0% found this document useful (0 votes)

105 views

FortiOS 7.0.9 CLI Reference

Uploaded by

Qnubiz57 RETRO

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

105 views

FortiOS 7.0.9 CLI Reference

Uploaded by

Qnubiz57 RETRO

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2105

CLI Reference

FortiOS 7.0.9
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

December 06, 2022

FortiOS 7.0.9 CLI Reference
01-709-709094-20221206
TABLE OF CONTENTS

Change Log 19
FortiOS CLI reference 20
Availability of commands and options 20
Command tree 20
CLI configuration commands 22
alertemail 23
config alertemail setting 23
antivirus 30
config antivirus profile 30
config antivirus quarantine 58
config antivirus settings 63
application 65
config application custom 65
config application group 66
config application list 67
config application name 76
config application rule-settings 78
authentication 79
config authentication rule 79
config authentication scheme 81
config authentication setting 83
certificate 86
config certificate ca 86
config certificate crl 87
config certificate local 89
config certificate remote 92
dlp 94
config dlp filepattern 94
config dlp fp-doc-source 97
config dlp sensitivity 100
config dlp sensor 101
config dlp settings 106
dnsfilter 108
config dnsfilter domain-filter 108
config dnsfilter profile 109
dpdk 115
config dpdk cpus 115
config dpdk global 116
emailfilter 119
config emailfilter block-allow-list 119
config emailfilter bword 121
config emailfilter dnsbl 123
config emailfilter fortishield 124
config emailfilter iptrust 125

FortiOS 7.0.9 CLI Reference 3

Fortinet Inc.
config emailfilter mheader 126
config emailfilter options 128
config emailfilter profile 128
endpoint-control 136
config endpoint-control fctems 136
extender 141
config extender extender-info 141
config extender lte-carrier-by-mcc-mnc 141
config extender lte-carrier-list 142
config extender modem-status 142
config extender session-info 142
config extender sys-info 142
extender-controller 144
config extender-controller dataplan 144
config extender-controller extender-profile 147
config extender-controller extender 158
file-filter 162
config file-filter profile 162
firewall 165
config firewall DoS-policy 167
config firewall DoS-policy6 169
config firewall access-proxy-ssh-client-cert 172
config firewall access-proxy-virtual-host 174
config firewall access-proxy 175
config firewall access-proxy6 196
config firewall acl 217
config firewall acl6 219
config firewall address 220
config firewall address6-template 225
config firewall address6 227
config firewall addrgrp 230
config firewall addrgrp6 232
config firewall auth-portal 234
config firewall central-snat-map 234
config firewall city 237
config firewall country 237
config firewall decrypted-traffic-mirror 238
config firewall dnstranslation 239
config firewall identity-based-route 240
config firewall interface-policy 241
config firewall interface-policy6 244
config firewall internet-service-addition 247
config firewall internet-service-append 248
config firewall internet-service-botnet 249
config firewall internet-service-custom-group 249
config firewall internet-service-custom 250
config firewall internet-service-definition 251
config firewall internet-service-extension 253
config firewall internet-service-group 256

FortiOS 7.0.9 CLI Reference 4

Fortinet Inc.
config firewall internet-service-ipbl-reason 257
config firewall internet-service-ipbl-vendor 257
config firewall internet-service-list 258
config firewall internet-service-name 258
config firewall internet-service-owner 259
config firewall internet-service-reputation 260
config firewall internet-service-sld 260
config firewall internet-service 261
config firewall ip-translation 263
config firewall ipmacbinding setting 263
config firewall ipmacbinding table 264
config firewall ippool 265
config firewall ippool6 269
config firewall iprope appctrl list 270
config firewall iprope appctrl status 271
config firewall iprope list 271
config firewall ipv6-eh-filter 271
config firewall ldb-monitor 273
config firewall local-in-policy 275
config firewall local-in-policy6 277
config firewall multicast-address 279
config firewall multicast-address6 280
config firewall multicast-policy 281
config firewall multicast-policy6 284
config firewall policy 286
config firewall profile-group 304
config firewall profile-protocol-options 306
config firewall proute 330
config firewall proute6 331
config firewall proxy-address 331
config firewall proxy-addrgrp 334
config firewall proxy-policy 336
config firewall region 343
config firewall schedule group 344
config firewall schedule onetime 345
config firewall schedule recurring 346
config firewall security-policy 347
config firewall service category 354
config firewall service custom 355
config firewall service group 359
config firewall shaper per-ip-shaper 360
config firewall shaper per-ip 362
config firewall shaper traffic-shaper 362
config firewall shaper traffic 364
config firewall shaping-policy 365
config firewall shaping-profile 369
config firewall sniffer 371
config firewall ssh host-key 377
config firewall ssh local-ca 379

FortiOS 7.0.9 CLI Reference 5

Fortinet Inc.
config firewall ssh local-key 380
config firewall ssh setting 380
config firewall ssl-server 381
config firewall ssl-ssh-profile 384
config firewall ssl setting 412
config firewall traffic-class 414
config firewall ttl-policy 415
config firewall vendor-mac-summary 416
config firewall vendor-mac 416
config firewall vip 417
config firewall vip6 447
config firewall vipgrp 477
config firewall vipgrp6 478
config firewall wildcard-fqdn custom 479
config firewall wildcard-fqdn group 480
ftp-proxy 481
config ftp-proxy explicit 481
hardware 483
config hardware cpu 483
config hardware memory 483
config hardware nic 483
config hardware npu np6 dce 484
config hardware npu np6 ipsec-stats 485
config hardware npu np6 port-list 486
config hardware npu np6 session-stats 487
config hardware npu np6 sse-stats 488
config hardware npu np6 synproxy-stats 489
config hardware status 489
icap 490
config icap profile 490
config icap server 495
ips 497
config ips custom 497
config ips decoder 499
config ips global 499
config ips rule-settings 503
config ips rule 503
config ips sensor 506
config ips session 510
config ips settings 511
config ips view-map 511
ipsec 513
config ipsec tunnel 513
log 514
config log custom-field 515
config log disk filter 516
config log disk setting 519
config log eventfilter 525

FortiOS 7.0.9 CLI Reference 6

Fortinet Inc.
config log fortianalyzer-cloud filter 527
config log fortianalyzer-cloud override-filter 531
config log fortianalyzer-cloud override-setting 534
config log fortianalyzer-cloud setting 535
config log fortianalyzer2 filter 538
config log fortianalyzer2 override-filter 542
config log fortianalyzer2 override-setting 545
config log fortianalyzer2 setting 549
config log fortianalyzer3 filter 553
config log fortianalyzer3 override-filter 556
config log fortianalyzer3 override-setting 560
config log fortianalyzer3 setting 564
config log fortianalyzer filter 568
config log fortianalyzer override-filter 571
config log fortianalyzer override-setting 574
config log fortianalyzer setting 578
config log fortiguard filter 582
config log fortiguard override-filter 585
config log fortiguard override-setting 589
config log fortiguard setting 590
config log gui-display 593
config log memory filter 594
config log memory global-setting 597
config log memory setting 598
config log null-device filter 598
config log null-device setting 601
config log setting 602
config log syslogd2 filter 606
config log syslogd2 override-filter 609
config log syslogd2 override-setting 612
config log syslogd2 setting 616
config log syslogd3 filter 620
config log syslogd3 override-filter 623
config log syslogd3 override-setting 626
config log syslogd3 setting 630
config log syslogd4 filter 634
config log syslogd4 override-filter 637
config log syslogd4 override-setting 640
config log syslogd4 setting 644
config log syslogd filter 648
config log syslogd override-filter 651
config log syslogd override-setting 654
config log syslogd setting 658
config log tacacs+accounting2 filter 662
config log tacacs+accounting2 setting 663
config log tacacs+accounting3 filter 663
config log tacacs+accounting3 setting 664
config log tacacs+accounting filter 665
config log tacacs+accounting setting 666

FortiOS 7.0.9 CLI Reference 7

Fortinet Inc.
config log threat-weight 666
config log webtrends filter 677
config log webtrends setting 680
mgmt-data 681
config mgmt-data status 681
monitoring 682
config monitoring np6-ipsec-engine 682
config monitoring npu-hpe 683
nsxt 685
config nsxt service-chain 685
config nsxt setting 687
report 688
config report layout 688
config report setting 696
config report sql status 698
router 699
config router access-list 699
config router access-list6 701
config router aspath-list 702
config router auth-path 703
config router bfd 703
config router bfd6 705
config router bgp 706
config router community-list 748
config router info 749
config router info6 749
config router isis 749
config router key-chain 763
config router multicast-flow 764
config router multicast 765
config router multicast6 774
config router ospf 776
config router ospf6 792
config router policy 807
config router policy6 810
config router prefix-list 812
config router prefix-list6 813
config router rip 814
config router ripng 821
config router route-map 827
config router setting 833
config router static 833
config router static6 836
sctp-filter 839
config sctp-filter profile 839
ssh-filter 841
config ssh-filter profile 841
switch-controller 844

FortiOS 7.0.9 CLI Reference 8

Fortinet Inc.
config switch-controller 802-1X-settings 845
config switch-controller auto-config custom 847
config switch-controller auto-config default 848
config switch-controller auto-config policy 849
config switch-controller custom-command 851
config switch-controller dsl link-time 852
config switch-controller dsl pkt-count 853
config switch-controller dsl pm-line-curr 854
config switch-controller dsl policy 855
config switch-controller dsl rate 857
config switch-controller dsl status 858
config switch-controller dsl summary 859
config switch-controller dsl version 860
config switch-controller dynamic-port-policy 861
config switch-controller flow-tracking 864
config switch-controller fortilink-settings 867
config switch-controller global 869
config switch-controller igmp-snooping 873
config switch-controller initial-config template 874
config switch-controller initial-config vlans 876
config switch-controller lldp-profile 877
config switch-controller lldp-settings 882
config switch-controller location 883
config switch-controller mac-policy 888
config switch-controller managed-switch 890
config switch-controller network-monitor-settings 925
config switch-controller ptp policy 926
config switch-controller ptp settings 927
config switch-controller qos dot1p-map 928
config switch-controller qos ip-dscp-map 932
config switch-controller qos qos-policy 934
config switch-controller qos queue-policy 936
config switch-controller quarantine 939
config switch-controller remote-log 940
config switch-controller security-policy 802-1X 943
config switch-controller security-policy local-access 946
config switch-controller sflow 948
config switch-controller snmp-community 949
config switch-controller snmp-sysinfo 952
config switch-controller snmp-trap-threshold 953
config switch-controller snmp-user 954
config switch-controller storm-control-policy 956
config switch-controller storm-control 958
config switch-controller stp-instance 960
config switch-controller stp-settings 961
config switch-controller switch-group 962
config switch-controller switch-interface-tag 963
config switch-controller switch-log 964
config switch-controller switch-profile 966

FortiOS 7.0.9 CLI Reference 9

Fortinet Inc.
config switch-controller system 967
config switch-controller traffic-policy 969
config switch-controller traffic-sniffer 971
config switch-controller virtual-port-pool 973
config switch-controller vlan-policy 974
system 976
config system 3g-modem custom 980
config system accprofile 981
config system acme 991
config system admin 992
config system affinity-interrupt 999
config system affinity-packet-redistribution 1000
config system alarm 1001
config system alias 1004
config system api-user 1005
config system arp-table 1006
config system arp 1007
config system auto-install 1007
config system auto-script 1008
config system auto-update status 1009
config system auto-update versions 1009
config system automation-action 1009
config system automation-destination 1014
config system automation-stitch 1015
config system automation-trigger 1016
config system autoupdate schedule 1020
config system autoupdate tunneling 1021
config system bypass 1022
config system central-management 1024
config system central-mgmt 1029
config system checksum status 1029
config system cluster-sync 1029
config system cmdb 1032
config system console 1032
config system csf 1033
config system custom-language 1038
config system ddns 1038
config system dedicated-mgmt 1041
config system dhcp6 server 1042
config system dhcp server 1046
config system dnp3-proxy 1058
config system dns-database 1060
config system dns-server 1063
config system dns 1064
config system dns64 1066
config system dscp-based-priority 1067
config system dsl status 1068
config system elbc 1069
config system email-server 1070

FortiOS 7.0.9 CLI Reference 10

Fortinet Inc.
config system external-resource 1072
config system federated-upgrade 1074
config system fips-cc 1077
config system fortianalyzer-connectivity 1078
config system fortiguard-log-service 1078
config system fortiguard-service 1078
config system fortiguard 1078
config system fortindr 1086
config system fortisandbox 1087
config system fsso-polling 1089
config system ftm-push 1089
config system geneve 1090
config system geoip-country 1091
config system geoip-override 1092
config system global 1093
config system gre-tunnel 1144
config system ha-monitor 1147
config system ha-nonsync-csum 1147
config system ha 1147
config system ike 1160
config system info admin ssh 1174
config system info admin status 1174
config system interface 1174
config system ip-conflict status 1233
config system ipam 1233
config system ipip-tunnel 1234
config system ips-urlfilter-dns 1235
config system ips-urlfilter-dns6 1236
config system ips 1236
config system ipsec-aggregate 1237
config system ipv6-neighbor-cache 1238
config system ipv6-tunnel 1238
config system isf-queue-profile 1240
config system link-monitor 1242
config system lldp network-policy 1247
config system lte-modem 1255
config system mac-address-table 1260
config system management-tunnel 1260
config system mgmt-csum 1262
config system mobile-tunnel 1262
config system modem 1265
config system nd-proxy 1272
config system netflow 1272
config system network-visibility 1274
config system np6 1275
config system np6xlite 1288
config system npu-setting prp 1300
config system npu-vlink 1301
config system npu 1302

FortiOS 7.0.9 CLI Reference 11

Fortinet Inc.
config system ntp 1357
config system object-tagging 1360
config system password-policy-guest-admin 1361
config system password-policy 1363
config system performance firewall packet-distribution 1365
config system performance firewall statistics 1365
config system performance status 1365
config system performance top 1366
config system physical-switch 1366
config system pppoe-interface 1367
config system probe-response 1369
config system proxy-arp 1370
config system ptp 1371
config system replacemsg-group 1373
config system replacemsg-image 1385
config system replacemsg admin 1386
config system replacemsg alertmail 1387
config system replacemsg auth 1388
config system replacemsg automation 1389
config system replacemsg fortiguard-wf 1390
config system replacemsg ftp 1390
config system replacemsg http 1391
config system replacemsg icap 1392
config system replacemsg mail 1393
config system replacemsg nac-quar 1394
config system replacemsg spam 1395
config system replacemsg sslvpn 1396
config system replacemsg traffic-quota 1396
config system replacemsg utm 1397
config system replacemsg webproxy 1398
config system resource-limits 1399
config system saml 1402
config system sdn-connector 1405
config system sdwan 1414
config system session-helper-info list 1434
config system session-helper 1434
config system session-info expectation 1435
config system session-info full-stat 1436
config system session-info list 1436
config system session-info statistics 1436
config system session-info ttl 1436
config system session-ttl 1436
config system session 1437
config system session6 1438
config system settings 1438
config system sflow 1459
config system sit-tunnel 1460
config system smc-ntp 1462
config system sms-server 1463

FortiOS 7.0.9 CLI Reference 12

Fortinet Inc.
config system snmp community 1464
config system snmp sysinfo 1471
config system snmp user 1473
config system source-ip status 1479
config system speed-test-schedule 1479
config system speed-test-server 1481
config system sso-admin 1483
config system sso-forticloud-admin 1483
config system standalone-cluster 1484
config system startup-error-log 1485
config system status 1485
config system storage 1485
config system stp 1487
config system switch-interface 1488
config system tos-based-priority 1490
config system vdom-dns 1491
config system vdom-exception 1493
config system vdom-link 1495
config system vdom-netflow 1496
config system vdom-property 1497
config system vdom-radius-server 1498
config system vdom-sflow 1499
config system vdom 1500
config system virtual-switch 1501
config system virtual-wire-pair 1503
config system vne-tunnel 1504
config system vxlan 1505
config system wccp 1506
config system wireless ap-status 1510
config system wireless detected-ap 1512
config system wireless settings 1513
config system zone 1516
test 1518
config test acd 1520
config test acsd 1520
config test autod 1520
config test awsd 1521
config test azd 1521
config test bfd 1521
config test chlbd 1522
config test confsyncd 1523
config test confsynchbd 1524
config test csfd 1524
config test ddnscd 1525
config test dhcp6c 1525
config test dhcp6r 1525
config test dhcprelay 1526
config test dlpfingerprint 1526
config test dlpfpcache 1527

FortiOS 7.0.9 CLI Reference 13

Fortinet Inc.
config test dnsproxy 1528
config test dsd 1528
config test fas 1528
config test fcnacd 1529
config test fds_notify 1529
config test fnbamd 1529
config test forticldd 1530
config test forticron 1530
config test fsd 1530
config test fsvrd 1531
config test gcpd 1531
config test harelay 1531
config test hasync 1532
config test hatalk 1532
config test ibmd 1532
config test imap 1533
config test init 1533
config test iotd 1533
config test ipamd 1534
config test ipamsd 1534
config test ipldbd 1534
config test ipmc_sensord 1535
config test ipsengine 1535
config test ipsmonitor 1536
config test ipsufd 1536
config test kubed 1536
config test l2tpcd 1537
config test lnkmtd 1537
config test lted 1538
config test miglogd 1538
config test mrd 1539
config test netxd 1539
config test nntp 1539
config test ocid 1540
config test openstackd 1540
config test ovrd 1540
config test pop3 1541
config test pptpcd 1541
config test quarantined 1541
config test radius-das 1542
config test radiusd 1542
config test radvd 1542
config test reportd 1543
config test sdncd 1543
config test sdnd 1544
config test sepmd 1544
config test sessionsync 1544
config test sflowd 1545
config test sfupgraded 1545

FortiOS 7.0.9 CLI Reference 14

Fortinet Inc.
config test smtp 1545
config test snmpd 1546
config test syslogd 1546
config test updated 1546
config test uploadd 1547
config test urlfilter 1547
config test vned 1547
config test wad 1548
config test wccpd 1548
config test wf_monitor 1548
config test wiredapd 1549
config test zebos_launcher 1549
user 1550
config user adgrp 1550
config user certificate 1551
config user domain-controller 1552
config user exchange 1555
config user fortitoken 1557
config user fsso-polling 1558
config user fsso 1560
config user group 1564
config user krb-keytab 1569
config user ldap 1570
config user local 1576
config user nac-policy 1579
config user password-policy 1581
config user peer 1582
config user peergrp 1584
config user pop3 1584
config user quarantine 1585
config user radius 1587
config user saml 1598
config user security-exempt-list 1602
config user setting 1603
config user tacacs+ 1607
videofilter 1610
config videofilter profile 1610
config videofilter youtube-channel-filter 1612
config videofilter youtube-key 1614
voip 1615
config voip profile 1615
vpn 1640
config vpn certificate ca 1641
config vpn certificate crl 1642
config vpn certificate local 1643
config vpn certificate ocsp-server 1647
config vpn certificate remote 1648
config vpn certificate setting 1648
config vpn ike gateway 1653

