.
    Default: disable
tunnel-limit <limit_int>
    Enter the maximum number of GTP tunnels according to the GSN capacity.
    Default: 0
tunnel-limit-log {enable | disable}
    Select to log packets dropped because the maximum limit of GTP tunnels for
    the destination GSN is reached.
    Default: disable
tunnel-timeout <time_int>
    Enter a tunnel timeout value, in seconds. By setting a timeout value, you
    can configure the FortiGate unit to remove hanging tunnels. Acceptable
    values range from 0 to 2147483674 seconds. When set to 0, the timeout is
    disabled.
    Default: 86400
unknown-message-action {allow | deny}
    Select to allow or deny all unknown message types.
    Default: allow
update-pdp {allow | deny}
    Select to allow or deny all update PDP messages.
    Default: allow
version-not-support {allow | deny}
    Select to allow or deny all version not supported messages.
    Default: allow
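The message-filter, message-rate-limit, log-freq and *-log options of a GTP profile act together on every control-plane message. The following Python model is an added illustration, not FortiOS code, and assumes a one-second counting window for the rate limit and that log-freq applies to every log category; it runs a constructed burst through a hardened profile (unknown-message-action deny, as recommended above).

```python
"""Added model of GTP profile message filtering, rate limiting and log-freq.
Not FortiOS code; window and log-freq scope are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class GtpProfile:
    message_filter: dict                      # message type -> "allow" | "deny"
    unknown_message_action: str = "allow"     # applied to types not in the filter
    message_rate_limit: dict = field(default_factory=dict)  # type -> pps, 0 = no limit
    log_freq: int = 0                         # entries skipped between logged ones
    denied_log: bool = False
    rate_limited_log: bool = False


class GtpControlPlaneFilter:
    def __init__(self, profile: GtpProfile) -> None:
        self.profile = profile
        self._per_second = defaultdict(int)   # (type, whole second) -> packets seen
        self._skipped = 0
        self.log = []                         # (reason, type, timestamp)

    def _emit_log(self, entry) -> None:
        # log-freq N: N entries are skipped, then the next one is written
        # (19 -> every twentieth entry). Assumed to cover all log categories.
        if self._skipped < self.profile.log_freq:
            self._skipped += 1
            return
        self._skipped = 0
        self.log.append(entry)

    def handle(self, msg_type: str, ts: float) -> str:
        """Verdict for one control-plane message: allow, deny or rate-limited."""
        action = self.profile.message_filter.get(
            msg_type, self.profile.unknown_message_action)
        if action == "deny":
            if self.profile.denied_log:
                self._emit_log(("denied", msg_type, ts))
            return "deny"
        limit = self.profile.message_rate_limit.get(msg_type, 0)
        bucket = (msg_type, int(ts))          # assumed per-second window
        self._per_second[bucket] += 1
        if limit and self._per_second[bucket] > limit:
            if self.profile.rate_limited_log:
                self._emit_log(("rate-limited", msg_type, ts))
            return "rate-limited"
        return "allow"


def demo():
    """Constructed traffic: 43 create-pdp-request messages inside one second,
    one echo request, one unknown message type, one more request a second later."""
    profile = GtpProfile(
        message_filter={"create-pdp-request": "allow", "echo-request": "deny"},
        unknown_message_action="deny",        # recommended setting from the reference
        message_rate_limit={"create-pdp-request": 3},
        log_freq=19,                          # log only every twentieth entry
        denied_log=True,
        rate_limited_log=True,
    )
    f = GtpControlPlaneFilter(profile)
    verdicts = [f.handle("create-pdp-request", i / 100) for i in range(43)]
    verdicts.append(f.handle("echo-request", 0.50))
    verdicts.append(f.handle("bogus-message-type", 0.60))
    verdicts.append(f.handle("create-pdp-request", 1.20))
    return {
        "allow": verdicts.count("allow"),
        "deny": verdicts.count("deny"),
        "rate-limited": verdicts.count("rate-limited"),
        "logged": [entry[0] for entry in f.log],
    }


if __name__ == "__main__":
    print(demo())
```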
interface-policy
DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on
the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a
traffic anomaly detection feature that identifies network traffic that does not fit known or common traffic patterns and
behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an
attacking system starts an abnormally large number of sessions with a target system. The large number of sessions
slows down or disables the target system so legitimate users can no longer use it. You can also use the interface-policy
command to invoke an IPS sensor as part of a DoS policy.
The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use
interface-policy6 instead.
Syntax
config firewall interface-policy
    edit <policy_id>
        set application-list-status {enable | disable}
        set application_list <app_list_str>
        set av-profile-status {enable | disable}
        set av-profile <avprofile_name>
        set dlp-profile-status {enable | disable}
        set dlp-profile <avprofile_name>
        set dstaddr <dstaddr_ipv4>
        set interface <int_str>
        set ips-DoS-status {enable | disable}
        set ips-DoS <DoS_str>
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set service <service_str>
        set srcaddr <srcaddr_ipv4>
        set status {enable | disable}
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <webfilter_profile_name>
end
application-list-status {enable | disable}
    Enable to have the FortiGate unit apply an application black/white list to
    matching network traffic.
    Default: disable
application_list <app_list_str>
    Enter the name of the application black/white list the FortiGate unit uses
    when examining network traffic. This option is available only when
    application-list-status is set to enable.
    No default.
av-profile-status {enable | disable}
    Enable to apply an antivirus profile to traffic on this interface.
    Default: disable
av-profile <avprofile_name>
    Enter the antivirus profile to apply. This is available when
    av-profile-status is enabled.
    No default.
dlp-profile-status {enable | disable}
    Enable to apply a Data Leak Prevention (DLP) profile to traffic on this
    interface.
    Default: disable
dlp-profile <avprofile_name>
    Enter the Data Leak Prevention (DLP) profile to apply. This is available
    when dlp-profile-status is enabled.
    No default.
dstaddr <dstaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network
    traffic sent to the specified address or range.
interface <int_str>
    The interface or zone to be monitored.
ips-DoS-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for DoS sensor
    violations.
    Default: disable
ips-DoS <DoS_str>
    Enter the name of the DoS sensor the FortiGate unit will use when examining
    network traffic. This option is available only when ips-DoS-status is set
    to enable.
    No default.
ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and
    vulnerabilities.
    Default: disable
ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining
    network traffic. This option is available only when ips-sensor-status is
    set to enable.
    No default.
service <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You
    may also specify a service group, or multiple services separated by spaces.
    No default.
srcaddr <srcaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network
    traffic sent from the specified address or range.
    No default.
status {enable | disable}
    Enable or disable the DoS policy. A disabled DoS policy has no effect on
    network traffic.
    Default: enable
webfilter-profile-status {enable | disable}
    Enable to apply a webfilter profile to traffic on this interface.
    Default: disable
webfilter-profile <webfilter_profile_name>
    Enter the webfilter profile to apply. This is available when
    webfilter-profile-status is enabled.
    No default.
interface-policy6
DoS policies (called interface policies in the CLI) for IPv6 addresses are used to apply IPS sensors to network traffic
based on the FortiGate interface it is leaving or entering as well as the source and destination addresses.
The interface-policy6 command is used for DoS policies applied to IPv6 addresses. For IPv4 addresses, use
interface-policy instead.
Syntax
config firewall interface-policy6
    edit <policy_id>
        set application-list-status {enable | disable}
        set application_list <app_list_str>
        set av-profile-status {enable | disable}
        set av-profile <avprofile_name>
        set dlp-profile-status {enable | disable}
        set dlp-profile <avprofile_name>
        set dstaddr6 <dstaddr_ipv6>
        set interface
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set service6 <service_str>
        set srcaddr6 <srcaddr_ipv6>
        set status {enable | disable}
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <webfilter_profile_name>
end
application-list-status {enable | disable}
    Enable to have the FortiGate unit apply an application black/white list to
    matching network traffic.
    Default: disable
application_list <app_list_str>
    Enter the name of the application black/white list the FortiGate unit uses
    when examining network traffic. This option is available only when
    application-list-status is set to enable.
    No default.
av-profile-status {enable | disable}
    Enable to apply an antivirus profile to traffic on this interface.
    Default: disable
av-profile <avprofile_name>
    Enter the antivirus profile to apply. This is available when
    av-profile-status is enabled.
    No default.
dlp-profile-status {enable | disable}
    Enable to apply a Data Leak Prevention (DLP) profile to traffic on this
    interface.
    Default: disable
dlp-profile <avprofile_name>
    Enter the Data Leak Prevention (DLP) profile to apply. This is available
    when dlp-profile-status is enabled.
    No default.
dstaddr6 <dstaddr_ipv6>
    Enter an address or address range to limit traffic monitoring to network
    traffic sent to the specified address or range.
interface
    The interface or zone to be monitored.
    No default.
ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and
    vulnerabilities.
    Default: disable
ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining
    network traffic. This option is available only when ips-sensor-status is
    set to enable.
    No default.
service6 <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You
    may also specify a service group, or multiple services separated by spaces.
srcaddr6 <srcaddr_ipv6>
    Enter an address or address range to limit traffic monitoring to network
    traffic sent from the specified address or range.
status {enable | disable}
    Enable or disable the DoS policy. A disabled DoS policy has no effect on
    network traffic.
    Default: enable
webfilter-profile-status {enable | disable}
    Enable to apply a webfilter profile to traffic on this interface.
    Default: disable
webfilter-profile <webfilter_profile_name>
    Enter the webfilter profile to apply. This is available when
    webfilter-profile-status is enabled.
    No default.
ipmacbinding setting
Use this command to configure IP to MAC address binding settings.
IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP spoofing attacks
attempt to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different
computer. It is simple to change a computer’s IP address to mimic that of a trusted host, but MAC addresses are
often added to Ethernet cards at the factory, and are more difficult to change. By requiring that traffic from trusted
hosts reflect both the IP address and MAC address known for that host, fraudulent connections are more difficult to
construct.
To configure the table of IP addresses and the MAC addresses bound to them, see “ipmacbinding table” on
page 116. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in
“system interface” on page 465.
If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the
IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If
you do not update the IP/MAC binding list, the new or changed hosts will not have access to or
through the FortiGate unit. For details on updating the IP/MAC binding table, see “ipmacbinding
table” on page 116.
If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s MAC address
is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding
configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are
allowed to access the DHCP server. Use caution when enabling and providing access to the
DHCP server.
Syntax
config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}
    set bindtofw {enable | disable}
    set undefinedhost {allow | block}
end
bindthroughfw {enable | disable}
    Select to use IP/MAC binding to filter packets that a firewall policy would
    normally allow through the FortiGate unit.
    Default: disable
bindtofw {enable | disable}
    Select to use IP/MAC binding to filter packets that would normally connect
    to the FortiGate unit.
    Default: disable
undefinedhost {allow | block}
    Select how IP/MAC binding handles packets with IP and MAC addresses that
    are not defined in the IP/MAC list for traffic going through or to the
    FortiGate unit.
    • allow: Allow packets with IP and MAC address pairs that are not in the
      IP/MAC binding list.
    • block: Block packets with IP and MAC address pairs that are not in the
      IP/MAC binding list.
    This option is available only when either or both of bindthroughfw and
    bindtofw are enabled.
    Default: block
ipmacbinding table
Use this command to configure IP and MAC address pairs in the IP/MAC binding table. You can bind multiple IP
addresses to the same MAC address, but you cannot bind multiple MAC addresses to the same IP address.
To configure the IP/MAC binding settings, see “ipmacbinding setting” on page 115. To enable or disable IP/MAC
binding for an individual FortiGate unit network interface, see ipmac in “system interface” on page 465.
If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the
IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If
you do not update the IP/MAC binding list, the new or changed hosts will not have access to or
through the FortiGate unit.
If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s MAC address
is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding
configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are
allowed to access the DHCP server. Use caution when enabling and providing access to the
DHCP server.
Syntax
config firewall ipmacbinding table
edit <index_int>
set ip <address_ipv4>
set mac <address_hex>
set name <name_str>
set status {enable | disable}
end
<index_int>
    Enter the unique ID number of this IP/MAC pair.
    No default.
ip <address_ipv4>
    Enter the IP address to bind to the MAC address.
    To allow all packets with the MAC address, regardless of the IP address, set the IP address to 0.0.0.0.
    Default: 0.0.0.0
mac <address_hex>
    Enter the MAC address.
    To allow all packets with the IP address, regardless of the MAC address, set the MAC address to 00:00:00:00:00:00.
    Default: 00:00:00:00:00:00
name <name_str>
    Enter a name for this entry on the IP/MAC address table. (Optional.)
    Default: noname
status {enable | disable}
    Select to enable this IP/MAC address pair.
    Packets not matching any IP/MAC binding will be dropped. Packets matching an IP/MAC binding will be matched against the firewall policy list.
    Default: disable
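The lookup that the table entries and the ipmacbinding setting options describe, as an added example that is not Fortinet code: wildcard IP/MAC entries, the one-MAC-per-IP rule, disabled entries, and the undefinedhost decision for traffic through or to the unit. The Binding type, function names and the sample table are assumptions made for the demonstration.

```python
"""Added example (not Fortinet code): model the IP/MAC binding lookup described above.

Assumptions: a binding is an (ip, mac, name, status) entry; 0.0.0.0 and
00:00:00:00:00:00 are wildcards as the table documents; bindthroughfw, bindtofw and
undefinedhost are the options from 'config firewall ipmacbinding setting'.
"""
from dataclasses import dataclass

WILDCARD_IP = "0.0.0.0"
WILDCARD_MAC = "00:00:00:00:00:00"


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    name: str = "noname"
    status: bool = False  # the 'status' option defaults to disable


def conflicts(table: list, ip: str, mac: str) -> bool:
    """True if adding (ip, mac) would bind one IP to a second MAC, which the table forbids.
    Several IPs may share one MAC; wildcard entries never conflict."""
    mac = mac.lower()
    if ip == WILDCARD_IP or mac == WILDCARD_MAC:
        return False
    return any(e.ip == ip and e.mac.lower() not in (mac, WILDCARD_MAC) for e in table)


def add_binding(table: list, ip: str, mac: str, name: str = "noname", status: bool = True) -> None:
    """Append a binding after enforcing the documented uniqueness rule."""
    if conflicts(table, ip, mac):
        raise ValueError(f"{ip} is already bound to another MAC address")
    table.append(Binding(ip, mac.lower(), name, status))


def _matches(entry: Binding, ip: str, mac: str) -> bool:
    """A disabled entry never matches; a wildcard side matches any value."""
    if not entry.status:
        return False
    ip_ok = entry.ip in (WILDCARD_IP, ip)
    mac_ok = entry.mac.lower() in (WILDCARD_MAC, mac.lower())
    return ip_ok and mac_ok


def ipmac_decision(table: list, ip: str, mac: str, *, to_fortigate: bool,
                   bindthroughfw: bool = False, bindtofw: bool = False,
                   undefinedhost: str = "block") -> str:
    """What IP/MAC binding does with a packet before the firewall policy list is consulted:
    'not-applied' (binding is off for this direction), 'policy' (the pair is bound, so
    normal policy matching continues), 'allow-undefined' or 'block-undefined'."""
    enabled = bindtofw if to_fortigate else bindthroughfw
    if not enabled:
        return "not-applied"
    if any(_matches(e, ip, mac) for e in table):
        return "policy"
    return "allow-undefined" if undefinedhost == "allow" else "block-undefined"


def sample_table() -> list:
    """Constructed sample entries for the demonstration."""
    table: list = []
    add_binding(table, "10.0.0.5", "00:11:22:33:44:55", "pc1")
    add_binding(table, "10.0.0.6", "00:11:22:33:44:55", "pc1-second-ip")  # same MAC is allowed
    add_binding(table, "10.0.0.9", WILDCARD_MAC, "any-mac-for-this-ip")
    add_binding(table, "10.0.0.20", "aa:bb:cc:dd:ee:ff", "disabled-entry", status=False)
    return table


if __name__ == "__main__":
    t = sample_table()
    print(ipmac_decision(t, "10.0.0.5", "de:ad:be:ef:00:01", to_fortigate=False, bindthroughfw=True))
```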
ippool
Use this command to configure IP address pools.
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool,
rather than the IP address assigned to that FortiGate unit interface. In Transparent mode, IP pools are
available only from the FortiGate CLI.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range
of one IP address. For example, if you enter an IP pool as 1.1.1.1 the IP pool is actually the address range 1.1.1.1 to
1.1.1.1.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP
requests for all of the IP addresses in the overlapping IP pools.
For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
• port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
• port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
• IP_pool_1: 1.1.1.10-1.1.1.20
• IP_pool_2: 2.2.2.10-2.2.2.20
• IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
• (1.1.1.0-1.1.1.255) & (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
• (2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
• (2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
• The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
• The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
Select NAT in a firewall policy and then select Dynamic IP Pool and select an IP pool to translate the source address
of packets leaving the FortiGate unit to an address randomly selected from the IP pool.
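The overlap computation worked through above, as an added example that is not Fortinet code: it derives which IP pool ranges each interface will answer ARP requests for, and it also handles a pool that only partly falls inside the interface subnet. Function names and the sample data are assumptions for the demonstration.

```python
"""Added example (not Fortinet code): compute which IP pool addresses each interface
answers ARP for, using the overlap rule described above.

Assumptions: interfaces are given as 'ip/netmask' strings as in the example, pools as
(startip, endip) pairs; only IPv4 is handled; the sample data is constructed from the
example above.
"""
from __future__ import annotations

import ipaddress


def interface_range(ip_with_mask: str) -> tuple[int, int]:
    """'1.1.1.1/255.255.255.0' -> integer bounds of the subnet 1.1.1.0-1.1.1.255."""
    net = ipaddress.ip_network(ip_with_mask, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def pool_range(startip: str, endip: str) -> tuple[int, int]:
    """Validate an ippool; a single address is the one-address range start..start."""
    start, end = int(ipaddress.ip_address(startip)), int(ipaddress.ip_address(endip))
    if end < start:
        raise ValueError(f"endip {endip} is lower than startip {startip}")
    return start, end


def overlap(a: tuple[int, int], b: tuple[int, int]) -> tuple[int, int] | None:
    """Intersection of two inclusive integer ranges, or None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def arp_ranges(interfaces: dict[str, str], pools: dict[str, tuple[str, str]]) -> dict[str, list]:
    """Map interface name -> [(pool name, first address, last address), ...] for every
    pool range the interface will answer ARP requests for."""
    result: dict[str, list] = {name: [] for name in interfaces}
    for ifname, ip_with_mask in interfaces.items():
        irange = interface_range(ip_with_mask)
        for pname, (startip, endip) in pools.items():
            ov = overlap(irange, pool_range(startip, endip))
            if ov is not None:
                first, last = (str(ipaddress.ip_address(x)) for x in ov)
                result[ifname].append((pname, first, last))
    return result


# Constructed from the example above.
EXAMPLE_INTERFACES = {"port1": "1.1.1.1/255.255.255.0", "port2": "2.2.2.2/255.255.255.0"}
EXAMPLE_POOLS = {
    "IP_pool_1": ("1.1.1.10", "1.1.1.20"),
    "IP_pool_2": ("2.2.2.10", "2.2.2.20"),
    "IP_pool_3": ("2.2.2.30", "2.2.2.40"),
}

if __name__ == "__main__":
    for ifname, ranges in arp_ranges(EXAMPLE_INTERFACES, EXAMPLE_POOLS).items():
        for pname, first, last in ranges:
            print(f"{ifname} answers ARP for {first}-{last} ({pname})")
```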
Syntax
config firewall ippool
edit <index_int>
set endip <address_ipv4>
set startip <address_ipv4>
end
<index_int>
    The unique ID number of this IP pool.
    No default.
endip <address_ipv4>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0
startip <address_ipv4>
    The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0
ldb-monitor
Use this command to configure health check settings.
Health check settings can be used by load balancing VIPs to determine if a real server is currently responsive before
forwarding traffic. One health check is sent per interval using the specified protocol, port and HTTP-GET, where
applicable to the protocol. If the server does not respond during the timeout period, the health check fails and, if
retries are configured, another health check is performed. If all health checks fail, the server is deemed unavailable,
and another real server is selected to receive the traffic according to the selected load balancing algorithm.
Health check settings can be re-used by multiple real servers. For details on enabling health checking and using
configured health check settings, see “firewall vip” on page 178.
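The health check sequence described above, as an added example that is not Fortinet code: a monitor with the documented options, one check that honours timeout and http-match, and the initial check plus retries that together decide availability. The real server is modelled by a scripted probe callable; type names and the scripted responses are assumptions for the demonstration.

```python
"""Added example (not Fortinet code): simulate the ldb-monitor health check logic
described above (type, port, timeout, retry, http-get, http-match).

Assumptions: the real server is modelled by a 'probe' callable returning a ProbeResult
(whether it answered, how long it took, and the HTTP body); the scripted responses are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass
class LdbMonitor:
    name: str
    type: str = "tcp"        # http | ping | tcp
    http_get: str = ""       # path on the real server, e.g. /test_page.htm (http only)
    http_match: str = ""     # phrase the returned page must contain (http only)
    interval: int = 10       # seconds between checks; defaults as documented
    port: int = 0            # 0 -> use the port defined in the real server
    retry: int = 3
    timeout: int = 2


@dataclass
class ProbeResult:
    responded: bool
    latency: float = 0.0     # seconds until the response arrived
    body: str = ""           # HTTP response body (http type only)


def probe_url(mon: LdbMonitor, server_ip: str, server_port: int) -> str:
    """URL the FortiGate would request: http-get is a path appended to the real server."""
    port = server_port if mon.port == 0 else mon.port
    host = server_ip if port == 80 else f"{server_ip}:{port}"
    return f"http://{host}{mon.http_get}"


def check_once(mon: LdbMonitor, result: ProbeResult) -> bool:
    """One health check passes only if the server answered within 'timeout' seconds and,
    for an HTTP monitor with http-get and http-match set, the body contains the phrase."""
    if not result.responded or result.latency > mon.timeout:
        return False
    if mon.type == "http" and mon.http_get and mon.http_match:
        return mon.http_match in result.body
    return True


def server_available(mon: LdbMonitor, probe: Callable[[], ProbeResult]) -> Tuple[bool, int]:
    """Initial check plus up to 'retry' further checks; the server is unavailable only
    when every one of them fails. Returns (available, checks_sent)."""
    sent = 0
    for _ in range(1 + mon.retry):
        sent += 1
        if check_once(mon, probe()):
            return True, sent
    return False, sent


def scripted_probe(results) -> Callable[[], ProbeResult]:
    """Constructed server behaviour: hand out results in order, repeating the last one."""
    queue = list(results)

    def probe() -> ProbeResult:
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return probe


if __name__ == "__main__":
    mon = LdbMonitor("web-check", type="http", http_get="/test_page.htm", http_match="server test page")
    flapping = scripted_probe([ProbeResult(False), ProbeResult(True, 5.0, "server test page"),
                               ProbeResult(True, 0.1, "<h1>server test page</h1>")])
    print(probe_url(mon, "10.10.10.1", 80), server_available(mon, flapping))
```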
Syntax
config firewall ldb-monitor
edit <name_str>
set http-get <httprequest_str>
set http-match <contentmatch_str>
set interval <seconds_int>
set port <port_int>
set retry <retries_int>
set timeout <seconds_int>
set type {http | ping | tcp}
end
<name_str>
    Enter the name of the health check monitor.
    No default.
http-get <httprequest_str>
    For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a GET request to check the health of an HTTP server. The URL should match an actual URL for the real HTTP servers. The URL is optional.
    The URL would not usually include an IP address or domain name. Instead it should start with a / and be followed by the path of an actual web page on the real server. For example, if the IP address of the real server is 10.10.10.1, the URL /test_page.htm causes the FortiGate unit to send an HTTP GET request to http://10.10.10.1/test_page.htm.
    This option appears only if type is http.
    No default.
http-match <contentmatch_str>
    For HTTP health check monitors, add a phrase that a real HTTP server should include in its response to the GET request sent by the FortiGate unit using the content of the http-get option. If the http-get URL returns a web page, the http-match option should exactly match some of the text on the web page. You can use the http-get and http-match options to verify that an HTTP server is actually operating correctly by responding to GET requests with the expected web pages. http-match is only required if you add an http-get URL.
    For example, you can set http-match to “server test page” if the real HTTP server page defined by http-get contains the phrase server test page. When the FortiGate unit receives the web page in response to the URL GET request, the system searches the content of the web page for the http-match phrase.
    This option appears only if type is http.
    No default.
interval <seconds_int>
    Enter the interval time in seconds between health checks.
    Default: 10
port <port_int>
    Enter the port number used to perform the health check. If you set the port to 0, the health check monitor uses the port defined in the real server. This way you can use a single health check monitor for different real servers.
    This option does not appear if type is ping.
    Default: 0
retry <retries_int>
    Enter the number of times that the FortiGate unit should retry the health check if a health check fails. If all health checks, including retries, fail, the server is deemed unavailable.
    Default: 3
timeout <seconds_int>
    Enter the timeout in seconds. If the FortiGate unit does not receive a response to the health check in this period of time, the health check fails.
    Default: 2
type {http | ping | tcp}
    Select the protocol used by the health check monitor.
    No default.
local-in-policy, local-in-policy6
Use these commands to create firewall policies for traffic destined for the FortiGate unit itself.
Syntax
config firewall local-in-policy (for IPv4 traffic)
config firewall local-in-policy6 (for IPv6 traffic)
edit <index_int>
set action {accept | deny}
set auto-asic-offload {enable | disable}
set intf <name_str>
set srcaddr <name_str>
set dstaddr <name_str>
set service <name_str>
set schedule <name_str>
set status {enable | disable}
end
<index_int>
    Enter the unique ID number of this policy. Enter 0 to assign the next available ID.
action {accept | deny}
    Select the action that the FortiGate unit will perform on traffic matching this firewall policy.
    Default: deny
auto-asic-offload {enable | disable}
    Enable or disable session offload to NP or SP processors.
    Default: enable
intf <name_str>
    Enter the source interface. This is the interface through which the traffic reaches the FortiGate unit.
    No default.
srcaddr <name_str>
    Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space.
    No default.
dstaddr <name_str>
    Enter one or more destination firewall addresses for the policy. Separate multiple firewall addresses with a space.
    No default.
service <name_str>
    Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space.
    No default.
schedule <name_str>
    Enter the name of the one-time or recurring schedule or schedule group to use for the policy.
    No default.
status {enable | disable}
    Enable or disable this policy.
    Default: enable
mms-profile
Use this command to configure MMS profiles. This command applies to FortiOS Carrier only.
Syntax
config firewall mms-profile
edit <profile_str>
set avnotificationtable <index_int>
set bwordtable <index_int>
set carrier-endpoint-prefix {enable | disable}
set carrier-endpoint-prefix-range-min <limit_int>
set carrier-endpoint-prefix-range-max <limit_int>
set carrier-endpoint-prefix-string <prefix_str>
set carrierendpointbwltable <index_int>
set comment <str>
set exmwordtable <index_int>
set filepattable <index_int>
set mm1 {archive-full archive-summary avmonitor avquery bannedword block
carrier-endpoint-bwl chunkedbypass clientcomfort exemptword
no-content-summary oversize remove-blocked scan server-comfort strict-file}
set mm1-addr-hdr <identifier_str>
set mm1-addr-source {cookie | http-header}
set mm1-convert-hex {enable | disable}
set mm1-retr-dupe {enable | disable}
set mm1-retrieve-scan {enable | disable}
set mm1comfortamount <size_int>
set mm1comfortinterval <seconds_int>
set mm3 {archive-full archive-summary avmonitor avquery bannedword block
carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked
scan servercomfort splice}
set mm4 {archive-full archive-summary avmonitor avquery bannedword block
carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked
scan servercomfort splice}
set mm7 {archive-full archive-summary avmonitor avquery bannedword block
carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary
oversize remove-blocked scan server-comfort strict-file}
set mm1oversizelimit <limit_int>
set mm3oversizelimit <limit_int>
set mm4oversizelimit <limit_int>
set mm7-addr-hdr <identifier_str>
set mm7-addr-source {cookie | http-header}
set mm7-convert-hex {enable | disable}
set mm7comfortamount <size_int>
set mm7comfortinterval <seconds_int>
set mm7oversizelimit <limit_int>
set mms-checksum-table <tableID_int>
set mmsbwordthreshold <score_int>
config dupe {mm1 | mm4}
set action1 {alert-notif archive archive-first block intercept log}
set block-time1 <minutes_int>
set limit1 <duplicatetrigger_int>
get protocol1
set status1 {enable | disable}
set status2 {enable | disable}
set window1 <minutes_int>
end
config flood {mm1 | mm4}
set action1 {alert-notif archive archive-first block intercept log}
set block-time1 <minutes_int>
set limit1 <floodtrigger_int>
set status1 {enable | disable}
set status2
get protocol1
set window1 <minutes_int>
end
config log
set log-antispam-mass-mms {enable | disable}
set log-av-block {enable | disable}
set log-av-carrier-endpoint-filter {enable | disable}
set log-av-oversize {enable | disable}
set log-av-virus {enable | disable}
set log-intercept {enable | disable}
set log-mms-notification {enable | disable}
set log-web-content {enable | disable}
end
config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}
set alert-int <int>
set alert-int-mode {minutes | hours}
set alert-src-msisdn <str>
set alert-status {enable | disable}
set bword-int <noticeinterval_int>
set bword-int-mode {minutes | hours}
set bword-status {enable | disable}
set carrier-endpoint-bwl-int <interval_int>
set carrier-endpoint-bwl-int-mode {hours | minutes}
set carrier-endpoint-bwl-status {enable | disable}
set days-allowed {monday tuesday wednesday thursday friday saturday sunday}
set detect-server {enable | disable}
set dupe-int <interval_int>
set dupe-int-mode {hours | minutes}
set dupe-status {enable | disable}
set file-block-int <interval_int>
set file-block-int-mode {hours | minutes}
set file-block-status {enable | disable}
set flood-int <interval_int>
set flood-int-mode {hours | minutes}
set flood-status {enable | disable}
set from-in-header {enable | disable}
set mmsc-hostname {<fqdn_str> | <ipv4>}
set mmsc-password <passwd_str>
set mmsc-port <port_int>
set mmsc-url <url_str>
set mmsc-username <user_str>
set msg-protocol {mm1 | mm3 | mm4 | mm7}
set msg-type {deliver-req | send-req}
get protocol
set rate-limit <limit_int>
set tod-window-start <window_time>
set tod-window-duration <window_time>
set user-domain <fqdn_str>
set vas-id <vas_str>
set vasp-id <vasp_str>
set virus-int <interval_int>
set virus-int-mode {hours | minutes}
set virus-status {enable | disable}
end
config notif-msisdn
edit <msisdn_int>
set threshold {dupe-thresh-1 dupe-thresh-2 dupe-thresh-3 flood-thresh-1
flood-thresh-2 flood-thresh-3}
end
end
<profile_str>
    Enter the name of this MMS profile.
    No default.
avnotificationtable <index_int>
    Enter the ID number of the antivirus notification list to be used for the MMS profile. Antivirus notification tables contain virus names that, when detected, will have the FortiGate unit send a notification message to the administrator. For more information on antivirus notification tables, see “notification” on page 50.
    No default.
bwordtable <index_int>
    Enter the ID number of the web content block filter to be used for MMS traffic.
    The web content block tables can be configured using the config webfilter bword command.
    No default.
carrierendpointbwltable <index_int>
    Enter the ID number of the endpoint (such as MSISDN) filtering table to use for MMS traffic with the MMS profile.
    No default.
carrier-endpoint-prefix {enable | disable}
    Select to add the country code to the extracted carrier endpoint, such as MSISDN, for logging and notification purposes. You can limit the number length for the test numbers used for internal monitoring without a country code.
    Default: disable
carrier-endpoint-prefix-range-min <limit_int>
    Enter the minimum carrier endpoint prefix length. If this and carrier-endpoint-prefix-range-max are set to zero (0), length is not limited.
    This option appears only if carrier-endpoint-prefix is enable.
    Default: 0
carrier-endpoint-prefix-range-max <limit_int>
    Enter the maximum carrier endpoint prefix length. If this and carrier-endpoint-prefix-range-min are set to zero (0), length is not limited.
    This option appears only if carrier-endpoint-prefix is enable.
    Default: 0
carrier-endpoint-prefix-string <prefix_str>
    Enter the endpoint (such as MSISDN) prefix.
    This option appears only if carrier-endpoint-prefix is enable.
    No default.
comment <str>
    Enter an optional comment to give additional detail about the MMS profile.
exmwordtable <index_int>
    Enter the ID number of the webfilter exempt word list to be used with the MMS profile.
    The web content exempt tables can be configured using the config webfilter exmword command.
    No default.
filepattable <index_int>
    Enter the ID number of the file pattern list to be used with the MMS profile.
    Default: 0
mm1 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort strict-file}
mm3 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
mm4 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
mm7 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort strict-file}
    Select actions, if any, the FortiGate unit will take on MMS messages of the specified protocol.
    archive-full — Content archive both metadata and the MMS message itself.
    archive-summary — Content archive metadata.
    avmonitor — Log detected viruses, but allow them through the firewall without modification.
    avquery — Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    bannedword — Block messages containing content in the banned word list.
    block — Block messages matching the file patterns selected by mms-file-pat-table, even if the files do not contain viruses.
    carrier-endpoint-bwl — Enable the black/white list specified with the carrierendpointbwltable command.
    chunkedbypass — Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use of this feature is a risk. Malicious content could enter the network if web content is allowed to bypass the firewall. This option is available only for mm1 and mm7.
    clientcomfort — Apply client comforting to prevent client timeout. This option is available only for mm1 and mm7.
    exemptword — Exempt words from content blocking. This option is available only for mm1 and mm7.
    fragmail — Pass fragmented email messages. Fragmented email messages cannot be scanned for viruses. This option is available only for mm3 and mm4.
    no-content-summary — Omit MMS filtering statistics from the dashboard.
    oversize — Block files that are over the file size limit.
    remove-blocked — Remove blocked items from messages.
    scan — Scan files for viruses and worms.
    server-comfort — Apply server comforting and prevent server timeout. This option is available only for mm1 and mm7.
    splice — Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the recipient, listing the virus name and infected file name. This option is available only for mm3 and mm4.
    strict-file — Perform stricter checking for blocked files as specified in config antivirus filepattern. This can prevent circumvention by web sites with elaborate scripting using .exe or .dll files if those patterns are blocked. This option is available only for mm1 and mm7.
    No default.
mm1-addr-hdr <identifier_str>
    Enter the sender address (MSISDN) identifier.
    If mm1-addr-source is http-header, the address and its identifier in the HTTP request header are in the format:
    <Sender Address Identifier>: <MSISDN Value>
    For example, the HTTP header might contain:
    x-up-calling-line-id: 6044301297
    where x-up-calling-line-id would be the Sender Address Identifier.
    If mm1-addr-source is cookie, the address and its identifier in the HTTP request header’s Cookie field are in the format of attribute-value pairs:
    Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
    For example, the HTTP request headers might contain:
    Cookie: id=0123jf!a;x-up-calling-line-id=6044301297
    where x-up-calling-line-id would be the sender address identifier.
    Default: x-up-calling-line-id
mm1-addr-source {cookie | http-header}
    Select to extract the sender’s address from the HTTP header field or a cookie.
    Default: http-header
mm1-convert-hex {enable | disable}
    Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
    Default: disable
mm1-retr-dupe {enable | disable}
    Select to scan MM1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
    This option is available only if status is enable for the config dupe mm1 command.
    Default: disable
mm1-retrieve-scan {enable | disable}
    Select to scan message retrieval by MM1. If you select scan for all MMS interfaces, messages are scanned while being sent, and so scanning message retrieval by MM1 is redundant. In this case, you can disable MM1 message retrieval scanning to improve performance.
    Default: enable
mm1comfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show a download is progressing.
    The interval time is set using mm1comfortinterval.
    Default: 1
mm1comfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends.
    The amount of data sent each interval is set using mm1comfortamount.
    Default: 10
mm1oversizelimit <limit_int>
    Block files in MM1 streams that are over this file size limit in KB.
    Default: 10240
mm3oversizelimit <limit_int>
    Block files in MM3 streams that are over this file size limit in KB.
    Default: 10240
mm4oversizelimit <limit_int>
    Block files in MM4 streams that are over this file size limit in KB.
    Default: 10240
mm7-addr-hdr <identifier_str>
    Enter the sender address (MSISDN) identifier.
    If mm7-addr-source is http-header, the address and its identifier in the HTTP request header are in the format:
    <Sender Address Identifier>: <MSISDN Value>
    For example, the HTTP header might contain:
    x-up-calling-line-id: 6044301297
    where x-up-calling-line-id would be the Sender Address Identifier.
    If mm7-addr-source is cookie, the address and its identifier in the HTTP request header’s Cookie field are in the format of attribute-value pairs:
    Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
    For example, the HTTP request headers might contain:
    Cookie: id=0123jf!a;x-up-calling-line-id=6044301297
    where x-up-calling-line-id would be the sender address identifier.
    Default: x-up-calling-line-id
mm7-addr-source {cookie | http-header}
    Select to extract the sender’s address from the HTTP header field or a cookie.
    Default: http-header
mm7-convert-hex {enable | disable}
    Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
    Default: disable
mm7oversizelimit <limit_int>
    Block files in MM7 streams that are over this file size limit in KB.
    Default: 10240
mm7comfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show a download is progressing.
    The interval time is set using mm7comfortinterval.
    Default: 1
mm7comfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends.
    The amount of data sent each interval is set using mm7comfortamount.
    Default: 10
mms-checksum-table <tableID_int>
    Enter the MMS content checksum table ID.
mmsbwordthreshold <score_int>
    Enter the maximum score an MMS message can have before being blocked. If the combined scores of the content block patterns appearing in an MMS message exceed the threshold value, the message will be blocked.
    Default: 10
remove-blocked-constlength {enable | disable}
    Select to preserve the length of the MMS message when removing blocked content, such as viruses.
    Default: disable
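The sender address extraction that mm1-addr-hdr, mm1-addr-source and mm1-convert-hex (and their mm7 equivalents) describe, as an added example that is not Fortinet code: it reads the MSISDN from either the named header or the Cookie attribute and validates it before it reaches logging or notification. The function names, the MSISDN validation rule and the way the hex conversion is detected are assumptions, since the page does not define them; the sample requests are constructed from the examples above.

```python
"""Added example (not Fortinet code): extract the sender address (MSISDN) from an MM1/MM7
HTTP request the way mm1-addr-hdr / mm1-addr-source describe it.

Assumptions: headers are supplied as a dict; the hex option is modelled by decoding an
even-length hex value that yields a digit string (the page does not define the encoding);
MSISDN validity is modelled as up to 15 digits with an optional leading '+'.
"""
import re

MSISDN_RE = re.compile(r"^\+?\d{1,15}$")   # assumption: E.164-style digits only


def parse_cookie(cookie_header: str) -> dict:
    """'id=0123jf!a;x-up-calling-line-id=6044301297' -> {'id': '0123jf!a', 'x-up-calling-line-id': '6044301297'}.
    Cookie attribute names are case-sensitive, so they are kept as sent."""
    pairs = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def ascii_to_hex(value: str) -> str:
    """'6044301297' -> '36303434333031323937' (one direction of the convert-hex option)."""
    return value.encode("ascii").hex()


def hex_to_ascii(value: str) -> str:
    """Reverse ascii_to_hex when the value is hex that decodes to an MSISDN; else unchanged.
    A plain decimal MSISDN is also valid hex, so the decoded result is checked."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        try:
            decoded = bytes.fromhex(value).decode("ascii")
        except UnicodeDecodeError:
            return value
        if MSISDN_RE.match(decoded):
            return decoded
    return value


def extract_sender(headers: dict, source: str = "http-header",
                   identifier: str = "x-up-calling-line-id", convert_hex: bool = False):
    """Return the validated MSISDN, or None if it is missing or malformed.
    HTTP header names are matched case-insensitively; cookie attributes exactly."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if source == "http-header":
        raw = lowered.get(identifier.lower())
    elif source == "cookie":
        raw = parse_cookie(lowered.get("cookie", "")).get(identifier)
    else:
        raise ValueError(f"unknown mm1-addr-source {source!r}")
    if raw is None:
        return None
    raw = raw.strip()
    if convert_hex:
        raw = hex_to_ascii(raw)
    return raw if MSISDN_RE.match(raw) else None


if __name__ == "__main__":
    # Constructed requests matching the two documented formats.
    print(extract_sender({"x-up-calling-line-id": "6044301297"}))
    print(extract_sender({"Cookie": "id=0123jf!a;x-up-calling-line-id=6044301297"}, source="cookie"))
```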
config dupe {mm1 | mm4}
Duplicate MMS messages can result from bulk MMS messages, MMS spam, attacks, or other issues.
You can use the config dupe subcommand to detect and act on MMS duplicate messages. Thresholds that define
excessive duplicate messages and response actions are both configurable.
You can configure MMS duplicate message detection for MM1 messages using config dupe mm1 and for MM4
messages using config dupe mm4.
There are four threshold settings each for mm1 and mm4. The integer at the end of each command indicates which
threshold you are configuring. By default, only the first threshold is available for configuration. Enable status2 to gain
access to the second threshold, then enable status3 to gain access to the third threshold, and finally enable status4 to
gain access to the fourth threshold. They must be enabled in sequence.
action1 {alert-notif archive archive-first block intercept log}
    Select the actions to take, if any, when excessive duplicate messages are detected. To select more than one action, separate each action with a space.
    alert-notif — Enable to have the FortiGate unit send a notification message if this threshold is exceeded.
    archive — Archive duplicates in excess of the configured threshold.
    archive-first — Archive the first duplicate in excess of the configured threshold.
    block — Block and intercept excess duplicates. If block is selected, messages are also intercepted, even if intercept is not selected.
    intercept — Intercept excess duplicates.
    log — Log excess duplicates. This option takes effect only if logging is enabled for bulk MMS message detection. See “log-antispam-mass-mms {enable | disable}” on page 129.
    This option appears only if status is set to enable for the MMS interface.
    Default: archive block intercept log
block-time1 <minutes_int>
    Enter the amount of time in minutes during which the FortiGate unit will perform the action after a message flood is detected.
    This option appears only if status is enable for the MMS interface.
    Default: 100
limit1 <duplicatetrigger_int>
    Enter the number of messages which signifies excessive message duplicates if exceeded within the window.
    This option appears only if status is enable for the MMS interface.
    Default: 100
protocol1
    The MMS interface that you are configuring. protocol can be mm1 or mm4 depending on whether you entered config dupe mm1 or config dupe mm4.
    This variable can be viewed with the get command, but cannot be set.
status1 {enable | disable}
    Select to detect and act upon duplicate MMS messages.
    Default: disable
status2 {enable | disable}
    Enable to gain access to the second set of threshold configuration settings.
    Default: disable
window1 <minutes_int>
    Enter the period of time in minutes during which excessive message duplicates will be detected if the limit is exceeded.
    This option appears only if status is enable for the protocol (MM1 or MM4).
    Default: 60
config flood {mm1 | mm4}
Excessive MMS activity (message floods) can result from bulk MMS messages, MMS spam, attacks, or other issues.
You can use the config flood subcommand to detect and act on MMS message floods. Thresholds that define a
flood of message activity and response actions are both configurable.
You can configure MMS flood detection for MM1 messages using config flood mm1 and for MM4 messages
using config flood mm4.
There are four threshold settings each for mm1 and mm4. The integer at the end of each command indicates which
threshold you are configuring. By default, only the first threshold is available for configuration. Enable status2 to gain
access to the second threshold, then enable status3 to gain access to the third threshold, and finally enable status4 to
gain access to the fourth threshold. They must be enabled in sequence.
action1 {alert-notif archive archive-first block intercept log}
    Select which actions to take, if any, when excessive message activity is detected. To select more than one action, separate each action with a space.
    alert-notif — Enable to have the FortiGate unit send a notification message if this threshold is exceeded.
    archive — Archive messages in excess of the configured threshold.
    archive-first — Archive the first message in excess of the configured threshold.
    block — Block and intercept excess messages. If block is selected, messages are also intercepted, even if intercept is not selected.
    intercept — Intercept excess messages.
    log — Log excess messages. This option takes effect only if logging is enabled for bulk MMS message detection. See “log-antispam-mass-mms {enable | disable}” on page 129.
    This option appears only if status is enable for the MMS interface.
    Default: block intercept log
block-time1 <minutes_int>
    Enter the amount of time in minutes during which the FortiGate unit will perform the action after a message flood is detected.
    This option appears only if status is enable for the MMS interface.
    Default: 100
limit1 <floodtrigger_int>
    Enter the number of messages which signifies excessive message activity if exceeded within the window.
    This option appears only if status is enable for the MMS interface.
    Default: 100
protocol1
    The MMS interface that you are configuring. protocol can be mm1 or mm4 depending on whether you entered config flood mm1 or config flood mm4.
    This variable can be viewed with the get command, but cannot be set.
status1 {enable | disable}
    Select to detect and act upon excessive MMS message activity.
    Default: disable
status2 {enable | disable}
    Enable to gain access to the second threshold configuration settings.
    Default: disable
window1 <minutes_int>
    Enter the period of time in minutes during which excessive message activity will be detected if the limit is exceeded.
    This option appears only if status is enable for the MMS interface.
    Default: 60
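The threshold logic shared by config dupe and config flood, as an added example that is not Fortinet code: more than limit1 events for one key inside the sliding window1 triggers the configured actions for block-time1 minutes, with block implying intercept. Keying by sender models flood detection and keying by a hash of the message body models duplicate detection; the class name, the minute-based timestamps and the sample traffic are assumptions for the demonstration.

```python
"""Added example (not Fortinet code): one config dupe / config flood threshold as a
sliding-window detector with the semantics described above.

Assumptions: flood detection keys on the sender MSISDN and duplicate detection on a
hash of the message body; timestamps are minutes; more than 'limit' events inside
'window' minutes triggers the actions for 'block_time' minutes; 'block' implies
'intercept' as documented. Sample traffic is constructed.
"""
import hashlib
from collections import defaultdict, deque


class ThresholdDetector:
    def __init__(self, limit: int = 100, window: int = 60, block_time: int = 100,
                 actions=("block", "intercept", "log")):
        self.limit, self.window, self.block_time = limit, window, block_time
        self.actions = frozenset(actions)
        if "block" in self.actions:          # block always intercepts as well
            self.actions |= {"intercept"}
        self._events = defaultdict(deque)    # key -> timestamps still inside the window
        self._blocked_until = {}             # key -> minute at which the action period ends

    def observe(self, key: str, t: float) -> frozenset:
        """Record one event at minute t and return the actions to apply to it."""
        q = self._events[key]
        q.append(t)
        while q and t - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        if t < self._blocked_until.get(key, float("-inf")):
            return self.actions              # still inside block-time
        if len(q) > self.limit:              # limit exceeded within the window
            self._blocked_until[key] = t + self.block_time
            return self.actions
        return frozenset()


def flood_key(sender: str) -> str:
    """config flood counts messages per sender."""
    return "flood:" + sender


def dupe_key(body: bytes) -> str:
    """config dupe counts copies of the same content, whoever sends them."""
    return "dupe:" + hashlib.sha256(body).hexdigest()


def run_flood(detector: ThresholdDetector, messages) -> list:
    """messages: iterable of (minute, sender); returns [(minute, sender, actions), ...]."""
    return [(t, s, detector.observe(flood_key(s), t)) for t, s in messages]


# Constructed traffic: one handset sends four messages in four minutes, another sends one.
SAMPLE_TRAFFIC = [(0, "6044301297"), (1, "6044301297"), (2, "6044301297"),
                  (3, "6044301297"), (4, "16045550100"), (4, "6044301297"), (20, "6044301297")]

if __name__ == "__main__":
    det = ThresholdDetector(limit=3, window=10, block_time=5, actions=("block", "log"))
    for minute, sender, actions in run_flood(det, SAMPLE_TRAFFIC):
        print(minute, sender, sorted(actions) or "pass")
```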
config log
Use this command to write event log messages when the options that you have enabled in this MMS profile perform
an action. For example, if you enable antivirus protection you could also use the config log command to enable
log-av-block so that the FortiGate unit writes an event log message every time a virus is detected.
All of the config log fields are the same as the corresponding config policy fields except the following
log-antispam-mass-mms {enable | disable}
    Enable to log duplicate or flood MMS notification messages. Also select the log action for each protocol and bulk MMS message event that you want to log. For details, see “action1 {alert-notif archive archive-first block intercept log}” on page 127 for config dupe and “action1 {alert-notif archive archive-first block intercept log}” on page 127 for config flood.
    Default: disable
log-av-block {enable | disable}
    Enable to log blocked viruses and files.
    Default: disable
log-av-carrier-endpoint-filter {enable | disable}
    Enable to log endpoint (such as MSISDN) blocking, intercepts, and archiving in MMS messages.
    Default: disable
log-av-oversize {enable | disable}
    Enable to log oversized messages.
    Default: disable
log-av-virus {enable | disable}
    Enable to log detected viruses.
    Default: disable
log-intercept {enable | disable}
    Enable to log MMS intercept actions in MMS messages.
    Default: disable
log-mms-notification {enable | disable}
    Enable to log MMS notification messages in MMS messages.
    Default: disable
log-web-content {enable | disable}
    Enable to log blocked web content.
    Default: disable
config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}
Use this command to configure how the FortiGate unit sends MMS messages to MMS clients to inform them that
messages have been sent from their device that violate the settings in this MMS profile. To enable sending
notifications you need to enable notification types. You can enable all notification types or you can enable separate
notifications for web content blocking, file blocking, end point blocking, flooding, duplicate messages, and virus
scanning. You can also use the MMS notifications options to configure how the notification messages are sent.
The FortiGate unit sends notification messages immediately for the first event, then at a configurable interval if events
continue to occur. If the interval does not coincide with the window of time during which notices may be sent, the
FortiGate unit waits and sends the notice in the next available window. Subsequent notices contain a count of the
number of events that have occurred since the previous notification.
There are separate notifications for each notification type, including virus events. Virus event notifications include the
virus name. Up to three viruses are tracked for each user at a time. If a fourth virus is found, one of the existing
tracked viruses is removed.
The notifications are MM1 m-send-req messages sent from the FortiGate unit directly to the MMSC for delivery to
the client. The host name of the MMSC, the URL to which m-send-req messages are sent, and the port must be
specified.
alert-int <int>
    Enter the interval the FortiGate unit will use to send alert messages.
    The integer you enter is interpreted as hours or minutes depending on
    how alert-int-mode is set.
    Default: 1
alert-int-mode {minutes | hours}
    Enter minutes or hours. This setting determines whether the integer
    entered with alert-int is interpreted as minutes or hours.
    Default: hours
alert-src-msisdn <str>
    Enter the address the alert messages will appear to be sent from.
alert-status {enable | disable}
    Enable to have the FortiGate unit send alert messages.
    Default: enable
bword-int <noticeinterval_int>
    Enter the banned word notification send interval.
    Default: 24
bword-int-mode {minutes | hours}
    Select whether the value specified in bword-int is minutes or hours.
    Default: hours
bword-status {enable | disable}
    Select to send notices for banned word events.
    Default: disable
carrier-endpoint-bwl-int <interval_int>
    Enter the amount of time between notifications for endpoint black/white
    list events. Also set carrier-endpoint-bwl-status to enable and select
    the time unit in carrier-endpoint-bwl-int-mode.
    Default: 24
carrier-endpoint-bwl-int-mode {hours | minutes}
    Select the unit of time in minutes or hours for carrier-endpoint-bwl-int.
    Default: hours
carrier-endpoint-bwl-status {enable | disable}
    Select to send notices for endpoint black/white list events.
    Default: disable
days-allowed {monday tuesday wednesday thursday friday saturday sunday}
    Notifications will be sent on the selected days of the week.
    Default: monday tuesday wednesday thursday friday saturday sunday
detect-server {enable | disable}
    Select to automatically determine the server address.
    Default: enable
dupe-int <interval_int>
    Enter the amount of time between notifications of excessive MMS
    duplicates. Also set dupe-status to enable and select the time unit in
    dupe-int-mode. Available only for MM1 and MM4 notifications.
    Default: 24
dupe-int-mode {hours | minutes}
    Select the unit of time in minutes or hours for dupe-int. Available only
    for MM1 and MM4 notifications.
    Default: hours
dupe-status {enable | disable}
    Select to send notices for excessive MMS message duplicate events.
    Available only for MM1 and MM4 notifications.
    Default: disable
file-block-int <interval_int>
    Enter the amount of time between notifications of file block events.
    Also set file-block-status to enable and select the time unit in
    file-block-int-mode.
    Default: 24
file-block-int-mode {hours | minutes}
    Select whether the value specified in file-block-int is minutes or hours.
    Default: hours
file-block-status {enable | disable}
    Select to send notices for file block events.
    Default: disable
flood-int <interval_int>
    Enter the amount of time between notifications of excessive MMS
    activity. Also set flood-status to enable and select the time unit in
    flood-int-mode. Available only for MM1 and MM4 notifications.
    Default: 24
flood-int-mode {hours | minutes}
    Select the unit of time in minutes or hours for flood-int. Available
    only for MM1 and MM4 notifications.
    Default: hours
flood-status {enable | disable}
    Select to send notices for excessive MMS message activity events.
    Available only for MM1 and MM4 notifications.
    Default: disable
from-in-header {enable | disable}
    Select to insert the “from” address in the HTTP header.
    Default: disable
mmsc-hostname {<fqdn_str> | <ipv4>}
    Enter the FQDN or the IP address of the destination server.
    No default.
mmsc-password <passwd_str>
    Enter the password required for sending messages using this server.
    (Optional)
    No default.
mmsc-port <port_int>
    Enter the port number the server is using.
    Default: varies by msg-protocol.
mmsc-url <url_str>
    Enter the URL address of the server.
    No default.
mmsc-username <user_str>
    Enter the user name required for sending messages using this server.
    (Optional)
    No default.
msg-protocol {mm1 | mm3 | mm4 | mm7}
    Select the protocol to use for sending notification messages.
    Default: depends on protocol {mm1 | mm3 | mm4 | mm7}.
msg-type {deliver-req | send-req}
    Select the type of notification message directed to either a VASP or an
    MMSC.
    Default: deliver-req
protocol
    The MMS interface that you are configuring. protocol can be mm1, mm3,
    mm4 or mm7 depending on the message type that you are configuring
    notifications for. This variable can be viewed with the get command,
    but cannot be set.
rate-limit <limit_int>
    Enter the number of notifications to send per second. If you enter zero
    (0), the notification rate is not limited.
    Default: 0
tod-window-start <window_time>
    Select the time of day to begin sending notifications. If you select a
    start time and a duration of zero (00:00), notifications are not limited
    by time of day.
    Default: 00:00
tod-window-duration <window_time>
    Select the duration of the period during which the FortiGate unit will
    send notification messages. If you select a start time and a duration of
    zero (00:00), notifications are not limited by time of day.
    Default: 00:00
user-domain <fqdn_str>
    Enter the FQDN of the server to which the user’s address belongs.
    No default.
vas-id <vas_str>
    Enter the value added service (VAS) ID to be used when sending a
    notification message. This option is available only when msg-type is
    set to send-req.
    No default.
vasp-id <vasp_str>
    Enter the value added service provider (VASP) ID to be used when sending
    a notification message. This option is available only when msg-type is
    set to send-req.
    No default.
virus-int <interval_int>
    Enter the amount of time between notifications for antivirus events.
    Also set virus-status to enable and select the time unit in
    virus-int-mode.
    Default: 24
virus-int-mode {hours | minutes}
    Select the unit of time in minutes or hours for virus-int.
    Default: hours
virus-status {enable | disable}
    Select to send notices for antivirus events.
    Default: disable
Example
This example shows how to enable sending MMS notifications for all MM3 notification types and set the interval for
each one to 400 minutes:
config firewall mms-profile
    edit example
        config notification mm3
            set bword-status enable
            set bword-int-mode minutes
            set bword-int 400
            set file-block-status enable
            set file-block-int-mode minutes
            set file-block-int 400
            set carrier-endpoint-bwl-status enable
            set carrier-endpoint-bwl-int-mode minutes
            set carrier-endpoint-bwl-int 400
            set virus-status enable
            set virus-int-mode minutes
            set virus-int 400
        end
    end
config notif-msisdn
Individual MSISDN users can be configured to have specific duplicate and flood thresholds.
<msisdn_int>
    Enter the MSISDN number. Enter a new number to create a new entry.
threshold {dupe-thresh-1 dupe-thresh-2 dupe-thresh-3 flood-thresh-1 flood-thresh-2 flood-thresh-3}
    Enter the thresholds on which this MSISDN user will receive an alert.
    Clear all thresholds with the unset threshold command.
    Default: (null)
multicast-policy
Use this command to configure a source NAT IP address for forwarded multicast traffic. In Transparent mode, adding a
multicast policy also enables multicast forwarding.
The source IP address of matched forwarded (outgoing) IP multicast packets is translated to the configured IP address. For
additional options related to multicast, see multicast-forward {enable | disable} in “system settings” on page 548 and
tp-mc-skip-policy {enable | disable} in “system global” on page 444.
Syntax
config firewall multicast-policy
    edit <index_int>
        set action {accept | deny}
        set auto-asic-offload {enable | disable}
        set dnat <address_ipv4>
        set dstaddr <address_ipv4mask>
        set dstintf <name_str>
        set logtraffic {enable | disable}
        set nat <address_ipv4>
        set srcaddr <address_ipv4mask>
        set srcintf <name_str>
        set protocol <multicastlimit_int>
        set start-port <port_int>
        set end-port <port_int>
    end
<index_int>
    Enter the unique ID number of this multicast policy.
    No default.
action {accept | deny}
    Enter the policy action.
    Default: accept
auto-asic-offload {enable | disable}
    Enable or disable session offloading to SP processors. Only available
    in NAT/Route operation mode.
    Default: enable
dnat <address_ipv4>
    Enter an IP address to destination network address translate (DNAT)
    externally received multicast destination addresses to addresses that
    conform to your organization's internal addressing policy.
    Default: 0.0.0.0
dstaddr <address_ipv4mask>
    Enter the destination IP address and netmask, separated by a space, to
    match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0
dstintf <name_str>
    Enter the destination interface name to match against multicast NAT
    packets.
    No default.
logtraffic {enable | disable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable
nat <address_ipv4>
    Enter the IP address to substitute for the original source IP address.
    Default: 0.0.0.0
srcaddr <address_ipv4mask>
    Enter the source IP address and netmask to match against multicast NAT
    packets.
    Default: 0.0.0.0 0.0.0.0
srcintf <name_str>
    Enter the source interface name to match against multicast NAT packets.
    No default.
protocol <multicastlimit_int>
    Limit the number of protocols (services) sent out via multicast using
    the FortiGate unit.
    Default: 0
start-port <port_int>
    The beginning of the port range used for multicast.
    No default.
end-port <port_int>
    The end of the port range used for multicast.
    Default: 65535
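The following configuration is added here as a worked example of the multicast-policy command; it is not Fortinet's own sample. It forwards one multicast group from port1 to port2 for a fixed UDP port range, rewrites the source address as the variables above describe, logs the matched traffic, and follows with a second policy that denies and logs everything else between the same interfaces. The interface names, subnets, group address, port range and NAT address are assumptions; the unset srcaddr and dstaddr of the deny policy keep their 0.0.0.0 0.0.0.0 defaults, which match any address. multicast-forward in system settings, referenced above, is assumed to be required for the unit to forward multicast at all in NAT/Route mode, and the deny policy assumes top-down first-match evaluation, as for firewall policies.

```fortios
config system settings
    set multicast-forward enable
end
config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr 10.1.1.0 255.255.255.0
        set dstaddr 239.1.1.0 255.255.255.0
        set start-port 5000
        set end-port 5010
        set nat 192.0.2.10
        set action accept
        set logtraffic enable
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set action deny
        set logtraffic enable
    next
end
```

Policy 1 translates the source of matching multicast packets from 10.1.1.0/24 to 192.0.2.10 before they leave port2; packets to any other group, or outside ports 5000 to 5010, fall through to policy 2 and are dropped with a traffic log message, which makes unexpected multicast senders visible in the logs instead of silently forwarding or silently discarding them.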
policy, policy6
Use this command to add, edit, or delete firewall policies.
Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the
FortiGate unit to decide what to do with a connection request. The policy directs the firewall to allow the connection,
deny the connection, require authentication before the connection is allowed, or apply IPSec or SSL VPN processing.
If you are creating an IPv6 policy, some of the IPv4 options, such as NAT and VPN settings, are not
applicable.
Syntax
config firewall policy, policy6
    edit <index_int>
        set action {accept | deny | ipsec | ssl-vpn}
        set application {enable | disable}
        set auth-cert <certificate_str>
        set auth-method {basic | digest | fsso | form | ntlm}
        set auth-path {enable | disable}
        set auth-redirect-addr <domainname_str>
        set auto-asic-offload {enable | disable}
        set bandwidth {enable | disable}
        set central-nat {enable | disable}
        set client-reputation {enable | disable}
        set client-reputation-mode {learning | monitoring}
        set comments <comment_str>
        set custom-log-fields <fieldid_int>
        set dponly {disable | enable}
        set diffserv-forward {enable | disable}
        set diffserv-reverse {enable | disable}
        set diffservcode-forward <dscp_bin>
        set diffservcode-rev <dscp_bin>
        set disclaimer {enable | disable}
        set dstaddr <name_str>
        set dstintf <name_str>
        set dynamic-profile-access {ftp ftps http https im imap imaps nntp pop3 pop3s smtp smtps}
        set dynamic-profile-group <groupname_string>
        set fixedport {enable | disable}
        set endpoint-check {enable | disable}
        set endpoint-profile <ep_profile_name>
        set failed-connection {enable | disable}
        set fsso {enable | disable}
        set fsso-server-for-ntlm <server_str>
        set geo-location {enable | disable}
        set global-label <label_str>
        set gtp_profile <name_str>
        set icap-profile <icap_pr_name>
        set identity-based {enable | disable}
        set inbound {enable | disable}
        set ip-based {enable | disable}
        set ippool {enable | disable}
        set label <label_string>
        set logtraffic {enable | disable}
        set logtraffic-app {enable | disable}
        set log-unmatched-traffic {disable | enable}
        set match-vip {enable | disable}
        set nat {enable | disable}
        set natinbound {enable | disable}
        set natip <address_ipv4mask>
        set natoutbound {enable | disable}
        set ntlm {enable | disable}
        set ntlm-enabled-browsers <user-agent_string>
        set ntlm-guest {enable | disable}
        set outbound {enable | disable}
        set per-ip-shaper <shaper_name>
        set poolname <name_str>
        set redirect-url <name_str>
        set replacemsg-override-group <group_string>
        set rtp-nat {disable | enable}
        set rtp-addr <name_str>
        set schedule <name_str>
        set schedule-timeout {enable | disable}
        set service <name_str>
        set sessions {enable | disable}
        set session-ttl <session_time_integer>
        set srcaddr <name_str>
        set srcintf <name_str>
        set sslvpn-auth {any | ldap | local | radius | tacacs+}
        set sslvpn-ccert {enable | disable}
        set sslvpn-cipher {0 | 1 | 2}
        set status {enable | disable}
        set tags <tags_str>
        set tcp-mss-sender <maximumsize_int>
        set tcp-mss-receiver <maximumsize_int>
        set tcp-reset {enable | disable}
        set traffic-shaper <name_str>
        set traffic-shaper-reverse <name_str>
        set vpntunnel <name_str>
        set wccp {enable | disable}
        set web-auth-cookie {enable | disable}
        set webcache {disable | enable}
        set web-proxy-forward-server <fwd_server_name_string>
        set utm-status {disable | enable}
        set profile-type {group | single}
        set profile-group <name_str>
        set profile-protocol-options <name_str>
        set av-profile <name_str>
        set webfilter-profile <name_str>
        set spamfilter-profile <name_str>
        set ips-sensor <name_str>
        set dlp-sensor <name_str>
        set application-list <name_str>
        set voip-profile <name_str>
        set mms-profile <name_str>
        set replacemsg-group <name_str>
        config identity-based-policy
            edit <policy_id>
                set groups <group_name>
                set logtraffic {enable | disable}
                set schedule <name_str>
                set service <name_str>
                set traffic-shaper <name_str>
                set traffic-shaper-reverse <name_str>
                set per-ip-shaper <name_str>
                set utm-status {disable | enable}
                set profile-type {group | single}
                set profile-group <name_str>
                set profile-protocol-options <name_str>
                set av-profile <name_str>
                set webfilter-profile <name_str>
                set spamfilter-profile <name_str>
                set ips-sensor <name_str>
                set dlp-sensor <name_str>
                set application-list <name_str>
                set voip-profile <name_str>
                set mms-profile <name_str>
                set replacemsg-group <name_str>
            end
        end
    end
<index_int>
    Enter the unique ID number of this policy.
    No default.
action {accept | deny | ipsec | ssl-vpn}
    Select the action that the FortiGate unit will perform on traffic
    matching this firewall policy.
    • accept: Allow packets that match the firewall policy. Also enable or
      disable nat to make this a NAT policy (NAT/Route mode only), enable or
      disable ippool so that the NAT policy selects a source address for
      packets from a pool of IP addresses added to the destination
      interface, and enable or disable fixedport so that the NAT policy
      does not translate the packet source port.
    • deny: Deny packets that match the firewall policy.
    • ipsec: Allow and apply IPSec VPN. When action is set to ipsec, you
      must specify the vpntunnel attribute. You may also enable or disable
      the inbound, outbound, natoutbound, and natinbound attributes and/or
      specify a natip value.
    • ssl-vpn: Allow and apply SSL VPN. When action is set to ssl-vpn, you
      may specify values for the sslvpn-auth, sslvpn-ccert, and
      sslvpn-cipher attributes.
    For IPv6 policies, only the accept, deny and ssl-vpn options are
    available.
    Default: deny
application {enable | disable}
    Enable or disable tracking the application usage of each host. This is
    available when auto-profiling is enabled.
    Default: disable
auth-cert <certificate_str>
    Select an HTTPS server certificate for policy authentication. self-sign
    is the built-in, self-signed certificate; if you have added other
    certificates, you may select them instead.
    This option appears only if identity-based is enable.
    No default.
auth-method {basic | digest | fsso | form | ntlm}
    If srcintf is web-proxy and identity-based is enabled, select the
    authentication method. The basic and digest methods are defined in
    RFC 2617.
    basic: the client must authenticate with a user ID and password for
    each realm. The user name and password are sent unencrypted (Base64
    encoded only), so they are exposed to anyone who can observe the
    connection.
    digest: a nonce value is sent to the client in the challenge and is
    included when the client responds with an MD5 checksum of the
    combination of its user ID, password, nonce, and requested URI. The
    FortiGate unit has all this information and can confirm that the MD5
    checksum is correct.
    fsso: use Fortinet Single Sign On (FSSO) authentication with FSSO
    clients on a Windows AD network. This option is available only if
    ip-based is enabled.
    form: use form-based authentication.
    ntlm: NT LAN Manager (NTLM) uses Windows AD and Internet Explorer to
    authenticate through the browser. Useful when the FSSO client cannot be
    installed on the Windows AD server.
    If basic is enabled, FSSO_GUEST_user cannot be selected under Identity
    Based Policy (IBP).
    Default: basic
auth-path {enable | disable}
    Select to apply authentication-based routing. You must also specify a
    RADIUS server, and the RADIUS server must be configured to supply the
    name of an object specified in config router auth-path. For details on
    configuring authentication-based routes, see “router auth-path” on
    page 289.
    This option appears only when the FortiGate unit is operating in NAT
    mode and identity-based is enable. For details on NAT and transparent
    mode, see “opmode {nat | transparent}” on page 550.
    Default: disable
auth-redirect-addr <domainname_str>
    Enter the IP address or domain name to which user HTTP requests are
    redirected after the user accepts the authentication disclaimer. The
    redirect URL could be a web page with extra information (for example,
    terms of usage).
    To prevent web browser security warnings, this should match the CN
    field of the specified auth-cert, which is usually a fully qualified
    domain name (FQDN).
    This option appears only if identity-based is enable.
    No default.
auto-asic-offload {enable | disable}
    Enable or disable session offload to NP or SP processors. This is
    available on models that have network processors.
    Default: enable
bandwidth {enable | disable}
    Enable or disable tracking the bandwidth usage of each host. This is
    available when auto-profiling is enabled.
    Default: disable
central-nat {enable | disable}
    Enable or disable use of the central NAT table in this policy. This is
    available only when nat is enabled.
    Default: disable
client-reputation {enable | disable}
    Enable to turn on client reputation monitoring. This option is visible
    only when action is set to accept.
    Default: disable
client-reputation-mode {learning | monitoring}
    Set the client reputation mode to learning or monitoring. Set to
    learning to establish a baseline of client network usage patterns. Set
    to monitoring once the baseline has been established; the unit then
    monitors the client’s network patterns for abnormalities, and client
    network usage data is logged for use in reports.
    This is available when client-reputation is enabled.
comments <comment_str>
    Enter a description or other information about the policy. (Optional)
    comment_str is limited to 63 characters. Enclose the string in single
    quotes to enter special characters or spaces.
    No default.
custom-log-fields <fieldid_int>
    Enter custom log field index numbers to append one or more custom log
    fields to the log message for this policy. Separate multiple custom log
    field indices with a space. (Optional)
    This option takes effect only if logging is enabled for the policy, and
    requires that you first define custom log fields. For details, see “log
    custom-field” on page 224.
    No default.
dponly {disable | enable}
    For FortiOS Carrier, enable to configure the firewall policy to accept
    only sessions with source addresses that are in the dynamic profile
    user context list. Sessions with source addresses that are not in the
    user context list do not match the policy; for those sessions the
    FortiOS Carrier unit continues searching down the policy list for a
    match.
    Default: disable
diffserv-forward {enable | disable}
    Enable or disable application of the differentiated services code point
    (DSCP) value to the DSCP field of forward (original) traffic. If
    enabled, also configure diffservcode-forward.
    Default: disable
diffserv-reverse {enable | disable}
    Enable or disable application of the differentiated services code point
    (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled,
    also configure diffservcode-rev.
    Default: disable
diffservcode-forward <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the
    FortiGate unit will apply to the field of originating (forward)
    packets. The value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-forward is enable.
    For details and DSCP configuration examples, see the Knowledge Center
    article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000
diffservcode-rev <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the
    FortiGate unit will apply to the field of reply (reverse) packets. The
    value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-reverse is enable.
    For details and DSCP configuration examples, see the Knowledge Center
    article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000
disclaimer {enable | disable}
    Enable to display the authentication disclaimer page, which is
    configured with other replacement messages. The user must accept the
    disclaimer to connect to the destination.
    Default: disable
dstaddr <name_str>
    Enter one or more destination firewall addresses, or a virtual IP if
    creating a NAT policy. Separate multiple firewall addresses with a
    space.
    If action is set to ipsec, enter the name of the IP address to which IP
    packets may be delivered at the remote end of the IPSec VPN tunnel.
    If action is set to ssl-vpn, enter the name of the IP address that
    corresponds to the host, server, or network that remote clients need to
    access behind the FortiGate unit.
    For details on configuring virtual IPs, see “vip” on page 178.
    No default.
dstintf <name_str>
    Enter the destination interface for the policy. The interface can be a
    physical interface, a VLAN subinterface, or a zone.
    If action is set to ipsec, enter the name of the interface to the
    external (public) network.
    If action is set to ssl-vpn, enter the name of the interface to the
    local (private) network.
    Note: If an interface or VLAN subinterface has been added to a zone,
    the interface or VLAN subinterface cannot be used for dstintf.
    No default.
dynamic-profile {enable | disable}
    Enable to use dynamic profile authentication with this firewall policy.
    This option is available only if a dynamic start server is configured.
    See “user radius” on page 589.
    This option is available only if identity-based policy is not enabled.
    Default: disable
dynamic-profile-access {ftp ftps http https im imap imaps nntp pop3 pop3s smtp smtps}
    Enable dynamic profile for one or more protocols.
    No default.
dynamic-profile-group <groupname_string>
    Enter the UTM profile group name to apply to this dynamic profile
    firewall policy.
fixedport {enable | disable}
    Enable to preserve packets’ source port number, which may otherwise be
    changed by a NAT policy. Some applications do not function correctly if
    the source port number is changed, and may require this option.
    If fixedport is enable, you should usually also enable IP pools; if you
    do not configure an IP pool for the policy, only one connection can
    occur at a time for this port.
    Default: disable
endpoint-check {enable | disable}
    Enable to perform an endpoint NAC compliance check. This check denies
    access to this firewall policy for hosts that do not have up-to-date
    FortiClient Endpoint Security software running. You need to also
    configure endpoint-profile.
    Note: If the firewall policy involves a load balancing virtual IP, the
    endpoint compliance check is not performed.
    For more information, see “endpoint-control” on page 83.
    Default: disable
endpoint-keepalive-interface <intf_name>
    If endpoint-check is enabled, this field is available to specify the
    keepalive interface. The default is a null string, which is interpreted
    as the source interface.
    Default: null
endpoint-profile <ep_profile_name>
    Select the endpoint NAC profile to apply. This is available when
    endpoint-check is enabled. For information about creating endpoint NAC
    profiles, see “endpoint-control profile” on page 85.
    No default.
failed-connection {enable | disable}
    Enable or disable tracking of failed connection attempts. This is
    available when auto-profiling is enabled.
    Default: disable
fsso {enable | disable}
    Enable or disable Directory Service authentication.
    Default: disable
fsso-server-for-ntlm <server_str>
    Restrict NTLM authentication to one particular server only for this
    policy. Enter the name of a server defined in user fsso.
    No default.
geo-location {enable | disable}
    Enable or disable determining the country of each destination IP
    address. This is available when auto-profiling is enabled.
    Default: disable
global-label <label_str>
    Put the policy in the named subsection in the web-based manager. The
    subsection is created if it does not already exist.
    No default.
gtp_profile <name_str>
    For FortiOS Carrier, enter the name of a GTP profile to add to the
    policy.
    No default.
icap-profile <icap_pr_name>
    Optionally, enter the name of an Internet Content Adaptation Protocol
    (ICAP) profile. This is available if utm-status is enable.
    Default: null
identity-based {enable | disable}
    Select to enable or disable identity-based policy authentication. This
    field appears only if action is accept. This field is unavailable if
    dynamic-profile is enabled.
    Default: disable
inbound {enable | disable}
    When action is set to ipsec, enable or disable traffic from computers
    on the remote private network to initiate an IPSec VPN tunnel.
    Default: disable
ip-based {enable | disable}
    If srcintf is web-proxy and identity-based is enabled, enable ip-based
    to handle FSSO authentication. Disabling it causes an error when the
    firewall policy refers to directory-based user groups such as FSSO.
    Default: disable
ippool {enable | disable}
    When action is set to accept and NAT is enabled, configure a NAT policy
    to translate the source address to an address randomly selected from
    the first IP pool added to the destination interface of the policy.
    Default: disable
label <label_string>
    Optionally, enter a label for this policy. The label is visible in the
    web-based manager in Section View.
    No default.
logtraffic {enable | disable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable
logtraffic-app {enable | disable}
    Enable to log traffic while application logging is active.
    Default: enable
log-unmatched-traffic {disable | enable}
    Enable or disable logging of dropped traffic for policies with
    identity-based enabled.
    Default: disable
match-vip {enable | disable}
    If you want to explicitly drop a packet that is not matched by any
    firewall policy and write a log message when this happens, you can add
    a general policy (source and destination address set to ANY) to the
    bottom of the policy list and configure it to DENY packets and record a
    log message when a packet is dropped.
    In some cases, when a virtual IP performs destination NAT (DNAT) on a
    packet, the translated packet may not be accepted by any firewall
    policy. If this happens, the packet is silently dropped and therefore
    not matched by the general policy at the bottom of the policy list.
    To catch these packets, enable match-vip in the general policy. Then
    the DNATed packets that are not matched by a VIP policy are matched by
    the general policy, where they can be explicitly dropped and logged.
    Default: disable
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
firewall
policy, policy6
Variable
Description
Default
nat {enable | disable}
Enable or disable network address translation (NAT). NAT
translates the address and the port of packets accepted by the
policy. When NAT is enabled, ippool and fixedport can also
be enabled or disabled.
This option appears only if action is accept or ssl-vpn.
disable
natinbound
{enable | disable}
Enable or disable translating the source addresses IP packets
emerging from the tunnel into the IP address of the FortiGate
unit’s network interface to the local private network.
This option appears only if action is ipsec.
disable
natip <address_ipv4mask>
When action is set to ipsec and natoutbound is enabled,
specify the source IP address and subnet mask to apply to
outbound clear text packets before they are sent through the
tunnel.
If you do not specify a natip value when natoutbound is
enabled, the source addresses of outbound encrypted packets
are translated into the IP address of the FortiGate unit’s external
interface. When a natip value is specified, the FortiGate unit
uses a static subnetwork-to-subnetwork mapping scheme to
translate the source addresses of outbound IP packets into
corresponding IP addresses on the subnetwork that you specify.
For example, if the source address in the firewall encryption policy
is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source
address of 192.168.1.7 will be translated to 172.16.2.7.
0.0.0.0
0.0.0.0
natoutbound
{enable | disable}
When action is set to ipsec, enable or disable translating the
source addresses of outbound encrypted packets into the IP
address of the FortiGate unit’s outbound interface. Enable this
attribute in combination with the natip attribute to change the
source addresses of IP packets before they go into the tunnel.
disable
ntlm {enable | disable}
    Enable or disable Directory Service authentication via NTLM.
    If you enable this option, you must also define the user groups.
    This option appears only if identity-based is enable.
    Default: disable

ntlm-enabled-browsers <user-agent_string>
    Enter the HTTP User-Agent strings of supported browsers.
    Enclose each string in quotes and separate strings with a space.
    Browsers with non-matching strings get guest access.
    Default: none

ntlm-guest {enable | disable}
    Enable or disable NTLM guest user access.
    Default: disable

outbound {enable | disable}
    When action is set to ipsec, enable or disable allowing traffic from
    computers on the local private network to initiate an IPSec VPN
    tunnel.
    Default: disable

per-ip-shaper <shaper_name>
    Enter the name of the per-IP traffic shaper to apply. For
    information about per-IP traffic shapers, see firewall shaper per-ip-shaper.
    Default: none

poolname <name_str>
    Enter the name of the IP pool.
    This variable appears only if nat and ippool are enable.
    Default: none

redirect-url <name_str>
    Enter a URL, if any, that the user is redirected to after
    authenticating and/or accepting the user authentication
    disclaimer.
    This option only appears if disclaimer is enable.
    Default: none
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
replacemsg-override-group <group_string>
    Select a replacement message override group from the available
    configured groups. This will override the default replacement
    message for this policy.

rtp-nat {disable | enable}
    Enable to apply source NAT to RTP packets received by the
    firewall policy. This field is used for redundant SIP configurations.
    If rtp-nat is enabled you must add one or more firewall
    addresses to the rtp-addr field.

rtp-addr <name_str>
    Enter one or more RTP firewall addresses for the policy. Separate
    multiple firewall addresses with a space.
    This field is only available when rtp-nat is enabled.

schedule <name_str>
    Enter the name of the one-time or recurring schedule or schedule
    group to use for the policy.
    Default: none

schedule-timeout {enable | disable}
    Enable to force sessions to end when the policy schedule end time is
    reached.
    Default: disable

service <name_str>
    Enter the name of one or more services, or a service group, to
    match with the firewall policy. Separate multiple services with a
    space.
    Default: none

sessions {enable | disable}
    Enable or disable taking a snapshot of the number of active
    sessions for the policy every five minutes. This is available when
    auto-profiling is enabled.
    Default: disable

session-ttl <session_time_integer>
    Set a session timeout value in the policy to override the global timeout
    setting defined using config system session-ttl. When left at
    the default value, the override does not take effect.
    Default: 0

srcaddr <name_str>
    Enter one or more source firewall addresses for the policy.
    Separate multiple firewall addresses with a space.
    If action is set to ipsec, enter the private IP address of the
    host, server, or network behind the FortiGate unit.
    If action is set to ssl-vpn and the firewall encryption policy is
    for web-only mode clients, type all.
    If action is set to ssl-vpn and the firewall encryption policy is
    for tunnel mode clients, enter the name of the IP address range
    that you reserved for tunnel mode clients. To define an address
    range for tunnel mode clients, see “ssl settings” on page 658.
    Default: none

srcintf <name_str>
    Enter the source interface for the policy. The interface can be a
    physical interface, a VLAN subinterface, a zone, ftp-proxy, or
    web-proxy.
    If the interface or VLAN subinterface has been added to a zone,
    the interface or VLAN subinterface cannot be used for srcintf.
    If action is set to ipsec, enter the name of the interface to the
    local (private) network.
    If action is set to ssl-vpn, enter the name of the interface that
    accepts connections from remote clients.
    Default: none
sslvpn-auth {any | ldap | local | radius | tacacs+}
    If action is set to ssl-vpn, enter one of the following client
    authentication options:
    • If you want the FortiGate unit to authenticate remote clients
      using any local user group, a RADIUS server, or LDAP server,
      type any.
    • If the user group is a local user group, type local.
    • If the remote clients are authenticated by an external RADIUS
      server, type radius.
    • If the remote clients are authenticated by an external LDAP
      server, type ldap.
    • If the remote clients are authenticated by an external
      TACACS+ server, type tacacs+.
    You must also set the name of the group which will use the
    authentication method.
    Default: any

sslvpn-ccert {enable | disable}
    If action is set to ssl-vpn, enable or disable the use of security
    certificates to authenticate remote clients.
    Default: disable

sslvpn-cipher {0 | 1 | 2}
    If action is set to ssl-vpn, enter one of the following options to
    determine the level of SSL encryption to use. The web browser on
    the remote client must be capable of matching the level that you
    select:
    • To use any cipher suite, type 0.
    • To use a 164-bit or greater cipher suite (high), type 1.
    • To use a 128-bit or greater cipher suite (medium), type 2.
    Default: 0

status {enable | disable}
    Enable or disable the policy.
    Default: enable

tags <tags_str>
    Enter object tags applied to this policy. Separate tag names with
    spaces.
    Default: null

tcp-mss-sender <maximumsize_int>
    Enter a TCP maximum segment size (MSS) for the sender.
    When a FortiGate unit is configured to use PPPoE to connect to
    an ISP, certain web sites may not be accessible to users. This
    occurs because a PPPoE frame takes an extra 8 bytes off the
    standard Ethernet MTU of 1500.
    When the server sends a large packet with the DF bit set to 1, the
    ADSL provider’s router either does not send an “ICMP
    fragmentation needed” packet or the packet is dropped along the
    path to the web server. In either case, the web server never learns
    that fragmentation is required to reach the client.
    In this case, configure the tcp-mss-sender option to enable
    access to all web sites. For more information, see the article
    Cannot view some web sites when using PPPoE on the Fortinet
    Knowledge Center.
    Default: 0

tcp-mss-receiver <maximumsize_int>
    Enter a TCP MSS number for the receiver.
    Default: 0

tcp-reset {enable | disable}
    Perform a TCP reset on TCP traffic that matches a deny policy.
    Default: disable

traffic-shaper <name_str>
    Select a traffic shaper for the policy. A traffic shaper controls the
    bandwidth available to, and sets the priority of, the traffic
    processed by the policy.
    This option appears only if identity-based is disable.
    Default: none
traffic-shaper-reverse <name_str>
    Select a reverse traffic shaper. For example, if the traffic direction
    that a policy controls is from port1 to port2, selecting this option
    also applies the policy shaping configuration to traffic from port2 to
    port1.
    Default: none

per-ip-shaper <name_str>
    Select a per-IP traffic shaper for the policy. A traffic shaper
    controls the bandwidth available to, and sets the priority of, the
    traffic processed by the policy.
    This option appears only if a traffic-shaper is selected.
    Default: none

vpntunnel <name_str>
    Enter the name of a Phase 1 IPSec VPN configuration to apply to
    the tunnel.
    This option appears only if action is ipsec.
    Default: none

wccp {enable | disable}
    Enable or disable web cache on the policy. If enabled, the
    FortiGate unit will check the learned web cache information, and
    may redirect the traffic to the web cache server.
    Default: disable

web-auth-cookie {enable | disable}
    Enable to reduce the number of authentication requests to the
    authentication server when session-based authentication is
    applied using the explicit web proxy. This is only available when
    session-based authentication is enabled.
    Default: disable

webcache {disable | enable}
    Enable or disable WAN optimization web caching for HTTP traffic
    accepted by the firewall policy. This option is available only on
    FortiGate units that support WAN Optimization and web caching.
    Default: disable

web-proxy-forward-server <fwd_server_name_string>
    Enter the name of the web-proxy forward server.
    Available if srcintf is web-proxy.
    Default: none

utm-status {disable | enable}
    Enable or disable UTM for the firewall policy. If you enable UTM
    you must add one or more UTM profiles and sensors (or a profile
    group) to the firewall policy.
    This option appears only if identity-based is disable.
    Default: disable

profile-type {group | single}
    Select whether to add individual UTM profiles or a UTM profile
    group to the firewall policy.
    This option appears only if identity-based is disable.
    Default: single

profile-group <name_str>
    Enter the name of a UTM profile group to add to the firewall
    policy. This option is available if profile-type is set to group.
    This option appears only if identity-based is disable and
    utm-status is enable.
    Default: (null)

profile-protocol-options <name_str>
    Enter the name of the protocol options profile to add to the
    firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    Default: (null)

av-profile <name_str>
    Enter the name of the antivirus profile to add to the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable. To add an av-profile, you must
    obtain an adequate profile name in profile-protocol-options.
    Default: (null)
webfilter-profile <name_str>
    Enter the name of the web filtering profile to add to the firewall
    policy.
    This option appears only if identity-based is disable and
    utm-status is enable. To add a webfilter-profile, you
    must obtain an adequate profile name in profile-protocol-options.
    Default: (null)

spamfilter-profile <name_str>
    Enter the name of the email filter profile to add to the firewall
    policy.
    This option appears only if identity-based is disable and
    utm-status is enable. To add a spamfilter-profile, you
    must obtain an adequate profile name in profile-protocol-options.
    Default: (null)

ips-sensor <name_str>
    Enter the name of the IPS sensor to add to the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    This option is not available in IPv6 firewall policies.
    Default: (null)

dlp-sensor <name_str>
    Enter the name of the DLP sensor to add to the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    Default: (null)

application-list <name_str>
    Enter the name of the application list to add to the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    This option is not available in IPv6 firewall policies.
    Default: (null)

voip-profile <name_str>
    Enter the name of the VoIP profile to add to the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    Default: (null)

mms-profile <name_str>
    For FortiOS Carrier, enter the name of the MMS profile to add to
    the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    Default: (null)

replacemsg-group <name_str>
    For FortiOS Carrier, enter the name of the replacement message
    group to add to the firewall policy.
    This option appears only if identity-based is disable and
    utm-status is enable.
    Default: default

config identity-based-policy
Create an identity-based firewall policy that requires authentication. This option is only available if identity-based
is enabled.

<policy_id>
    Enter the name for the identity-based policy.
    Default: none

groups <group_name>
    Enter the user group name for the identity-based policy.
    Default: none

logtraffic {enable | disable}
    Enable or disable traffic logging for the identity-based policy.
    Default: disable

schedule <name_str>
    Enter the firewall schedule for the identity-based policy.
    Default: none

service <name_str>
    Enter the firewall service for the identity-based policy.
    Default: none
traffic-shaper <name_str>
    Enter the traffic shaper for the identity-based policy.
    Default: none

traffic-shaper-reverse <name_str>
    Enter the reverse direction traffic shaper for the identity-based
    policy.
    Default: none

per-ip-shaper <name_str>
    Enter the per-IP traffic shaper for the identity-based policy.
    Default: none

utm-status {disable | enable}
    Enable or disable UTM for the identity-based policy. If you enable
    UTM you must add one or more UTM profiles and sensors (or a
    profile group) to the identity-based policy.
    Default: disable

profile-type {group | single}
    Select whether to add individual UTM profiles or a UTM profile
    group to the identity-based policy.
    Default: single

profile-group <name_str>
    Enter the name of a UTM profile group to add to the identity-based
    policy. This option is available if profile-type is set to
    group.
    Default: (null)

profile-protocol-options <name_str>
    Enter the name of the protocol options profile to add to the firewall
    policy.
    Default: (null)

av-profile <name_str>
    Enter the name of the antivirus profile to add to the identity-based
    policy.
    Default: (null)

webfilter-profile <name_str>
    Enter the name of the web filtering profile to add to the
    identity-based policy.
    Default: (null)

spamfilter-profile <name_str>
    Enter the name of the email filter profile to add to the
    identity-based policy.
    Default: (null)

ips-sensor <name_str>
    Enter the name of the IPS sensor to add to the identity-based
    policy.
    Default: (null)

dlp-sensor <name_str>
    Enter the name of the DLP sensor to add to the identity-based
    policy. To add a dlp-sensor, you must obtain an adequate name
    in profile-protocol-options.
    Default: (null)

application-list <name_str>
    Enter the name of the application list to add to the identity-based
    policy.
    Default: (null)

voip-profile <name_str>
    Enter the name of the VoIP profile to add to the identity-based
    policy.
    Default: (null)

mms-profile <name_str>
    For FortiOS Carrier, enter the name of the MMS profile to add to
    the identity-based policy.
    Default: (null)

replacemsg-group <name_str>
    For FortiOS Carrier, enter the name of the replacement message
    group to add to the identity-based policy.
    Default: default
profile-group
Use this command in FortiOS Carrier to create profile groups. A profile group can contain an antivirus profile, IPS
sensor, web filter profile, email filter profile, DLP sensor, application control list, a VoIP profile, an MMS profile and a
replacement message group. Once you create profile groups you can add them to firewall policies instead of adding
individual UTM profiles and lists.
Syntax
config firewall profile-group
  edit <name_str>
    set profile-protocol-options <name_str>
    set av-profile <name_str>
    set icap-profile <name_str>
    set webfilter-profile <name_str>
    set spamfilter-profile <name_str>
    set ips-sensor <name_str>
    set dlp-sensor <name_str>
    set application-chart {top10-app | top10-media-user | top10-p2p-user}
    set application-list <name_str>
    set voip-profile <name_str>
    set mms-profile <name_str>
    set replacemsg-group <name_str>
end

<name_str>
    Enter the name of the profile group.

profile-protocol-options <name_str>
    Enter the name of the protocol options profile to add to the profile
    group.
    Default: (null)

av-profile <name_str>
    Enter the name of the antivirus profile to add to the profile group.
    To add an av-profile, you must obtain an adequate profile
    name in profile-protocol-options.
    Default: (null)

icap-profile <name_str>
    Enter the name of the Internet Content Adaptation Protocol (ICAP)
    profile to add to the profile group. To add an icap-profile, you
    must obtain an adequate profile name in profile-protocol-options.
    Default: (null)

webfilter-profile <name_str>
    Enter the name of the web filtering profile to add to the profile
    group. To add a webfilter-profile, you must obtain an
    adequate profile name in profile-protocol-options.
    Default: (null)

spamfilter-profile <name_str>
    Enter the name of the email filter profile to add to the profile group.
    To add a spamfilter-profile, you must obtain an adequate
    profile name in profile-protocol-options.
    Default: (null)

ips-sensor <name_str>
    Enter the name of the IPS sensor to add to the profile group.
    Default: (null)

dlp-sensor <name_str>
    Enter the name of the DLP sensor to add to the profile group. To
    add a dlp-sensor, you must obtain an adequate profile name in
    profile-protocol-options.
    Default: (null)

application-chart {top10-app | top10-media-user | top10-p2p-user}
    Enter the application chart type.
    • top10-app: Top 10 applications chart
    • top10-media-user: Top 10 media users chart
    • top10-p2p-user: Top 10 P2P users chart
    Default: (null)

application-list <name_str>
    Enter the name of the application list to add to the profile group.
    Default: (null)

voip-profile <name_str>
    Enter the name of the VoIP profile to add to the profile group.
    Default: (null)

mms-profile <name_str>
    For FortiOS Carrier, enter the name of the MMS profile to add to
    the profile group.
    Default: (null)

replacemsg-group <name_str>
    For FortiOS Carrier, enter the name of the replacement message
    group to add to the profile group.
    Default: default
profile-protocol-options
Use this command to configure UTM protocol options profiles for firewall policies. Protocol options configure how
UTM functionality identifies content protocols such as HTTP, FTP, and SMTP. Every firewall policy that includes UTM
profiles must include a protocol options profile.
To configure ssl-server entries, first change client-cert-request from bypass to inspect or block.
Syntax
config firewall profile-protocol-options
  edit <name_str>
    set comment <comment_str>
    set oversize-log {disable | enable}
    set ssl-invalid-server-cert-log {disable | enable}
    set intercept-log {enable | disable}
    config http
      set port <port_number_int>
      set inspect-all {disable | enable}
      set options {chunkedbypass | clientcomfort | no-content-summary | oversize
        | servercomfort}
      set comfort-interval <interval_int>
      set comfort-amount <amount_int>
      set post-lang <charset1> [<charset2>... <charset5>]
      set oversize-limit <size_int>
      set retry-count <retry_int>
    config https
      set port <port_number_int>
      set options {allow-invalid-server-cert | no-content-summary | ssl-ca-list}
      set comfort-interval <interval_int>
      set comfort-amount <amount_int>
      set post-lang <charset1> [<charset2>... <charset5>]
      set oversize-limit <size_int>
      set deep-scan {disable | enable}
      set client-cert-request {bypass | inspect | block}
      set unsupported-ssl {bypass | block}
    config ftp
      set port <port_number_int>
      set inspect-all {disable | enable}
      set options {clientcomfort | no-content-summary | oversize | splice}
      set comfort-interval <interval_int>
      set comfort-amount <amount_int>
      set post-lang <charset1> [<charset2>... <charset5>]
      set oversize-limit <size_int>
    config ftps
      set port <port_number_int>
      set options {allow-invalid-server-cert | clientcomfort | no-content-summary
        | oversize | splice | ssl-ca-list}
      set comfort-interval <interval_int>
      set comfort-amount <amount_int>
      set post-lang <charset1> [<charset2>... <charset5>]
      set oversize-limit <size_int>
      set client-cert-request {bypass | inspect | block}
      set unsupported-ssl {bypass | block}
    config imap
      set port <port_number_int>
      set inspect-all {disable | enable}
      set options {fragmail | no-content-summary | oversize}
      set oversize-limit <size_int>
    config imaps
      set port <port_number_int>
      set options {allow-invalid-server-cert | fragmail | no-content-summary |
        oversize}
      set oversize-limit <size_int>
      set client-cert-request {bypass | inspect | block}
      set unsupported-ssl {bypass | block}
    config pop3
      set port <port_number_int>
      set inspect-all {disable | enable}
      set options {fragmail | no-content-summary | oversize}
      set oversize-limit <size_int>
    config pop3s
      set port <port_number_int>
      set options {allow-invalid-server-cert | fragmail | no-content-summary |
        oversize}
      set oversize-limit <size_int>
      set client-cert-request {bypass | inspect | block}
      set unsupported-ssl {bypass | block}
    config smtp
      set port <port_number_int>
      set inspect-all {disable | enable}
      set options {fragmail | no-content-summary | oversize | splice}
      set oversize-limit <size_int>
      set server_busy {disable | enable}
    config smtps
      set port <port_number_int>
      set options {fragmail | no-content-summary | oversize | splice}
      set oversize-limit <size_int>
      set client-cert-request {bypass | inspect | block}
      set unsupported-ssl {bypass | block}
    config nntp
      set port <port_number_int>
      set inspect-all {disable | enable}
      set options {no-content-summary | oversize | splice}
      set oversize-limit <size_int>
    config im
      set options {no-content-summary | oversize}
      set oversize-limit <size_int>
    config mail-signature
      set status {disable | enable}
      set signature <text>
    config ssl-server
      edit <table_id>
        set ftps-client-cert-request {block | bypass | inspect}
        set https-client-cert-request {block | bypass | inspect}
        set imaps-client-cert-request {block | bypass | inspect}
        set ip <ipv4_addr>
        set pop3s-client-cert-request {block | bypass | inspect}
        set smtps-client-cert-request {block | bypass | inspect}
      end
end
<name_str>
    Enter the name of the protocol options profile.

comment <comment_str>
    Optionally enter a description of up to 63 characters of the
    protocol options profile.

oversize-log {disable | enable}
    Enable or disable logging for antivirus oversize file blocking.
    Default: disable

ssl-invalid-server-cert-log {disable | enable}
    Enable or disable logging for SSL server certificate validation.
    Default: disable

intercept-log {enable | disable}
    Enable or disable logging when the FortiOS Carrier antivirus file
    filter action is set to intercept.

config http
Configure HTTP protocol options.

port <port_number_int>
    Enter the port number to scan for HTTP content.
    Default: 80

inspect-all {disable | enable}
    Enable to monitor all ports for the HTTP protocol. If you enable this
    option you can’t select a port.
    Default: disable

options {chunkedbypass | clientcomfort | no-content-summary | oversize | servercomfort}
    Select one or more options to apply to HTTP sessions. To select
    more than one, enter the option names separated by a space.
    chunkedbypass: allow web sites that use chunked encoding for
    HTTP to bypass the firewall. Chunked encoding means the HTTP
    message body is altered to allow it to be transferred in a series of
    chunks. Use of this feature is a risk. Malicious content could enter
    the network if web content is allowed to bypass the firewall.
    clientcomfort: apply client comforting and prevent client
    timeout.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    servercomfort: apply server comforting and prevent server
    timeout.
    Default: no-content-summary

comfort-interval <interval_int>
    Enter the time in seconds to wait before client comforting starts
    after a download has begun. It is also the interval between
    subsequent client comforting sends. The range is 1 to 900
    seconds.
    Default: 10

comfort-amount <amount_int>
    Enter the number of bytes client comforting sends each interval to
    show that an HTTP download is progressing. The range is 1 to
    10240 bytes.
    Default: 1

post-lang <charset1> [<charset2>... <charset5>]
    For HTTPS post pages, because character sets are not always
    accurately indicated in HTTPS posts, you can use this option to
    specify up to five character set encodings. The FortiGate unit
    performs a forced conversion of HTTPS post pages to UTF-8 for
    each specified character set. After each conversion the FortiGate
    unit applies web content filtering and DLP scanning to the content
    of the converted page.
    Caution: Specifying multiple character sets reduces web filtering
    and DLP performance.

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked, depending on whether oversize is a
    selected HTTP option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

retry-count <retry_int>
    Enter the number of times to retry establishing an HTTP
    connection when the connection fails on the first try. The range is 0
    to 100.
    This allows the web server proxy to repeat the connection attempt
    on behalf of the browser if the server refuses the connection the
    first time. This works well and reduces the number of hang-ups or
    page not found errors for busy web servers.
    Entering zero (0) effectively disables this feature.
    Default: 0
config https
Configure HTTPS protocol options.

port <port_number_int>
    Enter the port number to scan for HTTPS content.
    Default: 443

options {allow-invalid-server-cert | no-content-summary | ssl-ca-list}
    Select one or more options to apply to HTTPS sessions. To select
    more than one, enter the option names separated by a space.
    allow-invalid-server-cert: allow SSL sessions even if
    server certificate validation failed for the session.
    no-content-summary: do not add content information to the
    dashboard.
    ssl-ca-list: verify the SSL session server certificate against the
    stored CA certificate list.
    Default: no-content-summary

comfort-interval <interval_int>
    Enter the time in seconds to wait before client comforting starts
    after a download has begun. It is also the interval between
    subsequent client comforting sends. The range is 1 to 900
    seconds.
    Default: 10

comfort-amount <amount_int>
    Enter the number of bytes client comforting sends each interval
    to show that an HTTP download is progressing. The range is 1 to
    10240 bytes.
    Default: 1

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the
    file is passed or blocked. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

post-lang <charset1> [<charset2>... <charset5>]
    For HTTP post pages, because character sets are not always
    accurately indicated in HTTP posts, you can use this option to
    specify up to five character set encodings. The FortiGate unit
    performs a forced conversion of HTTP post pages to UTF-8 for
    each specified character set. After each conversion the FortiGate
    unit applies web content filtering and DLP scanning to the
    content of the converted page.
    Caution: Specifying multiple character sets reduces web filtering
    and DLP performance.

deep-scan {disable | enable}
    Enable to decrypt HTTPS traffic and perform additional scanning
    of the content of the HTTPS traffic. Using this option requires
    adding HTTPS server certificates to the FortiGate unit so that
    HTTPS traffic can be decrypted.
    Default: disable

client-cert-request {bypass | inspect | block}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the SSL handshake.
    SSL sessions that use client certificates bypass SSL
    inspection by default. This command offers the options to
    inspect or block that traffic.
    Default: bypass

unsupported-ssl {bypass | block}
    Select whether to bypass or block undecryptable SSL sessions.
    Default: bypass
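As an added example (not Fortinet code), a small Python audit that parses a profile-protocol-options block written in the syntax shown above and flags the settings in this section that let SSL sessions through uninspected; the sub-table and option names are the page's own, the two sample profiles are constructed for this example.

```python
"""Audit a FortiOS 4.3 'config firewall profile-protocol-options' block for the
SSL-inspection settings documented in this section (added example, not Fortinet
code; the sample configuration is constructed).  Absent settings are taken to be
at their documented defaults: bypass for the SSL actions, disable for the rest.
"""
import shlex

# Constructed sample: a permissive profile beside a hardened one.
SAMPLE_CONFIG = """
config firewall profile-protocol-options
    edit "web-permissive"
        set comment "lab profile, everything left at bypass"
        set ssl-invalid-server-cert-log disable
        config http
            set options chunkedbypass oversize
        end
        config https
            set options allow-invalid-server-cert no-content-summary
            set deep-scan disable
            set client-cert-request bypass
            set unsupported-ssl bypass
        end
    next
    edit "web-strict"
        set ssl-invalid-server-cert-log enable
        config http
            set options oversize
        end
        config https
            set options ssl-ca-list oversize
            set deep-scan enable
            set client-cert-request inspect
            set unsupported-ssl block
        end
    next
end
"""

# Sub-tables of the profile that carry the SSL options (see the syntax above).
SSL_SUBTABLES = ("https", "ftps", "imaps", "pop3s", "smtps")


def parse_profiles(text):
    """Return {profile: {"": top-level settings, "http": {...}, "https": {...}}}.
    Handles the shapes used in this section: 'edit <name>', nested
    'config <proto>' sub-tables closed by 'end', 'set' lines and 'next'."""
    profiles, current, sub = {}, None, ""
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[0] == "edit":
            current = profiles.setdefault(words[1], {"": {}})
            sub = ""
        elif words[0] == "config" and current is not None and len(words) == 2:
            sub = words[1]
            current.setdefault(sub, {})
        elif words[0] == "set" and current is not None:
            current[sub][words[1]] = words[2:]   # values stay a list of tokens
        elif words[0] == "end" and sub:
            sub = ""                             # back to the profile level
        elif words[0] == "next":
            current, sub = None, ""
    return profiles


def audit_profile(prof):
    """Return (location, message) findings for one parsed profile."""
    findings = []
    if prof[""].get("ssl-invalid-server-cert-log", ["disable"]) == ["disable"]:
        findings.append(("profile", "ssl-invalid-server-cert-log disable: failed server certificate validation is never logged"))
    if "chunkedbypass" in prof.get("http", {}).get("options", []):
        findings.append(("http", "chunkedbypass lets chunked HTTP bodies bypass the firewall"))
    for proto in SSL_SUBTABLES:
        table = prof.get(proto)
        if table is None:
            continue
        if "allow-invalid-server-cert" in table.get("options", []):
            findings.append((proto, "allow-invalid-server-cert accepts sessions whose server certificate failed validation"))
        if table.get("client-cert-request", ["bypass"]) == ["bypass"]:
            findings.append((proto, "client-cert-request bypass: sessions using client certificates skip SSL inspection"))
        if table.get("unsupported-ssl", ["bypass"]) == ["bypass"]:
            findings.append((proto, "unsupported-ssl bypass: undecryptable SSL sessions pass uninspected"))
        if proto == "https" and table.get("deep-scan", ["disable"]) == ["disable"]:
            findings.append((proto, "deep-scan disable: HTTPS content is not decrypted for scanning"))
    return findings


def audit(text):
    """Audit every profile in a config block; a hardened profile yields []."""
    return {name: audit_profile(prof) for name, prof in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {len(items)} finding(s)")
        for where, msg in items:
            print(f"  [{where}] {msg}")
```

Running the block prints six findings for web-permissive and none for web-strict; the same parser can be pointed at a saved "show firewall profile-protocol-options" output.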
config ftp
Configure FTP protocol options.

port <port_number_int>
    Enter the port number to scan for FTP content.
    Default: 21

inspect-all {disable | enable}
    Enable to monitor all ports for the FTP protocol. If you enable this
    option you can’t select a port.
    Default: disable

options {clientcomfort | no-content-summary | oversize | splice}
    Select one or more options to apply to FTP sessions. To select more
    than one, enter the option names separated by a space.
    clientcomfort: apply client comforting and prevent client
    timeout.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    splice: simultaneously scan a file and send it to the recipient. If
    the FortiGate unit detects a virus, it prematurely terminates the
    connection.
    Default: no-content-summary splice

comfort-interval <interval_int>
    Enter the time in seconds to wait before client comforting starts
    after a download has begun. It is also the interval between
    subsequent client comforting sends. The range is 1 to 900
    seconds.
    Default: 10

comfort-amount <amount_int>
    Enter the number of bytes client comforting sends each interval to
    show that an FTP download is progressing. The range is 1 to
    10240 bytes.
    Default: 1

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected FTP option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10
config ftps
Configure FTPS protocol options.

port <port_number_int>
    Enter the port number to scan for FTPS content.
    Default: 990

options {allow-invalid-server-cert | clientcomfort | no-content-summary | oversize | splice | ssl-ca-list}
    Select one or more options to apply to FTPS sessions. To select
    more than one, enter the option names separated by a space.
    allow-invalid-server-cert: allow SSL sessions whose
    server certificate validation failed.
    clientcomfort: apply client comforting and prevent client
    timeout.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    splice: simultaneously scan a file and send it to the recipient. If
    the FortiGate unit detects a virus, it prematurely terminates the
    connection.
    ssl-ca-list: verify the SSL session server certificate against the
    stored CA certificate list.
    Default: no-content-summary splice

comfort-interval <interval_int>
    Enter the time in seconds to wait before client comforting starts
    after a download has begun. It is also the interval between
    subsequent client comforting sends. The range is 1 to 900
    seconds.
    Default: 10

comfort-amount <amount_int>
    Enter the number of bytes client comforting sends each interval to
    show that an FTPS download is progressing. The range is 1 to
    10240 bytes.
    Default: 1

post-lang <charset1> [<charset2>... <charset5>]
    For HTTP post pages, because character sets are not always
    accurately indicated in HTTP posts, you can use this option to
    specify up to five character set encodings. The FortiGate unit
    performs a forced conversion of HTTP post pages to UTF-8 for
    each specified character set. After each conversion the FortiGate
    unit applies web content filtering and DLP scanning to the content
    of the converted page.
    Caution: Specifying multiple character sets reduces web filtering
    and DLP performance.

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected FTPS option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

client-cert-request {bypass | inspect | block}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the SSL handshake.
    SSL sessions that use client certificates bypass SSL
    inspection by default. This command offers the options to inspect
    or block that traffic.
    Default: bypass

unsupported-ssl {bypass | block}
    Select whether to bypass or block undecryptable SSL sessions.
    Default: bypass
config imap
Configure IMAP protocol options.

port <port_number_int>
    Enter the port number to scan for IMAP content.
    Default: 143

inspect-all {disable | enable}
    Enable to monitor all ports for the IMAP protocol. If you enable this
    option you can’t select a port.
    Default: disable

options {fragmail | no-content-summary | oversize}
    Select one or more options to apply to IMAP sessions. To select more
    than one, enter the option names separated by a space.
    fragmail: allow fragmented email. Fragmented email cannot be
    scanned for viruses.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    Default: fragmail no-content-summary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected IMAP option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10
config imaps
Configure secure IMAP (IMAPS) protocol options.

port <port_number_int>
    Enter the port number to scan for IMAPS content.
    Default: 993

options {allow-invalid-server-cert | fragmail | no-content-summary | oversize}
    Select one or more options that apply to IMAPS sessions. To select
    more than one, enter the option names separated by a space.
    allow-invalid-server-cert: allow SSL sessions even if server
    certificate validation failed for the session.
    fragmail: allow fragmented email. Fragmented email cannot be
    scanned for viruses.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    Default: fragmail nocontentsummary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected IMAPS option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

client-cert-request {bypass | inspect | block}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the SSL handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

unsupported-ssl {bypass | block}
    Select whether to bypass or block undecryptable SSL sessions.
    Default: bypass
config pop3
Configure POP3 protocol options.

port <port_number_int>
    Enter the port number to scan for POP3 content.
    Default: 110

inspect-all {disable | enable}
    Enable to monitor all ports for the POP3 protocol. If you enable this
    option you can’t select a port.
    Default: disable

options {fragmail | no-content-summary | oversize}
    Select one or more options that apply to POP3 sessions. To select
    more than one, enter the option names separated by a space.
    fragmail: allow fragmented email. Fragmented email cannot be
    scanned for viruses.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    Default: fragmail nocontentsummary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected POP3 option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

config pop3s
Configure secure POP3 (POP3S) protocol options.
port <port_number_int>
    Enter the port number to scan for POP3S content.
    Default: 995

options {allow-invalid-server-cert | fragmail | no-content-summary | oversize}
    Select one or more options that apply to POP3S sessions. To select
    more than one, enter the option names separated by a space.
    allow-invalid-server-cert: allow SSL sessions even if server
    certificate validation failed for the session.
    fragmail: allow fragmented email. Fragmented email cannot be
    scanned for viruses.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    Default: fragmail nocontentsummary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected POP3S option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

client-cert-request {bypass | inspect | block}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the SSL handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

unsupported-ssl {bypass | block}
    Select whether to bypass or block undecryptable SSL sessions.
    Default: bypass
config smtp
Configure SMTP protocol options.

port <port_number_int>
    Enter the port number to scan for SMTP content.
    Default: 25

inspect-all {disable | enable}
    Enable to monitor all ports for the SMTP protocol. If you enable
    this option you can’t select a port.
    Default: disable

options {fragmail | no-content-summary | oversize | splice}
    Select one or more options that apply to SMTP sessions. To select
    more than one, enter the option names separated by a space.
    fragmail: allow fragmented email. Fragmented email cannot be
    scanned for viruses.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    splice: simultaneously scan a message and send it to the
    recipient. If the FortiGate unit detects a virus, it prematurely
    terminates the connection and returns an error message to the
    sender, listing the virus and infected file name. splice is selected
    when scan is selected. With streaming mode enabled, select
    either Spam Action (Tagged or Discard) for SMTP spam. When
    streaming mode is disabled for SMTP, infected attachments are
    removed and the email is forwarded (without the attachment) to
    the SMTP server for delivery to the recipient.
    Throughput is higher when streaming mode is enabled.
    Default: fragmail nocontentsummary splice

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected SMTP option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

server-busy {disable | enable}
    Enable this option so that when the FortiGate unit attempts to
    send an SMTP email but can’t because of a connection timeout or
    connection error, it returns a 412 server busy error message to the
    email client attempting to send the message.
    Usually the FortiGate unit accepts an SMTP SYN from a client and
    immediately sends back an ACK before actually connecting with the
    real SMTP server. If the server responds with a NACK (service
    not available) the FortiGate-to-server connection drops, but the
    FortiGate-to-client connection just hangs until a timeout occurs.
    This causes particular problems for systems that use alternative
    servers: they may not move to the next server until the timeout
    occurs. Not all SMTP mail servers behave in this way; some use an
    SMTP HELO to confirm the connection is active and so do not
    have an issue with this behavior.
    Default: disable

config smtps
Configure secure SMTP (SMTPS) protocol options.
port <port_number_int>
    Enter the port number to scan for SMTPS content.
    Default: 465

options {fragmail | no-content-summary | oversize | splice}
    Select one or more options that apply to SMTPS sessions. To select
    more than one, enter the option names separated by a space.
    fragmail: allow fragmented email. Fragmented email cannot be
    scanned for viruses.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    splice: simultaneously scan a message and send it to the
    recipient. If the FortiGate unit detects a virus, it prematurely
    terminates the connection and returns an error message to the
    sender, listing the virus and infected file name. splice is selected
    when scan is selected. With streaming mode enabled, select
    either Spam Action (Tagged or Discard) for SMTPS spam. When
    streaming mode is disabled for SMTPS, infected attachments are
    removed and the email is forwarded (without the attachment) to
    the SMTPS server for delivery to the recipient.
    Throughput is higher when streaming mode is enabled.
    Default: fragmail nocontentsummary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected SMTPS option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

client-cert-request {bypass | inspect | block}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the SSL handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

unsupported-ssl {bypass | block}
    Select whether to bypass or block undecryptable SSL sessions.
    Default: bypass
config nntp
Configure NNTP protocol options.

port <port_number_int>
    Enter the port number to scan for NNTP content.
    Default: 119

inspect-all {disable | enable}
    Enable to monitor all ports for the NNTP protocol. If you enable
    this option you can’t select a port.
    Default: disable

options {no-content-summary | oversize | splice}
    Select one or more options that apply to NNTP sessions. To select
    more than one, enter the option names separated by a space.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    splice: simultaneously scan a file and send it to the recipient. If
    the FortiGate unit detects a virus, it prematurely terminates the
    connection.
    Default: nocontentsummary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected NNTP option. The maximum file size for scanning in
    memory is 10% of the FortiGate unit’s RAM.
    Default: 10

config im
Configure IM protocol options.

options {no-content-summary | oversize}
    Select one or more options that apply to IM sessions. To select more
    than one, enter the option names separated by a space.
    no-content-summary: do not add content information to the
    dashboard.
    oversize: block files that are over the file size limit.
    Default: nocontentsummary

oversize-limit <size_int>
    Enter the maximum in-memory file size that will be scanned, in
    megabytes. If the file is larger than the oversize-limit, the file
    is passed or blocked depending on whether oversize is a
    selected IM option. The maximum file size for scanning in memory
    is 10% of the FortiGate unit’s RAM.
    Default: 10

config ssl-server
Configure SSL server settings for use with the secure protocols (https, ftps, pop3s, smtps).
edit <table_id>
    Enter a number to identify this SSL server in the list of configured
    SSL servers.

ftps-client-cert-request {block | bypass | inspect}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the FTPS client handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

https-client-cert-request {block | bypass | inspect}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the HTTPS client handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

imaps-client-cert-request {block | bypass | inspect}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the IMAPS client handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

ip <ipv4_addr>
    Enter the IP address of the SSL server.

pop3s-client-cert-request {block | bypass | inspect}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the POP3S client handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass

smtps-client-cert-request {block | bypass | inspect}
    Select what action is taken by the FortiGate SSL proxy when the
    client certificate request fails during the SMTPS client handshake.
    SSL sessions that use client certificates bypass SSL inspection
    by default. This command offers the options to inspect or block
    that traffic.
    Default: bypass
config mail-signature
Configure email signature options for SMTP.

status {disable | enable}
    Enable or disable adding an email signature to SMTP email
    messages as they pass through the FortiGate unit.
    Default: disable

signature <text>
    Enter a signature to add to outgoing email. If the signature
    contains spaces, surround it with single or double quotes (‘ or ").
    Default: (null)
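As an added example that is not part of the FortiOS documentation, the profile below turns the bypass defaults listed in the tables above into inspect/block for the mail protocols and leaves out the options that would let unscannable traffic through. The profile name "mail-strict" is made up, the sub-table nesting follows the config imaps, config pop3s, config smtps and config smtp sub-commands documented above, and the lines starting with # are annotations, not CLI input.

```fortios
config firewall profile-protocol-options
    edit "mail-strict"
        config imaps
            set port 993
            # Default bypass lets the session through uninspected when the
            # client certificate request fails; inspect it instead.
            set client-cert-request inspect
            # Default bypass passes undecryptable SSL unscanned.
            set unsupported-ssl block
            # allow-invalid-server-cert is left out, so a server whose
            # certificate fails validation is not accepted; fragmail is left
            # out, so fragmented (unscannable) email is not allowed.
            set options oversize
            set oversize-limit 10
        end
        config pop3s
            set port 995
            set client-cert-request inspect
            set unsupported-ssl block
            set options oversize
        end
        config smtps
            set port 465
            set client-cert-request inspect
            set unsupported-ssl block
            # splice scans while relaying and drops the connection on a hit.
            set options oversize splice
        end
        config smtp
            set port 25
            # oversize blocks, rather than passes, files above oversize-limit.
            set options oversize splice
            # Return 412 to the client instead of letting it hang when the
            # FortiGate-to-server connection fails.
            set server-busy enable
        end
    next
end
```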
schedule onetime
Use this command to add, edit, or delete one-time schedules.
Use scheduling to control when policies are active or inactive. Use one-time schedules for policies that are effective
once for the period of time specified in the schedule.
To edit a schedule, define the entire schedule, including the changes. This means entering all of
the schedule parameters, both those that are changing and those that are not.
Syntax
    config firewall schedule onetime
        edit <name_str>
            set end <hh:mm> <yyyy/mm/dd>
            set start <hh:mm> <yyyy/mm/dd>
            set color <color_int>
    end

<name_str>
    Enter the name of this schedule.
    Default: No default.

end <hh:mm> <yyyy/mm/dd>
    Enter the ending day and time of the schedule.
    • hh - 00 to 23
    • mm (minutes) - 00, 15, 30, or 45
    • yyyy - 1992 to infinity
    • mm (month) - 01 to 12
    • dd - 01 to 31
    Default: 00:00 2001/01/01

start <hh:mm> <yyyy/mm/dd>
    Enter the starting day and time of the schedule.
    • hh - 00 to 23
    • mm (minutes) - 00, 15, 30, or 45
    • yyyy - 1992 to infinity
    • mm (month) - 01 to 12
    • dd - 01 to 31
    Default: 00:00 2001/01/01

color <color_int>
    Set the icon color to use in the web-based manager.
    0 sets the default, color 1.
    Default: 0
schedule recurring
Use this command to add, edit, and delete recurring schedules used in firewall policies.
Use scheduling to control when policies are active or inactive. Use recurring schedules to create policies that repeat
weekly. Use recurring schedules to create policies that are effective only at specified times of the day or on specified
days of the week.
If a recurring schedule is created with a stop time that occurs before the start time, the schedule
starts at the start time and finishes at the stop time on the next day. You can use this technique to
create recurring schedules that run from one day to the next. To create a recurring schedule that
runs for 24 hours, set the start and stop times to the same time.
Syntax
    config firewall schedule recurring
        edit <name_str>
            set day <name_str>
            set end <hh:mm>
            set start <hh:mm>
            set color <color_int>
    end

<name_str>
    Enter the name of this schedule.
    Default: No default.

day <name_str>
    Enter the names of one or more days of the week for which the
    schedule is valid. Separate multiple names with a space.
    Default: sunday

end <hh:mm>
    Enter the ending time of the schedule.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
    Default: 00:00

start <hh:mm>
    Enter the starting time of the schedule.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
    Default: 00:00

color <color_int>
    Set the icon color to use in the web-based manager.
    0 sets the default, color 1.
    Default: 0
schedule group
Use this command to configure schedule groups.
Syntax
    config firewall schedule group
        edit <group-name_str>
            set member {<schedule1_name> [schedule2_name ...]}
            set color <color_int>
    end

<group-name_str>
    Enter the name of this schedule group.
    Default: No default.

member {<schedule1_name> [schedule2_name ...]}
    Enter one or more names of one-time or recurring firewall
    schedules to add to the schedule group. Separate multiple
    names with a space. To view the list of available schedules
    enter set member ? at the prompt. Schedule names are
    case-sensitive.
    Default: No default.

color <color_int>
    Set the icon color to use in the web-based manager.
    0 sets the default, color 1.
    Default: 0
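An added example, not from the FortiOS documentation, of the overnight case described above: a recurring schedule whose end time is earlier than its start time runs from one day into the next, equal start and end times give a 24-hour schedule, and a one-time window and a schedule group combine them. The schedule names and the date are made up; the lines starting with # are annotations, not CLI input.

```fortios
config firewall schedule recurring
    edit "after-hours"
        # end (06:00) is before start (22:00), so the schedule runs from
        # 22:00 on each listed day until 06:00 the following morning.
        set day monday tuesday wednesday thursday friday
        set start 22:00
        set end 06:00
    next
    edit "weekend-all-day"
        # Equal start and end times make the schedule active for 24 hours.
        set day saturday sunday
        set start 00:00
        set end 00:00
    next
end
config firewall schedule onetime
    edit "patch-window"
        # Minutes must be 00, 15, 30 or 45; the date is yyyy/mm/dd.
        set start 01:00 2013/03/02
        set end 05:30 2013/03/02
    next
end
config firewall schedule group
    edit "maintenance"
        # One-time and recurring schedules may be mixed; names are case-sensitive.
        set member "after-hours" "weekend-all-day" "patch-window"
    next
end
```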
service custom
Use this command to configure a firewall service that is not in the predefined service list.
To display a list of all predefined service names, enter the command get firewall service
predefined ?. To display a predefined service’s details, enter the command get firewall
service predefined <service_str>. For details, see “get firewall service predefined” on
page 834.
Syntax
    config firewall service custom
        edit <name_str>
            set check-reset-range {disable | strict | default}
            set color <color_int>
            set comment <string>
            set icmpcode <code_int>
            set icmptype <type_int>
            set protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}
            set protocol-number <protocol_int>
            set sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
            set session-ttl <seconds>
            set tcp-halfclose-timer <seconds>
            set tcp-halfopen-timer <seconds>
            set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
            set tcp-timewait-timer <seconds_int>
            set udp-idle-timer <seconds>
            set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    end

<name_str>
    Enter the name of this custom service.
    Default: No default.

check-reset-range {disable | strict | default}
    Configure ICMP error message verification.
    • disable — The FortiGate unit does not validate ICMP error
      messages.
    • strict — If the FortiGate unit receives an ICMP error
      packet that contains an embedded IP(A,B) | TCP(C,D)
      header, then if FortiOS can locate the A:C->B:D session it
      checks to make sure that the sequence number in the TCP
      header is within the range recorded in the session. If the
      sequence number is not in range then the ICMP packet is
      dropped. If “extended-traffic-log {disable | enable}” on
      page 226 is enabled the FortiGate unit logs that the ICMP
      packet was dropped. Strict checking also affects how the
      anti-replay option checks packets.
    • default — Use the global setting defined in
      system global.
    This is available when protocol is TCP/UDP/SCTP.
    Default: default

color <color_int>
    Set the icon color to use in the web-based manager.
    0 sets the default, color 1.
    Default: 0

comment <string>
    Add comments for the custom service.
    Default: No default.

icmpcode <code_int>
    Enter the ICMP code number. Find ICMP type and code
    numbers at www.iana.org.
    Default: No default.

icmptype <type_int>
    Enter the ICMP type number. The range for type_int is from 0 to
    255. Find ICMP type and code numbers at www.iana.org.
    Default: 0

protocol {ICMP | ICMP6 | IP | TCP/UDP/SCTP}
    Select the protocol used by the service. If you select
    TCP/UDP/SCTP you must specify the tcp-portrange, udp-portrange,
    or sctp-portrange.
    Default: IP

protocol-number <protocol_int>
    For an IP service, enter the IP protocol number. For information
    on protocol numbers, see http://www.iana.org.
    Default: 0

sctp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    For SCTP services, enter the destination and source port
    ranges.
    If the destination port range can be any port, enter 0-65535. If
    the destination is only a single port, simply enter a single port
    number for dstportlow_int and no value for
    dstporthigh_int.
    If the source port can be any port, no source port need be added. If
    the source port is only a single port, simply enter a single port
    number for srcportlow_int and no value for
    srcporthigh_int.
    Default: No default.

session-ttl <seconds>
    Enter the default session timeout in seconds. The valid range is
    from 300 - 604 800 seconds. Enter 0 to use either the per-policy
    session-ttl or per-VDOM session-ttl, as applicable.
    This is available when protocol is TCP/UDP/SCTP.
    Default: 0

tcp-halfclose-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close
    a session after one peer has sent a FIN packet but the other has
    not responded. The valid range is from 1 to 86400 seconds.
    Enter 0 to use the global setting defined in system global.
    This is available when protocol is TCP/UDP/SCTP.
    Default: 0

tcp-halfopen-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close
    a session after one peer has sent an open session packet but
    the other has not responded. The valid range is from 1 to 86400
    seconds.
    Enter 0 to use the global setting defined in system global.
    This is available when protocol is TCP/UDP/SCTP.
    Default: 0

tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    For TCP services, enter the destination and source port ranges.
    If the destination port range can be any port, enter 0-65535. If
    the destination is only a single port, simply enter a single port
    number for dstportlow_int and no value for
    dstporthigh_int.
    If the source port can be any port, no source port need be added. If
    the source port is only a single port, simply enter a single port
    number for srcportlow_int and no value for
    srcporthigh_int.
    Default: No default.

tcp-timewait-timer <seconds_int>
    Set the length of the TCP TIME-WAIT state in seconds. As
    described in RFC 793, the “TIME-WAIT state represents waiting
    for enough time to pass to be sure the remote TCP received the
    acknowledgment of its connection termination request”.
    Reducing the time of the TIME-WAIT state means the FortiGate
    unit can close terminated sessions faster, which means more
    new sessions can be opened before the session limit is reached.
    The valid range is 0 to 300 seconds. A value of 0 sets the TCP
    TIME-WAIT to 0 seconds.
    Enter 0 to use the global setting defined in system global.
    This is available when protocol is TCP/UDP/SCTP.
    Default: 0

udp-idle-timer <seconds>
    Enter the number of seconds before an idle UDP connection
    times out. The valid range is from 1 to 86400 seconds.
    Enter 0 to use the global setting defined in system global.
    This is available when protocol is TCP/UDP/SCTP.
    Default: 0

udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    For UDP services, enter the destination and source port ranges.
    If the destination port range can be any port, enter 0-65535. If
    the destination is only a single port, simply enter a single port
    number for dstportlow_int and no value for
    dstporthigh_int.
    If the source port can be any port, no source port need be added. If
    the source port is only a single port, simply enter a single port
    number for srcportlow_int and no value for
    srcporthigh_int.
    Default: No default.
service explicit-web
Use this command to configure explicit web proxy services.
Syntax
    config firewall service explicit-web
        edit <name_str>
            set comment <comment_str>
            set protocol {ALL CONNECT FTP HTTP SOCKS}
            set tcp-portrange <range_str>
    end

edit <name_str>
    Enter a name for the proxied service.

comment <comment_str>
    Optionally, enter a descriptive comment.
    Default: null

protocol {ALL CONNECT FTP HTTP SOCKS}
    Select the protocol.
    Default: ALL

tcp-portrange <range_str>
    Select the TCP port range to proxy.
    <range_str> is
    <dstport_low>[-<dstport_high>:<srcport_low>-<srcport_high>]
    The source port range can be omitted if it is 1-65535.
    <dstport_high> can be omitted if it is the same as <dstport_low>.
    Default: 1-65535
service group
Use this command to configure firewall service groups.
To simplify policy creation, you can create groups of services and then add one policy to provide or block access for
all the services in the group. A service group can contain predefined services and custom services in any
combination. A service group cannot contain another service group.
To edit a service group, enter all of the members of the service group, both those changing and
those staying the same.
Syntax
    config firewall service group
        edit <group-name_str>
            set comment
            set member <service_str>
            set color <color_int>
    end

<group-name_str>
    Enter the name of this service group.
    Default: No default.

comment
    Add comments for this service group.
    Default: No default.

member <service_str>
    Enter one or more names of predefined or custom firewall
    services to add to the service group. Separate multiple names
    with a space. To view the list of available services enter set
    member ? at the prompt.
    <service_str> is case-sensitive.
    Default: No default.

color <color_int>
    Set the icon color to use in the web-based manager.
    0 sets the default, color 1.
    Default: 0
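An added example, not from the FortiOS documentation, of a custom TCP/UDP service written with the port-range syntax described above (a destination range restricted to a source range, a single destination port, strict ICMP error checking and a service-specific session TTL), followed by a service group that mixes it with predefined services. The service and group names are made up, HTTPS and SSH are assumed to be predefined service names (check with get firewall service predefined ?), and the lines starting with # are annotations, not CLI input.

```fortios
config firewall service custom
    edit "agent-mgmt"
        set protocol TCP/UDP/SCTP
        # Destination ports 8080-8090, accepted only from source ports
        # 1024-65535 (format dstlow-dsthigh:srclow-srchigh).
        set tcp-portrange 8080-8090:1024-65535
        # A single destination port with any source port: low port only.
        set udp-portrange 514
        # Drop ICMP errors whose embedded TCP sequence number is outside the
        # range recorded for the session; extended-traffic-log records the drop.
        set check-reset-range strict
        # Sessions time out after 1 hour instead of the per-policy/VDOM TTL.
        set session-ttl 3600
        set comment "Management agent: TCP 8080-8090, syslog UDP 514"
    next
end
config firewall service group
    edit "mgmt-services"
        # Predefined and custom services can be mixed; names are case-sensitive.
        set member "HTTPS" "SSH" "agent-mgmt"
    next
end
```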
service group-explicit-web
Use this command to configure explicit web-proxy service groups.
Syntax
    config firewall service group-explicit-web
        edit <group-name_str>
            set comment
            set member <service_str>
    end

<group-name_str>
    Enter the name of this explicit web proxy service group.
    Default: No default.

comment
    Add comments for this explicit web proxy service group.
    Default: No default.

member <service_str>
    Enter one or more names of explicit web proxy services
    (defined in firewall service explicit-web) to add to the explicit
    web proxy service group. Separate multiple names with a
    space. To view the list of available services enter set
    member ? at the prompt.
    <service_str> is case-sensitive.
    Default: No default.
shaper per-ip-shaper
Use this command to configure traffic shaping that is applied per IP address, instead of per policy or per shaper. As
with the shared traffic shaper, you select per-IP traffic shapers in firewall policies.
Syntax
    config firewall shaper per-ip-shaper
        edit <name_str>
            set diffserv-forward {enable | disable}
            set diffserv-reverse {enable | disable}
            set diffservcode-forward <dscp_bin>
            set diffservcode-rev <dscp_bin>
            set max-bandwidth <kbps_int>
            set max-concurrent-session <sessions_int>
    end

edit <name_str>
    Enter the name of the traffic shaper.
    Default: No default.

diffserv-forward {enable | disable}
    Enable or disable application of the differentiated services code
    point (DSCP) value to the DSCP field of forward (original) traffic. If
    enabled, also configure diffservcode-forward.
    Default: disable

diffserv-reverse {enable | disable}
    Enable or disable application of the differentiated services code
    point (DSCP) value to the DSCP field of reverse (reply) traffic. If
    enabled, also configure diffservcode-rev.
    Default: disable

diffservcode-forward <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the
    FortiGate unit will apply to the field of originating (forward) packets.
    The value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-forward is set to enable.
    For details and DSCP configuration examples, see the Knowledge
    Center article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000

diffservcode-rev <dscp_bin>
    Enter the differentiated services code point (DSCP) value that the
    FortiGate unit will apply to the field of reply (reverse) packets. The
    value is 6 bits binary. The valid range is 000000-111111.
    This option appears only if diffserv-reverse is set to enable.
    For details and DSCP configuration examples, see the Knowledge
    Center article Differentiated Services Code Point (DSCP) behavior.
    Default: 000000

max-bandwidth <kbps_int>
    Enter the maximum amount of bandwidth available for an IP
    address controlled by the policy. kbps_int can be 0 to
    16 776 000 Kbits/second. If maximum bandwidth is set to 0 no
    traffic is allowed by the policy.
    Default: 0

max-concurrent-session <sessions_int>
    Enter the maximum number of sessions allowed for an IP address.
    sessions_int can be 0 to 2097000. If maximum concurrent
    sessions is 0 then no sessions are allowed.
    Default: 0
shaper traffic-shaper
Use this command to configure shared traffic shaping that is applied to and shared by all traffic accepted by a firewall
policy. As with the per-IP traffic shaper, you select shared traffic shapers in firewall policies.
Syntax
    config firewall shaper traffic-shaper
        edit <name_str>
            set diffserv {enable | disable}
            set diffservcode <binary>
            set guaranteed-bandwidth <bandwidth_value>
            set maximum-bandwidth <bandwidth_value>
            set per-policy {enable | disable}
            set priority {high | low | medium}
    end

edit <name_str>
    Enter the name of the traffic shaper.
    Default: No default.

diffserv {enable | disable}
    Enable to start differentiated services on network traffic. DiffServ
    enables classifying network traffic and quality of service (QoS)
    guarantees on IP networks.
    Default: disable

diffservcode <binary>
    Enter a 6 digit differentiated services code point (DSCP) binary code
    to match in the header of traffic to classify traffic. This code will be
    used to match traffic for this traffic shaper.
    Default: 000000

guaranteed-bandwidth <bandwidth_value>
    Enter the amount of bandwidth guaranteed to be available for traffic
    controlled by the policy. bandwidth_value can be 0 to
    16 776 000 Kbits/second.
    Default: 0

maximum-bandwidth <bandwidth_value>
    Enter the maximum amount of bandwidth available for traffic
    controlled by the policy. bandwidth_value can be 0 to
    16 776 000 Kbits/second. If maximum bandwidth is set to 0 no
    traffic is allowed by the policy.
    Default: 0

per-policy {enable | disable}
    Enable or disable applying this traffic shaper to a single firewall
    policy that uses it.
    Default: disable

priority {high | low | medium}
    Select the priority level for traffic controlled by the policy.
    Default: high
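An added example, not from the FortiOS documentation, pairing the two shaper types described above: a per-IP shaper that caps each client address, and a shared shaper with a guaranteed rate below its ceiling. Shaper names and values are made up, and the lines starting with # are annotations, not CLI input.

```fortios
config firewall shaper per-ip-shaper
    edit "guest-per-ip"
        # Per client IP: 2000 Kbit/s and at most 200 concurrent sessions.
        # 0 in either field would allow no traffic / no sessions at all.
        set max-bandwidth 2000
        set max-concurrent-session 200
    next
end
config firewall shaper traffic-shaper
    edit "guest-shared"
        # Shared by all traffic the policy accepts: 10000 Kbit/s guaranteed,
        # 50000 Kbit/s maximum, low priority.
        set guaranteed-bandwidth 10000
        set maximum-bandwidth 50000
        set priority low
        # per-policy enable: each policy using this shaper gets its own
        # instance instead of sharing one pool across policies.
        set per-policy enable
        # Classify traffic for this shaper by DSCP value 001010.
        set diffserv enable
        set diffservcode 001010
    next
end
```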
sniff-interface-policy
firewall
sniff-interface-policy
Using this command you can add sniffer policies. You can configure a FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets.
To configure one-arm IDS, you need to configure one or more FortiGate interfaces to operate in one-arm sniffer mode using the ips-sniffer-mode field of the config system interface command. See “system ips-sniffer-mode {enable | disable}” on page 472. When you configure an interface to operate in one-arm sniffer mode it cannot be used for any other purpose. For example, you cannot add firewall policies for the interface and you cannot add the interface to a zone.
If you add VLAN interfaces to an interface configured for one-arm sniffer operation, this VLAN interface also operates in one-arm sniffer mode and you can add sniffer policies for this VLAN interface.
After you have configured the interface for one-arm sniffer mode, connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.
Then use the config firewall sniff-interface-policy command to add sniffer policies for that FortiGate interface that include a DoS sensor, an IPS sensor, and an application black/white list to detect attacks and other activity in the traffic that the FortiGate interface receives from the hub or switch SPAN port.
In one-arm sniffer mode, the interface receives packets accepted by sniffer mode policies only. All packets not received by sniffer mode policies are dropped. All packets received by sniffer mode policies go through IPS inspection and are dropped after they are analyzed by IPS.
One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS sensors and the application black/white lists, the FortiGate unit records log messages for all detected attacks and applications.
The sniff-interface-policy command is applied to IPv4 addresses. For IPv6 addresses, use sniff-interface-policy6 instead.
Syntax
config firewall sniff-interface-policy
    edit <policy_id>
        set application-list-status {enable | disable}
        set application_list <app_list_str>
        set av-profile <string>
        set av-profile-status {enable | disable}
        set dlp-sensor <string>
        set dlp-sensor-status {enable | disable}
        set dstaddr <dstaddr_ipv4>
        set interface <int_str>
        set ips-DoS-status {enable | disable}
        set ips-DoS <DoS_str>
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set logtraffic {enable | disable}
        set logtraffic-app {enable | disable}
        set service <service_str>
        set srcaddr <srcaddr_ipv4>
        set status {enable | disable}
        set webfilter-profile <string>
        set webfilter-profile-status {enable | disable}
    end
Variable / Description / Default
application-list-status {enable | disable}
    Enable to have the FortiGate unit apply an application black/white list to matching network traffic.
    Default: disable
application_list <app_list_str>
    Enter the name of the application black/white list the FortiGate unit uses when examining network traffic.
    This option is available only when application-list-status is set to enable.
av-profile <string>
    Select a configured antivirus profile from the list.
    This option is available only when av-profile-status is enabled.
av-profile-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for virus signatures.
    Default: disable
dlp-sensor <string>
    Select one of the configured DLP sensors.
    This option is only available when dlp-sensor-status is enabled.
dlp-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for data leaks.
    Default: disable
dstaddr <dstaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network traffic sent to the specified address or range.
interface <int_str>
    The interface or zone to be monitored.
ips-DoS-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for DoS sensor violations.
    Default: disable
ips-DoS <DoS_str>
    Enter the name of the DoS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-DoS-status is set to enable.
ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and vulnerabilities.
    Default: disable
ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-sensor-status is set to enable.
logtraffic {enable | disable}
    Enable to log traffic for this sniffer policy.
    Default: disable
logtraffic-app {enable | disable}
    Enable to log traffic while application logging is active.
    Default: enable
service <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.
srcaddr <srcaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network traffic sent from the specified address or range.
status {enable | disable}
    Enable or disable the sniffer policy. A disabled sniffer policy has no effect on network traffic.
    Default: enable
webfilter-profile <string>
    Select a webfilter profile from the list.
    This option is available only when webfilter-profile-status is enabled.
webfilter-profile-status {enable | disable}
    Enable to filter web traffic based on the selected profile.
    Default: disable
firewall sniff-interface-policy6
Using this command you can add sniffer policies. You can configure a FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance for IPv6 traffic by sniffing packets for attacks without actually receiving and otherwise processing the packets.
To configure one-arm IDS, you need to configure one or more FortiGate interfaces to operate in one-arm sniffer mode using the ips-sniffer-mode field of the config system interface command. See “system ips-sniffer-mode {enable | disable}” on page 472. When you configure an interface to operate in one-arm sniffer mode it cannot be used for any other purpose. For example, you cannot add firewall policies for the interface and you cannot add the interface to a zone.
If you add VLAN interfaces to an interface configured for one-arm sniffer operation, this VLAN interface also operates in one-arm sniffer mode and you can add sniffer policies for this VLAN interface.
After you have configured the interface for one-arm sniffer mode, connect the interface to a hub or to the SPAN port of a switch that is processing network traffic.
Then use the config firewall sniff-interface-policy6 command to add sniffer policies for that FortiGate interface that include a DoS sensor, an IPS sensor, and an application black/white list to detect attacks and other activity in the traffic that the FortiGate interface receives from the hub or switch SPAN port.
In one-arm sniffer mode, the interface receives packets accepted by sniffer mode policies only. All packets not received by sniffer mode policies are dropped. All packets received by sniffer mode policies go through IPS inspection and are dropped after they are analyzed by IPS.
One-arm IDS cannot block traffic. However, if you enable logging in the IPS sensors and the application black/white lists, the FortiGate unit records log messages for all detected attacks and applications.
The sniff-interface-policy6 command is applied to IPv6 addresses. For IPv4 addresses, use sniff-interface-policy instead.
Syntax
config firewall sniff-interface-policy6
    edit <policy_id>
        set application-list-status {enable | disable}
        set application_list <app_list_str>
        set av-profile <string>
        set av-profile-status {enable | disable}
        set dlp-sensor <string>
        set dlp-sensor-status {enable | disable}
        set dstaddr6 <dstaddr_ipv6>
        set interface
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set logtraffic {enable | disable}
        set logtraffic-app {enable | disable}
        set service6 <service_str>
        set srcaddr6 <srcaddr_ipv6>
        set status {enable | disable}
        set webfilter-profile <string>
        set webfilter-profile-status {enable | disable}
    end
Variable / Description / Default
application-list-status {enable | disable}
    Enable to have the FortiGate unit apply an application black/white list to matching network traffic.
    Default: disable
application_list <app_list_str>
    Enter the name of the application black/white list the FortiGate unit uses when examining network traffic.
    This option is available only when application-list-status is set to enable.
av-profile <string>
    Select a configured antivirus profile from the list.
    This option is available only when av-profile-status is enabled.
av-profile-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for virus signatures.
    Default: disable
dlp-sensor <string>
    Select one of the configured DLP sensors.
    This option is only available when dlp-sensor-status is enabled.
dlp-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for data leaks.
    Default: disable
dstaddr6 <dstaddr_ipv6>
    Enter an address or address range to limit traffic monitoring to network traffic sent to the specified address or range.
interface
    The interface or zone to be monitored.
ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and vulnerabilities.
    Default: disable
ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit will use when examining network traffic.
    This option is available only when ips-sensor-status is set to enable.
logtraffic {enable | disable}
    Enable to log traffic for this sniffer policy.
    Default: disable
logtraffic-app {enable | disable}
    Enable to log the application for the traffic.
    Default: enable
service6 <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.
srcaddr6 <srcaddr_ipv6>
    Enter an address or address range to limit traffic monitoring to network traffic sent from the specified address or range.
status {enable | disable}
    Enable or disable the sniffer policy. A disabled sniffer policy has no effect on network traffic.
    Default: enable
webfilter-profile <string>
    Select a webfilter profile from the list.
    This option is available only when webfilter-profile-status is enabled.
webfilter-profile-status {enable | disable}
    Enable to filter web traffic based on the selected profile.
    Default: disable
firewall ssl setting
Use this command to configure SSL proxy settings so that you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic by using the config firewall profile command.
To perform SSL content scanning and inspection, the FortiGate unit does the following:
• intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
• applies content inspection to decrypted content, including:
  • HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and content archiving
  • HTTPS web filtering and FortiGuard web filtering
  • IMAPS, POP3S, and SMTPS spam filtering
• re-encrypts the sessions and forwards them to their destinations.
Syntax
config firewall ssl setting
    set caname <certificate_str>
    set cert-cache-capacity <capacity_integer>
    set cert-cache-timeout <timeout_integer>
    set no-matching-cipher-action {bypass | drop}
    set proxy-connect-timeout <timeout_integer>
    set session-cache-capacity <capacity_integer>
    set session-cache-timeout <port_int>
    set ssl-dh-bits {1024 | 1536 | 2048 | 768}
    set ssl-max-version {ssl-3.0 | tls-1.0}
    set ssl-min-version {ssl-3.0 | tls-1.0}
    set ssl-send-empty-frags {enable | disable}
end
Variable / Description / Default
caname <certificate_str>
    Select the CA certificate used by SSL content scanning and inspection for establishing encrypted SSL sessions.
    Default: Fortinet_CA_SSLProxy
cert-cache-capacity <capacity_integer>
    Enter the capacity of the host certificate cache. The range is from 0 to 200.
    Default: 100
cert-cache-timeout <timeout_integer>
    Enter the time limit to keep the certificate cache. The range is from 1 to 120 minutes.
    Default: 10
no-matching-cipher-action {bypass | drop}
    Bypass or drop SSL traffic when an unsupported cipher is being used by the server.
    Default: bypass
proxy-connect-timeout <timeout_integer>
    Enter the time limit to make an internal connection to the appropriate proxy process (1 - 60 seconds).
    Default: 30
session-cache-capacity <capacity_integer>
    Enter the capacity of the SSL session cache (0 - 1000).
    Default: 500
session-cache-timeout <port_int>
    Enter the time limit in minutes to keep the SSL session.
    Default: 20
ssl-dh-bits {1024 | 1536 | 2048 | 768}
    Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation.
    Default: 1024
ssl-max-version {ssl-3.0 | tls-1.0}
    Select the highest SSL/TLS version to negotiate.
    Default: tls-1.0
ssl-min-version {ssl-3.0 | tls-1.0}
    Select the lowest SSL/TLS version to negotiate.
    Default: ssl-3.0
ssl-send-empty-frags {enable | disable}
    Enable or disable sending empty fragments to avoid an attack on the CBC IV (SSL 3.0 & TLS 1.0 only).
    Default: enable
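The defaults in this table leave the SSL proxy negotiating SSL 3.0, a 1024-bit DH prime, and passing sessions whose cipher it cannot handle. The following added example (not Fortinet's code; the sample blocks are constructed) parses a config firewall ssl setting block in the syntax above, fills in the table defaults, and reports the settings a reviewer would want changed:

```python
"""Added example, not Fortinet's code: audit a 'config firewall ssl setting'
block against the defaults and options listed in the table above. The sample
blocks at the bottom are constructed for the example."""
from typing import Dict, List

# Defaults exactly as the table above lists them.
DEFAULTS: Dict[str, str] = {
    "caname": "Fortinet_CA_SSLProxy",
    "cert-cache-capacity": "100",
    "cert-cache-timeout": "10",
    "no-matching-cipher-action": "bypass",
    "proxy-connect-timeout": "30",
    "session-cache-capacity": "500",
    "session-cache-timeout": "20",
    "ssl-dh-bits": "1024",
    "ssl-max-version": "tls-1.0",
    "ssl-min-version": "ssl-3.0",
    "ssl-send-empty-frags": "enable",
}
# The two versions the 4.3 syntax accepts, lowest first.
VERSION_ORDER = ("ssl-3.0", "tls-1.0")


def parse_ssl_setting(text: str) -> Dict[str, str]:
    """Return the effective settings: every 'set <key> <value>' line in the
    block overrides the table default for that key. 'config' and 'end'
    lines are ignored."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0] == "set":
            settings[parts[1]] = " ".join(parts[2:])
    return settings


def audit_ssl_setting(text: str) -> List[str]:
    """Return one finding per setting that leaves the proxy negotiating weak
    parameters or forwarding traffic it cannot inspect. An empty list means
    the block already uses the stronger values the syntax offers."""
    s = parse_ssl_setting(text)
    findings: List[str] = []

    vmin, vmax = s["ssl-min-version"], s["ssl-max-version"]
    if vmin not in VERSION_ORDER or vmax not in VERSION_ORDER:
        findings.append(f"unknown SSL/TLS version value: min={vmin} max={vmax}")
    else:
        if vmin == "ssl-3.0":
            # Table default: the proxy still accepts SSL 3.0 sessions.
            findings.append("ssl-min-version ssl-3.0: set tls-1.0 so SSL 3.0 is never negotiated")
        if VERSION_ORDER.index(vmin) > VERSION_ORDER.index(vmax):
            findings.append("ssl-min-version is above ssl-max-version: no version can be negotiated")

    if not s["ssl-dh-bits"].isdigit() or int(s["ssl-dh-bits"]) < 2048:
        findings.append(f"ssl-dh-bits {s['ssl-dh-bits']}: use 2048 for the DHE_RSA prime")

    if s["no-matching-cipher-action"] == "bypass":
        # Table default: sessions with an unsupported server cipher are passed
        # through rather than dropped, so they are never content-inspected.
        findings.append("no-matching-cipher-action bypass: uninspectable sessions pass; set drop")

    if s["ssl-send-empty-frags"] != "enable":
        findings.append("ssl-send-empty-frags disabled: CBC IV countermeasure for SSL 3.0/TLS 1.0 is off")

    return findings


# Constructed sample blocks in the page's CLI syntax.
WEAK_BLOCK = """config firewall ssl setting
    set ssl-min-version ssl-3.0
    set ssl-dh-bits 768
end
"""

HARDENED_BLOCK = """config firewall ssl setting
    set no-matching-cipher-action drop
    set ssl-dh-bits 2048
    set ssl-min-version tls-1.0
    set ssl-max-version tls-1.0
    set ssl-send-empty-frags enable
end
"""

if __name__ == "__main__":
    for name, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(f"{name}: {audit_ssl_setting(block) or ['no findings']}")
```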
firewall vip
Use this command to configure virtual IPs and their associated address and port mappings (NAT).
Virtual IPs can be used to allow connections through a FortiGate unit using network address translation (NAT) firewall
policies. Virtual IPs can use proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a
server that is actually installed on another network. Proxy ARP is defined in RFC 1027.
For example, you can add a virtual IP to an external FortiGate unit interface so that the external interface can respond
to connection requests for users who are actually connecting to a server on the DMZ or internal network.
Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known
as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP
addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT’s load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy
with a virtual IP.
Static NAT
    Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address.
    If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding
    Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number.
    If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.
Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
Dynamic Virtual IPs
    Dynamic, many-to-few or many-to-one NAT mapping: if you set the external IP address of a virtual IP to 0.0.0.0, the interface maps traffic destined for any IP address, and is dynamically translated to a mapped IP address or address range.
Server Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
    Server load balancing requires that you configure at least one “real” server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address.
    Server load balancing requires that you configure at least one “real” server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.
If the NAT check box is not selected when building the firewall policy, the resulting policy does not
perform full (source and destination) NAT; instead, it performs destination network address translation
(DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP address, but
does not translate the source address. The private network is aware of the source’s public IP address.
For reply traffic, the FortiGate unit translates packets’ private network source IP address to match the
destination address of the originating packets, which is maintained in the session table.
The following limitations apply when adding virtual IPs, load balancing virtual servers, and load balancing real servers. Load balancing virtual servers are actually server load balancing virtual IPs. You can add server load balance virtual IPs from the CLI.
• Virtual IP extip entries or ranges cannot overlap with each other unless src-filter is used.
• A virtual IP mappedip cannot be 0.0.0.0 or 255.255.255.255.
• A real server IP cannot be 0.0.0.0 or 255.255.255.255.
• If a static NAT virtual IP extip is 0.0.0.0, the mappedip must be a single IP address.
• If a load balance virtual IP extip is 0.0.0.0, the mappedip can be an address range.
• When port forwarding, the count of mappedport and extport numbers must be the same. The web-based manager does this automatically but the CLI does not.
• Virtual IP names must be different from firewall address or address group names.
Syntax
config firewall vip
    edit <name_str>
        set arp-reply {enable | disable}
        set comment <comment_str>
        set extintf <name_str>
        set extip <address_ipv4>[-address_ipv4]
        set extport <port_int>
        set gratuitous-arp-interval <interval_seconds>
        set http-cookie-age <age_int>
        set http-cookie-domain <domain_str>
        set http-cookie-domain-from-host {enable | disable}
        set http-cookie-generation <generation_int>
        set http-cookie-path <path_str>
        set http-cookie-share {disable | same-ip}
        set http-ip-header {enable | disable}
        set http-multiplex {enable | disable}
        set https-cookie-secure {disable | enable}
        set id <id_num_str>
        set ldb-method {first-alive | http-host | least-rtt | least-session | round-robin | static | weighted}
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set max-embryonic-connections <initiated_int>
        set monitor <name_str>
        set nat-source-vip {enable | disable}
        set outlook-web-access {disable | enable}
        set persistence {none | ssl-session-id | http-cookie(http)}
        set portforward {enable | disable}
        set protocol {sctp | tcp | udp}
        set server-type {http | https | imaps | ip | pop3s | smtps | ssl | tcp | udp}
        set src-filter <addr_str>
        set ssl-mode {full | half}
        set ssl-algorithm {low | medium | high}
        set ssl-certificate <certificate_str>
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-client-session-state-max <sessionstates_int>
        set ssl-client-session-state-timeout <timeout_int>
        set ssl-client-session-state-type {both | client | disable | time}
        set ssl-dh-bits <bits_int>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-pfs {allow | deny | require}
        set ssl-send-empty-frags {enable | disable}
        set ssl-server-session-state-max <sessionstates_int>
        set ssl-server-session-state-timeout <timeout_int>
        set ssl-server-session-state-type {both | count | disable | time}
        set type {load-balance | server-load-balance | static-nat}
        config realservers
            edit <table_id>
                set client-ip <ip_range_ipv4> [<ip_range_ipv4>] [<ip_range_ipv4>] [<ip_range_ipv4>]
                set healthcheck {enable | disable}
                set holddown-interval <seconds_int>
                set http-host <host_str>
                set ip <server_ip>
                set max-connections <connection_integer>
                set monitor <healthcheck_str>
                set port <port_ip>
                set status {active | disable | standby}
                set weight <loadbalanceweight_int>
            end
    end
Variable / Description / Default
<name_str>
    Enter the name of this virtual IP address.
    Default: No default.
arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address.
    Default: enable
comment <comment_str>
    Enter comments relevant to the configured virtual IP.
    Default: No default.
extintf <name_str>
    Enter the name of the interface connected to the source network that receives the packets that will be forwarded to the destination network. The interface name can be any FortiGate network interface, VLAN subinterface, IPSec VPN interface, or modem interface.
    Default: No default.
extip <address_ipv4>[-address_ipv4]
    Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.
    If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.
    Default: 0.0.0.0
extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network.
    This option only appears if portforward is enabled.
    If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    If type is server-load-balance, extport is available unless server-type is ip. The value of extport changes to 80 if server-type is http and to 443 if server-type is https.
    Default: 0
gratuitous-arp-interval <interval_seconds>
    Configure sending of ARP packets by a virtual IP. You can set the time interval between sending ARP packets. Set the interval to 0 to disable sending ARP packets.
    Default: 0
http-cookie-age <age_int>
    Configure HTTP cookie persistence to change how long the browser caches the cookie. Enter an age in minutes or set the age to 0 to make the browser keep the cookie indefinitely. The range is 0 to 525600 minutes.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
    Default: 60
http-cookie-domain <domain_str>
    Configure HTTP cookie persistence to restrict the domain that the cookie should apply to. Enter the DNS domain name to restrict the cookie to.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
http-cookie-domain-from-host {enable | disable}
    If enabled, when the FortiGate unit adds a Set-Cookie to the HTTP(S) response, the Domain attribute in the Set-Cookie will be set to the value of the Host: header, if there was one.
    If there was no Host: header, the Domain attribute will be set to the value of http-cookie-domain if it is set, and if it is not then the Domain attribute will not be included in the Set-Cookie.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.
    Default: disable
http-cookie-generation <generation_int>
    Configure HTTP cookie persistence to invalidate all cookies that have already been generated. The exact value of the generation is not important, only that it is different from any generation that has already been used.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
    Default: 0
http-cookie-path <path_str>
    Configure HTTP cookie persistence to limit the cookies to a particular path, for example /new/path.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
http-cookie-share {disable | same-ip}
    Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server. The default setting same-ip means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.
    Select disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
    Default: same-ip
http-ip-header {enable | disable}
    Select to preserve the client’s IP address in the X-Forwarded-For HTTP header line if HTTP multiplexing is enabled. This can be useful if you require logging on the server of the client’s original IP address. If this option is not selected, in HTTP multiplexing configurations the header will contain the IP address of the FortiGate unit.
    This option appears only if portforward and http-multiplex are enable.
    Default: disable
http-multiplex {enable | disable}
    Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant.
    This option is only available if server-type is http or https.
    Default: disable
https-cookie-secure {disable | enable}
    Configure HTTP cookie persistence to enable or disable using secure cookies for HTTPS sessions. Secure cookies are disabled by default because they can interfere with cookie sharing across HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie inserted by the FortiGate unit.
    This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.
    Default: disable
id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 - 65535.
    Default: No default.
ldb-method {first-alive | http-host | least-rtt | least-session | round-robin | static | weighted}
    Select the method used by the virtual server to distribute sessions to the real servers. You add real servers to the virtual server using config realservers.
    • first-alive: Always directs requests to the first alive real server. In this case “first” refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then traffic always goes to A as long as it is alive. If A goes down then traffic goes to B and if B goes down the traffic goes to C. If A comes back up, traffic goes to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers as required.
    • http-host: Load balance HTTP requests by the contents of the HOST header.
    • least-rtt: Directs requests to the real server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no Ping monitors are defined.
    • least-session: Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing have similar capabilities.
    • round-robin: Directs request to the next real server, and treats all real servers as equals regardless of response time or number of connections. Unresponsive real servers are avoided. A separate real server is required.
    • static: Distributes sessions evenly across all real servers according to the session source IP address. This load balancing method provides some persistence because all sessions from the same source address would always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution is changed so persistence will be lost. Separate real servers are not required.
    • weighted: Real servers with a higher weight value receive a larger percentage of connections at any one time. Server weights can be set in config realservers set weight.
    This option appears only if type is server-load-balance.
    Default: static
mappedip [<start_ipv4>-<end_ipv4>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
    If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    Default: 0.0.0.0
mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you map to a port range the FortiGate unit calculates the external port number range.
    Default: 0
max-embryonic-connections <initiated_int>
Enter the maximum number of partially established SSL or
HTTP connections. This should be greater than the maximum
number of connections you want to establish per second.
This option appears only if portforward is enable, and http
is enable or ssl is not off.
1000
monitor <name_str>
Select the health check monitor for use when polling to
determine a virtual server’s connectivity status.
No default.
nat-source-vip {enable | disable}
Enable to prevent unintended servers from using a virtual IP.
The virtual IP will be used as the source IP address for
connections from the server through the FortiGate unit.
Disable to use the actual IP address of the server (or the
FortiGate destination interface if using NAT) as the source
address of connections from the server that pass through the
FortiGate unit.
disable
outlook-web-access {disable | enable}
If the FortiGate unit provides SSL offload for Microsoft Outlook
Web Access, the Outlook server expects to see a FrontEnd-Https: on header inserted into the HTTP headers, as
described in the corresponding Microsoft Technical Note. If outlook-web-access is enabled, the FortiGate unit adds this header to all HTTP
requests.
This option is available when type is server-load-balance and server-type is http or https.
disable
persistence {none | ssl-session-id | http-cookie}
If the type is server-load-balance, configure persistence
for a virtual server to make sure that clients connect to the
same server every time they make a request that is part of the
same session.
When you configure persistence, the FortiGate unit load
balances a new session to a real server according to the ldb-method. If the session has an HTTP cookie or an SSL session
ID, the FortiGate unit sends all subsequent sessions with the
same HTTP cookie or SSL session ID to the same real server.
You can configure persistence if server-type is set to http,
https, or ssl.
• none: No persistence. Sessions are distributed solely
according to the ldb-method. Setting ldb-method to
static (the default) results in behavior equivalent to
persistence. See the description of static in “firewall ldb-method {first-alive | http-host | least-rtt | least-session
| round-robin | static | weighted}” on page 183 for more
information.
• http-cookie: all HTTP or HTTPS sessions with the same
HTTP session cookie are sent to the same real server.
http-cookie is available if server-type is set to https
or ssl. If you select http-cookie you can also configure
http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share for HTTP, and these settings plus https-cookie-secure for HTTPS.
• ssl-session-id: all sessions with the same SSL session
ID are sent to the same real server. ssl-session-id is
available if server-type is set to https or ssl.
none
portforward
{enable | disable}
Select to enable port forwarding. You must also specify the
port forwarding mappings by configuring extport and
mappedport.
disable
protocol {sctp | tcp | udp}
Select the protocol, TCP or UDP, to use when forwarding
packets.
tcp
server-type {http | https | imaps | ip | pop3s | smtps | ssl | tcp | udp}
If the type is server-load-balance, select the protocol to
be load balanced by the virtual server (also called the server
load balance virtual IP). If you select a general protocol such as
ip, tcp, or udp the virtual server load balances all IP, TCP, or
UDP sessions. If you select specific protocols such as http,
https, or ssl you can apply additional server load balancing
features such as persistence and HTTP multiplexing.
• http: load balance only HTTP sessions with destination
port number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced. You can also configure http-multiplex. You can also set persistence to http-cookie and configure http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share settings for
cookie persistence.
• https: load balance only HTTPS sessions with destination
port number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced. You can also configure http-multiplex and set persistence to http-cookie and
configure the same http-cookie options as for http
virtual servers plus the https-cookie-secure option.
You can also set persistence to ssl-session-id. You
can also configure the SSL options such as ssl-mode and
ssl-certificate and so on. https is available on
FortiGate units that support SSL acceleration.
• imaps: load balance only IMAPS sessions with destination
port number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced.
• ip: load balance all sessions accepted by the firewall
policy that contains this server load balance virtual IP. Since
all sessions are load balanced you don’t have to set the
extport.
• pop3s: load balance only POP3S sessions with destination
port number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced.
• smtps: load balance only SMTPS sessions with destination
port number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced.
• ssl: load balance only SSL sessions with destination port
number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced. You can also configure the SSL options
such as ssl-mode and ssl-certificate and so on.
• tcp: load balance only TCP sessions with destination port
number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced.
• udp: load balance only UDP sessions with destination port
number that matches the extport setting. Change
extport to match the destination port of the sessions to
be load balanced.
(none)
src-filter <addr_str>
Enter a source address filter. Each address must be either an
IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate
addresses by spaces.
null
ssl-mode {full | half}
Select whether or not to accelerate SSL communications with
the destination by using the FortiGate unit to perform SSL
operations, and indicate which segments of the connection will
receive SSL offloading. Accelerating SSL communications in
this way is also called SSL offloading.
• full: Select to apply SSL acceleration to both parts of the
connection: the segment between the client and the
FortiGate unit, and the segment between the FortiGate unit
and the server. The segment between the FortiGate unit
and the server will use encrypted communications, but the
handshakes will be abbreviated. This results in
performance which is less than the option half, but still
improved over communications without SSL acceleration,
and can be used in failover configurations where the
failover path does not have an SSL accelerator. If the server
is already configured to use SSL, this also enables SSL
acceleration without requiring changes to the server’s
configuration.
• half: Select to apply SSL only to the part of the
connection between the client and the FortiGate unit. The
segment between the FortiGate unit and the server will use
clear text communications. This results in best
performance, but cannot be used in failover configurations
where the failover path does not have an SSL accelerator.
SSL 3.0 and TLS 1.0 are supported.
This option appears only if server-type is ssl or https.
full
ssl-algorithm {low | medium | high}
Set the permitted encryption algorithms for SSL sessions
according to encryption strength:
low — AES, 3DES, RC4, DES
medium — AES, 3DES, RC4
high — AES, 3DES
high
ssl-certificate <certificate_str>
Enter the name of the SSL certificate to use with SSL
acceleration.
This option appears only if type is server-load-balance
and server-type is ssl.
No default.
ssl-client-renegotiation {allow | deny | secure}
Select the SSL secure renegotiation policy.
allow — Allow, but do not require secure renegotiation.
deny — Do not allow renegotiation.
secure — Require secure renegotiation.
Secure renegotiation complies with RFC 5746 Secure
Negotiation Indication.
allow
ssl-client-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for
the segment of the SSL connection between the client and the
FortiGate unit.
This option appears only if type is server-load-balance
and server-type is ssl.
1000
ssl-client-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for
the segment of the SSL connection between the client and the
FortiGate unit.
This option appears only if type is server-load-balance
and server-type is ssl.
30
ssl-client-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when
deciding to expire SSL sessions for the segment of the SSL
connection between the client and the FortiGate unit.
• both: Select to expire SSL session states when either
ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of
which occurs first.
• count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
• disable: Select to keep no SSL session states.
• time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
This option appears only if type is server-load-balance
and server-type is ssl.
both
ssl-dh-bits <bits_int>
Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection.
Larger prime numbers are associated with greater
cryptographic strength.
This option appears only if type is server-load-balance
and server-type is ssl.
1024
ssl-http-location-conversion {enable | disable}
Select to replace http with https in the reply’s Location
HTTP header field.
For example, in the reply, Location:
http://example.com/ would be converted to Location:
https://example.com/ .
This option appears only if type is server-load-balance
and server-type is https.
disable
ssl-http-match-host {enable | disable}
Select to apply Location conversion to the reply’s HTTP
header only if the host name portion of Location matches the
request’s Host field, or, if the Host field does not exist, the
host name portion of the request’s URI. If disabled, conversion
occurs regardless of whether the host names in the request
and the reply match.
For example, if host matching is enabled, and a request
contains Host: example.com and the reply contains
Location: http://example.cc/, the Location field
does not match the host of the original request and the reply’s
Location field remains unchanged. If the reply contains
Location: http://example.com/, however, then the
FortiGate unit detects the matching host name and converts
the reply field to Location: https://example.com/ .
This option appears only if ssl-http-location-conversion is enable.
disable
ssl-max-version {ssl-3.0 | tls-1.0}
Enter the maximum version of SSL/TLS to accept in
negotiation.
This option appears only if type is server-load-balance
and server-type is ssl.
tls-1.0
ssl-min-version {ssl-3.0 | tls-1.0}
Enter the minimum version of SSL/TLS to accept in
negotiation.
This option appears only if type is server-load-balance
and server-type is ssl.
ssl-3.0
ssl-pfs {allow | deny | require}
Select handling of perfect forward secrecy (PFS) for
connections:
allow — Allow use of any cipher suite.
deny — Allow only non-Diffie-Hellman cipher-suites.
require — Allow only Diffie-Hellman cipher-suites.
allow
ssl-send-empty-frags {enable | disable}
Select to precede the record with empty fragments to thwart
attacks on CBC IV. You might disable this option if SSL
acceleration will be used with an old or buggy SSL
implementation which cannot properly handle empty
fragments.
This option appears only if type is server-load-balance
and server-type is ssl, and applies only to SSL 3.0 and
TLS 1.0.
enable
ssl-server-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for
the segment of the SSL connection between the server and the
FortiGate unit.
This option appears only if ssl-mode is full.
1000
ssl-server-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for
the segment of the SSL connection between the server and the
FortiGate unit.
This option appears only if ssl-mode is full.
30
ssl-server-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when
deciding to expire SSL sessions for the segment of the SSL
connection between the server and the FortiGate unit.
• both: Select to expire SSL session states when either
ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of
which occurs first.
• count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
• disable: Select to keep no SSL session states.
• time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
This option appears only if ssl-mode is full.
both
type {load-balance | server-load-balance | static-nat}
Select the type of static or dynamic NAT applied by the virtual
IP.
• load-balance: Dynamic NAT load balancing with server
selection from an IP address range.
• server-load-balance: Dynamic NAT load balancing
with server selection from among up to eight
realservers, determined by your selected load
balancing algorithm and server responsiveness monitors.
• static-nat: Static NAT.
static-nat
realservers
The following commands are the options for config realservers, and are available only if type is
server-load-balance.
client-ip <ip_range_ipv4> [<ip_range_ipv4>] [<ip_range_ipv4>] [<ip_range_ipv4>]
Restrict the clients that can connect to a real server according
to the client’s source IP address. Use the client-ip option to
enter up to four client source IP addresses or address ranges.
Separate each IP address or range with a space. The following
example shows how to add a single IP address and an IP
address range:
set client-ip 192.168.1.90 192.168.1.100-192.168.1.120
Use the client-ip option if you have multiple real servers in
a server load balance VIP and you want to control which clients
use which real server according to the client’s source IP
address.
Different real servers in the same virtual server can have the
same or overlapping IP addresses and ranges. If an overlap
occurs, sessions from the overlapping source addresses are
load balanced among the real servers with the overlapping
addresses.
If you do not specify a client-ip all clients can use the real
server.
<table_id>
Enter an index number used to identify the server that you are
configuring. You can configure a maximum number of eight (8)
servers in a server load balancing cluster.
No default.
healthcheck
{enable | disable}
Enable to check the responsiveness of the server before
forwarding traffic. You must also configure monitor.
disable
holddown-interval <seconds_int>
Enter the amount of time in seconds that the health check
monitor will continue to monitor the status of a server whose
status is active after it has been detected to be
unresponsive.
• If the server is detected to be continuously responsive
during this interval, a server whose status is standby will
be removed from current use and replaced with this server,
which will again be used by server load balanced traffic. In
this way, server load balancing prefers to use servers
whose status is active, if they are responsive.
• If the server is detected to be unresponsive during the first
holddown interval, the server will remain out of use for
server load balanced traffic, the health check monitor will
double the holddown interval once, and continue to monitor
the server for the duration of the doubled holddown
interval. The health check monitor continues to monitor the
server for additional iterations of the doubled holddown
interval until connectivity to the server becomes reliable, at
which time the holddown interval will revert to the
configured interval, and the newly responsive server whose
status is active will replace the standby server in the
pool of servers currently in use. In effect, if the status of a
server is active but the server is habitually unresponsive,
the health check monitor is less likely to restore the server
to use by server load balanced traffic until the server’s
connectivity becomes more reliable.
This option applies only to real servers whose status is
active, but have been detected to be unresponsive (“down”).
300
http-host <host_str>
Enter the value of the HOST header to match. For traffic to use
the realserver, the HTTP(S) Host: header must match (case
insensitive) the value of the http-host attribute.
This is available when VIP ldb-method is http-host.
null
ip <server_ip>
Enter the IP address of a server in this server load balancing
cluster.
0.0.0.0
max-connections <connection_integer>
Enter the limit on the number of active connections directed to
a real server. If the maximum number of connections is reached
for the real server, the FortiGate unit will automatically switch
all further connection requests to another server until the
connection number drops below the specified
limit.
0 means unlimited number of connections.
0
monitor <healthcheck_str>
Enter one or more names of health check monitor settings to
use when performing a health check, separating each name
with a space. If any of the configured health check monitors
detect failures, the FortiGate unit will deem the server
unresponsive, and will not forward traffic to that server. For
details on configuring health check monitor settings, see
“firewall ldb-monitor” on page 118.
This option appears only if healthcheck is enable.
No default.
port <port_ip>
Enter the port used if port forwarding is enabled.
10
status {active | disable | standby}
Select whether the server is in the pool of servers currently
being used for server load balanced traffic, the server is on
standby, or is disabled.
• active: The FortiGate unit may forward traffic to the server
unless its health check monitors determine that the server
is unresponsive, at which time the FortiGate unit will
temporarily use a server whose status is standby. The
healthcheck monitor will continue to monitor the
unresponsive server for the duration of holddown-interval. If this server becomes reliably responsive
again, it will be restored to active use, and the standby
server will revert to standby. For details on health check
monitoring when an active server is unresponsive, see
“holddown-interval <seconds_int>” on page 190.
• disable: The FortiGate unit will not forward traffic to this
server, and will not perform health checks. You might use
this option to conserve server load balancing resources
when you know that a server will be unavailable for a long
period, such as when the server is down for repair.
• standby: If a server whose status is active becomes
unresponsive, the FortiGate unit will temporarily use a
responsive server whose status is standby until the
server whose status is active again becomes reliably
responsive. If multiple responsive standby servers are
available, the FortiGate unit selects the standby server with
the greatest weight. If a standby server becomes
unresponsive, the FortiGate unit will select another
responsive server whose status is standby.
active
weight <loadbalanceweight_int>
Enter the weight value of a specific server. Servers with a
greater weight receive a greater proportion of forwarded
connections, or, if their status is standby, are more likely to
be selected to temporarily replace servers whose status is
active, but that are unresponsive. Valid weight values are
between 1 and 255.
This option is available only if ldb-method is weighted.
1
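A complete server-load-balance virtual IP assembled from the vip and realservers options above, as an added example that is not taken from the Fortinet handbook: it offloads HTTPS for two active real servers and one standby, replaces the table defaults that weaken TLS (ssl-min-version ssl-3.0, ssl-client-renegotiation allow, ssl-pfs allow) with the stricter values, and limits Location-header rewriting to the host the client asked for. The VIP, interface, certificate and ldb-monitor names and all addresses are placeholders (assumptions), and the # comment lines are added explanation rather than part of the configuration.

```text
config firewall vip
    edit "web-lb-vip"
        # Placeholder names and addresses (RFC 5737 documentation ranges).
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.10
        set server-type https
        set extport 443
        set ldb-method weighted
        # Cookie persistence keeps a client's session on one real server;
        # the secure flag keeps that cookie off plain-HTTP connections.
        set persistence http-cookie
        set https-cookie-secure enable
        # full keeps the FortiGate-to-server leg encrypted (abbreviated
        # handshakes); half would carry that leg in clear text.
        set ssl-mode full
        set ssl-certificate "web-cert"
        # Table defaults are ssl-3.0 / allow / allow; these values refuse
        # SSL 3.0 clients, insecure renegotiation and non-DH cipher suites.
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.0
        set ssl-client-renegotiation secure
        set ssl-pfs require
        set ssl-algorithm high
        set ssl-send-empty-frags enable
        # Rewrite http:// to https:// in reply Location headers, but only
        # when the redirect points at the host named in the request.
        set ssl-http-location-conversion enable
        set ssl-http-match-host enable
        # Expire cached client session states at 1000 entries or after
        # 30 minutes, whichever comes first.
        set ssl-client-session-state-type both
        set ssl-client-session-state-max 1000
        set ssl-client-session-state-timeout 30
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 443
                set status active
                set weight 3
                set healthcheck enable
                # "https-check" is an assumed firewall ldb-monitor entry.
                set monitor "https-check"
                # A server found down stays out of the pool for 300 s; a
                # further failure doubles the interval until it is reliable.
                set holddown-interval 300
                set max-connections 500
            next
            edit 2
                set ip 10.0.0.12
                set port 443
                set status active
                set weight 1
                set healthcheck enable
                set monitor "https-check"
                set holddown-interval 300
                set max-connections 500
            next
            edit 3
                # Standby: used only while an active server is unresponsive;
                # among standbys the one with the greatest weight is chosen.
                set ip 10.0.0.13
                set port 443
                set status standby
                set weight 1
                set healthcheck enable
                set monitor "https-check"
            next
        end
    next
end
```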
Related topics
• firewall policy, policy6
• firewall ldb-monitor
• firewall vipgrp
vipgrp
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ interface, if you
have two email servers that use Virtual IP mapping, you can put these two VIPs into one VIP group and create one
external-to-DMZ policy, instead of two policies, to control the traffic.
Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es) and port
number(s).
Syntax
config firewall vipgrp
edit <name_str>
set interface <name_str>
set member <virtualip_str>
end
Variable
Description
Default
<name_str>
Enter the name of the virtual IP group.
No default.
interface <name_str>
Enter the name of the interface to which the virtual IP group will be
bound.
No default.
member <virtualip_str>
Enter one or more virtual IPs that will comprise the virtual IP group.
No default.
ftp-proxy
Use ftp-proxy commands to configure the FortiGate explicit FTP proxy. You can use the FortiGate explicit FTP proxy
and interface settings to enable explicit FTP proxying on one or more interfaces. When enabled, the FortiGate unit
becomes an FTP proxy server. All FTP sessions received by interfaces with explicit FTP proxy enabled are intercepted
by the explicit FTP proxy and relayed to their destinations.
To use the explicit FTP proxy, users must add the IP address of a FortiGate interface and the explicit proxy port
number to the proxy configuration settings of their FTP clients.
explicit
explicit
Use this command to enable the explicit FTP proxy, and configure the TCP port used by the explicit FTP proxy.
Syntax
config ftp-proxy explicit
set status {disable | enable}
set incoming-port <in_port_int>
set incoming-ip <incoming_address_ipv4>
set outgoing-ip <outgoing_address_ipv4>
set sec-default-action {accept | deny}
end
Variable
Description
Default
status {disable | enable}
Enable the explicit FTP proxy for FTP sessions.
disable
incoming-port <in_port_int>
Enter the port number that traffic from FTP clients use to
connect to the explicit FTP proxy. The range is 0 to 65535.
Explicit FTP proxy users must configure their FTP client proxy
settings to use this port.
21
incoming-ip <incoming_address_ipv4>
Enter the IP address of a FortiGate unit interface that should
accept sessions for the explicit FTP proxy. Use this command to
restrict the explicit FTP proxy to only accepting sessions from
one FortiGate interface.
The destination IP address of explicit FTP proxy sessions should
match this IP address.
This field is visible in NAT/Route mode only.
0.0.0.0
outgoing-ip <outgoing_address_ipv4>
Enter the IP address of a FortiGate unit interface that explicit
FTP proxy sessions should exit the FortiGate unit from. Use this
command to restrict the explicit FTP proxy to only allowing
sessions to exit from one FortiGate interface.
This IP address becomes the source address of FTP proxy
sessions exiting the FortiGate unit.
This field is visible in NAT/Route mode only.
sec-default-action {accept | deny}
Configure the explicit FTP proxy to block (deny) or accept
sessions if firewall policies have not been added for the explicit
FTP proxy. To add firewall policies for the explicit FTP proxy, add
a firewall policy and set the source interface to ftp-proxy.
The default setting denies access to the explicit FTP proxy
before adding a firewall policy. If you set this option to accept,
the explicit FTP proxy server accepts sessions even if you
haven’t added an ftp-proxy firewall policy.
deny
gui
This chapter contains the following section:
console
console
This command stores a base-64 encoded file that contains the configuration of the dashboard and System > Status
web-based manager pages. This command is not user configurable.
Syntax
config gui console
set preferences <filedata>
end
Variable
Description
Default
preferences <filedata>
Base-64 encoded file to upload containing the commands to set
up the web-based manager CLI console on the FortiGate unit.
No default.
icap
This chapter contains the following section:
profile
server
profile
Use this command to configure an Internet Content Adaptation Protocol (ICAP) profile.
Syntax
config icap profile
edit <icap_profile_name>
set request {enable | disable}
set request-failure {bypass | error}
set request-path <uri_str>
set request-server <server_str>
set response {enable | disable}
set response-failure
set response-path
set response-server
set streaming-content-bypass {enable | disable}
end
Variable
Description
Default
<icap_profile_name>
Enter the ICAP profile name.
request {enable | disable}
Enable to send requests to an ICAP server.
disable
request-failure {bypass | error}
Select the action to take if an ICAP server cannot be reached
when processing an HTTP request.
request-path <uri_str>
Enter the path component of the ICAP URI that identifies the
HTTP request processing service.
null
request-server <server_str>
Enter the request-server name.
null
response {enable | disable}
Enable to send HTTP responses to an ICAP server.
disable
response-failure
Select the action to take if an ICAP server cannot be reached
when processing an HTTP response.
response-path
Enter the path component of the ICAP URI that identifies the
HTTP response processing service.
response-server
Enter the name of the ICAP server to use for HTTP
responses.
streaming-content-bypass
{enable | disable}
Enable to bypass the ICAP server for streaming content.
disable
server
Use this command to configure Internet Content Adaptation Protocol (ICAP) servers.
Syntax
config icap server
edit <icap_server_name>
set ip-version {4 | 6}
set ip-address <server_ipv4>
set ip6-address <server_ipv6>
set max-connections <int>
set port <port_int>
end
Variable
Description
Default
<icap_server_name>
Enter the ICAP server name.
ip-version {4 | 6}
Select IPv4 or IPv6 addressing.
4
ip-address <server_ipv4>
Enter the ICAP server IP address (IPv4).
0.0.0.0
ip6-address <server_ipv6>
Enter the ICAP server IP address (IPv6).
::
max-connections <int>
Enter the maximum permitted number of concurrent
connections to the ICAP server. Range: 1-65535.
100
port <port_int>
Enter the ICAP server port number.
1344
imp2p
Use imp2p commands to configure user access to Instant Messaging and Peer-to-Peer applications, and to
configure a global policy for unknown users who might use these applications.
This chapter contains the following sections:
aim-user
icq-user
msn-user
old-version
policy
yahoo-user
aim-user
Use this command to permit or deny a specific user the use of AOL Instant Messenger.
Syntax
config imp2p aim-user
edit <name_str>
set action {deny | permit}
end
Variable
Description
Default
<name_str>
The name of the AIM user.
action {deny | permit}
Permit or deny the use of AOL Instant Messenger by this user.
deny
icq-user
Use this command to permit or deny a specific user the use of ICQ Instant Messenger.
Syntax
config imp2p icq-user
edit <name_str>
set action {deny | permit}
end
Variable
Description
Default
<name_str>
The name of the ICQ user.
action {deny | permit}
Permit or deny the use of the ICQ Instant Messenger by this
user.
deny
msn-user
Use this command to permit or deny a specific user the use of MSN Messenger.
Syntax
config imp2p msn-user
edit <name_str>
set action {deny | permit}
end
Variable
Description
Default
<name_str>
The name of the MSN user.
action {deny | permit}
Permit or deny the use of MSN Messenger by this user.
deny
old-version
Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized.
The following command provides the option to disable these older IM protocol versions. Supported IM protocols
include:
• MSN 6.0 and above
• ICQ 4.0 and above
• AIM 5.0 and above
• Yahoo 6.0 and above
Syntax
config imp2p old-version
set aim {best-effort | block}
set icq {best-effort | block}
set msn {best-effort | block}
set yahoo {best-effort | block}
end
Variable
Description
Default
aim {best-effort | block}
Enter block to block the session if the version is too old.
Enter best-effort to inspect the session based on the policy.
block
icq {best-effort | block}
Enter block to block the session if the version is too old.
Enter best-effort to inspect the session based on the policy.
block
msn {best-effort | block}
Enter block to block the session if the version is too old.
Enter best-effort to inspect the session based on the policy.
block
yahoo {best-effort | block}
Enter block to block the session if the version is too old.
Enter best-effort to inspect the session based on the policy.
block
policy
Use this command to create a global policy for instant messenger applications. If an unknown user attempts to use
one of the applications, the user can either be permitted use and added to a white list, or be denied use and added to
a black list.
In FortiOS 4.0, the imp2p settings are now part of Application Control. When creating a new
VDOM, the default imp2p policy settings are set to allow, thereby permitting the settings in
Application Control to drive the configuration.
Syntax
config imp2p policy
set aim {allow | deny}
set icq {allow | deny}
set msn {allow | deny}
set yahoo {allow | deny}
end
Variables

aim {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: allow

icq {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: allow

msn {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: allow

yahoo {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: allow
yahoo-user
Use this command to permit or deny a specific user the use of Yahoo Messenger.
Syntax
config imp2p yahoo-user
edit <name_str>
set action {deny | permit}
end
Variables

name_str
    The name of the Yahoo user.

action {deny | permit}
    Permit or deny the use of Yahoo Messenger by this user.
    Default: deny
ips
Use ips commands to configure IPS sensors to define which signatures are used to examine traffic and what actions
are taken when matches are discovered. DoS sensors can also be defined to examine traffic for anomalies.
This chapter contains the following sections:
DoS
custom
decoder
global
rule
sensor
setting
If the IPS test can’t find the destination MAC address, the peer interface will be used. To ensure
packets get IPS inspection, there must be a Peer Interface. Both interfaces must be in the same
VDOM, and one interface cannot be both the peer and original interface. For information on how
to set the Peer Interface see “interface” on page 465.
DoS
FortiGate Intrusion Protection uses Denial of Service (DoS) sensors to identify network traffic anomalies that do not fit
known or preset traffic patterns. Four statistical anomaly types for the TCP, UDP, and ICMP protocols can be
identified.
Flooding
    If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.

Scan
    If the number of sessions from a single source in one second is over a threshold, the source is scanning.

Source session limit
    If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.

Destination session limit
    If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.
Enable or disable logging for each anomaly, and select the action taken in response to detecting an anomaly.
Configure the anomaly thresholds to detect traffic patterns that could represent an attack.
It is important to estimate the normal and expected traffic on the network before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting
the thresholds too high could allow some attacks.
The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
config limit
Access the config limit subcommand using the config ips anomaly <name_str> command. Use this
command for session control based on source and destination network address. This command is available for
tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session, udp_src_session,
udp_dst_session.
The default entry cannot be edited. Addresses are matched from more specific to more general. For example, if
thresholds are defined for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24 bit netmask is matched
before the entry with the 16 bit netmask.
Syntax
config ips DoS
    edit <sensor_str>
        set comment <comment_str>
        config anomaly
            edit <anomaly_str>
                set status {enable | disable}
                set log {enable | disable}
                set action {block | pass}
                set quarantine {attacker | both | interface | none}
                set quarantine-log {enable | disable}
                set threshold <threshold_int>
        end
end
Variables

<sensor_str>
    Enter the name of the sensor you want to configure. Enter a new name to create a sensor.

comment <comment_str>
    Enter a description of the DoS sensor. This is displayed in the DoS sensor list. Descriptions with spaces must be enclosed in quotation marks.

<anomaly_str>
    Enter the name of the anomaly you want to configure. Display a list of the available anomaly types by entering ‘?’.

status {enable | disable}
    Enable or disable the specified anomaly in the current DoS sensor.
    Default: disable

log {enable | disable}
    Enable or disable logging of the specified anomaly in the current DoS sensor.
    Default: disable

action {block | pass}
    Pass or block traffic in which the specified anomaly is detected.
    Default: pass

quarantine {attacker | both | interface | none}
    To prevent the attacker from continuing to attack the FortiGate unit, you can quarantine the attacker to the banned user list in one of three ways.
    • Enter attacker to block all traffic sent from the attacker’s IP address. The attacker’s IP address is also added to the banned user list. The target’s address is not affected.
    • Enter both to block all traffic sent from the attacker’s IP address to the target (victim’s) IP address. Traffic from the attacker’s IP address to addresses other than the victim’s IP address is allowed. The attacker’s and target’s IP addresses are added to the banned user list as one entry.
    • Enter interface to block all traffic from connecting to the FortiGate unit interface that received the attack. The interface is added to the banned user list.
    • Enter none to disable the adding of addresses to the quarantine by the current DoS sensor.
    Default: none

quarantine-log {enable | disable}
    Enable NAC quarantine logging. NAC quarantine logging is only available when quarantine is set to something other than none.
    Default: disable

threshold <threshold_int>
    Enter the number of times the specified anomaly must be detected in network traffic before the action is triggered. Range 1 to 2 147 483 647.
    Default: varies by anomaly
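As an added illustration, not Fortinet code, the following Python models the four anomaly checks and the most-specific-prefix lookup of config limit described above. The anomaly names tcp_flood and tcp_scan, the sessions, the addresses and the thresholds are constructed for the example.

```python
"""Model of the four DoS anomaly checks and the 'config limit' prefix lookup.

Added example, not Fortinet code.  The names tcp_flood and tcp_scan are
constructed labels for the Flooding and Scan anomaly types; the sessions,
addresses and thresholds are constructed too.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Session:
    proto: str   # tcp, udp or icmp
    src: str
    dst: str
    start: int   # first second the session exists
    end: int     # last second it exists (inclusive)


@dataclass
class Anomaly:
    """One 'config anomaly' entry of a DoS sensor."""
    kind: str                # flooding, scan, src_session or dst_session
    proto: str
    status: str = "disable"
    log: str = "disable"
    action: str = "pass"
    threshold: int = 1       # the uneditable default 'config limit' entry
    limits: Dict[str, int] = field(default_factory=dict)  # prefix -> threshold


@dataclass(frozen=True)
class Verdict:
    anomaly: str
    address: str
    observed: int
    threshold: int
    action: str
    logged: bool


def effective_threshold(a: Anomaly, addr: str) -> int:
    """Most specific prefix wins: 192.168.100.0/24 is matched before
    192.168.0.0/16; with no match the anomaly's default threshold applies."""
    ip = ip_address(addr)
    best_len, best_thr = -1, a.threshold
    for cidr, thr in a.limits.items():
        net = ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best_len:
            best_len, best_thr = net.prefixlen, thr
    return best_thr


def _peak(sessions: List[Session], proto: str, key: Callable[[Session], str],
          concurrent: bool) -> Dict[str, int]:
    """Per address, the highest count seen in any one second: sessions started
    in that second (flooding, scan) or sessions alive during it (session limits)."""
    per_second: Counter = Counter()
    for s in sessions:
        if s.proto != proto:
            continue
        seconds = range(s.start, s.end + 1) if concurrent else (s.start,)
        for t in seconds:
            per_second[(key(s), t)] += 1
    peak: Dict[str, int] = {}
    for (addr, _t), n in per_second.items():
        peak[addr] = max(peak.get(addr, 0), n)
    return peak


def evaluate(sensor: Dict[str, Anomaly], sessions: List[Session]) -> List[Verdict]:
    """Apply every enabled anomaly; a count strictly over the threshold triggers."""
    verdicts: List[Verdict] = []
    for name, a in sensor.items():
        if a.status != "enable":
            continue
        by_source = a.kind in ("scan", "src_session")
        key = (lambda s: s.src) if by_source else (lambda s: s.dst)
        for addr, observed in _peak(sessions, a.proto, key, a.kind.endswith("_session")).items():
            thr = effective_threshold(a, addr)
            if observed > thr:
                verdicts.append(Verdict(name, addr, observed, thr, a.action, a.log == "enable"))
    return verdicts


def build_sensor() -> Dict[str, Anomaly]:
    """A constructed DoS sensor: two rate anomalies and one source session limit."""
    return {
        "tcp_flood": Anomaly("flooding", "tcp", "enable", "enable", "block", threshold=3),
        "tcp_scan": Anomaly("scan", "tcp", "enable", "enable", "pass", threshold=3),
        "tcp_src_session": Anomaly("src_session", "tcp", "enable", "enable", "block",
                                   threshold=10,
                                   limits={"192.168.0.0/16": 5, "192.168.100.0/24": 2}),
    }


SESSIONS = [  # constructed traffic
    # four sources open sessions to 10.0.0.5 in the same second: flooding
    *[Session("tcp", f"172.16.0.{i}", "10.0.0.5", 0, 2) for i in range(1, 5)],
    # three concurrent sessions from a /24 host whose limit is 2: over the limit
    *[Session("tcp", "192.168.100.7", f"10.0.0.{i}", 5, 9) for i in range(1, 4)],
    # the same three from a host that only matches the /16 (limit 5): under it
    *[Session("tcp", "192.168.50.9", f"10.0.0.{i}", 5, 9) for i in range(1, 4)],
]


def demo() -> List[Verdict]:
    return evaluate(build_sensor(), SESSIONS)
```

Note that three new sessions in one second from 192.168.100.7 do not trip tcp_scan (its threshold is 3 and the count must be over the threshold), while the same three sessions held concurrently do trip the /24 session limit.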
custom
Create custom IPS signatures and add them to IPS sensors.
Custom signatures provide the power and flexibility to customize FortiGate Intrusion Protection for diverse network
environments. The FortiGate predefined signatures cover common attacks. If an unusual or specialized application or
an uncommon platform is being used, add custom signatures based on the security alerts released by the application
and platform vendors.
Use custom signatures to block or allow specific traffic.
The custom signature settings are configured when it is defined as a signature override in an IPS sensor. This way, a
single custom signature can be used in multiple sensors with different settings in each.
Custom signatures are an advanced feature. This document assumes the user has previous
experience writing intrusion detection signatures.
Syntax
config ips custom
edit <sig_str>
set signature <signature_str>
end
Variables

sig_str
    The name of the custom signature.

signature <signature_str>
    Enter the custom signature. The signature must be enclosed in single quotes.
    Default: No default.
decoder
The Intrusion Protection system looks for certain types of traffic on specific ports. Using the decoder command, you
can change the ports a decoder examines if your configuration uses non-standard ports.
Syntax
config ips decoder <decoder_str>
set port_list <port_int>
end
Variables

<decoder_str>
    Enter the name of the decoder. Enter ‘?’ for a list.

port_list <port_int>
    Enter the ports which the decoder will examine. Multiple ports can be specified by separating them with commas and enclosing the list in quotes.
    Default: varies by decoder
global
Use this command to set IPS operating parameters.
Syntax
config ips global
set algorithm {engine-pick | high | low}
set anomaly-mode {continuous | periodical}
set engine-count <integer>
set fail-open {enable | disable}
set ignore-session-bytes <byte_integer>
set session-limit-mode {accurate | heuristic}
set socket-size <ips_buffer_size>
set traffic-submit {enable | disable}
end
Variables

algorithm {engine-pick | high | low}
    The IPS engine has two methods to determine whether traffic matches signatures.
    • high is a faster method that uses more memory
    • low is a slower method that uses less memory
    • engine-pick allows the IPS engine to choose the best method on the fly.
    Default: engine-pick

anomaly-mode {continuous | periodical}
    Enter continuous to start blocking packets once an attack starts. Enter periodical to allow the configured number of packets per second.
    Default: continuous

engine-count <integer>
    Enter the number of intrusion protection engines to run. Multiprocessor FortiGate units can more efficiently process traffic with multiple engines running. When set to the default value of 0, the FortiGate unit determines the optimal number of intrusion protection engines.
    Default: 0

fail-open {enable | disable}
    If for any reason the IPS should cease to function, it will fail open by default. This means that crucial network traffic will not be blocked and the Firewall will continue to operate while the problem is resolved.
    Default: enable

ignore-session-bytes <byte_integer>
    Set the number of bytes after which the session is ignored. You can set this field to 0 for unlimited scanning.
    Default: 204800

session-limit-mode {accurate | heuristic}
    Enter accurate to accurately count the concurrent sessions. This option demands more resources. Enter heuristic to heuristically count the concurrent sessions.
    Default: heuristic

socket-size <ips_buffer_size>
    Set the intrusion protection buffer size. The default value is correct in most cases.
    Default: model-dependent

traffic-submit {enable | disable}
    Submit attack characteristics to the FortiGuard Service.
    Default: disable
rule
The IPS sensors use signatures to detect attacks. These signatures can be listed with the rules command. Details
about the default settings of each signature can also be displayed.
Syntax
config ips rule <rule_str>
get
set tags <tags_str>
end
Variables

<rule_str>
    Enter the name of a signature. For a complete list of the predefined signatures, enter ‘?’ instead of a signature name.

tags <tags_str>
    Enter object tags applied to this rule. Separate tag names with spaces.
    Default: null
Example
This example shows how to display the current configuration of the Apache.Long.Header.DoS signature.
# config ips rule Apache.Long.Header.DoS
(Apache.Long.He~d) # get
name                : Apache.Long.Header.DoS
status              : enable
log                 : enable
log-packet          : disable
action              : pass
group               : web_server
severity            : medium
location            : server
os                  : Windows, Linux, BSD, Solaris
application         : Apache
service             : TCP, HTTP
rule-id             : 11206
rev                 : 2.335
sensor
The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override rules. Each filter
specifies a number of signature attributes and all signatures matching all the specified attributes are included in the
filter. Override rules allow you to override the settings of individual signatures.
Syntax
config ips sensor
    edit <sensor_str>
        get
        set comment <comment_str>
        set log {disable | enable}
        config entries
            edit <filter_int>
                set location {all | client | server}
                set severity {all | info low medium high critical}
                set protocol <protocol_str>
                set os {all | other windows linux bsd solaris macos}
                set application <app_str>
                set status {default | enable | disable}
                set tags <tags_str>
                set log {default | enable | disable}
                set log-packet {disable | enable}
                set action {block | default | pass | reject}
                set quarantine {attacker | both | interface | none}
                set quarantine-log {disable | enable}
                set rule [<rule1_int> <rule2_int> ... ]
                get
        end
end
Variables

<sensor_str>
    Enter the name of an IPS sensor. For a list of the IPS sensors, enter ‘?’ instead of an IPS sensor name. Enter a new name to create a sensor.

get
    The complete syntax of this command is:
    config ips sensor
        edit <sensor_str>
            get
    end
    This get command returns the following information about the sensor:
    • name is the name of this sensor.
    • comment is the comment entered for this sensor.
    • count-enabled is the number of enabled signatures in this IPS sensor. Disabled signatures are not included.
    • count-pass is the number of enabled signatures configured with the pass action.
    • count-block is the number of enabled signatures configured with the block action.
    • count-reset is the number of enabled signatures configured with the reset action.
    • filter lists the filters in this IPS sensor.
    • override lists the overrides in the IPS sensor.
comment <comment_str>
    Enter a description of the IPS sensor. This description will appear in the IPS sensor list. Descriptions with spaces must be enclosed in quotes.

log {disable | enable}
    Enable or disable IPS logging.
    Default: enable

<filter_int>
    Enter the ID number of a filter. For a list of the IDs in the IPS sensor, enter ‘?’ instead of an ID. Enter a new ID to create a filter.

location {all | client | server}
    Specify the type of system to be protected.
    • client selects signatures for attacks against client computers.
    • server selects signatures for attacks against servers.
    • all selects both client and server signatures.
    Default: all

severity {all | info low medium high critical}
    Specify the severity level or levels. Specify all to include all severity levels.
    Default: all

protocol <protocol_str>
    Specify the protocols to be examined. Enter ‘?’ to display a list of the available protocols. All will include all protocols. Other will include all unlisted protocols.
    Default: all

os {all | other windows linux bsd solaris macos}
    Specify the operating systems to be protected. All will include all operating systems. Other will include all unlisted operating systems.
    Default: all

application <app_str>
    Specify the applications to be protected. Enter ‘?’ to display a list of the available applications. All will include all applications. Other will include all unlisted applications.
    Default: all

status {default | enable | disable}
    Specify the status of the signatures included in the filter.
    • enable will enable the filter.
    • disable will disable the filter.
    • default will enable the filter and only use the filters with a default status of enable. Filters with a default status of disable will not be used.
    Default: default

tags <tags_str>
    Enter object tags applied to this filter. Separate tag names with spaces.
    Default: null

log {default | enable | disable}
    Specify the logging status of the signatures included in the filter.
    • enable will enable logging.
    • disable will disable logging.
    • default will enable logging for only the filters with a default logging status of enable. Filters with a default logging status of disable will not be logged.
    Default: default

log-packet {disable | enable}
    When enabled, packet logging will save the packet that triggers the filter. You can download the packets in pcap format for diagnostic use. This feature is only available in FortiGate units with internal hard drives.
    Default: disable

action {block | default | pass | reject}
    Specify what action is taken with traffic in which signatures are detected.
    • block will drop the session with the offending traffic.
    • pass will allow the traffic.
    • reject will reset the session.
    • default will either pass or drop matching traffic, depending on the default action of each signature.
    Default: default
quarantine {attacker | both | interface | none}
    To prevent the attacker from continuing to attack the FortiGate unit, you can quarantine the attacker to the banned user list in one of three ways.
    • Enter attacker to block all traffic sent from the attacker’s IP address. The attacker’s IP address is also added to the banned user list. The target’s address is not affected.
    • Enter both to block all traffic sent from the attacker’s IP address to the target (victim’s) IP address. Traffic from the attacker’s IP address to addresses other than the victim’s IP address is allowed. The attacker’s and target’s IP addresses are added to the banned user list as one entry.
    • Enter interface to block all traffic from connecting to the FortiGate unit interface that received the attack. The interface is added to the banned user list.
    • Enter none to disable the adding of addresses to the quarantine by the current sensor.
    Default: none

quarantine-log {disable | enable}
    Enable or disable writing a log message when a user is quarantined.

rule [<rule1_int> <rule2_int> ... ]
    To add predefined or custom IPS signatures, specify the rule IDs of the signatures.
    Default: null

get
    The complete syntax of this command is:
    config ips sensor
        edit <sensor_str>
            config filter
                edit <filter_str>
                    get
    end
    This get command returns the following information about the filter:
    • name is the name of this filter.
    • count is the total number of signatures in this filter. Both enabled and disabled signatures are included.
    • location is the type of system targeted by the attack. The locations are client and server.
    • severity is the relative importance of the signature, from info to critical.
    • protocol is the type of traffic to which the signature applies. Examples include HTTP, POP3, H323, and DNS.
    • os is the operating systems to which the signature applies.
    • application is the program affected by the signature.
    • status displays whether the signature state is enabled, disabled, or default.
    • log displays the logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default.
    • action displays what the FortiGate does with traffic containing a signature. The action can be set to pass all, block all, reset all, or default.
    • quarantine displays how the FortiGate unit will quarantine attackers.
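The following Python is an added example, not Fortinet code, of how a sensor's filter entries and rule overrides select signatures and produce the count-enabled, count-pass, count-block and count-reset values shown by get. Apart from the Apache.Long.Header.DoS record taken from the rule example above, the signatures, rule IDs 900001 to 900004, application names and filter entries are constructed, and the example assumes that when several filters match one signature the later entry wins.

```python
"""Model of how an IPS sensor's filters and override rules select signatures.

Added example, not Fortinet code.  Signature records other than
Apache.Long.Header.DoS (copied from the 'get' output in the rule section),
the filter entries and rule ids 9000xx are constructed.
Assumption: when several filters match one signature, the later entry wins.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Selector = Union[str, Set[str]]   # "all" or a set of accepted values


@dataclass(frozen=True)
class Signature:
    name: str
    rule_id: int
    location: str            # client or server
    severity: str            # info, low, medium, high, critical
    service: FrozenSet[str]  # protocols the signature applies to
    os: FrozenSet[str]
    application: str
    status: str              # the signature's default status: enable / disable
    action: str              # the signature's default action: pass / block / reject


@dataclass
class Filter:
    """One 'config entries' filter; every selector must match for inclusion."""
    location: Selector = "all"
    severity: Selector = "all"
    protocol: Selector = "all"
    os: Selector = "all"
    application: Selector = "all"
    status: str = "default"   # default / enable / disable
    action: str = "default"   # default / block / pass / reject

    def matches(self, sig: Signature) -> bool:
        def sel(selector: Selector, value) -> bool:
            if selector == "all":
                return True
            values = value if isinstance(value, frozenset) else {value}
            return bool(selector & values)
        return (sel(self.location, sig.location) and sel(self.severity, sig.severity)
                and sel(self.protocol, sig.service) and sel(self.os, sig.os)
                and sel(self.application, sig.application))


@dataclass(frozen=True)
class Effective:
    name: str
    status: str   # enable / disable
    action: str   # pass / block / reject


def resolve(signatures: List[Signature], filters: List[Filter],
            overrides: Dict[int, Tuple[str, str]]) -> Dict[str, Effective]:
    """Signatures matched by a filter take the filter's status/action, or their
    own defaults when the filter says 'default'; an override by rule id wins."""
    chosen: Dict[str, Effective] = {}
    for sig in signatures:
        for f in filters:                 # later matching filter wins (assumption)
            if f.matches(sig):
                status = sig.status if f.status == "default" else f.status
                action = sig.action if f.action == "default" else f.action
                chosen[sig.name] = Effective(sig.name, status, action)
        if sig.rule_id in overrides:      # 'set rule' overrides beat every filter
            status, action = overrides[sig.rule_id]
            chosen[sig.name] = Effective(sig.name, status, action)
    return chosen


def sensor_counts(effective: Dict[str, Effective]) -> Dict[str, int]:
    """The counters shown by 'get' on a sensor; disabled signatures are not counted."""
    enabled = [e for e in effective.values() if e.status == "enable"]
    return {
        "count-enabled": len(enabled),
        "count-pass": sum(e.action == "pass" for e in enabled),
        "count-block": sum(e.action == "block" for e in enabled),
        "count-reset": sum(e.action == "reject" for e in enabled),
    }


SIGNATURES = [  # first record from the page's get example, the rest constructed
    Signature("Apache.Long.Header.DoS", 11206, "server", "medium", frozenset({"TCP", "HTTP"}),
              frozenset({"Windows", "Linux", "BSD", "Solaris"}), "Apache", "enable", "pass"),
    Signature("Demo.Web.Server.Sig", 900001, "server", "high", frozenset({"TCP", "HTTP"}),
              frozenset({"Linux"}), "Apache", "enable", "block"),
    Signature("Demo.DNS.Server.Sig", 900002, "server", "critical", frozenset({"UDP", "DNS"}),
              frozenset({"Linux", "BSD"}), "DemoDNS", "enable", "pass"),
    Signature("Demo.Mail.Client.Sig", 900003, "client", "low", frozenset({"TCP", "SMTP"}),
              frozenset({"Windows"}), "DemoMail", "disable", "pass"),
    Signature("Demo.Info.Server.Sig", 900004, "server", "info", frozenset({"TCP", "HTTP"}),
              frozenset({"Linux"}), "Apache", "disable", "pass"),
]

FILTERS = [  # constructed 'config entries'
    # entry 1: server-side signatures of medium severity and above, at their defaults
    Filter(location={"server"}, severity={"medium", "high", "critical"}),
    # entry 2: client-side SMTP signatures, forced on and set to reset the session
    Filter(location={"client"}, protocol={"SMTP"}, status="enable", action="reject"),
]

OVERRIDES = {11206: ("enable", "block")}   # constructed override of the Apache rule
```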
setting
Use the IPS settings command to configure settings for IPS packet logging.
Syntax
config ips settings
set ips-packet-quota <MB_int>
set packet-log-history <packets_int>
set packet-log-memory <KB_int>
set packet-log-post-attack <packets_int>
end
Variables

ips-packet-quota <MB_int>
    Enter the maximum amount of disk space to use for logged packets when logging to disk. The acceptable range is from 0 to 4294967295 megabytes. This command affects only logging to disk.
    Default: 0

packet-log-history <packets_int>
    Enter the number of packets to capture before and including the one in which the IPS signature is detected.
    If the value is more than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the packet-log-history setting. For example, if packet-log-history is set to 7, the FortiGate unit will save the packet containing the IPS signature match and the six before it.
    The acceptable range for packet-log-history is from 1 to 255. The default is 1.
    Setting packet-log-history to a value larger than 1 can affect the performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.
    Default: 1

packet-log-memory <KB_int>
    Enter the maximum amount of memory to use for logged packets when logging to memory. The acceptable range is from 64 to 8192 kilobytes. This command affects only logging to memory.
    Default: 256

packet-log-post-attack <packets_int>
    Enter how many packets are logged after the one in which the IPS signature is detected. For example, if packet-log-post-attack is set to 10, the FortiGate unit will save the ten packets following the one containing the IPS signature match.
    The acceptable range for packet-log-post-attack is from 0 to 255. The default is 0.
    Default: 0
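The following Python is an added example, not Fortinet code, of the packet-log-history and packet-log-post-attack semantics described above: a window of the last packet-log-history packets is kept, and a signature match logs that window (match included) plus the next packet-log-post-attack packets. The packet stream and the toy long-header match predicate are constructed and stand in for the IPS signature engine.

```python
"""Model of packet-log-history and packet-log-post-attack.

Added example, not Fortinet code.  The packet stream and the toy match
predicate are constructed; the real signature engine is not modelled.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List


@dataclass(frozen=True)
class Packet:
    seq: int        # monotonically increasing sequence number in the stream
    payload: bytes


class PacketLogger:
    """Keeps the last packet-log-history packets.  On a signature match it logs
    that window (the match and up to history-1 packets before it) and then the
    next packet-log-post-attack packets."""

    def __init__(self, packet_log_history: int = 1, packet_log_post_attack: int = 0):
        if not 1 <= packet_log_history <= 255:
            raise ValueError("packet-log-history must be 1..255")
        if not 0 <= packet_log_post_attack <= 255:
            raise ValueError("packet-log-post-attack must be 0..255")
        self._window: Deque[Packet] = deque(maxlen=packet_log_history)
        self._post_attack = packet_log_post_attack
        self._remaining_after = 0           # post-attack packets still to log
        self.logged: List[Packet] = []

    def observe(self, pkt: Packet, matched: bool) -> None:
        self._window.append(pkt)
        if matched:
            # packets already logged for an earlier match are not logged twice
            for p in self._window:
                if not self.logged or p.seq > self.logged[-1].seq:
                    self.logged.append(p)
            self._remaining_after = self._post_attack
        elif self._remaining_after > 0:
            self.logged.append(pkt)
            self._remaining_after -= 1


def capture(stream: List[Packet], is_match: Callable[[Packet], bool],
            history: int, post_attack: int) -> List[int]:
    """Run a stream through the logger and return the logged sequence numbers."""
    logger = PacketLogger(history, post_attack)
    for pkt in stream:
        logger.observe(pkt, is_match(pkt))
    return [p.seq for p in logger.logged]


def long_header(pkt: Packet, limit: int = 32) -> bool:
    """Toy stand-in for a signature: any header line longer than `limit` bytes."""
    return any(len(line) > limit for line in pkt.payload.split(b"\r\n"))


# Constructed stream of 12 HTTP request packets; only packet 7 carries a long header.
STREAM = [Packet(i, b"GET / HTTP/1.1\r\nHost: example\r\n") for i in range(1, 13)]
STREAM[6] = Packet(7, b"GET / HTTP/1.1\r\nX-Hdr: " + b"A" * 40 + b"\r\n")
```

With the defaults (history 1, post-attack 0) only packet 7 is logged; with history 4 and post-attack 2 the log holds packets 4 to 9, and a history larger than the packets seen so far simply logs everything from the start of the stream.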
log
Use the config log commands to set the logging type, the logging severity level, and the logging location for the
FortiGate unit.
In Transparent mode, certain log settings and options may not be available because certain
features do not support logging or are not available in this mode. For example, SSL VPN events
are not available in Transparent mode.
custom-field
{disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd |
syslogd2 | syslogd3 | webtrends | fortiguard} filter
disk setting
eventfilter
{fortianalyzer | syslogd} override-filter
fortianalyzer override-setting
{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
fortiguard setting
gui
memory setting
memory global-setting
syslogd override-setting
{syslogd | syslogd2 | syslogd3} setting
trafficfilter
webtrends setting
custom-field
Use the following command to customize the log fields with a name and/or value. The custom name and/or value will
appear in the log message.
Syntax
config log custom-field
edit id <integer>
set name <name>
set value <integer>
end
Variables

id <integer>
    Enter the identification number for the log field.
    Default: No default

name <name>
    Enter a name to identify the log. You can use letters, numbers and underscores (_), but no special characters such as the number symbol (#). The name cannot exceed 16 characters.
    Default: No default

value <integer>
    Enter a firewall policy number to associate a firewall policy with the logs.
    Default: No default
{disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter
Use this command to configure log filter options. Log filters define the types of log messages sent to each log
location. Use the ? command to view each filter setting, since not all filter settings are displayed for each device.
Filter settings for fortiguard are only available when the FortiGuard Analysis and Management Service is enabled.
Filter settings for disk are available only for FortiGate units with hard disks.
Syntax
config log {disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter
set allowed {disable | enable}
set amc-intf-bypass {disable | enable}
set anomaly {disable | enable}
set app-crtl {disable | enable}
set app-crtl-all {disable | enable}
set attack {disable | enable}
set blocked {disable | enable}
set dlp {disable | enable}
set dlp-all {disable | enable}
set dlp-archive {disable | enable}
set email {disable | enable}
set email-log-imap {disable | enable}
set email-log-pop3 {disable | enable}
set email-log-smtp {disable | enable}
set endpoint-bwl {disable | enable}
set explicit-proxy-traffic {disable | enable}
set extended-traffic-log {disable | enable}
set ftgd-wf-block {disable | enable}
set ftgd-wf-errors {disable | enable}
set mass-mms {disable | enable}
set gtp {disable | enable}
set infected {disable | enable}
set oversized {disable | enable}
set scanerror {disable | enable}
set severity {alert | critical | debug | emergency | error | information |
notification | warning}
set signature {disable | enable}
set traffic {disable | enable}
set url-filter {disable | enable}
set violation {disable | enable}
set virus {disable | enable}
set vip-ssl {disable | enable}
set web {disable | enable}
set web-content {disable | enable}
set web-filter-activex {disable | enable}
set web-filter-applet {disable | enable}
set web-filter-cookie {disable | enable}
set web-filter-ftgd-quota {disable | enable}
set web-filter-ftgd-quota-counting {disable | enable}
set web-filter-ftgd-quota-expired {disable | enable}
set webcache-traffic {disable | enable}
end
Variables

allowed {disable | enable}
    Enable or disable logging all traffic that is allowed according to the firewall policy settings in the traffic log. This field is available when traffic is enabled.
    Default: enable

amc-intf-bypass {disable | enable}
    Enable or disable logging of an AMC interface entering bypass mode.
    Default: enable

anomaly {disable | enable}
    Enable or disable logging all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit, in the attack log. This field is available when attack is enabled.
    Default: enable

app-crtl {disable | enable}
    Enable or disable logging of application control logs.
    Default: enable

app-crtl-all {disable | enable}
    Enable or disable logging of the sub-categories of application control logs.
    Default: disable

attack {disable | enable}
    Enable or disable the attack log.
    Default: enable

blocked {disable | enable}
    Enable or disable logging all instances of blocked files.
    Default: enable

dlp {disable | enable}
    Enable or disable logging of data leak prevention events.
    Default: enable

dlp-all {disable | enable}
    Enable or disable logging of all data leak prevention subcategories.
    Default: disable

dlp-archive {disable | enable}
    Enable or disable logging of data leak prevention content archive events.
    Default: enable

email {disable | enable}
    Enable or disable the spam filter log.
    Default: enable

email-log-imap {disable | enable}
    Enable or disable logging of spam detected in IMAP traffic. Available only when email is enabled.
    Default: enable

email-log-pop3 {disable | enable}
    Enable or disable logging of spam detected in POP3 traffic. Available only when email is enabled.
    Default: enable

email-log-smtp {disable | enable}
    Enable or disable logging of spam detected in SMTP traffic. Available only when email is enabled.
    Default: enable

endpoint-bwl {disable | enable}
    Enable or disable FortiOS Carrier logging of End-point filter block messages.
    Default: enable

explicit-proxy-traffic {disable | enable}
    Enable or disable logging of explicit web proxy traffic.
    Default: enable

extended-traffic-log {disable | enable}
    Enable or disable ICSA compliant logs. This setting is independent from the traffic setting. Traffic log entries include generating traffic logs:
    • for all dropped ICMP packets
    • for all dropped invalid IP packets (see “check-protocol-header {loose | strict}” on page 449, “anti-replay {disable | loose | strict}” on page 447, and “check-reset-range {disable | strict}” on page 449)
    • for session start and on session deletion
    This setting is not rate limited. A large volume of invalid packets can dramatically increase the number of log entries.
    Default: enable

ftgd-wf-block {disable | enable}
    Enable or disable logging of web pages blocked by FortiGuard category filtering in the web filter log. This field is available when web is enabled.
    Default: enable
ftgd-wf-errors {disable | enable}
    Enable or disable logging all instances of FortiGuard category filtering rating errors. This field is available when web is enabled.
    Default: enable

mass-mms {disable | enable}
    Enable or disable FortiOS Carrier logging of a large amount of MMS blocked messages.
    Default: enable

gtp {disable | enable}
    Enable or disable FortiOS Carrier logging for GTP messages.
    Default: enable

infected {disable | enable}
    Enable or disable logging of all virus infections in the antivirus log. This field is available when virus is enabled.
    Default: enable

oversized {disable | enable}
    Enable or disable logging of oversized files in the antivirus log. This field is available when virus is enabled.
    Default: enable

scanerror {disable | enable}
    Enable or disable logging of antivirus error messages.
    Default: enable

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert and emergency level messages.
    emergency - The system is unusable.
    alert - Immediate action is required.
    critical - Functionality is affected.
    error - An erroneous condition exists and functionality is probably affected.
    warning - Functionality might be affected.
    notification - Information about normal events.
    information - General information about system operations.
    debug - Information used for diagnosing or debugging the FortiGate unit.
    Default: information

signature {disable | enable}
    Enable or disable logging of detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit, in the attack log. This field is available when attack is enabled.
    Default: enable

traffic {disable | enable}
    Enable or disable the traffic log.
    Default: enable

url-filter {disable | enable}
    Enable or disable logging of blocked URLs (specified in the URL block list) in the web filter log. This field is available when web is enabled.
    Default: enable

violation {disable | enable}
    Enable or disable logging of all traffic that violates the firewall policy settings in the traffic log. This field is available when traffic is enabled.
    Default: enable

virus {disable | enable}
    Enable or disable the antivirus log.
    Default: enable

vip-ssl {disable | enable}
    Enable or disable logging of VIP SSL messages.
    Default: enable

web {disable | enable}
    Enable or disable the web filter log.
    Default: enable

web-content {disable | enable}
    Enable or disable logging of blocked content (specified in the banned words list) in the web filter log. This field is available when web is enabled.
    Default: enable

web-filter-activex {disable | enable}
    Enable or disable the logging of ActiveX block messages.
    Default: enable
web-filter-applet {disable | enable}
    Enable or disable the logging of Java applet block messages.
    Default: enable

web-filter-cookie {disable | enable}
    Enable or disable the logging of cookie block messages.
    Default: enable

web-filter-ftgd-quota {disable | enable}
    Enable or disable logging of FortiGuard quota levels.
    Default: enable

web-filter-ftgd-quota-counting {disable | enable}
    Enable or disable logging of FortiGuard quota counting messages.
    Default: enable

web-filter-ftgd-quota-expired {disable | enable}
    Enable or disable logging of FortiGuard quota expired messages.
    Default: enable

webcache-traffic {disable | enable}
    Enable or disable WAN optimization web cache traffic logging.
    Default: enable
log
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
log
disk setting
disk setting
Use this command to configure log settings for logging to the local disk. Disk logging is only available for FortiGate units with an internal hard disk. You can also use this command to configure the FortiGate unit to upload current log files to an FTP server every time the log files are rolled.
If you have an AMC disk installed on your FortiGate unit, you can use disk setting to configure logging of traffic to the AMC disk. The AMC disk behaves as a local disk after it is inserted into the FortiGate unit and the FortiGate unit is rebooted. You can view logs from Log&Report > Log Access > Disk when logging to an AMC disk.
You can also use this command to enable SQL logs for different log types. SQL logs are stored in an SQLite database format. The main advantage of the SQL log format is that it supports enhanced reports. For information about the report commands, see “report” on page 267.
Note: AMC disks are supported on all FortiGate units that have single-width AMC slots.
Syntax
config log disk setting
    set status {enable | disable}
    set diskfull {nolog | overwrite}
    set dlp-archive-quota <integer>
    set drive-standby-time <0-19800>
    set full-first-warning threshold
    set full-second-warning threshold
    set full-final-warning threshold
    set ips-archive {enable | disable}
    set log-quota <integer>
    set max-log-file-size <integer max>
    set ms-per-transaction <int>
    set report-quota <integer>
    set roll-schedule {daily | weekly}
    set roll-time <hh:mm>
    set rows-per-transaction <int>
    set source-ip <address_ipv4>
    set sql-max-size <lsize>
    set sql-max-size-action {overwrite | nolog}
    set storage <name>
    set sql-oldest-entry <days>
    set upload {enable | disable}
    set upload-delete-files {enable | disable}
    set upload-destination {fortianalyzer | ftp-server}
    set upload-format {compact | text}
    set upload-ssl-conn {default | high | low | disable}
    set uploaddir <dir_name_str>
    set uploadip <class_ip>
    set uploadpass <passwd>
    set uploadport <port_integer>
    set uploadsched {disable | enable}
    set uploadtime <hour_integer>
    set uploadtype {attack event im spamfilter traffic virus voip webfilter}
    set uploaduser <user_str>
    set uploadzip {disable | enable}
    config sql-logging
        set app-ctr {disable | enable}
        set attack {disable | enable}
        set dlp {disable | enable}
        set event {disable | enable}
        set spam {disable | enable}
        set traffic {disable | enable}
        set virus {disable | enable}
        set webfilter {disable | enable}
    end
end
status {enable | disable}
    Enable or disable logging to the local disk.
    Default: disable
diskfull {nolog | overwrite}
    Enter the action to take when the local disk is full. When you enter nolog, the FortiGate unit stops logging; overwrite begins overwriting the oldest file once the local disk is full.
    Default: overwrite
dlp-archive-quota <integer>
    Enter the amount (in MB) of disk space allocated for DLP logs.
    Default: 0
drive-standby-time <0-19800>
    Set the power management for the hard disk. Enter the number of seconds, up to 19800. If there is no hard disk activity within the defined time frame, the hard disk spins down to conserve energy. Setting the value to 0 disables the setting.
    Default: 0
full-first-warning threshold
    Enter to configure the first warning before reaching the threshold. You can enter a number between 1 and 100.
    Default: 75
full-second-warning threshold
    Enter to configure the second warning before reaching the threshold. You can enter a number between 1 and 100.
    Default: 90
full-final-warning threshold
    Enter to configure the final warning before reaching the threshold. You can enter a number between 1 and 100.
    Default: 95
ips-archive {enable | disable}
    Enable IPS packet archive logs.
    Default: enable
log-quota <integer>
    Enter the amount (in MB) of disk space allocated for disk logging.
    Default: 0
max-log-file-size <integer max>
    Enter the maximum size of the log file (in MB) that is saved to the local disk. When the log file reaches the specified maximum size, the FortiGate unit saves the current log file and starts a new active log file. The default minimum log file size is 1 MB and the maximum log file size allowed is 1024 MB.
    Default: 100
ms-per-transaction <int>
    Enter the time in milliseconds after which the logs are committed. Range 10 to 60 000.
    Default: 1000
report-quota <integer>
    Enter the amount (in MB) of disk space allocated for report logs.
    Default: 0
roll-schedule {daily | weekly}
    Enter the frequency of log rolling. When set, the FortiGate unit rolls the log on this schedule even if the maximum size has not been reached.
    Default: daily
roll-time <hh:mm>
    Enter the time of day, in the format hh:mm, when the FortiGate unit saves the current log file and starts a new active log file.
    Default: 00:00
rows-per-transaction <int>
    Enter the number of log entries that triggers a log commit. Range 1 to 10 000.
    Default: 1000
source-ip <address_ipv4>
    Enter the source IP address used for disk log uploading.
    Default: 0.0.0.0
sql-max-size <lsize>
    Set the maximum size of SQL logs. Range 1 to 65 536.
    Default: 100
sql-max-size-action {overwrite | nolog}
    Select the action to take when the maximum log size is reached:
    overwrite: overwrite the oldest logs first
    nolog: discontinue logging
    Default: overwrite
storage <name>
    Enter a name for the storage log file. This option is only available when the current VDOM is the management VDOM.
sql-oldest-entry <days>
    Enter the number of days to keep log entries. Use 0 to keep them indefinitely.
    Default: 0
upload {enable | disable}
    Enable or disable uploading log files to a remote directory. Enable upload to upload log files to an FTP server whenever a log file rolls.
    Use the uploaddir, uploadip, uploadpass, uploadport, and uploaduser fields to add the information required to connect to the FTP server and upload the log files to a specific location on the server.
    Use the uploadtype field to select the type of log files to upload.
    Use the upload-delete-files field to delete the files from the hard disk once the FortiGate unit completes the file transfer.
    All upload fields are available after enabling the upload command.
    Default: disable
upload-delete-files {enable | disable}
    Enable or disable the removal of the log files once the FortiGate unit has uploaded the log file to the FTP server.
    Default: enable
upload-destination {fortianalyzer | ftp-server}
    Select whether to upload log files directly to a FortiAnalyzer unit or to an FTP server. When you select to upload log files directly to a FortiAnalyzer unit, you can also schedule when to upload the log files, when the log file rolls, and so on.
    Default: disable
upload-format {compact | text}
    Select the upload format for the logs.
    text: the logs are uploaded in plain text format.
    compact: the logs are compressed to save space.
    Default: compact
upload-ssl-conn {default | high | low | disable}
    Set the encryption strength for communications between the FortiGate unit and the FortiAnalyzer unit. Available when upload-destination is fortianalyzer.
    high: use SSL with 128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA
    low: use SSL with 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5
    default: use SSL with the high strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD
    disable: disable the use of SSL.
    Default: default
uploaddir <dir_name_str>
    Enter the path on the FTP server to which the log files will be transferred. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.
    Default: no default
uploadip <class_ip>
    Enter the IP address of the FTP server. This is required.
    Default: 0.0.0.0
uploadpass <passwd>
    Enter the password required to connect to the FTP server. This is required.
    Default: no default
uploadport <port_integer>
    Enter the port number used by the FTP server. Port 21 is the standard FTP port.
    Default: 21
uploadsched {disable | enable}
    Enable log uploads at a specific time of the day. When set to disable, the FortiGate unit uploads the logs when the logs are rolled.
    Default: disable
uploadtime <hour_integer>
    Enter the time of day (hour only) when the FortiGate unit uploads the logs. The uploadsched setting must first be set to enable.
    Default: 0
uploadtype {attack event im spamfilter traffic virus voip webfilter}
    Select the log files to upload to the FTP server. You can enter one or more of the log file types, separated by spaces. If you want to remove a log file type from the list or add a log file type to the list, you must retype the list with the log file type removed or added.
    Default: traffic event spamfilter virus webfilter voip im
uploaduser <user_str>
    Enter the user account for the upload to the FTP server. This is required.
    Default: no default
uploadzip {disable | enable}
    Enter enable to compress the log files after uploading to the FTP server. If disable is entered, the log files are uploaded to the FTP server in plain text format.
    Default: disable
config sql-logging fields
SQL logging saves logs to disk in SQL format, and SQL reports of the data can be created. Enable any of the following types.
app-ctr {disable | enable}
    Enable or disable application control SQL logs.
    Default: enable
attack {disable | enable}
    Enable or disable attack SQL logs.
    Default: enable
dlp {disable | enable}
    Enable or disable DLP SQL logs.
    Default: enable
event {disable | enable}
    Enable or disable event SQL logs.
    Default: enable
spam {disable | enable}
    Enable or disable email filter SQL logs.
    Default: enable
traffic {disable | enable}
    Enable or disable traffic SQL logs.
    Default: enable
virus {disable | enable}
    Enable or disable antivirus SQL logs.
    Default: enable
webfilter {disable | enable}
    Enable or disable webfilter SQL logs.
    Default: enable
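A complete disk setting configuration built from the fields above, as an added example that is not part of the original reference: it caps disk use with quotas, rolls the active file daily, and uploads each rolled file to the FortiAnalyzer unit with upload-ssl-conn restricted to the high suites (the default setting also admits the RC4 suites). Quota sizes and the upload type list are constructed values, and the lines starting with # are annotations, not CLI input.

```text
config log disk setting
    set status enable
    # nolog halts logging when the disk is full instead of overwriting the oldest
    # file; size the quota so the full-disk warnings fire well before that point
    set diskfull nolog
    # constructed quota values in MB; size them for the unit's disk
    set log-quota 4096
    set report-quota 512
    set max-log-file-size 100
    # roll daily at midnight even if the 100 MB limit has not been reached
    set roll-schedule daily
    set roll-time 00:00
    set ips-archive enable
    # upload each rolled file to the FortiAnalyzer unit (configured under
    # config log fortianalyzer setting) over SSL with the high-strength suites only
    set upload enable
    set upload-destination fortianalyzer
    set upload-ssl-conn high
    set upload-format compact
    set upload-delete-files enable
    set uploadtype traffic event attack virus webfilter
    # keep SQL copies of the log types the enhanced reports are built from
    config sql-logging
        set attack enable
        set event enable
        set traffic enable
        set virus enable
        set webfilter enable
    end
end
```

The ftp-server destination is the alternative on this page; it requires uploadip, uploaduser and uploadpass, and plain FTP carries those credentials and the uploaded files unencrypted, so reserve that path for a collector on a trusted management network.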
eventfilter
Use this command to configure event logging.
Syntax
config log eventfilter
    set event {enable | disable}
    set admin {enable | disable}
    set amc-intf-bypass {enable | disable}
    set auth {enable | disable}
    set cpu-memory-usage {enable | disable}
    set dhcp {enable | disable}
    set dns {enable | disable}
    set ha {enable | disable}
    set ipsec {enable | disable}
    set ldb-monitor {enable | disable}
    set nac-quarantine {enable | disable}
    set pattern {enable | disable}
    set ppp {enable | disable}
    set sslvpn-log-adm {enable | disable}
    set sslvpn-log-auth {enable | disable}
    set sslvpn-log-session {enable | disable}
    set system {enable | disable}
    set vip-ssl {enable | disable}
    set voip {enable | disable}
    set wan-opt {enable | disable}
    set wireless-activity {enable | disable}
end
event {enable | disable}
    Log event messages. Must be enabled to make the following fields available.
    Default: enable
admin {enable | disable}
    Log admin login/logout messages.
    Default: enable
amc-intf-bypass {enable | disable}
    Log AMC interface entering bypass mode messages.
    Default: enable
auth {enable | disable}
    Log firewall authentication messages.
    Default: enable
cpu-memory-usage {enable | disable}
    Log CPU and memory usage every 5 minutes.
    Default: disable
dhcp {enable | disable}
    Log DHCP service messages.
    Default: enable
dns {enable | disable}
    Log DNS lookups.
    Default: disable
ha {enable | disable}
    Log HA activity messages.
    Default: enable
ipsec {enable | disable}
    Log IPSec negotiation messages.
    Default: enable
ldb-monitor {enable | disable}
    Log VIP real server health monitoring messages.
    Default: enable
nac-quarantine {enable | disable}
    Log NAC quarantine messages.
    Default: enable
pattern {enable | disable}
    Log pattern update messages.
    Default: enable
ppp {enable | disable}
    Log L2TP/PPTP/PPPoE messages.
    Default: enable
sslvpn-log-adm {enable | disable}
    Log SSL VPN administration messages.
    Default: enable
sslvpn-log-auth {enable | disable}
    Log SSL VPN user authentication messages.
    Default: enable
sslvpn-log-session {enable | disable}
    Log SSL VPN session messages.
    Default: enable
system {enable | disable}
    Log system activity messages.
    Default: enable
vip-ssl {enable | disable}
    Log VIP SSL messages.
    Default: enable
voip {enable | disable}
    Log VoIP messages.
    Default: enable
wan-opt {enable | disable}
    Log WAN optimization messages.
    Default: enable
wireless-activity {enable | disable}
    Log wireless activity messages.
    Default: enable
{fortianalyzer | syslogd} override-filter
Use this command within a VDOM to override the global configuration created with the config log
{fortianalyzer | syslogd} filter command. The filter determines which types of log messages are sent to
the FortiAnalyzer unit or syslog server. For syntax and descriptions, see “{disk | fortianalyzer | fortianalyzer2 |
fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter” on page 225.
fortianalyzer override-setting
Use this command within a VDOM to override the global configuration created with the config log
fortianalyzer setting command. These settings configure the connection to the FortiAnalyzer unit. For syntax
and descriptions, see “{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting” on page 237.
{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
Use this command to configure the FortiGate unit to send log files to a FortiAnalyzer unit.
FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage.
Detailed log reports provide historical as well as current analysis of network and email activity to help identify security
issues and reduce network misuse and abuse.
Using the CLI, you can send logs to up to three different FortiAnalyzer units for maximum fail-over protection of log
data. After configuring logging to FortiAnalyzer units, the FortiGate unit will send the same log packets to all
configured FortiAnalyzer units. Additional FortiAnalyzer units are configured using the fortianalyzer2 and
fortianalyzer3 commands.
The FortiAnalyzer CLI commands are not cumulative. Using a syntax similar to the following is not
valid: config log fortianalyzer fortianalyzer2 fortianalyzer3 setting
Syntax
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
    set status {enable | disable}
    set address-mode {auto-discovery | static}
    set buffer-max-send <size_int>
    set conn-timeout <seconds>
    set encrypt {enable | disable}
    set enc-algorithm {default | high | low | disable}
    set fdp-device <serial_number>
    set fdp-interface <int_str>
    set gui-display {enable | disable}
    set ips-archive {enable | disable}
    set localid <identifier>
    set max-buffer-size <size_int>
    set monitor-keepalive-period <int_seconds>
    set monitor-failure-retry-period <int_seconds>
    set psksecret <pre-shared_key>
    set server <fortianalyzer_ipv4>
    set source-ip <address_ipv4>
    set upload-option {store-and-upload | realtime}
    set upload-interval {daily | weekly | monthly}
    set upload-day <1-31> | {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    set upload-time <hh:mm>
end
status {enable | disable}
    Enable or disable communication with the FortiAnalyzer unit. The other fields are available only if status is set to enable.
    Default: disable
address-mode {auto-discovery | static}
    Select auto-discovery to automatically detect a FortiAnalyzer unit. Select static to enter the IP address of the FortiAnalyzer unit. Not available for fortianalyzer2 and fortianalyzer3.
    Default: static
buffer-max-send <size_int>
    Enter the maximum amount of data to send from the buffer to the FortiAnalyzer unit. This controls the logging rate. Range: 20-20 000.
conn-timeout <seconds>
    Enter the number of seconds before the FortiAnalyzer connection times out.
    Default: 10
encrypt {enable | disable}
    Enable to use an IPSec VPN tunnel for communication. Disable to send data as plain text.
    Default: disable
enc-algorithm {default | high | low | disable}
    Set the encryption strength for communications between the FortiGate unit and the FortiAnalyzer unit.
    high: use SSL with 128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA
    low: use SSL with 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5
    default: use SSL with the high strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD
    disable: disable the use of SSL.
    Default: default
fdp-device <serial_number>
    Enter the serial number of the FortiAnalyzer unit to connect to. This field is only available when address-mode is set to auto-discovery. Not available for fortianalyzer2 and fortianalyzer3.
    Default: no default
fdp-interface <int_str>
    Enter the interface on which the FortiGate unit will automatically detect FortiAnalyzer units.
    Default: no default
gui-display {enable | disable}
    Enable to display FortiAnalyzer reports in the web-based manager.
    Default: disable
ips-archive {enable | disable}
    Enable IPS packet archive.
    Default: enable
localid <identifier>
    Enter an identifier up to 64 characters long. You must use the same identifier on the FortiGate unit and the FortiAnalyzer unit.
    Default: no default
max-buffer-size <size_int>
    Enter a number between 1 and 1024 MB for the maximum buffer size for the FortiAnalyzer unit. The number 0 disables the maximum buffer size. This option is available for FortiGate units with hard disks.
    Default: 1
monitor-keepalive-period <int_seconds>
    Enter the interval in seconds between OFTP keepalive transmissions (for status and log buffer). Range 1 to 120.
    Default: 5
monitor-failure-retry-period <int_seconds>
    Enter the time in seconds between connection retries (for status and log buffer). Range 1 to 2 147 483 647.
    Default: 5
psksecret <pre-shared_key>
    Enter the pre-shared key for the IPSec VPN tunnel. This is needed only if encrypt is set to enable.
    Default: no default
server <fortianalyzer_ipv4>
    Enter the IP address of the FortiAnalyzer unit. This field is only available when address-mode is set to static.
    Default: 0.0.0.0
source-ip <address_ipv4>
    Enter the source IP address for the FortiAnalyzer, FortiAnalyzer2 and FortiAnalyzer3 units.
    Default: 0.0.0.0
upload-option {store-and-upload | realtime}
    Choose how logs are uploaded to a FortiAnalyzer unit:
    realtime: send logs directly to the FortiAnalyzer unit.
    store-and-upload: log to the hard disk, then upload on the schedule defined by upload-interval, upload-day and upload-time.
    Default: store-and-upload
upload-interval {daily | weekly | monthly}
    Select how frequently logs are uploaded. This is available when upload-option is store-and-upload.
    Default: daily
upload-day <1-31> | {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    When upload-interval is monthly, enter the day of the month to upload logs. When upload-interval is weekly, select the day of the week for log uploads. This is available when upload-option is store-and-upload.
    Default: no default
upload-time <hh:mm>
    Enter the time of day for log uploads. This is available when upload-option is store-and-upload.
    Default: 00:59
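The transport choices in this table, as an added example that is not part of the original reference: the first block is the form a log-pipeline review would flag (no IPSec tunnel, the default cipher set with its RC4 suites), the second is the hardened form with a second unit configured through fortianalyzer2 for fail-over of log data. Addresses and the localid are constructed, the pre-shared key is a placeholder, and the lines starting with # are annotations, not CLI input.

```text
# Weak form: logs cross the network in plain text, and when SSL is used the
# default setting still negotiates the RC4 suites
config log fortianalyzer setting
    set status enable
    set address-mode static
    set server 192.0.2.10
    set encrypt disable
    set enc-algorithm default
    set upload-option realtime
end

# Hardened form: IPSec tunnel to the FortiAnalyzer unit, only the high-strength
# suites for the SSL side, and a second unit receiving the same log packets
config log fortianalyzer setting
    set status enable
    set address-mode static
    set server 192.0.2.10
    set encrypt enable
    set psksecret <PSK-PLACEHOLDER>
    # the same identifier must be configured on the FortiAnalyzer unit
    set localid fgt-edge-01
    set enc-algorithm high
    set conn-timeout 10
    # buffer to disk and push on a schedule; the second unit gets realtime copies
    set upload-option store-and-upload
    set upload-interval daily
    set upload-time 02:00
end
config log fortianalyzer2 setting
    set status enable
    set server 192.0.2.11
    set encrypt enable
    set psksecret <PSK-PLACEHOLDER>
    set localid fgt-edge-01
    set enc-algorithm high
    set upload-option realtime
end
```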
fortiguard setting
Use this command for configuring FortiGuard Analysis Service settings.
The fortiguard setting command is only available when FortiGuard Analysis and
Management Service subscription-based services are enabled. The storage space is a specified
amount, and varies, depending on the services requested.
Syntax
config log fortiguard setting
    set enc-algorithm {default | high | low | disable}
    set quotafull {nolog | overwrite}
    set status {disable | enable}
end
enc-algorithm {default | high | low | disable}
    Set the encryption strength for communications between the FortiGate unit and FortiAnalyzer.
    high: use SSL with 128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA
    low: use SSL with 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5
    default: use SSL with the high strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD
    disable: disable the use of SSL.
    Default: default
quotafull {nolog | overwrite}
    Enter the action to take when the specified storage space on the FortiGuard Analysis server is full. When you enter nolog, the FortiGate unit stops logging; overwrite begins overwriting the oldest file.
    Default: overwrite
status {disable | enable}
    Enable or disable the FortiGuard Analysis service.
    Default: disable
gui
Use this command to select the device from which logs are displayed in the web-based manager.
Syntax
config log gui
    set log-device {memory | disk | fortianalyzer}
end
log-device {memory | disk | fortianalyzer}
    Select the device from which logs are displayed in the web-based manager.
    Default: disk
memory setting
Use this command to configure log settings for logging to the FortiGate system memory.
The FortiGate system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not
stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by
default, the FortiGate unit begins to overwrite the oldest messages. All log entries are deleted when the FortiGate unit
restarts.
Syntax
config log memory setting
    set diskfull {overwrite}
    set ips-archive {enable | disable}
    set status {disable | enable}
end
diskfull {overwrite}
    Enter the action to take when the memory is reaching its capacity. The only option available is overwrite, which means that the FortiGate unit will begin overwriting the oldest file.
    Default: overwrite
ips-archive {enable | disable}
    Enable IPS packet archive logs.
    Default: enable
status {disable | enable}
    Enter enable to enable logging to the FortiGate system memory.
    Default: disable
memory global-setting
Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the FortiGate system
memory.
The FortiGate system memory has a limited capacity and displays only the most recent log entries. Traffic logs are not
stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by
default, the FortiGate unit begins to overwrite the oldest log messages. All log entries are deleted when the FortiGate
unit restarts.
Syntax
config log memory global-setting
    set full-final-warning-threshold
    set full-first-warning-threshold
    set full-second-warning-threshold
    set max-size <int>
end
full-final-warning-threshold
    Enter to configure the final warning before reaching the threshold. You can enter a number between 3 and 100.
    Default: 95
full-first-warning-threshold
    Enter to configure the first warning before reaching the threshold. You can enter a number between 1 and 98.
    Default: 75
full-second-warning-threshold
    Enter to configure the second warning before reaching the threshold. You can enter a number between 2 and 99.
    Default: 90
max-size <int>
    Enter the maximum size of the memory buffer log, in bytes.
    Default: 98304
syslogd override-setting
Use this command within a VDOM to override the global configuration created with the config log syslogd
setting command. These settings configure the connection to a syslog server.
Syntax
config log {syslogd | syslogd2 | syslogd3} override-setting
    set override {enable | disable}
    set status {disable | enable}
    set csv {disable | enable}
    set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    set port <port_integer>
    set reliable {disable | enable}
    set server <address_ipv4>
    set source-ip <address_ipv4>
end
override {enable | disable}
    Enable to use the override settings below. Disable to use the global configuration created with the config log syslogd setting command.
    Default: disable
status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable
csv {disable | enable}
    Enter enable to have the FortiGate unit produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.
    Default: disable
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
    • alert: log alert
    • audit: log audit
    • auth: security/authorization messages
    • authpriv: security/authorization messages (private)
    • clock: clock daemon
    • cron: cron daemon performing scheduled commands
    • daemon: system daemons running background system processes
    • ftp: File Transfer Protocol (FTP) daemon
    • kernel: kernel messages
    • local0 to local7: reserved for local use
    • lpr: line printer subsystem
    • mail: email system
    • news: network news subsystem
    • ntp: Network Time Protocol (NTP) daemon
    • syslog: messages generated internally by the syslog daemon
    Default: local7
port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514
reliable {disable | enable}
    Enable reliable delivery of syslog messages to the syslog server. When enabled, the FortiGate unit implements the RAW profile of RFC 3195, sending log messages using the TCP protocol.
    Default: disable
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    Default: no default
source-ip <address_ipv4>
    Enter the source IP address for syslogd, syslogd2 and syslogd3.
    Default: 0.0.0.0
{syslogd | syslogd2 | syslogd3} setting
Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate
unit to send logs to a remote computer running a syslog server.
Using the CLI, you can send logs to up to three different syslog servers. Configure additional syslog servers using
syslogd2 and syslogd3 commands and the same fields outlined below.
Syslog CLI commands are not cumulative. Using a syntax similar to the following is not valid:
config log syslogd syslogd2 syslogd3 setting
Syntax
config log {syslogd | syslogd2 | syslogd3} setting
    set status {disable | enable}
    set csv {disable | enable}
    set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    set port <port_integer>
    set reliable {disable | enable}
    set server <address_ipv4>
    set source-ip <address_ipv4>
end
status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable
csv {disable | enable}
    Enter enable to have the FortiGate unit produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.
    Default: disable
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
    • alert: log alert
    • audit: log audit
    • auth: security/authorization messages
    • authpriv: security/authorization messages (private)
    • clock: clock daemon
    • cron: cron daemon performing scheduled commands
    • daemon: system daemons running background system processes
    • ftp: File Transfer Protocol (FTP) daemon
    • kernel: kernel messages
    • local0 to local7: reserved for local use
    • lpr: line printer subsystem
    • mail: email system
    • news: network news subsystem
    • ntp: Network Time Protocol (NTP) daemon
    • syslog: messages generated internally by the syslog daemon
    Default: local7
port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514
reliable {disable | enable}
    Enable reliable delivery of syslog messages to the syslog server. When enabled, the FortiGate unit implements the RAW profile of RFC 3195, sending log messages using the TCP protocol.
    Default: disable
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    Default: no default
source-ip <address_ipv4>
    Enter the source IP address for syslogd, syslogd2 and syslogd3.
    Default: 0.0.0.0
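The syslog fields above, together with the per-VDOM override-setting command from the previous section, as an added example that is not part of the original reference: two global collectors with reliable delivery and a per-unit facility, then one VDOM redirected to its own collector. Server addresses, the source IP, the facility choices and the VDOM name are constructed; the config vdom / edit wrapper around the override is assumed from standard FortiOS VDOM usage and is not shown on this page. Lines starting with # are annotations, not CLI input.

```text
config log syslogd setting
    set status enable
    set server 192.0.2.20
    set port 514
    # RFC 3195 RAW profile over TCP, so bursts of log messages are not dropped
    # the way unacknowledged UDP datagrams are
    set reliable enable
    # a facility of its own lets the collector tell this unit apart from others
    # still sending with the local7 default
    set facility local3
    set csv disable
    # fixed source address so collector ACLs and correlation rules stay stable
    set source-ip 198.51.100.1
end
# second collector for redundancy; the same fields apply to syslogd2 and syslogd3
config log syslogd2 setting
    set status enable
    set server 192.0.2.21
    set reliable enable
    set facility local3
    set source-ip 198.51.100.1
end
# inside one VDOM, send that VDOM's logs to its own collector without altering
# the global syslogd setting used by every other VDOM
config vdom
    edit customer-a
        config log syslogd override-setting
            set override enable
            set status enable
            set server 192.0.2.30
            set reliable enable
            set facility local4
        end
    next
end
```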
trafficfilter
Use this command to configure the following global settings for traffic logging:
• resolve IP addresses to host names
• display the port number or service (protocol) in the log message
Syntax
config log trafficfilter
    set display {name | port}
    set resolve {disable | enable}
end
display {name | port}
    Enter name to enable the display of the service name in the traffic log messages. Enter port to display the port number used by traffic in traffic log messages.
    Default: port
resolve {disable | enable}
    Enter enable to enable resolving IP addresses to host names in traffic log messages.
    Note: Delays caused by unresolvable IP addresses might cause some log records to be missed.
    Default: disable
webtrends setting
Use this command to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall
reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ
WebTrends Security Reporting Center and Firewall Suite 4.1.
Syntax
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end
server <address_ipv4>
    Enter the IP address of the WebTrends server that stores the logs.
    No default.
status {disable | enable}
    Enter enable to enable logging to a WebTrends server.
    Default: disable
netscan
Use these commands to configure the Endpoint network vulnerability scanner.
assets
settings
assets
Use this command to define assets (network devices and networks) to run network vulnerability scans on. Credentialed scans (auth-unix, auth-windows) store host credentials in the FortiGate configuration, so use dedicated accounts with the minimum privileges the scan needs rather than shared administrator credentials.
Syntax
config netscan assets
edit <asset_id_int>
set addr-type {ip | range}
set auth-unix {disable | enable}
set auth-windows {disable | enable}
set mode {discovery | scan}
set name <string>
set scheduled {enable | disable}
set start-ip <address_ipv4>
set end-ip <address_ipv4>
set unix-password <pass_str>
set unix-username <id_str>
set win-password <pass_str>
set win-username <id_str>
end
<asset_id_int>
    Enter the unique ID number for this asset.
addr-type {ip | range}
    Select ip to scan a single IP address. Select range to scan a range of IP addresses.
    Note: You cannot specify authentication parameters for an address range.
    Default: ip
auth-unix {disable | enable}
    Enable to allow the FortiGate unit to authenticate with a UNIX host during the vulnerability scan. If you enable this option you must enter a unix-username and a unix-password.
    Default: disable
auth-windows {disable | enable}
    Enable to allow the FortiGate unit to authenticate with a Windows host during the vulnerability scan. If you enable this option you must enter a win-username and a win-password.
    Default: disable
mode {discovery | scan}
    Select discovery to find assets with the specified IP address or address range. Select scan to run the vulnerability scan against the asset.
    Default: scan
name <string>
    Enter a name for the asset.
scheduled {enable | disable}
    Enable or disable including this asset in scheduled scans.
    Default: enable
start-ip <address_ipv4>
    Enter the IP address of the asset to scan. If addr-type is set to range, enter the first IP address in the range to scan.
    Default: 0.0.0.0
end-ip <address_ipv4>
    If addr-type is set to range, enter the last IP address in the range to scan.
    Default: 0.0.0.0
unix-password <pass_str>
    Enter the password the FortiGate unit uses to authenticate with the UNIX host. This option appears only when auth-unix is enabled.
unix-username <id_str>
    Enter the username the FortiGate unit uses to authenticate with the UNIX host. This option appears only when auth-unix is enabled.
win-password <pass_str>
    Enter the password the FortiGate unit uses to authenticate with the Windows host.
win-username <id_str>
    Enter the username the FortiGate unit uses to authenticate with the Windows host.
settings
Use this command to configure network vulnerability scanner settings that control when scans are run.
Syntax
config netscan settings
set day-of-month <day_int>
set day-of-week {monday | tuesday | wednesday | thursday | friday | saturday
| sunday}
set os-detection {enable | disable | default}
set pause-from <time_str>
set pause-to <time_str>
set recurrence {daily | monthly | weekly}
set scan-mode {full | quick | standard}
set scheduled-pause {enable | disable | default}
set service-detection {enable | disable | default}
set tcp-scan {enable | disable | default}
set time <hh:mm>
set udp-scan {enable | disable | default}
end
day-of-month <day_int>
    Enter the day of the month on which to run scans. You can only select one day. This option is only available if scheduling is enabled and recurrence is monthly.
    Default: 1
day-of-week {monday | tuesday | wednesday | thursday | friday | saturday | sunday}
    Select the day of the week on which to run scans. You can only select one day. This option is only available if scheduling is enabled and recurrence is weekly.
    Default: sunday
os-detection {enable | disable | default}
    Enable or disable host operating system detection, or use the default setting.
    Default: default
pause-from <time_str>
    Enter the time, in hh:mm format, at which the network scanning pause begins.
    Default: 00:00
pause-to <time_str>
    Enter the time, in hh:mm format, at which the network scanning pause ends.
    Default: 00:00
recurrence {daily | monthly | weekly}
    Set scheduled scans to run once a day, once a month, or once a week.
    Default: weekly
scan-mode {full | quick | standard}
    Specify the scan mode to use:
    full      scan all TCP and UDP ports
    quick     perform a quick scan of commonly used TCP and UDP ports
    standard  perform a standard scan of more ports than the quick scan but not all ports
    Default: quick
scheduled-pause {enable | disable | default}
    Enable or disable the scheduled pause in network scanning, or use the default setting.
    Default: default
service-detection {enable | disable | default}
    Enable or disable explicit service detection, or use the default setting.
    Default: default
tcp-scan {enable | disable | default}
    Enable or disable TCP scanning, or use the default setting.
    Default: default
time <hh:mm>
    Enter the time of day at which to start a scan.
    Default: 00:00
udp-scan {enable | disable | default}
    Enable or disable UDP scanning, or use the default setting.
    Default: default
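The following is an added example, not FortiOS code or text from this reference. It models the scheduling behaviour described above: the daily pause window defined by pause-from and pause-to (including a window that wraps past midnight), whether the configured scan start time falls inside that window, and the next scheduled run for each recurrence value. The reference does not say how the unit handles a pause window whose start and end are equal, what scheduled-pause default resolves to, or what happens when a month lacks the configured day-of-month; the choices made for those cases are assumptions and are marked in the code.

```python
"""Added example (not FortiOS code): a model of the netscan settings schedule."""
from datetime import datetime, time, timedelta

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_hhmm(text: str) -> time:
    """Parse the hh:mm strings used by pause-from, pause-to and time."""
    hours, minutes = text.split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"invalid hh:mm value: {text!r}")
    return time(hours, minutes)


def in_pause_window(now_hhmm: str, pause_from: str, pause_to: str) -> bool:
    """True if now_hhmm lies inside the half-open window [pause_from, pause_to).

    A window whose end is earlier than its start (e.g. 22:00 -> 06:00) wraps
    past midnight.  Equal start and end (the 00:00 / 00:00 defaults) is treated
    as an empty window: an assumption, the reference does not say what the unit does.
    """
    now, start, end = parse_hhmm(now_hhmm), parse_hhmm(pause_from), parse_hhmm(pause_to)
    if start == end:
        return False
    if start < end:
        return start <= now < end
    return now >= start or now < end


def scan_start_allowed(settings: dict) -> bool:
    """Return False if the scheduled start (time) falls inside the pause window.

    settings uses the CLI keywords as keys.  Only scheduled-pause = enable
    activates the window here; what 'default' resolves to is not documented, so
    it is treated like disable (assumption).
    """
    if settings.get("scheduled-pause") != "enable":
        return True
    return not in_pause_window(settings.get("time", "00:00"),
                               settings.get("pause-from", "00:00"),
                               settings.get("pause-to", "00:00"))


def next_run(settings: dict, now_iso: str) -> str:
    """Return the first scheduled start strictly after now_iso ("YYYY-MM-DD HH:MM").

    daily: every day at time; weekly: on day-of-week; monthly: on day-of-month.
    Months that lack the configured day (e.g. day 31 in February) are skipped,
    which is an assumption about the unit's behaviour.
    """
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M")
    recurrence = settings.get("recurrence", "weekly")
    start = parse_hhmm(settings.get("time", "00:00"))
    weekday = DAYS.index(settings.get("day-of-week", "sunday"))
    day_of_month = int(settings.get("day-of-month", 1))
    for offset in range(0, 400):                 # enough to cover any monthly gap
        day = now.date() + timedelta(days=offset)
        candidate = datetime.combine(day, start)
        if candidate <= now:
            continue
        if (recurrence == "daily"
                or (recurrence == "weekly" and day.weekday() == weekday)
                or (recurrence == "monthly" and day.day == day_of_month)):
            return candidate.strftime("%Y-%m-%d %H:%M")
    raise ValueError("no scheduled run found; check recurrence and day-of-month")


if __name__ == "__main__":
    # Constructed settings: nightly pause 22:00-06:00, weekly scan on Sunday at 02:00.
    cfg = {"scheduled-pause": "enable", "pause-from": "22:00", "pause-to": "06:00",
           "recurrence": "weekly", "day-of-week": "sunday", "time": "02:00"}
    print("start time inside pause window:", not scan_start_allowed(cfg))
    print("next run after 2013-02-25 12:00:", next_run(cfg, "2013-02-25 12:00"))
```

The check worth running before committing a schedule is scan_start_allowed: with the settings above the 02:00 start sits inside the 22:00 to 06:00 pause, so the scan would never start.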
pbx
Use the config pbx commands to configure the PBX features of the FortiGate Voice unit.
This chapter describes the following commands:
dialplan
did
extension
global
ringgrp
voice-menu
sip-trunk
dialplan
Use this command to add a dial plan and add rules to the dial plan. A dial plan rule indicates an outgoing destination
to send calls to. You can add multiple rules to a dial plan. You add dial plans to extensions to control how to handle
outgoing calls from the extension.
Syntax
config pbx dialplan
edit <pbx_dialplan_name>
set comments <comment_string>
config rule
edit <rule_name_str>
set action {allow | block}
set callthrough {fxo1 | fxo2 | fxo3 | fxo4 | <voip_providers>}
set outgoing-prefix <pattern_str>
set phone-no-beginwith <pattern_str>
set prepend <pattern_str>
set use-global-outgoing-prefix {no | yes}
end
end
edit <pbx_dialplan_name>
    Enter the name for the dial plan. If you are entering an existing dial plan, press Tab to get to the dial plan that you want to edit.
    No default
comments <comment_string>
    Optionally enter a description of the dial plan.
    No default
config rule
    Configure a new dial plan rule.
    No default
edit <rule_name_str>
    Enter the name of the dial plan rule to configure.
    No default
action {allow | block}
    Set the action to allow if this dial plan rule should allow a call. Set the action to block if the dial plan should block a call. For example, to block international calls you could set phone-no-beginwith to 011 and set the action to block.
    No default
callthrough {fxo1 | fxo2 | fxo3 | fxo4 | <voip_providers>}
    Select one or more destinations that the dial plan rule sends outgoing calls to. fxo1, fxo2, fxo3 and fxo4 are the four PSTN interfaces. <voip_providers> are the VoIP providers added to the FortiGate Voice. A dial plan rule can send calls to one or more destinations.
    No default
outgoing-prefix <pattern_str>
    If you set use-global-outgoing-prefix to no, you can enter a different outgoing prefix for this dial plan.
    Default: null
phone-no-beginwith <pattern_str>
    Enter the leading digits of the phone number that this dial plan rule should match. For example, a dial plan rule for toll-free numbers in North America should begin with 18. The FortiGate Voice uses a best match to match a dialed number with a dial plan rule, so each rule should have a different phone-no-beginwith setting. Plan your dial plan to make sure that unexpected matches do not occur: a rule for 1 is also the best match for 1900 numbers unless a more specific 1900 rule exists, and a more specific allow rule takes precedence over a shorter block rule.
    Default: null
prepend <pattern_str>
    Add digits that should be prepended to the beginning of the dialed number before the call is forwarded to its destination. You can prepend digits if special dialing is required to reach an external phone system.
    Default: null
use-global-outgoing-prefix {no | yes}
    Select yes if the dial plan rule should use the global outgoing prefix (usually 9, set with config pbx global). Select no to add a different outgoing-prefix.
    Default: yes
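The following is an added example, not FortiGate Voice code or text from this reference. It models the dial plan matching described above so that a plan can be checked for unexpected matches before it is deployed: the outgoing prefix is dialed first and stripped, the rule with the longest matching phone-no-beginwith wins (the best match), its action is applied, and prepend digits are added before the call is forwarded. The exact algorithm the unit uses, including how it strips the prefix and resolves ties, is not documented here and is an assumption; the rule names, numbers and VoIP provider name are constructed.

```python
"""Added example (not FortiGate Voice code): a model of dial plan rule matching."""

GLOBAL_OUTGOING_PREFIX = "9"    # config pbx global -> outgoing-prefix (default 9)


def make_rule(name, begin_with, action="allow", callthrough=(), prepend="",
              use_global_outgoing_prefix=True, outgoing_prefix=""):
    """Build one dial plan rule keyed by the config pbx dialplan keywords."""
    return {"name": name, "phone-no-beginwith": begin_with, "action": action,
            "callthrough": list(callthrough), "prepend": prepend,
            "use-global-outgoing-prefix": use_global_outgoing_prefix,
            "outgoing-prefix": outgoing_prefix}


def _number_after_prefix(dialed, rule):
    """Strip the outgoing prefix this rule expects; None if it was not dialed (assumption)."""
    prefix = (GLOBAL_OUTGOING_PREFIX if rule["use-global-outgoing-prefix"]
              else rule["outgoing-prefix"])
    if prefix and dialed.startswith(prefix):
        return dialed[len(prefix):]
    return None


def best_match(rules, dialed):
    """Return (rule, number) for the rule with the longest matching phone-no-beginwith."""
    best = None
    for rule in rules:
        number = _number_after_prefix(dialed, rule)
        if number is None or not number.startswith(rule["phone-no-beginwith"]):
            continue
        if best is None or len(rule["phone-no-beginwith"]) > len(best[0]["phone-no-beginwith"]):
            best = (rule, number)
    return best


def route(rules, dialed):
    """Return (decision, rule_name, forwarded_number) for a dialed digit string."""
    match = best_match(rules, dialed)
    if match is None:
        return ("no-match", None, None)
    rule, number = match
    if rule["action"] == "block":
        return ("block", rule["name"], None)
    return ("allow", rule["name"], rule["prepend"] + number)


def audit_block_holes(rules):
    """List (block_rule, allow_rule) pairs where an allow rule's longer prefix
    extends a block rule's prefix and therefore wins the best match, punching a
    hole in the block."""
    holes = []
    for blocker in rules:
        if blocker["action"] != "block":
            continue
        for other in rules:
            if (other["action"] == "allow"
                    and len(other["phone-no-beginwith"]) > len(blocker["phone-no-beginwith"])
                    and other["phone-no-beginwith"].startswith(blocker["phone-no-beginwith"])):
                holes.append((blocker["name"], other["name"]))
    return holes


# Constructed sample dial plan; names, numbers and provider are illustrative only.
SAMPLE_RULES = [
    make_rule("international-block", "011", action="block"),
    make_rule("long-distance", "1", callthrough=["fxo1"]),
    make_rule("toll-free", "18", callthrough=["sip-provider-a"]),
    make_rule("local", "408", callthrough=["fxo2"], prepend="1"),
    # Misconfiguration the audit should catch: UK numbers allowed despite the 011 block.
    make_rule("uk-allow", "01144", callthrough=["sip-provider-a"]),
]

if __name__ == "__main__":
    for dialed in ("9011331234567", "918005551212", "914085551212", "94085551212",
                   "9011442071234567", "4085551212"):
        print(dialed, "->", route(SAMPLE_RULES, dialed))
    print("holes in block rules:", audit_block_holes(SAMPLE_RULES))
```

Run against the sample plan, 9011442071234567 is allowed even though 011 is blocked, because 01144 is the longer and therefore better match; audit_block_holes reports exactly that pair. A dialed string without the outgoing prefix matches no rule at all.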
did
Use this command to configure Direct Inward Dialing (DID). DID allows calls from external phone systems to dial
directly to extensions added to the FortiGate Voice unit.
Syntax
config pbx did
edit <pbx_did_name>
set external-line {fxo1 | fxo2 | fxo3 | fxo4 | <voip_providers>}
set cid-number <phone_number>
set extension <extension_number>
set comment <comment_string>
end
edit <pbx_did_name>
    Enter the name for the Direct Inward Dial.
    No default
external-line {fxo1 | fxo2 | fxo3 | fxo4 | <voip_providers>}
    Select one external system that can dial directly to an extension. fxo1, fxo2, fxo3 and fxo4 are the four PSTN interfaces. <voip_providers> are the VoIP providers added to the FortiGate Voice.
    Default: null
cid-number <phone_number>
    Enter the phone number dialed by a caller on the external system.
    Default: null
extension <extension_number>
    Enter the FortiGate Voice extension number the call is directed to.
    Default: null
comment <comment_string>
    Enter a description, if applicable, of the direct inward dial configuration.
    Default: null
extension
Use this command to add SIP phone extensions to the FortiGate Voice unit. You can add new extensions or reconfigure existing ones. For example, you can label an extension with a user name, add an extension and set it as the host for conference calls, or have the FortiGate Voice unit send email notifications to users when they receive new voicemail messages.
The FortiGate Voice unit uses the alertemail settings to access an SMTP server and send email notifications. Configure them with the config alertemail setting command; see the alertemail chapter of this reference.
Syntax
config pbx extension
edit <extension_number>
set attach {enable | disable}
set auto-delete {enable | disable}
set conference-host <extension_number>
set dialplan <dialplan_name>
set email <user_email>
set email-notify {enable | disable}
set first-name <first_name>
set host-pin <host_password>
set last-name <surname_name>
set macaddress <mac_address>
set max-msg <max_messages_allowed>
set nat {no | yes}
set recordable-flag {enable | disable}
set secret <user_password>
set type {conference | sip-phone}
set video {enable | disable}
set vm-secret <user_password>
set voicemail {enable | disable}
end
edit <extension_number>
    Enter the extension number. The extension number has to match the config pbx global extension-pattern.
    No default
attach {enable | disable}
    Enable to attach the voicemail message to the notification email.
    Default: disable
auto-delete {enable | disable}
    Enable to automatically delete voicemail.
    Default: disable
conference-host <extension_number>
    Enter the extension number that will host the conference.
    Default: null
dialplan <dialplan_name>
    Enter the dial plan to use for the extension.
    Default: null
email <user_email>
    Enter the user's email address. This address can be used to notify the user when they have a new voicemail message.
    Default: null
email-notify {enable | disable}
    Enable email notification. When enabled, the user is notified of each new voicemail message.
    Default: disable
first-name <first_name>
    Enter the person's first name.
    Default: null
host-pin <host_password>
    Enter the password for the conference call. The password must contain only numbers. Users need to enter this password to join the conference call.
last-name <surname_name>
    Enter the surname of the person.
macaddress <mac_address>
    Enter the MAC address of the SIP phone for the current extension. A typical MAC address consists of six pairs of hexadecimal digits separated by colons. Colons must be used when entering the MAC address.
    Default: 00:00:00:00:00:00
max-msg <max_messages_allowed>
    Enter the maximum number of voicemail messages allowed in a user's voicemail inbox.
    Default: 50
nat {no | yes}
    Enter yes to indicate that the phone is behind a NAT device.
    Default: no
recordable-flag {enable | disable}
    Enable conference recording. When enabled, conference calls are recorded on the FortiGate Voice unit's hard drive.
    Default: disable
secret <user_password>
    Enter the password (secret) for the extension. For a conference bridge, callers enter this secret to join the call. The password for the voicemail inbox is set separately with vm-secret.
    No default
type {conference | sip-phone}
    Enter the type of extension to configure:
    • sip-phone to configure a SIP phone extension
    • conference to add a conference bridge. Multiple users can call the conference bridge extension number, enter the secret and have a conference call. A conference bridge only requires an extension number and a secret.
    Default: sip-phone
video {enable | disable}
    Enable video conferencing.
    Default: disable
vm-secret <user_password>
    Enter the user's password for accessing their voicemail inbox.
    No default
voicemail {enable | disable}
    Enable voicemail for the extension.
    Default: enable
global
Use this command to configure global PBX settings: voicemail limits such as the maximum message length, the country and local area code, the extension pattern and outgoing prefix, call parking and transfer codes, and RTP timeouts.
Syntax
config pbx global
set atxfer-dtmf <str>
set blindxfer-dtmf <str>
set block-blacklist {enable | disable}
set code-callpark <str>
set country-area <country_name>
set country-code <country_code>
set dtmf-callpark <str>
set efax-check-interval <integer>
set extension-pattern <extension_pattern>
set fax-admin-email <email_address>
set ftgd-voice-server <server_address>
set local-area-code <code_string>
set max-voicemail <max_length_seconds>
set outgoing-prefix <pattern_str>
set parking-slots <int>
set parking-time <int>
set ring-timeout <time_int>
set rtp-hold-timeout <time_int>
set rtp-timeout <time_int>
set voicemail-extension <access_number>
end
atxfer-dtmf <str>
    The DTMF command to trigger an attended transfer.
    Default: *2
blindxfer-dtmf <str>
    The DTMF command to trigger a blind transfer.
    Default: #1
block-blacklist {enable | disable}
    Enable to block blacklisted IP addresses.
    Default: enable
code-callpark <str>
    The numeric code dialed to park the current call.
    Default: 700
country-area <country_name>
    Enter the name of the country in which the FortiGate Voice unit is installed.
    Default: USA
country-code <country_code>
    Enter the country code of the country in which the FortiGate Voice unit is installed.
    Default: 1
dtmf-callpark <str>
    The DTMF command to trigger a call park.
    Default: #72
efax-check-interval <integer>
    Enter the interval, in minutes, at which the unit polls the FortiGuard fax server for efax. The range is 5 to 120.
    Default: 5
extension-pattern <extension_pattern>
    Enter a pattern that defines the valid extensions that can be added to the FortiGate Voice configuration. The pattern can include digits that must appear in every extension and upper-case Xs to indicate the number of free digits. The pattern can only contain digits and the letter X.
    • If you add digits to the pattern, all extensions added to this FortiGate Voice unit must include the same digits in the same position. For example, if you include a 6 as the first digit, all extensions added to this FortiGate Voice unit must begin with 6.
    • The Xs indicate the number of digits, in addition to the required digits, that each extension must have. For example, 6XXX means the extensions must start with 6 followed by any three digits.
    Usually you would add one or two digits to the start of the pattern to identify the extensions for this PBX, followed by enough Xs to allow the required number of extensions. The extension range should not begin with the same digit as the outgoing prefix.
    Default: null
fax-admin-email <email_address>
    Enter the email address of the fax administrator.
    Default: null
ftgd-voice-server <server_address>
    Enter the FortiGuard voice server address.
    Default: service.fortivoice.com
local-area-code <code_string>
    Enter the local area code for the region in which you are installing the FortiGate Voice unit.
    Default: 408
max-voicemail <max_length_seconds>
    Limit the length of voicemail messages in seconds. Set to 0 for no limit.
    Default: 60
outgoing-prefix <pattern_str>
    The number that PBX users must dial to get an outside line. For example, if users should dial 9 to get an outside line, enter 9. The outgoing prefix should not be the same as the first digit of the extension range.
    Default: 9
parking-slots <int>
    The maximum number of calls that can be parked at the same time.
    Default: 20
parking-time <int>
    The length of time, in seconds, a call can be parked. If this time expires without the call being answered, the parked call rings back to the extension from which it was parked.
    Default: 45
ring-timeout <time_int>
    The number of seconds that an extension is allowed to ring before the call goes to voicemail.
    Default: 20
rtp-hold-timeout <time_int>
    The amount of time in seconds that the extension will wait on hold for RTP packets before hanging up the call. 0 means no time limit.
    Default: 0
rtp-timeout <time_int>
    The amount of time in seconds during an active call that the extension will wait for RTP packets before hanging up the call. 0 means no time limit.
    Default: 60
voicemail-extension <access_number>
    Enter the voicemail extension number that a user dials to access their voicemail inbox.
    Default: *97
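The following is an added example, not FortiGate Voice code or text from this reference. It validates extension numbers against an extension-pattern as described above (fixed digits plus upper-case Xs for free digits) and flags the conflict the reference warns about, an extension range that begins with the outgoing prefix. The reference does not say how strictly the unit enforces that advice, so the extra warning for a pattern with no fixed leading digit is an assumption; the extension numbers are constructed.

```python
"""Added example (not FortiGate Voice code): extension-pattern validation."""
import re


def is_valid_pattern(pattern: str) -> bool:
    """A pattern holds only digits and upper-case X, and at least one character."""
    return bool(pattern) and re.fullmatch(r"[0-9X]+", pattern) is not None


def pattern_regex(pattern: str):
    """Translate e.g. 6XXX into a regex matching exactly four digits with 6 first."""
    if not is_valid_pattern(pattern):
        raise ValueError(f"extension-pattern may contain only digits and X: {pattern!r}")
    return re.compile("".join(r"\d" if ch == "X" else ch for ch in pattern))


def extension_matches(pattern: str, extension: str) -> bool:
    """True if the extension has the fixed digits and exactly the right length."""
    return pattern_regex(pattern).fullmatch(extension) is not None


def pattern_problems(pattern: str, outgoing_prefix: str) -> list:
    """Return human-readable problems with a pattern / outgoing-prefix pair."""
    if not is_valid_pattern(pattern):
        return [f"{pattern!r} contains characters other than digits and X"]
    problems = []
    if outgoing_prefix:
        if pattern[0] == outgoing_prefix[0]:
            problems.append(f"pattern {pattern} begins with outgoing prefix {outgoing_prefix}")
        elif pattern[0] == "X":
            # No fixed leading digit, so extensions such as 9xxx are valid and the
            # range is not kept clear of the prefix (assumption: the reference only
            # says the range should not begin with the prefix digit).
            problems.append(f"pattern {pattern} has no fixed leading digit; extensions "
                            f"starting with outgoing prefix {outgoing_prefix} are valid")
    return problems


def check_extensions(pattern: str, extensions) -> dict:
    """Map each configured extension to whether it matches the pattern."""
    return {ext: extension_matches(pattern, ext) for ext in extensions}


if __name__ == "__main__":
    # Constructed configuration: pattern 6XXX, outgoing prefix 9.
    print(check_extensions("6XXX", ["6001", "6002", "7001", "60010"]))
    print(pattern_problems("6XXX", "9"))    # no problems
    print(pattern_problems("9XXX", "9"))    # range collides with the outgoing prefix
```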
ringgrp
Use this command to add and configure extension groups. An extension group, referred to here as a ring group, is a group of extensions that can be called using one number. You can configure the ring group to call all of the extensions in the group at the same time or to call the extensions one at a time until someone answers.
Note: The order in which the members are added to the ring group does not match the order in which the FortiGate Voice unit calls them.
Syntax
config pbx ringgrp
edit <ring_group_name>
set description <description_str>
set member <acd_group_member>
set no-answer-action {hangup | ivr | voicemail}
set strategy {ring-all | sequential}
set voicemail-of-extension <extension_number>
end
edit <ring_group_name>
    Enter the name for the group.
    No default
description <description_str>
    A description of the extension group.
    Default: null
member <acd_group_member>
    Enter the ACD member (extension) to add to the group.
    No default
no-answer-action {hangup | ivr | voicemail}
    Enter the action taken when none of the extensions in the ring group answers:
    • hangup: hang up and end the call.
    • ivr: return the caller to the attendant, where they can try another extension.
    • voicemail: direct the caller to the voicemail system, where they can leave a message.
    Default: voicemail
strategy {ring-all | sequential}
    Control how the extensions in the group are called:
    • ring-all calls all of the extensions in the group at the same time.
    • sequential calls the extensions in the group one at a time, in the order in which they were added to the group.
    Default: sequential
voicemail-of-extension <extension_number>
    Enter the extension whose voicemail is used if no one answers the call and no-answer-action is set to voicemail.
    Default: null
voice-menu
Use this command to configure the menu (IVR) that callers reach when they call. Each config press-<number> sub-entry sets the action taken when the caller presses that digit and, for ring-group actions, the ring group that receives the call.
Syntax
config pbx voice-menu
set comment <comment_string>
set password <ext_password>
set recorder-exten <extension_str>
config [press-0 | press-1 | press-2 | press-3 | press-4 | press-5 | press-6
| press-7 | press-8 | press-9]
set type {directory | none | ring-group | voicemail}
set ring-group <group_string>
end
end
comment <comment_string>
    Enter a description of the voice-menu settings, if applicable.
    No default
password <ext_password>
    Enter the password required to record a new IVR message.
    Default: null
recorder-exten <extension_str>
    Enter the extension number dialed to record a new IVR message.
    Default: *30
config [press-0 | press-1 | press-2 | press-3 | press-4 | press-5 | press-6 | press-7 | press-8 | press-9]
    Use this sub-command to configure the action taken for each number on the phone's keypad. For example, if the personnel directory should play every time someone presses 1, set type to directory under config press-1.
    No default
type {directory | none | ring-group | voicemail}
    Enter the type of action associated with this keypad number. For example, the office phone directory is heard when a caller presses 0 if config press-0 has directory as its type.
    No default
ring-group <group_string>
    Enter the ring group that receives the call when type is ring-group. This variable appears only when type is set to ring-group.
    Default: null
sip-trunk
Use this command to configure SIP service providers for the PBX. If your FortiGate Voice unit is installed in North America and the country code is set to 1, you can use the FortiGuard Voice service as your SIP service provider. (The default country code is 1; see “global” on page 260 for changing the country code.) The FortiGuard Voice service is supported only in North America. If you install the FortiGate Voice unit elsewhere in the world and change the country code, the FortiGuard Voice service configuration is replaced by the SIP trunk configuration. You can use the SIP trunk configuration to add one or more SIP service providers to the FortiGate Voice configuration.
Syntax
config pbx voip-provider
edit <provider_name>
set user <user_name>
set domain {<VoIP_provider_address_ipv4> | <VoIP_provider_domain> }
set secret <password>
set authuser <authuser>
set display-name <display_name>
set reigstration-interval <refresh_interval>
set account-type {static | dynamic}
set dtmf-metod {auto | inband | info | rfc2833}
set codec {alaw | g729 | none | ulaw}
set codec1 {alaw | g729 | none | ulaw}
set codec2 {alaw | g729 | none | ulaw}
set video {enable | disable}
end
edit <provider_name>
    Enter the VoIP provider's name.
    No default
user <user_name>
    Enter the user name for the provider. You can enter the phone number registered with this provider instead.
    No default
secret <password>
    Enter the password associated with the provider account.
    No default
domain {<VoIP_provider_address_ipv4> | <VoIP_provider_domain>}
    The VoIP provider's domain name or IP address, for example 172.20.120.11 or voip.example.com.
    No default
authuser <authuser>
    Enter the authentication user for the account.
    No default
display-name <display_name>
    Enter the name used as the caller ID name if the provider supports this feature.
    No default
reigstration-interval <refresh_interval>
    Enter the SIP registration refresh interval.
    No default
account-type {static | dynamic}
    Enter the type of account.
    No default
dtmf-metod {auto | inband | info | rfc2833}
    Enter the DTMF method to use.
    No default
codec {alaw | g729 | none | ulaw}
    Enter the most preferred codec for the VoIP provider.
    Default: ulaw
codec1 {alaw | g729 | none | ulaw}
    Enter the second most preferred codec for the VoIP provider.
    Default: none
codec2 {alaw | g729 | none | ulaw}
    Enter the third most preferred codec for the VoIP provider.
    Default: none
video {enable | disable}
    Enable video capability if the provider supports this feature.
    Default: disable
report
Use these commands to configure SQL reports. You can use the get report database schema command to display the FortiGate SQL reporting database schema.
The command descriptions in this chapter have not been updated for FortiOS 4.0 MR2. This
chapter will be updated for a future version of this document.
chart
dataset
layout
style
summary
theme
chart
Use the following command to configure a chart or widget. You can edit the settings of existing widgets or you can
add new widgets. To add a new widget you need to have a dataset for it as well as a title. You can also configure the
widget to be a graph in various formats or a table and you can also optionally configure details about the appearance
of the graph or table.
As you change chart format settings you can go to the Executive Summary page of the web-based manager and view
the chart. Refresh your browser to see format changes. You must use the end command to exit from the config
report chart command to view your changes in the widget.
Charts are called widgets in the Executive Summary on the web-based manager. In the web-based
manager each widget has a name which is set using the comments field of the config report chart
command. When you edit a chart you specify a chart name that is only used in the CLI. To determine the
widget name of a chart you must edit it and view the comments setting.
Syntax
Due to the complexity and duplication in the chart command, the set commands are listed in
simple alphabetical order.
config report chart
edit <chart_name>
config category-series
config column
edit <column_number>
config mapping
edit <id>
config value-series
config x-series
config y-series
end
set background <color_hex>
set caption <caption_str>
set caption-font-size <size_int>
set color-palette <palette_hex>
set comments <comment_str>
set databind <value_expr_str>
set dataset <dataset_name>
set detail-unit <unit_str>
set detail-value <value-str>
set dimension {2D | 3D}
set displayname <name_str>
set drill-down-chart <chart-name>
set extra-databind <value_expr_str>
set extra-y {disable | enable}
set extra-y-legend <legend_string>
set font-size <size_int>
set footer-unit <string>
set footer-value <value-str>
set graph-type {bar | flow | line | none | pie}
set group <group_str>
set header-value <string>
set is-category {no | yes}
set label-angle {45-degree | vertical | horizontal}
set legend {enable | disable}
set legend-font-size <size_int>
set op {equal | greater | greater-equal | less | less-equal | none}
set period {last24 | last7d}
set scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD | HH | YYYY-MM-DD | YYYY-MM
| YYYY | HH-MM | MM-DD}
set scale-number-of-step <steps_int>
set scale-origin {max | min}
set scale-start {now | hh:mm yyyy/mm/dd}
set scale-step <step_int>
set scale-type datetime
set scale-unit {day | hour | minute | month | year}
set style {auto | manual}
set title <title_str>
set title-font-size <size_int>
set type {graph | table}
set unit <unit_str>
set value-type {integer | string}
set value1 {<value_int> | <value_str>}
set value2 {<value_int> | <value_str>}
set y-legend <legend_str>
end
Variable
Description
Default
config category-series Configure the category settings required for a pie chart.
config column
Configure columns for a table. To configure these settings style
must be manual and type must be table. You can add multiple
columns to the table and configure settings for each column.
config mapping
Configure mapping for a table.
config value-series
Configure the value settings required for a pie chart.
config x-series
Configure settings for the x axis of a bar or line graph. To configure
these settings style must be manual and type must be graph.
config y-series
Configure settings for the y axis of a bar or line graph. To configure
these settings style must be manual and type must be graph.
<chart_name>
Enter the name of a new or existing chart. The <chart_name> only
appears in the CLI. The web-based manager includes widget
names that are set using the comments field.
<column_number>
Enter the number of the column to configure. Columns are
numbered from the left starting at 1.
<id>
Identifies a mapping instance.
background <color_hex> Enter the hexidecimal value for an HTML color to set the
background color for a graph. The color value should begin with
0x. For example, the color 0xff0000 results in a red background.
caption <caption_str>
Add a caption text string.
caption-font-size
<size_int>
Set the size of the font used to display a caption. 0 means the font 0
size is set automatically. The font size range is 5 to 20.
color-palette
<palette_hex>
Enter the hexidecimal value for an HTML color palette. The color
palette value should begin with 0x.
comments <comment_str> Enter the name of the widget. You use this name to select the
widget when adding it to the Executive Summary from the
web-based manager. This name appears at the top of the widget
when it is displayed in the Executive Summary.
databind <value_expr_str>
    Enter an SQL databind value expression for binding data to the series being configured.
dataset <dataset_name>
    Enter the name of the dataset that provides the data for this chart. Use the config report dataset command to add or edit data sets. The default configuration includes a number of pre-configured data sets. No default.
detail-unit <unit_str>
    Enter an abbreviation to display for the measurement unit, “MB” for example.
detail-value <value-str>
    Define the value to appear in each column of a table.
dimension {2D | 3D}
    Define whether bar and pie graphs have a 2D or 3D display. Default: 3D.
displayname <name_str>
    Set the name to be displayed for a mapping.
drill-down-chart <chart-name>
    Enter the name of the chart to drill down into.
extra-databind <value_expr_str>
    Enter an SQL databind value expression for binding extra data to the series being configured.
extra-y {disable | enable}
    Enable or disable adding a second (extra) set of data to the y-axis of a graph. Default: disable.
extra-y-legend <legend_string>
    Add a name for the second (extra) set of data added to the y-axis of a graph.
font-size <size_int>
    Set the size of the font used to display a title. 0 means the font size is set automatically. The font size range is 5 to 20. Default: 0.
footer-unit <string>
    Enter an abbreviation to display for the footer unit, “MB” for example.
footer-value <value-str>
    Define the value to appear in the footer of a table.
graph-type {bar | flow | line | none | pie}
    If type is set to graph, select the type of graph used to display information in the widget. Default: none.
group <group_str>
    Enter a group string.
header-value <string>
    Define the value to appear in the header of a table.
is-category {no | yes}
    Specify whether the x-axis of a graph displays categories or a series of values. Default: no.
label-angle {45-degree | vertical | horizontal}
    Select the angle at which the x-axis or y-axis label is displayed. Default: varies depending on the chart and series.
legend {enable | disable}
    Enable or disable the generation and display of a data legend. Default: enable.
legend-font-size <size_int>
    Set the size of the font used to display a legend. 0 means the font size is set automatically. The font size range is 5 to 20. Default: 0.
op {equal | greater | greater-equal | less | less-equal | none}
    Set the mapping comparison option. Default: none.
period {last24 | last7d}
    Select the chart report period: the last 24 hours or the last seven days. Default: last7d.
scale-format {YYYY-MM-DD-HH-MM | YYYY-MM-DD | HH | YYYY-MM-DD | YYYY-MM | YYYY | HH-MM | MM-DD}
    Set the format for displaying the date and time on the x-axis of a graph. Default: YYYY-MM-DD-HH-MM.
scale-number-of-step <steps_int>
    Set the number of steps on the horizontal axis of the graph. The range is 1 to 31. Default: 0.
scale-origin {max | min}
    Set the starting point and direction of time on the x-axis of the graph:
    • max: time runs in reverse along the x-axis, starting at the origin of the graph with the scale-start time.
    • min: time runs forward along the x-axis, starting at the origin of the graph with the scale-start time.
    Default: max.
scale-start {now | hh:mm yyyy/mm/dd}
    Set the start time for the x-axis. now sets the start time to the time at which the graph was generated. You can also specify a time and date. The year range is 2001-2050. Default: now.
scale-step <step_int>
    The number of scale-units in each x-axis scale step. Default: 0.
scale-type datetime
    Only the datetime scale type is supported. Sets the x-axis to display dates and times. Default: datetime.
scale-unit {day | hour | minute | month | year}
    The unit of the scale-step on the x-axis. Default: day.
style {auto | manual}
    By default style is set to auto, which means the appearance of the graph or chart in the widget is configured automatically. Set style to manual to configure the details of the chart or graph appearance yourself. Default: auto.
title <title_str>
    Enter the title of the graph or table. The title is optional and appears inside the widget above the graph or chart. This is not the name of the widget; use the comments field to set the title or name of the widget.
title-font-size <size_int>
    Set the size of the font used to display the title. 0 means the font size is set automatically. The font size range is 5 to 20. Default: 0.
type {graph | table}
    Configure whether this widget presents information graphically, as a graph, or as a table of values. If you select graph, use the graph-type field to configure the type of graph. Default: graph.
unit <unit_str>
    Enter the name of the units to be displayed on the x-axis.
value-type {integer | string}
    Configure the mapping value to be an integer or a text string. Default: integer.
value1 {<value_int> | <value_str>}
    Set the first mapping value.
value2 {<value_int> | <value_str>}
    Set a second mapping value if required.
y-legend <legend_str>
    Add a name for the data included on the y-axis of a graph.
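The scale-start, scale-origin, scale-unit, scale-step, scale-number-of-step and scale-format fields above only make sense together, and the easiest way to see what a combination produces is to compute the tick labels it would place on the x-axis. The following Python script is an added example, not code from this reference or from Fortinet. It assumes that the axis carries one tick at the origin plus one per scale-number-of-step, that scale-origin max walks backwards in time from scale-start while min walks forwards, and that each scale-format keyword corresponds to the obvious strftime pattern; those assumptions are mine, not documented product behaviour.

```python
"""Added example (not Fortinet code): compute the x-axis tick labels a chart
would show for a given set of scale-* settings, so the effect of
scale-origin, scale-unit, scale-step, scale-number-of-step and scale-format
can be checked before committing a chart configuration."""
import calendar
from datetime import datetime, timedelta

# Assumed mapping from scale-format keywords to strftime patterns.
SCALE_FORMATS = {
    "YYYY-MM-DD-HH-MM": "%Y-%m-%d-%H-%M",
    "YYYY-MM-DD": "%Y-%m-%d",
    "YYYY-MM": "%Y-%m",
    "YYYY": "%Y",
    "HH": "%H",
    "HH-MM": "%H-%M",
    "MM-DD": "%m-%d",
}


def parse_scale_start(value, now=None):
    """scale-start is either 'now' or 'hh:mm yyyy/mm/dd' with a year in 2001-2050."""
    if value == "now":
        return now if now is not None else datetime.now()
    start = datetime.strptime(value, "%H:%M %Y/%m/%d")
    if not 2001 <= start.year <= 2050:
        raise ValueError("scale-start year must be in the range 2001-2050")
    return start


def shift(moment, scale_unit, count):
    """Move `moment` by `count` scale-units (a negative count moves backwards)."""
    if scale_unit == "minute":
        return moment + timedelta(minutes=count)
    if scale_unit == "hour":
        return moment + timedelta(hours=count)
    if scale_unit == "day":
        return moment + timedelta(days=count)
    if scale_unit in ("month", "year"):
        # Calendar arithmetic: clamp the day so Jan 31 + 1 month is Feb 28/29.
        months = count * (12 if scale_unit == "year" else 1)
        total = moment.year * 12 + (moment.month - 1) + months
        year, month_index = divmod(total, 12)
        month = month_index + 1
        day = min(moment.day, calendar.monthrange(year, month)[1])
        return moment.replace(year=year, month=month, day=day)
    raise ValueError("unknown scale-unit: %s" % scale_unit)


def x_axis_labels(scale_start, scale_unit="day", scale_step=1,
                  scale_number_of_step=7, scale_origin="max",
                  scale_format="YYYY-MM-DD-HH-MM", now=None):
    """Return the tick labels from the origin outwards.

    Assumption: one tick at the origin plus one per step; 'max' walks back in
    time from scale-start, 'min' walks forward from it.
    """
    if not 1 <= scale_number_of_step <= 31:
        raise ValueError("scale-number-of-step must be in the range 1-31")
    if scale_step < 1:
        raise ValueError("scale-step must be at least 1")
    if scale_origin not in ("max", "min"):
        raise ValueError("scale-origin must be max or min")
    origin = parse_scale_start(scale_start, now)
    direction = -1 if scale_origin == "max" else 1
    pattern = SCALE_FORMATS[scale_format]
    ticks = [shift(origin, scale_unit, direction * i * scale_step)
             for i in range(scale_number_of_step + 1)]
    return [tick.strftime(pattern) for tick in ticks]


if __name__ == "__main__":
    # Constructed settings: a "last seven days" style axis counting back from
    # a fixed scale-start so the output is reproducible.
    for label in x_axis_labels("00:00 2013/02/25", "day", 1, 7, "max", "YYYY-MM-DD"):
        print(label)
```

Running the script with scale-origin max prints the seven days before 2013-02-25 in descending order; switching to min prints the seven days after it. The month and year branches of shift clamp the day of month, which is the edge case that matters when scale-start falls on the 29th, 30th or 31st.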
dataset
Use the following command to configure report data sets. You can configure existing data sets or add new ones. Expert knowledge of SQL is required to write and edit data set queries.
Syntax
config report dataset
  edit <report_dataset>
    set query <SQL_statement>
    config field
      edit <field-id>
        set displayname <string>
        set type {text | integer | date | ip}
    end
end
edit <report_dataset>
    Enter the name of an existing dataset or a new name. Press ? to view the list of existing datasets.
query <SQL_statement>
    Enter the SQL statement that retrieves the required data from the database. Comprehensive knowledge of SQL queries is required. See the existing datasets for example SQL queries.
config field
    Configure fields only to modify the type or displayed name of a column for use in a table or chart.
edit <field-id>
    Enter a field id from 1 to the number of result fields in the SQL query.
displayname <string>
    Enter the name for the field to be displayed in tables and charts.
type {text | integer | date | ip}
    Select the type of data in the field. Not all options are available for all fields. Default: text.
layout
Use this command to configure report layouts. Layouts define the content of your reports. You can create sub-styles for page headers, page footers and the body section of the report. You can also schedule a reporting cycle and set a specific time and day for generating reports. You can select a layout from a pre-defined list or create your own. Once all layout parameters are set, you can save the layout and use it in any report. Use the following options to customize existing layouts or create new ones.
Syntax
config report layout
  edit <layout name>
    set title <text>
    set cache-time-out <seconds_int>
    set cutoff-option {run-time | custom}
    set cutoff-time <time_str>
    set description <text>
    set email-recipients <recipients_str>
    set email-send {enable | disable}
    set format {html | pdf}
    set schedule-type {demand | daily | weekly}
    set time <HH:MM>
    set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    set style-theme <theme name>
    set options {include-table-of-contents | auto-numbering-heading
      | view-chart-as-heading | show-html-navbar-before-heading}
    config page
      set paper {A4 | letter}
      set column-break-before {heading1 | heading2 | heading3}
      set options {header-on-first-page | footer-on-first-page}
      set style <style name>
      config header
        set style <style name>
        config header-item
          edit <item_id>
            set style <style name>
            set type {text | image}
            set content <text>
            set description <text>
            set img-src <text>
        end
      end
      config footer
        set style <style name>
        config footer-item
          edit <item_id>
            set style <style name>
            set type {text | image}
            set content <text>
            set description <text>
            set img-src <text>
        end
      end
    end
    config body-item
      edit <item_id>
        set type {text | image | chart | misc}
        set description <text>
        set style <style name>
        set text-component {heading1 | heading2 | heading3 | normal text}
        set content <text>
        set img-src <text>
        set chart <chart name>
        set chart-options {hide-title | include-no-data | show-caption}
        set misc-component {hline | page-break | column-break}
        set parameter1 <value_str>
    end
end
edit <layout name>
    Enter the name of an existing layout or a new name. Press ? to view the list of existing layouts.
title <text>
    Enter a title for the current report layout.
cache-time-out <seconds_int>
    Enter the timeout period in seconds for cached datasets. Range 0 to 86 400. Default: 86400 (the original description states 604 800 seconds, 1 week).
cutoff-option {run-time | custom}
    Select the end of the report period:
    • run-time: the report period ends when the report is run.
    • custom: the report period ends at cutoff-time.
    Default: run-time.
cutoff-time <time_str>
    Enter the end of the report period in hh:mm format. This field is available when cutoff-option is custom. Default: 00:00.
description <text>
    Enter a description for the current layout.
email-recipients <recipients_str>
    Enter the email addresses of the report recipients, separated by semicolons. Available if email-send is enable. Default: Null.
email-send {enable | disable}
    Enable or disable sending reports by email. Default: disable.
format {html | pdf}
    Select the layout format. Default: html.
schedule-type {demand | daily | weekly}
    Select the schedule type for the report layout. Default: daily.
time <HH:MM>
    Enter the time at which the report is run:
    • HH: hour value in two-digit format, 0-23
    • MM: minute value, 0-59
    schedule-type must be set for the time option to be available. Default: 00:00.
day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    Select the day of the week on which the report is run. The day option is only available when schedule-type is set to weekly. Default: sunday.
style-theme <theme name>
    Enter the name of an existing style theme or a new style theme name. See the theme section of this chapter for more detail on style themes.
options {include-table-of-contents | auto-numbering-heading | view-chart-as-heading | show-html-navbar-before-heading}
    Use the following options to configure the report page design:
    • include-table-of-contents: include a table of contents in the report.
    • auto-numbering-heading: include page numbers in the heading.
    • view-chart-as-heading: automatically add a heading for each chart.
    • show-html-navbar-before-heading: show an HTML navigation bar before each heading.
config page
paper {A4 | letter}
    Select the standard paper size. Default: A4.
column-break-before {heading1 | heading2 | heading3}
    Select the heading type that will have a column break in front of it.
options {header-on-first-page | footer-on-first-page}
    Select one of these options to have the header or the footer on the first page of the report.
config header
style <style name>
    Enter the name of an existing style or a new name. Press ? to view the list of existing styles.
config header-item
edit <item_id>
    Enter the id of an existing report item or a new id. Press ? to view the list of existing report item ids.
style <style name>
    Enter the name of an existing style or a new name. Press ? to view the list of existing styles.
type {text | image}
    Select the report header item type. Default: text.
content <text>
    Enter the content of the header item. This option is only available when type is set to text.
description <text>
    Enter a description of the image file. This option is only available when type is set to image.
img-src <text>
    Enter the name of the header item image file, for example image.jpg. This option is only available when type is set to image.
config footer
style <style name>
    Enter the name of an existing style or a new name. Press ? to view the list of existing styles.
config footer-item
edit <item_id>
    Enter the id of an existing report item or a new id. Press ? to view the list of existing report item ids.
style <style name>
    Enter the name of an existing style or a new name. Press ? to view the list of existing styles.
type {text | image}
    Select the report footer item type. Default: text.
content <text>
    Enter the content of the footer item. This option is only available when type is set to text.
description <text>
    Enter a description of the image file. This option is only available when type is set to image.
img-src <text>
    Enter the name of the footer item image file, for example image.jpg. This option is only available when type is set to image.
config body-item
edit <item_id>
    Enter the id of an existing report body item or a new id. Press ? to view the list of existing report body item ids.
type {text | image | chart | misc}
    Select the body item type. Default: text.
description <text>
    Enter the content of the body item. This option is only available when type is set to text or misc.
style <style name>
    Enter the name of an existing style or a new name. Press ? to view the list of existing styles.
text-component {heading1 | heading2 | heading3 | normal text}
    Select the text component type.
content <text>
    Enter the content of the text component. Headings are limited to one line.
img-src <text>
    Enter the name of the body item image file, for example image.jpg. This option is only available when type is set to image.
chart <chart name>
    Enter the name of the report item chart. This option is only available when type is set to chart.
chart-options {hide-title | include-no-data | show-caption}
    Select one of the following options to customize the chart:
    • hide-title: hide the chart title.
    • include-no-data: include the chart even when it has no data.
    • show-caption: show the chart caption.
misc-component {hline | page-break | column-break}
    Select one of the following separator components to add to the report:
    • hline: add a horizontal line.
    • page-break: add a page break.
    • column-break: add a column break.
parameter1 <value_str>
    Enter the parameter value for this body item.
style
Use this command to configure report styles. Report styles configure the font, paragraph and page properties of your reports. For example, you can set the font type, size and color as well as the page background color and page margins. You can select a style from a pre-defined list or create your own report style. Once all style parameters are set, you can save the style and use it in any report. Use the following options to customize existing styles or create new ones.
Syntax
config report style
  edit <style name>
    set options {font | text | color | align | size | margin | border | padding | column}
    set font-family {Verdana | Arial | Helvetica | Courier | Times}
    set font-style {normal | italic}
    set font-weight {normal | bold}
    set font-size {xx-small | x-small | small | medium | large | x-large | xx-large | 5-28}
    set line-height <integer | percentage>
    set fg-color {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive
      | purple | red | silver | teal | white | yellow | <color-value>}
    set bg-color {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive
      | purple | red | silver | teal | white | yellow | <color-value>}
    set align {left | center | right | justify}
    set height <integer | percentage>
    set width <integer | percentage>
    set margin-top <integer>
    set margin-bottom <integer>
    set margin-left <integer>
    set margin-right <integer>
    set border-top <topwidth_int> {none | dotted | dashed | solid} {aqua | black | blue
      | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal
      | white | yellow | <color-value>}
    set border-bottom <bottomwidth_int> {none | dotted | dashed | solid} {aqua | black | blue
      | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal
      | white | yellow | <color-value>}
    set border-left <leftwidth_int> {none | dotted | dashed | solid} {aqua | black | blue
      | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal
      | white | yellow | <color-value>}
    set border-right <rightwidth_int> {none | dotted | dashed | solid} {aqua | black | blue
      | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal
      | white | yellow | <color-value>}
    set padding-top <integer>
    set padding-bottom <integer>
    set padding-left <integer>
    set padding-right <integer>
    set column-span {none | all}
    set column-gap <integer>
end
edit <style name>
    Enter the name of an existing style or a new name. Press ? to view the list of existing styles.
options {font | text | color | align | size | margin | border | padding | column}
    Select the report style feature to customize. For example, font lets you customize the font properties.
font-family {Verdana | Arial | Helvetica | Courier | Times}
    Select one of the pre-defined font families for the current report style.
font-style {normal | italic}
    Select the style of the font. Default: normal.
font-weight {normal | bold}
    Select the weight of the font. Default: normal.
font-size {xx-small | x-small | small | medium | large | x-large | xx-large | 5-28}
    Select one of the pre-defined font sizes or enter a number between 5 and 28, which sets the font size in pixels.
line-height <integer | percentage>
    Set the line height in pixels or as a percentage, for example 10 or 120%.
fg-color {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal | white | yellow | <color-value>}
    Select the foreground color from one of the pre-defined colors or enter a 6-digit hex color code. For example, 0033CC is blue.
bg-color {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal | white | yellow | <color-value>}
    Select the background color from one of the pre-defined colors or enter a 6-digit hex color code. For example, FF0000 is red.
align {left | center | right | justify}
    Select one of the text alignment options. Default: left.
height <integer | percentage>
    Enter the height of the report in pixels or as a percentage, for example 10 or 120%.
width <integer | percentage>
    Enter the width of the report in pixels or as a percentage, for example 10 or 120%.
margin-top <integer>
    Enter the top margin size in pixels.
margin-bottom <integer>
    Enter the bottom margin size in pixels.
margin-left <integer>
    Enter the left margin size in pixels.
margin-right <integer>
    Enter the right margin size in pixels.
border-top <topwidth_int> {none | dotted | dashed | solid} {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal | white | yellow | <color-value>}
    Enter the top border width in pixels, followed by the border style and the border color. The border color can be entered by name or as a 6-digit hex color code. Default: none.
border-bottom <bottomwidth_int> {none | dotted | dashed | solid} {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal | white | yellow | <color-value>}
    Enter the bottom border width in pixels, followed by the border style and the border color. The border color can be entered by name or as a 6-digit hex color code. Default: none.
border-left <leftwidth_int> {none | dotted | dashed | solid} {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal | white | yellow | <color-value>}
    Enter the left border width in pixels, followed by the border style and the border color. The border color can be entered by name or as a 6-digit hex color code. Default: none.
border-right <rightwidth_int> {none | dotted | dashed | solid} {aqua | black | blue | fuchsia | gray | green | lime | maroon | navy | olive | purple | red | silver | teal | white | yellow | <color-value>}
    Enter the right border width in pixels, followed by the border style and the border color. The border color can be entered by name or as a 6-digit hex color code. Default: none.
padding-top <integer>
    Enter the top padding size in pixels.
padding-bottom <integer>
    Enter the bottom padding size in pixels.
padding-left <integer>
    Enter the left padding size in pixels.
padding-right <integer>
    Enter the right padding size in pixels.
column-span {none | all}
    Select all to span across all columns or none for no span. Default: none.
column-gap <integer>
    Enter the column gap size in pixels.
summary
Use this command to add widgets (also called charts) to the Executive Summary and to configure the schedule for updating the data displayed by the widget. The data is updated by executing the SQL query in the widget and refreshing the information displayed in the widget.
Syntax
config report summary
  edit id <integer>
    set column {1 | 2}
    set day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    set schedule {daily | weekly}
    set time <hh:mm>
    set widget <widget_name>
end
id <integer>
    Enter the identification number for the log field.
column {1 | 2}
    Select the column of the Executive Summary in which to display the widget. Default: 1.
day {sunday | monday | tuesday | wednesday | thursday | friday | saturday}
    Set the day of the week on which to update the widget. Available if schedule is weekly. Default: sunday.
schedule {daily | weekly}
    Schedule the widget to update once a day or once a week. Default: daily.
time <hh:mm>
    Set the time of day at which to update the widget. You can set the time of day for weekly or daily updates. Default: 00:00.
widget <widget_name>
    Select the name of the widget.
theme
Use this command to configure themes for your reports. Themes configure some of the main characteristics of a report's appearance. For example, you can configure the page orientation of the report or create sub-styles for title headings. You can select a theme from a pre-defined list or create your own report theme. Once all theme parameters are set, you can save the theme and use it in any report. Use the following options to customize existing themes or create new ones.
Syntax
config report theme
  edit <theme name>
    set page-orient {portrait | landscape}
    set column-count {1 | 2 | 3}
    set default-html-style <style_name>
    set default-pdf-style <style_name>
    set page-style <style_name>
    set page-header-style <style_name>
    set page-footer-style <style_name>
    set report-title-style <style_name>
    set report-subtitle-style <style_name>
    set heading1-style <style_name>
    set heading2-style <style_name>
    set heading3-style <style_name>
    set heading4-style <style_name>
    set toc-title-style <style_name>
    set toc-heading1-style <style_name>
    set toc-heading2-style <style_name>
    set toc-heading3-style <style_name>
    set toc-heading4-style <style_name>
    set normal-text-style <style_name>
    set bullet-text-style <style_name>
    set numbered-text-style <style_name>
    set image-style <style_name>
    set hline-style <style_name>
    set graph-chart-style <style_name>
    set table-chart-style <style_name>
    set table-chart-caption-style <style_name>
    set table-chart-head-style <style_name>
    set table-chart-odd-row-style <style_name>
    set table-chart-even-row-style <style_name>
end
edit <theme name>
    Enter the name of an existing theme or a new name. Press ? to view the list of existing themes.
page-orient {portrait | landscape}
    Select the page orientation for the current report theme. Default: portrait.
column-count {1 | 2 | 3}
    Enter the number of columns for the current report theme. The maximum value is 3. Default: 1.
default-html-style <style_name>
    Enter the default HTML style name. Press ? to view the list of existing HTML styles.
default-pdf-style <style_name>
    Enter the default PDF style name. Press ? to view the list of existing PDF styles.
page-style <style_name>
    Enter the default page style name. Press ? to view the list of existing page styles.
page-header-style <style_name>
    Enter the default page header style name. Press ? to view the list of existing page header styles.
page-footer-style <style_name>
    Enter the default footer style name. Press ? to view the list of existing footer styles.
report-title-style <style_name>
    Enter the default report title style name. Press ? to view the list of existing report title styles.
report-subtitle-style <style_name>
    Enter the default report subtitle style name. Press ? to view the list of existing report subtitle styles.
heading1-style <style_name>
    Enter the default heading1 style name. Press ? to view the list of existing heading1 styles.
heading2-style <style_name>
    Enter the default heading2 style name. Press ? to view the list of existing heading2 styles.
heading3-style <style_name>
    Enter the default heading3 style name. Press ? to view the list of existing heading3 styles.
heading4-style <style_name>
    Enter the default heading4 style name. Press ? to view the list of existing heading4 styles.
toc-title-style <style_name>
    Enter the default table of contents style name. Press ? to view the list of existing table of contents styles.
toc-heading1-style <style_name>
    Enter the default table of contents heading1 style name. Press ? to view the list of existing table of contents heading1 styles.
toc-heading2-style <style_name>
    Enter the default table of contents heading2 style name. Press ? to view the list of existing table of contents heading2 styles.
toc-heading3-style <style_name>
    Enter the default table of contents heading3 style name. Press ? to view the list of existing table of contents heading3 styles.
toc-heading4-style <style_name>
    Enter the default table of contents heading4 style name. Press ? to view the list of existing table of contents heading4 styles.
normal-text-style <style_name>
    Enter the default normal text style name. Press ? to view the list of existing normal text styles.
bullet-text-style <style_name>
    Enter the default bullet text style name. Press ? to view the list of existing bullet text styles.
numbered-text-style <style_name>
    Enter the default numbered text style name. Press ? to view the list of existing numbered text styles.
image-style <style_name>
    Enter the default image style name. Press ? to view the list of existing image styles.
hline-style <style_name>
    Enter the default horizontal line style name. Press ? to view the list of existing horizontal line styles.
graph-chart-style <style_name>
    Enter the default graph chart style name. Press ? to view the list of existing graph chart styles.
table-chart-style <style_name>
    Enter the default table chart style name. Press ? to view the list of existing table chart styles.
table-chart-caption-style <style_name>
    Enter the default table chart caption style name. Press ? to view the list of existing table chart caption styles.
table-chart-head-style <style_name>
    Enter the default table chart header style name. Press ? to view the list of existing table chart header styles.
table-chart-odd-row-style <style_name>
    Enter the default table chart odd row style name. Press ? to view the list of existing table chart odd row styles.
table-chart-even-row-style <style_name>
    Enter the default table chart even row style name. Press ? to view the list of existing table chart even row styles.
router
Routers move packets from one network segment to another towards a network destination. When a packet reaches a router, the router uses data in the packet header to look up a suitable route on which to forward the packet to the next segment. The information that a router uses to make routing decisions is stored in a routing table. Other factors related to the availability of routes and the status of the network may influence the route selection that a router makes when forwarding a packet to the next segment.
The FortiGate unit supports many advanced routing functions and is compatible with industry standard Internet routers. The FortiGate unit can communicate with other routers to determine the best route for a packet.
The following router commands are available to configure options related to FortiGate unit router communications and packet forwarding:
access-list, access-list6
aspath-list
auth-path
bgp
community-list
gwdetect
isis
key-chain
multicast
multicast-flow
ospf
ospf6
policy
prefix-list, prefix-list6
rip
ripng
route-map
setting
static
static6
access-list, access-list6
Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). Use access-list6 for IPv6 routing.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0, cannot be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see “prefix-list, prefix-list6” on page 352.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny.
Syntax
config router access-list, access-list6
  edit <access_list_name>
    set comments <string>
    config rule
      edit <access_list_id>
        set action {deny | permit}
        set exact-match {enable | disable}
        set prefix {<prefix_ipv4mask> | any}
        set prefix6 {<prefix_ipv6mask> | any}
        set wildcard <address_ipv4> <wildcard_mask>
    end
end
The action and prefix fields are required. The exact-match field is optional.
edit <access_list_name>
    Enter a name for the access list. An access list and a prefix list cannot have the same name. No default.
comments <string>
    Enter a descriptive comment. The maximum length is 127 characters. No default.
config rule variables
edit <access_list_id>
    Enter an entry number for the rule. The number must be an integer. No default.
action {deny | permit}
    Set the action to take for this prefix. Default: permit.
exact-match {enable | disable}
    By default, access list rules are matched on the prefix or any more specific prefix. Enable exact-match to match only the configured prefix. Default: disable.
prefix {<prefix_ipv4mask> | any}
    Enter the prefix for this access list rule. Enter either:
    • an IPv4 address and network mask
    • any: match any prefix
    Default: any.
prefix6 {<prefix_ipv6mask> | any}
    Enter the prefix for this IPv6 access list rule. Enter either:
    • an IPv6 address and network mask
    • any: match any prefix
    This variable is only used with config access-list6. Default: any.
wildcard <address_ipv4> <wildcard_mask>
    Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 0.0.255.0) determines which address bits to match. A 0 bit in the mask means that bit of the address must match exactly, while a 1 bit means that bit of the network address does not have to match. You can specify discontinuous masks (for example, to process “even” or “odd” networks according to any network address octet). For best results, do not specify a wildcard attribute unless prefix is set to any. This variable is only used with config access-list. No default.
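The matching rules just described (top-down evaluation, first match wins, the prefix or any more specific prefix unless exact-match is enabled, wildcard masks with 0 meaning "must match" and 1 meaning "don't care", and an implicit deny at the end) are worth seeing as executable logic, because the difference between a prefix match and a wildcard match is the usual source of surprises. The following Python script is an added example, not FortiGate code and not taken from this reference. The rule set, the candidate prefixes and the dictionary shape of a rule are constructed for illustration; it also encodes the two cautions from the text as validation errors (exact-match on 0.0.0.0/0, and a wildcard combined with a prefix other than any).

```python
"""Added example (not FortiGate code): evaluate a router access-list the way
the reference describes it. Rules are tried from the top; a rule matches the
configured prefix or, unless exact-match is enabled, any more specific prefix;
the first matching rule decides; and a prefix matching no rule is denied."""
import ipaddress


def prefix_matches(rule_prefix, candidate, exact_match=False):
    """rule_prefix and candidate are 'address/len' strings (IPv4 or IPv6);
    rule_prefix may also be 'any'."""
    if rule_prefix == "any":
        return True
    rule = ipaddress.ip_network(rule_prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if rule.version != cand.version:
        return False
    if exact_match:
        return cand == rule
    # Default behaviour: the prefix itself or any more specific prefix inside it.
    return cand.subnet_of(rule)


def wildcard_matches(address, wildcard_mask, candidate):
    """Reverse (wildcard) mask semantics: a 0 bit in the mask must match the
    address, a 1 bit is ignored. Masks may be discontinuous (e.g. 0.0.254.0)."""
    net = ipaddress.ip_network(candidate, strict=False)
    if net.version != 4:
        return False  # wildcard is only used with config access-list (IPv4)
    care = ~int(ipaddress.IPv4Address(wildcard_mask)) & 0xFFFFFFFF
    want = int(ipaddress.IPv4Address(address)) & care
    have = int(net.network_address) & care
    return want == have


def validate_rule(rule):
    """Reject the two combinations the reference warns about."""
    prefix = rule.get("prefix", "any")
    if rule.get("exact_match") and prefix != "any" \
            and ipaddress.ip_network(prefix, strict=False).prefixlen == 0:
        # The default route cannot be exactly matched with an access-list;
        # the reference says to use a prefix-list for that.
        raise ValueError("use a prefix-list to match the default route exactly")
    if "wildcard" in rule and prefix != "any":
        # "Do not specify a wildcard attribute unless prefix is set to any."
        raise ValueError("wildcard rules must use prefix any")


def evaluate_access_list(rules, candidate):
    """rules: ordered list of dicts with keys action ('permit' | 'deny'), prefix,
    and optionally exact_match (bool) or wildcard ((address, mask)).
    Returns the action of the first matching rule, or 'deny' if none matches."""
    for rule in rules:
        validate_rule(rule)
        if "wildcard" in rule:
            matched = wildcard_matches(*rule["wildcard"], candidate)
        else:
            matched = prefix_matches(rule["prefix"], candidate,
                                     rule.get("exact_match", False))
        if matched:
            return rule["action"]
    return "deny"  # implicit deny at the end of every access list


# Constructed rule set, in the order the FortiGate would evaluate it:
#   1  deny   10.0.0.0/8 with exact-match   (block the aggregate itself)
#   2  permit 10.0.0.0/8                    (allow its more specific prefixes)
#   3  permit any, wildcard 192.168.1.0 0.0.254.0  (odd third octet only)
SAMPLE_RULES = [
    {"action": "deny", "prefix": "10.0.0.0/8", "exact_match": True},
    {"action": "permit", "prefix": "10.0.0.0/8"},
    {"action": "permit", "prefix": "any", "wildcard": ("192.168.1.0", "0.0.254.0")},
]

if __name__ == "__main__":
    for p in ("10.0.0.0/8", "10.1.0.0/16", "192.168.3.0/24",
              "192.168.4.0/24", "172.16.0.0/12"):
        print(p, "->", evaluate_access_list(SAMPLE_RULES, p))
```

With the constructed rules, 10.0.0.0/8 itself is denied by the exact-match rule while 10.1.0.0/16 falls through to the second rule and is permitted; 192.168.3.0/24 is permitted because its third octet is odd, 192.168.4.0/24 is not, and 172.16.0.0/12 matches nothing and is denied. The same functions accept IPv6 prefixes, which is what config access-list6 evaluates.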
aspath-list
router
aspath-list
Use this command to set or unset BGP AS-path list parameters. By default, BGP uses an ordered list of Autonomous
System (AS) numbers to describe the route that a packet takes to reach its destination. A list of these AS numbers is
called the AS path. You can filter BGP routes using AS path lists.
When the FortiGate unit receives routing updates from other autonomous systems, it can perform operations on
updates from neighbors and choose the shortest path to a destination. The shortest path is determined by counting
the AS numbers in the AS path. The path that has the least AS numbers is considered the shortest AS path.
Use the config router aspath-list command to define an access list that examines the AS_PATH attributes of
BGP routes to match routes. Each entry in the AS-path list defines a rule for matching and selecting routes based on
the setting of the AS_PATH attribute. The default rule in an AS path list (which the FortiGate unit applies last) denies
the matching of all routes.
Syntax
config router aspath-list
  edit <aspath_list_name>
    config rule
      edit <as_rule_id>
        set action {deny | permit}
        set regexp <regexp_str>
    end
  end
The action and regexp fields are required.
edit <aspath_list_name>
  Enter a name for the AS path list.
  Default: none

config rule variables

edit <as_rule_id>
  Enter an entry number for the rule. The number must be an
  integer.
  Default: none

action {deny | permit}
  Deny or permit operations on a route based on the value of the
  route’s AS_PATH attribute.
  Default: none

regexp <regexp_str>
  Specify the regular expression that will be compared to the
  AS_PATH attribute (for example, ^730$).
  The value is used to match AS numbers. Delimit a complex
  regexp_str value using double-quotation marks.
  Default: Null
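As an added illustration (Python, not code from the reference or from Fortinet), the following evaluates an AS-path list the way the text describes: rules are tried in order, the first regexp that matches the AS_PATH decides, an unmatched path falls through to the default deny, and the permitted path with the fewest AS numbers is then chosen as the shortest. The rules and candidate paths are constructed, and plain Python regular-expression semantics over a space-separated AS_PATH are assumed; the FortiOS matching engine may differ.

```python
# Added example (not from the FortiOS reference): an AS-path list evaluated
# as the text describes, i.e. ordered permit/deny rules whose regexp is
# compared with the AS_PATH attribute, with an implicit final deny, followed
# by the shortest-AS-path choice among the permitted routes.
# Assumption: regexps use plain Python re semantics over the AS_PATH written
# as space-separated AS numbers; the FortiOS matching engine may differ.
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    regexp: str   # compared with the AS_PATH attribute


def evaluate_aspath_list(rules: List[Rule], as_path: List[int]) -> str:
    """Return the action of the first matching rule, or 'deny' (the default rule)."""
    path_str = " ".join(str(asn) for asn in as_path)
    for rule in rules:
        if re.search(rule.regexp, path_str):
            return rule.action
    return "deny"


def shortest_permitted_path(rules: List[Rule],
                            paths: List[List[int]]) -> Optional[List[int]]:
    """Pick the permitted path with the fewest AS numbers (first one wins ties)."""
    permitted = [p for p in paths if evaluate_aspath_list(rules, p) == "permit"]
    return min(permitted, key=len) if permitted else None


if __name__ == "__main__":
    # Constructed rules: drop anything through AS 65666, permit the route
    # consisting only of AS 730 (the text's ^730$ example) or anything via
    # AS 65100; everything else falls through to the default deny.
    rules = [
        Rule("deny", r"\b65666\b"),
        Rule("permit", r"^730$"),
        Rule("permit", r"\b65100\b"),
    ]
    candidates = [[730], [65100, 730], [65666, 65100, 730], [64496]]
    for path in candidates:
        print(path, "->", evaluate_aspath_list(rules, path))
    print("shortest permitted:", shortest_permitted_path(rules, candidates))
```

Because the default rule is applied last and denies everything, a list with only deny rules permits nothing; an explicit trailing permit rule is needed to let other routes through.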
auth-path
Authentication based routing allows firewall policies to direct network traffic flows.
This command configures a RADIUS object on your FortiGate unit. The same object must also be configured on
the RADIUS server.
To configure authentication based routing on your FortiGate unit
1 Configure your FortiGate unit to communicate with a RADIUS authentication server.
2 Configure a user that uses the RADIUS server.
3 Add that user to a user group configured to use the RADIUS server.
4 Configure the router auth-path object.
5 Configure a custom service for RADIUS traffic.
6 Configure a service group that includes RADIUS traffic along with other types of traffic that will be allowed to pass
through the firewall.
7 Configure a firewall policy that has route based authentication enabled.
The Fortinet Knowledge Base has an article on authentication based routing that provides a sample configuration for
these steps.
The auth-path command is not available when the FortiGate unit is in Transparent mode.
Syntax
config router auth-path
  edit <auth_path_name>
    set device <interface>
    set gateway <gway_ipv4>
  end
edit <auth_path_name>
  Enter a name for the authentication path.
  Default: none

device <interface>
  Specify the interface for this path.
  Default: none

gateway <gway_ipv4>
  Specify the gateway IP address for this path.
  Default: Null.
bgp
Use this command to set or unset BGP-4 routing parameters. BGP can be used to perform Classless Interdomain
Routing (CIDR) and to route traffic between different autonomous systems or domains using an alternative route if a
link between a FortiGate unit and a BGP peer (such as an ISP router) fails. FortiOS BGP4 complies with RFC 1771
and supports IPv4 addressing.
FortiOS supports IPv6 over BGP4 via the BGP4+ protocol defined in RFC 2545 and RFC 2858. IPv6 configuration for
BGP is accomplished with the aggregate-address6, network6, and redistribute6 variables. Almost
every variable in config neighbor also has an IPv4 and an IPv6 version, such as activate and activate6. Any
variable ending with a “6” is an IPv6 variable.
When BGP is enabled, the FortiGate unit sends routing table updates to the upstream ISP router whenever any part
of the routing table changes. The update advertises which routes can be used to reach the FortiGate unit. In this way,
routes are made known from the border of the internal network outwards (routes are pushed forward) instead of
relying on upstream routers to propagate alternative paths to the FortiGate unit.
FortiGate unit BGP supports the following extensions to help manage large numbers of BGP peers:
• Communities — The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to predefined
paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY attribute of learned routes to perform
local filtering and/or redistribution.
• Internal BGP (IBGP) route reflectors — The FortiGate unit can operate as a route reflector or participate as a client
in a cluster of IBGP peers (see RFC 1966).
• External BGP (EBGP) confederations — The FortiGate unit can operate as a confederation member, using its AS
confederation identifier in all transactions with peers that are not members of its confederation (see RFC 3065).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF to quickly detect hardware
failures in the network. Routers running BFD send unicast messages to each other; if the timer for a connection runs
out because no messages have been received, the unresponsive router is declared down. BFD then
communicates this information to the routing protocol and the routing information is updated. BFD support can only
be configured through the CLI.
Syntax
config router bgp
  set always-compare-med {enable | disable}
  set as <local_as_id>
  set bestpath-as-path-ignore {enable | disable}
  set bestpath-cmp-confed-aspath {enable | disable}
  set bestpath-cmp-routerid {enable | disable}
  set bestpath-med-confed {enable | disable}
  set bestpath-med-missing-as-worst {enable | disable}
  set client-to-client-reflection {enable | disable}
  set cluster-id <address_ipv4>
  set confederation-identifier <peerid_integer>
  set dampening {enable | disable}
  set dampening-max-suppress-time <minutes_integer>
  set dampening-reachability-half-life <minutes_integer>
  set dampening-reuse <reuse_integer>
  set dampening-route-map <routemap-name_str>
  set dampening-suppress <limit_integer>
  set dampening-unreachability-half-life <minutes_integer>
  set default-local-preference <preference_integer>
  set deterministic-med {enable | disable}
  set distance-external <distance_integer>
  set distance-internal <distance_integer>
  set distance-local <distance_integer>
  set enforce-first-as {disable | enable}
  set fast-external-failover {disable | enable}
  set graceful-restart {disable | enable}
  set graceful-restart-time <restart_time>
  set graceful-stalepath-time <stalepath_time>
  set graceful-update-delay <delay_time>
  set holdtime-timer <seconds_integer>
  set ignore_optional_capability {disable | enable}
  set keepalive-timer <seconds_integer>
  set log-neighbor-changes {disable | enable}
  set network-import-check {disable | enable}
  set router-id <address_ipv4>
  set scan-time <seconds_integer>
  set synchronization {enable | disable}
  config admin-distance
    edit <route_entry_id>
      set distance <integer>
      set neighbor-prefix <ip_and_netmask>
      set route-list <string>
  end
  config aggregate-address, config aggregate-address6
    edit <aggr_addr_id>
      set as-set {enable | disable}
      set prefix <address_ipv4mask>
      set summary-only {enable | disable}
  end
  config aggregate-address, config aggregate-address6
    edit <aggr_addr_id>
      set as-set {enable | disable}
      set prefix6 <address_ipv6mask>
      set summary-only {enable | disable}
  end
  config neighbor
    edit <neighbor_address_ipv4>
      set activate {enable | disable}
      set activate6 {enable | disable}
      set advertisement-interval <seconds_integer>
      set allowas-in <max_num_AS_integer>
      set allowas-in6 <max_num_AS_integer>
      set allowas-in-enable {enable | disable}
      set allowas-in-enable6 {enable | disable}
      set as-override {enable | disable}
      set as-override6 {enable | disable}
      set attribute-unchanged [as-path] [med] [next-hop]
      set attribute-unchanged6 [as-path] [med] [next-hop]
      set bfd {enable | disable}
      set capability-default-originate {enable | disable}
      set capability-default-originate6 {enable | disable}
      set capability-dynamic {enable | disable}
      set capability-graceful-restart {enable | disable}
      set capability-graceful-restart6 {enable | disable}
      set capability-orf {both | none | receive | send}
      set capability-orf6 {both | none | receive | send}
      set capability-route-refresh {enable | disable}
      set connect-timer <seconds_integer>
      set default-originate-routemap <routemap_str>
      set default-originate-routemap6 <routemap_str>
      set description <text_str>
      set distribute-list-in <access-list-name_str>
      set distribute-list-in6 <access-list-name_str>
      set distribute-list-out <access-list-name_str>
      set distribute-list-out6 <access-list-name_str>
      set dont-capability-negotiate {enable | disable}
      set ebgp-enforce-multihop {enable | disable}
      set ebgp-multihop-ttl <seconds_integer>
      set filter-list-in <aspath-list-name_str>
      set filter-list-in6 <aspath-list-name_str>
      set filter-list-out <aspath-list-name_str>
      set filter-list-out6 <aspath-list-name_str>
      set holdtime-timer <seconds_integer>
      set interface <interface-name_str>
      set keep-alive-timer <seconds_integer>
      set maximum-prefix <prefix_integer>
      set maximum-prefix6 <prefix_integer>
      set maximum-prefix-threshold <percentage_integer>
      set maximum-prefix-threshold6 <percentage_integer>
      set maximum-prefix-warning-only {enable | disable}
      set maximum-prefix-warning-only6 {enable | disable}
      set next-hop-self {enable | disable}
      set next-hop-self6 {enable | disable}
      set override-capability {enable | disable}
      set passive {enable | disable}
      set password <string>
      set prefix-list-in <prefix-list-name_str>
      set prefix-list-in6 <prefix-list-name_str>
      set prefix-list-out <prefix-list-name_str>
      set prefix-list-out6 <prefix-list-name_str>
      set remote-as <id_integer>
      set remove-private-as {enable | disable}
      set remove-private-as6 {enable | disable}
      set retain-stale-time <seconds_integer>
      set route-map-in <routemap-name_str>
      set route-map-in6 <routemap-name_str>
      set route-map-out <routemap-name_str>
      set route-map-out6 <routemap-name_str>
      set route-reflector-client {enable | disable}
      set route-reflector-client6 {enable | disable}
      set route-server-client {enable | disable}
      set route-server-client6 {enable | disable}
      set send-community {both | disable | extended | standard}
      set send-community6 {both | disable | extended | standard}
      set shutdown {enable | disable}
      set soft-reconfiguration {enable | disable}
      set strict-capability-match {enable | disable}
      set unsuppress-map <route-map-name_str>
      set update-source <interface-name_str>
      set weight <weight_integer>
  end
  config network, config network6
    edit <network_id>
      set backdoor {enable | disable}
      set prefix <address_ipv4mask>
      set route-map <routemap-name_str>
  end
  config network, config network6
    edit <network_id>
      set backdoor {enable | disable}
      set prefix6 <address_ipv6mask>
      set route-map <routemap-name_str>
  end
  config redistribute, config redistribute6 {connected | static | rip | ospf}
    set status {enable | disable}
    set route-map <route-map-name_str>
  end
  config redistribute, config redistribute6 {connected | static | rip | ospf}
    set status {enable | disable}
    set route-map <route-map-name_str>
  end
end
config router bgp
Use this command to enable a Border Gateway Protocol version 4 (BGP-4) process on the FortiGate unit, define the
interfaces making up the local BGP network (see “config network, config network6” on page 304), and set operating
parameters for communicating with BGP neighbors (see “config neighbor” on page 297).
When multiple routes to the FortiGate unit exist, BGP attributes determine the best route and the FortiGate unit
communicates this information to its BGP peers. The best route is added to the IP routing table of the BGP peer,
which in turn propagates this updated routing information to upstream routers.
FortiGate units maintain separate entries in their routing tables for BGP routes. See “Using route maps with BGP” on
page 370. To reduce the size of the BGP routing table and conserve network resources, you can optionally aggregate
routes to the FortiGate unit. An aggregate route enables the FortiGate unit to advertise one block of contiguous IP
addresses as a single, less-specific address. You can implement aggregate routing either by redistributing an
aggregate route (see “config redistribute, config redistribute6” on page 305) or by using the conditional aggregate
routing feature (see “config aggregate-address, config aggregate-address6” on page 296).
In the following table, the as and router-id fields are required. All other fields are optional.
always-compare-med {enable | disable}
  Enable or disable the comparison of MULTI_EXIT_DISC (Multi
  Exit Discriminator or MED) attributes for identical destinations
  advertised by BGP peers in different autonomous systems.
  Default: disable

as <local_as_id>
  Enter an integer to specify the local autonomous system (AS)
  number of the FortiGate unit. The range is from 1 to
  4 294 967 295. A value of 0 disables BGP. When the
  local_as_id number is different than the AS number of the
  specified BGP neighbor (see “remote-as <id_integer>” on
  page 302), an External BGP (EBGP) session is started.
  Otherwise, an Internal BGP (IBGP) session is started.
  Default: 0

bestpath-as-path-ignore {enable | disable}
  Enable or disable the inclusion of an AS path in the selection
  algorithm for choosing a BGP route.
  Default: disable

bestpath-cmp-confed-aspath {enable | disable}
  Enable or disable the comparison of the
  AS_CONFED_SEQUENCE attribute, which defines an ordered
  list of AS numbers representing a path from the FortiGate unit
  through autonomous systems within the local confederation.
  Default: disable

bestpath-cmp-routerid {enable | disable}
  Enable or disable the comparison of the router-ID values for
  identical EBGP paths.
  Default: disable

bestpath-med-confed {enable | disable}
  Enable or disable the comparison of MED attributes for routes
  advertised by confederation EBGP peers.
  Default: disable

bestpath-med-missing-as-worst {enable | disable}
  This field is available when bestpath-med-confed is set to
  enable.
  When bestpath-med-confed is enabled, treat any
  confederation path with a missing MED metric as the least
  preferred path.
  Default: disable

client-to-client-reflection {enable | disable}
  Enable or disable client-to-client route reflection between IBGP
  peers. If the clients are fully meshed, route reflection may be
  disabled.
  Default: enable

cluster-id <address_ipv4>
  Set the identifier of the route-reflector in the cluster ID to which
  the FortiGate unit belongs. If 0 is specified, the FortiGate unit
  operates as the route reflector and its router-id value is used
  as the cluster-id value. If the FortiGate unit identifies its own
  cluster ID in the CLUSTER_LIST attribute of a received route,
  the route is ignored to prevent looping.
  Default: 0.0.0.0

confederation-identifier <peerid_integer>
  Set the identifier of the confederation to which the FortiGate unit
  belongs. The range is from 1 to 65 535.
  Default: 0

dampening {enable | disable}
  Enable or disable route-flap dampening on all BGP routes. See
  RFC 2439. (A flapping route is unstable and continually
  transitions down and up.) If you set dampening, you may
  optionally set dampening-route-map or define the associated
  values individually using the dampening-* fields.
  Default: disable

dampening-max-suppress-time <minutes_integer>
  This field is available when dampening is set to enable.
  Set the maximum time (in minutes) that a route can be
  suppressed. The range is from 1 to 255. A route may continue to
  accumulate penalties while it is suppressed. However, the route
  cannot be suppressed longer than minutes_integer.
  Default: 60

dampening-reachability-half-life <minutes_integer>
  This field is available when dampening is set to enable.
  Set the time (in minutes) after which any penalty assigned to a
  reachable (but flapping) route is decreased by half. The range is
  from 1 to 45.
  Default: 15

dampening-reuse <reuse_integer>
  This field is available when dampening is set to enable.
  Set a dampening-reuse limit based on accumulated penalties.
  The range is from 1 to 20 000. If the penalty assigned to a
  flapping route decreases enough to fall below the specified
  reuse_integer, the route is not suppressed.
  Default: 750

dampening-route-map <routemap-name_str>
  This field is available when dampening is set to enable.
  Specify the route-map that contains criteria for dampening. You
  must create the route-map before it can be selected here. See
  “route-map” on page 368 and “Using route maps with BGP” on
  page 370.
  Default: Null.

dampening-suppress <limit_integer>
  This field is available when dampening is set to enable.
  Set a dampening-suppression limit. The range is from 1 to
  20 000. A route is suppressed (not advertised) when its penalty
  exceeds the specified limit.
  Default: 2 000

dampening-unreachability-half-life <minutes_integer>
  This field is available when dampening is set to enable.
  Set the time (in minutes) after which the penalty on a route that
  is considered unreachable is decreased by half. The range is
  from 1 to 45.
  Default: 15

default-local-preference <preference_integer>
  Set the default local preference value. A higher value signifies a
  preferred route. The range is from 0 to 4 294 967 295.
  Default: 100

deterministic-med {enable | disable}
  Enable or disable deterministic comparison of the MED
  attributes of routes advertised by peers in the same AS.
  Default: disable

distance-external <distance_integer>
  Set the administrative distance of EBGP routes. The range is
  from 1 to 255. If you set this value, you must also set values for
  distance-internal and distance-local.
  Default: 20

distance-internal <distance_integer>
  This field is available when distance-external is set.
  Set the administrative distance of IBGP routes. The range is
  from 1 to 255.
  Default: 200

distance-local <distance_integer>
  This field is available when distance-external is set.
  Set the administrative distance of local BGP routes. The range is
  from 1 to 255.
  Default: 200

enforce-first-as {disable | enable}
  Enable or disable the addition of routes learned from an EBGP
  peer when the AS number at the beginning of the route’s
  AS_PATH attribute does not match the AS number of the EBGP
  peer.
  Default: disable

fast-external-failover {disable | enable}
  Immediately reset the session information associated with BGP
  external peers if the link used to reach them goes down.
  Default: enable

graceful-restart {disable | enable}
  Enable or disable BGP support for the graceful restart feature.
  Graceful restart limits the effects of software problems by
  allowing forwarding to continue when the control plane of the
  router fails. It also reduces routing flaps by stabilizing the
  network.
  Default: disable

graceful-restart-time <restart_time>
  Set the time in seconds needed for neighbors to restart after a
  graceful restart. The range is 1 to 3600 seconds. Available when
  graceful-restart is enabled.
  Default: 120

graceful-stalepath-time <stalepath_time>
  Set the time in seconds to hold stale paths of restarting
  neighbors. The range is 1 to 3600 seconds. Available when
  graceful-restart is enabled.
  Default: 360

graceful-update-delay <delay_time>
  Route advertisement and selection delay in seconds after a
  graceful restart. The range is 1 to 3600 seconds. Available when
  graceful-restart is enabled.
  Default: 120

holdtime-timer <seconds_integer>
  The maximum amount of time in seconds that may expire
  before the FortiGate unit declares any BGP peer down. A
  keepalive message must be received every seconds_integer
  seconds, or the peer is declared down. The value can be 0 or an
  integer in the 3 to 65 535 range.
  Default: 180

ignore_optional_capability {disable | enable}
  Don’t send unknown optional capability notification message.
  Default: disable

keepalive-timer <seconds_integer>
  The frequency (in seconds) that a keepalive message is sent
  from the FortiGate unit to any BGP peer. The range is from 0 to
  65 535. BGP peers exchange keepalive messages to maintain
  the connection for the duration of the session.
  Default: 60

log-neighbor-changes {disable | enable}
  Enable or disable the logging of changes to BGP neighbor
  status.
  Default: disable

network-import-check {disable | enable}
  Enable or disable the advertising of the BGP network in IGP (see
  “config network, config network6” on page 304).
  Default: enable

router-id <address_ipv4>
  Specify a fixed identifier for the FortiGate unit. A value of
  0.0.0.0 is not allowed.
  If router-id is not explicitly set, the highest IP address of the
  VDOM will be used as the default router-id.
  Default: 0.0.0.0

scan-time <seconds_integer>
  Configure the background scanner interval (in seconds) for
  next-hop route scanning. The range is from 5 to 60.
  Default: 60

synchronization {enable | disable}
  Only advertise routes from iBGP if routes are present in an
  interior gateway protocol (IGP) such as RIP or OSPF.
  Default: disable
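An added worked example (Python, not part of the reference) of how the dampening-* fields in the table above interact: each flap adds a penalty that decays with the configured half-life, a route is suppressed once the penalty exceeds dampening-suppress, and it is advertised again when the penalty drops below dampening-reuse or dampening-max-suppress-time elapses. The per-flap penalty of 1000 is an assumption (RFC 2439 leaves it to the implementation); the parameter defaults are the ones in the table, and the flap times are constructed.

```python
# Added example (not from the FortiOS reference): a simulation of the
# route-flap dampening thresholds set by the dampening-* fields
# (half-life, reuse limit, suppress limit, maximum suppress time).
# Assumption: each flap adds a fixed penalty of 1000, a common implementation
# choice; RFC 2439 leaves the per-flap penalty to the implementation.
import math

FLAP_PENALTY = 1000   # assumed penalty per flap (not a documented FortiOS value)


class Dampening:
    """Penalty bookkeeping for one route under the documented parameters."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        self.half_life = half_life        # dampening-reachability-half-life (min)
        self.reuse = reuse                # dampening-reuse
        self.suppress = suppress          # dampening-suppress
        self.max_suppress = max_suppress  # dampening-max-suppress-time (min)
        # Ceiling that keeps a route from being suppressed longer than
        # max_suppress: the penalty that decays to `reuse` in exactly that time.
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0            # minutes
        self.suppressed_at = None         # minutes, or None while advertised

    def decay(self, now):
        """Exponential decay: the penalty halves every half_life minutes."""
        self.penalty *= 0.5 ** ((now - self.last_update) / self.half_life)
        self.last_update = now
        return self.penalty

    def is_suppressed(self, now):
        """Suppression ends once the penalty falls below reuse or max_suppress elapses."""
        self.decay(now)
        if self.suppressed_at is None:
            return False
        if self.penalty < self.reuse or now - self.suppressed_at >= self.max_suppress:
            self.suppressed_at = None
            return False
        return True

    def flap(self, now):
        """Record a flap at `now` (minutes); return True if the route is suppressed."""
        self.is_suppressed(now)                     # apply decay and any release first
        self.penalty = min(self.penalty + FLAP_PENALTY, self.max_penalty)
        if self.suppressed_at is None and self.penalty > self.suppress:
            self.suppressed_at = now
        return self.suppressed_at is not None

    def minutes_until_reuse(self):
        """Time for the current penalty to decay below the reuse limit."""
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def simulate(flap_times, **params):
    """Feed constructed flap times (minutes) through one Dampening instance."""
    d = Dampening(**params)
    first = None
    for t in flap_times:
        if d.flap(t) and first is None:
            first = t
    return {"penalty": round(d.penalty, 1),
            "suppressed": d.suppressed_at is not None,
            "first_suppressed_at": first,
            "reuse_after_minutes": round(d.minutes_until_reuse(), 1)}


if __name__ == "__main__":
    # Three flaps in quick succession with the documented defaults: the
    # penalty of 3000 exceeds the suppress limit of 2000 and needs two
    # half-lives (30 minutes) to decay below the reuse limit of 750.
    print(simulate([0, 0, 0]))
    # Twenty flaps hit the ceiling (12000), so reuse takes at most 60 minutes.
    print(simulate([0] * 20)["reuse_after_minutes"])
```

The penalty ceiling is what makes dampening-max-suppress-time effective: without it a route that keeps flapping while suppressed could accumulate a penalty that takes far longer than the configured maximum to decay.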
Example
The following example defines the number of the AS of which the FortiGate unit is a member. It also defines an EBGP
neighbor at IP address 10.0.1.2.
config router bgp
  set as 65001
  set router-id 172.16.120.20
  config neighbor
    edit 10.0.1.2
      set remote-as 65100
  end
end
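As an added example (Python, not FortiOS code), the two inbound AS_PATH checks that the reference exposes per neighbor: enforce-first-as from the table above, and the allowas-in and allowas-in-enable fields described under config neighbor. The updates are constructed, the AS numbers are the ones from the configuration example, and the rule that the local AS may appear once unless allowas-in raises the limit follows the reference text's wording.

```python
# Added example (not from the FortiOS reference): inbound AS_PATH checks
# modelled on enforce-first-as and on the allowas-in / allowas-in-enable
# fields of config neighbor. All inputs are constructed.
from typing import List, Tuple


def first_as_ok(as_path: List[int], peer_as: int) -> bool:
    """enforce-first-as: an update from an EBGP peer must start with that peer's AS."""
    return bool(as_path) and as_path[0] == peer_as


def validate_inbound(as_path: List[int], peer_as: int, local_as: int,
                     enforce_first_as: bool = True,
                     allowas_in_enable: bool = False,
                     allowas_in: int = 1) -> Tuple[bool, str]:
    """Return (accepted, reason) for one received update's AS_PATH."""
    if enforce_first_as and not first_as_ok(as_path, peer_as):
        first = as_path[0] if as_path else None
        return False, f"first AS {first} does not match peer AS {peer_as}"
    # Per the reference text, the local AS may appear once unless allowas-in
    # raises the limit (RFC 4271 loop detection normally rejects any occurrence).
    limit = allowas_in if allowas_in_enable else 1
    seen = as_path.count(local_as)
    if seen > limit:
        return False, f"local AS {local_as} appears {seen} times (limit {limit})"
    return True, "accepted"


def accepted_prefixes(updates, peer_as, local_as, **opts) -> List[str]:
    """Filter constructed (prefix, as_path) updates; return the accepted prefixes."""
    return [prefix for prefix, path in updates
            if validate_inbound(path, peer_as, local_as, **opts)[0]]


if __name__ == "__main__":
    # Constructed updates from EBGP peer AS 65100, local AS 65001 (the AS
    # numbers used in the configuration example above).
    updates = [
        ("198.51.100.0/24", [65100, 730]),          # well-formed
        ("203.0.113.0/24", [730, 65100]),           # peer AS not first: rejected
        ("192.0.2.0/24", [65100, 65001, 65001]),    # own AS twice: rejected
    ]
    for prefix, path in updates:
        print(prefix, validate_inbound(path, 65100, 65001))
    print(accepted_prefixes(updates, 65100, 65001,
                            allowas_in_enable=True, allowas_in=2))
```

With enforce-first-as disabled (the documented default) the second update would be accepted, which is why enabling it on EBGP sessions is a cheap sanity check against a peer relaying paths it did not originate.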
config admin-distance
Use this subcommand to set administrative distance modifications for bgp routes.
edit <route_entry_id>
  Enter an ID number for the entry. The number must be an integer.
  Default: none

distance <integer>
  The administrative distance to apply to the route. This value can
  be from 1 to 255.
  Default: none

neighbor-prefix <ip_and_netmask>
  Neighbor address prefix. This variable must be a valid IP address
  and netmask.
  Default: none

route-list <string>
  The list of routes this distance will be applied to.
  The routes in this list can only come from the access-list which
  can be viewed at config router access-list.
  Default: none
Example
This example shows how to manually adjust the administrative distance associated with a route. It sets a distance of
25 for neighbor routes with an IP address of 192.168.0.0 and a netmask of 255.255.0.0 that are also permitted by the
access-list “downtown_office”.
config router bgp
  config admin-distance
    edit 1
      set distance 25
      set neighbor-prefix 192.168.0.0 255.255.0.0
      set route-list downtown_office
    next
  end
end
config aggregate-address, config aggregate-address6
Use this subcommand to set or unset BGP aggregate-address table parameters. The subcommand creates a BGP
aggregate entry in the FortiGate unit routing table. Use config aggregate-address6 for IPv6 routing.
When you aggregate routes, routing becomes less precise because path details are not readily available for routing
purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the
length of the network mask until it masks only the bits that are common to all of the addresses being summarized.
The prefix field is required. All other fields are optional.
edit <aggr_addr_id>
  Enter an ID number for the entry. The number must be an integer.
  Default: none

as-set {enable | disable}
  Enable or disable the generation of an unordered list of AS
  numbers to include in the path information. When as-set is
  enabled, a set-atomic-aggregate value (see “Using route
  maps with BGP” on page 370) does not have to be specified.
  Default: disable

prefix <address_ipv4mask>
  Set an aggregate prefix. Include the IP address and netmask.
  Default: 0.0.0.0 0.0.0.0

prefix6 <address_ipv6mask>
  Set an aggregate IPv6 prefix. Include the IP address and
  netmask.
  Default: ::/0

summary-only {enable | disable}
  Enable or disable the advertising of aggregate routes only (the
  advertising of specific routes is suppressed).
  Default: disable
Example
This example shows how to define an aggregate prefix of 192.168.0.0/16. The as-set command enables the
generation of an unordered list of AS numbers to include in the path information.
config router bgp
  config aggregate-address
    edit 1
      set prefix 192.168.0.0/16
      set as-set enable
  end
end
config neighbor
Use this subcommand to set or unset BGP neighbor configuration settings. The subcommand adds a BGP neighbor
configuration to the FortiGate unit.
You can add up to 1000 BGP neighbors, and optionally use MD5 authentication to password protect BGP sessions
with those neighbors (see RFC 2385).
You can clear all or some BGP neighbor connections (sessions) using the execute router clear bgp command
(see “router clear bgp” on page 786).
The remote-as field is required. All other fields are optional.
edit <neighbor_address_ipv4>
  Enter the IP address of the BGP neighbor.
  You can have up to 1000 configured neighbors.
  Default: none

activate {enable | disable}
  Enable or disable the address family for the BGP neighbor.
  Default: enable

activate6 {enable | disable}
  Enable or disable the address family for the BGP neighbor
  (IPv6).
  Default: enable

advertisement-interval <seconds_integer>
  Set the minimum amount of time (in seconds) that the
  FortiGate unit waits before sending a BGP routing update
  to the BGP neighbor. The range is from 0 to 600.
  Default: 30
allowas-in <max_num_AS_integer>
  This field is available when allowas-in-enable is set to
  enable.
  Set the maximum number of times your AS number may
  appear in an AS_PATH.
  When allowas-in-enable is disabled, your AS number
  is only allowed to appear once in an AS_PATH.
  Default: unset

allowas-in6 <max_num_AS_integer>
  This field is available when allowas-in-enable6 is set
  to enable.
  Set the maximum number of times your AS number may
  appear in an AS_PATH.
  When allowas-in-enable6 is disabled, your AS
  number is only allowed to appear once in an AS_PATH.
  Default: unset

allowas-in-enable {enable | disable}
  Enable or disable the readvertising of all prefixes
  containing duplicate AS numbers. Set the amount of time
  that must expire before readvertising through the
  allowas-in field.
  Default: disable

allowas-in-enable6 {enable | disable}
  Enable or disable the readvertising of all prefixes
  containing duplicate AS numbers. Set the amount of time
  that must expire before readvertising through the
  allowas-in6 field.
  Default: disable

as-override {enable | disable}
  Enable or disable BGP AS override (for IPv4 traffic).
  Default: disable

as-override6 {enable | disable}
  Enable or disable BGP AS override (for IPv6 traffic).
  Default: disable

attribute-unchanged [as-path] [med] [next-hop]
  Propagate unchanged BGP attributes to the BGP
  neighbor.
  • To advertise unchanged AS_PATH attributes, select
  as-path.
  • To advertise unchanged MULTI_EXIT_DISC attributes,
  select med.
  • To advertise the IP address of the next-hop router
  interface (even when the address has not changed),
  select next-hop.
  • An empty set is a supported value.
  Default: Empty set.

attribute-unchanged6 [as-path] [med] [next-hop]
  Propagate unchanged BGP attributes to the BGP
  neighbor.
  • To advertise unchanged AS_PATH attributes, select
  as-path.
  • To advertise unchanged MULTI_EXIT_DISC attributes,
  select med.
  • To advertise the IP address of the next-hop router
  interface (even when the address has not changed),
  select next-hop.
  • An empty set is a supported value.
  Default: Empty set.

bfd {enable | disable}
  Enable to turn on Bi-Directional Forwarding Detection
  (BFD) for this neighbor. This indicates that this neighbor is
  using BFD.
  Default: disable

capability-default-originate {enable | disable}
  Enable or disable the advertising of the default route to
  BGP neighbors.
  Default: disable
capability-default-originate6 {enable | disable}
  Enable or disable the advertising of the default route to
  IPv6 BGP neighbors.
  Default: disable

capability-dynamic {enable | disable}
  Enable or disable the advertising of dynamic capability to
  BGP neighbors.
  Default: disable

capability-graceful-restart {enable | disable}
  Enable or disable the advertising of graceful-restart
  capability to BGP neighbors.
  Default: disable

capability-graceful-restart6 {enable | disable}
  Enable or disable the advertising of graceful-restart
  capability to IPv6 BGP neighbors.
  Default: disable

capability-orf {both | none | receive | send}
  Enable advertising of Outbound Routing Filter (ORF)
  prefix-list capability to the BGP neighbor. Choose one of:
  • both — enable send and receive capability.
  • receive — enable receive capability.
  • send — enable send capability.
  • none — disable the advertising of ORF prefix-list
  capability.
  Default: disable

capability-orf6 {both | none | receive | send}
  Enable advertising of IPv6 ORF prefix-list capability to the
  BGP neighbor. Choose one of:
  • both — enable send and receive capability.
  • receive — enable receive capability.
  • send — enable send capability.
  • none — disable the advertising of IPv6 ORF prefix-list
  capability.
  Default: disable

capability-route-refresh {enable | disable}
  Enable or disable the advertising of route-refresh
  capability to the BGP neighbor.
  Default: enable

connect-timer <seconds_integer>
  Set the maximum amount of time (in seconds) that the
  FortiGate unit waits to make a connection with a BGP
  neighbor before the neighbor is declared unreachable. The
  range is from 0 to 65 535.
  Default: -1 (not set)

default-originate-routemap <routemap_str>
  Advertise a default route out from the FortiGate unit to this
  neighbor using a route_map named <routemap_str>.
  The route_map name can be up to 35 characters long and
  is defined using the config router route_map command.
  For more information, see “router route-map” on
  page 368.
  Default: Null.

default-originate-routemap6 <routemap_str>
  Advertise a default route out from the FortiGate unit to this
  neighbor using a route_map named <routemap_str>. The
  route_map name can be up to 35 characters long and is
  defined using the config router route_map command.
  Default: Null.

description <text_str>
  Enter a one-word (no spaces) description to associate with
  the BGP neighbor configuration settings.
  Default: Null.

distribute-list-in <access-list-name_str>
  Limit route updates from the BGP neighbor based on the
  Network Layer Reachability Information (NLRI) defined in
  the specified access list. You must create the access list
  before it can be selected here. See “access-list, access-list6” on page 286.
  Default: Null.
distribute-list-in6
<access-list-name_str>
Limit route updates from the IPv6 BGP neighbor based on
the Network Layer Reachability Information (NLRI) defined
in the specified access list. You must create the access list
before it can be selected here. See “access-list, accesslist6” on page 286.
Null
distribute-list-out
<access-list-name_str>
Limit route updates to the BGP neighbor based on the
NLRI defined in the specified access list. You must create
the access list before it can be selected here. See
“access-list, access-list6” on page 286.
Null.
distribute-list-out6
<access-list-name_str>
Limit route updates to the IPv6 BGP neighbor based on
the NLRI defined in the specified access list. You must
create the access list before it can be selected here. See
“access-list, access-list6” on page 286.
Null
dont-capability-negotiate
{enable | disable}
Enable or disable capability negotiations with the BGP
neighbor.
disable
ebgp-enforce-multihop
{enable | disable}
Enable or disable the enforcement of Exterior BGP (EBGP)
multihops.
disable
ebgp-multihop-ttl
<seconds_integer>
This field is available when ebgp-enforce-multihop is
set to enable.
Define a TTL value (in hop counts) for BGP packets sent to
the BGP neighbor. The range is from 1 to 255.
255
filter-list-in
<aspath-list-name_str>
Limit inbound BGP routes according to the specified ASpath list. You must create the AS-path list before it can be
selected here. See “aspath-list” on page 288.
Null.
filter-list-in6
<aspath-list-name_str>
Limit inbound IPv6 BGP routes according to the specified
AS-path list. You must create the AS-path list before it can
be selected here. See config router aspath-list.
Null
filter-list-out
<aspath-list-name_str>
Limit outbound BGP routes according to the specified
AS-path list. You must create the AS-path list before it can be
selected here. See “router aspath-list” on page 288.
Null.
filter-list-out6
<aspath-list-name_str>
Limit outbound IPv6 BGP routes according to the
specified AS-path list. You must create the AS-path list
before it can be selected here. See config router
aspath-list.
Null
holdtime-timer
<seconds_integer>
The amount of time (in seconds) that must expire before
the FortiGate unit declares the BGP neighbor down. This
value overrides the global holdtime-timer value (see
“holdtime-timer <seconds_integer>” on
page 295). A keepalive message must be received every
seconds_integer from the BGP neighbor or it is
declared down. The value can be 0 or an integer in the 3 to
65 535 range.
This field is available when graceful-restart is set to
enabled.
-1 (not set)
interface <interface-name_str>
Specify a descriptive name for the BGP neighbor
interface.
Null.
keep-alive-timer
<seconds_integer>
The frequency (in seconds) that a keepalive message is
sent from the FortiGate unit to the BGP neighbor. This
value overrides the global keep-alive-timer value (see
“keepalive-timer <seconds_integer>” on
page 295). The range is from 0 to 65 535.
-1 (not set)
maximum-prefix
<prefix_integer>
Set the maximum number of NLRI prefixes to accept from
the BGP neighbor. When the maximum is reached, the
FortiGate unit disconnects the BGP neighbor. The range is
from 1 to 4 294 967 295.
Changing this value on the FortiGate unit does not
disconnect the BGP neighbor. However, if the neighbor
goes down because it reaches the maximum number of
prefixes and you increase the maximum-prefix value
afterward, the neighbor will be reset.
unset
maximum-prefix6
<prefix_integer>
Set the maximum number of NLRI prefixes to accept from
the IPv6 BGP neighbor. When the maximum is reached,
the FortiGate unit disconnects the BGP neighbor. The
range is from 1 to 4 294 967 295.
Changing this value on the FortiGate unit does not
disconnect the BGP neighbor. However, if the neighbor
goes down because it reaches the maximum number of
prefixes and you increase the maximum-prefix value
afterward, the neighbor will be reset.
unset
maximum-prefix-threshold
<percentage_integer>
This field is available when maximum-prefix is set.
Specify the threshold (as a percentage) that must be
exceeded before a warning message about the maximum
number of NLRI prefixes is displayed. The range is from 1
to 100.
75
maximum-prefix-threshold6
<percentage_integer>
This field is available when maximum-prefix6 is set.
Specify the threshold (as a percentage) that must be
exceeded before a warning message about the maximum
number of NLRI prefixes is displayed. The range is from 1
to 100.
75
maximum-prefix-warning-only
{enable | disable}
This field is available when maximum-prefix is set.
Enable or disable the display of a warning when the
maximum-prefix-threshold has been reached.
disable
maximum-prefix-warning-only6
{enable | disable}
This field is available when maximum-prefix6 is set.
Enable or disable the display of a warning when the
maximum-prefix-threshold6 has been reached.
disable
next-hop-self
{enable | disable}
Enable or disable advertising of the FortiGate unit’s IP
address (instead of the neighbor’s IP address) in the
NEXT_HOP information that is sent to IBGP peers.
disable
next-hop-self6
{enable | disable}
Enable or disable advertising of the FortiGate unit’s IP
address (instead of the neighbor’s IP address) in the
NEXT_HOP information that is sent to IBGP peers.
disable
override-capability
{enable | disable}
Enable or disable IPv6 addressing for a BGP neighbor that
does not support capability negotiation.
disable
passive {enable | disable}
Enable or disable the sending of Open messages to BGP
neighbors.
disable
password <string>
Enter password used in MD5 authentication to protect
BGP sessions. (RFC 2385)
Null.
prefix-list-in
<prefix-list-name_str>
Limit route updates from a BGP neighbor based on the
Network Layer Reachability Information (NLRI) in the
specified prefix list. The prefix list defines the NLRI prefix
and length advertised in a route. You must create the
prefix list before it can be selected here. See “router
prefix-list, prefix-list6” on page 352.
Null.
prefix-list-in6
<prefix-list-name_str>
Limit route updates from an IPv6 BGP neighbor based on
the Network Layer Reachability Information (NLRI) in the
specified prefix list. The prefix list defines the NLRI prefix
and length advertised in a route. You must create the
prefix list before it can be selected here. See “router
prefix-list, prefix-list6” on page 352.
Null
prefix-list-out
<prefix-list-name_str>
Limit route updates to a BGP neighbor based on the NLRI
in the specified prefix list. The prefix list defines the NLRI
prefix and length advertised in a route. You must create
the prefix list before it can be selected here. See “router
prefix-list, prefix-list6” on page 352.
Null.
prefix-list-out6
<prefix-list-name_str>
Limit route updates to an IPv6 BGP neighbor based on the
NLRI in the specified prefix list. The prefix list defines the
NLRI prefix and length advertised in a route. You must
create the prefix list before it can be selected here. See
“router prefix-list, prefix-list6” on page 352.
Null
remote-as <id_integer>
Adds a BGP neighbor to the FortiGate unit configuration
and sets the AS number of the neighbor. The range is from
1 to 65 535. If the number is identical to the FortiGate unit
AS number, the FortiGate unit communicates with the
neighbor using internal BGP (IBGP). Otherwise, the
neighbor is an external peer and the FortiGate unit uses
EBGP to communicate with the neighbor.
unset
remove-private-as
{enable | disable}
Remove the private AS numbers from outbound updates
to the BGP neighbor.
disable
remove-private-as6
{enable | disable}
Remove the private AS numbers from outbound updates
to the IPv6 BGP neighbor.
disable
restart_time <seconds_integer>
Sets the time until a restart happens. The time until the
restart can be from 0 to 3600 seconds.
0
retain-stale-time
<seconds_integer>
This field is available when capability-graceful-restart is set to enable.
Specify the time (in seconds) that stale routes to the BGP
neighbor will be retained. The range is from 1 to 65 535. A
value of 0 disables this feature.
0
route-map-in
<routemap-name_str>
Limit route updates or change the attributes of route
updates from the BGP neighbor according to the specified
route map. You must create the route-map before it can be
selected here. See “route-map” on page 368 and “Using
route maps with BGP” on page 370.
Null.
route-map-in6
<routemap-name_str>
Limit route updates or change the attributes of route
updates from the IPv6 BGP neighbor according to the
specified route map. You must create the route-map
before it can be selected here.
Null
route-map-out
<routemap-name_str>
Limit route updates or change the attributes of route
updates to the BGP neighbor according to the specified
route map. You must create the route-map before it can be
selected here. See “route-map” on page 368 and “Using
route maps with BGP” on page 370.
Null.
route-map-out6
<routemap-name_str>
Limit route updates or change the attributes of route
updates to the IPv6 BGP neighbor according to the
specified route map. You must create the route-map
before it can be selected here.
Null
route-reflector-client
{enable | disable}
This field is available when remote-as is identical to the
FortiGate unit AS number (see “as <local_as_id>” on
page 293).
Enable or disable the operation of the FortiGate unit as a
route reflector and identify the BGP neighbor as a route-reflector client.
Inbound routes for route reflectors can change the next-hop, local-preference, med, and as-path
attributes of IBGP routes for local route selection, while
these attribute changes are not applied to outbound IBGP
routes.
disable
route-reflector-client6
{enable | disable}
This field is available when remote-as is identical to the
FortiGate unit AS number.
Enable or disable the operation of the FortiGate unit as a
route reflector and identify the BGP neighbor as a route-reflector client.
Inbound routes for route reflectors can change the next-hop, local-preference, med, and as-path
attributes of IBGP routes for local route selection, while
these attribute changes are not applied to outbound IBGP
routes.
disable
route-server-client
{enable | disable}
Enable or disable the recognition of the BGP neighbor as
route-server client.
disable
route-server-client6
{enable | disable}
Enable or disable the recognition of the IPv6 BGP
neighbor as route-server client.
disable
send-community {both | disable
| extended | standard}
Enable sending the COMMUNITY attribute to the BGP
neighbor. Choose one of:
standard — advertise standard capabilities.
extended — advertise extended capabilities.
both — advertise extended and standard capabilities.
disable — disable the advertising of the COMMUNITY
attribute.
both
send-community6 {both |
disable | extended | standard}
Enable sending the COMMUNITY attribute to the IPv6
BGP neighbor. Choose one of:
standard — advertise standard capabilities
extended — advertise extended capabilities
both — advertise extended and standard capabilities
disable — disable the advertising of the COMMUNITY
attribute.
both
shutdown {enable | disable}
Administratively enable or disable the BGP neighbor.
disable
soft-reconfiguration
{enable | disable}
Enable or disable the FortiGate unit to store unmodified
updates from the BGP neighbor to support inbound soft-reconfiguration.
disable
soft-reconfiguration6
{enable | disable}
Enable or disable the FortiGate unit to store unmodified
updates from the IPv6 BGP neighbor to support inbound
soft-reconfiguration.
disable
strict-capability-match
{enable | disable}
Enable or disable strict-capability negotiation matching
with the BGP neighbor.
disable
unsuppress-map
<route-map-name_str>
Specify the name of the route-map to selectively
unsuppress suppressed routes. You must create the
route-map before it can be selected here. See “route-map” on
page 368 and “Using route maps with BGP” on page 370.
Null.
unsuppress-map6
<route-map-name_str>
Specify the name of the route-map to selectively
unsuppress suppressed IPv6 routes. You must create the
route-map before it can be selected here.
Null
update-source
<interface-name_str>
Specify the name of the local FortiGate unit interface to
use for TCP connections to neighbors. The IP address of
the interface will be used as the source address for
outgoing updates.
Null.
weight <weight_integer>
Apply a weight value to all routes learned from a neighbor.
A higher number signifies a greater preference. The range
is from 0 to 65 535.
unset
Example
This example shows how to set the AS number of a BGP neighbor at IP address 10.10.10.167 and enter a descriptive
name for the configuration.
config router bgp
config neighbor
edit 10.10.10.167
set remote-as 2879
set description BGP_neighbor_Site1
end
end
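The Python script below is an added example and is not part of the Fortinet reference or of FortiOS. It parses a constructed config router bgp neighbor block written in the CLI form shown above and checks each neighbor against the documented limits (remote-as 1 to 65 535, ebgp-multihop-ttl 1 to 255, maximum-prefix-threshold 1 to 100, and so on) and against the points a configuration reviewer looks for: an MD5 password on every session, a maximum-prefix limit and an inbound filter on every EBGP neighbor, and an ebgp-multihop-ttl that only takes effect when ebgp-enforce-multihop is enabled. It also computes the prefix count at which the maximum-prefix-threshold warning fires. The sample configuration, the neighbor addresses and the password placeholder are constructed, and the parser handles only the config/edit/set/next/end nesting used in this reference.

```python
"""Audit FortiOS-style 'config router bgp' neighbor entries.

Added example (not Fortinet code).  The parser below understands only the
config / edit / set / next / end nesting used in this CLI reference.
"""

# Documented value ranges for the neighbor fields checked here.
RANGES = {
    "remote-as": (1, 65535),
    "ebgp-multihop-ttl": (1, 255),
    "maximum-prefix": (1, 4294967295),
    "maximum-prefix-threshold": (1, 100),
    "keep-alive-timer": (0, 65535),
    "weight": (0, 65535),
}

# Any one of these limits what the neighbor may send us.
INBOUND_FILTERS = ("prefix-list-in", "distribute-list-in", "filter-list-in", "route-map-in")

# Constructed sample configuration; addresses and the password are placeholders.
SAMPLE_CONFIG = """\
config router bgp
    set as 65001
    config neighbor
        edit 10.10.10.167
            set remote-as 2879
            set description BGP_neighbor_Site1
            set password PLACEHOLDER-md5-secret
            set maximum-prefix 1000
            set maximum-prefix-threshold 80
            set prefix-list-in pl-site1-in
        next
        edit 10.10.10.200
            set remote-as 65001
            set ebgp-multihop-ttl 300
        next
        edit 192.0.2.9
            set remote-as 64512
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: tables hold entries, entries hold settings."""
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        keyword, rest = words[0], words[1:]
        if keyword in ("config", "edit"):
            stack.append((keyword, stack[-1][1].setdefault(" ".join(rest), {})))
        elif keyword == "set" and rest:
            stack[-1][1][rest[0]] = " ".join(rest[1:])
        elif keyword == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif keyword == "end":
            # 'end' closes the enclosing table, including an 'edit' left open
            while len(stack) > 1:
                if stack.pop()[0] == "config":
                    break
    return root


def warning_prefix_count(cfg):
    """Smallest prefix count that exceeds maximum-prefix-threshold percent of
    maximum-prefix (threshold defaults to 75); None if no limit is configured."""
    if "maximum-prefix" not in cfg:
        return None
    maximum = int(cfg["maximum-prefix"])
    percent = int(cfg.get("maximum-prefix-threshold", "75"))
    return maximum * percent // 100 + 1


def audit_neighbor(peer, cfg, local_as):
    """Return a list of findings (strings) for one neighbor entry."""
    findings = []
    for field, (low, high) in RANGES.items():
        if field not in cfg:
            continue
        if not cfg[field].isdigit() or not low <= int(cfg[field]) <= high:
            findings.append(f"{peer}: {field}={cfg[field]} is outside {low}-{high}")
    remote_as = cfg.get("remote-as")
    if remote_as is None:
        findings.append(f"{peer}: remote-as is required")
    if "password" not in cfg:
        findings.append(f"{peer}: session has no MD5 password (RFC 2385)")
    is_ebgp = remote_as is not None and remote_as != local_as
    if is_ebgp and "maximum-prefix" not in cfg:
        findings.append(f"{peer}: EBGP neighbor has no maximum-prefix limit")
    if is_ebgp and not any(f in cfg for f in INBOUND_FILTERS):
        findings.append(f"{peer}: EBGP neighbor has no inbound route filter")
    if "ebgp-multihop-ttl" in cfg and cfg.get("ebgp-enforce-multihop") != "enable":
        findings.append(f"{peer}: ebgp-multihop-ttl is ignored unless ebgp-enforce-multihop is enable")
    return findings


def audit_bgp(text):
    """Audit every neighbor under 'config router bgp'; returns all findings in config order."""
    bgp = parse_fortios(text).get("router bgp", {})
    local_as = bgp.get("as")
    findings = []
    for peer, cfg in bgp.get("neighbor", {}).items():
        findings.extend(audit_neighbor(peer, cfg, local_as))
    return findings


if __name__ == "__main__":
    for line in audit_bgp(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the first neighbor is clean, the IBGP neighbor 10.10.10.200 is flagged for an out-of-range ebgp-multihop-ttl, a missing password and a multihop TTL with no ebgp-enforce-multihop, and the EBGP neighbor 192.0.2.9 is flagged for a missing password, no maximum-prefix and no inbound filter. Whether a neighbor counts as IBGP or EBGP follows the remote-as rule in the table: equal to the local as value means IBGP.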
config network, config network6
Use this subcommand to set or unset BGP network configuration parameters. The subcommand is used to advertise
a BGP network (that is, an IP prefix) — you specify the IP addresses making up the local BGP network. Use config
network6 for IPv6 routing.
When you enable the network-import-check attribute on the FortiGate unit (see “network-import-check
{disable | enable}” on page 295) and you specify a BGP network prefix through the config network command,
the FortiGate unit searches its routing table for a matching entry. If an exact match is found, the prefix is advertised. A
route-map can optionally be used to modify the attributes of routes before they are advertised.
The prefix field is required. All other fields are optional.
Variable
Description
Default
edit <network_id>
Enter an ID number for the entry. The number must be an integer.
No default.
backdoor
{enable | disable}
Enable or disable the route as a backdoor, which causes an
administrative distance of 200 to be assigned to the route.
Backdoor routes are not advertised to EBGP peers.
disable
prefix <address_ipv4mask>
Enter the IP address and netmask that identifies the BGP network
to advertise.
0.0.0.0 0.0.0.0
prefix6
<address_ipv6mask>
Enter the IP address and netmask that identifies the BGP network
to advertise.
::/0
route-map
<routemap-name_str>
Specify the name of the route-map that will be used to modify the
attributes of the route before it is advertised. You must create the
route-map before it can be selected here. See “route-map” on
page 368 and “Using route maps with BGP” on page 370.
Null.
Example
This example defines a BGP network at IP address 10.0.0.0/8. A route map named BGP_rmap1 is used to modify
the attributes of the local BGP routes before they are advertised.
config router bgp
config network
edit 1
set prefix 10.0.0.0/8
set route-map BGP_rmap1
end
end
config router route-map
edit BGP_rmap1
config rule
edit 1
set set-community no-export
end
end
config redistribute, config redistribute6
Use this subcommand to set or unset BGP redistribution table parameters. Use config redistribute6 for IPv6
routing. You can enable BGP to provide connectivity between connected, static, RIP, and/or OSPF routes. BGP
redistributes the routes from one protocol to another. When a large internetwork is divided into multiple routing
domains, use the subcommand to redistribute routes to the various domains. As an alternative, you can use the
config network subcommand to advertise a prefix to the BGP network (see “config network, config network6” on
page 304).
The BGP redistribution table contains a fixed set of static entries. You cannot add entries to the table. The entries
are defined as follows:
• connected — Redistribute routes learned from a direct connection to the destination network.
• isis — Redistribute routes learned from IS-IS.
• static — Redistribute the static routes defined in the FortiGate unit routing table.
• rip — Redistribute routes learned from RIP.
• ospf — Redistribute routes learned from OSPF.
When you enter the subcommand, end the command with one of the static entry names (that is, config
redistribute {connected | isis | static | rip | ospf}).
The status and route-map fields are optional.
Variable
Description
Default
status {enable | disable} Enable or disable the redistribution of connected, static, RIP, or
OSPF routes.
disable
route-map
<route-map-name_str>
Specify the name of the route map that identifies the routes to
redistribute. You must create the route map before it can be
selected here. See “route-map” on page 368 and “Using route
maps with BGP” on page 370. If a route map is not specified, all
routes are redistributed to BGP.
Null
Example
The following example changes the status and route-map fields of the connected entry.
config router bgp
config redistribute connected
set status enable
set route-map rmap1
end
end
Related topics
• router aspath-list
• router community-list
• router route-map
• Using route maps with BGP
• router key-chain
community-list
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in
the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY
attribute. The default rule in a community list (which the FortiGate unit applies last) denies the matching of all routes.
You add a route to a community by setting its COMMUNITY attribute. A route can belong to more than one
community. A route may be added to a community because it has something in common with the other routes in the
group (for example, the attribute could identify all routes to satellite offices).
When the COMMUNITY attribute is set, the FortiGate unit can select routes based on their COMMUNITY attribute
values.
Syntax
config router community-list
edit <community_name>
set type {standard | expanded}
config rule
edit <community_rule_id>
set action {deny | permit}
set match <criteria>
set regexp <regular_expression>
end
end
The action field is required. All other fields are optional.
Variable
Description
Default
edit <community_name>
Enter a name for the community list.
No default.
type {standard | expanded}
Specify the type of community to match. If you select
expanded, you must also specify a config rule regexp
value. See “regexp <regular_expression>” on
page 308.
standard
edit <community_rule_id>
Enter an entry number for the rule. The number must be an
integer.
No default.
action {deny | permit}
Deny or permit operations on a route based on the value of
the route’s COMMUNITY attribute.
No default.
config rule variables
match <criteria>
This field is available when set type is set to standard.
Specify the criteria for matching a reserved community.
• Use decimal notation to match one or more COMMUNITY
attributes having the syntax AA:NN, where AA represents
an AS, and NN is the community identifier. Delimit complex
expressions with double-quotation marks (for example,
“123:234 345:456”).
• To match all routes in the Internet community, type
internet.
• To match all routes in the LOCAL_AS community, type
local-AS. Matched routes are not advertised locally.
• To select all routes in the NO_ADVERTISE community,
type no-advertise. Matched routes are not advertised.
• To select all routes in the NO_EXPORT community, type
no-export. Matched routes are not advertised to EBGP
peers. If a confederation is configured, the routes are
advertised within the confederation.
Null.
regexp
<regular_expression>
This field is available when set type is set to expanded.
Specify an ordered list of COMMUNITY attributes as a regular
expression. The value or values are used to match a
community. Delimit a complex regular_expression value
using double-quotation marks.
Null
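As an added example (not Fortinet code), the Python below models how the rules of a community list are evaluated: a standard list matches on AA:NN values and on the well-known keywords accepted by the match field, an expanded list applies its regexp to the ordered list of the route's communities, the first rule that matches decides, and the implicit last rule denies. The rule dictionaries, the RFC 1997 numeric values assigned to no-export, no-advertise and local-AS, and the treatment of internet as matching every route are assumptions of this example; the sample rules and routes are constructed.

```python
"""Evaluate a FortiOS-style community-list against a route's COMMUNITY values.

Added example (not Fortinet code).  Rules are plain dicts mirroring the config
rule fields: {"action": "permit"|"deny", "match": ...} for a standard list,
{"action": ..., "regexp": ...} for an expanded list.  Rules are tried in
order; the first hit decides, and the implicit final rule denies everything.
"""
import re

# RFC 1997 well-known communities in AA:NN form, keyed by the keywords this
# reference accepts in the match field (numeric values are this example's
# assumption, taken from the RFC).
WELL_KNOWN = {
    "no-export": "65535:65281",
    "no-advertise": "65535:65282",
    "local-AS": "65535:65283",
}


def canonical(value):
    """AA:NN form of a community given as AA:NN or as a well-known keyword."""
    return WELL_KNOWN.get(value, value)


def parse_match(criteria):
    """Split a match value such as '"123:234 345:456"' into canonical communities."""
    return [canonical(v) for v in criteria.strip('"').split()]


def standard_match(criteria, route_communities):
    """A standard rule hits when every community it lists is present on the
    route; 'internet' is taken (assumption) to match every route."""
    wanted = parse_match(criteria)
    present = {canonical(c) for c in route_communities}
    return all(w == "internet" or w in present for w in wanted)


def expanded_match(regexp, route_communities):
    """An expanded rule applies its regular expression to the ordered,
    space-separated list of the route's communities in AA:NN form."""
    text = " ".join(canonical(c) for c in route_communities)
    return re.search(regexp.strip('"'), text) is not None


def community_list_action(rules, route_communities, list_type="standard"):
    """Return 'permit' or 'deny' for the route; unmatched routes are denied."""
    for rule in rules:
        if list_type == "expanded":
            hit = expanded_match(rule["regexp"], route_communities)
        else:
            hit = standard_match(rule["match"], route_communities)
        if hit:
            return rule["action"]
    return "deny"  # the default rule the unit applies last


# Constructed standard list: drop anything tagged NO_EXPORT, then permit
# routes that carry both of two private-AS communities.
STANDARD_RULES = [
    {"action": "deny", "match": "no-export"},
    {"action": "permit", "match": '"65001:100 65001:200"'},
]

# Constructed expanded list: permit routes carrying a 65001:1xx community.
EXPANDED_RULES = [
    {"action": "permit", "regexp": r"\b65001:1[0-9]{2}\b"},
]


if __name__ == "__main__":
    print(community_list_action(STANDARD_RULES, ["65001:100", "65001:200"]))
    print(community_list_action(STANDARD_RULES, ["65001:100", "65535:65281"]))
    print(community_list_action(EXPANDED_RULES, ["64500:7", "65001:150"], "expanded"))
```

The deny-first ordering in STANDARD_RULES matters: a route carrying 65001:100, 65001:200 and NO_EXPORT is denied by the first rule before the permit rule is consulted, and a route carrying only 65001:100 falls through to the implicit deny because a standard match requires every listed community.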
gwdetect
Use this command to verify a valid connection with one or more servers.
Dead gateway detection, or interface status detection, consists of the unit confirming that packets sent from an
interface result in a response from a server. You can use up to three different protocols to confirm that an interface
can connect to the server. Usually the server is the next-hop router that leads to an external network or the Internet.
Interface status detection sends a packet using the configured protocols. If a response is received from the server,
the unit assumes the interface can connect to the network. If a response is not received, the unit assumes that the
interface cannot connect to the network.
Syntax
config router gwdetect
edit <interface_name>
set server <servername1_string>
set source-ip <ipv4_addr>
set protocol {ping | tcp-echo | udp-echo}
set interval <seconds_int>
set failtime <attempts_int>
set ha-priority <priority_int>
end
The action field is required. All other fields are optional.
Variable
Description
Default
edit <interface_name>
Select an interface connected to the server that will be
checked.
No default.
server
<servername1_string>
Enter one or more server addresses
No default.
source-ip <ipv4_addr>
Enter the source IP address used to check the gateway.
If none is specified, an address is selected automatically from
the interface.
0.0.0.0
protocol {ping | tcp-echo | udp-echo}
Select the protocol to be used when contacting the server.
ping
interval <seconds_int>
Enter the seconds between attempts to contact the server.
5
failtime <attempts_int>
Enter the number of failed attempts to contact the server for
declaring the ping server lost.
5
ha-priority <priority_int>
Select the HA election priority. Valid range is 1 to 50.
The default is 1.
1
isis
IS-IS is described in RFC 1142. You can enable and configure IS-IS on your FortiGate unit if this routing protocol is in
use on your network.
For each routing protocol, you can also use a redistribute command to redistribute IS-IS
routes with the other protocol. For example, to redistribute IS-IS routes over OSPF enter:
config router ospf
config redistribute isis
set status enable
end
end
config router isis
set adjacency-check {disable | enable}
set auth-keychain-l1 <keychain_str>
set auth-keychain-l2 <keychain_str>
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-sendonly-l1 {disable | enable}
set auth-sendonly-l2 {disable | enable}
set default-originate {disable | enable}
set dynamic-hostname {disable | enable}
set ignore-lsp-errors {disable | enable}
set is-type {level-1 | level-1-2 | level-2-only}
set lsp-gen-interval-l1 <interval_int>
set lsp-gen-interval-l2 <interval_int>
set lsp-refresh-interval <interval_int>
set max-lsp-lifetime <lifetime_int>
set metric-style {narrow | narrow-transition | narrow-transition-l1 | narrow-transition-l2 | transition | transition-l1 | transition-l2 | wide | wide-l1 |
wide-l2 | wide-transition | wide-transition-l1 | wide-transition-l2}
set overload-bit {disable | enable}
set overload-bit-on-startup
set overload-bit-suppress external interlevel
set redistribute-l1 {disable | enable}
set redistribute-l1-list <access_list_str>
set redistribute-l2 {disable | enable}
set redistribute-l2-list <access_list_str>
set spf-interval-exp-l1 <min_delay_int> <max_delay_int>
set spf-interval-exp-l2 <min_delay_int> <max_delay_int>
config isis-interface
edit <interface_str>
set auth-keychain-l1 <keychain_str>
set auth-keychain-l2 <keychain_str>
set auth-mode-l1 {md5 | password}
set auth-mode-l2 {md5 | password}
set auth-password-l1 <password>
set auth-password-l2 <password>
set auth-send-only-l1 {disable | enable}
set auth-send-only-l2 {disable | enable}
set circuit-type {level-1 | level-1-2 | level-2-only}
set csnp-interval-l1 <interval_int>
set csnp-interval-l2 <interval_int>
set hello-interval-l1 <interval_int>
set hello-interval-l2 <interval_int>
set hello-multiplier-l1 <multipler_int>
set hello-multiplier-l2 <multipler_int>
set hello-padding {disable | enable}
set lsp-interval <interval_int>
set lsp-retransmit-interval <interval_int>
set mesh-group {disable | enable}
set mesh-group-id <id_int>
set metric-l1 <metric_int>
set metric-l2 <metric_int>
set network-type {broadcast | point-to-point}
set priority-l1 <priority_int>
set priority-l2 <priority_int>
set status {disable | enable}
set wide-metric-l1 <metric_int>
set wide-metric-l2 <metric_int>
config isis-net
edit <id>
set net <user_defined>
config redistribute {bgp | connected | ospf | rip | static}
set status {disable | enable}
set metric <metric_int>
set metric-type {external | internal}
set level {level-1 | level-1-2 | level-2}
set routemap <routmap_name>
config summary-address
edit <id>
set level {level-1 | level-1-2 | level-2}
set prefix <prefix_ipv4> <prefix_mask>
end
end
Variable
Description
Default
adjacency-check
{disable | enable}
Enable to check neighbor protocol support.
disable
auth-keychain-l1
<keychain_str>
Authentication key-chain for level 1 PDUs. Available when auth-mode-l1
is set to md5.
auth-keychain-l2
<keychain_str>
Authentication key-chain for level 2 PDUs. Available when auth-mode-l2
is set to md5.
auth-mode-l1 {md5 |
password}
Level 1 authentication mode.
password
auth-mode-l2 {md5 |
password}
Level 2 authentication mode.
password
auth-password-l1
<password>
Authentication password for level 1 PDUs. Available when auth-mode-l1 is set to password.
auth-password-l2
<password>
Authentication password for level 2 PDUs. Available when auth-mode-l2 is set to password.
auth-sendonly-l1
{disable | enable}
Level 1 authentication send-only.
disable
auth-sendonly-l2
{disable | enable}
Level 2 authentication send-only.
disable
default-originate
{disable | enable}
Control distribution of default information.
disable
dynamic-hostname
{disable | enable}
Enable dynamic hostname.
disable
ignore-lsp-errors
{disable | enable}
Enable to ignore LSPs with bad checksums.
disable
is-type {level-1 |
level-1-2 |
level-2-only}
Set the ISIS level to use. IS-IS routers are designated as being: Level 1
(intra-area); Level 2 (inter area); or Level 1-2 (both).
level-1-2
lsp-gen-interval-l1
<interval_int>
Minimum interval for level 1 link state packet (LSP) regenerating. Range
1 to 120.
30
lsp-gen-interval-l2
<interval_int>
Minimum interval for level 2 LSP regenerating. Range 1 to 120.
30
lsp-refresh-interval
<interval_int>
LSP refresh time in seconds. Range 1 to 65535 seconds.
900
max-lsp-lifetime
<lifetime_int>
Maximum LSP lifetime in seconds. Range 350 to 65535 seconds.
1200
metric-style {narrow
| narrow-transition
| narrow-transition-l1 | narrow-transition-l2 |
transition |
transition-l1 |
transition-l2 | wide
| wide-l1 | wide-l2 |
wide-transition |
wide-transition-l1 |
wide-transition-l2}
Use old-style (ISO 10589) or new-style packet formats.
• narrow Use old style of TLVs with narrow metric.
• narrow-transition narrow, and accept both styles of TLVs
during transition.
• narrow-transition-l1 narrow-transition level-1 only.
• narrow-transition-l2 narrow-transition level-2 only.
• transition Send and accept both styles of TLVs during transition.
• transition-l1 transition level-1 only.
• transition-l2 transition level-2 only.
• wide Use new style of TLVs to carry wider metric.
• wide-l1 wide level-1 only.
• wide-l2 wide level-2 only.
• wide-transition wide, and accept both styles of TLVs during
transition.
• wide-transition-l1 wide-transition level-1 only.
• wide-transition-l2 wide-transition level-2 only.
narrow
overload-bit
{disable | enable}
Signal other routers not to use us in SPF.
disable
overload-bit-on-startup
Set overload-bit only temporarily after reboot. Range is 5-86400
seconds. Enter unset overload-bit-on-startup to disable.
Entering set overload-bit-on-startup 0 is invalid.
0
overload-bit-suppress external interlevel
Suppress overload-bit for the specific prefixes. You can suppress the
overload-bit for external prefixes, internal prefixes or both. Enter unset
overload-bit-suppress to disable.
redistribute-l1
{disable | enable}
Redistribute level 1 routes into level 2. If enabled, configure
redistribute-l1-list.
disable
redistribute-l1-list
<access_list_str>
Access-list for redistribute l1 to l2. Available if redistribute-l1
enabled.
(null)
redistribute-l2
{disable | enable}
Redistribute level 2 routes into level 1. If enabled, configure
redistribute-l2-list.
disable
redistribute-l2-list
<access_list_str>
Access-list for redistribute l2 to l1. Available if redistribute-l2
enabled.
(null)
spf-interval-exp-l1
<min_delay_int>
<max_delay_int>
Level 1 SPF calculation delay in milliseconds. Enter the minimum and
maximum delay between receiving a change and the level 1 SPF
calculation, in milliseconds.
500 50000
spf-interval-exp-l2
<min_delay_int>
<max_delay_int>
Level 2 SPF calculation delay. Enter the minimum and maximum delay
between receiving a change and the level 2 SPF calculation, in
milliseconds.
500 50000
config isis-interface
Configure and enable FortiGate unit interfaces for IS-IS.
Variable
Description
edit <interface_str>
Edit an IS-IS interface.
auth-keychain-l1
<keychain_str>
Authentication key-chain for level 1 PDUs. Available when auth-mode-l1
is set to md5.
auth-keychain-l2
<keychain_str>
Authentication key-chain for level 2 PDUs. Available when auth-mode-l2
is set to md5.
auth-mode-l1 {md5 |
password}
Level 1 authentication mode.
password
auth-mode-l2 {md5 |
password}
Level 2 authentication mode.
password
auth-password-l1
<password>
Authentication password for level 1 PDUs. Available when auth-mode-l1 is set to password.
auth-password-l2
<password>
Authentication password for level 2 PDUs. Available when auth-mode-l2 is set to password.
auth-send-only-l1
{disable | enable}
Level 1 authentication send-only.
disable
auth-send-only-l2
{disable | enable}
Level 2 authentication send-only.
disable
circuit-type
{level-1 | level-1-2
| level-2-only}
Set the IS-IS circuit type to use for the interface. IS-IS routers are
designated as being: Level 1 (intra-area); Level 2 (inter area); or Level 1-2
(both).
level-1-2
csnp-interval-l1
<interval_int>
Level 1 CSNP interval. The range is 1-65535 seconds.
10
csnp-interval-l2
<interval_int>
Level 2 CSNP interval. The range is 1-65535 seconds.
10
hello-interval-l1
<interval_int>
Level 1 hello interval. The range is 1-65535 seconds. Set to 0 for a
one-second hold time.
10
hello-interval-l2
<interval_int>
Level 2 hello interval. The range is 1-65535 seconds. Set to 0 for a
one-second hold time.
10
hello-multiplier-l1
<multipler_int>
Level 1 multiplier for Hello holding time. The range is 2 to 100.
3
hello-multiplier-l2
<multipler_int>
Level 2 multiplier for Hello holding time. The range is 2 to 100.
3
hello-padding
{disable | enable}
Enable or disable adding padding to IS-IS hello packets.
disable
lsp-interval
<interval_int>
LSP transmission interval (milliseconds). The range is 1-4294967295.
33
lsp-retransmit-interval
<interval_int>
LSP retransmission interval (seconds). The range is 1-65535.
5
mesh-group {disable
| enable}
Enable IS-IS mesh group.
disable
mesh-group-id
<id_int>
Mesh group ID. The range is 0-4294967295. A value of 0 means the
mesh group is blocked.
0
metric-l1
<metric_int>
Level 1 metric for interface. The range is 1-63.
10
metric-l2
<metric_int>
Level 2 metric for interface. The range is 1-63.
10
network-type
{broadcast | point-to-point}
Set the IS-IS interface's network type.
priority-l1
<priority_int>
Level 1 priority. The range is 0-127.
64
priority-l2
<priority_int>
Level 2 priority. The range is 0-127.
64
status {disable |
enable}
Enable the interface for IS-IS.
disable
wide-metric-l1
<metric_int>
Level 1 wide metric for the interface. The range is 1-16777214.
10
wide-metric-l2
<metric_int>
Level 2 wide metric for the interface. The range is 1-16777214.
10
config isis-net
Add IS-IS networks.
Variable
Description
Default
edit <id>
Add the ID number of the IS-IS network
net <user_defined>
Enter a user-defined IS-IS network in the form xx.xxxx. ... .xxxx.xx.
config redistribute {bgp | connected | ospf | rip | static}
Redistribute routes from other routing protocols using IS-IS.
Variable
Description
Default
status {disable |
enable}
Enable or disable redistributing the selected protocol’s routes.
disable
protocol {bgp |
connected | ospf |
rip | static}
The name of the protocol that to redistribute ISIS routes to.
metric <metric_int>
Set the metric. Range is 0-4261412864.
0
metric-type
{external |
internal}
Set the metric type.
internal
level {level-1 | level-1-2 | level-2}
    Set the IS-IS level type to use for distributing routes. IS-IS routers are designated as being: Level 1 (intra-area); Level 2 (inter-area); or Level 1-2 (both).
    Default: level-2
routemap <routemap_name>
    Enter a routemap name.
    Default: (null)
config summary-address
Add IS-IS summary addresses.
edit <id>
    Add the ID number of the summary address.
level {level-1 | level-1-2 | level-2}
    Set the IS-IS level to use for the summary database. IS-IS routers are designated as being: Level 1 (intra-area); Level 2 (inter-area); or Level 1-2 (both).
    Default: level-2
prefix <prefix_ipv4> <prefix_mask>
    The summary address prefix and netmask.
    Default: 0.0.0.0 0.0.0.0
key-chain
Use this command to manage RIP version 2 authentication keys. You can add, edit or delete keys identified by the
specified key number.
RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable.
For authentication to work, both the sending and receiving routers must be set to use authentication, and must be
configured with the same keys.
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for
authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the
next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their
system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if
there is some difference in the system times. For how to ensure that the FortiGate unit system date and time are
correct, see “config system global” on page 243.
Syntax
config router key-chain
    edit <key_chain_name>
        config key
            edit <key_id>
                set accept-lifetime <start> <end>
                set key-string <password>
                set send-lifetime <start> <end>
            end
        end
The accept-lifetime, key-string, and send-lifetime fields are required.
edit <key_chain_name>
    Enter a name for the key chain list.
    No default.
config key variables
edit <key_id>
    Enter an ID number for the key entry. The number must be an integer.
    No default.
accept-lifetime <start> <end>
    Set the time period during which the key can be received. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
        hh:mm:ss day month year
        <integer> — a duration from 1 to 2147483646 seconds
        infinite — for a key that never expires
    The valid settings for hh:mm:ss day month year are:
        hh — 0 to 23
        mm — 0 to 59
        ss — 0 to 59
        day — 1 to 31
        month — 1 to 12
        year — 1993 to 2035
    Note: A single digit will be accepted for hh, mm, ss, day, or month fields.
    No default.
key-string <password>
    The <password> can be up to 35 characters long.
    No default.
send-lifetime <start> <end>
    Set the time period during which the key can be sent. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
        hh:mm:ss day month year
        <integer> — a duration from 1 to 2147483646 seconds
        infinite — for a key that never expires
    The valid settings for hh:mm:ss day month year are:
        hh — 0 to 23
        mm — 0 to 59
        ss — 0 to 59
        day — 1 to 31
        month — 1 to 12
        year — 1993 to 2035
    Note: A single digit will be accepted for hh, mm, ss, day, or month fields.
    No default.
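The lifetime rules above, as an added example that is not part of the FortiOS reference: a Python checker that parses accept-lifetime and send-lifetime values in the documented format and reports any period in which no key is valid for sending or accepting. The per-key dict layout, the enclosure rule and the sample keys are constructed for this example.

```python
"""Lifetime checker for a RIPv2 key chain (`config router key-chain`).

Added example, not from the FortiOS reference. Parses accept-lifetime and
send-lifetime values ("hh:mm:ss day month year" start; end as the same form,
a duration in seconds, or "infinite"), checks that each key's accept window
encloses its send window, and reports any instant in a horizon at which no
key can be sent or accepted. The dict layout and sample keys are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Lifetime = Tuple[datetime, Optional[datetime]]  # end None means infinite


def parse_start(text: str) -> datetime:
    """Parse 'hh:mm:ss day month year'; single-digit fields are accepted."""
    clock, day, month, year = text.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    y = int(year)
    if not 1993 <= y <= 2035:
        raise ValueError(f"year out of range (1993-2035): {y}")
    return datetime(y, int(month), int(day), hh, mm, ss)  # validates the rest


def parse_lifetime(field: str) -> Lifetime:
    """Parse '<start> <end>': start is four tokens; end is an absolute time,
    a duration of 1..2147483646 seconds, or 'infinite'."""
    tokens = field.split()
    start = parse_start(" ".join(tokens[:4]))
    end_text = " ".join(tokens[4:])
    if end_text == "infinite":
        return start, None
    if end_text.isdigit():
        secs = int(end_text)
        if not 1 <= secs <= 2147483646:
            raise ValueError(f"duration out of range: {secs}")
        return start, start + timedelta(seconds=secs)
    end = parse_start(end_text)
    if end <= start:
        raise ValueError("lifetime end is not after its start")
    return start, end


def coverage_gaps(lifetimes: List[Lifetime], horizon_start: datetime,
                  horizon_end: datetime) -> List[Tuple[datetime, datetime]]:
    """Return (gap_start, gap_end) pairs inside the horizon covered by no lifetime."""
    intervals = sorted((s, horizon_end if e is None else e) for s, e in lifetimes)
    gaps, cursor = [], horizon_start
    for s, e in intervals:
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < horizon_end:
        gaps.append((cursor, horizon_end))
    return gaps


def check_key_chain(keys: Dict[int, Dict[str, str]], horizon_start: datetime,
                    horizon_end: datetime) -> List[str]:
    """keys maps key id -> {'key-string', 'accept-lifetime', 'send-lifetime'}."""
    problems = []
    for kid, key in keys.items():
        if len(key["key-string"]) > 35:
            problems.append(f"key {kid}: key-string exceeds 35 characters")
        s_start, s_end = parse_lifetime(key["send-lifetime"])
        a_start, a_end = parse_lifetime(key["accept-lifetime"])
        # Assumed rule: accept must enclose send, so a slightly skewed peer is still accepted.
        if a_start > s_start or (a_end is not None and (s_end is None or a_end < s_end)):
            problems.append(f"key {kid}: accept-lifetime does not enclose send-lifetime")
    for field in ("send-lifetime", "accept-lifetime"):
        lifetimes = [parse_lifetime(k[field]) for k in keys.values()]
        for g0, g1 in coverage_gaps(lifetimes, horizon_start, horizon_end):
            problems.append(f"no key valid for {field} between {g0} and {g1}")
    return problems


# Constructed sample: key 1 hands over to key 2 with an overlap, but key 3
# starts 26 hours after key 2 stops being sent, leaving a send gap.
SAMPLE_KEYS = {
    1: {"key-string": "first-secret",
        "send-lifetime": "00:00:00 1 1 2013 23:00:00 31 3 2013",
        "accept-lifetime": "00:00:00 1 1 2013 23:59:59 31 3 2013"},
    2: {"key-string": "second-secret",
        "send-lifetime": "22:00:00 31 3 2013 7776000",     # 90 days
        "accept-lifetime": "21:00:00 31 3 2013 8000000"},  # about 92.6 days
    3: {"key-string": "third-secret",
        "send-lifetime": "00:00:00 1 7 2013 infinite",
        "accept-lifetime": "00:00:00 1 7 2013 infinite"},
}
HORIZON = (datetime(2013, 1, 1), datetime(2013, 12, 31, 23, 59, 59))


def sample_problems() -> List[str]:
    return check_key_chain(SAMPLE_KEYS, *HORIZON)


if __name__ == "__main__":
    for line in sample_problems():
        print(line)
```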
multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router. FortiGate units support PIM
sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the
network segment to which a FortiGate unit interface is connected. Multicast routing is not supported in Transparent
mode (TP mode).
To support PIM communications, the sending/receiving applications and all connecting PIM
routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or
BGP to forward multicast packets to their destinations. To enable source-to-destination packet
delivery, either sparse mode or dense mode must be enabled on the PIM-router interfaces. Sparse
mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate
unit is located between a source and a PIM router, two PIM routers, or is connected directly to a
receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or
decapsulated data (IP traffic) between the source and destination.
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot
Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points (RPs) and Designated Routers
(DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as
configured.
Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to which each RP
sends the multicast address or addresses of the multicast group(s) that it can service. The selected BSR chooses one
RP per multicast group and makes this information available to all of the PIM routers in the domain through bootstrap
messages. PIM routers use the information to build packet distribution trees, which map each multicast group to a
specific RP. Packet distribution trees may also contain information about the sources and receivers associated with
particular multicast groups.
When a FortiGate unit interface is configured as a multicast interface, sparse mode is enabled on
it by default to ensure that distribution trees are not built unless at least one downstream receiver
requests multicast traffic from a specific source. If the sources of multicast traffic and their
receivers are close to each other and the PIM domain contains a dense population of active
receivers, you may choose to enable dense mode throughout the PIM domain instead.
An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and pruning the
information contained in distribution trees, a single stream of multicast packets (for example, a video feed) originating
from the source can be forwarded to a certain RP to reach a multicast destination.
Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which neighboring PIM
router join and prune messages are sent. An MRIB contains reverse-path information that reveals the path of a
multicast packet from its source to the PIM router that maintains the MRIB.
To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally elected DR
registers the sender with the RP that is associated with the target multicast group. The RP uses its MRIB to forward a
single stream of IP packets from the source to the members of the multicast group. The IP packets are replicated only
when necessary to distribute the data to branches of the RP’s distribution tree.
To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP) version 1 (RFC
1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a particular multicast group. The
locally elected DR receives the request and adds the host to the multicast group that is associated with the
connected network segment by sending a join message towards the RP for the group. Afterward, the DR queries the
hosts on the connected network segment continually to determine whether the hosts are active. When the DR no
longer receives confirmation that at least one member of the multicast group is still active, the DR sends a prune
message towards the RP for the group.
Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source begins to send IP
traffic and dense mode is enabled, the closest PIM router registers the IP traffic from the multicast source (S) and
forwards multicast packets to the multicast group address (G). All PIM routers initially broadcast the multicast
packets throughout the PIM domain to ensure that all receivers that have requested traffic for multicast group
address G can access the information if needed.
To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees based on the
information in multicast packets. Upstream PIM routers depend on prune/graft messages from downstream PIM
routers to determine if receivers are actually present on directly connected network segments. The PIM routers
exchange state refresh messages to update their distribution trees. FortiGate units store this state information in a
Tree Information Base (TIB), which is used to build a multicast forwarding table. The information in the multicast
forwarding table determines whether packets are forwarded downstream. The forwarding table is updated whenever
the TIB is modified.
PIM routers receive data streams every few minutes and update their forwarding tables using the source (S) and
multicast group (G) information in the data stream. Superfluous multicast traffic is stopped by PIM routers that do not
have downstream receivers—PIM routers that do not manage multicast groups send prune messages to the
upstream PIM routers. When a receiver requests traffic for multicast address G, the closest PIM router sends a graft
message upstream to begin receiving multicast packets.
For more information on multicast routing, see the FortiGate Multicast Technical Note.
Syntax
config router multicast
    set igmp-state-limit <limit_integer>
    set multicast-routing {enable | disable}
    set route-limit <limit_integer>
    set route-threshold <threshold_integer>
    config interface
        edit <interface_name>
            set cisco-exclude-genid {enable | disable}
            set dr-priority <priority_integer>
            set hello-holdtime <holdtime_integer>
            set hello-interval <hello_integer>
            set multicast-flow <flowname>
            set neighbour-filter <access_list_name>
            set passive {enable | disable}
            set pim-mode {sparse-mode | dense-mode}
            set propagation-delay <delay_integer>
            set rp-candidate {enable | disable}
            set rp-candidate-group <access_list_name>
            set rp-candidate-interval <interval_integer>
            set rp-candidate-priority <priority_integer>
            set state-refresh-interval <refresh_integer>
            set static-group <flowname>
            set ttl-threshold <ttl_integer>
            config join-group
                edit address <address_ipv4>
            end
            config igmp
                set access-group <access_list_name>
                set immediate-leave-group <access_list_name>
                set last-member-query-count <count_integer>
                set last-member-query-interval <interval_integer>
                set query-interval <interval_integer>
                set query-max-response-time <time_integer>
                set query-timeout <timeout_integer>
                set router-alert-check {enable | disable}
                set version {1 | 2 | 3}
            end
        end
    end
    config pim-sm-global
        set accept-register-list <access_list_name>
        set bsr-allow-quick-refresh {enable | disable}
        set bsr-candidate {enable | disable}
        set bsr-priority <priority_integer>
        set bsr-interface <interface_name>
        set bsr-hash <hash_integer>
        set cisco-register-checksum {enable | disable}
        set cisco-register-checksum-group <access_list_name>
        set cisco-crp-prefix {enable | disable}
        set cisco-ignore-rp-set-priority {enable | disable}
        set message-interval <interval_integer>
        set register-rate-limit <rate_integer>
        set register-rp-reachability {enable | disable}
        set register-source {disable | interface | ip-address}
        set register-source-interface <interface_name>
        set register-source-ip <address_ipv4>
        set register-suppression <suppress_integer>
        set rp-register-keepalive <keepalive_integer>
        set spt-threshold {enable | disable}
        set spt-threshold-group <access_list_name>
        set ssm {enable | disable}
        set ssm-range <access_list_name>
        config rp-address
            edit <rp_id>
                set ip-address <address_ipv4>
                set group <access_list_name>
        end
    end
end
config router multicast
You can configure a FortiGate unit to support PIM using the config router multicast CLI command. When PIM
is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates
with neighboring PIM routers to acquire mapping information and if required, processes the multicast traffic
associated with specific multicast groups.
The end-user multicast client-server applications must be installed and configured to initiate
Internet connections and handle broadband content such as audio/video information.
Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user could type in a
class D multicast group address, an alias for the multicast group address, or a call-conference number to initiate the
session.
Rather than sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled
routers encapsulate the data and use the one multicast group address to forward multicast packets to
multiple destinations. Because one destination address is used, a single stream of data can be sent. Client
applications receive multicast data by requesting that the traffic destined for a certain multicast group address be
delivered to them. End-users may use phone books, a menu of ongoing or future sessions, or some other method
through a user interface to select the address of interest.
A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group address, subject to
the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D addresses must be assigned in
advance. Because there is no way to determine in advance if a certain multicast group address is in use, collisions
may occur (to resolve this problem, end-users may switch to a different multicast address).
To configure a PIM domain
1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units, use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).
All fields are optional.
igmp-state-limit <limit_integer>
    If memory consumption is an issue, specify a limit on the number of IGMP states (multicast memberships) that the FortiGate unit will store.
    This value represents the maximum combined number of IGMP states (multicast memberships) that can be handled by all interfaces. Traffic associated with excess IGMP membership reports is not delivered. The range is from 96 to 64 000.
    Default: 3200
multicast-routing {enable | disable}
    Enable or disable PIM routing.
    Default: disable
route-limit <limit_integer>
    If memory consumption is an issue, set a limit on the number of multicast routes that can be added to the FortiGate unit routing table. The range is from 1 to 2 147 483 674.
    Default: 2147483674
route-threshold <threshold_integer>
    Specify the number of multicast routes that can be added to the FortiGate unit’s routing table before a warning message is displayed. The route-threshold value must be lower than the route-limit value. The range is from 1 to 2 147 483 674.
    Default: 2147483674
config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation (sparse or dense).
Global settings do not override interface-specific settings.
All fields are optional.
edit <interface_name>
    Enter the name of the FortiGate unit interface on which to enable PIM protocols.
    No default.
cisco-exclude-genid {enable | disable}
    This field applies only when pim-mode is sparse-mode.
    Enable or disable including a generation ID in hello messages sent to neighboring PIM routers. A GenID value may be included for compatibility with older Cisco IOS routers.
    Default: disable
dr-priority <priority_integer>
    This field applies only when pim-mode is sparse-mode.
    Assign a priority to FortiGate unit Designated Router (DR) candidacy. The range is from 1 to 4 294 967 294. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.
    Default: 1
hello-holdtime <holdtime_integer>
    Specify the amount of time (in seconds) that a PIM neighbor may consider the information in a hello message to be valid. The range is from 1 to 65 535.
    If the hello-interval attribute is modified and the hello-holdtime attribute has never been set explicitly, the hello-holdtime attribute is automatically set to 3.5 x hello-interval.
    Default: 105
hello-interval <hello_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending hello messages to neighboring PIM routers. The range is from 1 to 65 535.
    Changing the hello-interval attribute may automatically update the hello-holdtime attribute.
    Default: 30
multicast-flow <flowname>
    Connect the named multicast flow to this interface. Multicast flows are defined in the router multicast-flow command.
    No default.
neighbour-filter <access_list_name>
    Establish or terminate adjacency with PIM neighbors having the IP addresses given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    Default: Null
passive {enable | disable}
    Enable or disable PIM communications on the interface without affecting IGMP communications.
    Default: disable
pim-mode {sparse-mode | dense-mode}
    Select the PIM mode of operation. Choose one of:
        sparse-mode — manage PIM packets through distribution trees and multicast groups.
        dense-mode — enable multicast flooding.
    Default: sparse-mode
propagation-delay <delay_integer>
    This field is available when pim-mode is set to dense-mode.
    Specify the amount of time (in milliseconds) that the FortiGate unit waits to send prune-override messages. The range is from 100 to 5 000.
    Default: 500
rp-candidate {enable | disable}
    This field is available when pim-mode is set to sparse-mode.
    Enable or disable the FortiGate unit interface to offer Rendezvous Point (RP) services.
    Default: disable
rp-candidate-group <access_list_name>
    RP candidacy is advertised to certain multicast groups. These groups are based on the multicast group prefixes given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    This field is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Default: Null
rp-candidate-interval <interval_integer>
    This field is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Set the amount of time (in seconds) that the FortiGate unit waits between sending RP announcement messages. The range is from 1 to 16 383.
    Default: 60
rp-candidate-priority <priority_integer>
    This field is available when rp-candidate is set to enable and pim-mode is set to sparse-mode.
    Assign a priority to FortiGate unit Rendezvous Point (RP) candidacy. The range is from 0 to 255. The BSR compares the value to that of other RP candidates that can service the same multicast group, and the router having the highest RP priority is selected to be the RP for that multicast group. If two RP priority values are the same, the RP candidate having the highest IP address on its RP interface is selected.
    Default: 192
state-refresh-interval <refresh_integer>
    This field is available when pim-mode is set to dense-mode.
    This attribute is used when the FortiGate unit is connected directly to the multicast source. Set the amount of time (in seconds) that the FortiGate unit waits between sending state-refresh messages. The range is from 1 to 100. When a state-refresh message is received by a downstream router, the prune state on the downstream router is refreshed.
    Default: 60
static-group <flowname>
    Statically join this interface to the named multicast group. The interface does not need to have seen any IGMP joins from any host. Multicast flows are defined in the router multicast-flow command.
    No default.
ttl-threshold <ttl_integer>
    Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet must have in order to be forwarded from this interface. The range is from 0 to 255.
    Specifying a high value (for example, 195) prevents PIM packets from being forwarded through the interface.
    Default: 1
config join-group variables
edit address <address_ipv4>
    Cause the FortiGate unit interface to activate (IGMP join) the multicast group associated with the specified multicast group address.
    No default.
config igmp variables
access-group <access_list_name>
    Specify which multicast groups that hosts on the connected network segment may join based on the multicast addresses given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    Default: Null
immediate-leave-group <access_list_name>
    This field applies when version is set to 2 or 3.
    Configure a FortiGate unit DR to stop sending traffic and IGMP queries to receivers after receiving an IGMP version 2 group-leave message from any member of the multicast groups identified in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    Default: Null
last-member-query-count <count_integer>
    This field applies when version is set to 2 or 3.
    Specify the number of times that a FortiGate unit DR sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2 group-leave message.
    Default: 2
last-member-query-interval <interval_integer>
    This field applies when version is set to 2 or 3.
    Set the amount of time (in milliseconds) that a FortiGate unit DR waits for the last member of a multicast group to respond to an IGMP query. The range is from 1000 to 25 500. If no response is received before the specified time expires and the FortiGate unit DR has already sent an IGMP query last-member-query-count times, the FortiGate unit DR removes the member from the group and sends a prune message to the associated RP.
    Default: 1000
query-interval <interval_integer>
    Set the amount of time (in seconds) that a FortiGate unit DR waits between sending IGMP queries to determine which members of a multicast group are active. The range is from 1 to 65 535.
    Default: 125
query-max-response-time <time_integer>
    Set the maximum amount of time (in seconds) that a FortiGate unit DR waits for a member of a multicast group to respond to an IGMP query. The range is from 1 to 25. If no response is received before the specified time expires, the FortiGate unit DR removes the member from the group.
    Default: 10
query-timeout <timeout_integer>
    Set the amount of time (in seconds) that must expire before a FortiGate unit begins sending IGMP queries to the multicast group that is managed through the interface. The range is from 60 to 300. A FortiGate unit begins sending IGMP queries if it does not receive regular IGMP queries from another DR through the interface.
    Default: 255
router-alert-check {enable | disable}
    Enable to require the Router Alert option in IGMP packets.
    Default: disabled
version {1 | 2 | 3}
    Specify the version number of IGMP to run on the interface. The value can be 1, 2, or 3. The value must match the version used by all other PIM routers on the connected network segment.
    Default: 3
config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not override
interface-specific PIM settings.
If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by specifying the IP
address of the RP through the config rp-address variable. The IP address must be directly accessible to the DR.
If multicast packets from more than one multicast group can pass through the same RP, you can use an access list to
specify the associated multicast group addresses.
To send multicast packets to a particular RP using the config rp-address subcommand, the
ip-address field is required. All other fields are optional.
accept-register-list <access_list_name>
    Cause a FortiGate unit RP to accept or deny register packets from the source IP addresses given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    Default: Null
bsr-allow-quick-refresh {enable | disable}
    Enable or disable accepting BSR quick refresh packets from neighbors.
    Default: disable
bsr-candidate {enable | disable}
    Enable or disable the FortiGate unit to offer its services as a Boot Strap Router (BSR) when required.
    Default: disable
bsr-priority <priority_integer>
    This field is available when bsr-candidate is set to enable.
    Assign a priority to FortiGate unit BSR candidacy. The range is from 0 to 255. This value is compared to that of other BSR candidates and the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the same, the BSR candidate having the highest IP address on its BSR interface is selected.
    Default: 0
bsr-interface <interface_name>
    This field is available when bsr-candidate is set to enable.
    Specify the name of the PIM-enabled interface through which the FortiGate unit may announce BSR candidacy.
    Default: Null
bsr-hash <hash_integer>
    This field is available when bsr-candidate is set to enable.
    Set the length of the mask (in bits) to apply to multicast group addresses in order to derive a single RP for one or more multicast groups. The range is from 0 to 32. For example, a value of 24 means that the first 24 bits of the group address are significant. All multicast groups having the same seed hash belong to the same RP.
    Default: 10
cisco-crp-prefix {enable | disable}
    Enable or disable a FortiGate unit RP that has a group prefix number of 0 to communicate with a Cisco BSR. You may choose to enable the attribute if required for compatibility with older Cisco BSRs.
    Default: disable
cisco-ignore-rp-set-priority {enable | disable}
    Enable or disable a FortiGate unit BSR to recognize Cisco RP-SET priority values when deriving a single RP for one or more multicast groups. You may choose to enable the attribute if required for compatibility with older Cisco RPs.
    Default: disable
cisco-register-checksum {enable | disable}
    Enable or disable performing a register checksum on entire PIM packets. A register checksum is performed on the header only by default. You may choose to enable register checksums on the whole packet for compatibility with older Cisco IOS routers.
    Default: disable
cisco-register-checksum-group <access_list_name>
    This field is available when cisco-register-checksum is set to enable.
    Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286. You may choose to register checksums on entire PIM packets for compatibility with older Cisco IOS routers.
    Default: Null
message-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending periodic PIM join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to 65 535.
    Default: 60
register-rate-limit <rate_integer>
    Set the maximum number of register messages per (S,G) per second that a FortiGate unit DR can send for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited number of register messages per second.
    Default: 0
register-rp-reachability {enable | disable}
    Enable or disable a FortiGate unit DR to check if an RP is accessible prior to sending register messages.
    Default: enable
register-source {disable | interface | ip-address}
    If the FortiGate unit acts as a DR, enable or disable changing the IP source address of outbound register packets to one of the following IP addresses. The IP address must be accessible to the RP so that the RP can respond to the IP address with a Register-Stop message. Choose one of:
        disable — retain the IP address of the FortiGate unit DR interface that faces the RP.
        interface — change the IP source address of a register packet to the IP address of a particular FortiGate unit interface. The register-source-interface attribute specifies the interface name.
        ip-address — change the IP source address of a register packet to a particular IP address. The register-source-ip attribute specifies the IP address.
    Default: ip-address
register-source-interface <interface_name>
    Enter the name of the FortiGate unit interface.
    This field is only available when register-source is set to interface.
    Default: Null
register-source-ip <address_ipv4>
    This field is available when register-source is set to ip-address.
    Enter the IP source address to include in the register message.
    Default: 0.0.0.0
register-suppression <suppress_integer>
    Enter the amount of time (in seconds) that a FortiGate unit DR waits to start sending data to an RP after receiving a Register-Stop message from the RP. The range is from 1 to 65 535.
    Default: 60
rp-register-keepalive <keepalive_integer>
    If the FortiGate unit acts as an RP, set the frequency (in seconds) with which the FortiGate unit sends keepalive messages to a DR. The range is from 1 to 65 535. The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic.
    If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically.
    Default: 185
spt-threshold {enable | disable}
    Enable or disable the FortiGate unit to build a Shortest Path Tree (SPT) for forwarding multicast packets.
    Default: enable
spt-threshold-group <access_list_name>
    Build an SPT only for the multicast group addresses given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    This field is only available when spt-threshold is set to enable.
    Default: Null
ssm {enable | disable}
    This field is available when the IGMP version is set to 3.
    Enable or disable Source Specific Multicast (SSM) interactions (see RFC 3569).
    Default: enable
ssm-range <access_list_name>
    Enable SSM only for the multicast addresses given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions.
    This field is only available when ssm is set to enable.
    Default: Null
config rp-address variables
Only used when pim-mode is sparse-mode.
edit <rp_id>
    Enter an ID number for the static RP address entry. The number must be an integer.
    No default.
ip-address <address_ipv4>
    Specify a static IP address for the RP.
    Default: 0.0.0.0
group <access_list_name>
    Configure a single static RP for the multicast group addresses given in the specified access list. For more information on access lists, see “access-list, access-list6” on page 286.
    If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead.
    Default: Null
multicast-flow
Use this command to configure the source allowed for a multicast flow when using PIM-SM or PIM-SSM.
Syntax
    config router multicast-flows
        edit <flowname_str>
            set comments <comment_str>
            config flows
                edit <id>
                    set group-addr <group_ipv4>
                    set source-addr <src_ipv4>
                end
        end
edit <flowname_str>
    Enter a name for this flow.
comments <comment_str>
    Optionally, enter a descriptive comment.
edit <id>
    Enter the ID number for this flow.
group-addr <group_ipv4>
    Enter the multicast group IP address. Range 224.0.0.0 - 239.255.255.255.
    Default: 0.0.0.0
source-addr <src_ipv4>
    Enter the source IP address.
    Default: 0.0.0.0
ospf
Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate unit. More
information on OSPF can be found in RFC 2328.
OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP protocol. An
OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router
connected to more than one area is an area border router (ABR). Routing information is contained in a link state
database. Routing information is communicated between routers using link state advertisements (LSAs).
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware
failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection
then that router is declared down. BFD then communicates this information to the routing protocol and the routing
information is updated. BFD support can only be configured through the CLI.
Syntax
    config router ospf
        set abr-type {cisco | ibm | shortcut | standard}
        set auto-cost-ref-bandwidth <mbps_integer>
        set bfd {enable | disable | global}
        set database-overflow {enable | disable}
        set database-overflow-max-lsas <lsas_integer>
        set database-overflow-time-to-recover <seconds_integer>
        set default-information-metric <metric_integer>
        set default-information-metric-type {1 | 2}
        set default-information-originate {always | disable | enable}
        set default-information-route-map <name_str>
        set default-metric <metric_integer>
        set distance <distance_integer>
        set distance-external <distance_integer>
        set distance-inter-area <distance_integer>
        set distance-intra-area <distance_integer>
        set distribute-list-in <access_list_name>
        set passive-interface <name_str>
        set restart-mode {graceful-restart | lls | none}
        set restart-period <time_int>
        set rfc1583-compatible {enable | disable}
        set router-id <address_ipv4>
        set spf-timers <delay_integer> <hold_integer>
        config area
            edit <area_address_ipv4>
                set authentication {md5 | none | text}
                set default-cost <cost_integer>
                set nssa-default-information-originate {enable | disable}
                set nssa-default-information-originate-metric <metric>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                set nssa-translator-role {always | candidate | never}
                set shortcut {default | disable | enable}
                set stub-type {no-summary | summary}
                set type {nssa | regular | stub}
                config filter-list
                    edit <filter-list_id>
                        set direction {in | out}
                        set list <name_str>
                end
                config range
                    edit <range_id>
                        set advertise {enable | disable}
                        set prefix <address_ipv4mask>
                        set substitute <address_ipv4mask>
                        set substitute-status {enable | disable}
                end
                config virtual-link
                    edit <vlink_name>
                        set authentication {md5 | none | text}
                        set authentication-key <password_str>
                        set dead-interval <seconds_integer>
                        set hello-interval <seconds_integer>
                        set md5-key <id_integer> <key_str>
                        set peer <address_ipv4>
                        set retransmit-interval <seconds_integer>
                        set transmit-delay <seconds_integer>
                end
        end
        config distribute-list
            edit <distribute-list_id>
                set access-list <name_str>
                set protocol {connected | rip | static}
            end
        end
        config neighbor
            edit <neighbor_id>
                set cost <cost_integer>
                set ip <address_ipv4>
                set poll-interval <seconds_integer>
                set priority <priority_integer>
            end
        end
        config network
            edit <network_id>
                set area <id-address_ipv4>
                set prefix <address_ipv4mask>
            end
        end
        config ospf-interface
            edit <ospf_interface_name>
                set authentication {md5 | none | text}
                set authentication-key <password_str>
                set cost <cost_integer>
                set database-filter-out {enable | disable}
                set dead-interval <seconds_integer>
                set hello-interval <seconds_integer>
                set interface <name_str>
                set ip <address_ipv4>
                set md5-key <id_integer> <key_str>
                set mtu <mtu_integer>
                set mtu-ignore {enable | disable}
                set network-type <type>
                set priority <priority_integer>
                set resync-timeout <integer>
                set retransmit-interval <seconds_integer>
                set status {enable | disable}
                set transmit-delay <seconds_integer>
            end
        end
        config redistribute {bgp | connected | static | rip}
            set metric <metric_integer>
            set metric-type {1 | 2}
            set routemap <name_str>
            set status {enable | disable}
            set tag <tag_integer>
        end
        config summary-address
            edit <summary-address_id>
                set advertise {enable | disable}
                set prefix <address_ipv4mask>
                set tag <tag_integer>
            end
        end
    end
config router ospf
Use this command to set the router ID of the FortiGate unit. Additional configuration options are supported.
The router-id field is required. All other fields are optional.
abr-type {cisco | ibm | shortcut | standard}
    Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509.
    Default: standard
auto-cost-ref-bandwidth <mbps_integer>
    Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535.
    Default: 1000
bfd {enable | disable | global}
    Select one of the Bidirectional Forwarding Detection (BFD) options for this interface.
    • enable - start BFD on this interface
    • disable - stop BFD on this interface
    • global - use the global settings instead of explicitly setting BFD per interface.
    For the global settings see “system bfd {enable | disable}” on page 549.
    Default: disable
database-overflow {enable | disable}
    Enable or disable dynamically limiting link state database size under overflow conditions. Enable this command for FortiGate units on a network with routers that may not be able to maintain a complete link state database because of limited resources.
    Default: disable
database-overflow-max-lsas <lsas_integer>
    If you have enabled database-overflow, set the limit for the number of external link state advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294.
    Default: 10000
database-overflow-time-to-recover <seconds_integer>
    Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until restarted. The valid range for seconds_integer is 0 to 65535.
    Default: 300
default-information-metric <metric_integer>
    Specify the metric for the default route set by the default-information-originate command. The valid range for metric_integer is 1 to 16777214.
    Default: 10
default-information-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the default-information-originate command.
    Default: 2
default-information-originate {always | disable | enable}
    Enter enable to advertise a default route into an OSPF routing domain.
    Use always to advertise a default route even if the FortiGate unit does not have a default route in its routing table.
    Default: disable
default-information-route-map <name_str>
    If you have set default-information-originate to always, and there is no default route in the routing table, you can configure a route map to define the parameters that OSPF uses to advertise the default route.
    Default: Null
default-metric <metric_integer>
    Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
    Default: 10
distance <distance_integer>
    Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. The valid range for distance_integer is 1 to 255.
    Default: 110
distance-external <distance_integer>
    Change the administrative distance of all external OSPF routes. The range is from 1 to 255.
    Default: 110
distance-inter-area <distance_integer>
    Change the administrative distance of all inter-area OSPF routes. The range is from 1 to 255.
    Default: 110
distance-intra-area <distance_integer>
    Change the administrative distance of all intra-area OSPF routes. The range is from 1 to 255.
    Default: 110
distribute-list-in <access_list_name>
    Limit route updates from the OSPF neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See “access-list, access-list6” on page 286.
    Default: Null
passive-interface <name_str>
    OSPF routing information is not sent or received through the specified interface.
    No default.
restart-mode {graceful-restart | lls | none}
    Select the restart mode from:
    • graceful-restart - (also known as hitless restart) when the FortiGate unit goes down it advertises to neighbors how long it will be down to reduce traffic
    • lls - Enable Link-local Signaling (LLS) mode
    • none - hitless restart (graceful restart) is disabled
    Default: none
restart-period <time_int>
    Enter the time in seconds the restart is expected to take.
    Default: 120
rfc1583-compatible {enable | disable}
    Enable or disable RFC 1583 compatibility. RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583.
    When RFC 1583 compatibility is enabled, routers choose the path with the lowest cost. Otherwise, routers choose the lowest cost intra-area path through a non-backbone area.
    Default: disable
router-id <address_ipv4>
    Set the router ID. The router ID is a unique number, in IP address dotted decimal format, that is used to identify an OSPF router to other OSPF routers within an area. The router ID should not be changed while OSPF is running.
    A router ID of 0.0.0.0 is not allowed.
    Default: 0.0.0.0
spf-timers <delay_integer> <hold_integer>
    Change the default shortest path first (SPF) calculation delay time and frequency.
    The delay_integer is the time, in seconds, between when OSPF receives information that will require an SPF calculation and when it starts an SPF calculation. The valid range for delay_integer is 0 to 4294967295.
    The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. The valid range for hold_integer is 0 to 4294967295.
    OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU.
    Default: 5 10
Example
This example shows how to set the OSPF router ID to 1.1.1.1 for a standard area border router:
    config router ospf
        set abr-type standard
        set router-id 1.1.1.1
    end
config area
Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing
domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs).
There must be a backbone area that all areas can connect to. You can use a virtual link to connect areas that do not
have a physical connection to the backbone. Routers within an OSPF area maintain link state databases for their own
areas.
FortiGate units support the three main types of areas—stub areas, Not So Stubby areas (NSSA), and regular areas. A
stub area only has a default route to the rest of the OSPF routing domain. NSSA is a type of stub area that can import
AS external routes and send them to the backbone, but cannot receive AS external routes from the backbone or
other areas. All other areas are considered regular areas.
You can use the config filter-list subcommand to control the import and export of LSAs into and out of an
area. For more information, see “config filter-list variables” on page 335.
You can use access or prefix lists for OSPF area filter lists. For more information, see “access-list, access-list6” on
page 286 and “prefix-list, prefix-list6” on page 352.
You can use the config range subcommand to summarize routes at an area boundary. If the network numbers in
an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are
within the specified range. See “config range variables” on page 335.
You can configure a virtual link using the config virtual-link subcommand to connect an area to the backbone
when the area has no direct connection to the backbone (see “config virtual-link variables” on page 336). A virtual link
allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a
stub area. Virtual links can only be set up between two ABRs.
If you define a filter list, the direction and list fields are required. If you define a range, the
prefix field is required. If you define a virtual link, the peer field is required. All other fields are
optional.
If you configure authentication for interfaces, the authentication configured for the area is
overridden.
edit <area_address_ipv4>
    Type the IP address of the area. An address of 0.0.0.0 indicates the backbone area.
    No default.
authentication {md5 | none | text}
    Define the authentication used for OSPF packets sent and received in this area. Choose one of:
    none — no authentication is used.
    text — the authentication key is sent as plain text.
    md5 — the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.
    In text mode the key is sent in clear text over the network, and is only used to prevent network problems that can occur if a misconfigured router is mistakenly added to the area.
    Authentication passwords or keys are defined per interface. For more information, see “config ospf-interface” on page 339.
    Default: none
default-cost <cost_integer>
    Enter the metric to use for the summary default route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route.
    The valid range for cost_integer is 1 to 16777214.
    Default: 10
nssa-default-information-originate {enable | disable}
    Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA Autonomous System Boundary Routers only.
    Default: disable
nssa-default-information-originate-metric <metric>
    Specify the metric (an integer) for the default route set by the nssa-default-information-originate field.
    Default: 10
nssa-default-information-originate-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the nssa-default-information-originate field.
    Default: 2
nssa-redistribution {enable | disable}
    Enable or disable redistributing routes into a NSSA area.
    Default: enable
nssa-translator-role {always | candidate | never}
    A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator for the NSSA.
    You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators.
    You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA.
    You can set the translator role to never to ensure this FortiGate unit never acts as the translator if it is in a NSSA.
    Default: candidate
shortcut {default | disable | enable}
    Use this command to specify area shortcut parameters.
    Default: disable
stub-type {no-summary | summary}
    Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area.
    Default: summary
type {nssa | regular | stub}
    Set the area type:
    • Select nssa for a not so stubby area.
    • Select regular for a normal OSPF area.
    • Select stub for a stub area.
    For more information, see “config area” on page 333.
    Default: regular
config filter-list variables
edit <filter-list_id>
    Enter an ID number for the filter list. The number must be an integer.
    No default.
direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
    Default: out
list <name_str>
    Enter the name of the access list or prefix list to use for this filter list.
    Default: Null
config range variables
edit <range_id>
    Enter an ID number for the range. The number must be an integer in the 0 to 4294967295 range.
    No default.
advertise {enable | disable}
    Enable or disable advertising the specified range.
    Default: enable
prefix <address_ipv4mask>
    Specify the range of addresses to summarize.
    Default: 0.0.0.0 0.0.0.0
substitute <address_ipv4mask>
    Enter a prefix to advertise instead of the prefix defined for the range. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0
substitute-status {enable | disable}
    Enable or disable using a substitute prefix.
    Default: disable
config virtual-link variables
edit <vlink_name>
    Enter a name for the virtual link.
    No default.
authentication {md5 | none | text}
    Define the type of authentication used for OSPF packets sent and received over this virtual link. Choose one of:
    none — no authentication is used.
    text — the authentication key is sent as plain text.
    md5 — the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet.
    In text mode the key is sent in clear text over the network, and is only used to prevent network problems that can occur if a misconfigured router is mistakenly added to the area.
    Default: none
authentication-key <password_str>
    Enter the password to use for text authentication. The maximum length for the authentication-key is 15 characters.
    The authentication-key used must be the same on both ends of the virtual link.
    This field is only available when authentication is set to text.
    Default: * (No default.)
dead-interval <seconds_integer>
    The time in seconds to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.
    Both ends of the virtual link must use the same value for dead-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 40
hello-interval <seconds_integer>
    The time, in seconds, between hello packets.
    Both ends of the virtual link must use the same value for hello-interval.
    The value for dead-interval should be four times larger than the hello-interval value.
    The valid range for seconds_integer is 1 to 65535.
    Default: 10
md5-key <id_integer> <key_str>
    This field is available when authentication is set to md5.
    Enter the key ID and password to use for MD5 authentication. Both ends of the virtual link must use the same key ID and key.
    The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.
    No default.
peer <address_ipv4>
    The router ID of the remote ABR. 0.0.0.0 is not allowed.
    Default: 0.0.0.0
retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5
transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this virtual link.
    OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link.
    Increase the value for transmit-delay on low speed links.
    The valid range for seconds_integer is 1 to 65535.
    Default: 1
Example
This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.
    config router ospf
        config area
            edit 15.1.1.1
                set type stub
                set stub-type summary
                set default-cost 20
                set authentication md5
            end
        end
This example shows how to use a filter list named acc_list1 to filter packets entering area 15.1.1.1.
    config router ospf
        config area
            edit 15.1.1.1
                config filter-list
                    edit 1
                        set direction in
                        set list acc_list1
                end
        end
This example shows how to set the prefix for range 1 of area 15.1.1.1.
    config router ospf
        config area
            edit 15.1.1.1
                config range
                    edit 1
                        set prefix 1.1.0.0 255.255.0.0
                end
        end
This example shows how to configure a virtual link.
    config router ospf
        config area
            edit 15.1.1.1
                config virtual-link
                    edit vlnk1
                        set peer 1.1.1.1
                end
        end
config distribute-list
Use this subcommand to filter the networks for routing updates using an access list. Routes not matched by any of
the distribution lists will not be advertised.
You must configure the access list that you want the distribution list to use before you configure the distribution list.
To configure an access list, see “access-list, access-list6” on page 286.
The access-list and protocol fields are required.
edit <distribute-list_id>
    Enter an ID number for the distribution list. The number must be an integer.
    No default.
access-list <name_str>
    Enter the name of the access list to use for this distribution list.
    Default: Null
protocol {connected | rip | static}
    Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.
    Default: connected
Example
This example shows how to configure distribution list 2 to use an access list named acc_list1 for all static routes.
    config router ospf
        config distribute-list
            edit 2
                set access-list acc_list1
                set protocol static
            end
        end
config neighbor
Use this subcommand to manually configure an OSPF neighbor on non-broadcast networks. OSPF packets are
unicast to the specified neighbor address. You can configure multiple neighbors.
The ip field is required. All other fields are optional.
edit <neighbor_id>
    Enter an ID number for the OSPF neighbor. The number must be an integer.
    No default.
cost <cost_integer>
    Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.
    Default: 10
ip <address_ipv4>
    Enter the IP address of the neighbor.
    Default: 0.0.0.0
poll-interval <seconds_integer>
    Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value of the poll interval must be larger than the value of the hello interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10
priority <priority_integer>
    Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.
    Default: 1
Example
This example shows how to manually add a neighbor.
    config router ospf
        config neighbor
            edit 1
                set ip 192.168.21.63
            end
        end
config network
Use this subcommand to identify the interfaces to include in the specified OSPF area. The prefix field can define
one or multiple interfaces.
The area and prefix fields are required.
edit <network_id>
    Enter an ID number for the network. The number must be an integer.
    No default.
area <id-address_ipv4>
    The ID number of the area to be associated with the prefix.
    Default: 0.0.0.0
prefix <address_ipv4mask>
    Enter the IP address and netmask for the OSPF network.
    Default: 0.0.0.0 0.0.0.0
Example
Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.
    config router ospf
        config network
            edit 2
                set area 10.1.1.1
                set prefix 10.0.0.0 255.255.255.0
            end
        end
config ospf-interface
Use this subcommand to configure interface related OSPF settings.
The interface field is required. All other fields are optional.
If you configure authentication for the interface, authentication for areas is not used.
edit <ospf_interface_name>
    Enter a descriptive name for this OSPF interface configuration. To apply this configuration to a FortiGate unit interface, set the interface <name_str> attribute.
    No default.
authentication {md5 | none | text}
    Define the authentication used for OSPF packets sent and received by this interface. Choose one of:
    none — no authentication is used.
    text — the authentication key is sent as plain text.
    md5 — the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet.
    In text mode the key is sent in clear text over the network, and is only used to prevent network problems that can occur if a misconfigured router is mistakenly added to the network.
    All routers on the network must use the same authentication type.
    Default: none
authentication-key <password_str>
    This field is available when authentication is set to text.
    Enter the password to use for text authentication.
    The authentication-key must be the same on all neighboring routers.
    The maximum length for the authentication-key is 15 characters.
    Default: * (No default.)
bfd {enable | disable}
    Select to enable Bi-directional Forwarding Detection (BFD). It is used to quickly detect hardware problems on the network.
    This command enables this service on this interface.
cost <cost_integer>
    Specify the cost (metric) of the link. The cost is used for shortest path first calculations.
    Default: 10
database-filter-out {enable | disable}
    Enable or disable flooding LSAs out of this interface.
    Default: disable
dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.
    All routers on the network must use the same value for dead-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 40
hello-interval <seconds_integer>
    The time, in seconds, between hello packets.
    All routers on the network must use the same value for hello-interval.
    The value of the dead-interval should be four times the value of the hello-interval.
    The valid range for seconds_integer is 1 to 65535.
    Default: 10
interface <name_str>
    Enter the name of the interface to associate with this OSPF configuration. The interface might be a virtual IPSec or GRE interface.
    Default: Null
ip <address_ipv4>
    Enter the IP address of the interface named by the interface field.
    It is possible to apply different OSPF configurations for different IP addresses defined on the same interface.
    Default: 0.0.0.0
md5-key
<id_integer> <key_str>
This field is available when authentication is set to md5.
Enter the key ID and password to use for MD5 authentication
You can add more than one key ID and key pair per interface.
However, you cannot unset one key without unsetting all of the
keys.
The key ID and key must be the same on all neighboring routers.
The valid range for id_integer is 1 to 255. key_str is an
alphanumeric string of up to 16 characters.
No default.
mtu <mtu_integer>
Change the Maximum Transmission Unit (MTU) size included in
database description packets sent out this interface. The valid
range for mtu_integer is 576 to 65535.
1500
mtu-ignore
{enable | disable}
Use this command to control the way OSPF behaves when the
Maximum Transmission Unit (MTU) in the sent and received
database description packets does not match.
When mtu-ignore is enabled, OSPF will stop detecting
mismatched MTUs and go ahead and form an adjacency.
When mtu-ignore is disabled, OSPF will detect mismatched
MTUs and not form an adjacency.
mtu-ignore should only be enabled if it is not possible to
reconfigure the MTUs so that they match on both ends of the
attempted adjacency connection.
disable
network-type <type>
broadcast
Specify the type of network to which the interface is connected.
OSPF supports four different types of network. This command
specifies the behavior of the OSPF interface according to the
network type. Choose one of:
broadcast
non-broadcast
point-to-multipoint
point-to-point
If you specify non-broadcast, you must also configure neighbors
using “config neighbor” on page 338.
priority
<priority_integer>
1
Set the router priority for this interface.
Router priority is used during the election of a designated router
(DR) and backup designated router (BDR).
An interface with router priority set to 0 can not be elected DR or
BDR. The interface with the highest router priority wins the election.
If there is a tie for router priority, router ID is used.
Point-to-point networks do not elect a DR or BDR; therefore, this
setting has no effect on a point-to-point network.
The valid range for priority_integer is 0 to 255.
resync-timeout
<integer>
Enter the synchronizing timeout for graceful restart interval in
seconds. This is the period for this interface to synchronize with a
neighbor.
retransmit-interval
<seconds_integer>
The time, in seconds, to wait before sending an LSA retransmission.
The value for the retransmit interval must be greater than the
expected round-trip delay for a packet. The valid range for
seconds_integer is 1 to 65535.
5
status
{enable | disable}
Enable or disable OSPF on this interface.
enable
transmit-delay
<seconds_integer>
The estimated time, in seconds, required to send a link state
update packet on this interface.
OSPF increments the age of the LSAs in the update packet to
account for transmission and propagation delays on the interface.
Increase the value for transmit-delay on low speed links.
The valid range for seconds_integer is 1 to 65535.
1
Example
This example shows how to assign an OSPF interface configuration named test to the interface named internal
and how to configure text authentication for this interface.
config router ospf
config ospf-interface
edit test
set interface internal
set ip 192.168.20.3
set authentication text
set authentication-key a2b3c4d5e
end
end
config redistribute
Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the
destination network.
The OSPF redistribution table contains only the following static entries. You cannot add entries to the table. The
entries are defined as follows:
• bgp — Redistribute routes learned from BGP.
• connected — Redistribute routes learned from a direct connection to the destination network.
• isis — Redistribute routes learned from ISIS.
• static — Redistribute the static routes defined in the FortiGate unit routing table.
• rip — Redistribute routes learned from RIP.
When you enter the subcommand, end the command with one of the static entry names (that is, config
redistribute {bgp | connected | isis | static | rip}).
All fields are optional.
Variable
Description
Default
metric <metric_integer>
Enter the metric to be used for the redistributed routes. The
metric_integer range is from 1 to 16777214.
10
metric-type {1 | 2}
Specify the external link type to be used for the redistributed
routes.
2
routemap <name_str>
Enter the name of the route map to use for the redistributed routes.
For information on how to configure route maps, see “route-map”
on page 368.
Null
status {enable | disable}
Enable or disable redistributing routes.
disable
tag <tag_integer>
Specify a tag for redistributed routes.
The valid range for tag_integer is 0 to 4294967295.
0
Example
This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map named rtmp2.
config router ospf
config redistribute rip
set metric 3
set routemap rtmp2
set status enable
end
config summary-address
Use this subcommand to summarize external routes for redistribution into OSPF. This command works only for
summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization
between areas, see “config range variables” on page 335. By replacing the LSAs for each route with one aggregate
route, you reduce the size of the OSPF link-state database.
The prefix field is required. All other fields are optional.
Variable
Description
Default
edit <summary-address_id>
Enter an ID number for the summary address. The number must
be an integer.
No default.
advertise
{enable | disable}
Advertise or suppress the summary route that matches the
specified prefix.
enable
prefix <address_ipv4mask>
Enter the prefix (IP address and netmask) to use for the summary
route. The prefix 0.0.0.0 0.0.0.0 is not allowed.
0.0.0.0
0.0.0.0
tag <tag_integer>
Specify a tag for the summary route.
The valid range for tag_integer is 0 to 4294967295.
0
ospf6
Use this command to configure OSPF routing for IPv6 traffic.
IP version 6 for OSPF is supported through Open Shortest Path First version 3 (OSPFv3) defined in RFC 2740. This
includes the Authentication/Confidentiality for OSPFv3.
For more information on OSPF features in general, see “config router ospf” on page 331.
Syntax
config router ospf6
set abr-type {cisco | ibm | standard}
set auto-cost-ref-bandwidth <mbps_integer>
set default-metric <metric_integer>
set passive-interface <name_str>
set router-id <address_ipv6>
set spf-timers <delay_integer> <hold_integer>
config area
edit <area_address_ipv6>
set default-cost <cost_integer>
set nssa-default-information-originate {enable | disable}
set nssa-default-information-originate-metric <metric>
set nssa-default-information-originate-metric-type {1 | 2}
set nssa-redistribution {enable | disable}
set nssa-translator-role {always | candidate | never}
set stub-type {no-summary | summary}
set type {regular | stub | nssa}
end
config ospf-interface
edit <ospf_interface_name>
set authentication {md5 | none | text}
set cost <cost_integer>
set dead-interval <seconds_integer>
set hello-interval <seconds_integer>
set interface <name_str>
set priority <priority_integer>
set retransmit-interval <seconds_integer>
set status {enable | disable}
set transmit-delay <seconds_integer>
end
end
config redistribute {bgp | connected | rip | static}
set metric <metric_integer>
set metric-type {1 | 2}
set routemap <name_str>
set status {enable | disable}
end
end
Variable
Description
Default
abr-type {cisco | ibm |
standard}
Specify the behavior of a FortiGate unit acting as an OSPF
area border router (ABR) when it has multiple attached areas
and has no backbone connection. Selecting the ABR type
compatible with the routers on your network can reduce or
eliminate the need for configuring and maintaining virtual
links. For more information, see RFC 3509.
standard
auto-cost-ref-bandwidth
<mbps_integer>
Enter the Mbits per second for the reference bandwidth.
Values can range from 1 to 65535.
1000
default-metric
<metric_integer>
Specify the default metric that OSPF should use for
redistributed routes. The valid range for metric_integer
is 1 to 16777214.
10
passive-interface <name_str>
OSPF routing information is not sent or received through the
specified interface.
No default.
router-id <address_ipv6>
Set the router ID. The router ID is a unique number, in IP
address dotted decimal format, that is used to identify an
OSPF router to other OSPF routers within an area. The router
ID should not be changed while OSPF is running.
A router ID of 0.0.0.0 is not allowed.
::
spf-timers <delay_integer>
<hold_integer>
Change the default shortest path first (SPF) calculation delay
time and frequency.
The delay_integer is the time, in seconds, between when
OSPF receives information that will require an SPF
calculation and when it starts an SPF calculation. The valid
range for delay_integer is 0 to 4294967295.
The hold_integer is the minimum time, in seconds,
between consecutive SPF calculations. The valid range for
hold_integer is 0 to 4294967295.
OSPF updates routes more quickly if the SPF timers are set
low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU.
5 10
config area
Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing
domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs).
There must be a backbone area that all areas can connect to. You can use a virtual link to connect areas that do not
have a physical connection to the backbone. Routers within an OSPF area maintain link state databases for their own
areas.
You can use the config range subcommand to summarize routes at an area boundary. If the network numbers in
an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are
within the specified range. See “config range variables” on page 335.
You can configure a virtual link using the config virtual-link subcommand to connect an area to the backbone
when the area has no direct connection to the backbone (see “config virtual-link variables” on page 336). A virtual link
allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a
stub area. Virtual links can only be set up between two ABRs.
Variable
Description
Default
edit <area_address_ipv6>
Type the IP address of the area. An address of :: indicates the
backbone area.
No default.
default-cost
<cost_integer>
Enter the metric to use for the summary default route in a stub
area or not so stubby area (NSSA). A lower default cost indicates
a more preferred route.
The valid range for cost_integer is 1 to 16777214.
10
nssa-default-information-originate
{enable | disable}
Enter enable to advertise a default route in a not so stubby
area. Affects NSSA ABRs or NSSA Autonomous System
Boundary Routers only.
disable
nssa-default-information-originate-metric <metric>
Specify the metric (an integer) for the default route set by the
nssa-default-information-originate field.
The valid range is 0 to 16777214.
10
nssa-default-information-originate-metric-type
{1 | 2}
Specify the OSPF external metric type for the default route set by
the nssa-default-information-originate field.
2
nssa-redistribution
{enable | disable}
Enable or disable redistributing routes into a NSSA area.
enable
nssa-translator-role
{always | candidate |
never}
A NSSA border router can translate the Type 7 LSAs used for
external route information within the NSSA to Type 5 LSAs used
for distributing external route information to other parts of the
OSPF routing domain. Usually a NSSA will have only one NSSA
border router acting as a translator for the NSSA.
You can set the translator role to always to ensure this FortiGate
unit always acts as a translator if it is in a NSSA, even if other
routers in the NSSA are also acting as translators.
You can set the translator role to candidate to have this
FortiGate unit participate in the process for electing a translator
for a NSSA.
You can set the translator role to never to ensure this FortiGate
unit never acts as the translator if it is in a NSSA.
candidate
stub-type
{no-summary | summary}
Select the type of communication with the stub area.
Choose one of:
no-summary — prevent an ABR sending summary LSAs into a
stub area.
summary — allow an ABR to send summary LSAs into a stub
area.
summary
type
{regular | stub | nssa}
For the type of area, choose one of:
regular — for a normal OSPF area.
stub — for a stub area that has limited connections to other
areas.
nssa — for a not so stubby area.
regular
config range Variables
Variable
Description
Default
edit <range_id>
Enter an ID number for the range. The number must be an
integer in the 0 to 4 294 967 295 range.
No default.
advertise
{enable | disable}
Enable or disable advertising the specified range.
enable
prefix6
<address_ipv6mask>
Specify the range of addresses to summarize.
::/0
config virtual-link Variables
Variable
Description
Default
edit <vlink_name>
Enter a name for the virtual link.
No default.
dead-interval
<seconds_integer>
The time, in seconds, to wait for a hello packet before declaring a
router down. The value of the dead-interval should be four
times the value of the hello-interval.
Both ends of the virtual link must use the same value for dead-interval.
The valid range for seconds_integer is 1 to 65535.
40
hello-interval
<seconds_integer>
The time, in seconds, between hello packets.
Both ends of the virtual link must use the same value for hello-interval.
The valid range for seconds_integer is 1 to 65535.
10
peer <address_ipv4>
The router id of the remote ABR.
0.0.0.0 is not allowed.
0.0.0.0
retransmit-interval
<seconds_integer>
The time, in seconds, to wait before sending an LSA
retransmission. The value for the retransmit interval must be
greater than the expected round-trip delay for a packet. The valid
range for seconds_integer is 1 to 65535.
5
transmit-delay
<seconds_integer>
The estimated time, in seconds, required to send a link state
update packet on this virtual link.
OSPF increments the age of the LSAs in the update packet to
account for transmission and propagation delays on the virtual
link.
Increase the value for transmit-delay on low speed links.
The valid range for seconds_integer is 1 to 65535.
1
config ospf6-interface
Use this subcommand to change interface related OSPF settings.
The interface field is required. All other fields are optional.
Variable
Description
Default
edit <ospf6_interface_name>
Enter a descriptive name for this OSPF interface configuration. To
apply this configuration to a FortiGate unit interface, set the
interface <name_str> attribute.
No default.
area-id <ip4_addr>
Enter the area ID in A.B.C.D IPv4 format.
0.0.0.0
cost <cost_integer>
Specify the cost (metric) of the link. The cost is used for shortest
path first calculations. Range 1 to 65 535. Use 0 for auto-cost.
0
dead-interval
<seconds_integer>
The time, in seconds, to wait for a hello packet before declaring a
router down. The value of the dead-interval should be four times
the value of the hello-interval.
All routers on the network must use the same value for dead-interval.
The valid range for seconds_integer is 1 to 65535.
40
hello-interval
<seconds_integer>
The time, in seconds, between hello packets.
All routers on the network must use the same value for hello-interval.
The valid range for seconds_integer is 1 to 65535.
10
interface <name_str>
Enter the name of the interface to associate with this OSPF
configuration. The interface might be a virtual IPSec or GRE
interface.
Null
priority
<priority_integer>
Set the router priority for this interface.
Router priority is used during the election of a designated router (DR)
and backup designated router (BDR).
An interface with router priority set to 0 cannot be elected DR or
BDR. The interface with the highest router priority wins the election.
If there is a tie for router priority, router ID is used.
Point-to-point networks do not elect a DR or BDR; therefore, this
setting has no effect on a point-to-point network.
The valid range for priority_integer is 0 to 255.
1
retransmit-interval
<seconds_integer>
The time, in seconds, to wait before sending an LSA retransmission.
The value for the retransmit interval must be greater than the
expected round-trip delay for a packet. The valid range for
seconds_integer is 1 to 65535.
5
status
{enable | disable}
Enable or disable OSPF on this interface.
enable
transmit-delay
<seconds_integer>
The estimated time, in seconds, required to send a link state update
packet on this interface.
OSPF increments the age of the LSAs in the update packet to
account for transmission and propagation delays on the interface.
Increase the value for transmit-delay on low speed links.
The valid range for seconds_integer is 1 to 65535.
1
config redistribute
Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the
destination network.
The OSPF redistribution table contains only the following static entries. You cannot add entries to the table. The
entries are defined as follows:
• bgp — Redistribute routes learned from BGP.
• connected — Redistribute routes learned from a direct connection to the destination network.
• isis — Redistribute routes learned from ISIS.
• static — Redistribute the static routes defined in the FortiGate unit routing table.
• rip — Redistribute routes learned from RIP.
When you enter the subcommand, end the command with one of the static entry names (that is, config
redistribute {bgp | connected | isis | rip | static}).
All fields are optional.
Variable
Description
Default
metric <metric_integer>
Enter the metric to be used for the redistributed routes. The
metric_integer range is from 1 to 16777214.
10
metric-type {1 | 2}
Specify the external link type to be used for the redistributed
routes.
2
routemap <name_str>
Enter the name of the route map to use for the redistributed routes.
Null.
status {enable | disable}
Enable or disable redistributing routes.
disable
policy
Use this command to add, move, edit or delete a route policy. When you create a policy route, any packets that
match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface.
You can configure the FortiGate unit to route packets based on:
• a source address
• a protocol, service type, or port range
• the inbound interface
• type of service (TOS)
When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the
packet with a policy in ascending order. If the packet matches no policy route, the FortiGate unit routes the packet
using the routing table. Route policies are processed before static routing. You can change the order of policy routes
using the move command.
For static routing, any number of static routes can be defined for the same destination. When
multiple routes for the same destination exist, the FortiGate unit chooses the route having the
lowest administrative distance. Route redundancy is not available for policy routing: any packets
that match a route policy are forwarded according to the route specified in the policy.
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be
delivered, with such criteria as delay, priority, reliability, and minimum cost. Each quality helps gateways determine
the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority
TOS is 0, the highest is 7 - when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to
the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS
route. Using increased quality may increase the cost of delivery because better performance may consume limited
network resources. For more information see RFC 791 and RFC 1349.
Table 1: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2 (Precedence): Some networks treat high precedence traffic as more important traffic.
Precedence should only be used within a network, and can be used differently in each network.
Typically you do not care about these bits.
bit 3 (Delay): When set to 1, this bit indicates low delay is a priority. This is useful for such
services as VoIP where delays degrade the quality of the sound.
bit 4 (Throughput): When set to 1, this bit indicates high throughput is a priority. This is useful for
services that require lots of bandwidth such as video conferencing.
bit 5 (Reliability): When set to 1, this bit indicates high reliability is a priority. This is useful when a
service must always be available such as with DNS servers.
bit 6 (Cost): When set to 1, this bit indicates low cost is a priority. Generally there is a higher
delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.
bit 7 (Reserved for future use): Not used at this time.
The two fields tos and tos-mask enable you to configure type of service support on your FortiGate unit. tos-mask
enables you to only look at select bits of the 8-bit TOS field in the IP header. This is useful as you may only care about
reliability for some traffic, and not about the other TOS criteria.
The value in tos is compared with the bits of the packet's TOS field that tos-mask selects. If it matches, the rest
of the policy is applied. If it does not match, the next policy is tried if one is configured, and eventually default
routing is applied if there are no other matches.
You need to use tos-mask to remove bits from the pattern you don’t care about, or those bits will
prevent a match with your tos pattern.
Syntax
config router policy
move <seq-num1> {before | after} <seq-num2>
edit <policy_integer>
set dst <dest-address_ipv4mask>
set end-port <port_integer>
set gateway <address_ipv4>
set input-device <interface-name_str>
set output-device <interface-name_str>
set protocol <protocol_integer>
set src <source-address_ipv4mask>
set start-port <port_integer>
set tos <hex_mask>
set tos-mask <hex_mask>
end
The input-device field is required. All other fields are optional.
Variable
Description
Default
move <seq-num1>
{before | after} <seq-num2>
Move policy <seq-num1> to before or after policy <seq-num2>.
No default.
edit <policy_integer>
Enter an ID number for the route policy. The number must
be an integer.
No default.
dst <dest-address_ipv4mask>
Match packets that have this destination IP address and
netmask.
0.0.0.0
0.0.0.0
end-port <port_integer>
The end port number of a port range for a policy route.
Match packets that have this destination port range. You
must configure both the start-port and end-port
fields for destination-port-range matching to take effect. To
specify a range, the start-port value must be lower
than the end-port value. To specify a single port, the
start-port value must be identical to the end-port
value. The port_integer range is 0 to 65 535.
For protocols other than 6 (TCP), 17 (UDP), and 132 (SCTP)
the port number is ignored.
65 535
gateway <address_ipv4>
Send packets that match the policy to this next hop router.
0.0.0.0
input-device
<interface-name_str>
Match packets that are received on this interface.
Null
output-device
<interface-name_str>
Send packets that match the policy out this interface.
Null
protocol <protocol_integer>
To perform policy routing based on the value in the
protocol field of the packet, enter the protocol number to
match. The Internet Protocol Number is found in the IP
packet header. RFC 5237 describes protocol numbers, and
the IANA Protocol Numbers registry lists the assigned values.
The range is from 0 to 255. A value of 0 disables the
feature.
0
Commonly used protocol settings include 6 to route
TCP sessions, 17 for UDP sessions, 1 for ICMP
sessions, 47 for GRE sessions, and 92 for multicast
sessions.
For protocols other than 6 (TCP), 17 (UDP), and 132 (SCTP)
the port number is ignored.
src
<source-address_ipv4mask>
Match packets that have this source IP address and
netmask.
0.0.0.0
0.0.0.0
start-port <port_integer>
The start port number of a port range for a policy route.
Match packets that have this destination port range. You
must configure both the start-port and end-port
fields for destination-port-range matching to take effect. To
specify a range, the start-port value must be lower
than the end-port value. To specify a single port, the
start-port value must be identical to the end-port
value. The port_integer range is 0 to 65 535.
For protocols other than 6 (TCP), 17 (UDP), and 132 (SCTP)
the port number is ignored.
1
tos <hex_mask>
The type of service (TOS) mask to match after applying the
tos-mask. This is an 8-bit hexadecimal pattern that can
be from “00” to “FF”.
The tos mask attempts to match the quality of service for
this profile. Each bit in the mask represents a different
aspect of quality. A tos mask of “0010” would indicate
reliability is important, but with normal delay and
throughput. The hex mask for this pattern would be “04”.
Null
tos-mask <hex_mask>
This value determines which bits in the IP header’s TOS
field are significant. This is an 8-bit hexadecimal mask that
can be from “00” to “FF”.
Typically, only bits 3 through 6 are used for TOS, so it is
necessary to mask out the other bits. To mask out
everything but bits 3 through 6, the hex mask would be
“1E”.
Null
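The first-match policy lookup and the tos/tos-mask comparison described in this command (the TOS discussion at its start and the tos and tos-mask rows just above), as an added Python model. This is example code, not part of the FortiOS reference and not FortiOS's implementation; the policy list, interface names, addresses and packets are constructed, and treating a Null tos-mask as "TOS is not evaluated" is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, SCTP = 6, 17, 132
PORT_AWARE_PROTOCOLS = {TCP, UDP, SCTP}   # only these carry a port the policy can match
TOS_MASK_BITS_3_TO_6 = 0x1E               # the "1E" mask from the tos-mask description


def tos_byte(precedence=0, delay=False, throughput=False, reliability=False, cost=False) -> int:
    """Build a TOS byte with the bit numbering of Table 1 (bit 0 is the most significant bit)."""
    return ((precedence & 0x7) << 5 | int(delay) << 4 | int(throughput) << 3
            | int(reliability) << 2 | int(cost) << 1)


@dataclass
class PolicyRoute:
    """One 'edit <policy_integer>' entry; defaults follow the variable table."""
    seq: int
    input_device: str                  # the only required field
    src: str = "0.0.0.0/0"             # 0.0.0.0 0.0.0.0 matches any source
    dst: str = "0.0.0.0/0"
    protocol: int = 0                  # 0 disables protocol matching
    start_port: int = 1
    end_port: int = 65535
    tos: Optional[int] = None          # Null
    tos_mask: Optional[int] = None     # Null
    gateway: str = "0.0.0.0"
    output_device: str = ""


@dataclass
class Packet:
    input_device: str
    src: str
    dst: str
    protocol: int
    dst_port: int = 0
    tos: int = 0


def matches(policy: PolicyRoute, pkt: Packet) -> bool:
    if pkt.input_device != policy.input_device:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(policy.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(policy.dst, strict=False):
        return False
    if policy.protocol != 0 and pkt.protocol != policy.protocol:
        return False
    # The port range only applies to TCP, UDP and SCTP; for any other protocol it is ignored.
    if pkt.protocol in PORT_AWARE_PROTOCOLS:
        if not (policy.start_port <= pkt.dst_port <= policy.end_port):
            return False
    # TOS: keep only the bits tos-mask selects, then compare with the tos pattern.
    # Assumption: with tos-mask left Null the TOS byte is not evaluated at all.
    if policy.tos_mask is not None and policy.tos is not None:
        if (pkt.tos & policy.tos_mask) != policy.tos:
            return False
    return True


def select_route(policies: List[PolicyRoute], pkt: Packet) -> Optional[PolicyRoute]:
    """Walk the list in ascending sequence; first match wins, None means 'use the routing table'."""
    for policy in sorted(policies, key=lambda p: p.seq):
        if matches(policy, pkt):
            return policy
    return None


# Constructed sample policy list (not from the reference):
#  1: UDP received on internal that asks for low delay -> gateway 10.0.0.1
#  2: anything received on internal for 192.168.20.0/24 -> gateway 10.0.0.2
POLICIES = [
    PolicyRoute(seq=1, input_device="internal", protocol=UDP,
                tos=tos_byte(delay=True), tos_mask=TOS_MASK_BITS_3_TO_6, gateway="10.0.0.1"),
    PolicyRoute(seq=2, input_device="internal", dst="192.168.20.0/24", gateway="10.0.0.2"),
]


def gateway_for(pkt: Packet) -> Optional[str]:
    chosen = select_route(POLICIES, pkt)
    return chosen.gateway if chosen else None


if __name__ == "__main__":
    # Precedence bits 0-2 are removed by the 1E mask, so they cannot spoil the match.
    voip = Packet("internal", "10.1.1.5", "203.0.113.9", UDP, 5060,
                  tos=tos_byte(precedence=5, delay=True))
    print(gateway_for(voip))
```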
prefix-list, prefix-list6
Use this command to add, edit, or delete prefix lists. A prefix list is an enhanced version of an access list that allows
you to control the length of the prefix netmask. Prefix lists are called by routing protocols such as RIP or OSPF.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny),
and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a
match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny. A
prefix-list should be used to match the default route 0.0.0.0/0.
config router setting uses prefix-list to filter the displayed routes. For more information, see “setting” on
page 374.
Syntax
config router prefix-list, prefix-list6
edit <prefix_list_name>
set comments <string>
config rule
edit <prefix_rule_id>
set action {deny | permit}
set ge <length_integer>
set le <length_integer>
set prefix {<address_ipv4mask> | any}
set prefix6 {<address_ipv6mask> | any}
end
end
The action and prefix fields are required. All other fields are optional.
Variable
Description
Default
edit <prefix_list_name>
Enter a name for the prefix list. A prefix list and an access list
cannot have the same name.
No default.
config rule variables
edit <prefix_rule_id>
Enter an entry number for the rule. The number must be an
integer.
No default.
action {deny | permit}
Set the action to take for this prefix.
permit
comments <string>
Enter a description of this access list entry. The description can
be up to 127 characters long.
ge <length_integer>
Match prefix lengths that are greater than or equal to this number.
The setting for ge should be less than the setting for le. The
setting for ge should be greater than the netmask set for
prefix. length_integer can be any number from 0 to 32.
0
le <length_integer>
Match prefix lengths that are less than or equal to this number.
The setting for le should be greater than the setting for ge.
length_integer can be any number from 0 to 32.
32
prefix {<address_ipv4mask> | any}
Enter the prefix (IPv4 address and netmask) for this prefix list rule
or enter any to match any prefix. The length of the netmask
should be less than the setting for ge. If prefix is set to any, ge
and le should not be set.
This variable is only available for the prefix-list command.
0.0.0.0
0.0.0.0
prefix6 {<address_ipv6mask> | any}
Enter the prefix (IPv6 address and netmask) for this prefix list rule
or enter any to match any prefix. The length of the netmask
should be less than the setting for ge. If prefix6 is set to any, ge
and le should not be set.
This variable is only available for the prefix-list6 command.
::/0
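The top-down, first-match, default-deny evaluation and the ge/le length bounds described for prefix-list and prefix-list6, as an added Python model. This is example code, not from the reference and not FortiOS's implementation; the rule list and candidate routes are constructed, and representing an unset ge or le as None is an assumption about how "not set" should be modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class PrefixRule:
    """One 'edit <prefix_rule_id>' entry; permit is the table's default action."""
    rule_id: int
    prefix: str = "any"          # <address_ipv4mask>, <address_ipv6mask> or "any"
    action: str = "permit"
    ge: Optional[int] = None     # None models a field that was never set
    le: Optional[int] = None


def rule_matches(rule: PrefixRule, candidate: IPNetwork) -> bool:
    """A route matches when it lies inside the rule prefix and its length is within [ge, le]."""
    if rule.prefix != "any":
        rule_net = ipaddress.ip_network(rule.prefix, strict=False)
        if rule_net.version != candidate.version or not candidate.subnet_of(rule_net):
            return False
    if rule.ge is not None and candidate.prefixlen < rule.ge:
        return False
    if rule.le is not None and candidate.prefixlen > rule.le:
        return False
    return True


def evaluate(rules: List[PrefixRule], route: str) -> str:
    """Rules are tried from the top; the first match decides, an unmatched route is denied."""
    candidate = ipaddress.ip_network(route, strict=False)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, candidate):
            return rule.action
    return "deny"


def lint_rule(rule: PrefixRule) -> List[str]:
    """Report the consistency conditions the reference states for ge, le and prefix."""
    problems = []
    if rule.action not in ("permit", "deny"):
        problems.append("action must be permit or deny")
    if rule.prefix == "any":
        if rule.ge is not None or rule.le is not None:
            problems.append("ge and le should not be set when prefix is any")
        return problems
    net = ipaddress.ip_network(rule.prefix, strict=False)
    if rule.ge is not None and rule.le is not None and rule.ge > rule.le:
        problems.append("ge should be less than le")
    if rule.ge is not None and rule.ge <= net.prefixlen:
        problems.append("ge should be greater than the prefix netmask length")
    if rule.le is not None and rule.le > net.max_prefixlen:
        problems.append(f"le cannot exceed {net.max_prefixlen} for this address family")
    return problems


# Constructed sample list (not from the reference):
#   1  permit 10.0.0.0/8 ge 16 le 24   -> only /16 to /24 subnets of 10/8
#   2  permit 0.0.0.0/0 le 0           -> exactly the default route, as the text suggests
#   3  deny   192.168.0.0/16           -> every 192.168.x.x prefix
SAMPLE_RULES = [
    PrefixRule(1, "10.0.0.0/8", "permit", ge=16, le=24),
    PrefixRule(2, "0.0.0.0/0", "permit", le=0),
    PrefixRule(3, "192.168.0.0/16", "deny"),
]

if __name__ == "__main__":
    for route in ("10.1.0.0/16", "10.1.1.0/25", "0.0.0.0/0", "172.16.0.0/12"):
        print(route, evaluate(SAMPLE_RULES, route))
```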
rip
Use this command to configure the Routing Information Protocol (RIP) on the FortiGate unit. RIP is a distance-vector
routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each
network is usually counted as one hop. The network diameter is limited to 15 hops; a hop count of 16 means the
destination is unreachable.
The FortiOS implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453). RIP
version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.
update_timer cannot be larger than timeout_timer and garbage_timer. Attempts to do so
will generate an error.
Syntax
config router rip
set default-information-originate {enable | disable}
set default-metric <metric_integer>
set garbage-timer <timer_integer>
set passive-interface <name_str>
set timeout-timer <timer_integer>
set update-timer <timer_integer>
set version {1 2}
config distance
edit <distance_id>
set access-list <name_str>
set distance <distance_integer>
set prefix <address_ipv4mask>
end
config distribute-list
edit <distribute_list_id>
set direction {in | out}
set interface <name_str>
set listname <access/prefix-listname_str>
set status {enable | disable}
end
config interface
edit <interface_name>
set auth-keychain <name_str>
set auth-mode {none | text | md5}
set auth-string <password_str>
set receive-version {1 2}
set send-version {1 2}
set send-version2-broadcast {enable | disable}
set split-horizon {poisoned | regular}
set split-horizon-status {enable | disable}
end
config neighbor
edit <neighbor_id>
set ip <address_ipv4>
end
config network
edit <network_id>
set prefix <address_ipv4mask>
end
config offset-list
edit <offset_list_id>
set access-list <name_str>
set direction {in | out}
set interface <name_str>
set offset <metric_integer>
set status {enable | disable}
end
config redistribute {connected | static | ospf | bgp}
set metric <metric_integer>
set routemap <name_str>
set status {enable | disable}
end
config router rip
Use this command to specify RIP operating parameters.
All fields are optional.
Variable
Description
Default
default-information-originate
{enable | disable}
Enter enable to advertise a default static route into RIP.
disable
default-metric
<metric_integer>
For non-default routes in the static routing table and directly
connected networks the default metric is the metric that the
FortiGate unit advertises to adjacent routers. This metric is
added to the metrics of learned routes. The default metric
can be a number from 1 to 16.
1
garbage-timer <timer_integer>
The time in seconds that must elapse after the timeout
interval for a route expires, before RIP deletes the route. If
RIP receives an update for the route after the timeout timer
expires but before the garbage timer expires then the entry
is switched back to reachable.
RIP timer defaults are effective in most configurations. All
routers and access servers in the network should have the
same RIP timer settings.
The update timer interval can not be larger than the garbage
timer interval.
120
passive-interface <name_str>
Block RIP broadcasts on the specified interface. You can
use “config neighbor” on page 359 and the passive interface
command to allow RIP to send unicast updates to the
specified neighbor while blocking broadcast updates on the
specified interface.
No default.
timeout-timer <timer_integer>
The time interval in seconds after which a route is declared
unreachable. The route is removed from the routing table.
RIP holds the route until the garbage timer expires and then
deletes the route. If RIP receives an update for the route
before the timeout timer expires, then the timeout-timer is
restarted. If RIP receives an update for the route after the
timeout timer expires but before the garbage timer expires
then the entry is switched back to reachable. The value of
the timeout timer should be at least three times the value of
the update timer.
RIP timer defaults are effective in most configurations. All
routers and access servers in the network should have the
same RIP timer settings.
The update timer interval can not be larger than the timeout
timer interval.
180
update-timer <timer_integer>
The time interval in seconds between RIP updates.
RIP timer defaults are effective in most configurations. All
routers and access servers in the network should have the
same RIP timer settings.
The update timer interval can not be larger than timeout or
garbage timer intervals.
30
version {1 2}
Enable sending and receiving RIP version 1 packets, RIP
version 2 packets, or both for all RIP-enabled interfaces. You
can override this setting on a per interface basis using the
receive-version {1 2}and send-version {1 2} fields described
under “config interface” on page 358.
2
Example
This example shows how to enable the advertising of a default static route into RIP, enable the sending and receiving
of RIP version 1 packets, and raise the default metric of local routes in the static routing table from the default of 1
to 5, so that those routes will be less preferred.
config router rip
    set default-information-originate enable
    set version 1
    set default-metric 5
end
config distance
Use this subcommand to specify an administrative distance. When different routing protocols provide multiple routes
to the same destination, the administrative distance sets the priority of those routes. The lowest administrative
distance indicates the preferred route.
If you specify a prefix, RIP uses the specified distance when the source IP address of a packet matches the prefix.
The distance field is required. All other fields are optional.
edit <distance_id>
    Enter an ID number for the distance. The number must be an integer.
    Default: No default.

access-list <name_str>
    Enter the name of an access list. The distances associated with the routes in the access list will be modified.
    To create an access list, see “access-list, access-list6” on page 286.
    Default: Null

distance <distance_integer>
    Enter a number from 1 to 255 to set the administrative distance. This field is required.
    Default: 0

prefix <address_ipv4mask>
    Optionally enter a prefix to apply the administrative distance to.
    Default: 0.0.0.0 0.0.0.0
Example
This example shows how to change the administrative distance to 10 for all IP addresses that match the
internal_example access-list.
config router rip
    config distance
        edit 1
            set distance 10
            set access-list internal_example
    end
end
config distribute-list
Use this subcommand to filter incoming or outgoing updates using an access list or a prefix list. If you do not specify
an interface, the filter will be applied to all interfaces. You must configure the access list or prefix list that you want the
distribution list to use before you configure the distribution list. For more information on configuring access lists and
prefix lists, see “access-list, access-list6” on page 286 and “prefix-list, prefix-list6” on page 352.
The direction and listname fields are required. All other fields are optional.
edit <distribute_list_id>
    Enter an ID number for the distribution list. The number must be an integer.
    Default: No default.

direction {in | out}
    Set the direction for the filter.
    Enter in to filter incoming packets that originate from other routers.
    Enter out to filter outgoing packets the FortiGate unit is sending to other routers.
    Default: out

interface <name_str>
    Enter the name of the interface to apply this distribution list to. If you do not specify an interface, this
    distribution list will be used for all interfaces.
    Default: Null

listname <access/prefixlistname_str>
    Enter the name of the access list or prefix list to use for this distribution list.
    The prefix or access list used must be configured before configuring the distribute-list.
    Default: Null

status {enable | disable}
    Enable or disable this distribution list.
    Default: disable
Example
This example shows how to configure and enable a distribution list to use an access list named allowed_routers
for incoming updates on the external interface.
config router rip
    config distribute-list
        edit 1
            set direction in
            set interface external
            set listname allowed_routers
            set status enable
    end
end
config interface
Use this subcommand to configure RIP version 2 authentication, RIP version send and receive for the specified
interface, and to configure and enable split horizon.
Authentication is only available for RIP version 2 packets sent and received by an interface. You must set auth-mode
to none when receive-version or send-version are set to 1 or 1 2 (both are set to 1 by default).
A split horizon occurs when a router advertises a route it learns over the same interface it learned it on. In this case
the router that gave the learned route to the last router now has two entries to get to another location. However, if the
primary route fails, that router tries the second route, finds itself as part of the route, and an infinite loop is created.
A poisoned split horizon will still advertise the route on the interface it received it on, but it will mark the route as
unreachable. Any unreachable routes are automatically removed from the routing table. This is also called split
horizon with poison reverse.
All fields are optional.
edit <interface_name>
    Type the name of the FortiGate unit interface that is linked to the RIP network. The interface might be a
    virtual IPSec or GRE interface.
    Default: No default.

auth-keychain <name_str>
    Enter the name of the key chain to use for authentication for RIP version 2 packets sent and received by this
    interface. Use key chains when you want to configure multiple keys. For information on how to configure key
    chains, see “key-chain” on page 316.
    Default: Null

auth-mode {none | text | md5}
    Use the auth-mode field to define the authentication used for RIP version 2 packets sent and received by this
    interface. Choose one of:
    none — no authentication is used.
    text — the authentication key is sent as plain text.
    md5 — the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of
    the routing information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network
    problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
    Use the auth-string field to specify the key.
    Default: none

auth-string <password_str>
    Enter a single key to use for authentication for RIP version 2 packets sent and received by this interface. Use
    auth-string when you only want to configure one key. The key can be up to 35 characters long.
    Default: Null

receive-version {1 2}
    RIP routing messages are UDP packets that use port 520. Choose one of:
    1 — configure RIP to listen for RIP version 1 messages on an interface.
    2 — configure RIP to listen for RIP version 2 messages on an interface.
    1 2 — configure RIP to listen for both RIP version 1 and RIP version 2 messages on an interface.
    Default: No default.

send-version {1 2}
    RIP routing messages are UDP packets that use port 520. Choose one of:
    1 — configure RIP to send RIP version 1 messages on an interface.
    2 — configure RIP to send RIP version 2 messages on an interface.
    1 2 — configure RIP to send both RIP version 1 and RIP version 2 messages on an interface.
    Default: No default.

send-version2broadcast {enable | disable}
    Enable or disable sending broadcast updates from an interface configured for RIP version 2.
    RIP version 2 normally multicasts updates. RIP version 1 can only receive broadcast updates.
    Default: disable

split-horizon {poisoned | regular}
    Configure RIP to use either regular or poisoned split horizon on this interface. Choose one of:
    regular — prevent RIP from sending updates for a route back out on the interface from which it received that
    route.
    poisoned — send updates with routes learned on an interface back out the same interface but mark those
    routes as unreachable.
    Default: poisoned

split-horizon-status {enable | disable}
    Enable or disable split horizon for this interface. Split horizon is enabled by default.
    Disable split horizon only if there is no possibility of creating a counting-to-infinity loop when the network
    topology changes.
    Default: enable
Example
This example shows how to configure the external interface to send and receive RIP version 2, to use MD5
authentication, and to use a key chain called test1.
config router rip
    config interface
        edit external
            set receive-version 2
            set send-version 2
            set auth-mode md5
            set auth-keychain test1
    end
end
config neighbor
Use this subcommand to enable RIP to send unicast routing updates to the router at the specified address. You can
use the neighbor subcommand and “passive-interface <name_str>” on page 355 to allow RIP to send unicast
updates to the specified neighbor while blocking broadcast updates on the specified interface. You can configure
multiple neighbors.
The ip field is required. All other fields are optional.
edit <neighbor_id>
    Enter an ID number for the RIP neighbor. The number must be an integer.
    Default: No default.

ip <address_ipv4>
    Enter the IPv4 address of the neighboring router to which to send unicast updates.
    Default: 0.0.0.0
Example
This example shows how to specify that the router at 192.168.21.20 is a neighbor.
config router rip
    config neighbor
        edit 1
            set ip 192.168.21.20
    end
end
config network
Use this subcommand to identify the networks for which to send and receive RIP updates. If a network is not
specified, interfaces in that network will not be advertised in RIP updates.
The prefix field is optional.
edit <network_id>
    Enter an entry number for the RIP network. The number must be an integer.
    Default: No default.

prefix <address_ipv4mask>
    Enter the IPv4 address and netmask for the RIP network.
    Default: 0.0.0.0 0.0.0.0
Example
Use the following command to enable RIP for the interfaces attached to networks specified by the IP address
10.0.0.0 and the netmask 255.255.255.0.
config router rip
    config network
        edit 2
            set prefix 10.0.0.0 255.255.255.0
    end
end
config offset-list
Use this subcommand to add the specified offset to the metric (hop count) of a route from the offset list.
The access-list, direction, and offset fields are required. All other fields are optional.
edit <offset_list_id>
    Enter an ID number for the offset list. The number must be an integer.
    Default: No default.

access-list <name_str>
    Enter the name of the access list to use for this offset list. The access list is used to determine which
    routes to add the metric to. For more information, see “access-list, access-list6” on page 286.
    Default: Null

direction {in | out}
    Enter in to apply the specified offset to the metrics of routes originating on other routers (incoming routes).
    Enter out to apply the specified offset to the metrics of routes leaving from the FortiGate unit (outgoing
    routes).
    Default: out

interface <name_str>
    Enter the name of the interface to match for this offset list.
    Default: Null

offset <metric_integer>
    Enter the offset number to add to the metric. The metric is the hop count. The metric_integer range is from
    1 to 16, with 16 being unreachable.
    For example, if a route already has a metric of 5, an offset of 10 will increase the metric to 15 for that route.
    Default: 0

status {enable | disable}
    Enable or disable this offset list.
    Default: disable
Example
This example shows how to configure and enable offset list ID number 5. This offset list entry adds a metric of 3 to
incoming routes that match the access list named acc_list1 on the external interface.
config router rip
    config offset-list
        edit 5
            set access-list acc_list1
            set direction in
            set interface external
            set offset 3
            set status enable
    end
end
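The timer ordering rules from the config router rip table, the auth-mode restriction described under config interface, and the offset-list hop-count arithmetic above can all be checked before a change is pushed to a unit. The following Python is an added example, not Fortinet code or a FortiOS feature; the dataclass names, the defaults it assumes (the documented ones), and its treatment of text-mode authentication as a finding are my own choices.

```python
"""Sanity checks for FortiOS 4.3 'config router rip' settings.

Added example, not Fortinet code. It encodes the constraints the CLI
reference states: timer ordering, metric ranges (16 = unreachable),
the per-interface auth-mode restriction, and offset-list arithmetic.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

UNREACHABLE = 16  # RIP hop count that means "infinity"


@dataclass
class RipInterface:
    """Per-interface settings from 'config interface' (CLI field names, hypothetical class)."""
    name: str
    receive_version: Tuple[int, ...] = (2,)
    send_version: Tuple[int, ...] = (2,)
    auth_mode: str = "none"      # none | text | md5
    auth_string: str = ""        # single key, at most 35 characters
    auth_keychain: str = ""      # key chain name, the alternative to auth_string


@dataclass
class RipConfig:
    """Global settings from 'config router rip' with the documented defaults."""
    default_metric: int = 1
    update_timer: int = 30
    timeout_timer: int = 180
    garbage_timer: int = 120
    interfaces: List[RipInterface] = field(default_factory=list)


def check_timers(cfg: RipConfig) -> List[str]:
    """Return the timer problems: the two hard limits, then the 3x recommendation."""
    problems = []
    if cfg.update_timer > cfg.timeout_timer:
        problems.append("update-timer cannot be larger than timeout-timer")
    if cfg.update_timer > cfg.garbage_timer:
        problems.append("update-timer cannot be larger than garbage-timer")
    # Recommendation from the reference: timeout should be at least 3 x update,
    # so that a couple of lost updates do not expire a live route.
    if cfg.timeout_timer < 3 * cfg.update_timer:
        problems.append("timeout-timer should be at least three times update-timer")
    return problems


def check_interface(iface: RipInterface) -> List[str]:
    """Return authentication problems for one 'config interface' entry."""
    problems = []
    speaks_v1 = 1 in iface.receive_version or 1 in iface.send_version
    if speaks_v1 and iface.auth_mode != "none":
        # Authentication exists only in RIP version 2 packets; v1 carries none.
        problems.append(f"{iface.name}: auth-mode must be none when version 1 is sent or received")
    if iface.auth_mode != "none" and not (iface.auth_string or iface.auth_keychain):
        problems.append(f"{iface.name}: auth-mode {iface.auth_mode} needs auth-string or auth-keychain")
    if len(iface.auth_string) > 35:
        problems.append(f"{iface.name}: auth-string longer than 35 characters")
    if iface.auth_mode == "text":
        # The reference notes text mode sends the key in clear and only guards
        # against misconfigured routers; flagging it is this example's choice.
        problems.append(f"{iface.name}: auth-mode text sends the key in clear text; prefer md5")
    return problems


def check_config(cfg: RipConfig) -> List[str]:
    """Run every check and return the combined findings (empty list = clean)."""
    problems = check_timers(cfg)
    if not 1 <= cfg.default_metric <= UNREACHABLE:
        problems.append("default-metric must be between 1 and 16")
    for iface in cfg.interfaces:
        problems.extend(check_interface(iface))
    return problems


def apply_offset(metric: int, offset: int) -> int:
    """Apply an offset-list offset: hop counts saturate at 16 (unreachable)."""
    if not 1 <= offset <= UNREACHABLE:
        raise ValueError("offset must be between 1 and 16")
    return min(metric + offset, UNREACHABLE)


if __name__ == "__main__":
    # Constructed sample: documented defaults plus an interface that accepts
    # RIP version 1 while asking for MD5 authentication.
    sample = RipConfig(interfaces=[RipInterface("external", receive_version=(1, 2),
                                                auth_mode="md5", auth_keychain="test1")])
    for finding in check_config(sample):
        print(finding)
```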
config redistribute
Use this subcommand to advertise routes learned from OSPF, BGP, static routes, or a direct connection to the
destination network.
The RIP redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as
follows:
• bgp — Redistribute routes learned from BGP.
• connected — Redistribute routes learned from a direct connection to the destination network.
• isis — Redistribute routes learned from ISIS.
• ospf — Redistribute routes learned from OSPF.
• static — Redistribute the static routes defined in the FortiGate unit routing table.
When you enter the subcommand, end the command with one of the four static entry names (that is, config
redistribute {bgp | connected | isis | ospf | static}).
All fields are optional.
metric <metric_integer>
    Enter the metric value to be used for the redistributed routes. The metric_integer range is from 0 to 16.
    Default: 0

routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to configure
    route maps, see “route-map” on page 368.
    Default: Null

status {enable | disable}
    Enable or disable advertising non-RIP routes.
    Default: disable
ripng
Use this command to configure the “next generation” Routing Information Protocol (RIPng) on the FortiGate unit.
RIPng is a distance-vector routing protocol intended for small, relatively homogeneous, IPv6 networks. RIPng uses
hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15
hops. RIPng is defined in RFC 2080.
Syntax
config router ripng
    set default-information-originate {enable | disable}
    set default-metric <metric_integer>
    set garbage-timer <timer_integer>
    set passive-interface <name_str>
    set timeout-timer <timer_integer>
    set update-timer <timer_integer>
    config aggregate-address
        edit <entry-id>
            set prefix6 <aggregate_prefix>
        end
    config distribute-list
        edit <distribute_list_id>
            set direction {in | out}
            set interface <name_str>
            set listname <access/prefix-listname_str>
            set status {enable | disable}
        end
    config interface
        edit <interface_name>
            set split-horizon {poisoned | regular}
            set split-horizon-status {enable | disable}
        end
    config neighbor
        edit <neighbor_id>
            set ip <address_ipv4>
        end
    config offset-list
        edit <offset_list_id>
            set access-list <name_str>
            set direction {in | out}
            set interface <name_str>
            set offset <metric_integer>
            set status {enable | disable}
        end
    config redistribute {connected | static | ospf | bgp}
        set metric <metric_integer>
        set routemap <name_str>
        set status {enable | disable}
    end
All fields are optional.
default-information-originate {enable | disable}
    Enter enable to advertise a default static route into RIPng.
    Default: disable

default-metric <metric_integer>
    For non-default routes in the static routing table and directly connected networks, the default metric is the
    metric that the FortiGate unit advertises to adjacent routers. This metric is added to the metrics of learned
    routes. The default metric can be a number from 1 to 16.
    Default: 1

garbage-timer <timer_integer>
    The time in seconds that must elapse after the timeout interval for a route expires before RIPng deletes the
    route. If RIPng receives an update for the route after the timeout timer expires but before the garbage timer
    expires, the entry is switched back to reachable.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should
    have the same RIP timer settings.
    The update timer interval cannot be larger than the garbage timer interval.
    Range 5 to 2 147 483 647 seconds.
    Default: 120

passive-interface <name_str>
    Block RIPng broadcasts on the specified interface. You can use “config neighbor” on page 359 and the
    passive-interface command to allow RIPng to send unicast updates to the specified neighbor while blocking
    broadcast updates on the specified interface.
    Default: No default.

timeout-timer <timer_integer>
    The time interval in seconds after which a route is declared unreachable. The route is removed from the
    routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives
    an update for the route before the timeout timer expires, the timeout timer is restarted. If RIP receives an
    update for the route after the timeout timer expires but before the garbage timer expires, the entry is
    switched back to reachable. The value of the timeout timer should be at least three times the value of the
    update timer.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should
    have the same RIP timer settings.
    The update timer interval cannot be larger than the timeout timer interval.
    Range 5 to 2 147 483 647 seconds.
    Default: 180

update-timer <timer_integer>
    The time interval in seconds between RIP updates.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should
    have the same RIP timer settings.
    The update timer interval cannot be larger than the timeout or garbage timer intervals.
    Range 5 to 2 147 483 647 seconds.
    Default: 30
config aggregate-address
Use this subcommand to configure aggregate address prefixes.
edit <entry-id>
    Enter an entry number for the aggregate address list.

prefix6 <aggregate_prefix>
    Enter the prefix for the aggregate address.
    Default: ::/0
config distribute-list
Use this subcommand to filter incoming or outgoing updates using an access list or a prefix list. If you do not specify
an interface, the filter will be applied to all interfaces. You must configure the access list or prefix list that you want the
distribution list to use before you configure the distribution list. For more information on configuring access lists and
prefix lists, see “router access-list, access-list6” on page 286 and “router prefix-list, prefix-list6” on page 352.
The direction and listname fields are required. All other fields are optional.
edit <distribute_list_id>
    Enter an entry number for the distribution list. The number must be an integer.
    Default: No default.

direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
    Default: out

interface <name_str>
    Enter the name of the interface to apply this distribution list to. If you do not specify an interface, this
    distribution list will be used for all interfaces.
    Default: Null

listname <listname_str>
    Enter the name of the access list or prefix list to use for this distribution list.
    Default: Null

status {enable | disable}
    Enable or disable this distribution list.
    Default: disable
config interface
Use this subcommand to configure and enable split horizon.
A split horizon occurs when a router advertises a route it learns over the same interface it learned it on. In this case
the router that gave the learned route to the last router now has two entries to get to another location. However, if the
primary route fails, that router tries the second route, finds itself as part of the route, and an infinite loop is created.
A poisoned split horizon will still advertise the route on the interface it received it on, but it will mark the route as
unreachable. Any unreachable routes are automatically removed from the routing table. This is also called split
horizon with poison reverse.
All fields are optional.
edit <interface_name>
    Type the name of the FortiGate unit interface that is linked to the RIP network. The interface might be a
    virtual IPSec or GRE interface.
    Default: No default.

split-horizon {poisoned | regular}
    Configure RIP to use either regular or poisoned split horizon on this interface. Choose one of:
    regular — prevent RIP from sending updates for a route back out on the interface from which it received that
    route.
    poisoned — send updates with routes learned on an interface back out the same interface but mark those
    routes as unreachable.
    Default: poisoned

split-horizon-status {enable | disable}
    Enable or disable split horizon for this interface. Split horizon is enabled by default.
    Disable split horizon only if there is no possibility of creating a counting-to-infinity loop when the network
    topology changes.
    Default: enable
config neighbor
Use this subcommand to enable RIPng to send unicast routing updates to the router at the specified address. You
can use the neighbor subcommand and “passive-interface <name_str>” on page 355 to allow RIPng to send
unicast updates to the specified neighbor while blocking broadcast updates on the specified interface. You can
configure multiple neighbors.
All fields are required.
edit <neighbor_id>
    Enter an entry number for the RIPng neighbor. The number must be an integer.
    Default: No default.

interface <name>
    The interface that connects to the neighbor.
    Default: No default.

ip6 <address_ipv6>
    Enter the IP address of the neighboring router to which to send unicast updates.
    Default: ::
config offset-list
Use this subcommand to add the specified offset to the metric (hop count) of a route from the offset list.
The access-list6, direction, and offset fields are required. All other fields are optional.
edit <offset_list_id>
    Enter an entry number for the offset list. The number must be an integer.
    Default: No default.

access-list6 <name_str>
    Enter the name of the access list to use for this offset list. The access list is used to determine which
    routes to add the metric to.
    Default: Null

direction {in | out}
    Enter in to apply the offset to the metrics of incoming routes. Enter out to apply the offset to the metrics of
    outgoing routes.
    Default: out

interface <name_str>
    Enter the name of the interface to match for this offset list.
    Default: Null

offset <metric_integer>
    Enter the offset number to add to the metric. The metric is the hop count. The metric_integer range is from
    1 to 16, with 16 being unreachable.
    Default: 0

status {enable | disable}
    Enable or disable this offset list.
    Default: disable
config redistribute
Use this subcommand to redistribute routes learned from OSPF, BGP, static routes, or a direct connection to the
destination network.
The RIPng redistribution table contains four static entries. You cannot add entries to the table. The entries are defined
as follows:
• bgp — Redistribute routes learned from BGP.
• connected — Redistribute routes learned from a direct connection to the destination network.
• isis — Redistribute routes learned from ISIS.
• ospf — Redistribute routes learned from OSPF.
• static — Redistribute the static routes defined in the FortiGate unit routing table.
When you enter the subcommand, end the command with one of the four static entry names (that is, config
redistribute {bgp | connected | isis | ospf | static}).
All fields are optional.
metric <metric_integer>
    Enter the metric value to be used for the redistributed routes. The metric_integer range is from 0 to 16.
    Default: 0

routemap <name_str>
    Enter the name of the route map to use for the redistributed routes.
    Default: Null

status {enable | disable}
    Enable or disable redistributing routes.
    Default: disable
route-map
Use this command to add, edit, or delete route maps. To use the command to limit the number of received or
advertised BGP and RIP routes and routing updates using route maps, see “Using route maps with BGP” on
page 370, and RIP “config redistribute” on page 342.
Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing
the routing of packets to particular destinations. Compared to access lists, route maps support enhanced
packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the
FortiGate unit routing table and to make changes to routing information dynamically as defined through route-map
rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending
order until one or more of the rules in the route map are found to match one or more of the route attributes:
• When a single matching match-* rule is found, changes to the routing information are made as defined through
the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
• If no matching rule is found, no changes are made to the routing information.
• When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the
routing information is not changed.
• If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the
default match-* rules happen to match the attributes of the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take
effect, it must be called by a FortiGate unit routing process.
Any fields and rules that do not appear here can be found in the BGP route-map section. See
“Using route maps with BGP” on page 370.
Syntax
config router route-map
    edit <route_map_name>
        set comments <string>
        config rule
            edit <route_map_rule_id>
                set action {deny | permit}
                set match-interface <name_str>
                set match-ip-address <access/prefix-listname_str>
                set match-ip-nexthop <access/prefix-listname_str>
                set match-metric <metric_integer>
                set match-route-type {1 | 2}
                set match-tag <tag_integer>
                set set-ip-nexthop <address_ipv4>
                set set-metric <metric_integer>
                set set-metric-type {1 | 2}
                set set-tag <tag_integer>
        end
    end
All fields are optional.
edit <route_map_name>
    Enter a name for the route map.
    Default: No default.

comments <string>
    Enter a description for this route map name.
    Default: No default.

config rule variables

edit <route_map_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.

action {deny | permit}
    Enter permit to permit routes that match this rule. Enter deny to deny routes that match this rule.
    Default: permit

match-interface <name_str>
    Enter the name of the local FortiGate unit interface that will be used to match route interfaces.
    Default: Null

match-ip-address <access/prefix-listname_str>
    Match a route if the destination address is included in the specified access list or prefix list.
    Default: Null

match-ip6-address <access/prefix-listname_str>
    Match a route if the destination IPv6 address is included in the specified access6 list or prefix6 list.
    Default: Null

match-ip-nexthop <access/prefix-listname_str>
    Match a route that has a next-hop router address included in the specified access list or prefix list.
    Default: Null

match-ip6-nexthop <access/prefix-listname_str>
    Match a route that has a next-hop router address included in the specified access6 list or prefix6 list.
    Default: Null

match-metric <metric_integer>
    Match a route with the specified metric. The metric can be a number from 1 to 16.
    Default: 0

match-route-type {1 | 2}
    Match a route that has the external type set to 1 or 2.
    Default: external-type1

match-tag <tag_integer>
    This field is available when set-tag is set.
    Match a route that has the specified tag.
    Default: 0

set-ip-nexthop <address_ipv4>
    Set the next-hop router address for a matched route.
    Default: 0.0.0.0

set-ip6-nexthop <address_ipv6>
    Set the next-hop router IPv6 address for a matched route.
    Default: ::0

set-ip6-nexthop-local <address_ipv6>
    Set the next-hop router local IPv6 address for a matched route.
    Default: ::0

set-metric <metric_integer>
    Set a metric value of 1 to 16 for a matched route.
    Default: 0

set-metric-type {1 | 2}
    Set the type for a matched route.
    Default: external-type1

set-tag <tag_integer>
    Set a tag value for a matched route.
    Default: 0
Example
This example shows how to add a route map list named rtmp2 with two rules. The first rule denies routes that match
the IP addresses in an access list named acc_list2. The second rule permits routes that match a metric of 2 and
changes the metric to 4.
config router route-map
    edit rtmp2
        config rule
            edit 1
                set match-ip-address acc_list2
                set action deny
            next
            edit 2
                set match-metric 2
                set action permit
                set set-metric 4
        end
    end
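As an added example, not Fortinet code, the following Python models the rule evaluation described at the top of this section (rules tried in ascending order, every match-* criterion in a rule must hold, the first matching rule's action decides, and the implicit final rule denies everything) and runs the rtmp2 route map above through it. The access-list contents, the Route and Rule classes, and the treatment of a rule with no match-* criteria as matching every route are assumptions.

```python
"""Evaluate a FortiOS-style route map against a candidate route.

Added example, not Fortinet code. Rules are tried in ascending ID order; a
rule matches only when every match-* criterion it defines is true; the
first matching rule's action decides; the implicit last rule denies all.
A rule with no match-* criteria is treated as matching every route
(assumption drawn from the "default match-* rules" wording above).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Access lists modelled as name -> list of IPv4 prefixes (constructed sample data).
AccessLists = Dict[str, List[str]]


@dataclass(frozen=True)
class Route:
    prefix: str          # destination, e.g. "10.1.0.0/16"
    nexthop: str         # next-hop router address
    metric: int          # RIP hop count, 1..16
    tag: int = 0


@dataclass
class Rule:
    rule_id: int
    action: str = "permit"                  # permit | deny
    match_ip_address: Optional[str] = None  # access list name
    match_ip_nexthop: Optional[str] = None  # access list name
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_metric: Optional[int] = None
    set_ip_nexthop: Optional[str] = None
    set_tag: Optional[int] = None


def in_access_list(addr: str, name: str, acls: AccessLists) -> bool:
    """True when addr (a host or a prefix) lies inside any prefix of the named list."""
    target = ip_network(addr, strict=False)
    return any(target.subnet_of(ip_network(p)) for p in acls.get(name, []))


def rule_matches(rule: Rule, route: Route, acls: AccessLists) -> bool:
    """All defined match-* criteria must hold (logical AND); none defined matches all."""
    checks = []
    if rule.match_ip_address is not None:
        checks.append(in_access_list(route.prefix, rule.match_ip_address, acls))
    if rule.match_ip_nexthop is not None:
        checks.append(in_access_list(route.nexthop, rule.match_ip_nexthop, acls))
    if rule.match_metric is not None:
        checks.append(route.metric == rule.match_metric)
    if rule.match_tag is not None:
        checks.append(route.tag == rule.match_tag)
    return all(checks)


def apply_sets(rule: Rule, route: Route) -> Route:
    """Return a copy of the route with the rule's set-* values applied."""
    changes = {}
    if rule.set_metric is not None:
        changes["metric"] = rule.set_metric
    if rule.set_ip_nexthop is not None:
        changes["nexthop"] = rule.set_ip_nexthop
    if rule.set_tag is not None:
        changes["tag"] = rule.set_tag
    return replace(route, **changes)


def evaluate(rules: List[Rule], route: Route, acls: AccessLists) -> Tuple[bool, Route, Optional[int]]:
    """Return (permitted, resulting route, id of the deciding rule; None means the default deny)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, route, acls):
            if rule.action == "permit":
                return True, apply_sets(rule, route), rule.rule_id
            return False, route, rule.rule_id
    return False, route, None  # implicit final rule denies all


# The rtmp2 route map from the example above, as data (acc_list2 contents are constructed).
ACLS: AccessLists = {"acc_list2": ["10.1.0.0/16", "172.16.0.0/12"]}
RTMP2 = [
    Rule(1, action="deny", match_ip_address="acc_list2"),
    Rule(2, action="permit", match_metric=2, set_metric=4),
]

if __name__ == "__main__":
    for r in (Route("10.1.5.0/24", "192.168.1.1", 2),     # denied by rule 1
              Route("192.168.5.0/24", "192.168.1.1", 2),  # permitted by rule 2, metric becomes 4
              Route("192.168.5.0/24", "192.168.1.1", 3)): # no rule matches: default deny
        print(r.prefix, evaluate(RTMP2, r, ACLS))
```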
Using route maps with BGP
When a connection is established between BGP peers, the two peers exchange all of their BGP route entries.
Afterward, they exchange updates that only include changes to the existing routing information. Several BGP entries
may be present in a route-map table. You can limit the number of received or advertised BGP route and routing
updates using route maps. Use the config router route-map command to create, edit, or delete a route map.
When you specify a route map for the dampening-route-map value through the config
router bgp command (see “dampening-route-map <routemap-name_str>” on page 294),
the FortiGate unit ignores global dampening settings. You cannot set global dampening settings
for the FortiGate unit and then override those values through a route map.
Syntax
config router route-map
    edit <route_map_name>
        set comments <string>
        config rule
            edit <route_map_rule_id>
                set match-as-path <aspath-list-name_str>
                set match-community <community-list-name_str>
                set match-community-exact {enable | disable}
                set match-origin {egp | igp | incomplete | none}
                set set-aggregator-as <id_integer>
                set set-aggregator-ip <address_ipv4>
                set set-aspath <id_integer> <id_integer> <id_integer> ...
                set set-atomic-aggregate {enable | disable}
                set set-community-delete <community-list-name_str>
                set set-community <criteria>
                set set-community-additive {enable | disable}
                set set-dampening-reachability-half-life <minutes>
                set set-dampening-reuse <reuse_integer>
                set set-dampening-suppress <suppress_integer>
                set set-dampening-max-suppress <minutes>
                set set-dampening-unreachability-half-life <minutes>
                set set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
                set set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
                set set-local-preference <preference_integer>
                set set-originator-id <address_ipv4>
                set set-origin {egp | igp | incomplete | none}
                set set-weight <weight_integer>
        end
All fields are optional.
Variable
Description
Default
edit <route_map_name>
Enter a name for the route map.
No default.
comments <string>
Enter a description for this route map name.
No default.
edit <route_map_rule_id>
Enter an entry number for the rule. The number must be an
integer.
No default.
match-as-path
<aspath-list-name_str>
Enter the AS-path list name that will be used to match BGP
route prefixes. You must create the AS-path list before it
can be selected here. See “aspath-list” on page 288.
Null
config rule variables
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
match-community <community-list-name_str>
    Enter the community list name that will be used to match BGP routes according to their COMMUNITY attributes. You must create the community list before it can be selected here. See “community-list” on page 307.
    Default: Null
match-community-exact {enable | disable}
    This field is only available when match-community is set. Enable or disable an exact match of the BGP route community specified by the match-community field.
    Default: disable
match-origin {egp | igp | incomplete | none}
    Enter a value to compare to the ORIGIN attribute of a routing update:
    egp — set the value to the NLRI learned from the Exterior Gateway Protocol (EGP). The FortiGate unit has the second-highest preference for routes of this type.
    igp — set the value to the NLRI learned from a protocol internal to the originating AS. The FortiGate unit has the highest preference for routes learned through Internal Gateway Protocol (IGP).
    incomplete — match routes that were learned some other way (for example, through redistribution).
    none — disable the matching of BGP routes based on the origin of the route.
    Default: none
set-aggregator-as <id_integer>
    Set the originating AS of an aggregated route. The value specifies at which AS the aggregate route originated. The range is from 1 to 65 535. The set-aggregator-ip value must also be set to further identify the originating AS.
    Default: unset
set-aggregator-ip <address_ipv4>
    This field is available when set-aggregator-as is set. Set the IP address of the BGP router that originated the aggregate route. The value should be identical to the FortiGate unit router-id value (see “router-id <address_ipv4>” on page 295).
    Default: 0.0.0.0
set-aspath <id_integer> <id_integer> <id_integer> ...
    Modify the FortiGate unit AS_PATH attribute and add to it the AS numbers of the AS path belonging to a BGP route. The resulting path describes the autonomous systems along the route to the destination specified by the NLRI. The range is from 1 to 65 535.
    The set-aspath value is added to the beginning of the AS_SEQUENCE segment of the AS_PATH attribute of incoming routes, or to the end of the AS_SEQUENCE segment of the AS_PATH attribute of outgoing routes.
    Enclose all AS numbers in quotes if there are multiple occurrences of the same id_integer. Otherwise the AS path may be incomplete.
    Default: No default.
set-atomic-aggregate {enable | disable}
    Enable or disable a warning to upstream routers through the ATOMIC_AGGREGATE attribute that address aggregation has occurred on an aggregate route. This value does not have to be specified when an as-set value is specified in the aggregate-address table (see “config aggregate-address, config aggregate-address6” on page 296).
    Default: disable
set-community-delete <community-list-name_str>
    Remove the COMMUNITY attributes from the BGP routes identified in the specified community list. You must create the community list first before it can be selected here (see “community-list” on page 307).
    Default: Null
set-community <criteria>
    Set the COMMUNITY attribute of a BGP route.
    • Use decimal notation to set a specific COMMUNITY attribute for the route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, “123:234 345:456”).
    • To make the route part of the Internet community, select internet.
    • To make the route part of the LOCAL_AS community, select local-AS.
    • To make the route part of the NO_ADVERTISE community, select no-advertise.
    • To make the route part of the NO_EXPORT community, select no-export.
    Default: No default.
set-community-additive {enable | disable}
    This field is available when set-community is set. Enable or disable the appending of the set-community value to a BGP route.
    Default: disable
set-dampening-reachability-half-life <minutes>
    Set the dampening reachability half-life of a BGP route (in minutes). The range is from 1 to 45.
    Default: 0
set-dampening-reuse <reuse_integer>
    Set the value at which a dampened BGP route will be reused. The range is from 1 to 20 000. If you set set-dampening-reuse, you must also set set-dampening-suppress and set-dampening-max-suppress.
    Default: 0
set-dampening-suppress <suppress_integer>
    Set the limit at which a BGP route may be suppressed. The range is from 1 to 20 000. See also “dampening-suppress <limit_integer>” on page 294.
    Default: 0
set-dampening-max-suppress <minutes>
    Set the maximum time (in minutes) that a BGP route can be suppressed. The range is from 1 to 255. See also “dampening-max-suppress-time <minutes_integer>” on page 294.
    Default: 0
set-dampening-unreachability-half-life <minutes>
    Set the unreachability half-life of a BGP route (in minutes). The range is from 1 to 45. See also “dampening-unreachability-half-life <minutes_integer>” on page 294.
    Default: 0
set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
    Set the target extended community (in decimal notation) of a BGP route. The COMMUNITY attribute value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier.
    Default: No default.
set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
    Set the site-of-origin extended community (in decimal notation) of a BGP route. The COMMUNITY attribute value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier.
    Default: No default.
set-local-preference <preference_integer>
    Set the LOCAL_PREF value of an IBGP route. The value is advertised to IBGP peers. The range is from 0 to 4 294 967 295. A higher number signifies a preferred route among multiple routes to the same destination.
    Default: 0
set-originator-id <address_ipv4>
    Set the ORIGINATOR_ID attribute, which is equivalent to the router-id of the originator of the route in the local AS. Route reflectors use this value to prevent routing loops.
    Default: 0.0.0.0
set-origin {egp | igp | incomplete | none}
    Set the ORIGIN attribute of a local BGP route. Choose one of:
    egp — set the value to the NLRI learned from the Exterior Gateway Protocol (EGP).
    igp — set the value to the NLRI learned from a protocol internal to the originating AS.
    incomplete — if not egp or igp.
    none — disable the ORIGIN attribute.
    Default: none
set-weight <weight_integer>
    Set the weight of a BGP route. A route’s weight has the most influence when two identical BGP routes are compared. A higher number signifies a greater preference. The range is from 0 to 2 147 483 647.
    Default: 0
setting
Use this command to define a prefix list as a filter to show routes.
Command
config router setting
    set hostname <name_str>
    set show-filter <prefix_list>
end
hostname <name_str>
    Enter the hostname for this virtual domain router. 1-14 characters.
show-filter <prefix_list>
    Select the prefix-list to use as a filter for showing routes.
static
Use this command to add, edit, or delete static routes for IPv4 traffic. For IPv6 traffic, use the static6 command (see “static6” on page 377).
You add static routes to manually control traffic exiting the FortiGate unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.
You can adjust the administrative distance of a route to indicate preference when more than one route to the same destination is available. The lower the administrative distance, the more preferred the route. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate unit forwarding table. Any ties are resolved by comparing the routes’ priority, with the lowest priority value being preferred. As a result, the FortiGate unit forwarding table only contains routes having the lowest distances to every possible destination.
If both administrative distance and priority are tied for two or more routes, an equal cost multi-path (ECMP) situation occurs. ECMP is available to static and OSPF routing. By default in ECMP, a hash of the source IP address is used to select the route. This hash is computed on the pre-NATed source IP address, so all traffic originating from the same source IP address always uses the same path. This is the source-based ECMP method; weighted and spill-over are the other two methods. The method is selected with the v4-ecmp-mode field of the config system settings command, and source-based is the default. Weighted ECMP uses the weight field to direct more traffic to routes with larger weights. In spill-over (usage-based) ECMP, the FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. For more information on ECMP, see “system settings” on page 548.
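The selection order just described, as an added model written for this page rather than FortiOS code: candidates to a destination are ranked by administrative distance, ties by priority, and routes still tied form the ECMP set, from which either a source-IP hash or the route weights pick a path. Two things are assumptions rather than statements from the page: candidates are first narrowed by longest-prefix match, and the SHA-256 hash stands in for whatever FortiOS computes internally. The routing table is constructed.

```python
"""Model of FortiGate static-route selection and ECMP path choice.

Added example, not FortiOS code.  It follows the selection order described
above: candidates to a destination are ranked by administrative distance
(lowest wins), ties by priority (lowest value wins), and routes still tied
form an ECMP set.  Assumptions not stated on the page: candidates are first
narrowed by longest-prefix match, the source-IP hash is a SHA-256 stand-in for
whatever FortiOS uses internally, and the routing table below is constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    seq: int             # edit <sequence_number>
    dst: str             # destination/mask, "0.0.0.0/0" for the default route
    gateway: str
    device: str
    distance: int = 10   # page default
    priority: int = 0    # page default
    weight: int = 0      # used only by weighted ECMP


def _net(route):
    return ipaddress.ip_network(route.dst, strict=False)


def matching_routes(table, dst_ip):
    """Routes whose destination covers dst_ip, keeping only the longest prefix."""
    ip = ipaddress.ip_address(dst_ip)
    covering = [r for r in table if ip in _net(r)]
    if not covering:
        return []
    longest = max(_net(r).prefixlen for r in covering)
    return [r for r in covering if _net(r).prefixlen == longest]


def best_routes(table, dst_ip):
    """Lowest distance, then lowest priority; the result is the ECMP set (often 1 route)."""
    cands = matching_routes(table, dst_ip)
    if not cands:
        return []
    min_dist = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == min_dist]
    min_prio = min(r.priority for r in cands)
    return sorted((r for r in cands if r.priority == min_prio), key=lambda r: r.seq)


def pick_source_based(ecmp, src_ip):
    """Source-based ECMP: the pre-NAT source IP hashes to one route, every time."""
    digest = hashlib.sha256(src_ip.encode()).digest()      # stand-in hash (assumption)
    return ecmp[int.from_bytes(digest[:4], "big") % len(ecmp)]


def pick_weighted(ecmp, flow_id):
    """Weighted ECMP: route i receives weight_i / sum(weights) of the flow slots."""
    total = sum(r.weight for r in ecmp)
    if total == 0:                      # no weights configured: fall back to round robin
        return ecmp[flow_id % len(ecmp)]
    slot = flow_id % total
    for r in ecmp:
        slot -= r.weight
        if slot < 0:
            return r


def sample_table():
    """Constructed routing table (not from the page)."""
    return [
        StaticRoute(1, "0.0.0.0/0", "10.0.0.1", "wan1", weight=1),
        StaticRoute(2, "0.0.0.0/0", "10.0.1.1", "wan2", weight=3),
        StaticRoute(3, "0.0.0.0/0", "10.0.2.1", "wan3", distance=20),   # backup link
        StaticRoute(4, "192.168.5.0/24", "10.0.3.1", "dmz", priority=5),
        StaticRoute(5, "192.168.5.0/24", "10.0.3.2", "dmz", priority=1),
    ]


if __name__ == "__main__":
    table = sample_table()
    ecmp = best_routes(table, "8.8.8.8")
    print([r.seq for r in ecmp], pick_source_based(ecmp, "172.16.0.9").device)
```

With the constructed table, Internet-bound traffic ends up in a two-route ECMP set (the distance-20 route is only a backup), while 192.168.5.0/24 has a single winner because priority 1 beats priority 5.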
Syntax
config router static
    edit <sequence_number>
        set blackhole {enable | disable}
        set device <interface_name>
        set distance <distance>
        set dst <destination-address_ipv4mask>
        set dynamic-gateway {enable | disable}
        set gateway <gateway-address_ipv4>
        set priority <integer>
        set weight <integer>
end
The dst and gateway fields are required when blackhole is disabled. When blackhole is
enabled, the dst field is required. All other fields are optional.
edit <sequence_number>
    Enter a sequence number for the static route. The sequence number may influence routing priority in the FortiGate unit forwarding table.
    Default: No default.
blackhole {enable | disable}
    Enable or disable dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route.
    Default: disable
device <interface_name>
    This field is available when blackhole is set to disable. Enter the name of the FortiGate unit interface through which to route traffic. Use ‘?’ to see a list of interfaces.
    Default: Null
distance <distance>
    Enter the administrative distance for the route. The distance value may influence route preference in the FortiGate unit routing table. The range is an integer from 1-255. See also config system interface “distance <distance_integer>” on page 259.
    Default: 10
dst <destination-address_ipv4mask>
    Enter the destination IPv4 address and network mask for this route. You can enter 0.0.0.0 0.0.0.0 to create a new static default route.
    Default: 0.0.0.0 0.0.0.0
dynamic-gateway {enable | disable}
    When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change.
    Default: disable
gateway <gateway-address_ipv4>
    This field is available when blackhole is set to disable. Enter the IPv4 address of the next-hop router to which traffic is forwarded.
    Default: 0.0.0.0
priority <integer>
    The administrative priority value is used to resolve ties in route selection. In the case where both routes have the same priority, such as equal cost multi-path (ECMP), the IP source hash (based on the pre-NATed IP address) for the routes will be used to determine which route is selected. The priority range is an integer from 0 to 4294967295. Lower priority routes are preferred routes. This field is only accessible through the CLI.
    Default: 0
weight <integer>
    Add weights to ECMP static routes if the ECMP route failover and load balance method is set to weighted. Enter weights for ECMP routes. More traffic is directed to routes with higher weights. This option is available when the v4-ecmp-mode field of the config system settings command is set to weight-based. For more information, see “system settings” on page 548.
    Default: 0
static6
Use this command to add, edit, or delete static routes for IPv6 traffic. For IPv4 static routes, see “static” on page 375.
You add static routes to specify the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and network masks and adding gateways for these destination addresses. The gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.
You can configure static routes for IPv6 traffic on FortiGate units that run in NAT/Route mode.
Syntax
config router static6
    edit <sequence_number>
        set device <interface_name>
        set distance <distance>
        set dst <destination-address_ipv6mask>
        set gateway <gateway-address_ipv6>
        set priority <integer>
end
The device, dst, and gateway fields are all required.
edit <sequence_number>
    Enter a sequence number for the static route.
    Default: No default.
device <interface_name>
    The name of the FortiGate unit interface through which to route traffic.
    Default: Null
distance <distance>
    Enter the administrative distance for the route. The distance value may influence route preference in the FortiGate unit routing table. The range is an integer from 1-255. See also config system interface “distance <distance_integer>” on page 259.
    Default: 10
dst <destination-address_ipv6mask>
    The destination IPv6 address and netmask for this route. You can enter ::/0 to create a new static default route for IPv6 traffic.
    Default: ::/0
gateway <gateway-address_ipv6>
    The IPv6 address of the next-hop router to which traffic is forwarded.
    Default: ::
priority <integer>
    The administrative priority value is used to resolve ties in route selection. The priority range is an integer from 0 to 4294967295. Lower priority routes are preferred routes. This field is only accessible through the CLI.
    Default: 0
spamfilter
Use email filter commands to create a banned word list, configure filters based on email addresses, IP addresses, and MIME headers, and to configure the FortiGuard-Antispam service.
This chapter contains the following sections:
bword
dnsbl
emailbwl
fortishield
ipbwl
iptrust
mheader
options
profile
bword
Use this command to add or edit and configure options for the email filter banned word list.
The FortiGate email filters are applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4. Banned word check
For SMTP, POP3, and IMAP
Control spam by blocking email messages containing specific words or patterns. If enabled, the FortiGate unit
searches for words or patterns in email messages. If matches are found, values assigned to the words are totalled. If
a user-defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message
is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to the list. Add one or more banned words to
sort email containing those words in the email subject, body, or both. Words can be marked as spam or clear. Banned
words can be one word or a phrase up to 127 characters long.
If a single word is entered, the FortiGate unit blocks all email that contain that word. If a phrase is entered, the
FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular
expressions.
Perl regular expression patterns are case sensitive for email filter banned words. To make a word
or phrase case insensitive, use the regular expression /i. For example, /bad language/i
blocks all instances of bad language regardless of case. Wildcard patterns are not case
sensitive.
Syntax
config spamfilter bword
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <banned_word_int>
                set action {clear | spam}
                set language {french | japanese | korean | simch | spanish | thai | trach | western}
                set pattern <banned_word_str>
                set pattern-type {regexp | wildcard}
                set score <int>
                set status {enable | disable}
                set where {all | body | subject}
end
<list_int>
    A unique number to identify the banned word list.
<list_str>
    The name of the banned word list.
<comment_str>
    The comment attached to the banned word list.
<banned_word_int>
    A unique number to identify the banned word or pattern.
action {clear | spam}
    Enter clear to allow the email. Enter spam to apply the spam action.
    Default: spam
language {french | japanese | korean | simch | spanish | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese, Korean, Simplified Chinese, Spanish, Thai, Traditional Chinese, or Western.
    Default: western
pattern <banned_word_str>
    Enter the banned word or phrase pattern using regular expressions or wildcards.
    Default: No default.
pattern-type {regexp | wildcard}
    Enter the pattern type for the banned word (pattern). Choose from regular expressions or wildcard.
    Default: wildcard
score <int>
    A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the spamwordthreshold value, the message is processed according to the spam action setting. The score for a banned word is counted once even if the word appears multiple times in an email message.
    Default: 10
status {enable | disable}
    Enable or disable scanning email for each banned word.
    Default: enable
where {all | body | subject}
    Enter where in the email to search for the banned word or phrase.
    Default: all
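The banned-word scoring described in this section, as an added worked model (example code for this page, not FortiOS code): each enabled entry is tested against the subject, the body or both according to where, the scores of all matching entries are summed with each entry counting once however often its pattern occurs, and the message is classed as spam when the total exceeds the threshold. The page leaves a few details open, so these are assumptions: Python's re module stands in for Perl regular expressions, * and ? are the only wildcard metacharacters, a matching clear entry allows the message outright, and the threshold and the sample messages are constructed.

```python
"""Model of banned-word scoring for spamfilter bword.

Added example, not FortiOS code.  Every enabled entry is tested against the
subject, the body or both ('where'); the scores of all matching entries are
summed, each entry counting once however often its pattern occurs, and the
message is spam when the total exceeds the threshold.  Assumptions: Python's
re module stands in for Perl regular expressions, '*' and '?' are the only
wildcard metacharacters, a matching 'clear' entry allows the message outright,
and the threshold and sample messages below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class BannedWord:
    pattern: str
    pattern_type: str = "wildcard"   # regexp | wildcard (page default: wildcard)
    score: int = 10                  # page default
    action: str = "spam"             # clear | spam
    where: str = "all"               # all | body | subject
    status: str = "enable"


def wildcard_to_regex(pattern: str) -> str:
    """'*' matches any run of characters, '?' a single one; everything else is literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def compile_entry(entry: BannedWord):
    """Regexp patterns are case sensitive unless written /.../i; wildcards never are."""
    if entry.pattern_type == "regexp":
        perl_form = re.fullmatch(r"/(.*)/(i?)", entry.pattern)
        if perl_form:
            flags = re.IGNORECASE if perl_form.group(2) else 0
            return re.compile(perl_form.group(1), flags)
        return re.compile(entry.pattern)
    return re.compile(wildcard_to_regex(entry.pattern), re.IGNORECASE)


def score_message(entries, subject: str, body: str, threshold: int):
    """Return (verdict, total_score, matched_patterns); verdict is spam, clear or pass."""
    total, hits = 0, []
    fields = {"subject": subject, "body": body}
    for entry in entries:
        if entry.status != "enable":
            continue
        scope = fields.values() if entry.where == "all" else [fields[entry.where]]
        regex = compile_entry(entry)
        if not any(regex.search(text) for text in scope):
            continue
        if entry.action == "clear":          # assumption: a clear match allows the mail
            return ("clear", total, hits)
        total += entry.score                 # counted once per entry, not per occurrence
        hits.append(entry.pattern)
    return ("spam" if total > threshold else "pass", total, hits)


def sample_bword_entries():
    """Constructed banned-word list (not from the page)."""
    return [
        BannedWord("/free money/i", "regexp", score=15),         # case insensitive
        BannedWord("/Viagra/", "regexp", score=10),              # case sensitive
        BannedWord("*lottery*", "wildcard", score=10, where="subject"),
        BannedWord("newsletter", "wildcard", score=0, action="clear"),
    ]


if __name__ == "__main__":
    entries = sample_bword_entries()
    print(score_message(entries, "You won the LOTTERY",
                        "Free Money free money viagra", threshold=20))
```

In the first sample message the case-insensitive /free money/i entry scores 15 only once despite two occurrences, the subject-only wildcard adds 10, and the case-sensitive /Viagra/ entry does not fire on the lowercase word, so the total of 25 exceeds the constructed threshold of 20.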
dnsbl
Use this command to configure email filtering using DNS-based Blackhole List (DNSBL) or Open Relay Database List (ORDBL) servers. DNSBL and ORDBL settings are configured with this command, but DNSBL and ORDBL filtering is enabled within each profile.
The FortiGate email filters are generally applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4. Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit compares the IP address or domain name of the sender to any database lists configured in
sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the
next email filter.
Some spammers use unsecured third party SMTP servers to send unsolicited bulk email. Using DNSBLs and
ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers
that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass
through.
There are several free and subscription servers available that provide reliable access to continually updated DNSBLs
and ORDBLs. Please check with the service being used to confirm the correct domain name for connecting to the
server.
Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL
server, it must be able to look up this name on the DNS server. For information on configuring
DNS, see “system dns” on page 431.
Syntax
config spamfilter dnsbl
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <server_int>
                set action {reject | spam}
                set server <fqdn>
                set status {enable | disable}
end
<list_int>
    A unique number to identify the DNSBL list.
<list_str>
    The name of the DNSBL header list.
<comment_str>
    The comment attached to the DNSBL header list.
<server_int>
    A unique number to identify the DNSBL server.
action {reject | spam}
    Enter reject to stop any further processing of the current session and to drop an incoming connection at once. Enter spam to identify email as spam.
    Default: spam
server <fqdn>
    Enter the domain name of a DNSBL server or an ORDBL server.
    Default: No default.
status {enable | disable}
    Enable or disable querying the server named in the server string.
    Default: enable
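How a DNSBL lookup is formed and how the entries list above is walked, as an added example written for this page (not FortiOS code). The page says the lists act as domain name servers matched against the sender's address; the standard way that works, per RFC 5782, is to reverse the dotted octets of the sender's IPv4 address, append the list's domain name, and treat a successful resolution (usually to 127.0.0.x) as "listed" and NXDOMAIN as "not listed". Servers are consulted in entry order and the first listing decides between reject and spam. The resolver, the listed addresses and the entries are constructed stand-ins; no network traffic is generated.

```python
"""How a DNSBL/ORDBL lookup is formed and how the entries list is applied.

Added example, not FortiOS code.  A DNSBL is queried by reversing the dotted
octets of the sender's IPv4 address and appending the list's domain name (the
standard DNSBL convention of RFC 5782); a listed address resolves, usually
to 127.0.0.x, an unlisted one returns NXDOMAIN.  Servers are consulted in
entry order and the first listing decides between reject and spam.  The
resolver, the listed addresses and the entries below are constructed; no
network traffic is generated.
"""
import ipaddress


def dnsbl_query_name(sender_ip: str, server_fqdn: str) -> str:
    """'203.0.113.5' on 'dnsbl.example' -> '5.113.0.203.dnsbl.example'."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")   # validates the address
    return ".".join(reversed(octets)) + "." + server_fqdn


# Constructed stand-in for DNS: names that resolve, with their A records.
FAKE_ZONE = {
    "5.113.0.203.dnsbl.example": "127.0.0.2",
    "9.100.51.198.ordbl.example": "127.0.0.3",
}


def fake_resolve(name: str):
    """Return the A record, or None to represent NXDOMAIN."""
    return FAKE_ZONE.get(name)


def check_sender(entries, sender_ip: str, resolver=fake_resolve) -> str:
    """entries mirror 'config entries': dicts with server, action and status.

    Returns 'reject' or 'spam' from the first enabled server that lists the
    sender, or 'next-filter' when none does (the mail goes to the next filter).
    """
    for entry in entries:
        if entry.get("status", "enable") != "enable":
            continue
        if resolver(dnsbl_query_name(sender_ip, entry["server"])) is not None:
            return entry["action"]
    return "next-filter"


def sample_dnsbl_entries():
    """Constructed list in the shape of config spamfilter dnsbl entries."""
    return [
        {"server": "dnsbl.example", "action": "reject"},
        {"server": "ordbl.example", "action": "spam"},
    ]


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.1"):
        print(ip, "->", check_sender(sample_dnsbl_entries(), ip))
```

Because the query name is built from the list's domain, the note above about the FortiGate unit needing to resolve that name through its configured DNS server applies to every lookup: a resolver that cannot reach the list domain behaves as if nothing were listed.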
emailbwl
Use this command to filter email based on the sender’s email address or address pattern.
The FortiGate email filters are applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4. Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address
or domain of the sender to the list in sequence. If a match is found, the corresponding action is taken. If no match is
found, the email is passed on to the next email filter.
The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net). Each email
address can be marked as clear or spam.
Use Perl regular expressions or wildcards to add email address patterns to the list.
Syntax
config spamfilter emailbwl
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <email_int>
                set action {clear | spam}
                set email-pattern <email_str>
                set pattern-type {regexp | wildcard}
                set status {enable | disable}
end
<list_int>
    A unique number to identify the email black/white list.
<list_str>
    The name of the email black/white list.
<comment_str>
    The comment attached to the email black/white list.
<email_int>
    A unique number to identify the email pattern.
action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the profile.
    Default: spam
email-pattern <email_str>
    Enter the email address pattern using wildcards or Perl regular expressions.
pattern-type {regexp | wildcard}
    Enter the pattern-type for the email address. Choose from wildcards or Perl regular expressions.
    Default: wildcard
status {enable | disable}
    Enable or disable scanning for each email address.
    Default: enable
fortishield
Use this command to configure the settings for the FortiGuard-Antispam Service.
The FortiGate email filters are applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4. Banned word check
For SMTP, POP3, and IMAP
FortiGuard-Antispam Service is an antispam system from Fortinet that includes an IP address black list, a URL black list, and email filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam. The URL black list contains URLs found in spam email.
FortiGuard-Antispam Service compiles the IP address and URL list from email captured by spam probes located
around the world. Spam probes are email addresses purposely configured to attract spam and identify known spam
sources to create the antispam IP address and URL list. FortiGuard-Antispam Service combines IP address and URL
checks with other email filter techniques in a two-pass process.
On the first pass, if spamfsip is selected in the profile, FortiGuard-Antispam Service extracts the SMTP mail server
source address and sends the IP address to a FortiGuard-Antispam Service server to see if this IP address matches
the list of known spammers. If spamfsurl is selected in the profile, FortiGuard-Antispam Service checks the body of
email messages to extract any URL links. These URL links will be sent to a FortiGuard-Antispam Service server to see
if any of them is listed. Typically spam messages contain URL links to advertisements (also called spamvertizing).
If an IP address or URL match is found, FortiGuard-Antispam Service terminates the session. If FortiGuard-Antispam
Service does not find a match, the mail server sends the email to the recipient.
As each email is received, FortiGuard-Antispam Service performs the second antispam pass by checking the header,
subject, and body of the email for common spam content. If FortiGuard-Antispam Service finds spam content, the
email is tagged or dropped.
Syntax
config spamfilter fortishield
    set spam-submit-force {enable | disable}
    set spam-submit-srv <url_str>
    set spam-submit-txt2htm {enable | disable}
end
spam-submit-force {enable | disable}
    Enable or disable force insertion of a new mime entity for the submission text.
    Default: enable
spam-submit-srv <url_str>
    The host name of the FortiGuard-Antispam Service server. The FortiGate unit comes preconfigured with the host name. Use this command only to change the host name.
    Default: www.nospammer.net
spam-submit-txt2htm {enable | disable}
    Enable or disable converting text email to HTML.
    Default: enable
ipbwl
Use this command to filter email based on the IP or subnet address.
The FortiGate email filters are generally applied in the following order:
For SMTP
1. IP address BWL check - Last hop IP
2. DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3. E-mail address BWL check
4. MIME headers check
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7. Banned word check
For POP3 and IMAP
1. E-mail address BWL check
2. MIME headers check, IP BWL check
3. Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4. Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP address of the
sender to the list in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is
passed on to the next email filter.
Enter an IP address and mask in one of two formats:
• x.x.x.x/x.x.x.x, for example 192.168.10.23/255.255.255.0
• x.x.x.x/x, for example 192.168.10.23/24
Configure the FortiGate unit to filter email from specific IP addresses. Mark each IP address as clear, spam, or reject.
Filter single IP addresses, or a range of addresses at the network level by configuring an address and mask.
Syntax
config spamfilter ipbwl
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <address_int>
                set action {clear | reject | spam}
                set addr-type {ipv4 | ipv6}
                set ip4-subnet {<address_ipv4mask>}
                set ip6-subnet {<address_ipv6mask>}
                set status {enable | disable}
end
<list_int>
    A unique number to identify the IP black/white list.
<list_str>
    The name of the IP black/white list.
<comment_str>
    The comment attached to the IP black/white list.
<address_int>
    A unique number to identify the address.
action {clear | reject | spam}
    Enter clear to exempt the email from the rest of the email filters. Enter reject to drop any current or incoming sessions. Enter spam to apply the spam action.
    Default: spam
addr-type {ipv4 | ipv6}
    Select whether IPv4 or IPv6 addresses will be used.
    Default: ipv4
ip4-subnet {<address_ipv4mask>}
    The trusted IPv4 IP address and subnet mask in the format 192.168.10.23 255.255.255.0 or 192.168.10.23/24.
    Default: No default
ip6-subnet {<address_ipv6mask>}
    The trusted IPv6 IP address. This is available when addr-type is ipv6.
    Default: No default
status {enable | disable}
    Enable or disable scanning email for each IP address.
    Default: enable
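The sequential IP black/white list matching described in this section, as an added model written for this page (example code, not FortiOS code): entries are checked in order against the sender's IP address, the first enabled entry whose subnet contains it decides the action (clear, reject or spam), and otherwise the message continues to the next email filter. Both address/mask formats from the page are accepted, 192.168.10.23/255.255.255.0 and 192.168.10.23/24, along with the space-separated form shown in the table. The entries and sender addresses are constructed.

```python
"""Model of spamfilter ipbwl (IP black/white list) matching.

Added example, not FortiOS code.  Entries are checked in sequence against the
sender's IP address; the first enabled entry whose subnet contains it decides
the action (clear, reject or spam), otherwise the message continues to the
next email filter.  Both address/mask formats from the page are accepted,
192.168.10.23/255.255.255.0 and 192.168.10.23/24, plus the space-separated
form shown in the table.  The entries and sender addresses are constructed.
"""
import ipaddress


def parse_subnet(text: str):
    """Accept 'a.b.c.d/len', 'a.b.c.d/m.m.m.m', 'a.b.c.d m.m.m.m' or an IPv6 prefix."""
    text = text.strip().replace(" ", "/")
    return ipaddress.ip_network(text, strict=False)   # strict=False tolerates host bits


def ipbwl_action(entries, sender_ip: str) -> str:
    """First matching entry wins; returns clear | reject | spam | next-filter."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in entries:
        if entry.get("status", "enable") != "enable":
            continue
        key = "ip6-subnet" if entry.get("addr-type", "ipv4") == "ipv6" else "ip4-subnet"
        net = parse_subnet(entry[key])
        if ip.version == net.version and ip in net:
            return entry["action"]
    return "next-filter"


def sample_ipbwl_entries():
    """Constructed list in the shape of config spamfilter ipbwl entries."""
    return [
        {"ip4-subnet": "203.0.113.5/32", "action": "clear"},               # one trusted host...
        {"ip4-subnet": "203.0.113.0/24", "action": "reject"},              # ...inside a rejected block
        {"ip4-subnet": "192.168.10.23/255.255.255.0", "action": "clear"},  # dotted-mask form
        {"ip4-subnet": "198.51.100.77/32", "action": "spam", "status": "disable"},
        {"addr-type": "ipv6", "ip6-subnet": "2001:db8::/32", "action": "spam"},
    ]


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.200", "192.168.10.99", "2001:db8::1", "8.8.8.8"):
        print(ip, "->", ipbwl_action(sample_ipbwl_entries(), ip))
```

The first two constructed entries show why order matters: the /32 clear entry must precede the /24 reject entry, or the trusted host would be rejected with the rest of its block.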
iptrust
Use this command to add an entry to a list of trusted IP addresses.
If the FortiGate unit sits behind a company’s Mail Transfer Units, it may be unnecessary to check email IP addresses
because they are internal and trusted. The only IP addresses that need to be checked are those from outside of the
company. In some cases, external IP addresses may be added to the list if it is known that they are not sources of
spam.
Syntax
config spamfilter iptrust
    edit <list_int>
        set name <list_str>
        set comment <comment_str>
        config entries
            edit <address_int>
                set addr-type {ipv4 | ipv6}
                set ip4-subnet {<address_ipv4mask>}
                set ip6-subnet {<address_ipv6mask>}
                set status {enable | disable}
end
<list_int>
    A unique number to identify the IP trust list.
<list_str>
    The name of the IP trust list.
<comment_str>
    The comment attached to the IP trust list.
<address_int>
    A unique number to identify the address.
addr-type {ipv4 | ipv6}
    Select whether IPv4 or IPv6 addresses will be used.
    Default: ipv4
ip4-subnet {<address_ipv4mask>}
    The trusted IPv4 IP address and subnet mask in the format 192.168.10.23 255.255.255.0 or 192.168.10.23/24.
    Default: No default
ip6-subnet {<address_ipv6mask>}
    The trusted IPv6 IP address. This is available when addr-type is ipv6.
    Default: No default
status {enable | disable}
    Enable or disable the IP address.
    Default: enable
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
spamfilter
mheader
mheader
Use this command to configure email filtering based on the MIME header. MIME header settings are configured with
this command but MIME header filtering is enabled within each profile.
The FortiGate email filters are applied in the following order:
For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7 Banned word check
For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, FortiGuard Antispam check, DNSBL & ORDBL check
4 Banned word check
For SMTP, POP3, and IMAP
The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match
is found, the corresponding action is taken. If no match is found, the email is passed on to the next email filter.
MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and content
encoding, such as the type of text in the email body or the program that generated the email. Some examples of
MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content-Type: text/html
• Content-Type: image/jpg
The first part of the MIME header is called the header key, or just header. The second part is called the value.
Spammers often insert comments into header values or leave them blank. These malformed headers can fool some
spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are
common in spam messages. Mark the email as spam or clear for each header configured.
Use Perl regular expressions or wildcards to add MIME header patterns to the list.
MIME header entries are case sensitive.
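The comparison described above, as an added Python model that is not code from the reference or from FortiOS: a MIME header list is walked in list order, the first enabled entry whose field name and field body both match decides clear or spam, bodies are compared case-sensitively (wildcard or Perl-style regular expression according to pattern-type), and a message that matches nothing is handed to the next email filter. The list entries, the sample messages and the "next-filter" result value are constructed for illustration.

```python
import re
from email.parser import Parser
from fnmatch import fnmatchcase

# Constructed MIME header list: each dict mirrors one 'config entries' item of
# 'config spamfilter mheader'. The values are illustrative, not from the reference.
MHEADER_LIST = [
    {"id": 1, "fieldname": "X-Distribution", "fieldbody": "bulk",
     "pattern-type": "wildcard", "action": "spam", "status": "enable"},
    {"id": 2, "fieldname": "X-Mailer", "fieldbody": "outgluck*",
     "pattern-type": "wildcard", "action": "spam", "status": "enable"},
    {"id": 3, "fieldname": "List-Unsubscribe",
     "fieldbody": r"^<mailto:[^>]+@example\.com>$",
     "pattern-type": "regexp", "action": "clear", "status": "enable"},
    {"id": 4, "fieldname": "Content-Type", "fieldbody": "text/html*",
     "pattern-type": "wildcard", "action": "spam", "status": "disable"},
]


def body_matches(entry, value):
    """Case-sensitive comparison of one header body against the entry's pattern."""
    if entry["pattern-type"] == "wildcard":
        return fnmatchcase(value, entry["fieldbody"])        # '*' and '?' wildcards
    return re.search(entry["fieldbody"], value) is not None  # Perl-style regexp


def mheader_check(raw_message, entries=MHEADER_LIST):
    """Walk the list in order and return (action, entry id) for the first enabled
    entry whose field name and body both match. ('next-filter', None) means no
    entry matched, so the email is passed on to the next email filter."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    headers = [(name, str(value).strip()) for name, value in msg.items()]
    for entry in entries:
        if entry["status"] != "enable":
            continue
        for name, value in headers:
            # header names are compared exactly: 'X-Mailer' is not 'x-mailer'
            if name == entry["fieldname"] and body_matches(entry, value):
                return entry["action"], entry["id"]
    return "next-filter", None


# Constructed sample messages; only the header block matters for this filter.
BULK_MSG = "X-Mailer: outgluck 2.0\nX-Distribution: bulk\nSubject: hi\n\nbody\n"
CLEAN_MSG = "X-Mailer: Thunderbird\nContent-Type: text/html; charset=utf-8\n\nbody\n"
CASE_MSG = "X-Distribution: Bulk\n\nbody\n"
LIST_MSG = "List-Unsubscribe: <mailto:leave@example.com>\nX-Mailer: Thunderbird\n\nbody\n"
ORDER_MSG = "X-Mailer: outgluck\nList-Unsubscribe: <mailto:leave@example.com>\n\nbody\n"

if __name__ == "__main__":
    for label, message in [("bulk", BULK_MSG), ("clean", CLEAN_MSG),
                           ("case", CASE_MSG), ("list", LIST_MSG), ("order", ORDER_MSG)]:
        print(label, mheader_check(message))
```

ORDER_MSG shows why entry order matters: entry 2 marks it spam before the clear rule in entry 3 is ever consulted, so an exemption (clear) must sit above the spam rules it is meant to override. CASE_MSG shows the case-sensitivity rule: "Bulk" does not match the pattern "bulk".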
Syntax
config spamfilter mheader
edit <list_int>
set name <list_str>
set comment <comment_str>
config entries
edit <mime_int>
set action {clear | spam}
set fieldbody <mime_str>
set fieldname <mime_str>
set pattern-type {regexp | wildcard}
set status {enable | disable}
end
end
Variable / Description / Default
<list_int>
    A unique number to identify the MIME header list.
<list_str>
    The name of the MIME header list.
<comment_str>
    The comment attached to the MIME header list.
<mime_int>
    A unique number to identify the MIME header.
action {clear | spam}
    Enter clear to exempt the email from the rest of the email filters. Enter spam to apply the spam action.
    Default: spam
fieldbody <mime_str>
    Enter the MIME header field body (the value part of the key-value pair) using wildcards or Perl regular expressions.
    Default: No default.
fieldname <mime_str>
    Enter the MIME header field name (the key part of the key-value pair) using wildcards or Perl regular expressions. Do not include a trailing colon.
    Default: No default.
pattern-type {regexp | wildcard}
    Enter the pattern-type for the MIME header. Choose from wildcards or Perl regular expressions.
    Default: wildcard
status {enable | disable}
    Enable or disable scanning email headers for the MIME header field name and field body defined in the fieldname and fieldbody strings.
    Default: enable

options
Use this command to set the spamfilter DNS query timeout.
Syntax
config spamfilter options
set dns-timeout <timeout_int>
end
Variable / Description / Default
dns-timeout <timeout_int>
    Set the DNS query timeout in the range 1 to 30 seconds.
    Default: 7

profile
Use this command to configure UTM email filtering profiles for firewall policies. Email filtering profiles configure how
email filtering and FortiGuard Antispam are applied to sessions accepted by a firewall policy that includes the email
filtering profile.
Syntax
config spamfilter profile
edit <name_str>
set comment <comment_str>
set spam-log {disable | enable}
set spam-bword-threshold <value_int>
set spam-bword-table <index_int>
set spam-emaddr-table <index_int>
set spam-filtering {enable | disable}
set spam-ipbwl-table <index_int>
set spam-iptrust-table <index_int>
set spam-mheader-table <index_int>
set spam-rbl-table <index_int>
set options {bannedword | spamemailbwl | spamfschksum | spamfsip | spamfsphish |
spamfssubmit | spamfsurl | spamhdrcheck | spamipbwl | spamraddrdns | spamrbl}
config {imap | imaps | pop3 | pop3s | smtp | smtps}
set action {discard | pass | tag}
set log {enable | disable}
set tag-type {subject | header} [spaminfo]
set tag-msg <message_str>
set hdrip {disable | enable}
set local-override {enable | disable}
end
config {gmail | msn-hotmail | yahoo-mail}
set log {enable | disable}
end
end
Variable / Description / Default
<name_str>
    Enter the name of the email filtering profile.
comment <comment_str>
    Optionally enter a description of up to 63 characters of the email filter profile.
spam-log {disable | enable}
    Enable or disable logging for email filtering.
    Default: disable
spam-bword-threshold <value_int>
    If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting.
    Default: 10
spam-bword-table <index_int>
    Enter the ID number of the email filter banned word list to be used.
    Default: 0
spam-emaddr-table <index_int>
    Enter the ID number of the email filter email address list to be used.
    Default: 0
spam-filtering {enable | disable}
    Enable or disable spam filtering.
    Default: disable
spam-ipbwl-table <index_int>
    Enter the ID number of the email filter IP address black/white list to be used with the profile.
    Default: 0
spam-iptrust-table <index_int>
    Enter the ID number of the email filter IP trust list to be used with the profile.
    Default: 0
spam-mheader-table <index_int>
    Enter the ID number of the email filter MIME header list to be used with the profile.
    Default: 0
spam-rbl-table <index_int>
    Enter the ID number of the email filter DNSBL list to be used with the profile.
    Default: 0
options {bannedword | spamemailbwl | spamfschksum | spamfsip | spamfsphish | spamfssubmit | spamfsurl | spamhdrcheck | spamipbwl | spamraddrdns | spamrbl}
    Select actions, if any, the FortiGate unit will perform with email traffic.
    bannedword — block email containing content in the banned word list.
    spamemailbwl — filter email using the email filtering black/white list.
    spamfsphish — detect phishing URLs in email.
    spamfsip — filter email using the FortiGuard Antispam filtering IP address blacklist.
    spamfssubmit — add a link to the message body allowing users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to report the false positive.
    spamfsurl — filter email using the FortiGuard Antispam filtering URL blacklist.
    spamhdrcheck — filter email using the MIME header list.
    spamipbwl — filter email using the IP address black/white list.
    spamraddrdns — filter email using a return email DNS check.
    spamrbl — filter email using configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: spamfssubmit
config {imap | imaps | pop3 | pop3s | smtp | smtps}
Configure spam filtering options for the IMAP, IMAPS, POP3, POP3S, SMTP, and SMTPS email protocols.
Variable / Description / Default
action {discard | pass | tag}
    Select the action that this profile uses for filtered email. Tagging appends custom text to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is selected, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag spam.
    discard — do not pass email identified as spam.
    pass — disable spam filtering.
    tag — tag spam email with text configured using the tag-msg option and the location set using the tag-type option.
    Default: discard
log {enable | disable}
    Enable or disable logging.
    Default: disable
tag-type {subject | header} [spaminfo]
    Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure tag-msg.
    If you select to add the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding.
    Default: subject spaminfo
tag-msg <message_str>
    Enter a word or phrase (tag) to affix to email identified as spam.
    When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tagging text using other encodings may not be accepted.
    To correctly enter the tag, your SSH or telnet client must also support your language’s encoding. Alternatively, you can use the web-based manager’s CLI widget to enter the tag.
    Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
    Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (') to be accepted by the CLI.
    Default: Spam
hdrip {disable | enable}
    For smtp and smtps. Select to check header IP addresses for spamfsip, spamrbl, and spamipbwl filters.
    Default: disable
local-override {enable | disable}
    For smtp and smtps. Select to override SMTP or SMTPS remote check, which includes IP RBL check, IP FortiGuard antispam check, and HELO DNS check, with the locally defined black/white antispam list.
    Default: disable
config {gmail | msn-hotmail | yahoo-mail}
Configure spam filtering options for GMail, MSN Hotmail, or Yahoo mail.
Variable / Description / Default
log {enable | disable}
    Enable or disable logging.
    Default: disable
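The per-protocol action, tag-type and tag-msg settings described above, as an added Python sketch that is not code from the reference or from FortiOS. It models what happens to a message already identified as spam: pass leaves it untouched, discard (or any action while scan/streaming mode is active) drops it, and tag affixes the tag to the subject line or to a header, with the 64-byte limit checked on the encoded tag rather than on its character count. The header name X-Spam-Tag, the sample message and the spam-information text are assumptions for illustration; the UTF-8 conversion of the subject line is not modelled.

```python
TAG_MAX_BYTES = 64


def tag_byte_length(tag_msg, encoding="utf-8"):
    """Byte length of a tag in the administrator's encoding (UTF-8 assumed here).
    The 64-byte limit counts bytes, so the allowed character count varies."""
    return len(tag_msg.encode(encoding))


def apply_spam_action(raw_message, action, tag_type="subject", spaminfo=True,
                      tag_msg="Spam", splice=False, info=None):
    """Return None when the message is discarded, otherwise the (possibly
    tagged) message text. 'X-Spam-Tag' is an assumed header name; the
    reference does not name the header used for tag-type header."""
    if action == "pass":                 # pass disables spam filtering entirely
        return raw_message
    if action == "discard" or splice:
        # discard drops the connection; in scan/streaming (splice) mode the
        # unit can only discard, whatever action is configured
        return None
    if action != "tag":
        raise ValueError(f"unknown action {action!r}")
    n = tag_byte_length(tag_msg)
    if n > TAG_MAX_BYTES:
        raise ValueError(f"tag is {n} bytes; limit is {TAG_MAX_BYTES}")
    head, sep, body = raw_message.partition("\n\n")
    lines = head.split("\n")
    if tag_type == "subject":
        for i, line in enumerate(lines):
            if line.lower().startswith("subject:"):
                lines[i] = f"Subject: {tag_msg} {line[len('Subject:'):].strip()}"
                break
        else:
            lines.append(f"Subject: {tag_msg}")   # no Subject header: add one
    else:
        # spaminfo appends the spam information to the tag header
        value = f"{tag_msg} ({info})" if spaminfo and info else tag_msg
        lines.append(f"X-Spam-Tag: {value}")
    return "\n".join(lines) + sep + body


# Constructed sample message.
SAMPLE = "From: sender@example.com\nSubject: Invoice\n\nHello\n"

if __name__ == "__main__":
    print(apply_spam_action(SAMPLE, "tag"))
    print(apply_spam_action(SAMPLE, "tag", tag_type="header", info="constructed: DNSBL hit"))
    print(tag_byte_length("Spam"), tag_byte_length("スパム"))
```

The last print illustrates the encoding caveat from the tag-msg description: a four-letter ASCII tag is 4 bytes, while a three-character Japanese tag is 9 bytes in UTF-8, so the number of characters that fit under the 64-byte limit depends on the administrator language encoding.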
system
Use system commands to configure options related to the overall operation of the FortiGate unit. This
chapter contains the following sections:
3g-modem custom
accprofile
admin
alertemail
amc
arp-table
auto-install
autoupdate clientoverride
autoupdate override
autoupdate push-update
autoupdate schedule
autoupdate tunneling
aux
bug-report
bypass
central-management
console
ddns
dhcp reserved-address
dhcp server
dhcp6 server
dns
dns-database
dns-server
elbc
fips-cc
fortiguard
fortiguard-log
gi-gk
global
gre-tunnel
ha
interface
ipv6-tunnel
mac-address-table
modem
monitors
npu
ntp
object-tag
password-policy
port-pair
proxy-arp
pstn
replacemsg admin
replacemsg alertmail
replacemsg auth
replacemsg ec
replacemsg fortiguard-wf
replacemsg ftp
replacemsg http
replacemsg im
replacemsg mail
replacemsg mm1
replacemsg mm3
replacemsg mm4
replacemsg mm7
replacemsg-group
replacemsg-image
replacemsg nac-quar
replacemsg nntp
replacemsg spam
replacemsg sslvpn
replacemsg traffic-quota
replacemsg webproxy
resource-limits
session-helper
session-sync
session-ttl
settings
sit-tunnel
sflow
snmp community
snmp sysinfo
snmp user
sp
storage
switch-interface
tos-based-priority
vdom-dns
vdom-link
vdom-property
vdom-sflow
wccp
zone
3g-modem custom
Use this command to configure the FortiGate unit for an installed 3G wireless PCMCIA modem.
Syntax
config system 3g-modem custom
edit <entry_id>
set vendor <vendor_str>
set model <model_str>
set product-id <pid_hex>
set vendor-id <vid_hex>
set class-id <cid_hex>
set init-str <init_str>
end
Variable / Description / Default
vendor <vendor_str>
    Enter the vendor name.
model <model_str>
    Enter the modem model name.
product-id <pid_hex>
    Enter the USB product ID. Valid range is 0x0000 - 0xFFFF.
vendor-id <vid_hex>
    Enter the USB vendor ID. Valid range is 0x0000 - 0xFFFF.
class-id <cid_hex>
    Enter the USB interface class. Valid range is 0x00 - 0xFF.
init-str <init_str>
    Enter the initialization string in hexadecimal format, even length.

accprofile
Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate
administrator account must include an access profile. You can create access profiles that deny access, allow read
only, or allow both read and write access to FortiGate features.
You cannot delete or modify the super_admin access profile, but you can use the super_admin profile with more than
one administrator account.
Syntax
config system accprofile
edit <profile-name>
set menu-file <filedata>
set scope {global | vdom}
set <access-group> <access-level>
config fwgrp-permission
set address {none | read | read-write}
set others {none | read | read-write}
set policy {none | read | read-write}
set profile {none | read | read-write}
set schedule {none | read | read-write}
set service {none | read | read-write}
end
config loggrp-permission
set config {none | read | read-write}
set data-access {none | read | read-write}
end
config utmgrp-permission
set antivirus {none | read | read-write}
set application-control {none | read | read-write}
set data-loss-prevention {none | read | read-write}
set icap {none | read | read-write}
set ips {none | read | read-write}
set netscan {none | read | read-write}
set spamfilter {none | read | read-write}
set webfilter {none | read | read-write}
end
end
Variable / Description / Default
edit <profile-name>
    Enter a new profile name to create a new profile. Enter an existing profile name to edit that profile.
    Default: No default.
menu-file <filedata>
    Enter the name of the base64-encoded file of data to configure the menu display on the FortiGate unit. For future use.
    Default: No default.
scope {global | vdom}
    Enter the scope of administrator access: global or a single VDOM.
    Default: vdom
<access-group>
    Enter the feature group for which you are configuring access:
    admingrp: administrator accounts and access profiles
    authgrp: user authentication, including local users, RADIUS servers, LDAP servers, and user groups
    endpointcontrol-grp: endpoint control (Endpoint NAC) configuration
    fwgrp: firewall configuration
    loggrp: log and report configuration including log settings, viewing logs and alert email settings; execute batch commands
    mntgrp: maintenance commands: reset to factory defaults, format log disk, reboot, restore and shutdown
    netgrp: interfaces, dhcp servers, zones; get system status, get system arp table, config system arp-table, execute dhcp lease-list, execute dhcp lease-clear
    routegrp: router configuration
    sysgrp: system configuration except accprofile, admin and autoupdate
    updategrp: FortiGuard antivirus and IPS updates, manual and automatic
    utmgrp: UTM configuration
    vpngrp: VPN configuration
    wanoptgrp: WAN optimization configuration
    wifi: WiFi configuration
    Default: No default.
<access-level>
    Enter the level of administrator access to this feature:
    custom: configures custom access for fwgrp, loggrp or utmgrp access selections only
    none: no access
    read: read-only access
    read-write: read and write access
    Default: none
config fwgrp-permission fields. Available if fwgrp is set to custom.
address {none | read | read-write}
    Enter the level of administrator access to firewall addresses.
    Default: none
others {none | read | read-write}
    Enter the level of administrator access to virtual IP configurations.
    Default: none
policy {none | read | read-write}
    Enter the level of administrator access to firewall policies.
    Default: none
profile {none | read | read-write}
    Enter the level of administrator access to firewall profiles.
    Default: none
schedule {none | read | read-write}
    Enter the level of administrator access to firewall schedules.
    Default: none
service {none | read | read-write}
    Enter the level of administrator access to firewall service definitions.
    Default: none
config loggrp-permission fields. Available if loggrp is set to custom.
config {none | read | read-write}
    Enter the level of administrator access to the logging configuration.
    Default: none
data-access {none | read | read-write}
    Enter the level of administrator access to the log data.
    Default: none
config utmgrp-permission fields. Available if utmgrp is set to custom.
antivirus {none | read | read-write}
    Enter the level of administrator access to antivirus configuration data.
    Default: none
application-control {none | read | read-write}
    Enter the level of administrator access to application control data.
    Default: none
data-loss-prevention {none | read | read-write}
    Enter the level of administrator access to data loss prevention (DLP) data.
    Default: none
icap {none | read | read-write}
    Enter the level of administrator access to Internet Content Adaptation Protocol configuration.
    Default: none
ips {none | read | read-write}
    Enter the level of administrator access to intrusion prevention (IPS) data.
    Default: none
netscan {none | read | read-write}
    Enter the level of administrator access to network scans.
    Default: none
spamfilter {none | read | read-write}
    Enter the level of administrator access to spamfilter data.
    Default: none
webfilter {none | read | read-write}
    Enter the level of administrator access to web filter data.
    Default: none
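How an access profile resolves to an effective permission, as an added Python model that is not code from the reference or from FortiOS. It encodes the rules the tables above state: every feature group not set is none, custom is accepted only for fwgrp, loggrp and utmgrp, the fwgrp-permission, loggrp-permission and utmgrp-permission sub-fields only apply when their group is custom, and a non-custom group ignores sub-field settings. The fw_operator profile is constructed as a least-privilege example; treating super_admin as full read-write access is an assumption, since the reference only says it cannot be modified.

```python
LEVELS = ("none", "read", "read-write")

# Groups that accept the 'custom' level, and the sub-permissions each exposes
# under config fwgrp-permission / loggrp-permission / utmgrp-permission.
CUSTOM_GROUPS = {
    "fwgrp": ("address", "others", "policy", "profile", "schedule", "service"),
    "loggrp": ("config", "data-access"),
    "utmgrp": ("antivirus", "application-control", "data-loss-prevention",
               "icap", "ips", "netscan", "spamfilter", "webfilter"),
}


def validate_profile(profile):
    """Reject combinations the CLI would not accept: 'custom' only on fwgrp,
    loggrp and utmgrp, and sub-permissions only for a group set to custom."""
    groups = profile.get("groups", {})
    for group, level in groups.items():
        if level == "custom" and group not in CUSTOM_GROUPS:
            raise ValueError(f"{group} does not support the custom level")
        if level not in LEVELS + ("custom",):
            raise ValueError(f"bad access level {level!r} for {group}")
    for group, fields in profile.get("custom", {}).items():
        if groups.get(group) != "custom":
            raise ValueError(f"{group}-permission given but {group} is not custom")
        for field, level in fields.items():
            if field not in CUSTOM_GROUPS[group] or level not in LEVELS:
                raise ValueError(f"bad sub-permission {field}={level} for {group}")
    return True


def effective_access(profile, group, field=None):
    """Level an administrator with this profile gets for one feature group (or
    one sub-permission of a custom group). Anything not set is 'none', the
    default for <access-level>. super_admin is assumed to be full access."""
    if profile.get("name") == "super_admin":
        return "read-write"
    level = profile.get("groups", {}).get(group, "none")
    if level != "custom":
        return level                        # sub-field settings do not apply
    return profile.get("custom", {}).get(group, {}).get(field, "none")


def can_write(profile, group, field=None):
    return effective_access(profile, group, field) == "read-write"


# Constructed least-privilege profile: maintains firewall policies and
# addresses, may read logs, and gets nothing else (all other groups default to none).
FW_OPERATOR = {
    "name": "fw_operator",
    "scope": "vdom",
    "groups": {"fwgrp": "custom", "loggrp": "read"},
    "custom": {"fwgrp": {"policy": "read-write", "address": "read-write",
                         "others": "none"}},
}
SUPER_ADMIN = {"name": "super_admin"}

if __name__ == "__main__":
    validate_profile(FW_OPERATOR)
    for group, field in [("fwgrp", "policy"), ("fwgrp", "service"),
                         ("loggrp", "data-access"), ("sysgrp", None)]:
        print(group, field, effective_access(FW_OPERATOR, group, field))
```

The point of the model is the default direction: a profile only grants what it names, so an operator who needs policy changes gets read-write on policy and address alone and stays at none for sysgrp, admingrp and routegrp, rather than receiving read-write on the whole fwgrp.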
admin
Use this command to add, edit, and delete administrator accounts. Administrators can control what data modules
appear in the FortiGate unit system dashboard by using the config system admin command. Administrators
must have read and write privileges to make dashboard web-based manager modifications.
Use the default admin account or an account with system configuration read and write privileges to add new
administrator accounts and control their permission levels. Each administrator account except the default admin
must include an access profile. You cannot delete the default super admin account or change the access profile
(super_admin). In addition, there is also an access profile that allows read-only super admin privileges,
super_admin_readonly. The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin
profile. This read-only super-admin may be used in a situation where it is necessary to troubleshoot a customer
configuration without making changes.
You can authenticate administrators using a password stored on the FortiGate unit or you can use a RADIUS server to
perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you
can allow any account on the RADIUS server to access the FortiGate unit as an administrator.
For users with super_admin access profile, you can reset the password in the CLI.
For a user ITAdmin with the access profile super_admin, to set the password to 123456:
config system admin
edit ITAdmin
set password 123456
end
For a user ITAdmin with the access profile super_admin, to reset the password from 123456 to the
default ‘empty’ or ‘null’:
config system admin
edit ITAdmin
unset password 123456
end
If you type ‘set password ?’ in the CLI, you will have to enter the new password and the old
password in order for the change to be effective. In this case, you will NOT be able to reset the
password to ‘empty’ or ‘null’.
You can configure an administrator to only be allowed to log in at certain times. The default setting allows
administrators to log in any time.
A vdom/access profile override feature supports authentication of administrators via RADIUS. The admin user will
have access depending on which vdom they are restricted to and their associated access profile. This feature is only
available to wildcard admins. There can only be one vdom-override user per system.
You can define trusted hosts for all of your administrators to increase the security of your network by further
restricting administrative access. When you set trusted hosts for all administrators, the FortiGate unit does not
respond to administrative access attempts from any other hosts. The trusted hosts you define apply both to the
web-based manager and to the CLI when accessed through Telnet or SSH. CLI access through the console connector is
not affected.
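The trusted-host check described above and the trusted-IP check of spamfilter iptrust earlier in this reference both come down to the same test, whether an address falls inside a configured subnet, so one added Python example serves both. It is not code from the reference or from FortiOS. parse_subnet accepts the address forms the reference shows (address with dotted mask, address with prefix length, IPv6 prefix); trusted_last_hop walks an iptrust list honouring status; admin_access_allowed applies trusthost1..10 and ip6-trusthost1..10 and exempts the console connector. Entries left at their defaults (0.0.0.0 0.0.0.0 and ::/0) are represented by leaving them out of the list, so an empty list means any address, which is the out-of-the-box state; that representation, the list entries and the ITAdmin account are constructed for illustration.

```python
import ipaddress


def parse_subnet(text):
    """Parse the address forms used by ip4-subnet, ip6-subnet, trusthostN and
    ip6-trusthostN: '192.168.10.23 255.255.255.0', '192.168.10.23/24', '::/0'."""
    parts = text.split()
    if len(parts) == 2:                                    # address + dotted mask
        return ipaddress.ip_network((parts[0], parts[1]), strict=False)
    return ipaddress.ip_network(text, strict=False)


def trusted_last_hop(client_ip, iptrust_entries):
    """spamfilter iptrust: True when the connecting MTA's address is covered by
    an enabled entry, i.e. an internal relay whose IP need not be checked."""
    addr = ipaddress.ip_address(client_ip)
    for entry in iptrust_entries:
        if entry["status"] != "enable":
            continue
        key = "ip6-subnet" if entry["addr-type"] == "ipv6" else "ip4-subnet"
        net = parse_subnet(entry[key])
        if addr.version == net.version and addr in net:
            return True
    return False


def admin_access_allowed(source_ip, admin, via_console=False):
    """system admin trusthost1..10 / ip6-trusthost1..10: an administrative login
    over the web-based manager, Telnet or SSH is only answered from a listed
    host. Default entries (0.0.0.0 0.0.0.0, ::/0) are not listed, so an empty
    list means 'any address' (assumed representation). The console is exempt."""
    if via_console:
        return True
    addr = ipaddress.ip_address(source_ip)
    key = "ip6-trusthost" if addr.version == 6 else "trusthost"
    hosts = [parse_subnet(h) for h in admin.get(key, [])]
    if not hosts:
        return True
    return any(addr in net for net in hosts)


# Constructed data: a trust list with a disabled entry, and an admin whose IPv4
# trusted hosts are set but whose IPv6 trusted hosts are still at the default.
IPTRUST = [
    {"id": 1, "addr-type": "ipv4", "ip4-subnet": "192.168.10.23 255.255.255.0", "status": "enable"},
    {"id": 2, "addr-type": "ipv4", "ip4-subnet": "203.0.113.0/24", "status": "disable"},
    {"id": 3, "addr-type": "ipv6", "ip6-subnet": "2001:db8:1::/48", "status": "enable"},
]
IT_ADMIN = {"name": "ITAdmin",
            "trusthost": ["10.10.0.0 255.255.0.0", "192.0.2.7/32"],
            "ip6-trusthost": []}

if __name__ == "__main__":
    for ip in ["192.168.10.200", "203.0.113.5", "2001:db8:1::25"]:
        print("iptrust", ip, trusted_last_hop(ip, IPTRUST))
    for ip in ["10.10.5.5", "198.51.100.9", "2001:db8::1"]:
        print("admin", ip, admin_access_allowed(ip, IT_ADMIN))
```

The IPv6 case is the one to notice: ITAdmin's IPv4 trusted hosts are restricted, but because ip6-trusthost1..10 were left at ::/0 the account still answers from any IPv6 address. Restricting one address family alone leaves the other open, so both trusthostN and ip6-trusthostN need values on a dual-stack management interface.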
Syntax
config system admin
edit <name_str>
set accprofile <profile-name>
set accprofile-override {disable | enable}
set allow-remove-admin-session {enable | disable}
set comments <comments_string>
set force-password-change {enable | disable}
set gui-detail-panel-location {bottom | hide | side}
set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>
set password <admin_password>
set password-expire <date> <time>
set peer-auth {disable | enable}
set peer-group <peer-grp>
set radius-vdom-override {disable | enable}
set remote-auth {enable | disable}
set remote-group <name>
set schedule <schedule-name>
set sms-phone <cell_phone_number>
set sms-provider <string>
set ssh-public-key1 "<key-type> <key-value>"
set ssh-public-key2 "<key-type> <key-value>"
set ssh-public-key3 "<key-type> <key-value>"
set {trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
set two-factor {enable | disable}
set vdom <vdom_name>
set wildcard {enable | disable}
config dashboard
edit <id>
set widget-type <module_name>
set column <column_number>
set status {close | open}
set <custom_options>
end
end
end
Variable / Description / Default
accprofile <profile-name>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiGate features.
    Default: No default.
accprofile-override {disable | enable}
    Enable authentication server override of the administrator access profile.
    Default: disable
allow-remove-admin-session {enable | disable}
    Disable to prevent other administrators from closing the session. This field is available for accounts with the super_admin profile.
    Default: enable
comments <comments_string>
    Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)
    Default: null
force-password-change {enable | disable}
    Enable to require this administrator to change password at next login. Disabling this option does not prevent required password change due to password policy violation or expiry.
    This is available only if password policy is enabled. See “system password-policy” on page 495.
    Default: disable
gui-detail-panel-location {bottom | hide | side}
    Choose the position of the log detail window.
    Default: bottom
{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>
    Any IPv6 address and netmask from which the administrator can connect to the FortiGate unit.
    If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to ::/0.
    Default: ::/0
password <admin_password>
    Enter the password for this administrator. It can be up to 256 characters in length.
    Default: null
password-expire <date> <time>
    Enter the date and time that this administrator’s password expires. Enter zero values for no expiry.
    Date format is YYYY-MM-DD. Time format is HH:MM:SS.
    Default: 0000-00-00 00:00:00
peer-auth {disable | enable}
    Set to enable peer certificate authentication (for HTTPS admin access).
    Default: disable
peer-group <peer-grp>
    Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).
    Default: null
radius-vdom-override {disable | enable}
    Enable RADIUS authentication override for the (wildcard only) administrator.
    Default: disable
remote-auth {enable | disable}
    Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.
    Default: disable
remote-group <name>
    Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.
    This is only available when remote-auth is enabled.
    Default: No default.
schedule <schedule-name>
    Restrict times that an administrator can log in. Defined in config firewall schedule. Null indicates that the administrator can log in at any time.
    Default: null
sms-phone <cell_phone_number>
    Enter the telephone number of the cellular phone where the SMS text message will be sent containing the token code for two-factor authentication.
    Typically the format does not include the country code, but does include the other digits of the cell phone number. Verify the correct format with the cell phone provider.
    Default: null
sms-provider <string>
    Select an SMS provider from the list of configured entries. This is the cell phone service provider, and the list of providers is configured with the command “user sms-provider” on page 596.
    Default: No default.
ssh-public-key1 "<key-type> <key-value>"
    You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
    <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.
    <key-value> is the public key string of the SSH client.
    Default: No default.
ssh-public-key2 "<key-type> <key-value>"
    Default: No default.
ssh-public-key3 "<key-type> <key-value>"
    Default: No default.
{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
    Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit.
    If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0 0.0.0.0
two-factor {enable | disable}
    Enable to use two-factor authentication with this admin account.
    When enabled one of FortiToken, email, or SMS text message to a cellular phone is used as the second factor.
    Default: disable
vdom <vdom_name>
    Enter the name of the VDOM this account belongs to. (Optional)
    Default: No default.
wildcard {enable | disable}
    Enable wildcard to allow all accounts on the RADIUS server to log on to the FortiGate unit as administrator. Disable wildcard if you want to allow only the specified administrator to log on.
    This is available when remote-auth is enabled.
    Default: disable
dashboard
    Customize the system dashboard and usage widgets for this administrator.
<module_id>
    Enter the number of this widget. Use 0 to create a new widget instance.
widget-type <module_name>
    Name of the system dashboard or usage widget to configure. For a list of the available widget types, enter: set widget-type ?
    Default: No default.
column <column_number>
    Column in which the dashboard module appears. Values 1 or 2. Available for all dashboard modules.
    Default: 0
status {close | open}
    Set whether the widget is open or closed on the dashboard.
    Default: Depends on widget
<custom_options>
    The custom options for the usage and dashboard widgets are listed below.
Dashboard and usage widget variables
Variable / Description / Default
alert
    Configure the information displayed on the alert message console by enabling or disabling the following options:
    show-admin-auth — admin authentication failures (default: enable)
    show-amc-bypass — AMC interface bypasses (default: enable)
    show-conserve-mode — conserve mode alerts (default: enable)
    show-device-update — device updates (default: enable)
    show-disk-failure — disk failure alerts (default: enable)
    show-fds-quota — FortiGuard alerts (default: disable)
    show-fds-update — FortiGuard updates (default: enable)
    show-firmware-change — firmware images (default: enable)
    show-power-supply — power supply alerts (default: enable)
    show-system-restart — system restart alerts (default: enable)
app-usage
    Configure the operation of the top application usage widget:
    display-format {chart | table} — display data in a chart or a table. (default: chart)
    refresh-interval <interval_int> — set the time interval for updating the widget display in the range 10 to 240 seconds or 0 to disable. (default: 0)
    report-by {destination | source} — display application usage according to the source address or destination address of the sessions. (default: source)
    resolve-host {disable | enable} — display host names (instead of IP addresses). (default: disable)
    show-auth-use {disable | enable} — include the user name of authenticated users. (default: disable)
    sort-by {bytes | msg-counts} — sort information by data (bytes) or number of sessions (msg-counts). (default: bytes)
    top-n <results_int> — set the number of results to display. The default value displays the top 10 results. (default: 10)
    vdom <vdom_str> — display results for a specific VDOM. (default: No default.)
jsconsole
    Set the dashboard column and open and closed status of the CLI console widget.
licinfo
    Set the dashboard column and open and closed status of the License information widget.
protocol-usage
    For the top protocol usage widget set the column and open and closed status and set the following options:
    display-format {chart | line} — display data as a bytes-per-protocol bar chart or a color-coded bytes-over-time line graph. (default: chart)
    protocols <integer> — select the protocols to display by entering the sum of the desired protocol values: (default: 0)
    • 1 Browsing
    • 2 DNS
    • 4 Email
    • 8 FTP
    • 16 Gaming
    • 32 Instant Messaging
    • 64 Newsgroups
    • 128 P2P
    • 256 Streaming
    • 512 TFTP
    • 1024 VoIP
    • 2048 Generic TCP
    • 4096 Generic UDP
    • 8192 Generic ICMP
    • 16384 Generic IP
    time-period — the time period in minutes that the display covers. The default is 1440 (24 hours). (Default column: 1)
sessions
    For the top session dashboard widget set the dashboard column and open and closed status and set the following options:
    display-format {chart | table} — display data in a chart or a table. (default: chart)
    ip-version — set Internet Protocol version of sessions to display: IPv4, IPv6, or ipboth. (default: ipboth)
    refresh-interval <interval_int> — set the time interval for updating the widget display in the range 10 to 240 seconds or 0 to disable. (default: 0)
    sort-by {bytes | msg-counts} — sort information by the amount of data (bytes) or the number of sessions (msg-counts). (default: bytes)
    top-n <results_int> — set the number of results to display. The default value displays the top 10 results. (default: 10)
    vdom <vdom_str> — display results for a specific VDOM. (default: No default.)
sessions-history
    Set the dashboard column, chart color, and view-type.
statistics
    Set the dashboard column and open and closed status of the log and archive statistics dashboard widget.
storage
    Set the dashboard column and open and closed status of the log and archive storage dashboard widget.
sysinfo
    Set the dashboard column and open and closed status of the system information dashboard widget.
sysop
    Set the dashboard column and open and closed status of the unit operation dashboard widget.
sysres
For the system resources dashboard widget set the
dashboard column and open and closed status and set
the following options:
chart-color <color_int> — select the chart color for the
historical display. Default is 1.
cpu-display-type {average | each} — select display of
each core or average of all cores on multicore processor
models.
view-type {historical | real-time} — select historical
graph or current value dial display.
time-period <minutes_int> — set time period in minutes
for historical display
tr-history
408
For the traffic history dashboard widget set the dashboard
column and open and closed status and set the following
options:
refresh {disable | enable} — enable automatically
refreshing the display
interface <interface_name> — name of interface
monitored for traffic history data.
tr-history-period1, tr-history-period2,
tr-history-period3 — time period (seconds) for each of
the three history graphs. To disable a graph, set its period
to 0.
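The protocols value of the protocol-usage widget above is a bitmask: each listed protocol is a distinct power of two, so the sum selects a set of protocols and a configured total can be decoded back into names. The following Python is an added example, not code from the FortiOS CLI Reference or from Fortinet; it encodes protocol names into the integer to enter and decodes a configured value, rejecting names and totals that the reference's list cannot produce.

```python
"""Encode and decode the protocols bitmask of the protocol-usage widget.

Added example, not part of the FortiOS CLI Reference. Each protocol value
listed for `protocols <integer>` is a power of two, so the integer to enter
is a bitmask; working with names avoids entering a total that selects the
wrong protocols.
"""

# Protocol values exactly as listed in the reference for `protocols <integer>`.
PROTOCOL_VALUES = {
    "Browsing": 1,
    "DNS": 2,
    "Email": 4,
    "FTP": 8,
    "Gaming": 16,
    "Instant Messaging": 32,
    "Newsgroups": 64,
    "P2P": 128,
    "Streaming": 256,
    "TFTP": 512,
    "VoIP": 1024,
    "Generic TCP": 2048,
    "Generic UDP": 4096,
    "Generic ICMP": 8192,
    "Generic IP": 16384,
}
ALL_PROTOCOLS = sum(PROTOCOL_VALUES.values())   # 32767, every protocol selected


def encode_protocols(names):
    """Return the `protocols` integer selecting the named protocols.

    Each protocol is one bit, so a name given twice is counted once
    (summing its value twice would select a different protocol instead).
    Raises ValueError for a name the reference does not list.
    """
    value = 0
    for name in names:
        if name not in PROTOCOL_VALUES:
            raise ValueError(f"unknown protocol name: {name!r}")
        value |= PROTOCOL_VALUES[name]
    return value


def is_valid_protocols_value(value):
    """True if `value` can be formed by summing listed protocol values."""
    return isinstance(value, int) and 0 <= value <= ALL_PROTOCOLS


def decode_protocols(value):
    """Return the protocol names selected by `value`, in ascending bit order.

    Raises ValueError if the integer has bits outside the documented range.
    """
    if not is_valid_protocols_value(value):
        raise ValueError(f"{value!r} is not a sum of listed protocol values")
    return [name for name, bit in PROTOCOL_VALUES.items() if value & bit]
```

For instance, encode_protocols(["DNS", "FTP", "VoIP"]) gives 1034, the value to enter with set protocols, and decode_protocols(1034) returns the same three names; a value above 32767 is rejected because no combination of the listed protocols sums to it.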
alertemail
Use this command to configure the FortiGate unit to access an SMTP server to send alert emails. This command is global in scope.
To configure alertemail settings you must first configure the server and enable authenticate. Then you will be able to see all the fields.
You must configure the server setting under config system alertemail before the commands under config alertemail become accessible. If vdoms are enabled, config system alertemail is a global command, and config alertemail is per vdom. For more information on config alertemail, see “alertemail” on page 41.
Syntax
config system alertemail
    set authenticate {disable | enable}
    set password <password_str>
    set port <port_integer>
    set server {<name-str> | <address_ipv4>}
    set source-ip <address_ipv4>
    set username <username_str>
end
authenticate {disable | enable}
    Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP server.
    This variable is accessible only if server is defined.
    Default: disable
password <password_str>
    Enter the password that the FortiGate unit needs to access the SMTP server.
    This variable is accessible only if authenticate is enabled and server is defined.
    No default.
port <port_integer>
    Change the TCP port number that the FortiGate unit uses to connect to the SMTP server. The standard SMTP port is 25. You can change the port number if the SMTP server has been configured to use a different port.
    Default: 25
server {<name-str> | <address_ipv4>}
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should send email. Alternately, the IP address of the SMTP server can be entered. The SMTP server can be located on any network connected to the FortiGate unit.
    No default.
source-ip <address_ipv4>
    Enter the SMTP server source IP address.
    No default.
username <username_str>
    Enter the user name for the SMTP server that the FortiGate unit uses to send alert emails.
    This variable is accessible only if authenticate is enabled and server is defined.
    No default.
amc
Use this command to configure AMC ports on your FortiGate unit.
Syntax
config system amc
    set {dw1 | dw2} {adm-fb8 | adm-fe8 | adm-xb2 | adm-xd4 | adm-xe2 | auto | none}
    set {sw1 | sw2} {asm-ce4 | asm-cx4 | asm-disk | asm-fb4 | asm-et4 | asm-fx2 | auto | none}
end
{dw1 | dw2} {adm-fb8 | adm-fe8 | adm-xb2 | adm-xd4 | adm-xe2 | auto | none}
    Configure this double width AMC slot for the following type of module.
    adm-fb8 — AMC double width 8G NP2 accelerated network interface module
    adm-fe8 — AMC double width 8G FE8 accelerated network interface module
    adm-xb2 — AMC double width 2XG NP2 accelerated network interface module
    adm-xd4 — AMC double width 4XG XD4 accelerated network interface module
    adm-xe2 — AMC double width 2XG XE2 accelerated network interface module
    auto — support any card that is inserted
    none — not configured, disable slot
    Default: auto
{sw1 | sw2} {asm-ce4 | asm-cx4 | asm-disk | asm-fb4 | asm-et4 | asm-fx2 | auto | none}
    Configure this single width AMC port for the following type of card.
    asm-ce4 — AMC single width, 4G CE4 accelerated network interface module
    asm-cx4 — AMC single width, 4G bypass
    asm-disk — AMC single width SCSI hard disk card, such as ASM-S08
    asm-fb4 — AMC single width 4G NP2 accelerated network interface module
    asm-et4 — AMC single width T1/E1 network interface module
    asm-fx2 — AMC single width, 2G bypass
    auto — support any single width card
    none — not configured, disable slot
    Default: auto
arp-table
Use this command to manually add ARP table entries to the FortiGate unit. ARP table entries consist of an interface name, an IP address, and a MAC address.
Limits for the number of ARP table entries are software limits set by the FortiGate configuration as documented in the FortiGate Maximum Values Matrix document.
This command is available per VDOM.
Syntax
config system arp-table
    edit <table_value>
        set interface <port>
        set ip <address_ipv4>
        set mac <mac_address>
end
interface <port>
    Enter the interface this ARP entry is associated with.
    No default.
ip <address_ipv4>
    Enter the IP address of the ARP entry.
    No default.
mac <mac_address>
    Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx.
    No default.
auto-install
Use this command to configure automatic installation of firmware and system configuration from a USB disk when the FortiGate unit restarts. This command is available only on units that have a USB disk connection.
If you set both configuration and firmware image update, both occur on the same reboot. The FortiGate unit will not reload a firmware or configuration file that is already loaded.
Third-party USB disks are supported; however, the USB disk must be formatted as a FAT16 drive. No other partition type is supported.
To format your USB disk when it is connected to your FortiGate unit, at the CLI prompt type “exe usb-disk format”.
To format your USB disk when it is connected to a Windows system, at the command prompt type “format <drive_letter>: /FS:FAT /V:<drive_label>” where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB disk volume for identification.
This command is available only when a USB key is installed on the FortiGate unit. Formatting your USB disk will delete all information on your USB disk.
Syntax
config system auto-install
    set auto-install-config {disable | enable}
    set auto-install-image {disable | enable}
    set default-config-file
    set default-image-file
end
auto-install-config {disable | enable}
    Enable or disable automatic loading of the system configuration from a USB disk on the next reboot.
    Default: disable
auto-install-image {disable | enable}
    Enable or disable automatic installation of firmware from a USB disk on the next reboot.
    Default: disable
default-config-file
    Enter the name of the configuration file on the USB disk.
    Default: fgt_system.conf
default-image-file
    Enter the name of the image file on the USB disk.
    Default: image.out
autoupdate clientoverride
Use this command to receive updates on a different interface than the interface connected to the FortiGuard Distribution Network (FDN). This command changes the source IP address of update requests to the FortiGuard server, causing it to send the update to the modified source address.
This is useful if your company uses an internal updates server instead of FDN.
Syntax
config system autoupdate clientoverride
    set status {enable | disable}
    set address <address_ipv4>
end
status {enable | disable}
    Enable or disable the ability to override the FDN interface address.
    Default: disable
address <address_ipv4>
    Enter the IP address or fully qualified domain name to receive updates from.
    No default.
autoupdate override
Use this command to specify an override FDS server (usually a FortiManager unit).
If you cannot connect to the FortiGuard Distribution Network (FDN) or if your organization provides updates using their own FortiGuard server, you can specify an override FDS server so that the FortiGate unit connects to this server instead of the FDN.
If you are unable to connect to the FDS server, even after specifying an override server, it is possible your ISP is blocking the lower TCP and UDP ports for security reasons. Contact your ISP to make sure they unblock TCP and UDP ports 1025 to 1035 to enable FDS server traffic. Another option is to use config global set ip-src-port-range to move the ports used to a higher range and avoid any possible problems. For more information, see “global” on page 444.
Syntax
config system autoupdate override
    set status {enable | disable}
    set address <IP_addr:port>
    set failover {enable | disable}
end
status {enable | disable}
    Enable or disable overriding the default FDS server.
    Default: disable
address <IP_addr:port>
    Enter the fully qualified domain name or IP address and port of the override FDS server. For a FortiManager unit, the port should be 8890.
    No default.
failover {enable | disable}
    Enable or disable FDS server failover. With failover enabled, if the FortiGate unit cannot reach the override FDS server it fails over to the public FDS servers.
    If you are on a closed network (no Internet access), disable failover.
    Default: enable
autoupdate push-update
Use this command to configure push updates. The FortiGuard Distribution Network (FDN) can push updates to FortiGate units to provide the fastest possible response to critical situations such as software exploits or viruses. You must register the FortiGate unit before it can receive push updates.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.
By using this command, you can enable or disable push updates. You can also configure push IP address and port overrides. If the FDN must connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.
You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
Syntax
config system autoupdate push-update
    set status {enable | disable}
    set override {enable | disable}
    set address <push_ipv4>
    set port <FDN_port>
end
status {enable | disable}
    Enable or disable FDN push updates.
    Default: disable
override {enable | disable}
    Enable an override of push updates. Select enable if the FortiGate unit connects to the FDN through a NAT device.
    Default: disable
address <push_ipv4>
    Enter the external IP address that the FDN connects to if you want to enable push override. This is the address of the external interface of your NAT device.
    Default: 0.0.0.0
port <FDN_port>
    Enter the port that the FDN connects to. This can be port 9443 by default or a different port that you assign.
    Default: 9443
autoupdate schedule
Use this command to enable or disable scheduled FDN updates at regular intervals throughout the day, once a day, or once a week.
To have your FortiGate unit update at a random time during a particular hour, select a time that includes 60 minutes, as this will choose a random time during that hour for the scheduled update.
Syntax
config system autoupdate schedule
    set status {enable | disable}
    set frequency {every | daily | weekly}
    set time <hh:mm>
    set day <day_of_week>
end
status {enable | disable}
    Enable or disable scheduled updates.
    Default: disable
frequency {every | daily | weekly}
    Schedule the FortiGate unit to check for updates every hour, once a day, or once a week. Set interval to one of the following:
    every — Check for updates periodically. Set time to the time interval to wait between updates.
    daily — Check for updates once a day. Set time to the time of day to check for updates.
    weekly — Check for updates once a week. Set day to the day of the week to check for updates. Set time to the time of day to check for updates.
    Default: every
time <hh:mm>
    Enter the time at which to check for updates.
    hh — 00 to 23
    mm — 00-59, or 60 for random minute
    Default: 00:00
day <day_of_week>
    Enter the day of the week on which to check for updates. Enter one of: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday.
    This option is available only when frequency is set to weekly.
    Default: Monday
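As an added example (not from the reference or from Fortinet), the following Python models the schedule semantics documented above: with frequency every the hh:mm value is the interval between checks, with daily it is a time of day, with weekly it is combined with day, and mm of 60 selects a random minute within the hour. The pick_minute parameter and SAMPLE_NOW are the example's own constructions so the result is reproducible; FortiOS chooses its own random minute, and applying the random minute to the every interval as well is an assumption the reference does not spell out.

```python
"""Compute the next FDN update check from `config system autoupdate schedule`.

Added example, not part of the FortiOS CLI Reference. It models the documented
semantics: frequency every (hh:mm is the interval between checks), daily
(hh:mm is a time of day), weekly (day plus time of day), and minute 60
meaning a random minute within the hour. The minute chooser is injectable so
that results are deterministic; FortiOS picks its own random minute, this code
only imitates the documented behaviour. Applying the random minute to the
`every` interval is an assumption; the reference does not say how 60 is
treated there.
"""
import datetime as dt
import random

# Day names accepted by `set day`, ordered so the index matches date.weekday().
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# Constructed reference point for the usage below: Monday 2013-02-25, 10:00.
SAMPLE_NOW = dt.datetime(2013, 2, 25, 10, 0)


def parse_time(hhmm):
    """Parse `time <hh:mm>`: hh is 00-23, mm is 00-59 or 60 for a random minute."""
    hours, minutes = hhmm.split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 60):
        raise ValueError(f"invalid schedule time {hhmm!r}")
    return hours, minutes


def next_update(now, frequency="every", time="00:00", day="Monday", pick_minute=None):
    """Return the datetime of the next scheduled update check after `now`.

    `pick_minute` is called only when mm is 60 and must return 0..59.
    """
    if pick_minute is None:
        pick_minute = lambda: random.randint(0, 59)
    hours, minutes = parse_time(time)
    if minutes == 60:
        minutes = pick_minute()

    if frequency == "every":
        # hh:mm is the interval to wait between checks.
        interval = dt.timedelta(hours=hours, minutes=minutes)
        if interval <= dt.timedelta(0):
            raise ValueError("every: interval must be greater than zero")
        return now + interval

    # daily and weekly: hh:mm is a time of day.
    candidate = now.replace(hour=hours, minute=minutes, second=0, microsecond=0)
    if frequency == "daily":
        if candidate <= now:
            candidate += dt.timedelta(days=1)
        return candidate

    if frequency == "weekly":
        if day not in DAYS:
            raise ValueError(f"invalid day {day!r}")
        candidate += dt.timedelta(days=(DAYS.index(day) - now.weekday()) % 7)
        if candidate <= now:
            candidate += dt.timedelta(days=7)
        return candidate

    raise ValueError(f"unknown frequency {frequency!r}")
```

With SAMPLE_NOW as the current time, a daily check at 09:30 has already passed for the day and is scheduled for the following morning, while a weekly Monday check at 12:00 still falls on the same day.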
autoupdate tunneling
Use this command to configure the FortiGate unit to use a proxy server to connect to the FortiGuard Distribution Network (FDN). You must enable tunneling so that you can use the proxy server, and also add the IP address and port required to connect to the proxy server. If the proxy server requires authentication, add the user name and password required to connect to the proxy server.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT to connect to any port; proxy servers restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, so your proxy server may need to be configured to allow connections on this port.
Syntax
config system autoupdate tunneling
    set address <proxy_address>
    set password <password>
    set port <proxy_port>
    set status {enable | disable}
    set username <name>
end
address <proxy_address>
    The IP address or fully qualified domain name of the proxy server.
    No default.
password <password>
    The password to connect to the proxy server if one is required.
    No default.
port <proxy_port>
    The port required to connect to the proxy server.
    Default: 0
status {enable | disable}
    Enable or disable tunneling.
    Default: disable
username <name>
    The user name used to connect to the proxy server.
    No default.
aux
Use this command to configure the AUX port. You can use a modem connected to the AUX port to remotely connect to a console session on the FortiGate unit.
The main difference between the standard console port and the AUX port is that the standard console port is for local serial console connections only. An AUX port cannot accept a modem connection to establish a remote console connection. The AUX console port allows you to establish a local connection, but it has some limitations the standard console port does not have.
• The AUX port will not display the booting messages that the standard console connection displays.
• The AUX port will send out modem initializing strings (AT strings) that will appear on an AUX console session at the start.
Syntax
config system aux
    set baudrate <baudrate>
end
<baudrate> is the speed of the connection. It can be set to one of the following: 9600, 19200, 38400, 57600, or 115200. The default is 9600.
Ensure devices on both ends of the connection are set to the same baudrate.
bug-report
Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.
Syntax
config system bug-report
    set auth {no | yes}
    set mailto <email_address>
    set password <password>
    set server <servername>
    set username <name>
    set username-smtp <account_name>
end
auth {no | yes}
    Enter yes if the SMTP server requires authentication or no if it does not.
    Default: no
mailto <email_address>
    The email address for bug reports. The default is bug_report@fortinetvirussubmit.com.
    Default: see description.
password <password>
    If the SMTP server requires authentication, enter the password required.
    No default.
server <servername>
    The SMTP server to use for sending bug report email. The default server is fortinetvirussubmit.com.
    Default: see description.
username <name>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: see description.
username-smtp <account_name>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: see description.
bypass
Use this command to configure bypass operation on FortiGate models 600C and 1000C. This is available in transparent mode only.
Syntax
config system bypass
    set bypass-timeout {2 | 4 | 6 | 8 | 10 | 12 | 14}
    set bypass-watchdog {enable | disable}
    set poweroff-bypass {enable | disable}
end
bypass-timeout {2 | 4 | 6 | 8 | 10 | 12 | 14}
    Set the time in seconds to wait before entering bypass mode after the system becomes unresponsive.
    Default: 10
bypass-watchdog {enable | disable}
    Enable or disable monitoring for bypass condition.
    Default: disable
poweroff-bypass {enable | disable}
    Enable bypass function.
    Default: disable
To enable power off bypass, you must enable both bypass-watchdog and poweroff-bypass.
central-management
Use this command to configure a central management server for this FortiGate unit. Central management uses a remote server to backup, restore configuration, and monitor the FortiGate unit. The remote server can be either a FortiManager or a FortiGuard server.
This command replaces the config system fortimanager command from earlier versions.
Syntax
config system central-management
    set mode {normal | backup}
    set type { fortiguard | fortimanager }
    set schedule-config-restore {enable | disable}
    set schedule-script-restore {enable | disable}
    set allow-monitor {enable | disable}
    set allow-push-configuration {enable | disable}
    set allow-pushd-firmware {enable | disable}
    set allow-remote-firmware-upgrade {enable | disable}
    set enc-algorithm {default | high | low}
    set fmg <fmg_ipv4>
    set fmg-source-ip <address_ipv4>
    set use-elbc-vdom {disable | enable}
    set vdom <name_string>
end
mode {normal | backup}
    Select the mode:
    normal — normal central management mode
    backup — backup central management mode
    Default: normal
type { fortiguard | fortimanager }
    Select the type of management server as one of fortiguard or fortimanager. You can enable remote management from a FortiManager unit or the FortiGuard Analysis and Management Service.
    Default: fortimanager
schedule-config-restore {enable | disable}
    Select to enable scheduling the restoration of your FortiGate unit’s configuration.
    Default: disable
schedule-script-restore {enable | disable}
    Select to enable the restoration of your FortiGate unit’s configuration through scripts.
    Default: disable
allow-monitor {enable | disable}
    Select to allow the remote service to monitor your FortiGate unit.
    Default: disable
allow-push-configuration {enable | disable}
    Select to enable firmware image push updates for your FortiGate unit.
    Default: disable
allow-pushd-firmware {enable | disable}
    Select to enable push firmware.
    Default: disable
allow-remote-firmware-upgrade {enable | disable}
    Select to allow the remote service to upgrade your FortiGate unit with a new firmware image.
    Default: disable
enc-algorithm {default | high | low}
    Set encryption strength for communications between the FortiGate unit and FortiManager or FortiAnalyzer.
    high — 128-bit and larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA
    low — 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5
    default — high strength algorithms and these medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, RC4-MD
    Default: default
fmg <fmg_ipv4>
    Enter the IP address or FQDN of the remote FortiManager server.
    Default: null
fmg-source-ip <address_ipv4>
    Enter the source IP address to use when connecting to FortiManager.
    Default: null
use-elbc-vdom {disable | enable}
    When enabled, FortiManager manages FortiGate through config sync vdom interface.
    Default: disable
vdom <name_string>
    Enter the name of the vdom to use when communicating with the FortiManager unit.
    This field is optional.
    Default: root
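The blocks in this chapter (alertemail, autoupdate override, push-update and tunneling, bug-report and central-management) share the config / set / end syntax, so a backed-up configuration can be parsed and checked against the constraints the reference states. The following Python is an added example, not Fortinet code: parse_config reads that syntax (including edit entries and nested config blocks, closed with next or end as in the reference's listings), and audit reports conditions the preceding sections call out, such as enc-algorithm weaker than high, push-update override left at the 0.0.0.0 address, tunneling enabled with the proxy port still 0, and failover to the public FDS servers while an override server is in use. SAMPLE_CONFIG is constructed input using documentation addresses (192.0.2.x).

```python
"""Parse FortiOS-style `config ... set ... end` blocks and audit the settings
documented in this chapter.

Added example, not Fortinet code. The parser follows the syntax shown in the
reference: `config <path>` opens a block, `edit <id>` opens an entry (closed
by `next`, or implicitly by the block's `end`), `set <name> <values...>`
assigns, `unset` clears, and `end` closes the innermost config block.
SAMPLE_CONFIG is constructed for the example.
"""
import shlex

SAMPLE_CONFIG = """\
config system central-management
    set mode normal
    set type fortimanager
    set enc-algorithm default
    set allow-remote-firmware-upgrade enable
    set fmg 192.0.2.10
end
config system autoupdate push-update
    set status enable
    set override enable
    set address 0.0.0.0
    set port 9443
end
config system autoupdate tunneling
    set status enable
    set address proxy.example.net
    set username fgt-update
end
config system autoupdate override
    set status enable
    set address 192.0.2.20:8890
    set failover enable
end
"""


def parse_config(text):
    """Return {scope_path: {setting: [values]}} for the blocks in `text`.

    Scope paths join `config` arguments and `edit` ids with "/", so a DHCP
    server entry is keyed "system dhcp server/1" and one of its ip-range
    entries "system dhcp server/1/ip-range/1".
    """
    scopes = {}
    stack = []   # (kind, name) pairs for open config blocks and edit entries
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(("config", " ".join(args)))
        elif keyword == "edit":
            stack.append(("edit", args[0]))
        elif keyword == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif keyword == "end":
            # Close the innermost config block, including an entry that was
            # not closed with `next` (the reference's listings omit it).
            while stack and stack.pop()[0] != "config":
                pass
        elif keyword in ("set", "unset"):
            path = "/".join(name for _, name in stack)
            settings = scopes.setdefault(path, {})
            if keyword == "set":
                settings[args[0]] = args[1:]
            else:
                settings.pop(args[0], None)
    if stack:
        raise ValueError(f"unterminated block: {stack[-1][1]!r}")
    return scopes


def audit(scopes):
    """Return findings for the conditions the reference documents.

    Defaults assumed where a setting is absent are the documented defaults
    (enc-algorithm default, push-update address 0.0.0.0, tunneling port 0,
    override failover enable).
    """
    findings = []
    cm = scopes.get("system central-management", {})
    if cm.get("enc-algorithm", ["default"]) != ["high"]:
        findings.append("central-management: enc-algorithm is not high "
                        "(default adds RC4 suites, low allows 56/64-bit DES)")
    for option in ("allow-push-configuration", "allow-pushd-firmware",
                   "allow-remote-firmware-upgrade"):
        if cm.get(option) == ["enable"]:
            manager = cm.get("fmg", ["<unset>"])[0]
            findings.append(f"central-management: {option} enabled for manager "
                            f"{manager}; confirm this is intended")
    push = scopes.get("system autoupdate push-update", {})
    if push.get("override") == ["enable"] and push.get("address", ["0.0.0.0"]) == ["0.0.0.0"]:
        findings.append("push-update: override enabled but address is 0.0.0.0; "
                        "set the NAT device's external address")
    tunnel = scopes.get("system autoupdate tunneling", {})
    if tunnel.get("status") == ["enable"] and tunnel.get("port", ["0"]) == ["0"]:
        findings.append("autoupdate tunneling: enabled but the proxy port is 0")
    override = scopes.get("system autoupdate override", {})
    if override.get("status") == ["enable"] and override.get("failover", ["enable"]) == ["enable"]:
        findings.append("autoupdate override: failover to the public FDS servers is "
                        "enabled; disable it on a closed network")
    return findings
```

Running audit(parse_config(SAMPLE_CONFIG)) yields five findings for the constructed configuration; a real backup is read with the same call, since the parser keys every block by its config path.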
console
Use this command to set the console command mode, the number of lines displayed by the console, and the baud rate.
If this FortiGate unit is connected to a FortiManager unit running scripts, output must be set to standard for scripts to execute properly.
Syntax
config system console
    set baudrate <speed>
    set mode {batch | line}
    set output {standard | more}
end
baudrate <speed>
    Set the console port baudrate. Select one of 9600, 19200, 38400, 57600, or 115200.
    Default: 9600
mode {batch | line}
    Set the console mode to line or batch. Used for autotesting only.
    Default: line
output {standard | more}
    Set console output to standard (no pause) or more (pause after each screen is full, resume on keypress).
    This setting applies to show or get commands only.
    Default: more
ddns
Use this command to configure Dynamic Domain Name Service.
Syntax
config system ddns
    edit <index_int>
        set ddns-domain <ddns_domain_name>
        set ddns-password <ddns_password>
        set ddns-server <ddns_service>
        set ddns-username <ddns_username>
        set monitor-interface <interface>
end
<index_int>
    Enter the unique index number for this DDNS entry.
ddns-domain <ddns_domain_name>
    Enter the fully qualified domain name to use for the DDNS. This is the domain name you have registered with your DDNS.
    This variable is only available when ddns-server is not set to dnsart.com.
    No default.
ddns-password <ddns_password>
    Enter the password to use when connecting to the DDNS server.
    This is only available when ddns is enabled, but ddns-server is not set to dipdns.net.
    No default.
ddns-server <ddns_service>
    Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS server for these supported clients.
    dhs.org — supports members.dhs.org and dnsalias.com.
    dipdns.net — supports dipdnsserver.dipdns.com.
    dyndns.org — supports members.dyndns.org.
    dyns.net — supports www.dyns.net.
    genericDDNS — supports DDNS server (RFC 2136) defined in ddns-server-ip.
    now.net.cn — supports ip.todayisp.com.
    ods.org — supports ods.org.
    tzo.com — supports rh.tzo.com.
    vavic.com — supports ph001.oray.net.
    No default.
ddns-username <ddns_username>
    Enter the user name to use when connecting to the DDNS server.
    This is available when ddns-server is not set to dipdns.net.
    No default.
monitor-interface <interface>
    Select the network interface that uses DDNS service.
    No default.
dhcp reserved-address
Use this command to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client. You can define up to 200 reserved addresses.
This command is deprecated. Use the config reserved-address subcommand of the system dhcp server command instead.
For this configuration to take effect, you must configure at least one DHCP server using the config system dhcp server command, see “dhcp server” on page 426.
Syntax
config system dhcp reserved-address
    edit <id_int>
        set ip <address_ipv4>
        set mac <address_hex>
        set type {regular | ipsec}
end
ip <address_ipv4>
    Enter the IPv4 address.
    Default: 0.0.0.0
mac <address_hex>
    Enter the MAC address.
    Default: 00:00:00:00:00:00
type {regular | ipsec}
    Enter the type of the connection to be reserved:
    regular — Client connecting through regular Ethernet
    ipsec — Client connecting through IPSec VPN
    Default: regular
dhcp server
system
dhcp server
Use this command to add one or more DHCP servers for any FortiGate interface. As a DHCP server, the interface
dynamically assigns IP addresses to hosts on a network connected to the interface.
You can use the config system dhcp reserved command to reserve an address for a specific MAC address.
For more information see “system dhcp reserved-address” on page 425.
This command is available only in NAT/Route mode.
Syntax
config system dhcp server
edit <server_index_int>
set auto-configuration {enable | disable}
set conflicted-ip-timeout <timeout_int>
set default-gateway <address_ipv4>
set dns-service {default | specify}
set domain <domain_name_str>
set enable {enable | disable}
set interface <interface_name>
set lease-time <seconds>
set netmask <mask>
set option1 <option_code> [<option_hex>]
set option2 <option_code> [<option_hex>]
set option3 <option_code> [<option_hex>]
set server-type {ipsec | regular}
set start-ip <address_ipv4>
set wins-server1 <wins_ipv4>
set wins-server2 <wins_ipv4>
set wins-server3 <wins_ipv4>
set dns-server1 <address_ipv4>
set dns-server2 <address_ipv4>
set dns-server3 <address_ipv4>
set ip-mode {range | usrgrp}
set ipsec-lease-hold <release_seconds>
set vci-match {enable | disable}
set vci-string <string>
config exclude-range
edit <excl_range_int>
set end-ip <end_ipv4>
set start-ip <start_ipv4>
config ip-range
edit <ip_range_int>
set end-ip <end_ipv4>
set start-ip <start_ipv4>
config reserved-address
edit <id_int>
set ip <ipv4_addr>
set mac <mac_addr>
end
end
426
Variable
Description
Default
edit <server_index_int>
Enter an integer ID for the DHCP server. The sequence number
may influence routing priority in the FortiGate unit forwarding
table.
auto-configuration
{enable | disable}
Enable or disable automatic configuration.
enable
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
system
dhcp server
Variable
Description
Default
conflicted-ip-timeout
<timeout_int>
Enter the time in seconds to wait after a conflicted IP address is
removed from the DHCP range before it can be reused. Valid
range is from 60 to 8640000 seconds (1 minute to 100 days).
1800
default-gateway
<address_ipv4>
The IP address of the default gateway that the DHCP server
assigns to DHCP clients.
0.0.0.0
dns-service {default |
specify}
Select default to assign DHCP clients the DNS servers added specify
to the FortiGate unit using the config system dns command.
Select specify to specify the DNS servers that this DHCP
server assigns to DHCP clients. Use the dns-server# options
to add DNS servers to this DHCP server configuration.
domain <domain_name_str>
Domain name suffix for the IP addresses that the DHCP server
assigns to DHCP clients.
enable
{enable | disable}
Enable or disable this DHCP server.
interface
<interface_name>
The FortiGate unit interface that this DHCP server can assign IP
addresses from. Devices connected to this interface can get their
IP addresses from this DHCP server. You can only add one
DHCP server to an interface.
lease-time <seconds>
The interval in seconds after which a DHCP client must ask the
DHCP server for new settings. The lease duration must be
between 300 and 864,000 seconds (10 days).
Set lease-time to 0 for an unlimited lease time.
604800
(7 days)
netmask <mask>
The DHCP client netmask assigned by the DHCP server.
0.0.0.0
option1 <option_code>
[<option_hex>]
option2 <option_code>
[<option_hex>]
option3 <option_code>
[<option_hex>]
The first, second, and third custom DHCP options that can be
sent by the DHCP server. option_code is the DHCP option
code in the range 1 to 255. option_hex is an even number of
hexadecimal characters. For detailed information about DHCP
options, see RFC 2132, DHCP Options and BOOTP Vendor
Extensions.
0
server-type {ipsec |
regular}
Enter the type of client to serve:
regular client connects through regular Ethernet
ipsec client connects through IPsec VPN
regular
start-ip <address_ipv4>
The starting IP for the range of IP addresses that this DHCP
server assigns to DHCP clients. The IP range is defined by the
start-ip and the end-ip fields which should both be in the
same subnet.
0.0.0.0
wins-server1 <wins_ipv4>
The IP address of the first WINS server that the DHCP server
assigns to DHCP clients.
0.0.0.0
wins-server2 <wins_ipv4>
The IP address of the second WINS server that the DHCP server 0.0.0.0
assigns to DHCP clients.
wins-server3 <wins_ipv4>
The IP address of the third WINS server that the DHCP server
assigns to DHCP clients.
0.0.0.0
dns-server1
<address_ipv4>
The IP address of the first DNS server that the DHCP server
assigns to DHCP clients. Used if dns-service is set to
specify.
0.0.0.0
dns-server2
<address_ipv4>
The IP address of the second DNS server that the DHCP server
assigns to DHCP clients. Used if dns-service is set to
specify.
0.0.0.0
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
enable
427
dhcp server
428
system
Variable
Description
Default
dns-server3 <address_ipv4>
  The IP address of the third DNS server that the DHCP server assigns to DHCP clients. Used only if dns-service is set to specify.
  Default: 0.0.0.0

ip-mode {range | usrgrp}
  Configure whether an IPsec DHCP server assigns IP addresses from the IP address range added to the configuration (range) or according to the user group of the IPsec VPN user (usrgrp).
  Visible only when server-type is set to ipsec.
  Default: range

ipsec-lease-hold <release_seconds>
  Set the delay, in seconds, before DHCP-over-IPsec leases are released when the tunnel goes down. A value of 0 disables the forced expiry of DHCP-over-IPsec leases.
  Visible only when server-type is set to ipsec.
  Default: 60
config exclude-range
  Configure ranges of IP addresses to exclude from the addresses the DHCP server can hand out. You can add up to 16 exclusion ranges of IP addresses that the FortiGate DHCP server cannot assign to DHCP clients.

  edit <excl_range_int>
    Enter an integer ID for this exclusion range.

  start-ip <start_ipv4>
    The start IP address of the exclusion range. The start IP and end IP must be in the same subnet.
    Default: 0.0.0.0

  end-ip <end_ipv4>
    The end IP address of the exclusion range. The start IP and end IP must be in the same subnet.
    Default: 0.0.0.0

config ip-range
  Configure the ranges of IP addresses that this DHCP server can assign to DHCP clients. You can add up to 16 ranges.

  edit <ip_range_int>
    Enter an integer ID for this IP address range. The range is bounded by its start-ip and end-ip, which must be in the same subnet, as for exclude-range.
vci-match {enable | disable}
  Enable vendor class identifier (VCI) matching. When enabled, only DHCP requests carrying the matching VCI are served.
  Default: disable

vci-string <string>
  Enter the VCI string a request must carry before the server serves the device. The VCI is supplied by the client and is not authenticated, so it selects which devices are served but does not stop a client from sending whatever VCI it likes.
config reserved-address
  Configure one or more IP addresses that are reserved for particular MAC addresses. These addresses cannot be given out to other DHCP clients.

  edit <id_int>
    Enter an ID number for this IP address entry. There can be a maximum of 16 entries.

  ip <ipv4_addr>
    Enter the IP address to reserve. It will be bound to this entry's MAC address.
    Default: 0.0.0.0

  mac <mac_addr>
    Enter the MAC address that will be bound to this IP address. If this MAC address comes up in the DHCP list, it will be ignored.
    Default: 00:00:00:00:00:00
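Worked example (added here; not from the FortiOS documentation or Fortinet): the option1, option2 and option3 fields take the option code and a separate, even-length hex string, so the payload has to be hand-encoded. The Python helpers below build that hex for two common RFC 2132 option formats (an IPv4 address list such as option 42, and an ASCII string such as option 66) and enforce the constraints the reference states: three slots, code 1 to 255, and an even number of hex characters. The assumption that option_hex carries only the option's data bytes, not the code or length, follows from the code being given separately; the option codes are RFC 2132's, and the NTP and TFTP values are constructed sample data.

```python
"""Build the option_hex payloads for `set option1..3 <code> <hex>` in
`config system dhcp server`.

Added example; not FortiOS or Fortinet code. Encodings follow RFC 2132
(the RFC the reference cites). Assumption: option_hex carries only the
option's data bytes, since the code is given separately and the CLI
supplies the length. Sample values below are constructed.
"""
import ipaddress
import re

# RFC 2132 option codes used in the sample below.
OPT_NTP_SERVERS = 42   # list of IPv4 addresses, 4 bytes each
OPT_TFTP_SERVER = 66   # ASCII string (TFTP server name)

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def valid_option_hex(option_hex):
    """True if the string is what the reference requires: hex digits only,
    and an even number of them (whole bytes)."""
    return bool(_HEX_RE.match(option_hex)) and len(option_hex) % 2 == 0


def encode_ipv4_list(addrs):
    """RFC 2132 address-list option (e.g. 42 NTP, 3 router): addresses
    back to back, 4 bytes each, no length prefix."""
    if not addrs:
        raise ValueError("address list must not be empty")
    return "".join(ipaddress.IPv4Address(a).packed.hex() for a in addrs)


def encode_string(text):
    """RFC 2132 string option (e.g. 66 tftp-server-name, 15 domain-name):
    raw ASCII bytes, no NUL terminator."""
    data = text.encode("ascii")
    if not data:
        raise ValueError("string option must not be empty")
    return data.hex()


def dhcp_option_command(slot, code, option_hex):
    """Return the CLI line for one custom option after checking the
    constraints the reference states: slots 1-3, code 1-255, even-length hex."""
    if slot not in (1, 2, 3):
        raise ValueError("FortiOS 4.3 exposes option1, option2 and option3 only")
    if not 1 <= code <= 255:
        raise ValueError("option_code must be in the range 1 to 255")
    if not valid_option_hex(option_hex):
        raise ValueError("option_hex must be an even number of hex characters")
    return f"set option{slot} {code} {option_hex.lower()}"


def decode_ipv4_list(option_hex):
    """Inverse of encode_ipv4_list, for checking what a running config
    actually hands to clients."""
    raw = bytes.fromhex(option_hex)
    if len(raw) % 4:
        raise ValueError("IPv4 list payload must be a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    # Constructed sample: two NTP servers and a TFTP boot server.
    ntp_hex = encode_ipv4_list(["192.0.2.10", "192.0.2.11"])
    print(dhcp_option_command(1, OPT_NTP_SERVERS, ntp_hex))
    print(dhcp_option_command(2, OPT_TFTP_SERVER, encode_string("boot.example.com")))
    print(decode_ipv4_list(ntp_hex))
```

Paste the printed `set optionN ...` lines into the `config system dhcp server` entry. decode_ipv4_list is the more useful half in practice: pull option_hex out of a saved configuration and check that the servers a rogue-looking option points clients at are really yours.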
dhcp6 server
Use this command to add one or more IPv6 DHCP servers for any FortiGate interface. As a DHCP server, the
interface dynamically assigns IP addresses to hosts on a network connected to the interface.
This command is available in NAT/Route mode only.
Syntax
config system dhcp6 server
edit <server_index_int>
set dns-service {default | specify}
set dns-server1 <address_ipv6>
set dns-server2 <address_ipv6>
set dns-server3 <address_ipv6>
set domain <domain_name_str>
set enable {enable | disable}
set interface <interface_name>
set lease-time <seconds>
set option1 <option_code> [<option_hex>]
set option2 <option_code> [<option_hex>]
set option3 <option_code> [<option_hex>]
set subnet <mask>
config ip-range
edit <ip_range_int>
set start-ip <address_ipv6>
set end-ip <end_ipv6>
end
end
edit <server_index_int>
  Enter an integer ID for the DHCP server. The sequence number may influence routing priority in the FortiGate unit forwarding table.

dns-service {default | specify}
  Select default to assign DHCP clients the DNS servers added to the FortiGate unit using the config system dns command. Select specify to specify the DNS servers that this DHCP server assigns to DHCP clients; use the dns-server# options to add DNS servers to this DHCP server configuration.
  Default: specify

dns-server1 <address_ipv6>
  The IP address of the first DNS server that the DHCP server assigns to DHCP clients. Used only if dns-service is set to specify.
  Default: ::

dns-server2 <address_ipv6>
  The IP address of the second DNS server that the DHCP server assigns to DHCP clients. Used only if dns-service is set to specify.
  Default: ::

dns-server3 <address_ipv6>
  The IP address of the third DNS server that the DHCP server assigns to DHCP clients. Used only if dns-service is set to specify.
  Default: ::

domain <domain_name_str>
  Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients.
  Default: null

enable {enable | disable}
  Enable or disable this DHCP server.
  Default: enable

interface <interface_name>
  The FortiGate unit interface on which this DHCP server assigns IP addresses. Devices connected to this interface can get their IP addresses from this DHCP server. You can add only one DHCP server to an interface.
  Default: null
lease-time <seconds>
  The interval in seconds after which a DHCP client must ask the DHCP server for new settings. The lease duration must be between 300 and 864,000 seconds (10 days). Set lease-time to 0 for an unlimited lease time.
  Default: 604800 (7 days)

option1 <option_code> [<option_hex>]
option2 <option_code> [<option_hex>]
option3 <option_code> [<option_hex>]
  The first, second, and third custom DHCP options that can be sent by the DHCP server. option_code is the option code in the range 1 to 255. option_hex is an even number of hexadecimal characters. RFC 2132, DHCP Options and BOOTP Vendor Extensions, defines the DHCPv4 options; DHCPv6 option codes and payload formats are defined separately in RFC 3315, so encode the payload according to the DHCPv6 definition of the option you are sending.
  Default: 0

subnet <mask>
  The DHCP client netmask assigned by the DHCP server.
  Default: ::/0

config ip-range
  Configure the ranges of IPv6 addresses that this DHCP server can assign to DHCP clients. You can add up to 16 ranges.

  edit <ip_range_int>
    Enter an integer ID for this IP address range.

  start-ip <address_ipv6>
    The starting IP address of the range that this DHCP server assigns to DHCP clients. The range is defined by the start-ip and end-ip fields, which must both be in the same subnet.
    Default: ::

  end-ip <end_ipv6>
    The end IP address of the range that this DHCP server assigns to DHCP clients. The range is defined by the start-ip and end-ip fields, which must both be in the same subnet.
    Default: ::
dns
Use this command to set the DNS server addresses. Several FortiGate functions, including sending email alerts and
URL blocking, use DNS.
Syntax
config system dns
set cache-notfound-responses {enable | disable}
set dns-cache-limit <integer>
set dns-cache-ttl <int>
set domain <domain_name>
set ip6-primary <dns_ipv6>
set ip6-secondary <dns_ip6>
set primary <dns_ipv4>
set secondary <dns_ip4>
set source-ip <ipv4_addr>
end
cache-notfound-responses {enable | disable}
  Enable to cache negative (NOTFOUND) responses from the DNS server.
  Default: disable

dns-cache-limit <integer>
  Set the maximum number of entries in the DNS cache.
  Default: 5000

dns-cache-ttl <int>
  Enter the duration, in seconds, that the DNS cache retains information.
  Default: 1800

domain <domain_name>
  Set the local domain name (optional).
  Default: no default.

ip6-primary <dns_ipv6>
  Enter the primary IPv6 DNS server IP address.
  Default: ::

ip6-secondary <dns_ip6>
  Enter the secondary IPv6 DNS server IP address.
  Default: ::

primary <dns_ipv4>
  Enter the primary DNS server IP address.
  Default: 65.39.139.53

secondary <dns_ip4>
  Enter the secondary DNS server IP address.
  Default: 65.39.139.63

source-ip <ipv4_addr>
  Enter the source IP address the FortiGate unit uses for communications to the DNS servers.
  Default: 0.0.0.0
dns-database
Use this command to configure the FortiGate DNS database so that DNS lookups from an internal network are resolved by the FortiGate DNS database. To configure the DNS database you add zones. Each zone has its own domain name.
You then add entries to each zone. An entry is a host name and the IP address it resolves to. You can also specify whether the entry is an IPv4 address (A), an IPv6 address (AAAA), a name server (NS), a canonical name (CNAME), or a mail exchange (MX) name.
Syntax
config system dns-database
edit <zone-string>
set allow-transfer <ipv4_addr>
set authoritative {enable | disable}
set contact <email_string>
set domain <domain>
set forwarder <ipv4_addr>
set primary-name <name_string>
set source-ip <ipv4_addr>
set status {enable | disable}
set ttl <int>
set type {master | slave}
set view {public | shadow}
config dns-entry
edit <entry-id>
set canonical-name <canonical_name_string>
set hostname <hostname_string>
set ip <ip_address>
set ipv6 <ipv6_address>
set preference <preference_value>
set status {enable | disable}
set ttl <entry_ttl_value>
set type {A|AAAA|MX|NS|CNAME}
end
end
edit <zone-string>
  Enter the DNS zone name. This name is significant only on the FortiGate unit itself.
  Default: no default.

allow-transfer <ipv4_addr>
  List of IP addresses permitted to request a zone transfer of this zone. Restrict it to your own secondary DNS servers: a zone transfer discloses every record in the zone.
  Default: no default.

authoritative {enable | disable}
  Enable to declare this as an authoritative zone.
  Default: enable

contact <email_string>
  Enter the email address of the administrator for this zone. You can enter just the username portion of the email address or the full address. If just the username is used, the domain of the zone is appended. For example, if the username bsmith is entered and the zone domain is example.com, email is sent to bsmith@example.com.
  Default: hostmaster

domain <domain>
  Set the domain name of this zone. DNS queries are matched against this name to select the zone.
  Default: no default.

forwarder <ipv4_addr>
  Enter the IP address of the DNS zone forwarder.
  Default: no default.

primary-name <name_string>
  Enter the host name of the primary (default) DNS server for this zone.
  Default: dns
source-ip <ipv4_addr>
  Enter the source IP address to use when forwarding to the DNS server.
  Default: 0.0.0.0

status {enable | disable}
  Enable this DNS zone.
  Default: enable

ttl <int>
  Set the default time-to-live, in seconds, for the records in this zone. Range 0 to 2 147 483 647.
  Default: 86400

type {master | slave}
  Select the type of this zone:
    master: entries are managed directly on the FortiGate unit.
    slave: entries are imported from an external master server.
  Default: master

view {public | shadow}
  Select the view for this zone, public or shadow.
  Default: shadow

config dns-entry variables

edit <entry-id>

canonical-name <canonical_name_string>
  Enter the canonical name of the host. Available if type is CNAME.
  Default: null

hostname <hostname_string>
  Enter the name of the host.
  Default: null

ip <ip_address>
  Enter the IPv4 address of the host. Available if type is A.
  Default: 0.0.0.0

ipv6 <ipv6_address>
  Enter the IPv6 address of the host. Available if type is AAAA.
  Default: ::

preference <preference_value>
  Enter the preference level; 0 is the highest preference. Available if type is MX.
  Default: 10

status {enable | disable}
  Enable the DNS entry.
  Default: enable

ttl <entry_ttl_value>
  Optionally override the zone time-to-live value. Range 0 to 2 147 483 647 seconds. Set to 0 to use the zone ttl value.
  Default: 0

type {A | AAAA | MX | NS | CNAME}
  A: IPv4 host
  AAAA: IPv6 host
  CNAME: alias
  MX: mail server
  NS: name server
  Default: A
dns-server
Use this command to run the FortiGate DNS server on a particular interface and select how it answers the queries it receives there. Because mode defaults to recursive, adding an entry for an Internet-facing interface makes the FortiGate unit relay queries from that network to its configured DNS servers (an open resolver) unless you set mode to non-recursive.
Syntax
config system dns-server
edit <intf_name>
set mode {forward-only | non-recursive | recursive}
end
mode {forward-only | non-recursive | recursive}
  Select the mode the DNS server on this interface uses:
    forward-only: forward the query to the DNS server configured for the FortiGate unit.
    non-recursive: look up the domain name in the local DNS database only. Do not relay the request to the DNS server configured for the FortiGate unit. See "system dns-database".
    recursive: look up the domain name in the local DNS database. If the entry is not found, relay the request to the DNS server configured for the FortiGate unit.
  Default: recursive
elbc
Use this command to set the chassis load balancing (ELBC) information for the FortiGate unit. The unit must be in Transparent mode.
A FortiTrunk is a group of backplane slots over which the fabric can load balance traffic. For this to happen, the trunk members (the blades) are responsible for sending their heartbeats over the fabric channel to the FortiSwitch. If the blades are standalone, each sends a heartbeat; if they are in an FGCP HA cluster, only one heartbeat is sent and the load-balanced traffic is forwarded to the primary HA unit.
Syntax
config system elbc
set mode {none | content-cluster | forti-trunk | service-group}
set graceful-upgrade {enable | disable}
set hb-device <intf_name>
end
mode {none | content-cluster | forti-trunk | service-group}
  Select the ELBC mode to use:
    none: no ELBC operation
    content-cluster: load balance UTM traffic
    forti-trunk: use the FortiTrunk feature
    service-group: full support of enhanced load balance cluster
  Default: none

graceful-upgrade {enable | disable}
  Enable to upgrade the HA cluster gracefully when using ELBCv3: the other units in the cluster are upgraded first, then the primary unit.
  Default: enable

hb-device <intf_name>
  Specify the heartbeat interface for FortiTrunk mode.
  Default: no default.

fips-cc
Use this command to put the FortiGate unit into FIPS-CC mode.
Federal Information Processing Standards-Common Criteria (FIPS-CC) mode is an enhanced security mode that is valid only on FIPS-CC-certified versions of the FortiGate firmware.
When switching to FIPS-CC mode, you are prompted to confirm, and you must log in again.
When you enable FIPS-CC mode, all of the existing configuration is lost, so back up the configuration before enabling it.
Syntax
config system fips-cc
set status {enable | disable}
end
status {enable | disable}
  Enable to select FIPS-CC mode operation for the FortiGate unit.
  Default: disable

fortiguard
Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard
subscription services such as:
• FortiGuard Antivirus and IPS
• FortiGuard Web Filtering and Antispam
• FortiGuard Analysis and Management Service
For FortiGuard Antivirus and IPS, Web Filtering and Antispam, you can alternatively use this command to configure
the FortiGate unit to communicate with a FortiManager system, which can act as a private FortiGuard Distribution
Server (FDS) for those services.
By default, FortiGate units connect to the FDN using a set of default connection settings. You can override these
settings to use IP addresses and port numbers other than the defaults. For example, if you have a FortiManager unit,
you might download a local copy of FortiGuard service updates to the FortiManager unit, then redistribute those
updates by configuring each FortiGate unit’s server override feature to connect to the FortiManager unit’s private FDS
IP address.
IP address and port number overrides for FortiGuard Analysis and Management Service are configured separately
from other FortiGuard services. For more information, see “system fortiguard-log” on page 442.
If the FortiGate unit is unable to connect to the FDN, verify connectivity on required ports. For a list
of required ports, see the Fortinet Knowledge Center article Traffic Types and TCP/UDP Ports
Used by Fortinet Products.
Remote administration by a FortiManager system is mutually exclusive with remote administration
by FortiGuard Analysis and Management Service. For information about configuring remote
administration by a FortiManager system instead, see “system central-management” on
page 421.
Syntax
config system fortiguard
set hostname <url_str>
set port {53 | 8888}
set srv-ovrd {enable | disable}
set client-override-ip <ovrd_ipv4>
set client-override-status {enable | disable}
set service-account-id <id_str>
set load-balance-servers <number>
set analysis-service {enable | disable}
set antispam-cache {enable | disable}
set antispam-cache-ttl <ttl_int>
set antispam-cache-mpercent <ram_int>
set antispam-expiration
set antispam-force-off {enable | disable}
set antispam-license
set antispam-score-threshold <score_int>
set antispam-timeout <timeout_int>
set avquery-cache {enable | disable}
set avquery-cache-ttl <ttl_int>
set avquery-cache-mpercent <max_int>
set avquery-force-off {enable | disable}
set avquery-license
set avquery-expiration
set avquery-timeout <timeout_int>
set central-mgmt-auto-backup {enable | disable}
set central-mgmt-scheduled-config-restore {enable | disable}
set central-mgmt-scheduled-upgrade {enable | disable}
set central-mgmt-status {enable | disable}
set webfilter-cache {enable | disable}
set webfilter-cache-ttl <ttl_int>
set webfilter-expiration
set webfilter-force-off {enable | disable}
set webfilter-license
set webfilter-timeout <timeout_int>
config srv-ovrd-list
edit <index_int>
set addr-type {ipv6 | ipv4}
set ip <ovrd_ipv4>
set ip6 <ovrd_ipv6>
end
end
end
hostname <url_str>
  Enter the host name of the primary FortiGuard server. FortiGate unit defaults include the host name; use this command only when required to change it. Alternatively, configure srv-ovrd.
  This field is available only if srv-ovrd is disable.
  Default: service.fortiguard.net

port {53 | 8888}
  Enter the port to use for rating queries to the FortiGuard Web Filtering or FortiGuard Antispam service.
  Default: 53

srv-ovrd {enable | disable}
  Enable to override the primary FortiGuard server set in hostname. Specify the override server(s) using config srv-ovrd-list. Alternatively, configure hostname. hostname is not used and is unavailable for configuration when this field is enable.
  Default: disable

client-override-ip <ovrd_ipv4>
  Enter the IP address on this FortiGate unit that is used to connect to the FortiGuard servers for web filter and antispam queries. This field is available only if client-override-status is enable.
  Default: no default.

client-override-status {enable | disable}
  Enable to force the FortiGate unit to connect to the FortiGuard servers from a specific IP address for web filter and antispam queries. You must also configure client-override-ip.
  Default: disable

service-account-id <id_str>
  Enter the Service Account ID to use for communications with the FortiGuard Analysis Service or FortiGuard Management Service.
  Default: no default.

load-balance-servers <number>
  Enter the number of FortiGuard servers to connect to. By default, the FortiGate unit always uses the first server in its FortiGuard server list to connect to the FortiGuard network, and load-balance-servers is set to 1. You can increase this number up to 20 if you want the FortiGate unit to use a different FortiGuard server each time it contacts the FortiGuard network. If you set load-balance-servers to 2, the FortiGate unit alternates between the first two servers in the FortiGuard server list.
  Default: 1

analysis-service {enable | disable}
  Enable or disable the FortiGuard Analysis and Management Service.
  Default: enable
antispam-cache {enable | disable}
  Enable or disable caching of FortiGuard Antispam query results, including the IP address and URL block list. Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.
  Default: enable

antispam-cache-ttl <ttl_int>
  Enter a time to live (TTL), in seconds, for antispam cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
  Default: 1800

antispam-cache-mpercent <ram_int>
  Enter the maximum percentage of memory (RAM) to use for antispam caching. Valid percentage ranges from 1 to 15.
  Default: 2

antispam-expiration
  The expiration date of the FortiGuard Antispam service contract. This variable can be viewed with the get command but cannot be set.
  Default: N/A

antispam-force-off {enable | disable}
  Enable to stop the FortiGuard Antispam service on this FortiGate unit.
  Default: disable

antispam-license
  The interval of time between license checks for the FortiGuard Antispam service contract. This variable can be viewed with the get command but cannot be set.
  Default: 7

antispam-score-threshold <score_int>
  Enter the FortiGuard antispam score above which an email message is blocked.
  Default: 80

antispam-timeout <timeout_int>
  Enter the FortiGuard Antispam query timeout. Valid timeout ranges from 1 to 30 seconds.
  Default: 7

avquery-cache {enable | disable}
  Enable or disable caching of FortiGuard Antivirus query results. Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.
  Default: enable

avquery-cache-ttl <ttl_int>
  Enter a time to live (TTL), in seconds, for antivirus cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
  Default: 1800

avquery-cache-mpercent <max_int>
  Enter the maximum percentage of memory to be used for FortiGuard Antivirus query caching. Valid percentage ranges from 1 to 15.
  Default: 2

avquery-force-off {enable | disable}
  Enable to stop the FortiGuard Antivirus service on this FortiGate unit.
  Default: disable

avquery-license
  The interval of time between license checks for the FortiGuard Antivirus service contract. This variable can be viewed with the get command but cannot be set.
  Default: Unknown
avquery-expiration
  The expiration date of the FortiGuard Antivirus service contract. This variable can be viewed with the get command but cannot be set.
  Default: N/A

avquery-timeout <timeout_int>
  Enter the time limit in seconds for the FortiGuard Antivirus service query timeout. Valid timeout ranges from 1 to 30.
  Default: 7

central-mgmt-auto-backup {enable | disable}
  Enable automatic backup of the FortiGate unit's configuration to the FortiGuard Analysis and Management Service upon an administrator's logout or session timeout.
  This field is available only if central-mgmt-status is enable.
  Default: disable

central-mgmt-scheduled-config-restore {enable | disable}
  Enable scheduled restoration of the FortiGate unit's configuration from the FortiGuard Analysis and Management Service.
  This field is available only if central-mgmt-status is enable.
  Default: disable

central-mgmt-scheduled-upgrade {enable | disable}
  Enable scheduled upgrades of the FortiGate unit's firmware by the FortiGuard Analysis and Management Service.
  This field is available only if central-mgmt-status is enable.
  Default: disable

central-mgmt-status {enable | disable}
  Enable remote administration of the FortiGate unit by the FortiGuard Analysis and Management Service. You must also configure service-account-id. For more information about validating or updating the FortiGuard Analysis and Management contract, see "execute fortiguard-log update" on page 750.
  Default: disable

webfilter-cache {enable | disable}
  Enable or disable caching of FortiGuard Web Filtering query results, including category ratings for URLs. Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL is requested. When the cache is full, the least recently used cache entry is replaced.
  Default: enable

webfilter-cache-ttl <ttl_int>
  Enter a time to live (TTL), in seconds, for web filtering cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
  Default: 3600

webfilter-expiration
  The expiration date of the FortiGuard Web Filtering service contract. This variable can be viewed with the get command but cannot be set.
  Default: N/A

webfilter-force-off {enable | disable}
  Enable to stop the FortiGuard Web Filtering service on this FortiGate unit.
  Default: disable

webfilter-license
  The interval of time between license checks for the FortiGuard Web Filtering service contract. Initially this value is unknown; it is set after contacting the FDN to validate the FortiGuard Web Filtering license. This variable can be viewed with the get command but cannot be set.
  Default: Unknown
webfilter-timeout <timeout_int>
  Enter the FortiGuard Web Filtering query timeout. Valid timeout ranges from 1 to 30 seconds.
  Default: 15

config srv-ovrd-list
  This command is available only if srv-ovrd is enable.

  edit <index_int>
    Enter the index number of a FortiGuard Antivirus and IPS server override.
    Default: no default.

  addr-type {ipv6 | ipv4}
    Select whether IPv4 or IPv6 addresses are used.
    Default: ipv4

  ip <ovrd_ipv4>
    Enter the IP address that overrides the default server IP address. This may be the IP address of a FortiManager unit or of a specific FDN server. Available when addr-type is ipv4.
    Default: 0.0.0.0

  ip6 <ovrd_ipv6>
    Enter the IPv6 address that overrides the default server IP address. This may be the IP address of a FortiManager unit or of a specific FDN server. Available when addr-type is ipv6.
    Default: ::
fortiguard-log
Use this command to override default ports and IP addresses that the FortiGate unit connects to for FortiGuard
Analysis and Management Service.
Syntax
config system fortiguard-log
set controller-ip <address_ipv4>
set controller-port <port_int>
set override-controller {enable | disable}
set source-ip <ipv4_addr>
end
controller-ip <address_ipv4>
  Enter the IP address of the FortiGuard Analysis and Management Service controller.
  This option appears only if override-controller is enable.
  Default: 0.0.0.0

controller-port <port_int>
  Enter the port number of the FortiGuard Analysis and Management Service controller. Valid ports range from 0 to 65535.
  This option appears only if override-controller is enable.
  Default: 0

override-controller {enable | disable}
  Select to override the default FortiGuard Analysis and Management Service controller IP address and/or port.
  Default: disable

source-ip <ipv4_addr>
  Enter the source IP address for communications to the FortiGuard Analysis and Management Service (FAMS).
  This is available if override-controller is enable.
  Default: 0.0.0.0
gi-gk
This command configures the settings for the FortiOS Carrier Gi gateway firewall. This firewall is used in the anti-overbilling configuration and can be enabled on a per-interface basis. For more information see “system interface” on page 465.
Syntax
config system gi-gk
set context <id_integer>
set port <tcp_port>
end
context <id_integer>
  Enter the context ID for the Gi gateway firewall.

port <tcp_port>
  Enter the TCP port to listen on. Valid range is from 0 to 65535.
  Default: 0

global
Use this command to configure global settings that affect various FortiGate systems and configurations.
Runtime-only config mode was introduced in FortiOS v3.0 MR2. This mode allows you to try out commands that may
put your FortiGate unit into an unrecoverable state normally requiring a physical reboot. In runtime-only config mode
you can set a timeout so after a period of no input activity the FortiGate unit will reboot with the last saved
configuration. Another option in runtime-only configuration mode is to manually save your configuration periodically
to preserve your changes. For more information see set cfg-save {automatic | manual | revert}, set
cfg-revert-timeout <seconds>, and execute cfg reload.
Syntax
config system global
set access-banner {enable | disable}
set admin-concurrent {enable | disable}
set admin-https-pki-required {enable | disable}
set admin-lockout-duration <time_int>
set admin-lockout-threshold <failed_int>
set admin-maintainer {enable | disable}
set admin-port <port_number>
set admin-scp {enable | disable}
set admin-server-cert { self-sign | <certificate> }
set admin-sport <port_number>
set admin-ssh-grace-time <time_int>
set admin-ssh-port <port_number>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <port_number>
set admintimeout <admin_timeout_minutes>
set anti-replay {disable | loose | strict}
set auth-cert <cert-name>
set auth-http-port <http_port>
set auth-https-port <https_port>
set auth-keepalive {enable | disable}
set auth-policy-exact-match {enable | disable}
set av-failopen {idledrop | off | one-shot | pass}
set av-failopen-session {enable | disable}
set batch-cmdb {enable | disable}
set cfg-save {automatic | manual | revert}
set cfg-revert-timeout <seconds>
set check-protocol-header {loose | strict}
set check-reset-range {disable | strict}
set clt-cert-req {enable | disable}
set csr-ca-attribute {enable | disable}
set daily-restart {enable | disable}
set detection-summary {enable | disable}
set dst {enable | disable}
set elbc-status {enable | disable}
set endpoint-control-fds-access {enable | disable}
set endpoint-control-portal-port <endpoint_port>
set explicit-proxy-auth-timeout <seconds_int>
set fds-statistics {enable | disable}
set fds-statistics-period <minutes>
set fgd-alert-subscription {advisory latest-threat latest-virus latest-attack
new-virus-db new-attack-db}
set fmc-xg2-load-balance {disable | enable}
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set gui-ap-profile {disable | enable}
set gui-central-nat-table {disable | enable}
set gui-dns-database {disable | enable}
set gui-dynamic-profile-display {disable | enable}
set gui-icap {disable | enable}
set gui-implicit-id-based-policy {disable | enable}
set gui-implicit-policy {disable | enable}
set gui-ipsec-manual-key {enable | disable}
set gui-ipv6 {enable | disable}
set gui-lines-per-page <gui_lines>
set gui-load-balance {disable | enable}
set gui-object-tags {disable | enable}
set gui-policy-interface-pairs-view {enable | disable}
set gui-voip-profile {disable | enable}
set hostname <unithostname>
set http-obfuscate {header-only | modified | no-error | none}
set ie6workaround {enable | disable}
set internal-switch-mode {hub | interface | switch}
set internal-switch-speed {100full | 100half | 10full | 10half | auto}
set ip-src-port-range <start_port>-<end_port>
set ipsec-hmac-offload {disable | enable}
set ipv6-accept-dad {0|1|2}
set language <language>
set lcdpin <pin_number>
set lcdprotection {enable | disable}
set ldapconntimeout <ldaptimeout_msec>
set loglocaldeny {enable | disable}
set log-user-in-upper {enable | disable}
set management-vdom <domain>
set max-sql-log-size <size_int>
set num-cpus <int>
set optimize {antivirus | throughput}
set phase1-rekey {enable | disable}
set policy-auth-concurrent {enable | disable}
set radius-port <radius_port>
set refresh <refresh_seconds>
set registration-notification {disable | enable}
set remoteauthtimeout <timeout_sec>
set reset-sessionless-tcp {enable | disable}
set restart-time <hh:mm>
set revision-backup-on-logout {enable | disable}
set scanunit-count <count_int>
set send-pmtu-icmp {enable | disable}
set service-expire-notification {disable | enable}
set show-backplane-intf {enable | disable}
set sql-logging {enable | disable}
set sp-load-balance {enable | disable}
set strict-dirty-session-check {enable | disable}
set strong-crypto {enable | disable}
set syncinterval <ntpsync_minutes>
set tcp-halfclose-timer <seconds>
set tcp-halfopen-timer <seconds>
set tcp-option {enable | disable}
set tcp-timewait-timer <seconds_int>
set timezone <timezone_number>
set tos-based-priority {low | medium | high}
set tp-mc-skip-policy {enable | disable}
set udp-idle-timer <seconds>
set user-server-cert <cert_name>
set vdom-admin {enable | disable}
set vip-arp-range {unlimited | restricted}
set wifi-certificate <cert-name>
set wifi-ca-certificate <ca_cert-name>
set wimax-4g-usb {enable | disable}
set wireless-controller-port <port_int>
set wireless-mode {ac | client | wtp}
end
access-banner {enable | disable}
Enable to display the admin access disclaimer message. For more information see “system replacemsg admin” on page 500.
Default: disable

admin-concurrent {enable | disable}
Enable to restrict concurrent administrator logins. When enabled, the FortiGate unit restricts concurrent access from the same admin user name on different IP addresses. Use policy-auth-concurrent for firewall-authenticated users.

admin-https-pki-required {enable | disable}
Enable to allow a user to log in only by providing a valid certificate if PKI is enabled for HTTPS administrative access. The default setting, disable, allows admin users to log in by providing either a valid certificate or a password.
Default: disable

admin-lockout-duration <time_int>
Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts trigger the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.
Default: 60

admin-lockout-threshold <failed_int>
Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.
Default: 3

admin-maintainer {enable | disable}
Enabled by default. Disable for CC.
Default: enable

admin-port <port_number>
Enter the port to use for HTTP administrative access.
Default: 80

admin-scp {enable | disable}
Enable to allow system configuration download by the secure copy (SCP) protocol.
Default: disable

admin-server-cert {self-sign | <certificate>}
Select the admin HTTPS server certificate to use. Choices include self-sign and the filename of any installed certificate. The default setting is Fortinet_Factory, if available, otherwise self-sign.
Default: see description.

admin-sport <port_number>
Enter the port to use for HTTPS administrative access.
Default: 443

admin-ssh-grace-time <time_int>
Enter the maximum time permitted between making an SSH connection to the FortiGate unit and authenticating. Range is 10 to 3600 seconds.
Default: 120

admin-ssh-port <port_number>
Enter the port to use for SSH administrative access.
Default: 22

admin-ssh-v1 {enable | disable}
Enable compatibility with SSH v1.0.
Default: disable

admin-telnet-port <port_number>
Enter the port to use for telnet administrative access.
Default: 23

admintimeout <admin_timeout_minutes>
Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours). To improve security keep the idle timeout at the default value of 5 minutes.
Default: 5
anti-replay {disable | loose | strict}
Set the level of checking for packet replay and TCP sequence checking (or TCP Sequence (SYN) number checking). All TCP packets contain a Sequence Number (SYN) and an Acknowledgement Number (ACK). The TCP protocol uses these numbers for error-free end-to-end communications. TCP sequence checking can also be used to validate individual packets.
FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally the desired behavior, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets. You can set anti-replay protection to the following settings:
• disable — No anti-replay protection.
• loose — Perform packet sequence checking and ICMP anti-replay checking with the following criteria:
  • The SYN, FIN, and RST bits cannot appear in the same packet.
  • The FortiGate unit does not allow more than 1 ICMP error packet to go through the FortiGate unit before it receives a normal TCP or UDP packet.
  • If the FortiGate unit receives an RST packet, and check-reset-range is set to strict, the FortiGate unit checks whether the sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
• strict — Performs all of the loose checking but for each new session also checks whether the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value. Strict anti-replay checking can also help prevent SYN flooding.
If any packet fails a check it is dropped. If “extended-traffic-log {disable | enable}” on page 226 is enabled, a log message is written for each packet that fails a check.
Default: strict

auth-cert <cert-name>
HTTPS server certificate for policy authentication. Self-sign is the built-in certificate, but others will be listed as you add them.
Default: self-sign

auth-http-port <http_port>
Set the HTTP authentication port. <http_port> can be from 1 to 65535.
Default: 1000

auth-https-port <https_port>
Set the HTTPS authentication port. <https_port> can be from 1 to 65535.
Default: 1003

auth-keepalive {enable | disable}
Enable to extend the authentication time of the session through periodic traffic to prevent an idle timeout.
Default: disable

auth-policy-exact-match {enable | disable}
Enable to require traffic to exactly match an authenticated policy, with a policy ID and IP address, to pass through. When disabled, only the IP address needs to match.
Default: disable
av-failopen {idledrop | off | one-shot | pass}
Set the action to take if the unit is running low on memory or the proxy connection limit has been reached. Valid options are idledrop, off, one-shot, and pass.
• idledrop — drop connections based on the clients that have the most connections open. This is most useful for Windows applications, and can prevent malicious bots from keeping an idle connection open to a remote server.
• off — stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
• one-shot — bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
• pass — bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
Default: pass

av-failopen-session {enable | disable}
When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
Default: disable

batch-cmdb {enable | disable}
Enable/disable batch mode. Batch mode is used to enter a series of commands and execute them as a group once they are loaded. For more information, see “execute batch” on page 730.
Default: enable

cfg-save {automatic | manual | revert}
Set the method for saving the FortiGate system configuration and enter runtime-only configuration mode. Methods for saving the configuration are:
• automatic — automatically save the configuration after every change.
• manual — manually save the configuration using the execute cfg save command.
• revert — manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.
Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode. See “execute cfg reload” on page 734 for more information.
Default: automatic

cfg-revert-timeout <seconds>
Enter the timeout interval in seconds. If the administrator makes a change and there is no activity for the timeout period, the FortiGate unit will automatically revert to the last saved configuration. Default timeout is 600 seconds. This command is available only when cfg-save is set to revert. This command is part of the runtime-only configuration mode. See “execute cfg reload” on page 734 for more information.
Default: 600
check-protocol-header {loose | strict}
Select the level of checking performed on protocol headers.
• loose — the FortiGate unit performs basic header checking to verify that a packet is part of a session and should be processed. Basic header checking includes verifying that the layer-4 protocol header length, the IP header length, the IP version, the IP checksum, IP options, etc. are correct.
• strict — the FortiGate unit does the same checking as above plus it verifies that ESP packets have the correct sequence number, SPI, and data length.
If the packet fails header checking it is dropped by the FortiGate unit and logged if “extended-traffic-log {disable | enable}” on page 226 is enabled.
Default: loose

check-reset-range {disable | strict}
Configure ICMP error message verification.
• disable — the FortiGate unit does not validate ICMP error messages.
• strict — if the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range, the ICMP packet is dropped. If “extended-traffic-log {disable | enable}” on page 226 is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
Default: disable
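The loose anti-replay criteria and the strict check-reset-range validation described above, modelled as an added example (constructed here, not FortiOS code). The session-table layout, the use of snd_una..snd_nxt as “the range recorded in the session”, and treating any two of SYN, FIN and RST in one packet as the invalid combination are assumptions of this model.

```python
"""Added example (constructed, not FortiOS code): a model of the loose
anti-replay criteria and the strict check-reset-range validation above.
Assumed: the session records snd_una..snd_nxt and that is "the range
recorded in the session"; any two of SYN, FIN, RST together are invalid."""
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits (RFC 793)


@dataclass
class Session:
    """Sequence state held for one flow A:C -> B:D (assumed layout)."""
    src: str
    sport: int
    dst: str
    dport: int
    snd_una: int  # oldest sequence number sent by A and not yet ACKed by B
    snd_nxt: int  # next sequence number A will send


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: int


@dataclass
class IcmpError:
    """ICMP error embedding the IP(A,B) | TCP(C,D) header of the offending packet."""
    embedded: TcpPacket


@dataclass
class Firewall:
    anti_replay: str = "loose"         # disable | loose | strict
    check_reset_range: str = "strict"  # disable | strict
    sessions: dict = field(default_factory=dict)
    icmp_errors_since_normal: int = 0
    log: list = field(default_factory=list)  # stands in for extended-traffic-log

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def add_session(self, s):
        self.sessions[self._key(s)] = s

    def _drop(self, reason):
        self.log.append(reason)  # one log message per packet that fails a check
        return False

    def _in_recorded_range(self, p):
        s = self.sessions.get(self._key(p))  # locate the A:C -> B:D session
        return s is not None and s.snd_una <= p.seq <= s.snd_nxt

    def check_tcp(self, p):
        """True if a TCP packet passes; False (and logged) if it is dropped."""
        if self.anti_replay == "disable":
            return True
        # loose criterion 1: SYN, FIN and RST may not appear in the same packet
        if bin(p.flags & (SYN | FIN | RST)).count("1") > 1:
            return self._drop("SYN/FIN/RST combination")
        self.icmp_errors_since_normal = 0  # a normal packet re-arms the ICMP allowance
        # loose criterion 3: with check-reset-range strict, an RST must lie inside
        # the un-ACKed data of its session
        if p.flags & RST and self.check_reset_range == "strict":
            if not self._in_recorded_range(p):
                return self._drop("RST sequence outside un-ACKed data")
        return True

    def check_icmp_error(self, e):
        """True if an ICMP error passes; False (and logged) if it is dropped."""
        # loose criterion 2: no more than one ICMP error before a normal packet
        if self.anti_replay != "disable":
            if self.icmp_errors_since_normal >= 1:
                return self._drop("second ICMP error before a normal packet")
            self.icmp_errors_since_normal += 1
        # check-reset-range strict: the embedded sequence number must be in range
        if self.check_reset_range == "strict" and not self._in_recorded_range(e.embedded):
            return self._drop("ICMP embedded sequence not in session range")
        return True


def demo():
    """Run the checks over constructed traffic and return the drop log."""
    fw = Firewall()
    fw.add_session(Session("10.0.0.5", 40000, "203.0.113.9", 443, 1000, 1500))
    flow = ("10.0.0.5", 40000, "203.0.113.9", 443)
    fw.check_tcp(TcpPacket(*flow, 1000, SYN | FIN))            # dropped
    fw.check_tcp(TcpPacket(*flow, 1200, RST))                  # inside un-ACKed data
    fw.check_tcp(TcpPacket(*flow, 9000, RST))                  # dropped
    fw.check_icmp_error(IcmpError(TcpPacket(*flow, 1100, 0)))  # first error passes
    fw.check_icmp_error(IcmpError(TcpPacket(*flow, 1100, 0)))  # dropped: no normal packet yet
    fw.check_tcp(TcpPacket(*flow, 1300, ACK))                  # normal packet re-arms
    fw.check_icmp_error(IcmpError(TcpPacket(*flow, 7777, 0)))  # dropped: seq out of range
    return fw.log
```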
clt-cert-req {enable | disable}
Enable to require a client certificate before an administrator logs on to the web-based manager using HTTPS.
Default: disable

csr-ca-attribute {enable | disable}
Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.
Default: enable

daily-restart {enable | disable}
Enable to restart the FortiGate unit every day. The time of the restart is controlled by restart-time.
Default: disable

detection-summary {enable | disable}
Disable to prohibit the collection of detection summary statistics for FortiGuard.
Default: enable

dst {enable | disable}
Enable or disable daylight saving time. If you enable daylight saving time, the FortiGate unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
Default: enable

elbc-status {enable | disable}
This attribute is enabled by default. When enabled the system will await the base channel heartbeat that will configure the system into ELBCv3 mode. Disabling this command will not disable ELBCv3 mode once the FortiGate has already configured itself for ELBCv3 mode. See “system elbc” on page 435.
Default: enable

endpoint-control-fds-access {enable | disable}
Enable or disable access to FortiGuard servers for noncompliant endpoints.
Default: enable

endpoint-control-portal-port <endpoint_port>
Enter the port number, from 1 to 65535, for the endpoint control portal port for FortiClient downloads.
Default: 8009

explicit-proxy-auth-timeout <seconds_int>
Enter the timeout, in seconds, for idle explicit web proxy sessions. Range: 1 to 600 seconds.
Default: 300
fds-statistics {enable | disable}
Enable or disable AV/IPS signature reporting. If necessary, disable to avoid error messages on HA subordinate units during an AV/IPS update.
Default: enable

fds-statistics-period <minutes>
Select the number of minutes in the FDS report period. Range is 1 to 1440 minutes.
Default: 60

fgd-alert-subscription {advisory latest-threat latest-virus latest-attack new-virus-db new-attack-db}
Select what to retrieve from FortiGuard:
• advisory — FortiGuard advisories, report and news alerts
• latest-attack — latest FortiGuard attack alerts
• latest-threat — latest FortiGuard threat alerts
• latest-virus — latest FortiGuard virus alerts
• new-antivirus-db — FortiGuard AV database release alerts
• new-attack-db — FortiGuard IPS database release alerts
Default: null

fmc-xg2-load-balance {disable | enable}
Enable to start XG2 load balancing.
Default: disable

fwpolicy-implicit-log {enable | disable}
Enable to log when a session uses an implicit policy (IPv4).
Default: disable

fwpolicy6-implicit-log {enable | disable}
Enable to log when a session uses an implicit policy (IPv6).
Default: disable

gui-ap-profile {disable | enable}
Enable or disable custom AP profile configuration options on the web-based manager.
Default: enable

gui-central-nat-table {disable | enable}
Enable or disable central NAT table configuration options and display on the web-based manager.
Default: disable

gui-dns-database {disable | enable}
Enable to display the DNS database menu in the web-based manager interface.
Default: disable

gui-dynamic-profile-display {disable | enable}
Enable to display dynamic profile feature controls in the web-based manager.
Default: enable

gui-icap {disable | enable}
Enable or disable ICAP configuration options on the web-based manager.
Default: disable

gui-implicit-id-based-policy {disable | enable}
Enable or disable identity-based firewall implicit policy configuration options on the web-based manager.
Default: disable

gui-implicit-policy {disable | enable}
Enable or disable implicit firewall policy configuration options on the web-based manager.
Default: enable

gui-ipsec-manual-key {enable | disable}
Enable to display the IPsec manual key page on the web-based manager.
Default: disable

gui-ipv6 {enable | disable}
Enable or disable IPv6 configuration options on the web-based manager.
Default: disable

gui-lines-per-page <gui_lines>
Set the number of lines displayed on table lists. Range is from 20 to 1000 lines per page.
Default: 50

gui-load-balance {disable | enable}
Enable or disable display of Load Balance in the web-based manager Firewall Objects menu.
Default: disable

gui-object-tags {disable | enable}
Enable or disable object tagging and object coloring configuration options on the web-based manager.
Default: disable

gui-policy-interface-pairs-view {enable | disable}
Enable to make interface pairs visible in firewall policies. When disabled, all interfaces appear the same. Interface pairs can be configured for accelerated UTM using FortiASIC processors.
Default: enable
gui-voip-profile {disable | enable}
Enable or disable VoIP profile configuration options on the web-based manager.
Default: disable

hostname <unithostname>
Enter a name to identify this FortiGate unit. A hostname can only include letters, numbers, hyphens, and underscores. No spaces are allowed. While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI and in other locations where the hostname is used. Some models support hostnames up to 35 characters. By default the hostname of your FortiGate unit is its serial number, which includes the model.
Default: FortiGate serial number.

http-obfuscate {header-only | modified | no-error | none}
Set the level at which the identity of the FortiGate web server is hidden or obfuscated.
• none — do not hide the FortiGate web server identity.
• header-only — hides the HTTP server banner.
• modified — provides modified error responses.
• no-error — suppresses error responses.
Default: none

ie6workaround {enable | disable}
Enable or disable the workaround for a navigation bar freeze issue caused by using the FortiGate web-based manager with Internet Explorer 6.
Default: disable

internal-switch-mode {hub | interface | switch}
Set the mode for the internal switch to one of hub, interface, or switch. Switch mode combines FortiGate unit interfaces into one switch with one address. Interface mode gives each internal interface its own address.
On some FortiGate models you can also select hub mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to, and may also respond quicker to network changes in some circumstances. You should only select hub mode if you are having network performance issues when operating in switch mode. The configuration of the FortiGate unit is the same whether in switch mode or hub mode.
Before switching modes, all configuration settings for the interfaces affected by the switch must be set to defaults.
Default: switch

internal-switch-speed {100full | 100half | 10full | 10half | auto}
Set the speed of the switch used for the internal interface. Choose one of 100full, 100half, 10full, 10half, or auto. 100 and 10 refer to 100M or 10M bandwidth. Full and half refer to full or half duplex.
Default: auto
ip-src-port-range <start_port>-<end_port>
Specify the IP source port range used for traffic originating from the FortiGate unit. The valid range for <start_port> and <end_port> is from 1 to 65535 inclusive. You can use this setting to avoid problems with networks that block some ports, such as FDN ports.
Default: 1024-4999

ipsec-hmac-offload {disable | enable}
Enable to offload IPsec HMAC processing to hardware, or disable to perform IPsec HMAC processing in software.
Default: enable

ipv6-accept-dad {0|1|2}
Configure IPv6 DAD (Duplicate Address Detection) operation:
• 0 — Disable DAD
• 1 — Enable DAD
• 2 — Enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address has been found.
Default: 1

language <language>
Set the web-based manager display language. You can set <language> to one of english, french, japanese, korean, portuguese, spanish, simch (Simplified Chinese) or trach (Traditional Chinese).
Default: english

lcdpin <pin_number>
Set the 6-digit PIN administrators must enter to use the LCD panel. This applies only to models with an LCD panel.
Default: 123456

lcdprotection {enable | disable}
Enable or disable LCD panel PIN protection. This applies only to models with an LCD panel.
Default: disable

ldapconntimeout <ldaptimeout_msec>
LDAP connection timeout in milliseconds.
Default: 500

loglocaldeny {enable | disable}
Enable or disable logging of failed connection attempts to the FortiGate unit that use TCP/IP ports other than the TCP/IP ports configured for management access (443 for HTTPS, 22 for SSH, 23 for telnet, and 80 for HTTP by default).
Default: disable

log-user-in-upper {enable | disable}
Log the user name in uppercase letters.
Default: disable

management-vdom <domain>
Enter the name of the management virtual domain. Management traffic such as FortiGuard traffic originates from the management VDOM.
Default: root

max-sql-log-size <size_int>
Enter the maximum size of the SQL log database in MB. Range 512 to 65536.
Default: 10240

num-cpus <int>
Enter the number of active CPUs.

optimize {antivirus | throughput}
Set firmware performance optimization to either antivirus or throughput.
Default: antivirus

phase1-rekey {enable | disable}
Enable or disable automatic rekeying between IKE peers before the phase 1 keylife expires.
Default: enable

policy-auth-concurrent {enable | disable}
Enable to restrict concurrent logins by firewall-authenticated users to the same IP address. For admin accounts use admin-concurrent.

radius-port <radius_port>
Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your FortiGate unit.
Default: 1812

refresh <refresh_seconds>
Set the Automatic Refresh Interval, in seconds, for the web-based manager System Status Monitor. Enter 0 for no automatic refresh.
Default: 0
registration-notification {disable | enable}
Enable or disable displaying the registration notification on the web-based manager if the FortiGate unit is not registered.
Default: enable

remoteauthtimeout <timeout_sec>
The number of seconds that the FortiGate unit waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds; 0 means no timeout. To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.
Default: 5

reset-sessionless-tcp {enable | disable}
Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. In most cases you should leave reset-sessionless-tcp disabled.
The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out.
If you disable reset-sessionless-tcp, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. This is normal network operation.
If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session.
This is available in NAT/Route mode only.
Default: disable

restart-time <hh:mm>
Enter the daily restart time in hh:mm format (hours and minutes). This is available only when daily-restart is enabled.
No default.

revision-backup-on-logout {enable | disable}
Enable or disable backup of the latest configuration revision when the administrator logs out of the CLI or web-based manager.
Default: enable

scanunit-count <count_int>
Tune the number of scanunits. The range and default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. Recommended for advanced users.
Default: depends on the model

send-pmtu-icmp {enable | disable}
Select enable to send a path maximum transmission unit (PMTU) ICMP destination unreachable packet. Enable if you need to support the PMTUD protocol on your network to reduce fragmentation of packets. Disabling this command will likely result in PMTUD packets being blocked by the unit.
Default: enable

service-expire-notification {disable | enable}
Enable or disable displaying a notification on the web-based manager 30 days before the FortiGate unit support contract expires.
Default: enable

show-backplane-intf {enable | disable}
Select enable to show FortiGate-5000 backplane interfaces as port9 and port10. Once these backplanes are visible they can be treated as regular physical interfaces.
Default: disable
sql-logging {enable | disable}
Enable SQL logging. This option is present only on models that have hard disks rather than SSDs. Report generation on these models can be slow.
Default: disable

sp-load-balance {enable | disable}
Enable or disable SP load balancing on models 3950B, 3951B, or 3140B. Not available if npu-cascade-cluster is enabled in system npu.
Default: disable

strict-dirty-session-check {enable | disable}
Enable to delete the session if a routing or policy change causes the session to no longer match the policy.
Default: disable

strong-crypto {enable | disable}
Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported with strong encryption.
Default: disable

syncinterval <ntpsync_minutes>
Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be from 1 to 1440 minutes. Setting it to 0 disables time synchronization.
Default: 0

tcp-halfclose-timer <seconds>
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Default: 120

tcp-halfopen-timer <seconds>
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Default: 60

tcp-option {enable | disable}
Enable SACK, timestamp and MSS TCP options. For normal operation tcp-option should be enabled. Disable for performance testing or in rare cases where it impairs performance.
Default: enable

tcp-timewait-timer <seconds_int>
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds.
Default: 120

timezone <timezone_number>
The number corresponding to your time zone, from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiGate unit from the list and enter the correct number.
Default: 00
tos-based-priority {low | medium | high}
Select the default system-wide level of priority for Type of Service (TOS). TOS determines the priority of traffic for scheduling. Typically this is set on a per service type level. For more information, see “system tos-based-priority” on page 565. The value of this field is the default setting for when TOS is not configured on a per service level.
Default: high

tp-mc-skip-policy {enable | disable}
Enable to allow skipping of the policy check, and to enable multicast through.
Default: disable

udp-idle-timer <seconds>
Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
Default: 180

user-server-cert <cert_name>
Select the certificate to use for HTTPS user authentication. The default setting is Fortinet_Factory, if available, otherwise self-sign.
Default: see description.

vdom-admin {enable | disable}
Enable to configure multiple virtual domains.
Default: disable

vip-arp-range {unlimited | restricted}
vip-arp-range controls the number of ARP packets the FortiGate unit sends for a VIP range. If restricted, the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range. If unlimited, the FortiGate unit sends ARP packets for every address in the VIP range.
Default: restricted

wifi-certificate <cert-name>
Select the certificate to use for WiFi authentication.
No default.

wifi-ca-certificate <ca_cert-name>
Select the CA certificate that verifies the WiFi certificate.
No default.

wimax-4g-usb {enable | disable}
Enable to allow access to a WiMAX 4G USB device.
Default: disable

wireless-controller-port <port_int>
Select the port used for the control channel in wireless controller mode (wireless-mode is ac). The range is 1024 through 49150. The data channel port is the control channel port number plus one.
Default: 5246

wireless-mode {ac | client | wtp}
Set the wireless mode (for FortiWiFi units):
• ac — Wireless controller with local wireless
• client — Wireless client
• wtp — Managed wireless terminal. This enables the FortiWiFi unit to be managed as an access point by another FortiGate unit’s wireless controller feature.
Default: ac

gre-tunnel
Use this command to configure the tunnel for a GRE interface. A new interface of type “tunnel” with the same name is
created automatically as the local end of the tunnel. This command is available only in NAT/Route mode.
To complete the configuration of a GRE tunnel, you need to:
• configure a firewall policy to pass traffic from the local private network to the tunnel interface
• configure a static route to the private network at the remote end of the tunnel using the GRE tunnel “device”
• optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to
enable pinging of each end of the tunnel for testing
Syntax
config system gre-tunnel
edit <tunnel_name>
set interface <interface_name>
set local-gw <localgw_IP>
set remote-gw <remotegw_IP>
end
edit <tunnel_name>
Enter a name for the tunnel.
No default.

interface <interface_name>
Enter the physical, VLAN, or IPsec VPN interface that functions as the local end of the tunnel.

local-gw <localgw_IP>
Enter the IP address of the local gateway.

remote-gw <remotegw_IP>
Enter the IP address of the remote gateway.
ha
Use this command to enable and configure FortiGate high availability (HA) and virtual clustering.
You cannot enable HA mode if one of the FortiGate unit interfaces uses DHCP or PPPoE to acquire an IP address. If DHCP or PPPoE is configured, the config ha mode keyword is not available.
You also cannot enable HA mode if you have configured standalone session synchronization (config system session-sync).
Syntax
config system ha
set arps <arp_integer>
set arps-interval <interval_integer>
set authentication {disable | enable}
set cpu-threshold <weight_int> <low_int> <high_int>
set encryption {disable | enable}
set ftp-proxy-threshold <weight_int> <low_int> <high_int>
set group-id <id_integer>
set group-name <name_str>
set ha-eth-type <type_int>
set ha-mgmt-status {enable | disable}
set ha-mgmt-interface <interface_name>
set ha-mgmt-interface-gateway <gateway_interface>
set ha-uptime-diff-margin <diff_int>
set hb-interval <interval_integer>
set hb-lost-threshold <threshold_integer>
set hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>]...
set hc-eth-type <type_int>
set helo-holddown <holddown_integer>
set http-proxy-threshold <weight_int> <low_int> <high_int>
set imap-proxy-threshold <weight_int> <low_int> <high_int>
set l2ep-eth-type <type_int>
set link-failed-signal {disable | enable}
set load-balance-all {disable | enable}
set load-balance-udp {disable | enable}
set memory-threshold <weight_int> <low_int> <high_int>
set mode {a-a | a-p | standalone}
set monitor <interface_names>
set nntp-proxy-threshold <weight_int> <low_int> <high_int>
set override {disable | enable}
set password <password_str>
set pingserver-failover-threshold <threshold_integer>
set pingserver-flip-timeout <timeout_integer>
set pingserver-monitor-interface <interface_names>
set pop3-proxy-threshold <weight_int> <low_int> <high_int>
set priority <priority_integer>
set route-hold <hold_integer>
set route-ttl <ttl_integer>
set route-wait <wait_integer>
set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
set session-pickup {disable | enable}
set session-pickup-delay {enable | disable}
set session-sync-dev <interface_name> [<interface_name>]...
set smtp-proxy-threshold <weight_int> <low_int> <high_int>
set sync-config {disable | enable}
set uninterruptable-upgrade {disable | enable}
set weight <priority_integer> <weight_integer>
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
set vdom <vdom_names>
set vcluster2 {disable | enable}
end
config secondary-vcluster
set monitor <interface_names>
set override {disable | enable}
set priority <priority_integer>
set vdom <vdom_names>
set pingserver-failover-threshold <threshold_integer>
set pingserver-monitor-interface <interface_names>
end
end
arps <arp_integer>
    Set the number of times that the primary unit sends gratuitous ARP packets. Gratuitous ARP packets are sent when a cluster unit becomes a primary unit (this can occur when the cluster is starting up or after a failover).
    The range is 1 to 60.
    Default: 5

arps-interval <interval_integer>
    Set the number of seconds to wait between sending gratuitous ARP packets. When a cluster unit becomes a primary unit (this occurs when the cluster is starting up or after a failover) the primary unit immediately sends gratuitous ARP packets to inform connected network equipment of the IP address and MAC address of the primary unit.
    The range is 1 to 20 seconds.
    Default: 8

authentication {disable | enable}
    Enable/disable HA heartbeat message authentication using SHA1.
    Default: disable

cpu-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for CPU usage. When enabled, fewer sessions are load balanced to the cluster unit when its CPU usage reaches the high watermark <high_int>.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

encryption {disable | enable}
    Enable/disable HA heartbeat message encryption using AES-128 for encryption and SHA1 for authentication.
    Default: disable

ftp-proxy-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for FTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit when the high watermark <high_int> is reached.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

group-id <id_integer>
    The HA group ID. The range is 0 to 63. All members of the HA cluster must have the same group ID. Changing the group ID changes the cluster virtual MAC address.
    Default: 0

group-name <name_str>
    The HA group name. All cluster members must have the same group name. The maximum length of the group name is 32 characters.
    Default: FGT-HA

ha-eth-type <type_int>
    Set the Ethertype used by HA heartbeat packets for NAT/Route mode clusters. <type_int> is a 4-digit number.
    Default: 8890
ha-mgmt-status {enable | disable}
    Enable or disable the HA reserved management interface feature.
    Default: disable

ha-mgmt-interface <interface_name>
    Configure the FortiGate interface to be the reserved HA management interface. You can configure the IP address and other settings for this interface using the config system interface command. When the reserved management interface feature is enabled, the configuration of the reserved interface is not synchronized among cluster units.
    Default: none

ha-mgmt-interface-gateway <gateway_interface>
    Configure the default route for the reserved HA management interface.
    Default: 0.0.0.0

ha-uptime-diff-margin <diff_int>
    Change the cluster age difference margin (grace period). This margin is the age difference ignored by the cluster when selecting a primary unit based on age. Normally the default value of 300 seconds (5 minutes) should not be changed; for demonstration purposes you can use this option to lower the margin.
    Default: 300

hb-interval <interval_integer>
    The heartbeat interval is the time between sending heartbeat packets. The range is 1 to 20, in units of 100 milliseconds, so an hb-interval of 2 means a heartbeat packet is sent every 200 milliseconds.
    Default: 2

hb-lost-threshold <threshold_integer>
    The lost heartbeat threshold is the number of consecutive heartbeat packets that are not received from another cluster unit before assuming that the cluster unit has failed. The range is 1 to 60 packets. With the defaults (hb-interval 2, hb-lost-threshold 6) a failed unit is detected after about 1.2 seconds.
    Default: 6

hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>]...
    Select the FortiGate interfaces to be heartbeat interfaces and set the heartbeat priority for each interface. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic.
    By default two interfaces are configured to be heartbeat interfaces and the priority for both is set to 50. The heartbeat interface priority range is 0 to 512.
    You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
    Default: depends on the FortiGate model.

hc-eth-type <type_int>
    Set the Ethertype used by HA heartbeat packets for Transparent mode clusters. <type_int> is a 4-digit number.
    Default: 8891

helo-holddown <holddown_integer>
    The hello state hold-down time, which is the number of seconds that a cluster unit waits before changing from hello state to work state.
    The range is 5 to 300 seconds.
    Default: 20

http-proxy-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for HTTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit when the high watermark <high_int> is reached.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0
imap-proxy-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for IMAP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit when the high watermark <high_int> is reached.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

l2ep-eth-type <type_int>
    Set the Ethertype used by HA telnet sessions between cluster units over the HA link. <type_int> is a 4-digit number.
    Default: 8893

link-failed-signal {disable | enable}
    Enable or disable shutting down all interfaces (except for heartbeat device interfaces) of a cluster unit with a failed monitored interface for one second after a failover occurs. Enable this option if the switch the cluster is connected to does not update its MAC forwarding tables after a failover caused by a link failure.
    Default: disable

load-balance-all {disable | enable}
    Select the traffic that is load balanced by active-active HA. Enable to load balance TCP sessions and sessions for firewall policies that include UTM options. Disable to load balance only sessions for firewall policies that include UTM options.
    Available if mode is a-a.
    Default: disable

load-balance-udp {disable | enable}
    Load balance UTM traffic between FS-5203B and FG-5001B.
    Default: disable

memory-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for memory usage. When enabled, fewer sessions are load balanced to the cluster unit when its memory usage reaches the high watermark <high_int>.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

mode {a-a | a-p | standalone}
    Set the HA mode.
    Enter a-p to create an Active-Passive cluster.
    Enter a-a to create an Active-Active cluster.
    Enter standalone to disable HA.
    All members of an HA cluster must be set to the same HA mode.
    Not available if a FortiGate interface mode is set to dhcp or pppoe.
    Default: standalone

monitor <interface_names>
    Enable or disable port monitoring for link failure. Port monitoring (also called interface monitoring) monitors FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks.
    Enter the names of the interfaces to monitor, separated by spaces. To add an interface to the list or remove one from it, retype the whole list with the names changed as required.
    You can monitor physical interfaces, redundant interfaces, and 802.3ad aggregated interfaces, but not VLAN subinterfaces, IPSec VPN interfaces, or switch interfaces.
    You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces. In a multiple VDOM configuration you can monitor up to 16 interfaces per virtual cluster.
    Default: none
nntp-proxy-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for NNTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit when the high watermark <high_int> is reached.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

override {disable | enable}
    Enable or disable forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes. The override setting is not synchronized to all cluster units.
    Automatically changes to enable when you enable virtual cluster 2.
    Default: disable

password <password_str>
    Enter a password for the HA cluster. The password must be the same for all FortiGate units in the cluster. The maximum password length is 15 characters.
    Default: none

pingserver-failover-threshold <threshold_integer>
    Set the HA remote IP monitoring failover threshold. The range is 0 to 50. Setting the failover threshold to 0 means that if any ping server added to the HA remote IP monitoring configuration fails, an HA failover occurs.
    Set the priority for each remote IP monitoring ping server using the ha-priority field of the command "router gwdetect" on page 309.
    Default: 0

pingserver-flip-timeout <timeout_integer>
    Set the HA remote IP monitoring flip timeout in minutes. If HA remote IP monitoring fails on all cluster units because none of the cluster units can connect to the monitored IP addresses, the flip timeout stops a failover from occurring until the timer runs out.
    The range is 6 to 2147483647 minutes.
    Default: 60

pingserver-monitor-interface <interface_names>
    Enable HA remote IP monitoring by specifying the FortiGate unit interfaces that will be used to monitor remote IP addresses. You can configure remote IP monitoring for all types of interfaces, including physical interfaces, VLAN interfaces, redundant interfaces and aggregate interfaces.
    Use a space to separate each interface name. To add an interface to the list or remove one from it, retype the whole list with the names changed as required.

pop3-proxy-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for POP3 proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit when the high watermark <high_int> is reached.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

priority <priority_integer>
    Change the device priority of the cluster unit. Each cluster unit can have a different device priority (the device priority is not synchronized among cluster members). During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. The range is 0 to 255.
    Default: 128

route-hold <hold_integer>
    The minimum time between primary unit updates to the routing tables of subordinate units in a cluster. The range is 0 to 3600 seconds.
    Default: 10

route-ttl <ttl_integer>
    The time to live for routes in a cluster unit routing table. The range is 0 to 3600 seconds.
    The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit.
    Default: 10

route-wait <wait_integer>
    The time the primary unit waits after receiving a routing table update before attempting to update the subordinate units in the cluster. The range is 0 to 3600 seconds.
    Default: 0
schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
    Active-active load balancing schedule.
    • hub — load balancing if the cluster interfaces are connected to hubs. Traffic is distributed to cluster units based on the source IP and destination IP of the packet.
    • ip — load balancing according to IP address.
    • ipport — load balancing according to IP address and port.
    • leastconnection — least connection load balancing.
    • none — no load balancing. Use none when the cluster interfaces are connected to load balancing switches.
    • random — random load balancing.
    • round-robin — round robin load balancing. If the cluster units are connected using switches, use round-robin to distribute traffic to the next available cluster unit.
    • weight-round-robin — weighted round robin load balancing. Similar to round robin, but you can assign weighted values to each of the units in a cluster.
    Default: round-robin

session-pickup {disable | enable}
    Enable or disable session pickup. Enable session-pickup so that if the primary unit fails, all sessions are picked up by the new primary unit.
    If you enable session pickup, the subordinate units maintain session tables that match the primary unit session table. If the primary unit fails, the new primary unit can maintain all active communication sessions.
    If you do not enable session pickup, the subordinate units do not maintain session tables. If the primary unit fails, all sessions are interrupted and must be restarted when the new primary unit is operating.
    Default: disable

session-pickup-delay {enable | disable}
    Enable to synchronize sessions only if they remain active for more than 30 seconds. This option improves performance when session-pickup is enabled by reducing the number of sessions that are synchronized.
    Default: disable

session-sync-dev <interface_name> [<interface_name>]...
    Select FortiGate interfaces to be used for session synchronization between cluster units instead of using the heartbeat interface. You can select up to 8 session synchronization interfaces. Session synchronization packets are load balanced among these interfaces.

slave-switch-standby {enable | disable}
    Enable to force a slave FS-5203B into standby mode even though its weight is non-zero.
    Default: disable
smtp-proxy-threshold <weight_int> <low_int> <high_int>
    Configure dynamic weighted load balancing for SMTP proxy sessions processed by a cluster unit. When enabled, fewer sessions are load balanced to the cluster unit when the high watermark <high_int> is reached.
    Available when mode is a-a and schedule is weight-round-robin. Not synchronized to all cluster units. The default low and high watermarks of 0 disable the feature.
    Default: 5 0 0

sync-config {disable | enable}
    Enable or disable automatic synchronization of primary unit configuration changes to all cluster units.
    Default: enable

uninterruptable-upgrade {disable | enable}
    Enable or disable upgrading the cluster without interrupting cluster traffic processing.
    If uninterruptable-upgrade is enabled, traffic processing is not interrupted during a normal firmware upgrade. This process can take some time and may reduce the capacity of the cluster for a short time.
    If uninterruptable-upgrade is disabled, traffic processing is interrupted during a normal firmware upgrade (similar to upgrading the firmware operating on a standalone FortiGate unit).
    Default: enable

weight <priority_integer> <weight_integer>
    The weighted round robin load balancing weight to assign to each cluster unit in an active-active cluster. When you set schedule to weight-round-robin you can use the weight field to set the weight of each cluster unit. The weight is set according to the priority of the unit in the cluster. A FortiGate HA cluster can contain up to 16 FortiGate units, so you can set up to 16 weights. The cluster units are numbered 0 to 15.
    priority_integer is a number from 0 to 15 that identifies the priority of the cluster unit.
    weight_integer is a number between 0 and 255 that is the weight assigned to the cluster unit with that priority. Increase the weight to increase the number of connections processed by the cluster unit with that priority.
    You enter the weight for each unit separately. For example, if you have a cluster of 4 FortiGate units you can set the weights for each unit as follows:
        set weight 0 5
        set weight 1 10
        set weight 2 15
        set weight 3 20
    Default: 40 for each of the 16 possible units (40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40)

vdom <vdom_names>
    Add virtual domains to virtual cluster 1 or virtual cluster 2. Virtual cluster 2 is also called the secondary virtual cluster.
    In the config system ha shell, use set vdom to add virtual domains to virtual cluster 1. Adding a virtual domain to virtual cluster 1 removes that virtual domain from virtual cluster 2.
    In the config secondary-vcluster shell, use set vdom to add virtual domains to virtual cluster 2. Adding a virtual domain to virtual cluster 2 removes it from virtual cluster 1.
    You can use vdom to add virtual domains to a virtual cluster in any combination. You can add virtual domains one at a time or several at a time. For example, entering set vdom domain_1 followed by set vdom domain_2 has the same result as entering set vdom domain_1 domain_2.
    Default: all virtual domains are added to virtual cluster 1.

vcluster2 {disable | enable}
    Enable or disable virtual cluster 2.
    When multiple VDOMs are enabled, virtual cluster 2 is enabled by default. When virtual cluster 2 is enabled you can use config secondary-vcluster to configure virtual cluster 2.
    Disable virtual cluster 2 to move all virtual domains from virtual cluster 2 back to virtual cluster 1.
    Enabling virtual cluster 2 enables override for virtual cluster 1 and virtual cluster 2.
    Default: disable; enable when multiple VDOMs are enabled.

config secondary-vcluster
    Configure virtual cluster 2. You must enable vcluster2. Then you can use config secondary-vcluster to set monitor, override, priority, and vdom for virtual cluster 2.
    Default: same defaults as virtual cluster 1, except that the default value for override is enable.
interface
Use this command to edit the configuration of a FortiGate physical interface, VLAN subinterface, IEEE 802.3ad aggregate interface, redundant interface, or IPSec tunnel interface.
In the following table, VLAN subinterface can be substituted for interface in most places, except that you can only configure VLAN subinterfaces with static IP addresses. Use the edit command to add a VLAN subinterface.
VLAN communication over the backplane interfaces is available for FortiGate-5000 modules installed in a FortiGate-5020 chassis. The FortiSwitch-5003 does not support VLAN-tagged packets, so VLAN communication is not available over the FortiGate-5050 and FortiGate-5140 chassis backplanes.
Some fields are specific to aggregate interfaces. These appear at the end of the list of commands under "variables for aggregate and redundant interfaces (some FortiGate models)" on page 483.
Some FortiGate models support switch mode for the internal interfaces. Switch mode allows you to configure each interface on the switch separately, with its own configuration. A VLAN cannot be configured on a switch interface. For more information, see "global" on page 444.
Using the one-arm intrusion detection system (IDS), you can configure a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. For more information, see the ips-sniffer-mode {enable | disable} field.
An interface's IPv6 address can be included in a Multicast Listener Discovery (MLD) report. By default the FortiGate unit includes no addresses in the MLD report. For more information, see the ip6-send-adv {enable | disable} field.
Syntax
Entering a name string for the edit field that is not the name of a physical interface adds a VLAN subinterface.
config system interface
edit <interface_name>
set allowaccess <access_types>
set alias <name_string>
set arpforward {enable | disable}
set auth-type <ppp_auth_method>
set bfd {enable | disable | global}
set bfd-desired-min-tx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-required-min-rx <interval_msec>
set broadcast-forward {enable | disable}
set defaultgw {enable | disable}
set description <text>
set dhcp-client-identifier <client_name_str>
set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
set dhcp-relay-service {enable | disable}
set dhcp-relay-type {ipsec | regular}
set disc-retry-timeout <pppoe_retry_seconds>
set distance <admin_distance>
set dns-server-override {enable | disable}
set elbc-default-gw <ipv4_addr>
set explicit-ftp-proxy {enable | disable}
set explicit-web-proxy {enable | disable}
set external {enable | disable}
set fail-detect {enable | disable}
set fail-detect-option {link-down | detectserver}
set fail-alert-method {link-down | link-failed-signal}
set fail-alert-interfaces {port1 port2 ...}
set forward-domain <collision_group_number>
set fp-anomaly [...]
set gi-gk {enable | disable}
set icmp-redirect {enable | disable}
set ident-accept {enable | disable}
set idle-timeout <pppoe_timeout_seconds>
set inbandwidth <bandwidth_integer>
set interface <port_name>
set ip <interface_ipv4mask>
set ipmac {enable | disable}
set ips-sniffer-mode {enable | disable}
set ipunnumbered <unnumbered_ipv4>
set l2forward {enable | disable}
set l2tp-client {enable | disable}
set lacp-ha-slave {enable | disable}
set lacp-mode {active | passive | static}
set lacp-speed {fast | slow}
set lcp-echo-interval <lcp_interval_seconds>
set lcp-max-echo-fails <missed_echoes>
set log {enable | disable}
set macaddr <mac_address>
set mediatype {serdes-sfp | sgmii-sfp}
set member <if_name1> <if_name2> ...
set mode <interface_mode>
set mtu <mtu_bytes>
set mtu-override {enable | disable}
set netbios-forward {disable | enable}
set nontp-web-proxy {disable | enable}
set outbandwidth <bandwidth_integer>
set padt-retry-timeout <padt_retry_seconds>
set password <pppoe_password>
set pbx-user-portal {enable | disable}
set phone-auto-provision {enable | disable}
set poe {disable | enable}
set polling-interval <interval_int>
set pppoe-unnumbered-negotiate {disable | enable}
set pptp-client {disable | enable}
set pptp-user <pptp_username>
set pptp-password <pptp_userpassword>
set pptp-server-ip <pptp_serverid>
set pptp-auth-type <pptp_authtype>
set pptp-timeout <pptp_idletimeout>
set priority <learned_priority>
set remote-ip <ipv4>
set sample-direction {both | rx | tx}
set sample-rate <rate_int>
set secondary-IP {enable | disable}
set sflow-sampler {disable | enable}
set speed <interface_speed>
set spillover-threshold <threshold_int>
set status {down | up}
set stpforward {enable | disable}
set subst {enable | disable}
set substitute-dst-mac <destination_mac_address>
set tcp-mss <max_send_bytes>
set type {aggregate | hard-switch | hdlc | loopback | physical | redundant |
tunnel | vap-switch | vdom-link | vlan | wireless}
set username <pppoe_username>
set vdom <vdom_name>
set vlanforward {enable | disable}
set vlanid <id_number>
set voip {enable | disable}
set vrrp-virtual-mac {enable | disable}
set wccp {enable | disable}
set weight <int>
set wifi-acl {allow | deny}
set wifi-auth {PSK | radius | usergroup}
set wifi-broadcast_ssid {enable | disable}
set wifi-encrypt {AES | TKIP}
set wifi-fragment_threshold <packet_size>
set wifi-key <hex_key>
set wifi-mac-filter {enable | disable}
set wifi-passphrase <pass_str>
set wifi-radius-server <server_name>
set wifi-rts_threshold <integer>
set wifi-security <sec_mode>
set wifi-ssid <id_str>
set wins-ip <wins_server_ip>
config ipv6
set autoconf {enable | disable}
set ip6-address <if_ipv6mask>
set ip6-allowaccess <access_types>
set ip6-default-life <ipv6_life_seconds>
set ip6-hop-limit <ipv6_hops_limit>
set ip6-link-mtu <ipv6_mtu>
set ip6-manage-flag {disable | enable}
set ip6-max-interval <adverts_max_seconds>
set ip6-min-interval <adverts_min_seconds>
set ip6-other-flag {disable | enable}
set ip6-reachable-time <reachable_msecs>
set ip6-retrans-time <retrans_msecs>
set ip6-send-adv {enable | disable}
config ip6-prefix-list
edit <ipv6_prefix>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set preferred-life-time <seconds>
set valid-life-time <seconds>
end
end
config ip6-extra-address
edit <prefix_ipv6>
end
end
config l2tp-client-settings
set auth-type {auto | chap | mschapv1 | mschapv2 | pap}
set defaultgw {enable | disable}
set distance <admin_distance>
set mtu <integer>
set password <password>
set peer-host <ipv4_addr>
set peer-mask <netmask>
set peer-port <port_num>
set priority <integer>
set user <string>
end
config secondaryip
edit <secondary_ip_id>
set allowaccess <access_types>
set ip <interface_ipv4mask>
end
end
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set vrdst <ipv4_addr>
set vrip <ipv4_addr>
end
config wifi-mac_list
edit <entry_number>
set mac <mac_address>
end
A VLAN cannot have the same name as a zone or a virtual domain.
allowaccess <access_types>
    Enter the types of management access permitted on this interface or secondary IP address. Valid types are: http https ping snmp ssh telnet. Separate each type with a space. http and telnet carry administrator credentials in cleartext; prefer https and ssh on any interface reachable from an untrusted network.
    To add or remove an option from the list, retype the complete list as required.
    Default: varies for each interface.

alias <name_string>
    Enter an alias name for the interface. Once configured, the alias is displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters.
    This option is only available when interface type is physical.

arpforward {enable | disable}
    Enable or disable forwarding of ARP packets on this interface. ARP forwarding is required for DHCP relay and MS Windows Client browsing.
    Default: enable

auth-type <ppp_auth_method>
    Select the PPP authentication method for this interface. Choose one of:
    auto — select authentication method automatically
    chap — CHAP
    mschapv1 — Microsoft CHAP v1
    mschapv2 — Microsoft CHAP v2
    pap — PAP
    This is available only when mode is pppoe and the interface type is physical.
    Default: auto

bfd {enable | disable | global}
    The status of Bidirectional Forwarding Detection (BFD) on this interface:
    enable — enable BFD and ignore the global BFD configuration.
    disable — disable BFD on this interface.
    global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.
    The BFD-related fields below are available only if bfd is enable.
    Default: global

bfd-desired-min-tx <interval_msec>
    Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec.
    This is available only if bfd is enable.
    Default: 50

bfd-detect-mult <multiplier>
    Select the BFD detection multiplier.
    This is available only if bfd is enable.
    Default: 3

bfd-required-min-rx <interval_msec>
    Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec.
    This is available only if bfd is enable.
    Default: 50

broadcast-forward {enable | disable}
    Select to enable automatic forwarding of broadcast packets. Use with caution: enabling this option may make the FortiGate unit vulnerable to broadcast-based DoS attacks such as ping floods.
    Default: disable
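The heartbeat options in the system ha table (authentication, encryption, password, group-id, hb-interval, hb-lost-threshold) and the allowaccess and broadcast-forward options above are the settings a reviewer checks first on an exported configuration. The following Python script is an added example and not Fortinet code: it parses two constructed `config system ha` / `config system interface` fragments in the `config`/`edit`/`set`/`next`/`end` layout this reference uses, computes the heartbeat loss detection time from hb-interval (units of 100 ms) and hb-lost-threshold, and flags cleartext management protocols, broadcast forwarding and unprotected heartbeats. The sample configurations, the interface names and the password string are invented for the example; the option names and defaults come from the tables.

```python
"""Audit FortiOS 4.3 HA and interface config dumps (added example, constructed samples)."""
import shlex

# Constructed: heartbeat unprotected, default group-id, cleartext management on wan1.
SAMPLE_WEAK = """\
config system ha
    set group-id 0
    set hbdev "port3" 50 "port4" 50
    set authentication disable
    set encryption disable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh telnet http
        set broadcast-forward enable
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""

# Constructed: the same cluster with the weak settings corrected and faster detection.
SAMPLE_HARDENED = """\
config system ha
    set group-id 7
    set password "not-a-real-secret"
    set hb-interval 1
    set hb-lost-threshold 3
    set authentication enable
    set encryption enable
end
"""

HB_UNIT_MS = 100                       # hb-interval is in units of 100 ms
CLEARTEXT_ACCESS = {"telnet", "http"}  # management protocols without TLS or SSH


def parse_fortios(text):
    """Return (ha_settings, {iface: settings}); nested sub-blocks are skipped."""
    ha, interfaces = {}, {}
    section, current, depth = None, None, 0
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config" and section is None:
            section = " ".join(tokens[1:])        # "system ha" / "system interface"
        elif kw == "config":
            depth += 1                            # config ipv6, secondary-vcluster, ...
        elif kw == "end":
            depth, section = (depth - 1, section) if depth else (0, None)
        elif depth:
            continue                              # ignore settings inside sub-blocks
        elif kw == "edit":
            current = interfaces.setdefault(tokens[1], {})
        elif kw == "next":
            current = None
        elif kw == "set":
            target = ha if section == "system ha" else current
            if target is not None:
                target[tokens[1]] = tokens[2:]
    return ha, interfaces


def failover_detect_ms(ha):
    """Milliseconds a peer may stay silent before it is declared failed."""
    interval = int(ha.get("hb-interval", ["2"])[0])      # table default 2
    lost = int(ha.get("hb-lost-threshold", ["6"])[0])    # table default 6
    return interval * HB_UNIT_MS * lost


def audit_ha(ha):
    """Heartbeat settings that let anyone on the HA link read or forge cluster traffic."""
    findings = []
    if ha.get("authentication", ["disable"])[0] != "enable":
        findings.append("ha: heartbeat authentication disabled")
    if ha.get("encryption", ["disable"])[0] != "enable":
        findings.append("ha: heartbeat encryption disabled")
    if "password" not in ha:
        findings.append("ha: no cluster password set")
    if ha.get("group-id", ["0"])[0] == "0":
        findings.append("ha: default group-id 0 (virtual MAC shared with other default clusters)")
    return findings


def audit_interfaces(interfaces):
    findings = []   # cleartext management protocols and broadcast forwarding
    for name, settings in interfaces.items():
        clear = CLEARTEXT_ACCESS & set(settings.get("allowaccess", []))
        if clear:
            findings.append(f"{name}: cleartext management access {sorted(clear)}")
        if settings.get("broadcast-forward", ["disable"])[0] == "enable":
            findings.append(f"{name}: broadcast-forward enabled (broadcast DoS exposure)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        ha, ifs = parse_fortios(cfg)
        print(label, failover_detect_ms(ha), "ms", audit_ha(ha) + audit_interfaces(ifs))
```

With the reference defaults (hb-interval 2, hb-lost-threshold 6) a silent peer is declared failed after 1200 ms; the hardened sample lowers this to 300 ms at the cost of more heartbeat traffic. The group-id check matters because the group ID selects the cluster virtual MAC, so two clusters left at the default on one layer 2 segment share it. Settings inside nested blocks such as config ipv6 are deliberately skipped, so ip6-allowaccess would need its own check.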
defaultgw
{enable | disable}
Enable to get the gateway IP address from the DHCP or
PPPoE server.
This is valid only when the mode is one of DHCP or PPPoE.
disable
description <text>
Optionally, enter up to 63 characters to describe this interface. No default.
dhcp-client-identifier
<client_name_str>
Override the default DHCP client identifier used by this
interface.The DHCP client identifier is used by DHCP to
identify individual DHCP clients (in this case individual
FortiGate interfaces).
By default the DHCP client identifier for each FortiGate
interface is created based on the FortiGate model name and
the interface MAC address. In some cases you may want to
specify your own DHCP client identifier using this command.
This is available if mode is set to dhcp.
dhcp-relay-ip
<dhcp_relay1_ipv4> {...
<dhcp_relay8_ipv4>}
Set DHCP relay IP addresses. You can specify up to eight
DHCP relay servers for DHCP coverage of subnets. Replies
from all DHCP servers are forwarded back to the client. The
client responds to the offer it wants to accept.
Do not set dhcp-relay-ip to 0.0.0.0.
No default.
dhcp-relay-service
{enable | disable}
Enable to provide DHCP relay service on this interface. The
DHCP type relayed depends on the setting of dhcp-relaytype.
There must be no other DHCP server of the same type (regular
or ipsec) configured on this interface.
disable
dhcp-relay-type {ipsec |
regular}
Set dhcp_type to ipsec or regular depending on type of
firewall traffic.
regular
disc-retry-timeout
<pppoe_retry_seconds>
Set the initial PPPoE discovery timeout in seconds. This is the 1
time to wait before retrying to start a PPPoE discovery. Set to
0 to disable this feature.
This field is only available in NAT/Route mode when mode is
set to pppoe.
FortiOS™ Handbook v3 CLI Reference for FortiOS 4.3
01-430-99686-20130225
http://docs.fortinet.com/
469
interface
470
system
Variable
Description
Default
distance
<admin_distance>
5
Configure the administrative distance for routes learned
through PPPoE or DHCP. Use the administrative distance to
specify the relative priorities of different routes to the same
destination. A lower administrative distance indicates a more
preferred route. Distance can be an integer from 1-255. For
more information, see router static “distance <distance>” on
page 375
This variable is only available in NAT/Route mode when mode
is set to dhcp or pppoe.
dns-server-override
{enable | disable}
enable
Disable to prevent this interface from using DNS server
addresses it acquires via DHCP or PPPoe.
This variable is only displayed if mode is set to dhcp or pppoe.
edit <interface_name>
Edit an existing interface or create a new VLAN interface.
None.
edit <ipv6_prefix>
Enter the IPv6 prefix you want to configure. For settings, see
the edit <ipv6_prefix> variables section of this table.
None.
edit <secondary_ip_id>
Enter an integer identifier, e.g., 1, for the secondary ip address
that you want to configure.
None.
elbc-default-gw
<ipv4_addr>
Use to add a default gateway to hidden front panel ports in
ELBC mode.
When in ELBC mode the front panel ports are placed in a
secret hidden VDOM. This prevents the user from adding
routes to that interface. Using the elbc-default-gw
attribute present on front panel ports the user can add a
default gateway to these interfaces.
explicit-ftp-proxy
{enable | disable}
Enable explicit FTP proxy on this interface. For more
information, see “explicit” on page 196.
disable
explicit-web-proxy
{enable | disable}
Enable explicit Web proxy on this interface. For more
information, see “explicit” on page 686.
disable
external {enable |
disable}
Enable to indicate that an interface is an external interface
connected to an external network. This option is used for SIP
NAT when the config VoIP profile SIP contact-fixup
option is disabled.
disable
fail-detect
{enable | disable}
Enable interface failure detection.
disable
fail-detect-option
{link-down |
detectserver}
Select whether the FortiGate unit detects interface failure by
port detection (link-down) or ping server (detectserver).
link-down
fail-alert-method
{link-down
| link-failed-signal}
Select the signal that the FortiGate unit uses to signal the link
failure: Link Down or Link Failed.
link-down
fail-alert-interfaces
{port1 port2 ...}
Select the interfaces to which failure detection applies.
forward-domain
<collision_group_number>
Specify the collision domain to which this interface belongs.
Layer 2 broadcasts are limited to the same group. By default,
all interfaces are in group 0.
Collision domains prevent the forwarding of ARP packets to all
VLANs on an interface. Without collision domains, duplicate
MAC addresses on VLANs may cause ARP packets to be
duplicated. Duplicate ARP packets can cause some switches
to reset.
This command is only available in Transparent mode.
0
fp-anomaly [...]
Enable NP2 hardware fast path anomaly checking on an
interface and specify whether to drop or allow (pass) different
types of anomalies.
When no options are specified, anomaly checking performed
by the network processor is disabled. If pass options are
specified, packets may still be rejected by other anomaly
checks, including policy-required IPS performed using the
FortiGate unit main processing resources.
Log messages are generated when packets are dropped due
to options in this setting.
The fp-anomaly option is available for NP2-enabled interfaces.
No options specified (disabled)
gi-gk {enable | disable}
Enable FortiOS Carrier Gi Gatekeeper to enable the Gi firewall
on this interface as part of the anti-overbilling configuration.
icmp-redirect
{enable | disable}
Disable to stop this interface from sending ICMP redirects.
ICMP redirect messages are sent by a router to notify the
original sender of packets that there is a better route available.
enable
ident-accept
{enable | disable}
Enable or disable passing ident packets (TCP port 113) to the
firewall policy. If set to disable, the FortiGate unit sends a TCP
reset packet in response to an ident packet.
disable
idle-timeout
<pppoe_timeout_seconds>
Disconnect if the PPPoE connection is idle for the specified
number of seconds. Set to zero to disable this feature.
This is available when mode is set to pppoe.
0
inbandwidth
<bandwidth_integer>
Enter the KB/sec limit for incoming traffic for this interface.
Use this command to configure inbound traffic shaping for an
interface. Inbound traffic shaping limits the bandwidth
accepted by the interface. Limiting inbound traffic takes
precedence over traffic shaping applied by firewall policies.
You can set inbound traffic shaping for any FortiGate unit
interface and it can be active for more than one FortiGate unit
interface at a time. Setting <bandwidth_integer> to 0 (the
default) means unlimited bandwidth or no traffic shaping.
0
interface <port_name>
Enter the physical interface this virtual interface is linked to.
This is available only when adding virtual interfaces such as
VLANs and VPNs.
None.
ip <interface_ipv4mask>
Enter the interface IP address and netmask.
This is not available if mode is set to dhcp or pppoe. You can
set the IP and netmask, but it will not display.
This is only available in NAT/Route mode.
The IP address cannot be on the same subnet as any other
FortiGate unit interface.
Varies for each
interface.
disable
ipmac {enable | disable}
Enable or disable IP/MAC binding for the specified interface.
For information about configuring IP/MAC binding settings,
see “ipmacbinding setting” on page 115 and “ipmacbinding
table” on page 116.
disable
ips-sniffer-mode {enable
| disable}
Enable to configure this interface to operate as a one-armed
sniffer as part of configuring a FortiGate unit to operate as an
IDS appliance by sniffing packets for attacks without actually
receiving and otherwise processing the packets. Once the
interface is enabled for sniffing you cannot use the interface
for other traffic. You must add sniffer policies for the interface
to actually sniff packets.
For more information on one-armed IPS, see “firewall
sniff-interface-policy” on page 172 and “firewall
sniff-interface-policy6” on page 174.
disable
ipunnumbered
<unnumbered_ipv4>
Enable IP unnumbered mode for PPPoE. Specify the IP
address to be borrowed by the interface. This IP address can
be the same as the IP address of another interface or can be
any IP address.
This is only available when mode is pppoe.
The Unnumbered IP may be used for PPPoE interfaces for
which no unique local address is provided. If you have been
assigned a block of IP addresses by your ISP for example, you
can add any of these IP addresses to the Unnumbered IP.
No default.
l2forward
{enable | disable}
Enable to allow layer-2 forwarding for this interface.
If there are layer-2 protocols such as IPX, PPTP or L2TP in use
on your network, you need to configure your FortiGate unit
interfaces to pass these protocols without blocking.
Enabling l2forward may cause packets to repeatedly loop
through the network, much like a broadcast storm. In this case
either disable l2forward, or enable Spanning Tree Protocol
(STP) on your network’s switches and routers.
For more information, see FortiGate VLANs and VDOMs.
disable
l2tp-client
{enable | disable}
Enable or disable this interface as a Layer 2 Tunneling Protocol
(L2TP) client.
Enabling makes config l2tp-client-settings visible.
You may need to enable l2forward on this interface.
This is available only on FortiGate 50 series, 60 series, and
100A.
The interface can not be part of an aggregate interface, and
the FortiGate unit can not be in Transparent mode, or HA
mode. If l2tp-client is enabled on an interface, the
FortiGate unit will not enter HA mode until the L2TP client is
disabled.
disable
lcp-echo-interval
<lcp_interval_seconds>
Set the interval in seconds between PPPoE Link Control
Protocol (LCP) echo requests.
This is available only when mode is pppoe.
5
lcp-max-echo-fails
<missed_echoes>
Set the maximum number of missed LCP echoes before the
PPPoE link is disconnected.
This is only available when mode is pppoe.
3
log {enable | disable}
Enable or disable traffic logging of connections to this
interface. Traffic will be logged only when it is on an
administrative port. All other traffic will not be logged.
Enabling this setting may reduce system performance, and is
normally used only for troubleshooting.
disable
macaddr <mac_address>
Override the factory set MAC address of this interface by
specifying a new MAC address. Use the form
xx:xx:xx:xx:xx:xx.
This is only used for physical interfaces.
Factory set.
mediatype {serdes-sfp | sgmii-sfp}
Some FortiGate SFP interfaces can operate in SerDes
(Serializer/Deserializer) or SGMII (Serial Gigabit Media
Independent Interface) mode. The mode that the interface
operates in depends on the type of SFP transceiver installed.
Use this field to switch the interface between these two
modes.
Set mediatype to:
serdes-sfp if you have installed a SerDes transceiver. In
SerDes mode an SFP interface can only operate at 1000
Mbps.
sgmii-sfp if you have installed an SGMII transceiver. In SGMII
mode the interface can operate at 10, 100, or 1000 Mbps.
This field is available for some FortiGate SFP interfaces. For
example, all FortiGate-ASM-FB4 interfaces and interfaces
port3 to port18 of the FortiGate-3016B support both SerDes
and SGMII mode.
serdes-sfp
mode <interface_mode>
Configure the connection mode for the interface as one of:
static — configure a static IP address for the interface.
dhcp — configure the interface to receive its IP address from
an external DHCP server.
pppoe — configure the interface to receive its IP address from
an external PPPoE server. This is available only in NAT/Route
mode.
eoa — Ethernet over ATM
pppoa — IP over ATM (also known as bridged mode).
This variable is only available in NAT/Route mode.
static
mtu <mtu_bytes>
Set a custom maximum transmission unit (MTU) size in bytes.
Ideally set mtu to the size of the smallest MTU of all the
networks between this FortiGate unit and the packet
destination.
<mtu_bytes> valid ranges are:
• 68 to 1 500 bytes in static mode
• 576 to 1 500 bytes in dhcp mode
• 576 to 1 492 bytes in pppoe mode
• up to 9 000 bytes for NP2-accelerated interfaces
• over 1 500 bytes on high end FortiGate models on some
interfaces.
If you enter an MTU that is not supported, an error message
informs you of the valid range for this interface.
In Transparent mode, if you change the MTU of an interface,
you must change the MTU of all interfaces to match the new
MTU.
If you configure an MTU size larger than 1 500 on your
FortiGate unit, all other network equipment on the route to the
destination must also support that frame size.
You can set the MTU of a physical interface and some tunnel
interfaces (not IPsec). All virtual interfaces inherit the MTU of
the parent physical interface.
The variable mtu is only available when mtu-override is
enabled.
1 500
mtu-override
{enable | disable}
Select enable to use custom MTU size instead of default
(1 500). This is available only for physical interfaces and some
tunnel interfaces (not IPsec).
If you change the MTU size, you must reboot the FortiGate
unit to update the MTU values of the VLANs on this interface.
Some models support MTU sizes larger than the standard
1 500 bytes.
disable
netbios-forward
{disable | enable}
Enable to forward Network Basic Input/Output System
(NetBIOS) broadcasts to a Windows Internet Name Service
(WINS) server. Use wins-ip <wins_server_ip> to set the WINS
server IP address.
This variable is only available in NAT/Route mode.
disable
nontp-web-proxy
{disable | enable}
Enable to turn on web cache support for this interface, such
as accepting HTTP proxies and DNS requests. Web caching
accelerates web applications and web servers by reducing
bandwidth usage, server load, and perceived latency. For
more information, see “web-proxy explicit” on page 686.
This variable is only available when this interface is in
NAT/Route mode.
disable
outbandwidth
<bandwidth_integer>
Enter the KB/sec limit for outgoing (egress) traffic for this
interface.
Use this command to configure outbound traffic shaping for
an interface. Outbound traffic shaping limits the bandwidth
accepted by the interface. Limiting outbound traffic takes
precedence over traffic shaping applied by firewall policies.
You can set outbound traffic shaping for any FortiGate
interface and it can be active for more than one FortiGate
interface at a time.
Setting <bandwidth_integer> to 0 (the default) means
unlimited bandwidth or no traffic shaping.
0
padt-retry-timeout
<padt_retry_seconds>
Initial PPPoE Active Discovery Terminate (PADT) timeout in
seconds. Use this timeout to shut down the PPPoE session if
it is idle for this number of seconds. PADT must be supported
by your ISP.
This is available in NAT/Route mode when mode is pppoe.
1
password
<pppoe_password>
Enter the password to connect to the PPPoE server.
This is available in NAT/Route mode when mode is pppoe.
No default.
pbx-user-portal {enable
| disable}
Enable PBX user portal on the interface.
This command is available only on FortiGate Voice units.
disable
phone-auto-provision
{enable | disable}
Enable SIP phone auto-provisioning on the interface.
This command is available only on FortiGate Voice units.
disable
poe {disable | enable}
Enable or disable PoE (Power over Ethernet). This option is
only available on models with PoE feature.
disable
polling-interval
<interval_int>
Set the amount of time in seconds that the sFlow agent waits
between sending collected data to the sFlow collector. The
range is 1 to 255 seconds.
A higher polling-interval means less data is sent across
the network but also means that the sFlow collector’s picture
of the network may be out of date.
20
pppoe-unnumbered-negotiate
{disable | enable}
Disable to resolve problems when mode is set to PPPoE, and
ipunnumbered is set. The default configuration may not work
in some regions, such as Japan.
This is only available when mode is pppoe and
ipunnumbered is set.
enable
pptp-client
{disable | enable}
Enable to configure and use a point-to-point tunneling
protocol (PPTP) client.
You may need to enable l2forward on this interface.
This command is not available when in HA mode. If the
pptp-client is enabled on an interface, the FortiGate unit will not
enter HA mode until that pptp-client is disabled.
disable
pptp-user
<pptp_username>
Enter the name of the PPTP user.
No default.
pptp-password
<pptp_userpassword>
Enter the password for the PPTP user.
No default.
pptp-server-ip
<pptp_serverid>
Enter the IP address for the PPTP server.
No default.
pptp-auth-type
<pptp_authtype>
Enter the authentication type for the PPTP user.
No default.
pptp-timeout
<pptp_idletimeout>
Enter the idle timeout in minutes. Use this timeout to shut
down the PPTP user session if it is idle for this number of
seconds. 0 for disabled.
No default.
priority
<learned_priority>
Enter the priority of routes using this interface.
For more information on priority, see “router static” on
page 375.
This is only available when mode is pppoe or dhcp.
No default.
remote-ip <ipv4>
Enter an IP address for the remote end of a tunnel interface.
If you want to use dynamic routing with the tunnel, or be able
to ping the tunnel interface, you must specify an address for
the remote end of the tunnel in remote-ip and an address for
this end of the tunnel in ip.
This is only available if type is tunnel.
No default.
sample-direction {both |
rx | tx}
Configure the sFlow agent to sample traffic received by the
interface (rx) or sent from the interface (tx) or both.
both
sample-rate <rate_int>
Set the sample rate for the sFlow agent added to this
interface. The sample rate defines the average number of
packets to wait between samples. For example, the default
sample-rate of 2000 samples 1 of every 2000 packets. The
sample-rate range is 10 to 99999 packets between
samples.
The lower the sample-rate the higher the number of
packets sampled. Sampling more packets increases the
accuracy of the sampling data but also increases the CPU and
network bandwidth required to support sFlow. The default
sample-rate of 2000 provides high enough accuracy in
most cases.
You can increase the sample-rate to reduce accuracy. You
can also reduce the sample-rate to increase accuracy.
2000
secondary-IP
{enable | disable}
Enable to add a secondary IP address to the interface. This
option must be enabled before configuring a secondary IP
address.
When disabled, the web-based manager interface displays
only the option to enable secondary IP.
disable
sflow-sampler
{disable | enable}
Add an sFlow agent to an interface. You can also configure the
sFlow agent’s sample-rate, polling-interval, and
sample-direction. You can add sFlow agents to any
FortiGate interface, including physical interfaces, VLAN
interfaces, and aggregate interfaces.
After adding the sFlow agent you can configure the sFlow
For more information about sFlow see “system sflow” on
page 553.
disable
speed <interface_speed>
The interface speed:
auto — the default speed. The interface uses auto-negotiation
to determine the connection speed. Change the speed only if
the interface is connected to a device that does not support
auto-negotiation.
10full — 10 Mbps, full duplex
10half — 10 Mbps, half duplex
100full — 100 Mbps, full duplex
100half — 100 Mbps, half duplex
1000full — 1000 Mbps, full duplex
1000half — 1000 Mbps, half duplex
Speed options vary for different models and interfaces. Enter a
space and a “?” after the speed field to display a list of
speeds available for your model and interface.
You cannot change the speed for switch interfaces.
Note: XG2 interfaces on models 3140B and 3950B cannot be
configured for 1000Mbps.
auto
spillover-threshold
<threshold_int>
Set the spillover-threshold to limit the amount of
bandwidth processed by the interface. The range is 0 to
16 776 000 Kbps.
Set the spillover-threshold for an interface if the ECMP route
failover and load balance method, configured by the
v4-ecmp-mode field of the config system settings
command, is set to usage-based.
The FortiGate unit sends all ECMP-routed sessions to the
lowest numbered interface until the bandwidth being
processed by this interface reaches its spillover threshold. The
FortiGate unit then spills additional sessions over to the next
lowest numbered interface.
0
status {down | up}
Start or stop the interface. If the interface is stopped, it does
not accept or send packets.
If you stop a physical interface, associated virtual interfaces
such as VLAN interfaces will also stop.
up (down for VLANs)
stpforward
{enable | disable}
Enable to forward Spanning Tree Protocol (STP) packets
through this interface. STP maps the network to provide the
least-cost-path from point to point while blocking all other
ports for that path. This prevents any loops which would flood
the network.
If your network uses layer-2 protocols, and has looping issues
STP will stop this. For more information, see FortiGate VLANs
and VDOMs.
disable
subst {enable | disable}
Enable to use a substitute destination MAC address for this
interface.
This feature may be used with virtual interfaces to prevent
network loops.
disable
substitute-dst-mac
<destination_mac_address>
Enter the substitute destination MAC address to use when
subst is enabled. Use the xx:xx:xx:xx:xx:xx format.
No default.
tcp-mss <max_send_bytes>
Enter the FortiGate unit’s maximum sending size for TCP
packets.
No default.
type {aggregate | hard-switch | hdlc |
loopback | physical |
redundant | tunnel |
vap-switch | vdom-link |
vlan | wireless}
Enter the type of interface. Note: Some types are read only,
and are set automatically by hardware.
aggregate — available only on some FortiGate models.
Aggregate links use the 802.3ad standard to group up to 8
interfaces together. For aggregate specific fields, see
“variables for aggregate and redundant interfaces (some
FortiGate models)” on page 483.
hard-switch — used when a switch-interface is configured
and unit electronics provides switch functionality. The
switch-interface type field must be set to switch-hardware. For
more information see “switch-interface” on page 563.
hdlc — High-level Data Link Control (HDLC) is a bit-oriented
synchronous data link layer protocol; it operates at Layer-2 of
OSI model. It is an interface that supports T1/E1 connections.
This type of interface is supported by some AMC cards.
loopback — a virtual interface that is always up. This
interface’s status and link status are not affected by external
changes. It is primarily used for blackhole routing - dropping
all packets that match this route. This route is advertised to
neighbors through dynamic routing protocols as any other
static route. loopback interfaces have no dhcp settings, no
forwarding, no mode, or dns settings. You can create a
loopback interface from the CLI or web-based manager.
physical — for reference only. All physical FortiGate interfaces
and only these interfaces have type set to physical and the
type cannot be changed.
redundant — used to group 2 or more interfaces together for
reliability. Only one interface is in use at any given time. If the
first interface fails, traffic continues uninterrupted as it
switches to the next interface in the group. This is useful in HA
configurations. The order interfaces become active in the
group is determined by the order you specify using the set
member field.
tunnel is for reference only - you cannot create tunnel
interfaces using this command. Create GRE tunnels using the
system gre-tunnel command. Create IPSec tunnels using the
vpn ipsec-intf phase1 command.
vap-switch — for a wireless controller virtual access point
(VAP). This type of interface is created automatically when you
configure a VAP.
vdom-link — an internal point-to-point interface object. This
interface object is a link used to join virtual domains. For more
information on vdom-links, see “vdom-link” on page 567.
vlan — a virtual LAN interface. This is the type of interface
created by default on any existing physical interface. VLANs
increase the number of network interfaces beyond the
physical connections on the unit. VLANs cannot be configured
on a switch mode interface in Transparent mode.
wireless — applies only to FortiWiFi models.
vlan for newly created interface, physical otherwise.
username
<pppoe_username>
Enter the user name used to connect to the PPPoE server.
This is only available in NAT/Route mode when mode is set to
pppoe.
No default.
vdom <vdom_name>
Enter the name of the virtual domain to which this interface
belongs.
When you change this field, the physical interface moves to
the specified virtual domain. Virtual IPs previously added for
this interface are deleted. You should also manually delete any
routes that include this interface as they may now be
inaccessible.
root
vlanforward
{enable | disable}
Enable or disable forwarding of traffic between VLANs on this
interface. When disabled, VLAN traffic is delivered only to its
own VLAN.
enable
vlanid <id_number>
Enter a VLAN ID that matches the VLAN ID of the packets to
be received by this VLAN subinterface.
The VLAN ID can be any number between 1 and 4094, as 0
and 4095 are reserved, but it must match the VLAN ID added
by the IEEE 802.1Q-compliant router on the other end of the
connection. Two VLAN subinterfaces added to the same
physical interface cannot have the same VLAN ID. However,
you can add two or more VLAN subinterfaces with the same
VLAN ID to different physical interfaces, and you can add
multiple VLANs with different VLAN IDs to the same
physical interface.
This is available only when editing an interface with a type of
VLAN.
No default.
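The numeric limits and mode dependencies scattered through this table (dhcp-relay-ip, distance, mtu and mtu-override, macaddr, sample-rate, polling-interval, spillover-threshold, vlanid) are easy to get wrong in a scripted change. The following Python script is an added example, not Fortinet code and not part of the original reference: it checks a proposed interface specification against those documented constraints and renders it as a config system interface stanza. The function names, the spec dictionary layout and the sample values are the example's own; the ranges are the ones stated in the table, and the larger MTUs allowed on NP2-accelerated or high-end interfaces are deliberately not modelled.

```python
"""Check an interface specification against the constraints documented in the
FortiOS 4.3 'config system interface' table and render it as CLI.
Added example with hypothetical helper names; not Fortinet code."""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# <mtu_bytes> ranges by connection mode, as documented for mtu. The larger
# frames allowed on NP2-accelerated and high-end interfaces are not modelled.
MTU_RANGE = {"static": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}

# Other documented integer ranges (inclusive).
RANGES = {
    "distance": (1, 255),                  # administrative distance
    "vlanid": (1, 4094),                   # 0 and 4095 are reserved
    "sample-rate": (10, 99999),            # packets between sFlow samples
    "polling-interval": (1, 255),          # seconds between sFlow exports
    "spillover-threshold": (0, 16776000),  # Kbps
}


def validate(spec):
    """Return a list of problems with spec; an empty list means it is acceptable.
    Multi-value settings such as dhcp-relay-ip are given as lists."""
    problems = []
    mode = spec.get("mode", "static")

    for key, (lo, hi) in RANGES.items():
        if key in spec and not lo <= int(spec[key]) <= hi:
            problems.append(f"{key} {spec[key]} outside {lo}-{hi}")

    if "mtu" in spec:
        # mtu is only accepted when mtu-override is enabled.
        if spec.get("mtu-override") != "enable":
            problems.append("mtu requires mtu-override enable")
        lo, hi = MTU_RANGE.get(mode, MTU_RANGE["static"])
        if not lo <= int(spec["mtu"]) <= hi:
            problems.append(f"mtu {spec['mtu']} outside {lo}-{hi} for mode {mode}")

    if "distance" in spec and mode not in ("dhcp", "pppoe"):
        problems.append("distance only applies when mode is dhcp or pppoe")

    relays = spec.get("dhcp-relay-ip", [])
    if len(relays) > 8:
        problems.append("at most eight dhcp-relay-ip addresses are allowed")
    for relay in relays:
        if relay == "0.0.0.0":
            problems.append("dhcp-relay-ip must not be 0.0.0.0")
            continue
        try:
            ipaddress.IPv4Address(relay)
        except ValueError:
            problems.append(f"dhcp-relay-ip {relay!r} is not an IPv4 address")

    if "macaddr" in spec and not MAC_RE.match(spec["macaddr"]):
        problems.append("macaddr must use the form xx:xx:xx:xx:xx:xx")

    if spec.get("type") == "vlan":
        if "interface" not in spec:
            problems.append("a vlan interface needs a parent interface")
        if "vlanid" not in spec:
            problems.append("a vlan interface needs a vlanid")
    elif "vlanid" in spec:
        problems.append("vlanid is only valid when type is vlan")
    return problems


def render(name, spec):
    """Render spec as a 'config system interface' stanza; raise on any problem."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config system interface", f'    edit "{name}"']
    for key, value in spec.items():
        if isinstance(value, (list, tuple)):
            value = " ".join(str(v) for v in value)  # multi-value fields
        lines.append(f"        set {key} {value}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Sample values constructed for the example.
    print(render("vlan100", {"type": "vlan", "interface": "port2", "vlanid": 100,
                             "ip": "10.10.100.1 255.255.255.0"}))
    print(validate({"mode": "pppoe", "mtu-override": "enable", "mtu": 1500,
                    "dhcp-relay-ip": ["0.0.0.0"]}))
```

Run validate() before pushing a stanza so that a value the unit would reject, or one the table says never to use such as a 0.0.0.0 relay, never reaches the device.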
voip
{enable | disable}
Enable the VoIP SIP protocol for allowing SIP traffic on the
interface.
This command is available only on FortiGate Voice units.
disable
vrrp-virtual-mac
{enable | disable}
Enable VRRP virtual MAC addresses for the VRRP routers
added to this interface. See RFC 3768 for information about
the VRRP virtual MAC addresses.
disable
wccp {enable | disable}
Enable WCCP on an interface. This setting specifies the
interface on which the FortiGate unit sends and receives WCCP
packets and redirected traffic.
disable
weight <int>
Set the default weight for static routes on this interface. This
applies if a route has no weight configured.
0
wins-ip <wins_server_ip>
Enter the IP address of a WINS server to which to forward
NetBIOS broadcasts.
This WINS server address is only used if netbios-forward
is enabled.
This variable is only available in NAT/Route mode.
No default.
WiFi fields
These fields apply to FortiWiFi units when type is wireless.
mac <mac_address>
Enter a MAC address for the MAC filter list. This is used in the
config wifi-mac_list subcommand.
No default.
wifi-acl {allow | deny}
Select whether MAC filter list allows or denies access.
deny
wifi-auth
{PSK | radius | usergroup}
Select either Pre-shared Key (PSK) or radius to authenticate
users connecting to this interface. This is available only when
wifi-security is set to WPA.
Select usergroup to add a usergroup with the wifi-usergroup
keyword. This option is only available when wifi-security is set
to wpa-enterprise or wpa2-enterprise.
PSK
wifi-broadcast_ssid
{enable | disable}
Enable if you want FortiWiFi-60 to broadcast its SSID.
disable
wifi-encrypt
{AES | TKIP}
Select either Advanced Encryption Standard (AES) or
Temporal Key Integrity Protocol (TKIP) for encryption on this
WLAN interface.
This is available only when wifi-security is set to WPA.
TKIP
wifi-fragment_threshold
<packet_size>
Set the maximum size of a data packet before it is broken into
smaller packets, reducing the chance of packet collisions. If
the packet size is larger than the threshold, the FortiWiFi unit
will fragment the transmission. If the packet size is less than the
threshold, the FortiWiFi unit will not fragment the transmission.
Range 800-2346. A setting of 2346 bytes effectively disables
this option.
This is available in AP mode only.
2346
wifi-key <hex_key>
Enter a WEP key. The WEP key must be 10 or 26 hexadecimal
digits (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal
digits. For a 128-bit WEP key, enter 26 hexadecimal digits.
wifi-security must be set to WEP128 or WEP64.
This is available in AP mode only.
No default.
wifi-mac-filter
{enable | disable}
Enable MAC filtering for the wireless interface.
disable
wifi-passphrase
<pass_str>
Enter shared key for WPA_PSK security.
wifi-security must be set to WPA_PSK.
This is available in AP mode only.
fortinet
wifi-radius-server
<server_name>
Set RADIUS server name for WPA_RADIUS security.
wifi-security must be set to WPA_RADIUS.
This is available in AP mode only.
No default.
wifi-rts_threshold
<integer>
The request to send (RTS) threshold is the maximum size, in
bytes, of a packet that the FortiWiFi will accept without
sending RTS/CTS packets to the sending wireless device. In
some cases, larger packets being sent may cause collisions,
slowing data transmissions.
The valid range is 256 to 2346. A setting of 2347 bytes
effectively disables this option.
This is available in AP mode only.
2346
wifi-security <sec_mode>
Enter security (encryption) mode:
none — Communication is not encrypted.
wep64 — WEP 64-bit encryption
wep128 — WEP 128-bit encryption
wpa-personal — WPA or WPA2, personal authentication
(PSK)
wpa-enterprise — WPA or WPA2, enterprise authentication
(802.1x)
wpa2-personal — WPA2 encryption, personal authentication
(PSK)
wpa2-enterprise — WPA or WPA2, enterprise authentication
(802.1x)
wpa_radius — WPA encryption via RADIUS server.
This is available in AP mode only.
wpa-personal
wifi-ssid <id_str>
Change the Service Set ID (SSID) as required.
The SSID is the wireless network name that this FortiWiFi-60A
WLAN broadcasts. Users who wish to use the wireless
network should configure their computers to connect to the
network that broadcasts this network name.
fortinet
config ipv6 variables
autoconf
{enable | disable}
Enable or disable automatic configuration of the IPv6 address.
When enabled, and ip6-send-adv is disabled, the FortiGate
unit acts as a stateless address auto-configuration client
(SLAAC).
disable
ip6-address
<if_ipv6mask>
The interface IPv6 address and netmask. The format for IPv6
addresses and netmasks is described in RFC 3513.
This is available in NAT/Route mode only.
::/0
ip6-allowaccess
<access_types>
Enter the types of management access permitted on this IPv6
interface.
Valid types are: fgfm, http, https, ping, snmp, ssh,
and telnet. Separate the types with spaces. If you want to
add or remove an option from the list, retype the list as
required.
Varies for each
interface.
ip6-default-life
<ipv6_life_seconds>
Enter the number, in seconds, to add to the Router Lifetime
field of router advertisements sent from the interface. The valid
range is 0 to 9000.
This is available in NAT/Route mode only.
1800
ip6-hop-limit
<ipv6_hops_limit>
Enter the number to be added to the Cur Hop Limit field in the
router advertisements sent out this interface. Entering 0
means no hop limit is specified.
This is available in NAT/Route mode only.
0
ip6-link-mtu <ipv6_mtu>
Enter the MTU number to add to the router advertisements
options field. Entering 0 means that no MTU options are sent.
This is available in NAT/Route mode only.
0
ip6-manage-flag
{disable | enable}
Enable or disable the managed address configuration flag in
router advertisements.
This is available in NAT/Route mode only.
disable
ip6-max-interval
<adverts_max_seconds>
Enter the maximum time interval, in seconds, between
sending unsolicited multicast router advertisements from the
interface. The valid range is 4 to 1800.
This is available in NAT/Route mode only.
600
ip6-min-interval
<adverts_min_seconds>
Enter the minimum time interval, in seconds, between sending
unsolicited multicast router advertisements from the interface.
The valid range is 4 to 1800.
This is available in NAT/Route mode only.
198
ip6-other-flag
{disable | enable}
Enable or disable the other stateful configuration flag in router
advertisements.
This is available in NAT/Route mode only.
disable
ip6-reachable-time
<reachable_msecs>
Enter the number to be added to the reachable time field in the
router advertisements. The valid range is 0 to 3600. Entering 0
means no reachable time is specified.
This is available in NAT/Route mode only.
0
ip6-retrans-time
<retrans_msecs>
Enter the number to be added to the Retrans Timer field in the
router advertisements. Entering 0 means that the Retrans
Timer is not specified.
This is available in NAT/Route mode only.
0
ip6-send-adv
{enable | disable}
Enable or disable the flag indicating whether or not to send
periodic router advertisements and to respond to router
solicitations.
When enabled, this interface’s address will be added to the
all-routers group (FF02::02) and be included in a Multicast
Listener Discovery (MLD) report. If no interfaces on the
FortiGate unit have ip6-send-adv enabled, the FortiGate unit
will only listen to the all-hosts group (FF02::01) which is
explicitly excluded from MLD reports according to RFC 2710
section 5.
When disabled, and autoconf is enabled, the FortiGate unit
acts as a stateless address auto-configuration client (SLAAC).
This is available in NAT/Route mode only.
disable
edit <ipv6_prefix> variables
autonomous-flag {enable | disable}
    Set the state of the autonomous flag for the IPv6 prefix.
onlink-flag {enable | disable}
    Set the state of the on-link flag ("L-bit") in the IPv6 prefix.
preferred-life-time <seconds>
    Enter the preferred lifetime, in seconds, for this IPv6 prefix.
    Default: 604800
valid-life-time <seconds>
    Enter the valid lifetime, in seconds, for this IPv6 prefix.
    Default: 2592000
config ip6-extra-addr
    Configure a secondary address for this IPv6 interface.
<prefix_ipv6>
    IPv6 address prefix.
    Default: disable
config l2tp-client-settings
auth-type {auto | chap | mschapv1 | mschapv2 | pap}
    Select the type of authorization used with this client:
    auto — automatically choose the type of authorization.
    chap — use Challenge-Handshake Authentication Protocol.
    mschapv1 — use the Microsoft version of CHAP, version 1.
    mschapv2 — use the Microsoft version of CHAP, version 2.
    pap — use Password Authentication Protocol.
    Default: auto
defaultgw {enable | disable}
    Enable to use the default gateway.
    Default: disable
distance <admin_distance>
    Enter the administrative distance of learned routes.
    Default: 2
mtu <integer>
    Enter the Maximum Transmission Unit (MTU) for L2TP.
    Default: 1460
password <password>
    Enter the password for L2TP.
    Default: n/a
peer-host <ipv4_addr>
    Enter the IP address of the L2TP host.
    Default: n/a
peer-mask <netmask>
    Enter the netmask used to connect to L2TP peers connected to this interface.
    Default: 255.255.255.255
peer-port <port_num>
    Enter the port used to connect to L2TP peers on this interface.
    Default: 1701
priority <integer>
    Enter the priority of routes learned through L2TP. This will be used to resolve any ties in the routing table.
    Default: 0
user <string>
    Enter the L2TP user name used to connect.
    Default: n/a
variables for ADSL interface (some FortiGate models)
gwaddr <IPv4>
    Enter the IP address of the gateway for this interface.
mux-type {llc-encaps | vc-encaps}
    Enter the MUX type as either llc-encaps or vc-encaps. This information is provided by your ISP.
vci <integer>
    Enter the virtual circuit identification VCI number. Valid numbers are from 0 to 255. This number is provided by your ISP.
    Default: 0
vpi <integer>
    Enter the virtual circuit identification VPI number. Valid numbers are from 0 to 65535. This number is provided by your ISP.
    Default: 35
variables for aggregate and redundant interfaces (some FortiGate models)
These variables are available only when type is aggregate or redundant.
algorithm {L2 | L3 | L4}
    Enter the algorithm used to control how frames are distributed across links in an aggregated interface (also called a Link Aggregation Group (LAG)). The choice of algorithm determines what information is used to determine frame distribution. Enter one of:
    L2 — use source and destination MAC addresses.
    L3 — use source and destination IP addresses; fall back to the L2 algorithm if IP information is not available.
    L4 — use TCP, UDP or ESP header information.
    Default: L4
lacp-ha-slave {enable | disable}
    This option affects how the aggregate interface participates in Link Aggregation Control Protocol (LACP) negotiation when HA is enabled for the VDOM. It takes effect only if Active-Passive HA is enabled and lacp-mode is not static. Enter enable to participate in LACP negotiation as a slave or disable to not participate.
    Default: enable
lacp-mode {active | passive | static}
    Enter one of active, passive, or static.
    active — send LACP PDU packets to negotiate link aggregation connections. This is the default.
    passive — respond to LACP PDU packets and negotiate link aggregation connections.
    static — link aggregation is configured statically.
    Default: active
lacp-speed {fast | slow}
    slow — sends LACP PDU packets every 30 seconds to negotiate link aggregation connections. This is the default.
    fast — sends LACP PDU packets every second, as recommended in the IEEE 802.3ad standard.
    This is available only when type is aggregate.
    Default: slow
member <if_name1> <if_name2> ...
    Specify a list of physical interfaces that are part of an aggregate or redundant group. To modify a list, enter the complete revised list.
    If VDOMs are enabled, then vdom must be set the same for each interface before you enter the member list.
    An interface is available to be part of an aggregate or redundant group only if
    • it is a physical interface, not a VLAN interface
    • it is not already part of an aggregated or redundant interface
    • it is in the same VDOM as the aggregated interface
    • it has no defined IP address and is not configured for DHCP or PPPoE
    • it has no DHCP server or relay configured on it
    • it does not have any VLAN subinterfaces
    • it is not referenced in any firewall policy, VIP or multicast policy
    • it is not an HA heartbeat device or monitored by HA
    In a redundant group, failover to the next member interface happens when the active interface fails or is disconnected. The order in which you specify the interfaces in the member list is the order in which they will become active in the redundant group. For example, if you enter set member port5 port1, then port5 will be active at the start, and when it fails or is disconnected port1 will become active.
    This is only available when type is aggregate or redundant.
    No default.
config vrrp fields
Add one or more VRRP virtual routers to a FortiGate interface. For information about VRRP, see RFC 3768.
<VRID_int>
    VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router.
adv-interval <seconds_int>
    VRRP advertisement interval (1-255 seconds).
    Default: 1
preempt {enable | disable}
    Enable or disable VRRP preempt mode. In preempt mode a higher priority backup unit can preempt a lower priority master unit.
    Default: enable
priority <prio_int>
    Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master.
    Default: 100
start-time <seconds_int>
    The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup unit waits between receiving advertisement messages from the master unit.
    Default: 3
status {enable | disable}
    Enable or disable this virtual router.
    Default: enable
vrdst <ipv4_addr>
    Monitor the route to this destination.
    Default: 0.0.0.0
vrip <ipv4_addr>
    IP address of the virtual router.
    Default: 0.0.0.0
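As an added example that is not part of the Fortinet manual: a short Python parser for the config/edit/set/next/end block syntax used throughout this reference, with checks for the VRRP ranges listed in the config vrrp fields above and for the rule under member that every member interface must be in the same vdom as the aggregate or redundant interface. The sample configuration is constructed, and an interface with no vdom line is assumed to be in the root VDOM.

```python
# Added example (not from the Fortinet manual): parse the config/edit/set/next/end block
# syntax this reference uses, then check the VRRP ranges and the member-vdom rule above.
def parse_fortios(text):
    stack = [{}]  # config and edit blocks nest; each becomes a dict keyed by its name
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif word == "set":  # keep every value token, e.g. set member port5 port1
            key, _, value = rest.partition(" ")
            stack[-1][key] = [v.strip('"') for v in value.split()]
        elif word in ("next", "end"):
            stack.pop()
    return stack[0]

VRRP_RANGES = {"adv-interval": (1, 255), "priority": (1, 255), "start-time": (1, 255)}

def check_vrrp(iface):  # range violations in one interface's config vrrp subtable
    problems = []
    for vrid, fields in iface.get("vrrp", {}).items():
        if not 1 <= int(vrid) <= 255:
            problems.append(f"VRID {vrid} outside 1-255")
        for key, (lo, hi) in VRRP_RANGES.items():
            if key in fields and not lo <= int(fields[key][0]) <= hi:
                problems.append(f"VRID {vrid}: {key}={fields[key][0]} outside {lo}-{hi}")
    return problems

def members_in_other_vdom(ifaces, agg):  # members whose vdom differs from the aggregate's
    vdom = ifaces[agg].get("vdom", ["root"])  # unset vdom treated as "root" (assumption)
    return [m for m in ifaces[agg].get("member", []) if ifaces.get(m, {}).get("vdom", ["root"]) != vdom]
# Constructed sample: priority 300 is out of range and port6 sits in another VDOM.
SAMPLE = """\
config system interface
    edit "port1"
        config vrrp
            edit 1
                set priority 300
            next
        end
    next
    edit "port6"
        set vdom "vdom2"
    next
    edit "red1"
        set type redundant
        set member "port5" "port6"
    next
end
"""
```

Running check_vrrp on the parsed port1 entry and members_in_other_vdom on red1 reports the out-of-range priority and flags port6.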
ipv6-tunnel
Use this command to tunnel IPv4 traffic over an IPv6 network. The IPv6 interface is configured under config system interface. All subnets between the source and destination addresses must support IPv6.
This command is not available in Transparent mode.
Syntax
config system ipv6-tunnel
edit <tunnel_name>
set destination <remote_IPv6_address>
set interface <name>
set source <local_IPv6_address>
end
edit <tunnel_name>
    Enter a name for the IPv6 tunnel.
    No default.
destination <remote_IPv6_address>
    The destination IPv6 address for this tunnel.
    Default: 0.0.0.0
interface <name>
    The interface used to send and receive traffic for this tunnel.
    No default.
source <local_IPv6_address>
    The source IPv6 address for this tunnel.
    Default: 0.0.0.0
mac-address-table
Use this command to create a static MAC table. The table can hold up to 200 entries.
This command is available in Transparent mode only.
Syntax
config system mac-address-table
edit <mac-address_hex>
set interface <if_name>
end
edit <mac-address_hex>
    Enter the MAC address as six pairs of hexadecimal digits separated by colons, e.g.: 11:22:33:00:ff:aa
    No default.
interface <if_name>
    Enter the name of the interface to which this MAC table entry applies.
    No default.
modem
Use this command to configure FortiGate models with dedicated modem interfaces or to configure a serial modem
interface connected using a serial converter to the USB port.
This command is only available in NAT/Route mode. When Transparent mode is enabled, all modem related pages
are hidden in the web-based manager.
Syntax
config system modem
set account-relation {equal | fallback}
set altmode {enable | disable}
set authtype1 {pap chap mschap mschapv2}
set authtype2 {pap chap mschap mschapv2}
set authtype3 {pap chap mschap mschapv2}
set auto-dial {enable | disable}
set connect_timeout <seconds>
set dial-on-demand {enable | disable}
set distance <distance>
set extra-init1, extra-init2, extra-init3 <init_str>
set holddown-timer <seconds>
set idle-timer <minutes>
set interface <name>
set mode {redundant | standalone}
set modem-dev1, modem-dev2, modem-dev3 {internal | pcmcia-wireless}
set passwd1, passwd2, passwd3 <password_str>
set peer_modem1 {actiontec | ascendTNT | generic}
set peer_modem2 {actiontec | ascendTNT | generic}
set peer_modem3 {actiontec | ascendTNT | generic}
set phone1 <phone-number>
set phone2 <phone-number>
set phone3 <phone-number>
set pin-init <init_str>
set ppp-echo-request1 {disable | enable}
set ppp-echo-request2 {disable | enable}
set ppp-echo-request3 {disable | enable}
set priority <integer> {disable | enable}
set redial <tries_integer>
set status {disable | enable}
set username1 <name_str>
set username2 <name_str>
set username3 <name_str>
set wireless-port <port_int>
end
account-relation {equal | fallback}
    Set the account relationship as either equal or fallback.
    equal — Accounts are equal; keep using the first successful account.
    fallback — The first account takes priority; fall back to the first account when possible.
    Default: equal
altmode {enable | disable}
    Enable for installations using PPP in China.
    Default: enable
authtype1 {pap chap mschap mschapv2}
authtype2 {pap chap mschap mschapv2}
authtype3 {pap chap mschap mschapv2}
    Enter the authentication methods to use for 3G modems, from: PAP, CHAP, MS-CHAP, or MS-CHAPv2.
    Default: pap chap mschap mschapv2
auto-dial {enable | disable}
    Enable to dial the modem automatically if the connection is lost or the FortiGate unit is restarted.
    This is available only when dial-on-demand is set to disabled, and mode is set to standalone.
    Default: disable
connect_timeout <seconds>
    Set the connection completion timeout (30 - 255 seconds).
    Default: 90
dial-on-demand {enable | disable}
    Enable to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle-timer period.
    This is available only if auto-dial is set to disabled, and mode is set to standalone.
    Default: disable
distance <distance>
    Enter the administrative distance (1-255) to use for the default route that is automatically added when the modem connects and obtains an IP address. A lower distance indicates a more preferred route. For more information, see router static “distance <distance>” on page 375.
    This field is useful for configuring redundant routes in which the modem interface acts as a backup to another interface.
    Default: 1
extra-init1, extra-init2, extra-init3 <init_str>
    Enter up to three extra initialization strings to send to the modem.
    Default: null
holddown-timer <seconds>
    Used only when the modem is configured as a backup for an interface. Set the time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored.
    This is available only when mode is set to redundant.
    Default: 60
idle-timer <minutes>
    Set the number of minutes the modem connection can be idle before it is disconnected.
    This is available only if mode is set to standalone.
    Default: 5
interface <name>
    Enter an interface name to associate the modem interface with the ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration).
    No default.
mode {