FortiOS 7.0.9 CLI Reference 15

Fortinet Inc.
config vpn ipsec concentrator 1654
config vpn ipsec fec 1654
config vpn ipsec forticlient 1656
config vpn ipsec manualkey-interface 1657
config vpn ipsec manualkey 1659
config vpn ipsec phase1-interface 1661
config vpn ipsec phase1 1685
config vpn ipsec phase2-interface 1705
config vpn ipsec phase2 1714
config vpn ipsec stats crypto 1723
config vpn ipsec stats tunnel 1723
config vpn ipsec tunnel details 1724
config vpn ipsec tunnel name 1724
config vpn ipsec tunnel summary 1724
config vpn l2tp 1724
config vpn ocvpn 1725
config vpn pptp 1730
config vpn ssl client 1730
config vpn ssl monitor 1732
config vpn ssl settings 1732
config vpn ssl web host-check-software 1745
config vpn ssl web portal 1747
config vpn ssl web realm 1766
config vpn ssl web user-bookmark 1767
config vpn ssl web user-group-bookmark 1773
config vpn status l2tp 1779
config vpn status pptp 1780
config vpn status ssl hw-acceleration-status 1780
config vpn status ssl list 1780
waf 1781
config waf main-class 1781
config waf profile 1781
config waf signature 1806
config waf sub-class 1807
wanopt 1808
config wanopt auth-group 1808
config wanopt cache-service 1810
config wanopt content-delivery-network-rule 1813
config wanopt peer 1818
config wanopt profile 1819
config wanopt remote-storage 1828
config wanopt settings 1829
config wanopt webcache 1831
web-proxy 1835
config web-proxy debug-url 1835
config web-proxy explicit 1836
config web-proxy forward-server-group 1841
config web-proxy forward-server 1842
config web-proxy global 1844

FortiOS 7.0.9 CLI Reference 16

Fortinet Inc.
config web-proxy profile 1846
config web-proxy url-match 1850
config web-proxy wisp 1851
webfilter 1853
config webfilter categories 1853
config webfilter content-header 1853
config webfilter content 1854
config webfilter fortiguard 1856
config webfilter ftgd-local-cat 1858
config webfilter ftgd-local-rating 1859
config webfilter ftgd-statistics 1860
config webfilter ips-urlfilter-cache-setting 1860
config webfilter ips-urlfilter-setting 1860
config webfilter ips-urlfilter-setting6 1861
config webfilter override-usr 1862
config webfilter override 1862
config webfilter profile 1863
config webfilter search-engine 1880
config webfilter status 1881
config webfilter urlfilter 1881
wireless-controller 1885
config wireless-controller access-control-list 1886
config wireless-controller address 1889
config wireless-controller addrgrp 1889
config wireless-controller ap-status 1890
config wireless-controller apcfg-profile 1891
config wireless-controller arrp-profile 1893
config wireless-controller ble-profile 1896
config wireless-controller bonjour-profile 1898
config wireless-controller client-info 1899
config wireless-controller global 1899
config wireless-controller hotspot20 anqp-3gpp-cellular 1903
config wireless-controller hotspot20 anqp-ip-address-type 1904
config wireless-controller hotspot20 anqp-nai-realm 1905
config wireless-controller hotspot20 anqp-network-auth-type 1909
config wireless-controller hotspot20 anqp-roaming-consortium 1909
config wireless-controller hotspot20 anqp-venue-name 1910
config wireless-controller hotspot20 anqp-venue-url 1911
config wireless-controller hotspot20 h2qp-advice-of-charge 1912
config wireless-controller hotspot20 h2qp-conn-capability 1913
config wireless-controller hotspot20 h2qp-operator-name 1916
config wireless-controller hotspot20 h2qp-osu-provider-nai 1917
config wireless-controller hotspot20 h2qp-osu-provider 1918
config wireless-controller hotspot20 h2qp-terms-and-conditions 1919
config wireless-controller hotspot20 h2qp-wan-metric 1920
config wireless-controller hotspot20 hs-profile 1921
config wireless-controller hotspot20 icon 1929
config wireless-controller hotspot20 qos-map 1930
config wireless-controller inter-controller 1932

FortiOS 7.0.9 CLI Reference 17

Fortinet Inc.
config wireless-controller log 1934
config wireless-controller mpsk-profile 1938
config wireless-controller nac-profile 1940
config wireless-controller qos-profile 1941
config wireless-controller region 1944
config wireless-controller rf-analysis 1945
config wireless-controller scan 1945
config wireless-controller setting 1946
config wireless-controller snmp 1955
config wireless-controller spectral-info 1959
config wireless-controller ssid-policy 1959
config wireless-controller status 1960
config wireless-controller syslog-profile 1960
config wireless-controller timers 1962
config wireless-controller utm-profile 1964
config wireless-controller vap-group 1965
config wireless-controller vap-status 1965
config wireless-controller vap 1966
config wireless-controller wag-profile 1998
config wireless-controller wids-profile 1999
config wireless-controller wlchanlistlic 2007
config wireless-controller wtp-group 2007
config wireless-controller wtp-profile 2010
config wireless-controller wtp-status 2082
config wireless-controller wtp 2082

FortiOS 7.0.9 CLI Reference 18

Fortinet Inc.
Change Log

Change Log

Date Change Description

2022-11-22 First automated release of the FortiOS 7.0.9 CLI Reference.

2022-12-06 Updated to include more reference models.

FortiOS 7.0.9 CLI Reference 19

Fortinet Inc.
FortiOS CLI reference

This document describes FortiOS 7.0.9 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI). For information on using the CLI, see the FortiOS 7.0.9 Administration Guide, which
contains information such as:
l Connecting to the CLI
l CLI basics
l Command syntax
l Subcommands
l Permissions

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if
you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands
and options that are available.
Commands and options may not be available for the following reasons:

FortiGate model

All commands are not available on all FortiGate models. For example, a hardware switch can be configured only on
models which have the corresponding hardware switch chipset.

Hardware configuration

For example, settings like mediatype would only be available on units with SFPs.

FortiOS Carrier, FortiGate 5K/6K/7K, FortiGate with LTE, etc.

Commands for extended functionality are not available on all FortiGate models. The CLI Reference may not include all
commands.

Command tree

Enter tree to display the entire FortiOS CLI command tree. To capture the full output, connect to your device using a
terminal emulation program, such as PuTTY, and capture the output to a log file.
l To view all available commands, enter tree.
l To view a specific configuration branch of a tree, enter tree <branch>, for example: tree system.

FortiOS 7.0.9 CLI Reference 20

Fortinet Inc.
FortiOS CLI reference

l To view all available diagnose commands, enter tree diagnose.

l To view all available execute commands, enter tree execute.

FortiOS 7.0.9 CLI Reference 21

Fortinet Inc.
CLI configuration commands

Use configuration commands to configure and manage a FortiGate unit from the command line interface (CLI).
The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.0.9 and reformatting the
resultant CLI output.
If you have comments on this content, its format, or requests for commands that are not included, contact us at
[email protected].

FortiOS 7.0.9 CLI Reference 22

Fortinet Inc.
alertemail

This section includes syntax for the following commands:

l config alertemail setting on page 23

config alertemail setting

Configure alert email settings.

config alertemail setting
Description: Configure alert email settings.
set FDS-license-expiring-days {integer}
set FDS-license-expiring-warning [enable|disable]
set FDS-update-logs [enable|disable]
set FIPS-CC-errors [enable|disable]
set FSSO-disconnect-logs [enable|disable]
set HA-logs [enable|disable]
set IPS-logs [enable|disable]
set IPsec-errors-logs [enable|disable]
set PPP-errors-logs [enable|disable]
set admin-login-logs [enable|disable]
set alert-interval {integer}
set amc-interface-bypass-mode [enable|disable]
set antivirus-logs [enable|disable]
set configuration-changes-logs [enable|disable]
set critical-interval {integer}
set debug-interval {integer}
set email-interval {integer}
set emergency-interval {integer}
set error-interval {integer}
set filter-mode [category|threshold]
set firewall-authentication-failure-logs [enable|disable]
set fortiguard-log-quota-warning [enable|disable]
set information-interval {integer}
set local-disk-usage {integer}
set log-disk-usage-warning [enable|disable]
set mailto1 {string}
set mailto2 {string}
set mailto3 {string}
set notification-interval {integer}
set severity [emergency|alert|...]
set ssh-logs [enable|disable]
set sslvpn-authentication-errors-logs [enable|disable]
set username {string}
set violation-traffic-logs [enable|disable]
set warning-interval {integer}
set webfilter-logs [enable|disable]
end

FortiOS 7.0.9 CLI Reference 23

Fortinet Inc.
config alertemail setting

Parameter Description Type Size Default

FDS-license- Number of days to send alert email prior to integer Minimum 15

expiring-days FortiGuard license expiration. value: 1
Maximum
value: 100

disable Disable FIPS and Common Criteria error logs in alert email.

Option Description

enable Enable PPP error logs in alert email.

disable Disable PPP error logs in alert email.

admin-login-logs Enable/disable administrator login/logout logs in alert option - disable

email.

Option Description

enable Enable administrator login/logout logs in alert email.

disable Disable administrator login/logout logs in alert email.

alert-interval Alert alert interval in minutes. integer Minimum 2

value: 1
Maximum
value:
99999

amc-interface- Enable/disable Fortinet Advanced Mezzanine Card option - disable

bypass-mode (AMC) interface bypass mode logs in alert email.

value: 1
Maximum
value:
99999

debug-interval Debug alert interval in minutes. integer Minimum 60

value: 1
Maximum
value:
99999

email-interval Interval between sending alert emails. integer Minimum 5

value: 1
Maximum
value:
99999

emergency- Emergency alert interval in minutes. integer Minimum 1

interval value: 1
Maximum
value:
99999

error-interval Error alert interval in minutes. integer Minimum 5

value: 1
Maximum
value:
99999

filter-mode How to filter log messages that are sent to alert option - category
emails.

FortiOS 7.0.9 CLI Reference 26

Fortinet Inc.
Parameter Description Type Size Default

Option Description

category Filter based on category.

threshold Filter based on severity.

firewall- Enable/disable firewall authentication failure logs in option - disable

authentication- alert email.
failure-logs

Option Description

enable Enable firewall authentication failure logs in alert email.

disable Disable firewall authentication failure logs in alert email.

fortiguard-log- Enable/disable FortiCloud log quota warnings in alert option - disable

quota-warning email.

Option Description

enable Enable FortiCloud log quota warnings in alert email.

disable Disable FortiCloud log quota warnings in alert email.

information- Information alert interval in minutes. integer Minimum 30

interval value: 1
Maximum
value:
99999

local-disk-usage Disk usage percentage at which to send alert email. integer Minimum 75
value: 1
Maximum
value: 99

log-disk-usage- Enable/disable disk usage warnings in alert email. option - disable

warning

Option Description

enable Enable disk usage warnings in alert email.

disable Disable disk usage warnings in alert email.

mailto1 Email address to send alert email to (usually a string Not

system administrator) (max. 63 characters). Specified

mailto2 Optional second email address to send alert email to string Not
(max. 63 characters). Specified

FortiOS 7.0.9 CLI Reference 27

Fortinet Inc.
Parameter Description Type Size Default

mailto3 Optional third email address to send alert email to string Not
(max. 63 characters). Specified

notification- Notification alert interval in minutes. integer Minimum 20

interval value: 1
Maximum
value:
99999

severity Lowest severity level to log. option - alert

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

ssh-logs Enable/disable SSH logs in alert email. option - disable

Option Description

enable Enable SSH logs in alert email.

disable Disable SSH logs in alert email.

sslvpn- Enable/disable SSL-VPN authentication error logs in option - disable

authentication- alert email.
errors-logs

Option Description

enable Enable SSL-VPN authentication error logs in alert email.

disable Disable SSL-VPN authentication error logs in alert email.

username Name that appears in the From: field of alert emails string Not
(max. 63 characters). Specified

violation-traffic- Enable/disable violation traffic logs in alert email. option - disable

logs

FortiOS 7.0.9 CLI Reference 28

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable violation traffic logs in alert email.

disable Disable violation traffic logs in alert email.

warning-interval Warning alert interval in minutes. integer Minimum 10

value: 1
Maximum
value:
99999

webfilter-logs Enable/disable web filter logs in alert email. option - disable

Option Description

enable Enable web filter logs in alert email.

disable Disable web filter logs in alert email.

FortiOS 7.0.9 CLI Reference 29

Fortinet Inc.
antivirus

This section includes syntax for the following commands:

l config antivirus profile on page 30
l config antivirus quarantine on page 58
l config antivirus settings on page 63

config antivirus profile

Configure AntiVirus profiles.

config antivirus profile
Description: Configure AntiVirus profiles.
edit <name>
set analytics-accept-filetype {integer}
set analytics-db [disable|enable]
set analytics-ignore-filetype {integer}
set analytics-max-upload {integer}
set av-block-log [enable|disable]
set av-virus-log [enable|disable]
config cifs
Description: Configure CIFS AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
set comment {var-string}
config content-disarm
Description: AV Content Disarm and Reconstruction settings.
set original-file-destination [fortisandbox|quarantine|...]
set error-action [block|log-only|...]
set office-macro [disable|enable]
set office-hylink [disable|enable]
set office-linked [disable|enable]
set office-embed [disable|enable]
set office-dde [disable|enable]
set office-action [disable|enable]
set pdf-javacode [disable|enable]
set pdf-embedfile [disable|enable]
set pdf-hyperlink [disable|enable]
set pdf-act-gotor [disable|enable]
set pdf-act-launch [disable|enable]
set pdf-act-sound [disable|enable]
set pdf-act-movie [disable|enable]

FortiOS 7.0.9 CLI Reference 30

Fortinet Inc.
set pdf-act-java [disable|enable]
set pdf-act-form [disable|enable]
set cover-page [disable|enable]
set detect-only [disable|enable]
end
set ems-threat-feed [disable|enable]
set extended-log [enable|disable]
set external-blocklist <name1>, <name2>, ...
set external-blocklist-enable-all [disable|enable]
set feature-set [flow|proxy]
set fortindr-error-action [log-only|block|...]
set fortindr-timeout-action [log-only|block|...]
set ftgd-analytics [disable|suspicious|...]
config ftp
Description: Configure FTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
config http
Description: Configure HTTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set unknown-content-encoding [block|inspect|...]
set content-disarm [disable|enable]
end
config imap
Description: Configure IMAP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
config mapi
Description: Configure MAPI AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set quarantine [disable|enable]

FortiOS 7.0.9 CLI Reference 31

Fortinet Inc.
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
end
set mobile-malware-db [disable|enable]
config nac-quar
Description: Configure AntiVirus quarantine settings.
set infected [none|quar-src-ip]
set expiry {user}
set log [enable|disable]
end
set name {string}
config nntp
Description: Configure NNTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
set outbreak-prevention-archive-scan [disable|enable]
config pop3
Description: Configure POP3 AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
set replacemsg-group {string}
set scan-mode [default|legacy]
config smtp
Description: Configure SMTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
config ssh
Description: Configure SFTP and SCP AntiVirus options.
set av-scan [disable|block|...]

FortiOS 7.0.9 CLI Reference 32

Fortinet Inc.
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
next
end

config antivirus profile

Parameter Description Type Size Default

analytics- Only submit files matching this DLP file-pattern to integer Minimum 0
accept-filetype FortiSandbox. value: 0
Maximum
value:
4294967295

analytics-db Enable/disable using the FortiSandbox signature option - disable

database to supplement the AV signature
databases.

Option Description

disable Use only the standard AV signature databases.

enable Also use the FortiSandbox signature database.

analytics- Do not submit files matching this DLP file-pattern to integer Minimum 0
ignore-filetype FortiSandbox. value: 0
Maximum
value:
4294967295

analytics-max- Maximum size of files that can be uploaded to integer Minimum 10

upload FortiSandbox. value: 1
Maximum
value: 1606 **

av-block-log Enable/disable logging for AntiVirus file blocking. option - enable

Option Description

enable Enable setting.

disable Disable setting.

av-virus-log Enable/disable AntiVirus logging. option - enable

FortiOS 7.0.9 CLI Reference 33

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

comment Comment. var-string Not Specified

ems-threat- Enable/disable use of EMS threat feed when option - disable

feed performing AntiVirus scan. Analyzes files including
the content of archives.

Option Description

disable Disable use of EMS threat feed when performing AntiVirus scan.

enable Enable use of EMS threat feed when performing AntiVirus scan.

extended-log Enable/disable extended logging for antivirus. option - disable

Option Description

enable Enable setting.

disable Disable setting.

external- One or more external malware block lists. string Maximum

blocklist External blocklist. length: 79
<name>

external- Enable/disable all external blocklists. option - disable

blocklist-
enable-all

Option Description

disable Use configured external blocklists.

enable Enable all external blocklists.

feature-set Flow/proxy feature set. option - flow

Option Description

flow Flow feature set.

proxy Proxy feature set.

fortindr-error- Action to take if FortiNDR encounters an error. option - log-only

action

FortiOS 7.0.9 CLI Reference 34

Fortinet Inc.
Parameter Description Type Size Default

Option Description

log-only Log FortiNDR error, but allow the file.

block Block the file on FortiNDR error.

ignore Do nothing on FortiNDR error.

fortindr- Action to take if FortiNDR encounters a scan timeout. option - log-only

timeout-action

Option Description

log-only Log FortiNDR scan timeout, but allow the file.

block Block the file on FortiNDR scan timeout.

ignore Do nothing on FortiNDR scan timeout.

ftgd-analytics Settings to control which files are uploaded to option - disable

FortiSandbox.

Option Description

disable Do not upload files to FortiSandbox.

suspicious Submit files supported by FortiSandbox if heuristics or other methods

determine they are suspicious.

everything Submit files supported by FortiSandbox and known infected files.

mobile- Enable/disable using the mobile malware signature option - enable

malware-db database.

Option Description

disable Do not use the mobile malware signature database.

enable Also use the mobile malware signature database.

name Profile name. string Not Specified

outbreak- Enable/disable outbreak-prevention archive option - enable

prevention- scanning.
archive-scan

Option Description

disable Analyze files as sent, not the content of archives.

enable Analyze files including the content of archives.

FortiOS 7.0.9 CLI Reference 35

Fortinet Inc.
Parameter Description Type Size Default

replacemsg- Replacement message group customized for this string Not Specified
group profile.

scan-mode Configure scan mode. option - default

Option Description

default On the fly decompression and scanning of certain archive files.

legacy Scan archive files only after the entire file is received.

** Values may differ between models.

config cifs

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

FortiOS 7.0.9 CLI Reference 37

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the virus emulator.

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

office-hylink Enable/disable stripping of hyperlinks in Microsoft Office option - enable

documents.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

office-linked Enable/disable stripping of linked objects in Microsoft option - enable

Office documents.

FortiOS 7.0.9 CLI Reference 38

enable Enable this Content Disarm and Reconstruction feature.

pdf-act-form Enable/disable stripping of PDF document actions that option - enable

submit data to other targets.

FortiOS 7.0.9 CLI Reference 40

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

cover-page Enable/disable inserting a cover page into the disarmed option - enable
document.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

detect-only Enable/disable only detect disarmable files, do not alter option - disable
content.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

config ftp

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.

FortiOS 7.0.9 CLI Reference 41

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

block Block the matched files.

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

FortiOS 7.0.9 CLI Reference 43

Fortinet Inc.
Parameter Description Type Size Default

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

FortiOS 7.0.9 CLI Reference 44

Fortinet Inc.
Parameter Description Type Size Default

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

unknown- Configure the action the FortiGate unit will take on option - block
content- unknown content-encoding.
encoding

Option Description

block Block HTTP session when unknown content-encoding is detected.

inspect Inspect HTTP traffic as plain-text with AV scan when unknown content-
encoding is detected.

bypass Bypass AV scan when unknown content-encoding is detected.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config imap

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

FortiOS 7.0.9 CLI Reference 45

Fortinet Inc.
Parameter Description Type Size Default

external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.

Option Description

disable Disable.

block Block the matched files.

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

FortiOS 7.0.9 CLI Reference 46

Fortinet Inc.
Parameter Description Type Size Default

Option Description

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config mapi

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

FortiOS 7.0.9 CLI Reference 47

Fortinet Inc.
Parameter Description Type Size Default

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

FortiOS 7.0.9 CLI Reference 48

Fortinet Inc.
Parameter Description Type Size Default

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

config nac-quar

Parameter Description Type Size Default

infected Enable/Disable quarantining infected hosts to the option - none

banned user list.

Option Description

none Do not quarantine infected hosts.

quar-src-ip Quarantine all traffic from the infected hosts source IP.

expiry Duration of quarantine. user Not 5m

Specified

log Enable/disable AntiVirus quarantine logging. option - disable

FortiOS 7.0.9 CLI Reference 49

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable AntiVirus quarantine logging.

disable Disable AntiVirus quarantine logging.

config nntp

fortindr Enable/disable scanning of files by FortiNDR. option - disable

Option Description

disable Disable.

block Block the FortiNDR detected infections.

monitor Log the FortiNDR detected infections.

quarantine Enable/disable quarantine for infected files. option - disable

FortiOS 7.0.9 CLI Reference 50

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

FortiOS 7.0.9 CLI Reference 51

Fortinet Inc.
config pop3

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config smtp

fortindr Enable/disable scanning of files by FortiNDR. option - disable

Option Description

disable Disable.

block Block the FortiNDR detected infections.

monitor Log the FortiNDR detected infections.

FortiOS 7.0.9 CLI Reference 54

Fortinet Inc.
Parameter Description Type Size Default

quarantine Enable/disable quarantine for infected files. option - disable

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

FortiOS 7.0.9 CLI Reference 55

Fortinet Inc.
Parameter Description Type Size Default

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config ssh

FortiOS 7.0.9 CLI Reference 56

Fortinet Inc.
Parameter Description Type Size Default

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

FortiOS 7.0.9 CLI Reference 57

Fortinet Inc.
Parameter Description Type Size Default

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config antivirus quarantine

Configure quarantine options.

config antivirus quarantine
Description: Configure quarantine options.
set agelimit {integer}
set destination [NULL|disk|...]
set drop-blocked {option1}, {option2}, ...
set drop-infected {option1}, {option2}, ...
set drop-machine-learning {option1}, {option2}, ...
set lowspace [drop-new|ovrw-old]
set maxfilesize {integer}
set quarantine-quota {integer}
set store-blocked {option1}, {option2}, ...
set store-infected {option1}, {option2}, ...
set store-machine-learning {option1}, {option2}, ...
end

config antivirus quarantine

Parameter Description Type Size Default

agelimit Age limit for quarantined files. integer Minimum 0

value: 0
Maximum
value: 479

destination Choose whether to quarantine files to the FortiGate option - disk **

disk or to FortiAnalyzer or to delete them instead of
quarantining them.

Option Description

NULL Files that would be quarantined are deleted.

disk Quarantine files to the FortiGate hard disk.

FortiAnalyzer FortiAnalyzer

FortiOS 7.0.9 CLI Reference 58

Fortinet Inc.
Parameter Description Type Size Default

drop-blocked Do not quarantine dropped files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

drop-infected Do not quarantine infected files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

FortiOS 7.0.9 CLI Reference 59

Fortinet Inc.
Parameter Description Type Size Default

Option Description

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

drop- Do not quarantine files detected by machine learning option -

machine- found in sessions using the selected protocols.
learning Dropped files are deleted instead of being
quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

lowspace Select the method for handling additional files when option - ovrw-old
running low on disk space.

Option Description

drop-new Drop (delete) the most recently quarantined files.

ovrw-old Overwrite the oldest quarantined files. That is, the files that are closest to
being deleted from the quarantine.

FortiOS 7.0.9 CLI Reference 60

Fortinet Inc.
Parameter Description Type Size Default

maxfilesize Maximum file size to quarantine. integer Minimum 0

value: 0
Maximum
value: 500

quarantine- The amount of disk space to reserve for quarantining integer Minimum 0
quota files. value: 0
Maximum
value:
4294967295

store-blocked Quarantine blocked files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s ftps
mapi cifs
ssh

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

FortiOS 7.0.9 CLI Reference 61

Fortinet Inc.
Parameter Description Type Size Default

store-infected Quarantine infected files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

store- Quarantine files detected by machine learning found in option - imap smtp
machine- sessions using the selected protocols. pop3 http
learning ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh

Option Description

imap IMAP.

FortiOS 7.0.9 CLI Reference 62

Fortinet Inc.
Parameter Description Type Size Default

Option Description

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

** Values may differ between models.

config antivirus settings

Configure AntiVirus settings.

config antivirus settings
Description: Configure AntiVirus settings.
set cache-infected-result [enable|disable]
set grayware [enable|disable]
set machine-learning-detection [enable|monitor|...]
set override-timeout {integer}
set use-extreme-db [enable|disable]
end

config antivirus settings

Parameter Description Type Size Default

cache- Enable/disable cache of infected scan results. option - enable

infected-result

FortiOS 7.0.9 CLI Reference 63

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable cache of infected scan results.

disable Disable cache of infected scan results.

grayware Enable/disable grayware detection when an AntiVirus option - disable

profile is applied to traffic.

Option Description

enable Enable grayware detection.

disable Disable grayware detection.

machine- Use machine learning based malware detection. option - enable

learning-
detection

Option Description

enable Enable machine learning based malware detection.

monitor Enable machine learning based malware detection for monitoring only.

disable Disable machine learning based malware detection.

override- Override the large file scan timeout value in seconds. integer Minimum 0
timeout Zero is the default value and is used to disable this value: 30
command. When disabled, the daemon adjusts the Maximum
large file scan timeout based on the file size. value: 3600

use-extreme- Enable/disable the use of Extreme AVDB. option - disable

Option Description

enable Enable extreme AVDB.

disable Disable extreme AVDB.

FortiOS 7.0.9 CLI Reference 64

Fortinet Inc.
application

This section includes syntax for the following commands:

l config application custom on page 65
l config application group on page 66
l config application list on page 67
l config application name on page 76
l config application rule-settings on page 78

config application custom

Configure custom application signatures.

config application custom
Description: Configure custom application signatures.
edit <tag>
set behavior {user}
set category {integer}
set comment {string}
set id {integer}
set protocol {user}
set signature {var-string}
set tag {string}
set technology {user}
set vendor {user}
next
end

config application custom

Parameter Description Type Size Default

behavior Custom application signature behavior. user Not Specified

category Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295

comment Comment. string Not Specified

FortiOS 7.0.9 CLI Reference 65

Fortinet Inc.
Parameter Description Type Size Default

id Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295

protocol Custom application signature protocol. user Not Specified

signature The text that makes up the actual custom application var-string Not Specified
signature.

tag Signature tag. string Not Specified

technology Custom application signature technology. user Not Specified

vendor Custom application signature vendor. user Not Specified

config application group

Configure firewall application groups.

config application group
Description: Configure firewall application groups.
edit <name>
set application <id1>, <id2>, ...
set behavior {user}
set category <id1>, <id2>, ...
set comment {var-string}
set name {string}
set popularity {option1}, {option2}, ...
set protocols {user}
set risk <level1>, <level2>, ...
set technology {user}
set type [application|filter]
set vendor {user}
next
end

config application group

Parameter Description Type Size Default

application Application ID list. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

behavior Application behavior filter. user Not Specified all

FortiOS 7.0.9 CLI Reference 66

Fortinet Inc.
Parameter Description Type Size Default

category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295

comment Comments. var-string Not Specified

name Application group name. string Not Specified

popularity Application popularity filter. option - 12345

Option Description

1 Popularity level 1.

2 Popularity level 2.

3 Popularity level 3.

4 Popularity level 4.

5 Popularity level 5.

protocols Application protocol filter. user Not Specified all

risk <level> Risk, or impact, of allowing traffic from this integer Minimum
application to occur (1 - 5; Low, Elevated, Medium, value: 0
High, and Critical). Maximum
Risk, or impact, of allowing traffic from this value:
application to occur (1 - 5; Low, Elevated, Medium, 4294967295
High, and Critical).

technology Application technology filter. user Not Specified all

type Application group type. option - application

Option Description

application Application ID.

filter Application filter.

vendor Application vendor filter. user Not Specified all

config application list

Configure application control lists.

config application list
Description: Configure application control lists.
edit <name>
set app-replacemsg [disable|enable]
set comment {var-string}

FortiOS 7.0.9 CLI Reference 67

Fortinet Inc.
set control-default-network-services [disable|enable]
set deep-app-inspection [disable|enable]
config default-network-services
Description: Default network service entries.
edit <id>
set id {integer}
set port {integer}
set services {option1}, {option2}, ...
set violation-action [pass|monitor|...]
next
end
set enforce-default-app-port [disable|enable]
config entries
Description: Application list entries.
edit <id>
set id {integer}
set risk <level1>, <level2>, ...
set category <id1>, <id2>, ...
set application <id1>, <id2>, ...
set protocols {user}
set vendor {user}
set technology {user}
set behavior {user}
set popularity {option1}, {option2}, ...
set exclusion <id1>, <id2>, ...
config parameters
Description: Application parameters.
edit <id>
set id {integer}
config members
Description: Parameter tuple members.
edit <id>
set id {integer}
set name {string}
set value {string}
next
end
next
end
set action [pass|block|...]
set log [disable|enable]
set log-packet [disable|enable]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
set session-ttl {integer}
set shaper {string}
set shaper-reverse {string}
set per-ip-shaper {string}
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
next
end
set extended-log [enable|disable]

FortiOS 7.0.9 CLI Reference 68

Fortinet Inc.
set force-inclusion-ssl-di-sigs [disable|enable]
set name {string}
set options {option1}, {option2}, ...
set other-application-action [pass|block]
set other-application-log [disable|enable]
set p2p-block-list {option1}, {option2}, ...
set replacemsg-group {string}
set unknown-application-action [pass|block]
set unknown-application-log [disable|enable]
next
end

config application list

Parameter Description Type Size Default

app- Enable/disable replacement messages for blocked option - enable

replacemsg applications.

Option Description

disable Disable replacement messages for blocked applications.

enable Enable replacement messages for blocked applications.

comment Comments. var-string Not

Specified

control- Enable/disable enforcement of protocols over selected option - disable

default- ports.
network-
services

Option Description

disable Disable protocol enforcement over selected ports.

enable Enable protocol enforcement over selected ports.

deep-app- Enable/disable deep application inspection. option - enable

inspection

Option Description

disable Disable deep application inspection.

enable Enable deep application inspection.

enforce- Enable/disable default application port enforcement for option - disable

default-app- allowed applications.
port

FortiOS 7.0.9 CLI Reference 69

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable default application port enforcement.

enable Enable default application port enforcement.

extended-log Enable/disable extended logging. option - disable

Option Description

enable Enable setting.

disable Disable setting.

force- Enable/disable forced inclusion of SSL deep inspection option - disable

inclusion-ssl- signatures.
di-sigs

Option Description

disable Disable forced inclusion of signatures which normally require SSL deep
inspection.

enable Enable forced inclusion of signatures which normally require SSL deep
inspection.

name List name. string Not

Specified

options Basic application protocol signatures allowed by option - allow-dns

default.

Option Description

allow-dns Allow DNS.

allow-icmp Allow ICMP.

allow-http Allow generic HTTP web browsing.

allow-ssl Allow generic SSL communication.

allow-quic Allow QUIC.

other- Action for other applications. option - pass

application-
action

Option Description

pass Allow sessions matching an application in this application list.

block Block sessions matching an application in this application list.

FortiOS 7.0.9 CLI Reference 70

Fortinet Inc.
Parameter Description Type Size Default

other- Enable/disable logging for other applications. option - disable

application-log

Option Description

disable Disable logging for other applications.

enable Enable logging for other applications.

p2p-block-list P2P applications to be block listed. option -

Option Description

skype Skype.

edonkey Edonkey.

bittorrent Bit torrent.

replacemsg- Replacement message group. string Not

group Specified

unknown- Pass or block traffic from unknown applications. option - pass

application-
action

Option Description

pass Pass or allow unknown applications.

block Drop or block unknown applications.

unknown- Enable/disable logging for unknown applications. option - disable

application-log

Option Description

disable Disable logging for unknown applications.

enable Enable logging for unknown applications.

config default-network-services

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 71

Fortinet Inc.
Parameter Description Type Size Default

port Port number. integer Minimum 0

value: 0
Maximum
value: 65535

services Network protocols. option -

Option Description

http HTTP.

ssh SSH.

telnet TELNET.

ftp FTP.

dns DNS.

smtp SMTP.

pop3 POP3.

imap IMAP.

snmp SNMP.

nntp NNTP.

https HTTPS.

violation- Action for protocols not in the allowlist for selected option - block
action port.

Option Description

pass Allow protocols not in the allowlist for selected port.

monitor Monitor protocols not in the allowlist for selected port.

block Block protocols not in the allowlist for selected port.

config entries

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 72

Fortinet Inc.
Parameter Description Type Size Default

category Category ID list. integer Minimum

<id> Application category ID. value: 0
Maximum
value:
4294967295

application ID of allowed applications. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

protocols Application protocol filter. user Not Specified all

vendor Application vendor filter. user Not Specified all

technology Application technology filter. user Not Specified all

behavior Application behavior filter. user Not Specified all

popularity Application popularity filter. option - 12345

Option Description

1 Popularity level 1.

2 Popularity level 2.

3 Popularity level 3.

4 Popularity level 4.

5 Popularity level 5.

exclusion ID of excluded applications. integer Minimum

<id> Excluded application IDs. value: 0
Maximum
value:
4294967295

action Pass or block traffic, or reset connection for traffic option - block
from this application.

value: 0
Maximum
value: 65535

rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535

rate-mode Rate limit mode. option - continuous

Option Description

periodical Allow configured number of packets every rate-duration.

continuous Block packets once the rate is reached.

rate-track Track the packet protocol field. option - none

Option Description

none none

src-ip Source IP.

dest-ip Destination IP.

dhcp-client-mac DHCP client.

dns-domain DNS domain.

FortiOS 7.0.9 CLI Reference 74

Fortinet Inc.
Parameter Description Type Size Default

session-ttl Session TTL. integer Minimum 0

value: 0
Maximum
value:
4294967295

shaper Traffic shaper. string Not Specified

shaper- Reverse traffic shaper. string Not Specified

reverse

per-ip-shaper Per-IP traffic shaper. string Not Specified

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

config parameters

Parameter Description Type Size Default

id Parameter tuple ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 75

Fortinet Inc.
config members

Parameter Description Type Size Default

id Parameter. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Parameter name. string Not Specified

value Parameter value. string Not Specified

config application name

Configure application signatures.

config application name
Description: Configure application signatures.
edit <name>
set behavior {user}
set category {integer}
set id {integer}
config metadata
Description: Meta data.
edit <id>
set id {integer}
set metaid {integer}
set valueid {integer}
next
end
set name {string}
config parameters
Description: Application parameters.
edit <name>
set name {string}
set default value {string}
next
end
set popularity {integer}
set protocol {user}
set risk {integer}
set technology {user}
set vendor {user}
set weight {integer}
next
end

FortiOS 7.0.9 CLI Reference 76

Fortinet Inc.
config application name

Parameter Description Type Size Default

behavior Application behavior. user Not Specified

category Application category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

id Application ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Application name. string Not Specified

popularity Application popularity. integer Minimum 0

FortiOS 7.0.9 CLI Reference 77

Fortinet Inc.
Parameter Description Type Size Default

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config parameters

Parameter Description Type Size Default

name Parameter name. string Not

Specified

default value Parameter default value. string Not

Specified

config application rule-settings

Configure application rule settings.

config application rule-settings
Description: Configure application rule settings.
edit <id>
set id {integer}
next
end

config application rule-settings

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 78

Fortinet Inc.
authentication

This section includes syntax for the following commands:

l config authentication rule on page 79
l config authentication scheme on page 81
l config authentication setting on page 83

config authentication rule

Configure Authentication Rules.

config authentication rule
Description: Configure Authentication Rules.
edit <name>
set active-auth-method {string}
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set ip-based [enable|disable]
set name {string}
set protocol [http|ftp|...]
set srcaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set sso-auth-method {string}
set status [enable|disable]
set transaction-based [enable|disable]
set web-auth-cookie [enable|disable]
set web-portal [enable|disable]
next
end

config authentication rule

Parameter Description Type Size Default

active-auth- Select an active authentication method. string Not

method Specified

comments Comment. var-string Not

Specified

dstaddr Select an IPv4 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

FortiOS 7.0.9 CLI Reference 79

Fortinet Inc.
Parameter Description Type Size Default

dstaddr6 Select an IPv6 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

ip-based Enable/disable IP-based authentication. When enabled, option - enable

previously authenticated users from the same IP
address will be exempted.

Option Description

enable Enable IP-based authentication.

disable Disable IP-based authentication.

name Authentication rule name. string Not

Specified

protocol Authentication is required for the selected protocol. option - http

Option Description

http HTTP traffic is matched and authentication is required.

ftp FTP traffic is matched and authentication is required.

socks SOCKS traffic is matched and authentication is required.

ssh SSH traffic is matched and authentication is required.

srcaddr Authentication is required for the selected IPv4 source string Maximum
<name> address. length: 79
Address name.

srcaddr6 Authentication is required for the selected IPv6 source string Maximum
<name> address. length: 79
Address name.

srcintf Incoming (ingress) interface. string Maximum

<name> Interface name. length: 79

sso-auth- Select a single-sign on (SSO) authentication method. string Not

method Specified

status Enable/disable this authentication rule. option - enable

Option Description

enable Enable this authentication rule.

disable Disable this authentication rule.

transaction- Enable/disable transaction based authentication. option - disable

based

FortiOS 7.0.9 CLI Reference 80

config authentication scheme

Configure Authentication Schemes.

config authentication scheme
Description: Configure Authentication Schemes.
edit <name>
set domain-controller {string}
set fsso-agent-for-ntlm {string}
set fsso-guest [enable|disable]
set kerberos-keytab {string}
set method {option1}, {option2}, ...
set name {string}
set negotiate-ntlm [enable|disable]
set require-tfa [enable|disable]
set saml-server {string}
set saml-timeout {integer}
set ssh-ca {string}
set user-cert [enable|disable]
set user-database <name1>, <name2>, ...
next
end

FortiOS 7.0.9 CLI Reference 81

Fortinet Inc.
config authentication scheme

Parameter Description Type Size Default

domain- Domain controller setting. string Not

controller Specified

fsso-agent- FSSO agent to use for NTLM authentication. string Not

for-ntlm Specified

fsso-guest Enable/disable user fsso-guest authentication. option - disable

Option Description

enable Enable user fsso-guest authentication.

disable Disable user fsso-guest authentication.

kerberos- Kerberos keytab setting. string Not

keytab Specified

method Authentication methods. option -

Option Description

ntlm NTLM authentication.

basic Basic HTTP authentication.

digest Digest HTTP authentication.

form Form-based HTTP authentication.

negotiate Negotiate authentication.

fsso Fortinet Single Sign-On (FSSO) authentication.

rsso RADIUS Single Sign-On (RSSO) authentication.

ssh-publickey Public key based SSH authentication.

cert Client certificate authentication.

saml SAML authentication.

name Authentication scheme name. string Not

Specified

negotiate- Enable/disable negotiate authentication for NTLM. option - enable

ntlm

Option Description

enable Enable negotiate authentication for NTLM.

disable Disable negotiate authentication for NTLM.

require-tfa Enable/disable two-factor authentication. option - disable

FortiOS 7.0.9 CLI Reference 82

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable two-factor authentication.

disable Disable two-factor authentication.

saml-server SAML configuration. string Not

Specified

saml-timeout SAML authentication timeout in seconds. integer Minimum 120

value: 30
Maximum
value: 1200

ssh-ca SSH CA name. string Not

Specified

user-cert Enable/disable authentication with user certificate. option - disable

Option Description

enable Enable client certificate field authentication.

disable Disable client certificate field authentication.

user- Authentication server to contain user information; "local" string Maximum

database (default) or "123" (for LDAP). length: 79
<name> Authentication server name.

config authentication setting

Configure authentication setting.

config authentication setting
Description: Configure authentication setting.
set active-auth-scheme {string}
set auth-https [enable|disable]
set captive-portal {string}
set captive-portal-ip {ipv4-address-any}
set captive-portal-ip6 {ipv6-address}
set captive-portal-port {integer}
set captive-portal-ssl-port {integer}
set captive-portal-type [fqdn|ip]
set captive-portal6 {string}
set cert-auth [enable|disable]
set cert-captive-portal {string}
set cert-captive-portal-ip {ipv4-address-any}
set cert-captive-portal-port {integer}
set dev-range <name1>, <name2>, ...
set sso-auth-scheme {string}
set user-cert-ca <name1>, <name2>, ...
end

FortiOS 7.0.9 CLI Reference 83

Fortinet Inc.
config authentication setting

Parameter Description Type Size Default

active-auth- Active authentication method (scheme name). string Not

scheme Specified

auth-https Enable/disable redirecting HTTP user authentication to option - enable

HTTPS.

Option Description

enable Enable setting.

disable Disable setting.

captive-portal Captive portal host name. string Not

Specified

captive- Captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any

captive- Captive portal IPv6 address. ipv6- Not ::

portal-ip6 address Specified

captive- Captive portal port number. integer Minimum 7830

portal-port value: 1
Maximum
value:
65535

captive- Captive portal SSL port number. integer Minimum 7831

portal-ssl-port value: 1
Maximum
value:
65535

captive- Captive portal type. option - fqdn

portal-type

Option Description

fqdn Use FQDN for captive portal.

ip Use an IP address for captive portal.

captive- IPv6 captive portal host name. string Not

portal6 Specified

cert-auth Enable/disable redirecting certificate authentication to option - disable

HTTPS portal.

FortiOS 7.0.9 CLI Reference 84

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

cert-captive- Certificate captive portal host name. string Not

portal Specified

cert-captive- Certificate captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any

cert-captive- Certificate captive portal port number. integer Minimum 7832

portal-port value: 1
Maximum
value:
65535

dev-range Address range for the IP based device query. string Maximum
<name> Address name. length: 79

sso-auth- Single-Sign-On authentication method (scheme name). string Not

scheme Specified

user-cert-ca CA certificate used for client certificate verification. string Maximum **

<name> CA certificate list. length: 79

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 85

Fortinet Inc.
certificate

This section includes syntax for the following commands:

l config certificate ca on page 86
l config certificate crl on page 87
l config certificate local on page 89
l config certificate remote on page 92

config certificate ca

CA certificate.
config certificate ca
Description: CA certificate.
edit <name>
set auto-update-days {integer}
set auto-update-days-warning {integer}
set ca {user}
set ca-identifier {string}
set name {string}
set range [global|vdom]
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set ssl-inspection-trusted [enable|disable]
next
end

config certificate ca

Parameter Description Type Size Default

auto-update- Number of days to wait before requesting an updated integer Minimum 0

days CA certificate. value: 0
Maximum
value:
4294967295

auto-update- Number of days before an expiry-warning message is integer Minimum 0

days-warning generated. value: 0
Maximum
value:
4294967295

ca CA certificate as a PEM file. user Not Specified

FortiOS 7.0.9 CLI Reference 86

Fortinet Inc.
Parameter Description Type Size Default

config certificate crl

Certificate Revocation List as a PEM file.

config certificate crl
Description: Certificate Revocation List as a PEM file.
edit <name>
set crl {user}
set http-url {string}
set ldap-password {password}
set ldap-server {string}
set ldap-username {string}
set name {string}
set range [global|vdom]
set scep-cert {string}
set scep-url {string}

FortiOS 7.0.9 CLI Reference 87

Fortinet Inc.
set source [factory|user|...]
set source-ip {ipv4-address}
set update-interval {integer}
set update-vdom {string}
next
end

config certificate crl

Parameter Description Type Size Default

crl Certificate Revocation List as a PEM file. user Not Specified

http-url HTTP server URL for CRL auto-update. string Not Specified

ldap- LDAP server user password. password Not Specified

password

ldap-server LDAP server name for CRL auto-update. string Not Specified

ldap- LDAP server user name. string Not Specified

username

name Name. string Not Specified

range Either global or VDOM IP address range for the option - global
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-cert Local certificate for SCEP communication for CRL string Not Specified Fortinet_
auto-update. CA_SSL

scep-url SCEP server URL for CRL auto-update. string Not Specified

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for communications to a HTTP or ipv4- Not Specified 0.0.0.0
SCEP CA server. address

update- Time in seconds before the FortiGate checks for an integer Minimum 0
interval updated CRL. Set to 0 to update only when it expires. value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 88

Fortinet Inc.
Parameter Description Type Size Default

update-vdom VDOM for CRL update. string Not Specified root

config certificate local

Local keys and certificates.

config certificate local
Description: Local keys and certificates.
edit <name>
set acme-ca-url {string}
set acme-domain {string}
set acme-email {string}
set acme-renew-window {integer}
set acme-rsa-key-size {integer}
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set ca-identifier {string}
set certificate {user}
set cmp-path {string}
set cmp-regeneration-method [keyupate|renewal]
set cmp-server {string}
set cmp-server-cert {string}
set comments {string}
set csr {user}
set enroll-protocol [none|scep|...]
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set name {string}
set name-encoding [printable|utf8]
set password {password}
set private-key {user}
set range [global|vdom]
set scep-password {password}
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set state {user}
next
end

config certificate local

Parameter Description Type Size Default

acme-ca-url The URL for the ACME CA string Not Specified https://acme-
server. v02.api.letsencrypt.org/directory

acme-domain A valid domain that resolves string Not Specified

to this FortiGate unit.

FortiOS 7.0.9 CLI Reference 89

Fortinet Inc.
Parameter Description Type Size Default

acme-email Contact email address that string Not Specified

is required by some CAs like
LetsEncrypt.

acme-renew- Beginning of the renewal integer Minimum 30

window window. value: 1
Maximum
value: 60

acme-rsa-key- Length of the RSA private integer Minimum 2048

size key of the generated cert value: 2048
(Minimum 2048 bits). Maximum
value: 4096

auto- Number of days to wait integer Minimum 0

regenerate- before expiry of an updated value: 0
days local certificate is requested Maximum
(0 = disabled). value:
4294967295

auto- Number of days to wait integer Minimum 0

regenerate- before an expiry warning value: 0
days-warning message is generated (0 = Maximum
disabled). value:
4294967295

ca-identifier CA identifier of the CA string Not Specified

server for signing via SCEP.

certificate PEM format certificate. user Not Specified

cmp-path Path location inside CMP string Not Specified

server.

cmp- CMP auto-regeneration option - keyupate

regeneration- method.
method

Option Description

keyupate Key Update.

renewal Renewal.

cmp-server Address and port for CMP string Not Specified

server (format =
address:port).

cmp-server-cert CMP server certificate. string Not Specified

comments Comment. string Not Specified

csr Certificate Signing Request. user Not Specified

FortiOS 7.0.9 CLI Reference 90

Fortinet Inc.
Parameter Description Type Size Default

enroll-protocol Certificate enrollment option - none

protocol.

Option Description

none None (default).

scep Simple Certificate Enrollment Protocol.

cmpv2 Certificate Management Protocol Version 2.

acme2 Automated Certificate Management Environment Version 2.

ike-localid Local ID the FortiGate uses string Not Specified

for authentication as a VPN
client.

ike-localid-type IKE local ID type. option - asn1dn

Option Description

asn1dn ASN.1 distinguished name.

fqdn Fully qualified domain name.

name Name. string Not Specified

name-encoding Name encoding method for option - printable

auto-regeneration.

Option Description

printable Printable encoding (default).

utf8 UTF-8 encoding.

password Password as a PEM file. password Not Specified

private-key PEM format key encrypted user Not Specified

with a password.

range Either a global or VDOM IP option - global

address range for the
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

scep-password SCEP server challenge password Not Specified

password for auto-
regeneration.

FortiOS 7.0.9 CLI Reference 91

Fortinet Inc.
Parameter Description Type Size Default

scep-url SCEP server URL. string Not Specified

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

source-ip Source IP address for ipv4- Not Specified 0.0.0.0

communications to the address
SCEP server.

state Certificate Signing Request user Not Specified

State.

config certificate remote

Remote certificate as a PEM file.

config certificate remote
Description: Remote certificate as a PEM file.
edit <name>
set name {string}
set range [global|vdom]
set remote {user}
set source [factory|user|...]
next
end

config certificate remote

Parameter Description Type Size Default

name Name. string Not

Specified

range Either the global or VDOM IP address range for the option - global
remote certificate.

Option Description

global Global range.

vdom VDOM IP address range.

remote Remote certificate. user Not

Specified

FortiOS 7.0.9 CLI Reference 92

Fortinet Inc.
Parameter Description Type Size Default

source Remote certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

FortiOS 7.0.9 CLI Reference 93

Fortinet Inc.
dlp

This section includes syntax for the following commands:

l config dlp filepattern on page 94
l config dlp fp-doc-source on page 97
l config dlp sensitivity on page 100
l config dlp sensor on page 101
l config dlp settings on page 106

config dlp filepattern

Configure file patterns used by DLP blocking.

config dlp filepattern
Description: Configure file patterns used by DLP blocking.
edit <id>
set comment {var-string}
config entries
Description: Configure file patterns used by DLP blocking.
edit <pattern>
set filter-type [pattern|type]
set pattern {string}
set file-type [7z|arj|...]
next
end
set id {integer}
set name {string}
next
end

config dlp filepattern

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table containing the file pattern list. string Not Specified

FortiOS 7.0.9 CLI Reference 94

Fortinet Inc.
config entries

Parameter Description Type Size Default

filter-type Filter by file name pattern or by file type. option - pattern

Option Description

pattern Filter by file name pattern.

type Filter by file type.

pattern Add a file name pattern. string Not

Specified

file-type Select a file type. option - unknown

Option Description

7z Match 7-zip files.

arj Match arj compressed files.

cab Match Windows cab files.

lzh Match lzh compressed files.

rar Match rar archives.

tar Match tar files.

zip Match zip files.

bzip Match bzip files.

gzip Match gzip files.

bzip2 Match bzip2 files.

xz Match xz files.

bat Match Windows batch files.

uue Match uue files.

mime Match mime files.

base64 Match base64 files.

binhex Match binhex files.

elf Match elf files.

exe Match Windows executable files.

hta Match hta files.

html Match html files.

jad Match jad files.

FortiOS 7.0.9 CLI Reference 95

Fortinet Inc.
Parameter Description Type Size Default

Option Description

class Match class files.

cod Match cod files.

javascript Match javascript files.

msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.

msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

fsg Match fsg files.

upx Match upx files.

petite Match petite files.

aspack Match aspack files.

sis Match sis files.

hlp Match Windows help files.

activemime Match activemime files.

jpeg Match jpeg files.

gif Match gif files.

tiff Match tiff files.

png Match png files.

bmp Match bmp files.

unknown Match unknown files.

mpeg Match mpeg files.

mov Match mov files.

mp3 Match mp3 files.

wma Match wma files.

wav Match wav files.

pdf Match Acrobat PDF files.

avi Match avi files.

rm Match rm files.

torrent Match torrent files.

hibun Match special-file-23-support files.

msi Match Windows Installer msi files.

FortiOS 7.0.9 CLI Reference 96

Fortinet Inc.
Parameter Description Type Size Default

Option Description

mach-o Match Mach object files.

dmg Match Apple disk image files.

.net Match .NET files.

xar Match xar archive files.

chm Match Windows compiled HTML help files.

iso Match ISO archive files.

crx Match Chrome extension files.

flac Match flac files.

config dlp fp-doc-source

This command is available for model(s): FortiGate 1000D, FortiGate 101E, FortiGate 101F,
FortiGate 1101E, FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1801F,
FortiGate 2000E, FortiGate 201E, FortiGate 201F, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E,
FortiGate 3700D, FortiGate 3800D, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 4201F, FortiGate 4401F, FortiGate 5001E1, FortiGate 501E, FortiGate 601E,
FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80F Bypass,
FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D,
FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi
80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 1100E,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F,
FortiGate 2200E, FortiGate 300E, FortiGate 3300E, FortiGate 3400E, FortiGate 3500F,
FortiGate 3600E, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E,
FortiGate 4200F, FortiGate 4400F, FortiGate 5001E, FortiGate 500E, FortiGate 600E,
FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 80E-
POE, FortiGate 80E, FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiWiFi 60E DSL,
FortiWiFi 60E.

Create a DLP fingerprint database by allowing the FortiGate to access a file server containing files from which to create
fingerprints.
config dlp fp-doc-source
Description: Create a DLP fingerprint database by allowing the FortiGate to access a
file server containing files from which to create fingerprints.
edit <name>
set date {integer}
set file-path {string}

FortiOS 7.0.9 CLI Reference 97

Fortinet Inc.
set file-pattern {string}
set keep-modified [enable|disable]
set name {string}
set password {password}
set period [none|daily|...]
set remove-deleted [enable|disable]
set scan-on-creation [enable|disable]
set scan-subdirectories [enable|disable]
set sensitivity {string}
set server {string}
set server-type {option}
set tod-hour {integer}
set tod-min {integer}
set username {string}
set vdom [mgmt|current]
set weekday [sunday|monday|...]
next
end

config dlp fp-doc-source

Parameter Description Type Size Default

date Day of the month on which to scan the server. integer Minimum 1
value: 1
Maximum
value: 31

file-path Path on the server to the fingerprint files (max 119 string Not
characters). Specified

file-pattern Files matching this pattern on the server are string Not *
fingerprinted. Optionally use the * and ? wildcards. Specified

keep-modified Enable so that when a file is changed on the server option - enable
the FortiGate keeps the old fingerprint and adds a
new fingerprint to the database.

Option Description

enable Keep the old fingerprint and add a new fingerprint when a file is changed on
the server.

disable Replace the old fingerprint with the new fingerprint when a file is changed on
the server.

name Name of the DLP fingerprint database. string Not

Specified

password Password required to log into the file server. password Not
Specified

period Frequency for which the FortiGate checks the server option - none
for new or changed files.

FortiOS 7.0.9 CLI Reference 98

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none Check the server when the FortiGate starts up.

daily Check the server once a day.

weekly Check the server once a week.

monthly Check the server once a month.

remove-deleted Enable to keep the fingerprint database up to date option - enable

when a file is deleted from the server.

Option Description

enable Keep the fingerprint database up to date when a file is deleted from the
server.

disable Do not check for deleted files on the server. Saves system resources.

scan-on- Enable to keep the fingerprint database up to date option - enable

creation when a file is added or changed on the server.

Option Description

enable Keep the fingerprint database up to date when a file is added or changed on
the server.

disable Do not check for added or changed files on the server. Saves system
resources.

scan- Enable/disable scanning subdirectories to find files to option - enable

subdirectories create fingerprints from.

Option Description

enable Scan subdirectories.

disable Do not scan subdirectories.

sensitivity Select a sensitivity or threat level for matches with string Not
this fingerprint database. Add sensitivities using Specified
sensitivity.

server IPv4 or IPv6 address of the server. string Not

Specified

server-type Protocol used to communicate with the file server. option - samba
Currently only Samba (SMB) servers are supported.

Option Description

samba SAMBA server.

FortiOS 7.0.9 CLI Reference 99

Fortinet Inc.
Parameter Description Type Size Default

tod-hour Hour of the day on which to scan the server. integer Minimum 1
value: 0
Maximum
value: 23

tod-min Minute of the hour on which to scan the server. integer Minimum 0
value: 0
Maximum
value: 59

username User name required to log into the file server. string Not
Specified

vdom Select the VDOM that can communicate with the file option - mgmt
server.

Option Description

mgmt Communicate with the file server through the management VDOM.

current Communicate with the file server through the VDOM containing this DLP
fingerprint database configuration.

weekday Day of the week on which to scan the server. option - sunday

Option Description

sunday Sunday

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

config dlp sensitivity

Create self-explanatory DLP sensitivity levels to be used when setting sensitivity under config fp-doc-source.
config dlp sensitivity
Description: Create self-explanatory DLP sensitivity levels to be used when setting
sensitivity under config fp-doc-source.
edit <name>
set name {string}
next
end

FortiOS 7.0.9 CLI Reference 100

Fortinet Inc.
config dlp sensitivity

Parameter Description Type Size Default

name DLP Sensitivity Levels. string Not

Specified

config dlp sensor

Configure DLP sensors.

config dlp sensor
Description: Configure DLP sensors.
edit <name>
set comment {var-string}
set dlp-log [enable|disable]
set extended-log [enable|disable]
set feature-set [flow|proxy]
config filter
Description: Set up DLP filters for this sensor.
edit <id>
set id {integer}
set name {string}
set severity [info|low|...]
set type [file|message]
set proto {option1}, {option2}, ...
set filter-by [credit-card|ssn|...]
set file-size {integer}
set company-identifier {string}
set sensitivity <name1>, <name2>, ...
set match-percentage {integer}
set file-type {integer}
set regexp {string}
set archive [disable|enable]
set action [allow|log-only|...]
set expiry {user}
next
end
set full-archive-proto {option1}, {option2}, ...
set nac-quar-log [enable|disable]
set name {string}
set replacemsg-group {string}
set summary-proto {option1}, {option2}, ...
next
end

FortiOS 7.0.9 CLI Reference 101

Fortinet Inc.
config dlp sensor

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

dlp-log Enable/disable DLP logging. option - enable

Option Description

enable Enable DLP logging.

disable Disable DLP logging.

extended-log Enable/disable extended logging for data leak option - disable

prevention.

Option Description

enable Enable setting.

disable Disable setting.

feature-set Flow/proxy feature set. option - flow

Option Description

flow Flow feature set.

proxy Proxy feature set.

full-archive- Protocols to always content archive. option -

proto

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

nac-quar-log Enable/disable NAC quarantine logging. option - disable

FortiOS 7.0.9 CLI Reference 102

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable NAC quarantine logging.

disable Disable NAC quarantine logging.

name Name of the DLP sensor. string Not

Specified

replacemsg- Replacement message group used by this DLP sensor. string Not
group Specified

summary- Protocols to always log summary. option -

proto

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

config filter

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Filter name. string Not Specified

severity Select the severity or threat level that matches this option - medium
filter.

FortiOS 7.0.9 CLI Reference 103

Fortinet Inc.
Parameter Description Type Size Default

Option Description

info Informational.

low Low.

medium Medium.

high High.

critical Critical.

type Select whether to check the content of messages (an option - file
email message) or files (downloaded files or email
attachments).

Option Description

file Check the contents of downloaded or attached files.

message Check the contents of email messages, web pages, etc.

proto Check messages or files over one or more of these option -

protocols.

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

filter-by Select the type of content to match. option - credit-card

Option Description

credit-card Match credit cards.

ssn Match social security numbers.

FortiOS 7.0.9 CLI Reference 104

Fortinet Inc.
Parameter Description Type Size Default

Option Description

regexp Use a regular expression to match content.

file-type Match a DLP file pattern list.

file-size Match any file over with a size over the threshold.

fingerprint Match against a fingerprint sensitivity.

watermark Look for defined file watermarks.

encrypted Look for encrypted files.

file-size Match files this size or larger. integer Minimum 10 **

value: 0
Maximum
value:
4294967295

company- Enter a company identifier watermark to match. Only string Not Specified
identifier watermarks that your company has placed on the
files are matched.

sensitivity Select a DLP file pattern sensitivity to match. string Maximum

<name> Select a DLP sensitivity. length: 35

match- Percentage of fingerprints in the fingerprint integer Minimum 10

percentage * databases designated with the selected sensitivity to value: 1
match. Maximum
value: 100

file-type Select the number of a DLP file pattern table to integer Minimum 0
match. value: 0
Maximum
value:
4294967295

regexp Enter a regular expression to match (max. 255 string Not Specified
characters).

archive Enable/disable DLP archiving. option - disable

Option Description

disable No DLP archiving.

enable Enable full DLP archiving.

action Action to take with content that this DLP sensor option - allow
matches.

FortiOS 7.0.9 CLI Reference 105

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the content to pass through the FortiGate and do not create a log
message.

log-only Allow the content to pass through the FortiGate, but write a log message.

block Block the content and write a log message.

quarantine-ip Quarantine all traffic from the IP address and write a log message.

expiry Quarantine duration in days, hours, minutes (format = user Not Specified 5m
dddhhmm).

* This parameter may not exist in some models.

** Values may differ between models.

config dlp settings

Designate logical storage for DLP fingerprint database.

config dlp settings
Description: Designate logical storage for DLP fingerprint database.
set cache-mem-percent {integer}
set chunk-size {integer}
set db-mode [stop-adding|remove-modified-then-oldest|...]
set size {integer}

FortiOS 7.0.9 CLI Reference 106

Fortinet Inc.
set storage-device {string}
end

config dlp settings

Parameter Description Type Size Default

cache-mem- Maximum percentage of available memory allocated integer Minimum 2

percent to caching. value: 1
Maximum
value: 15

chunk-size Maximum fingerprint chunk size. Caution, changing integer Minimum 2800
this setting will flush the entire database. value: 100
Maximum
value: 100000

db-mode Behavior when the maximum size is reached. option - stop-adding

Option Description

stop-adding Stop adding entries.

remove- Remove modified chunks first, then oldest file entries.

modified-then-
oldest

remove-oldest Remove the oldest files first.

size Maximum total size of files within the storage (MB). integer Minimum 16
value: 16
Maximum
value:
4294967295

storage- Storage device name. string Not Specified

device

FortiOS 7.0.9 CLI Reference 107

Fortinet Inc.
dnsfilter

This section includes syntax for the following commands:

l config dnsfilter domain-filter on page 108
l config dnsfilter profile on page 109

config dnsfilter domain-filter

Configure DNS domain filters.

config dnsfilter domain-filter
Description: Configure DNS domain filters.
edit <id>
set comment {var-string}
config entries
Description: DNS domain filter entries.
edit <id>
set id {integer}
set domain {string}
set type [simple|regex|...]
set action [block|allow|...]
set status [enable|disable]
next
end
set id {integer}
set name {string}
next
end

config dnsfilter domain-filter

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Not Specified

FortiOS 7.0.9 CLI Reference 108

Fortinet Inc.
config entries

Parameter Description Type Size Default

id Id. integer Minimum 0

value: 0
Maximum
value:
4294967295

domain Domain entries to be filtered. string Not Specified

type DNS domain filter type. option - simple

Option Description

simple Simple domain string.

regex Regular expression domain string.

wildcard Wildcard domain string.

action Action to take for domain filter matches. option - block

Option Description

block Block DNS requests matching the domain filter.

allow Allow DNS requests matching the domain filter without logging.

monitor Allow DNS requests matching the domain filter with logging.

status Enable/disable this domain filter. option - enable

Option Description

enable Enable this domain filter.

disable Disable this domain filter.

config dnsfilter profile

Configure DNS domain filter profile.

config dnsfilter profile
Description: Configure DNS domain filter profile.
edit <name>
set block-action [block|redirect|...]
set block-botnet [disable|enable]
set comment {var-string}
config dns-translation
Description: DNS translation settings.
edit <id>
set id {integer}
set addr-type [ipv4|ipv6]

FortiOS 7.0.9 CLI Reference 109

Fortinet Inc.
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
set status [enable|disable]
set src6 {ipv6-address}
set dst6 {ipv6-address}
set prefix {integer}
next
end
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
set external-ip-blocklist <name1>, <name2>, ...
config ftgd-dns
Description: FortiGuard DNS Filter settings.
set options {option1}, {option2}, ...
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set id {integer}
set category {integer}
set action [block|monitor]
set log [enable|disable]
next
end
end
set log-all-domain [enable|disable]
set name {string}
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set safe-search [disable|enable]
set sdns-domain-log [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set youtube-restrict [strict|moderate]
next
end

config dnsfilter profile

Parameter Description Type Size Default

block-action Action to take for blocked domains. option - redirect

Option Description

block Return NXDOMAIN for blocked domains.

redirect Redirect blocked domains to SDNS portal.

block-sevrfail Return SERVFAIL for blocked domains.

block-botnet Enable/disable blocking botnet C&C DNS lookups. option - disable

FortiOS 7.0.9 CLI Reference 110

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable blocking botnet C&C DNS lookups.

enable Enable blocking botnet C&C DNS lookups.

comment Comment. var-string Not

Specified

external-ip- One or more external IP block lists. string Maximum

blocklist External domain block list name. length: 79
<name>

log-all-domain Enable/disable logging of all domains visited (detailed option - disable

DNS logging).

Option Description

enable Enable logging of all domains visited.

disable Disable logging of all domains visited.

name Profile name. string Not

Specified

redirect-portal IPv4 address of the SDNS redirect portal. ipv4- Not 0.0.0.0
address Specified

redirect- IPv6 address of the SDNS redirect portal. ipv6- Not ::

portal6 address Specified

safe-search Enable/disable Google, Bing, YouTube, Qwant, option - disable

DuckDuckGo safe search.

Option Description

disable Disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

enable Enable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

sdns-domain- Enable/disable domain filtering and botnet domain option - enable

log logging.

Option Description

enable Enable domain filtering and botnet domain logging.

disable Disable domain filtering and botnet domain logging.

sdns-ftgd-err- Enable/disable FortiGuard SDNS rating error logging. option - enable

log

FortiOS 7.0.9 CLI Reference 111

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable FortiGuard SDNS rating error logging.

disable Disable FortiGuard SDNS rating error logging.

youtube- Set safe search for YouTube restriction level. option - strict
restrict

Option Description

strict Enable strict safe seach for YouTube.

moderate Enable moderate safe search for YouTube.

config dns-translation

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type DNS translation type (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 address type.

ipv6 IPv6 address type.

src IPv4 address or subnet on the internal ipv4- Not Specified 0.0.0.0
network to compare with the resolved address address
in DNS query replies. If the resolved address
matches, the resolved address is substituted
with dst.

dst IPv4 address or subnet on the external ipv4- Not Specified 0.0.0.0
network to substitute for the resolved address address
in DNS query replies. Can be single IP
address or subnet on the external network, but
number of addresses must equal number of
mapped IP addresses in src.

netmask If src and dst are subnets rather than single IP ipv4- Not Specified 255.255.255.255
addresses, enter the netmask for both src and netmask
dst.

status Enable/disable this DNS translation entry. option - enable

FortiOS 7.0.9 CLI Reference 112

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable this DNS translation.

disable Disable this DNS translation.

src6 IPv6 address or subnet on the internal ipv6- Not Specified ::

network to compare with the resolved address address
in DNS query replies. If the resolved address
matches, the resolved address is substituted
with dst6.

dst6 IPv6 address or subnet on the external ipv6- Not Specified ::

network to substitute for the resolved address address
in DNS query replies. Can be single IP
address or subnet on the external network, but
number of addresses must equal number of
mapped IP addresses in src6.

prefix If src6 and dst6 are subnets rather than single integer Minimum 128
IP addresses, enter the prefix for both src6 value: 1
and dst6. Maximum
value: 128

config domain-filter

Parameter Description Type Size Default

domain-filter- DNS domain filter table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

config ftgd-dns

Parameter Description Type Size Default

options FortiGuard DNS filter options. option -

Option Description

error-allow Allow all domains when FortiGuard DNS servers fail.

ftgd-disable Disable FortiGuard DNS domain rating.

FortiOS 7.0.9 CLI Reference 113

Fortinet Inc.
config filters

Parameter Description Type Size Default

id ID number. integer Minimum 0

value: 0
Maximum
value: 255

category Category number. integer Minimum 0

value: 0
Maximum
value: 255

action Action to take for DNS requests matching the category. option - monitor

Option Description

block Block DNS requests matching the category.

monitor Allow DNS requests matching the category and log the result.

log Enable/disable DNS filter logging for this DNS profile. option - enable

Option Description

enable Enable DNS filter logging.

disable Disable DNS filter logging.

FortiOS 7.0.9 CLI Reference 114

Fortinet Inc.
dpdk

This section includes syntax for the following commands:

l config dpdk cpus on page 115
l config dpdk global on page 116

config dpdk cpus

This command is available for model(s): FortiGate VM64.

It is not available for: FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F,
FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F,
FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E,
FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate
400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate
4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate
500E, FortiGate 501E, FortiGate 600E, FortiGate 601E, FortiGate 60E DSLJ, FortiGate 60E
DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F,
FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-
POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE,
FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure CPUs enabled to run engines in each DPDK stage.

config dpdk cpus
Description: Configure CPUs enabled to run engines in each DPDK stage.
set rx-cpus {string}
set vnp-cpus {string}
set ips-cpus {string}
set tx-cpus {string}
set isolated-cpus {string}
end

FortiOS 7.0.9 CLI Reference 115

Fortinet Inc.
config dpdk cpus

Parameter Description Type Size Default

rx-cpus CPUs enabled to run DPDK RX engines. string Not all

Specified

vnp-cpus CPUs enabled to run DPDK VNP engines. string Not all
Specified

ips-cpus CPUs enabled to run DPDK IPS engines. string Not all
Specified

tx-cpus CPUs enabled to run DPDK TX engines. string Not all

Specified

isolated-cpus CPUs isolated to run only the DPDK engines with the string Not none
exception of processes that have affinity explicitly set by Specified
either a user configuration or by their implementation.

config dpdk global

This command is available for model(s): FortiGate VM64.

Configure global DPDK options.

config dpdk global
Description: Configure global DPDK options.
set status [disable|enable]
set interface <interface-name1>, <interface-name2>, ...
set multiqueue [disable|enable]

FortiOS 7.0.9 CLI Reference 116

Fortinet Inc.
set sleep-on-idle [disable|enable]
set elasticbuffer [disable|enable]
set per-session-accounting [disable|traffic-log-only|...]
set ipsec-offload [disable|enable]
set hugepage-percentage {integer}
set mbufpool-percentage {integer}
end

config dpdk global

Parameter Description Type Size Default

status Enable/disable DPDK operation for the entire option - disable

system.

Option Description

disable Disable DPDK operation.

enable Enable DPDK operation. *The minimum system requirements for DPDK is
2 vCPUs and 4GB memory.

interface Physical interfaces that enable DPDK. string Maximum

<interface- Physical interface name. length: 31
name>

multiqueue Enable/disable multi-queue RX/TX support for all option - disable

DPDK ports.

Option Description

disable Disable multi-queue RX/TX support for DPDK ports.

enable Enable multi-queue RX/TX support for DPDK ports.

sleep-on-idle Enable/disable sleep-on-idle support for all FDH option - disable

engines.

Option Description

disable Disable sleep-on-idle support for FDH engines.

enable Enable sleep-on-idle support for FDH engines.

elasticbuffer Enable/disable elasticbuffer support for all DPDK option - disable

ports.

Option Description

disable Disable elasticbuffer support for DPDK ports.

enable Enable elasticbuffer support for DPDK ports.

FortiOS 7.0.9 CLI Reference 117

Fortinet Inc.
Parameter Description Type Size Default

per-session- Enable/disable per-session accounting. option - traffic-log-

accounting only

Option Description

disable Disable per-session accounting.

traffic-log-only Enable per-session accounting only for VNP sessions with traffic logging
turned on in firewall policy.

enable Enable per-session accounting for all VNP sessions. *Affect performance.

ipsec-offload Enable/disable DPDK IPsec phase 2 offloading. option - disable

Option Description

disable Disable DPDK IPsec phase 2 offloading.

enable Enable DPDK IPsec phase 2 offloading.

hugepage- Percentage of main memory allocated to hugepages, integer Minimum 30

percentage which are available for DPDK operation. value: 15
Maximum
value: 50

mbufpool- Percentage of main memory allocated to DPDK integer Minimum 25

percentage packet buffer. value: 10
Maximum
value: 45

FortiOS 7.0.9 CLI Reference 118

Fortinet Inc.
emailfilter

This section includes syntax for the following commands:

l config emailfilter block-allow-list on page 119
l config emailfilter bword on page 121
l config emailfilter dnsbl on page 123
l config emailfilter fortishield on page 124
l config emailfilter iptrust on page 125
l config emailfilter mheader on page 126
l config emailfilter options on page 128
l config emailfilter profile on page 128

config emailfilter block-allow-list

Configure anti-spam block/allow list.

config emailfilter block-allow-list
Description: Configure anti-spam block/allow list.
edit <id>
set comment {var-string}
config entries
Description: Anti-spam block/allow entries.
edit <id>
set status [enable|disable]
set id {integer}
set type [ip|email]
set action [reject|spam|...]
set addr-type [ipv4|ipv6]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
set pattern-type [wildcard|regexp]
set email-pattern {string}
next
end
set id {integer}
set name {string}
next
end

config emailfilter block-allow-list

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

FortiOS 7.0.9 CLI Reference 119

Fortinet Inc.
Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Not Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ipv6 IPv6 Address type.

FortiOS 7.0.9 CLI Reference 120

Fortinet Inc.
Parameter Description Type Size Default

ip4-subnet IPv4 network address/subnet mask bits. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0

ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not Specified ::/128
network

pattern-type Wildcard pattern or regular expression. option - wildcard

Option Description

wildcard Wildcard pattern.

regexp Perl regular expression.

email-pattern Email address pattern. string Not Specified

config emailfilter bword

Configure AntiSpam banned word list.

config emailfilter bword
Description: Configure AntiSpam banned word list.
edit <id>
set comment {var-string}
config entries
Description: Spam filter banned word.
edit <id>
set status [enable|disable]
set id {integer}
set pattern {string}
set pattern-type [wildcard|regexp]
set action [spam|clear]
set where [subject|body|...]
set language [western|simch|...]
set score {integer}
next
end
set id {integer}
set name {string}
next
end

config emailfilter bword

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

FortiOS 7.0.9 CLI Reference 121

Fortinet Inc.
Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Not Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Banned word entry ID. integer Minimum 0

subject Banned word in email subject.

body Banned word in email body.

all Banned word in both subject and body.

FortiOS 7.0.9 CLI Reference 122

Fortinet Inc.
Parameter Description Type Size Default

language Language for the banned word. option - western

Option Description

western Western.

simch Simplified Chinese.

trach Traditional Chinese.

japanese Japanese.

korean Korean.

french French.

thai Thai.

spanish Spanish.

score Score value. integer Minimum 10

value: 1
Maximum
value: 99999

config emailfilter dnsbl

Configure AntiSpam DNSBL/ORBL.

config emailfilter dnsbl
Description: Configure AntiSpam DNSBL/ORBL.
edit <id>
set comment {var-string}
config entries
Description: Spam filter DNSBL and ORBL server.
edit <id>
set status [enable|disable]
set id {integer}
set server {string}
set action [reject|spam]
next
end
set id {integer}
set name {string}
next
end

FortiOS 7.0.9 CLI Reference 123

Fortinet Inc.
config emailfilter dnsbl

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Not Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id DNSBL/ORBL entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

server DNSBL or ORBL server name. string Not Specified

action Reject connection or mark as spam email. option - spam

Option Description

reject Reject the connection.

spam Mark as spam email.

config emailfilter fortishield

Configure FortiGuard - AntiSpam.

config emailfilter fortishield
Description: Configure FortiGuard - AntiSpam.
set spam-submit-force [enable|disable]
set spam-submit-srv {string}
set spam-submit-txt2htm [enable|disable]
end

FortiOS 7.0.9 CLI Reference 124

Fortinet Inc.
config emailfilter fortishield

Parameter Description Type Size Default

spam-submit- Enable/disable force insertion of a new mime option - enable

force entity for the submission text.

Option Description

enable Enable setting.

disable Disable setting.

spam-submit- Hostname of the spam submission server. string Not www.nospammer.net

srv Specified

spam-submit- Enable/disable conversion of text email to option - enable

txt2htm HTML email.

Option Description

enable Enable setting.

disable Disable setting.

config emailfilter iptrust

Configure AntiSpam IP trust.

config emailfilter iptrust
Description: Configure AntiSpam IP trust.
edit <id>
set comment {var-string}
config entries
Description: Spam filter trusted IP addresses.
edit <id>
set status [enable|disable]
set id {integer}
set addr-type [ipv4|ipv6]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
next
end
set id {integer}
set name {string}
next
end

FortiOS 7.0.9 CLI Reference 125

Fortinet Inc.
config emailfilter iptrust

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Not Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Trusted IP entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ipv4

Option Description

ipv4 IPv4 Address type.

ipv6 IPv6 Address type.

ip4-subnet IPv4 network address or network address/subnet ipv4- Not Specified 0.0.0.0
mask bits. classnet 0.0.0.0

ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not Specified ::/128
network

config emailfilter mheader

Configure AntiSpam MIME header.

config emailfilter mheader
Description: Configure AntiSpam MIME header.
edit <id>

FortiOS 7.0.9 CLI Reference 126

Fortinet Inc.
set comment {var-string}
config entries
Description: Spam filter mime header content.
edit <id>
set status [enable|disable]
set id {integer}
set fieldname {string}
set fieldbody {string}
set pattern-type [wildcard|regexp]
set action [spam|clear]
next
end
set id {integer}
set name {string}
next
end

config emailfilter mheader

Parameter Description Type Size Default

comment Optional comments. var-string Not Specified

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Name of table. string Not Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

id Mime header entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

fieldname Pattern for header field name. string Not Specified

fieldbody Pattern for the header field body. string Not Specified

FortiOS 7.0.9 CLI Reference 127

Fortinet Inc.
Parameter Description Type Size Default

pattern-type Wildcard pattern or regular expression. option - wildcard

Option Description

wildcard Wildcard pattern.

regexp Perl regular expression.

action Mark spam or good. option - spam

Option Description

spam Mark as spam email.

clear Mark as good email.

config emailfilter options

Configure AntiSpam options.

config emailfilter options
Description: Configure AntiSpam options.
set dns-timeout {integer}
end

config emailfilter options

Parameter Description Type Size Default

dns-timeout DNS query time out. integer Minimum 7

value: 1
Maximum
value: 30

config emailfilter profile

Configure Email Filter profiles.

config emailfilter profile
Description: Configure Email Filter profiles.
edit <name>
set comment {var-string}
set external [enable|disable]
set feature-set [flow|proxy]
config gmail
Description: Gmail.
set log-all [disable|enable]
end
config imap

FortiOS 7.0.9 CLI Reference 128

Fortinet Inc.
Description: IMAP.
set log-all [disable|enable]
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
config mapi
Description: MAPI.
set log-all [disable|enable]
set action [pass|discard]
end
config msn-hotmail
Description: MSN Hotmail.
set log-all [disable|enable]
end
set name {string}
set options {option1}, {option2}, ...
config other-webmails
Description: Other supported webmails.
set log-all [disable|enable]
end
config pop3
Description: POP3.
set log-all [disable|enable]
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
set replacemsg-group {string}
config smtp
Description: SMTP.
set log-all [disable|enable]
set action [pass|tag|...]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
set hdrip [disable|enable]
set local-override [disable|enable]
end
set spam-bal-table {integer}
set spam-bword-table {integer}
set spam-bword-threshold {integer}
set spam-filtering [enable|disable]
set spam-iptrust-table {integer}
set spam-log [disable|enable]
set spam-log-fortiguard-response [disable|enable]
set spam-mheader-table {integer}
set spam-rbl-table {integer}
config yahoo-mail
Description: Yahoo! Mail.
set log-all [disable|enable]
end
next
end

FortiOS 7.0.9 CLI Reference 129

Fortinet Inc.
config emailfilter profile

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 130

Fortinet Inc.
Parameter Description Type Size Default

spam-bword- Anti-spam banned word table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

spam-bword- Spam banned word threshold. integer Minimum 10

threshold value: 0
Maximum
value:
2147483647

spam-filtering Enable/disable spam filtering. option - disable

Option Description

enable Enable setting.

disable Disable setting.

spam-iptrust- Anti-spam IP trust table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

spam-log Enable/disable spam logging for email filtering. option - enable

Option Description

disable Disable spam logging for email filtering.

enable Enable spam logging for email filtering.

spam-log- Enable/disable logging FortiGuard spam response. option - disable

fortiguard-
response

Option Description

disable Disable logging FortiGuard spam response.

enable Enable logging FortiGuard spam response.

spam- Anti-spam MIME header table ID. integer Minimum 0

mheader-table value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 131

Fortinet Inc.
Parameter Description Type Size Default

spam-rbl-table Anti-spam DNSBL table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config gmail

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

config imap

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - tag

Option Description

pass Allow spam email to pass through.

tag Tag spam email with configured text in subject or header.

tag-type Tag subject or header for spam email. option - subject

spaminfo

Option Description

subject Prepend text to spam email subject.

header Append a user defined mime header to spam email.

spaminfo Append spam info to spam email header.

tag-msg Subject text or header added to spam email. string Not Spam
Specified

FortiOS 7.0.9 CLI Reference 132

Fortinet Inc.
config mapi

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

FortiOS 7.0.9 CLI Reference 133

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - tag

Option Description

pass Allow spam email to pass through.

tag Tag spam email with configured text in subject or header.

tag-type Tag subject or header for spam email. option - subject

spaminfo

Option Description

subject Prepend text to spam email subject.

header Append a user defined mime header to spam email.

spaminfo Append spam info to spam email header.

tag-msg Subject text or header added to spam email. string Not Spam
Specified

config smtp

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - discard

Option Description

pass Allow spam email to pass through.

tag Tag spam email with configured text in subject or header.

discard Discard (block) spam email.

tag-type Tag subject or header for spam email. option - subject

spaminfo

FortiOS 7.0.9 CLI Reference 134

Fortinet Inc.
Parameter Description Type Size Default

Option Description

subject Prepend text to spam email subject.

header Append a user defined mime header to spam email.

spaminfo Append spam info to spam email header.

tag-msg Subject text or header added to spam email. string Not Spam
Specified

hdrip Enable/disable SMTP email header IP checks for option - disable

spamfsip, spamrbl, and spambal filters.

Option Description

disable Disable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.

enable Enable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.

local-override Enable/disable local filter to override SMTP remote option - disable

check result.

Option Description

disable Disable local filter to override SMTP remote check result.

enable Enable local filter to override SMTP remote check result.

config yahoo-mail

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

FortiOS 7.0.9 CLI Reference 135

Fortinet Inc.
endpoint-control

This section includes syntax for the following commands:

l config endpoint-control fctems on page 136

config endpoint-control fctems

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems
Description: Configure FortiClient Enterprise Management Server (EMS) entries.
edit <ems-id>
set call-timeout {integer}
set capabilities {option1}, {option2}, ...
set cloud-server-type [production|alpha|...]
set dirty-reason [none|mismatched-ems-sn]
set ems-id {integer}
set fortinetone-cloud-authentication [enable|disable]
set https-port {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set name {string}
set out-of-sync-threshold {integer}
set preserve-ssl-session [enable|disable]
set pull-avatars [enable|disable]
set pull-malware-hash [enable|disable]
set pull-sysinfo [enable|disable]
set pull-tags [enable|disable]
set pull-vulnerabilities [enable|disable]
set serial-number {string}
set server {string}
set source-ip {ipv4-address-any}
set status [enable|disable]
set websocket-override [disable|enable]
next
end

config endpoint-control fctems

Parameter Description Type Size Default

call-timeout FortiClient EMS call timeout in seconds. integer Minimum 30

value: 1
Maximum
value: 180

capabilities List of EMS capabilities. option -

FortiOS 7.0.9 CLI Reference 136

Fortinet Inc.
Parameter Description Type Size Default

Option Description

fabric-auth Allow this FortiGate unit to load the authentication page provided by EMS to
authenticate itself with EMS.

silent-approval Allow silent approval of non-root or FortiGate HA clusters on EMS in the

Security Fabric.

websocket Enable/disable websockets for this FortiGate unit. Override behavior using
websocket-override.

websocket- Allow this FortiGate unit to request malware hash notifications over
malware websocket.

push-ca-certs Enable/disable syncing deep inspection certificates with EMS.

common-tags- Can recieve tag information from New Common Tags API from EMS.
api

cloud-server- Cloud server type. option - production

type

Option Description

production Production FortiClient EMS Cloud Controller.

alpha Alpha FortiClient EMS Cloud Controller. For testing only.

beta Beta FortiClient EMS Cloud Controller. For testing only.

dirty-reason Dirty Reason for FortiClient EMS. option - none

Option Description

none FortiClient EMS entry not dirty.

mismatched- FortiClient EMS entry dirty because EMS SN is mismatched with configured
ems-sn SN.

ems-id EMS ID in order integer Minimum 0

value: 1
Maximum
value: 5

fortinetone- Enable/disable authentication of FortiClient EMS option - disable

cloud- Cloud through FortiCloud account.
authentication

Option Description

enable Enable authentication of FortiClient EMS Cloud through the use of

FortiCloud account.

FortiOS 7.0.9 CLI Reference 137

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable authentication of FortiClient EMS Cloud through the use of

FortiCloud account.

https-port FortiClient EMS HTTPS access port number.. integer Minimum 443
value: 1
Maximum
value:
65535

interface Specify outgoing interface to reach server. string Not

Specified

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

name FortiClient Enterprise Management Server (EMS) string Not

name. Specified

out-of-sync- Outdated resource threshold in seconds. integer Minimum 180

threshold value: 10
Maximum
value: 3600

preserve-ssl- Enable/disable preservation of EMS SSL session option - disable

session connection. Warning, most users should not touch
this setting.

Option Description

enable Allow preservation of EMS SSL session connection.

disable Don't allow preservation of EMS SSL session connection.

pull-avatars Enable/disable pulling avatars from EMS. option - enable

Option Description

enable Enable pulling FortiClient user avatars from EMS.

disable Disable pulling FortiClient user avatars from EMS.

FortiOS 7.0.9 CLI Reference 138

Fortinet Inc.
Parameter Description Type Size Default

pull-malware- Enable/disable pulling FortiClient malware hash from option - enable

hash EMS.

Option Description

enable Enable pulling FortiClient malware hash from EMS.

disable Disable pulling FortiClient malware hash from EMS.

pull-sysinfo Enable/disable pulling SysInfo from EMS. option - enable

server FortiClient EMS FQDN or IPv4 address. string Not

Specified

source-ip REST API call source IP. ipv4- Not 0.0.0.0

address- Specified
any

status Enable or disable this EMS configuration. option - disable

Option Description

enable Enable EMS configuration and operation.

disable Disable EMS configuration and operation.

FortiOS 7.0.9 CLI Reference 139

Fortinet Inc.
Parameter Description Type Size Default

websocket- Enable/disable override behavior for how this option - disable

override FortiGate unit connects to EMS using a WebSocket
connection.

Option Description

disable Do not override the WebSocket connection. Connect to WebSocket of this

EMS server if it is capable (default).

enable Override the WebSocket connection. Do not connect to WebSocket even if

EMS is capable of a WebSocket connection.

FortiOS 7.0.9 CLI Reference 140

Fortinet Inc.
extender

This section includes syntax for the following commands:

l config extender extender-info on page 141
l config extender lte-carrier-by-mcc-mnc on page 141
l config extender lte-carrier-list on page 142
l config extender modem-status on page 142
l config extender session-info on page 142
l config extender sys-info on page 142

config extender extender-info

Display FortiExtender struct information.

config extender extender-info
Description: Display FortiExtender struct information.
set <sn> {string}
end

config extender extender-info

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Not

Specified

config extender lte-carrier-by-mcc-mnc

Display FortiExtender modem carrier based on MCC and MNC.

config extender lte-carrier-by-mcc-mnc
Description: Display FortiExtender modem carrier based on MCC and MNC.
set <sn> {string}
end

config extender lte-carrier-by-mcc-mnc

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Not

Specified

FortiOS 7.0.9 CLI Reference 141

Fortinet Inc.
config extender lte-carrier-list

Display FortiExtender modem carrier list.

config extender lte-carrier-list
Description: Display FortiExtender modem carrier list.
set <sn> {string}
end

config extender lte-carrier-list

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Not

Specified

config extender modem-status

Display detailed FortiExtender modem status.

config extender modem-status
Description: Display detailed FortiExtender modem status.
set <sn> {string}
end

config extender modem-status

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Not

Specified

config extender session-info

Display FortiExtender session information.

config extender session-info
Description: Display FortiExtender session information.
end

config extender sys-info

Display detailed FortiExtender system information.

config extender sys-info
Description: Display detailed FortiExtender system information.
set <sn> {string}
end

FortiOS 7.0.9 CLI Reference 142

Fortinet Inc.
config extender sys-info

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Not

Specified

FortiOS 7.0.9 CLI Reference 143

Fortinet Inc.
extender-controller

This section includes syntax for the following commands:

l config extender-controller dataplan on page 144
l config extender-controller extender-profile on page 147
l config extender-controller extender on page 158

config extender-controller dataplan

FortiExtender dataplan configuration.

config extender-controller dataplan
Description: FortiExtender dataplan configuration.
edit <name>
set apn {string}
set auth-type [none|pap|...]
set billing-date {integer}
set capacity {integer}
set carrier {string}
set iccid {string}
set modem-id [modem1|modem2|...]
set monthly-fee {integer}
set name {string}
set overage [disable|enable]
set password {password}
set pdn [ipv4-only|ipv6-only|...]
set preferred-subnet {integer}
set private-network [disable|enable]
set signal-period {integer}
set signal-threshold {integer}
set slot [sim1|sim2]
set type [carrier|slot|...]
set username {string}
next
end

config extender-controller dataplan

Parameter Description Type Size Default

apn APN configuration. string Not Specified

auth-type Authentication type. option - none

FortiOS 7.0.9 CLI Reference 144

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none No authentication.

pap PAP.

chap CHAP.

billing-date Billing day of the month. integer Minimum 1

value: 1
Maximum
value: 31

capacity Capacity in MB. integer Minimum 0

value: 0
Maximum
value:
102400000

carrier Carrier configuration. string Not Specified

iccid ICCID configuration. string Not Specified

modem-id Dataplan's modem specifics, if any. option - all

Option Description

modem1 Modem one.

modem2 Modem two.

all All modems.

monthly-fee Monthly fee of dataplan. integer Minimum 0

value: 0
Maximum
value:
1000000

name FortiExtender data plan name. string Not Specified

overage Enable/disable dataplan overage detection. option - disable

Option Description

disable Disable dataplan overage detection.

enable Enable dataplan overage detection.

password Password. password Not Specified

pdn PDN type. option - ipv4-only

FortiOS 7.0.9 CLI Reference 145

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ipv4-only IPv4 only PDN activation.

ipv6-only IPv6 only PDN activation.

ipv4-ipv6 Both IPv4 and IPv6 PDN activations.

preferred- Preferred subnet mask. integer Minimum 0

subnet value: 0
Maximum
value: 32

private- Enable/disable dataplan private network support. option - disable

network

Option Description

disable Disable dataplan private network support.

enable Enable dataplan private network support.

signal-period Signal period (600 to 18000 seconds). integer Minimum 3600

value: 600
Maximum
value: 18000

signal- Signal threshold. Specify the range between 50 - 100, integer Minimum 100
threshold where 50/100 means -50/-100 dBm. value: 50
Maximum
value: 100

slot SIM slot configuration. option -

Option Description

sim1 Sim slot one.

sim2 Sim slot two.

type Type preferences configuration. option - generic

Option Description

carrier Assign by SIM carrier.

slot Assign to SIM slot 1 or 2.

iccid Assign to a specific SIM by ICCID.

generic Compatible with any SIM. Assigned if no other dataplan matches the chosen
SIM.

username Username. string Not Specified

FortiOS 7.0.9 CLI Reference 146

Fortinet Inc.
config extender-controller extender-profile

FortiExtender extender profile configuration.

config extender-controller extender-profile
Description: FortiExtender extender profile configuration.
edit <name>
set allowaccess {option1}, {option2}, ...
set bandwidth-limit {integer}
config cellular
Description: FortiExtender cellular configuration.
set dataplan <name1>, <name2>, ...
config controller-report
Description: FortiExtender controller report configuration.
set status [disable|enable]
set interval {integer}
set signal-threshold {integer}
end
config sms-notification
Description: FortiExtender cellular SMS notification configuration.
set status [disable|enable]
config alert
Description: SMS alert list.
set system-reboot {string}
set data-exhausted {string}
set session-disconnect {string}
set low-signal-strength {string}
set os-image-fallback {string}
set mode-switch {string}
set fgt-backup-mode-switch {string}
end
config receiver
Description: SMS notification receiver list.
edit <name>
set name {string}
set status [disable|enable]
set phone-number {string}
set alert {option1}, {option2}, ...
next
end
end
config modem1
Description: Configuration options for modem 1.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim2-pin [disable|enable]
set sim1-pin-code {password}
set sim2-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]

FortiOS 7.0.9 CLI Reference 147

Fortinet Inc.
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
config modem2
Description: Configuration options for modem 2.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim2-pin [disable|enable]
set sim1-pin-code {password}
set sim2-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
end
set enforce-bandwidth [enable|disable]
set extension [wan-extension|lan-extension]
set id {integer}
config lan-extension
Description: FortiExtender lan extension configuration.
set link-loadbalance [activebackup|loadbalance]
set ipsec-tunnel {string}
set backhaul-interface {string}
set backhaul-ip {string}
config backhaul
Description: LAN extension backhaul tunnel configuration.
edit <name>
set name {string}
set port [wan|lte1|...]
set role [primary|secondary]
set weight {integer}
next
end
end
set login-password {password}
set login-password-change [yes|default|...]
set model [FX201E|FX211E|...]

FortiOS 7.0.9 CLI Reference 148

Fortinet Inc.
set name {string}
next
end

config extender-controller extender-profile

Parameter Description Type Size Default

allowaccess Control management access to the managed option -

extender. Separate entries with a space.

Option Description

ping PING access.

telnet TELNET access.

http HTTP access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000

enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.

Option Description

enable Enable to enforce bandwidth limit on LAN extension interface.

disable Disable to enforce bandwidth limit on LAN extension interface.

extension Extension option. option - wan-

extension

Option Description

wan-extension WAN extension.

lan-extension LAN extension.

id ID. integer Minimum 32

value: 0
Maximum
value:
102400000

FortiOS 7.0.9 CLI Reference 149

Fortinet Inc.
Parameter Description Type Size Default

login- Change or reset the administrator password of a option - no

password- managed extender.
change

Option Description

yes Change the managed extender's administrator password. Use the login-
password option to set the password.

default Keep the managed extender's administrator password set to the factory
default.

no Do not change the managed extender's administrator password.

model Model. option - FX201E

Option Description

FX201E FEX-201E model.

FX211E FEX-211E model.

FX200F FEX-200F model.

FXA11F FEX-101F-AM model.

FXE11F FEX-101F-EA model.

FXA21F FEX-201F-AM model.

FXE21F FEX-201F-EA model.

FXA22F FEX-202F-AM model.

FXE22F FEX-202F-EA model.

FX212F FEX-212F model.

FX311F FEX-311F model.

FX312F FEX-312F model.

FX511F FEX-511F model.

FVG21F FEV-211F model.

FVA21F FEV-211F-AM model.

FVG22F FEV-212F model.

FVA22F FEV-212F-AM model.

FX04DA FX40D-AMEU model.

FortiOS 7.0.9 CLI Reference 150

Fortinet Inc.
Parameter Description Type Size Default

Option Description

FX04DN FX40D-NAM model,

FX04DI FX40D-INTL model,

name FortiExtender profile name. string Not Specified

config cellular

Parameter Description Type Size Default

dataplan Dataplan names. string Maximum

<name> Dataplan name. length: 79

config controller-report

Parameter Description Type Size Default

status FortiExtender controller report status. option - disable

Option Description

disable Controller is configured to not provide service to this FortiExtender.

enable Controller is configured to provide service to this FortiExtender.

interval Controller report interval. integer Minimum 300

value: 0
Maximum
value:
4294967295

signal- Controller report signal threshold. integer Minimum 10

threshold value: 10
Maximum
value: 50

config sms-notification

Parameter Description Type Size Default

status FortiExtender SMS notification status. option - disable

Option Description

disable SMS notification is configured to not provide service to this FortiExtender.

enable SMS notification is configured to provide service to this FortiExtender.

FortiOS 7.0.9 CLI Reference 151

Fortinet Inc.
config alert

Parameter Description Type Size Default

system- Display string when system rebooted. string Not system will
reboot Specified reboot

data- Display string when data exhausted. string Not data plan is
exhausted Specified exhausted

session- Display string when session disconnected. string Not LTE data
disconnect Specified session is
disconnected

low-signal- Display string when signal strength is low. string Not LTE signal
strength Specified strength is too
low

os-image- Display string when falling back to a previous OS string Not system start to
fallback image. Specified fallback OS
image

mode-switch Display string when mode is switched. string Not system

Specified networking
mode switched

fgt-backup- Display string when FortiGate backup mode string Not FortiGate
mode-switch switched. Specified backup work
mode switched

config receiver

Parameter Description Type Size Default

name FortiExtender SMS notification receiver name. string Not

Specified

status SMS notification receiver status. option - disable

Option Description

disable Disable SMS notification receiver.

enable Enable SMS notification receiver.

phone- Receiver phone number. Format: [+][country code][area string Not

number code][local phone number]. For example, Specified
+16501234567.

alert Alert multi-options. option -

Option Description

system-reboot System will reboot.

FortiOS 7.0.9 CLI Reference 152

Fortinet Inc.
Parameter Description Type Size Default

Option Description

data-exhausted Data plan is exhausted.

session- LTE data session is disconnected.

disconnect

low-signal- LTE signal strength is too low.

strength

mode-switch System is starting to use fallback OS image.

os-image- System networking mode switched.

fallback

fgt-backup- FortiGate backup work mode switched.

mode-switch

config modem1

Parameter Description Type Size Default

redundant- FortiExtender mode. option - disable

mode

Option Description

disable Disable interface redundancy.

enable Enable interface redundancy.

redundant-intf Redundant interface. string Not Specified

conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

default-sim Default SIM selection. option - sim1

Option Description

sim1 Use SIM #1 by default.

sim2 Use SIM #2 by default.

carrier Assign default SIM based on carrier.

cost Assign default SIM based on cost.

disable Disable SIM #2 PIN.

enable Enable SIM #2 PIN.

sim1-pin-code SIM #1 PIN password. password Not Specified

sim2-pin-code SIM #2 PIN password. password Not Specified

preferred- Preferred carrier. string Not Specified

carrier

config auto-switch

Parameter Description Type Size Default

disconnect Auto switch by disconnect. option - disable

Option Description

disable Disable switching of SIM card based on cellular disconnections.

enable Enable switching of SIM card based on cellular disconnections.

disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000

signal Automatically switch based on signal strength. option - disable

FortiOS 7.0.9 CLI Reference 154

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable switching of SIM card based on cellular signal quality.

enable Enable switching of SIM card based on cellular signal quality.

dataplan Automatically switch based on data usage. option - disable

Option Description

disable Disable switching of SIM card based on cellular data usage.

enable Enable switching of SIM card based on cellular data usage.

switch-back Auto switch with switch back multi-options. option -

Option Description

time Switch back based on specific time in UTC (HH:MM).

timer Switch back based on an interval.

switch-back- Automatically switch over to preferred SIM/carrier at a string Not Specified 00:01
time specified time in UTC (HH:MM).

switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time. value: 3600
Maximum
value:
2147483647

config modem2

Parameter Description Type Size Default

redundant- FortiExtender mode. option - disable

mode

Option Description

disable Disable interface redundancy.

enable Enable interface redundancy.

redundant-intf Redundant interface. string Not Specified

conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 155

Fortinet Inc.
Parameter Description Type Size Default

default-sim Default SIM selection. option - sim1

Option Description

sim1 Use SIM #1 by default.

sim2 Use SIM #2 by default.

carrier Assign default SIM based on carrier.

cost Assign default SIM based on cost.

gps FortiExtender GPS enable/disable. option - enable

Option Description

disable Disable GPS.

enable Enable GPS.

sim1-pin SIM #1 PIN status. option - disable

Option Description

disable Disable SIM #1 PIN.

enable Enable SIM #1 PIN.

sim2-pin SIM #2 PIN status. option - disable

Option Description

disable Disable SIM #2 PIN.

enable Enable SIM #2 PIN.

sim1-pin-code SIM #1 PIN password. password Not Specified

sim2-pin-code SIM #2 PIN password. password Not Specified

preferred- Preferred carrier. string Not Specified

carrier

config auto-switch

Parameter Description Type Size Default

disconnect Auto switch by disconnect. option - disable

disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

FortiOS 7.0.9 CLI Reference 156

Fortinet Inc.
Parameter Description Type Size Default

disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000

signal Automatically switch based on signal strength. option - disable

dataplan Automatically switch based on data usage. option - disable

switch-back Auto switch with switch back multi-options. option -

switch-back- Automatically switch over to preferred SIM/carrier at a string Not Specified 00:01
time specified time in UTC (HH:MM).

switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time. value: 3600
Maximum
value:
2147483647

config lan-extension

Parameter Description Type Size Default

link- LAN extension link load balance strategy. option - activebackup

loadbalance

Option Description

activebackup FortiExtender LAN extension active-backup.

loadbalance FortiExtender LAN extension load-balance.

ipsec-tunnel IPsec tunnel name. string Not

Specified

backhaul- IPsec phase1 interface. string Not

interface Specified

backhaul-ip IPsec phase1 IPv4/FQDN. Used to specify the string Not

external IP/FQDN when the FortiGate unit is behind Specified
a NAT device.

config backhaul

Parameter Description Type Size Default

name FortiExtender LAN extension backhaul name. string Not

Specified

port FortiExtender uplink port. option - wan

FortiOS 7.0.9 CLI Reference 157

Fortinet Inc.
Parameter Description Type Size Default

Option Description

wan FortiExtender WAN port.

lte1 FortiExtender LTE1 port.

lte2 FortiExtender LTE2 port.

port1 FortiExtender port1 port.

port2 FortiExtender port2 port.

port3 FortiExtender port3 port.

port4 FortiExtender port4 port.

port5 FortiExtender port5 port.

sfp FortiExtender SFP port.

role FortiExtender uplink port. option - primary

Option Description

primary FortiExtender LAN extension primary role.

secondary FortiExtender LAN extension secondary role.

weight WRR weight parameter. integer Minimum 1

value: 1
Maximum
value: 256

config extender-controller extender

Extender controller configuration.

config extender-controller extender
Description: Extender controller configuration.
edit <name>
set allowaccess {option1}, {option2}, ...
set authorized [disable|enable]
set bandwidth-limit {integer}
set description {string}
set device-id {integer}
set enforce-bandwidth [enable|disable]
set ext-name {string}
set extension-type [wan-extension|lan-extension]
set id {string}
set login-password {password}
set login-password-change [yes|default|...]
set name {string}
set override-allowaccess [enable|disable]
set override-enforce-bandwidth [enable|disable]

FortiOS 7.0.9 CLI Reference 158

Fortinet Inc.
set override-login-password-change [enable|disable]
set profile {string}
set vdom {integer}
config wan-extension
Description: FortiExtender wan extension configuration.
set modem1-extension {string}
set modem2-extension {string}
end
next
end

config extender-controller extender

Parameter Description Type Size Default

allowaccess Control management access to the managed option -

extender. Separate entries with a space.

Option Description

ping PING access.

telnet TELNET access.

http HTTP access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

authorized FortiExtender Administration (enable or disable). option - disable

Option Description

disable Controller is configured to not provide service to this FortiExtender.

enable Controller is configured to provide service to this FortiExtender.

bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000

description Description. string Not Specified

device-id Device ID. integer Minimum 1024

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 159

Fortinet Inc.
Parameter Description Type Size Default

enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.

Option Description

enable Enable to enforce bandwidth limit on LAN extension interface.

disable Disable to enforce bandwidth limit on LAN extension interface.

ext-name FortiExtender name. string Not Specified

extension-type Extension type for this FortiExtender. option -

Option Description

wan-extension FortiExtender wan-extension.

lan-extension FortiExtender lan-extension.

id FortiExtender serial number. string Not Specified

login- Change or reset the administrator password of a option - no

password- managed extender.
change

Option Description

yes Change the managed extender's administrator password. Use the login-
password option to set the password.

default Keep the managed extender's administrator password set to the factory
default.

no Do not change the managed extender's administrator password.

name FortiExtender entry name. string Not Specified

override- Enable to override the extender profile management option - disable

allowaccess access configuration.

Option Description

enable Override the extender profile management access configuration.

disable Use the extender profile management access configuration.

override- Enable to override the extender profile enforce- option - disable

enforce- bandwidth setting.
bandwidth

FortiOS 7.0.9 CLI Reference 160

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable override of FortiExtender profile bandwidth setting.

disable Disable override of FortiExtender profile bandwidth setting.

override-login- Enable to override the extender profile login- option - disable

password- password (administrator password) setting.
change

Option Description

enable Override the WTP profile login-password (administrator password) setting.

disable Use the the WTP profile login-password (administrator password) setting.

profile FortiExtender profile configuration. string Not Specified

vdom VDOM. integer Minimum 0

value: 0
Maximum
value:
4294967295

config wan-extension

Parameter Description Type Size Default

modem1- FortiExtender interface name. string Not

extension Specified

modem2- FortiExtender interface name. string Not

extension Specified

FortiOS 7.0.9 CLI Reference 161

Fortinet Inc.
file-filter

This section includes syntax for the following commands:

l config file-filter profile on page 162

config file-filter profile

disable Disable logging.

enable Enable logging.

name Profile name. string Not

Specified

replacemsg- Replacement message group. string Not

group Specified

scan-archive- Enable/disable archive contents scan. option - enable

contents

Option Description

disable Disable scanning archive contents.

enable Enable scanning archive contents.

config rules

Parameter Description Type Size Default

name File-filter rule name. string Not

Specified

comment Comment. var-string Not

Specified

protocol Protocols to apply rule to. option - http ftp

smtp imap
pop3 mapi
cifs ssh

Option Description

http Filter on HTTP.

ftp Filter on FTP.

FortiOS 7.0.9 CLI Reference 163

Fortinet Inc.
Parameter Description Type Size Default

Option Description

smtp Filter on SMTP.

imap Filter on IMAP.

pop3 Filter on POP3.

mapi Filter on MAPI. (Proxy mode only.)

cifs Filter on CIFS.

ssh Filter on SFTP and SCP. (Proxy mode only.)

action Action taken for matched file. option - log-only

Option Description

log-only Allow the content and write a log message.

block Block the content and write a log message.

direction Traffic direction (HTTP, FTP, SSH, CIFS only). option - any

Option Description

incoming Match files transmitted in the session's reply direction.

outgoing Match files transmitted in the session's originating direction.

any Match files transmitted in the session's originating and reply directions.

password- Match password-protected files. option - any

protected

Option Description

yes Match only password-protected files.

any Match any file.

file-type Select file type. string Maximum

<name> File type name. length: 39

FortiOS 7.0.9 CLI Reference 164

Fortinet Inc.
firewall

This section includes syntax for the following commands:

l config firewall DoS-policy on page 167
l config firewall DoS-policy6 on page 169
l config firewall access-proxy-ssh-client-cert on page 172
l config firewall access-proxy-virtual-host on page 174
l config firewall access-proxy on page 175
l config firewall access-proxy6 on page 196
l config firewall acl on page 217
l config firewall acl6 on page 219
l config firewall address on page 220
l config firewall address6-template on page 225
l config firewall address6 on page 227
l config firewall addrgrp on page 230
l config firewall addrgrp6 on page 232
l config firewall auth-portal on page 234
l config firewall central-snat-map on page 234
l config firewall city on page 237
l config firewall country on page 237
l config firewall decrypted-traffic-mirror on page 238
l config firewall dnstranslation on page 239
l config firewall identity-based-route on page 240
l config firewall interface-policy on page 241
l config firewall interface-policy6 on page 244
l config firewall internet-service-addition on page 247
l config firewall internet-service-append on page 248
l config firewall internet-service-botnet on page 249
l config firewall internet-service-custom-group on page 249
l config firewall internet-service-custom on page 250
l config firewall internet-service-definition on page 251
l config firewall internet-service-extension on page 253
l config firewall internet-service-group on page 256
l config firewall internet-service-ipbl-reason on page 257
l config firewall internet-service-ipbl-vendor on page 257
l config firewall internet-service-list on page 258
l config firewall internet-service-name on page 258
l config firewall internet-service-owner on page 259
l config firewall internet-service-reputation on page 260
l config firewall internet-service-sld on page 260

FortiOS 7.0.9 CLI Reference 165

Fortinet Inc.
l config firewall internet-service on page 261
l config firewall ip-translation on page 263
l config firewall ipmacbinding setting on page 263
l config firewall ipmacbinding table on page 264
l config firewall ippool on page 265
l config firewall ippool6 on page 269
l config firewall iprope appctrl list on page 270
l config firewall iprope appctrl status on page 271
l config firewall iprope list on page 271
l config firewall ipv6-eh-filter on page 271
l config firewall ldb-monitor on page 273
l config firewall local-in-policy on page 275
l config firewall local-in-policy6 on page 277
l config firewall multicast-address on page 279
l config firewall multicast-address6 on page 280
l config firewall multicast-policy on page 281
l config firewall multicast-policy6 on page 284
l config firewall policy on page 286
l config firewall profile-group on page 304
l config firewall profile-protocol-options on page 306
l config firewall proute on page 330
l config firewall proute6 on page 331
l config firewall proxy-address on page 331
l config firewall proxy-addrgrp on page 334
l config firewall proxy-policy on page 336
l config firewall region on page 343
l config firewall schedule group on page 344
l config firewall schedule onetime on page 345
l config firewall schedule recurring on page 346
l config firewall security-policy on page 347
l config firewall service category on page 354
l config firewall service custom on page 355
l config firewall service group on page 359
l config firewall shaper per-ip-shaper on page 360
l config firewall shaper per-ip on page 362
l config firewall shaper traffic-shaper on page 362
l config firewall shaper traffic on page 364
l config firewall shaping-policy on page 365
l config firewall shaping-profile on page 369
l config firewall sniffer on page 371
l config firewall ssh host-key on page 377
l config firewall ssh local-ca on page 379
l config firewall ssh local-key on page 380

FortiOS 7.0.9 CLI Reference 166

Fortinet Inc.
l config firewall ssh setting on page 380
l config firewall ssl-server on page 381
l config firewall ssl-ssh-profile on page 384
l config firewall ssl setting on page 412
l config firewall traffic-class on page 414
l config firewall ttl-policy on page 415
l config firewall vendor-mac-summary on page 416
l config firewall vendor-mac on page 416
l config firewall vip on page 417
l config firewall vip6 on page 447
l config firewall vipgrp on page 477
l config firewall vipgrp6 on page 478
l config firewall wildcard-fqdn custom on page 479
l config firewall wildcard-fqdn group on page 480

config firewall DoS-policy

Configure IPv4 DoS policies.

config firewall DoS-policy
Description: Configure IPv4 DoS policies.
edit <policyid>
config anomaly
Description: Anomaly name.
edit <name>
set name {string}
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set interface {string}
set name {string}
set policyid {integer}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 167

Fortinet Inc.
config firewall DoS-policy

Parameter Description Type Size Default

comments Comment. var-string Not

Specified

dstaddr Destination address name from available addresses. string Maximum

<name> Address name. length: 79

interface Incoming interface name from available interfaces. string Not

Specified

name Policy name. string Not

Specified

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999
**

service Service object from available options. string Maximum

<name> Service name. length: 79

srcaddr Source address name from available addresses. string Maximum

<name> Address name. length: 79

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

** Values may differ between models.

config anomaly

Parameter Description Type Size Default

name Anomaly name. string Not Specified

status Enable/disable this anomaly. option - disable

Option Description

disable Disable this status.

enable Enable this status.

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

config firewall DoS-policy6

Configure IPv6 DoS policies.

FortiOS 7.0.9 CLI Reference 169

Fortinet Inc.
config firewall DoS-policy6
Description: Configure IPv6 DoS policies.
edit <policyid>
config anomaly
Description: Anomaly name.
edit <name>
set name {string}
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set interface {string}
set name {string}
set policyid {integer}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

config firewall DoS-policy6

Parameter Description Type Size Default

comments Comment. var-string Not

Specified

dstaddr Destination address name from available addresses. string Maximum

<name> Address name. length: 79

interface Incoming interface name from available interfaces. string Not

Specified

name Policy name. string Not

Specified

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999
**

service Service object from available options. string Maximum

<name> Service name. length: 79

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

config firewall access-proxy-ssh-client-cert

Configure Access Proxy SSH client certificate.

config firewall access-proxy-ssh-client-cert
Description: Configure Access Proxy SSH client certificate.
edit <name>
set auth-ca {string}
config cert-extension
Description: Configure certificate extension for user certificate.
edit <name>
set name {string}
set critical [no|yes]
set type [fixed|user]
set data {string}
next
end
set name {string}
set permit-agent-forwarding [enable|disable]
set permit-port-forwarding [enable|disable]
set permit-pty [enable|disable]
set permit-user-rc [enable|disable]
set permit-x11-forwarding [enable|disable]
set source-address [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 172

Fortinet Inc.
config firewall access-proxy-ssh-client-cert

Parameter Description Type Size Default

source- Enable/disable appending source-address certificate option - disable

address critical option. This option ensure certificate only
accepted from FortiGate source address.

Option Description

enable Enable setting.

disable Disable setting.

config cert-extension

Parameter Description Type Size Default

name Name of certificate extension. string Not

Specified

critical Critical option. option - no

Option Description

no Certificate extension, server ignores the unsupported certificate extension.

yes Critical option, server refuses to authorize if it cannnot recognize the critical
option.

type Type of certificate extension. option - fixed

Option Description

fixed Fixed certificate extension entry.

user Certificate extension entry filled with authenticated username.

data Data of certificate extension. string Not

Specified

config firewall access-proxy-virtual-host

Configure Access Proxy virtual hosts.

config firewall access-proxy-virtual-host
Description: Configure Access Proxy virtual hosts.
edit <name>
set host {string}
set host-type [sub-string|wildcard]
set name {string}
set replacemsg-group {string}
set ssl-certificate {string}
next
end

FortiOS 7.0.9 CLI Reference 174

Fortinet Inc.
config firewall access-proxy-virtual-host

Parameter Description Type Size Default

config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy
Description: Configure IPv4 access proxy.
edit <name>
config api-gateway
Description: Set IPv4 API Gateway.
edit <id>
set id {integer}
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set id {integer}
set addr-type [ip|fqdn]
set address {string}
set ip {ipv4-address-any}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set weight {integer}

FortiOS 7.0.9 CLI Reference 175

Fortinet Inc.
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
config api-gateway6
Description: Set IPv6 API Gateway.
edit <id>
set id {integer}
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set id {integer}
set addr-type [ip|fqdn]
set address {string}
set ip {ipv6-address}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]

FortiOS 7.0.9 CLI Reference 176

Fortinet Inc.
set type [tcp-forwarding|ssh]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
set auth-portal [disable|enable]
set auth-virtual-host {string}
set client-cert [disable|enable]
set decrypted-traffic-mirror {string}
set empty-cert-action [accept|block]
set log-blocked-traffic [enable|disable]
set name {string}
set vip {string}
next
end

config firewall access-proxy

Parameter Description Type Size Default

auth-portal Enable/disable authentication portal. option - disable

FortiOS 7.0.9 CLI Reference 177

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable authentication portal.

enable Enable authentication portal.

auth-virtual- Virtual host for authentication portal. string Not

host Specified

client-cert Enable/disable to request client certificate. option - disable

Option Description

disable Disable client certificate request.

enable Enable client certificate request.

decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified

empty-cert- Action of an empty client certificate. option - block

action

Option Description

accept Accept the SSL handshake if the client certificate is empty.

block Block the SSL handshake if the client certificate is empty.

log-blocked- Enable/disable logging of blocked traffic. option - disable

traffic

Option Description

enable Log all traffic denied by this access proxy.

disable Do not log all traffic denied by this access proxy.

name Access Proxy name. string Not

Specified

vip Virtual IP name. string Not

Specified

FortiOS 7.0.9 CLI Reference 178

Fortinet Inc.
config api-gateway

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP

https HTTPS

tcp-forwarding TCP-FORWARDING

samlsp SAML-SP

web-portal VPN-SSL-WEB-PORTAL

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request that
is part of the same session.

FortiOS 7.0.9 CLI Reference 179

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from host option - disable
domain-from- field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Not Specified
domain to.

http-cookie- Limit HTTP cookie persistence to the specified path. string Not Specified
path

http-cookie- Generation of HTTP cookie to be accepted. Changing integer Minimum 0

generation invalidates all existing cookies. value: 0
Maximum
value:
4294967295

http-cookie- Time in minutes that client web browsers should keep integer Minimum 60
age a cookie. Default is 60 minutes. 0 = no time limit. value: 0
Maximum
value: 525600

http-cookie- Control sharing of cookies across API Gateway. Use option - same-ip
share of same-ip means a cookie from one virtual server
can be used by another. Disable stops cookie
sharing.

Option Description

disable Only allow HTTP cookie to match this API Gateway.

same-ip Allow HTTP cookie to match any API Gateway with same IP.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

FortiOS 7.0.9 CLI Reference 180

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Not Specified
authentication.

saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

Option Description

ip Standard IPv4 address.

fqdn Non-wildcard FQDN address object.

address Address or address group of the real server. string Not Specified

ip IPv6 address of the real server. ipv6- Not Specified ::

address

domain Wildcard domain name of the real server. string Not Specified

FortiOS 7.0.9 CLI Reference 182

Fortinet Inc.
Parameter Description Type Size Default

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

type TCP forwarding server type. option - tcp-

forwarding

Option Description

tcp-forwarding TCP forwarding.

ssh SSH.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Not Specified

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

Option Description

ping Use PING to test the link with the server.

http Use HTTP-GET to test the link with the server.

tcp-connect Use a full TCP connection to test the link with the server.

FortiOS 7.0.9 CLI Reference 183

Fortinet Inc.
Parameter Description Type Size Default

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

Option Description

enable Enable per server holddown.

disable Disable per server holddown.

ssh-client-cert Set access-proxy SSH client certificate profile. string Not Specified

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

Option Description

disable Disable SSH real server host key validation.

enable Enable SSH real server host key validation.

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

FortiOS 7.0.9 CLI Reference 184

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

FortiOS 7.0.9 CLI Reference 185

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

FortiOS 7.0.9 CLI Reference 186

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

FortiOS 7.0.9 CLI Reference 187

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

FortiOS 7.0.9 CLI Reference 188

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

FortiOS 7.0.9 CLI Reference 189

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

FortiOS 7.0.9 CLI Reference 190

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config api-gateway6

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP

https HTTPS

tcp-forwarding TCP-FORWARDING

FortiOS 7.0.9 CLI Reference 191

Fortinet Inc.
Parameter Description Type Size Default

Option Description

samlsp SAML-SP

web-portal VPN-SSL-WEB-PORTAL

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request that
is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from host option - disable
domain-from- field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Not Specified
domain to.

FortiOS 7.0.9 CLI Reference 192

Fortinet Inc.
Parameter Description Type Size Default

http-cookie- Limit HTTP cookie persistence to the specified path. string Not Specified
path

http-cookie- Generation of HTTP cookie to be accepted. Changing integer Minimum 0

generation invalidates all existing cookies. value: 0
Maximum
value:
4294967295

http-cookie- Time in minutes that client web browsers should keep integer Minimum 60
age a cookie. Default is 60 minutes. 0 = no time limit. value: 0
Maximum
value: 525600

http-cookie- Control sharing of cookies across API Gateway. Use option - same-ip
share of same-ip means a cookie from one virtual server
can be used by another. Disable stops cookie
sharing.

Option Description

disable Only allow HTTP cookie to match this API Gateway.

same-ip Allow HTTP cookie to match any API Gateway with same IP.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Not Specified
authentication.

saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

FortiOS 7.0.9 CLI Reference 193

Fortinet Inc.
Parameter Description Type Size Default

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

FortiOS 7.0.9 CLI Reference 194

Fortinet Inc.
config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

address Address or address group of the real server. string Not Specified

ip IPv6 address of the real server. ipv6- Not Specified ::

address

domain Wildcard domain name of the real server. string Not Specified

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

type TCP forwarding server type. option - tcp-

forwarding

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Not Specified

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

ssh-client-cert Set access-proxy SSH client certificate profile. string Not Specified

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

FortiOS 7.0.9 CLI Reference 195

Fortinet Inc.
config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

config firewall access-proxy6

Configure IPv6 access proxy.

config firewall access-proxy6
Description: Configure IPv6 access proxy.
edit <name>
config api-gateway
Description: Set IPv4 API Gateway.
edit <id>
set id {integer}
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set id {integer}
set addr-type [ip|fqdn]
set address {string}
set ip {ipv4-address-any}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next

FortiOS 7.0.9 CLI Reference 196

Fortinet Inc.
end
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
config api-gateway6
Description: Set IPv6 API Gateway.
edit <id>
set id {integer}
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set id {integer}
set addr-type [ip|fqdn]
set address {string}
set ip {ipv6-address}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]

FortiOS 7.0.9 CLI Reference 197

Fortinet Inc.
set ssh-host-key <name1>, <name2>, ...
next
end
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
set auth-portal [disable|enable]
set auth-virtual-host {string}
set client-cert [disable|enable]
set decrypted-traffic-mirror {string}
set empty-cert-action [accept|block]
set log-blocked-traffic [enable|disable]
set name {string}
set vip {string}
next
end

config firewall access-proxy6

Parameter Description Type Size Default

auth-portal Enable/disable authentication portal. option - disable

Option Description

disable Disable authentication portal.

enable Enable authentication portal.

auth-virtual- Virtual host for authentication portal. string Not

host Specified

FortiOS 7.0.9 CLI Reference 198

Fortinet Inc.
Parameter Description Type Size Default

client-cert Enable/disable to request client certificate. option - disable

Option Description

disable Disable client certificate request.

enable Enable client certificate request.

decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified

empty-cert- Action of an empty client certificate. option - block

action

Option Description

accept Accept the SSL handshake if the client certificate is empty.

block Block the SSL handshake if the client certificate is empty.

log-blocked- Enable/disable logging of blocked traffic. option - disable

traffic

Option Description

enable Log all traffic denied by this access proxy.

disable Do not log all traffic denied by this access proxy.

name Access Proxy name. string Not

Specified

vip Virtual IP name. string Not

Specified

config api-gateway

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP

FortiOS 7.0.9 CLI Reference 199

Fortinet Inc.
Parameter Description Type Size Default

Option Description

https HTTPS

tcp-forwarding TCP-FORWARDING

samlsp SAML-SP

web-portal VPN-SSL-WEB-PORTAL

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Not Specified
authentication.

saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.

FortiOS 7.0.9 CLI Reference 201

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

FortiOS 7.0.9 CLI Reference 202

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

Option Description

ip Standard IPv4 address.

fqdn Non-wildcard FQDN address object.

address Address or address group of the real server. string Not Specified

ip IPv6 address of the real server. ipv6- Not Specified ::

address

domain Wildcard domain name of the real server. string Not Specified

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

Option Description

active Server status active.

FortiOS 7.0.9 CLI Reference 203

Fortinet Inc.
Parameter Description Type Size Default

Option Description

standby Server status standby.

disable Server status disable.

type TCP forwarding server type. option - tcp-

forwarding

Option Description

tcp-forwarding TCP forwarding.

ssh SSH.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Not Specified

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

Option Description

ping Use PING to test the link with the server.

http Use HTTP-GET to test the link with the server.

tcp-connect Use a full TCP connection to test the link with the server.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

Option Description

enable Enable per server holddown.

disable Disable per server holddown.

ssh-client-cert Set access-proxy SSH client certificate profile. string Not Specified

FortiOS 7.0.9 CLI Reference 204

Fortinet Inc.
Parameter Description Type Size Default

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

Option Description

disable Disable SSH real server host key validation.

enable Enable SSH real server host key validation.

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.0.9 CLI Reference 205

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

FortiOS 7.0.9 CLI Reference 206

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

FortiOS 7.0.9 CLI Reference 207

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

FortiOS 7.0.9 CLI Reference 208

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

FortiOS 7.0.9 CLI Reference 209

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

FortiOS 7.0.9 CLI Reference 210

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

FortiOS 7.0.9 CLI Reference 211

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config api-gateway6

Parameter Description Type Size Default

id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP

https HTTPS

tcp-forwarding TCP-FORWARDING

samlsp SAML-SP

web-portal VPN-SSL-WEB-PORTAL

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

FortiOS 7.0.9 CLI Reference 212

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request that
is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from host option - disable
domain-from- field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Not Specified
domain to.

http-cookie- Limit HTTP cookie persistence to the specified path. string Not Specified
path

http-cookie- Generation of HTTP cookie to be accepted. Changing integer Minimum 0

generation invalidates all existing cookies. value: 0
Maximum
value:
4294967295

http-cookie- Time in minutes that client web browsers should keep integer Minimum 60
age a cookie. Default is 60 minutes. 0 = no time limit. value: 0
Maximum
value: 525600

http-cookie- Control sharing of cookies across API Gateway. Use option - same-ip
share of same-ip means a cookie from one virtual server
can be used by another. Disable stops cookie
sharing.

FortiOS 7.0.9 CLI Reference 213

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Only allow HTTP cookie to match this API Gateway.

same-ip Allow HTTP cookie to match any API Gateway with same IP.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Not Specified
authentication.

saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

FortiOS 7.0.9 CLI Reference 214

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

addr-type Type of address. option - ip

address Address or address group of the real server. string Not Specified

ip IPv6 address of the real server. ipv6- Not Specified ::

address

FortiOS 7.0.9 CLI Reference 215

Fortinet Inc.
Parameter Description Type Size Default

domain Wildcard domain name of the real server. string Not Specified

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535

mappedport Port for communicating with the real server. user Not Specified

status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.

type TCP forwarding server type. option - tcp-

forwarding

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Not Specified

health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

ssh-client-cert Set access-proxy SSH client certificate profile. string Not Specified

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

FortiOS 7.0.9 CLI Reference 216

Fortinet Inc.
Parameter Description Type Size Default

versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3

config firewall acl

This command is available for model(s): FortiGate 100EF, FortiGate 100E, FortiGate 100F,
FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F,
FortiGate 1801F, FortiGate 2000E, FortiGate 200F, FortiGate 201F, FortiGate 2200E,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E,
FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3960E,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 4200F,
FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 601E.
It is not available for: FortiGate 1000D, FortiGate 200E, FortiGate 201E, FortiGate 40F 3G4G,
FortiGate 40F, FortiGate 5001E1, FortiGate 5001E, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE,
FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE,
FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure IPv4 access control list.

config firewall acl
Description: Configure IPv4 access control list.
edit <policyid>
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set interface {string}
set name {string}
set policyid {integer}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 217

Fortinet Inc.
config firewall acl

Parameter Description Type Size Default

comments Comment. var-string Not

Specified

enable Enable access control list status.

disable Disable access control list status.

config firewall address

Configure IPv4 addresses.

config firewall address
Description: Configure IPv4 addresses.
edit <name>
set allow-routing [enable|disable]
set associated-interface {string}
set cache-ttl {integer}
set clearpass-spt [unknown|healthy|...]
set color {integer}
set comment {var-string}
set country {string}
set end-ip {ipv4-address-any}
set epg-name {string}
set fabric-object [enable|disable]
set filter {var-string}
set fqdn {string}
set fsso-group <name1>, <name2>, ...
set interface {string}
config list
Description: IP address list.
edit <ip>
set ip {string}
next
end
set macaddr <macaddr1>, <macaddr2>, ...

FortiOS 7.0.9 CLI Reference 220

Fortinet Inc.
set name {string}
set node-ip-only [enable|disable]
set obj-id {var-string}
set obj-tag {string}
set obj-type [ip|mac]
set organization {string}
set policy-group {string}
set sdn {string}
set sdn-addr-type [private|public|...]
set sdn-tag {string}
set start-ip {ipv4-address-any}
set sub-type [sdn|clearpass-spt|...]
set subnet {ipv4-classnet-any}
set subnet-name {string}
set tag-detection-level {string}
set tag-type {string}
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end
set tenant {string}
set type [ipmask|iprange|...]
set uuid {uuid}
set wildcard {ipv4-classnet-any}
set wildcard-fqdn {string}
next
end

config firewall address

Parameter Description Type Size Default

allow-routing Enable/disable use of this address in the static option - disable

route configuration.

Option Description

enable Enable use of this address in the static route configuration.

disable Disable use of this address in the static route configuration.

associated- Network interface associated with address. string Not

interface Specified

cache-ttl Defines the minimal TTL of individual IP integer Minimum 0

addresses in FQDN cache measured in seconds. value: 0
Maximum
value:
86400

clearpass-spt SPT (System Posture Token) value. option - unknown

FortiOS 7.0.9 CLI Reference 221

Fortinet Inc.
Parameter Description Type Size Default

Option Description

unknown UNKNOWN.

healthy HEALTHY.

quarantine QUARANTINE.

checkup CHECKUP.

transient TRANSIENT.

infected INFECTED.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

country IP addresses associated to a specific country. string Not

Specified

in Kubernetes.

Option Description

enable Enable collection of node addresses only in Kubernetes.

disable Disable collection of node addresses only in Kubernetes.

obj-id Object ID for NSX. var-string Not

Specified

obj-tag Tag of dynamic address object. string Not

Specified

obj-type Object type. option - ip

Option Description

ip IP address.

mac MAC address

organization Organization domain name (Syntax: string Not

organization/domain). Specified

policy-group Policy group name. string Not

Specified

sdn SDN. string Not

Specified

sdn-addr-type Type of addresses to collect. option - private

Option Description

private Collect private addresses only.

public Collect public addresses only.

all Collect both public and private addresses.

sdn-tag SDN Tag. string Not

Specified

start-ip First IP address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

FortiOS 7.0.9 CLI Reference 223

Fortinet Inc.
Parameter Description Type Size Default

sub-type Sub-type of address. option - sdn

Option Description

sdn SDN address.

clearpass-spt ClearPass SPT (System Posture Token) address.

fsso FSSO address.

ems-tag FortiClient EMS tag.

fortivoice-tag FortiVoice tag.

fortinac-tag FortiNAC tag.

ipmask Standard IPv4 address with subnet mask.

iprange Range of IPv4 addresses between two specified addresses (inclusive).

fqdn Fully Qualified Domain Name address.

geography IP addresses from a specified country.

wildcard Standard IPv4 using a wildcard subnet mask.

dynamic Dynamic address object.

interface-subnet IP and subnet of interface.

mac Range of MAC addresses.

FortiOS 7.0.9 CLI Reference 224

Fortinet Inc.
Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

wildcard IP address and wildcard netmask. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
any

wildcard-fqdn Fully Qualified Domain Name with wildcard string Not

characters. Specified

config list

Parameter Description Type Size Default

ip IP. string Not

Specified

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

Specified

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall address6-template

Configure IPv6 address templates.

config firewall address6-template
Description: Configure IPv6 address templates.
edit <name>
set fabric-object [enable|disable]
set ip6 {ipv6-network}
set name {string}
config subnet-segment
Description: IPv6 subnet segments.
edit <id>
set id {integer}
set name {string}
set bits {integer}
set exclusive [enable|disable]
config values
Description: Subnet segment values.

FortiOS 7.0.9 CLI Reference 225

Fortinet Inc.
edit <name>
set name {string}
set value {string}
next
end
next
end
set subnet-segment-count {integer}
next
end

config firewall address6-template

Parameter Description Type Size Default

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

ip6 IPv6 address prefix. ipv6- Not ::/0

network Specified

name IPv6 address template name. string Not

Specified

subnet- Number of IPv6 subnet segments. integer Minimum 0

segment- value: 1
count Maximum
value: 6

config subnet-segment

Parameter Description Type Size Default

id Subnet segment ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Subnet segment name. string Not Specified

bits Number of bits. integer Minimum 0

value: 1
Maximum
value: 16

exclusive Enable/disable exclusive value. option - disable

FortiOS 7.0.9 CLI Reference 226

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable exclusive value.

disable Disable exclusive value.

config values

Parameter Description Type Size Default

name Subnet segment value name. string Not

Specified

value Subnet segment value. string Not

Specified

config firewall address6

Configure IPv6 firewall addresses.

config firewall address6
Description: Configure IPv6 firewall addresses.
edit <name>
set cache-ttl {integer}
set color {integer}
set comment {var-string}
set country {string}
set end-ip {ipv6-address}
set fabric-object [enable|disable]
set fqdn {string}
set host {ipv6-address}
set host-type [any|specific]
set ip6 {ipv6-network}
config list
Description: IP address list.
edit <ip>
set ip {string}
next
end
set macaddr <macaddr1>, <macaddr2>, ...
set name {string}
set obj-id {var-string}
set sdn {string}
set start-ip {ipv6-address}
config subnet-segment
Description: IPv6 subnet segments.
edit <name>
set name {string}
set type [any|specific]
set value {string}
next

FortiOS 7.0.9 CLI Reference 227

Fortinet Inc.
end
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end
set template {string}
set type [ipprefix|iprange|...]
set uuid {uuid}
next
end

config firewall address6

Parameter Description Type Size Default

cache-ttl Minimal TTL of individual IPv6 addresses in FQDN integer Minimum 0

cache. value: 0
Maximum
value:
86400

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

country IPv6 addresses associated to a specific country. string Not

Specified

end-ip Final IP address (inclusive) in the range for the ipv6- Not ::
address (format: address Specified
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

fqdn Fully qualified domain name. string Not

Specified

host Host Address. ipv6- Not ::

address Specified

FortiOS 7.0.9 CLI Reference 228

Fortinet Inc.
Parameter Description Type Size Default

host-type Host type. option - any

Option Description

any Wildcard.

specific Specific host address.

ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified

macaddr Multiple MAC address ranges. string Maximum

<macaddr> MAC address ranges <start>[-<end>] separated length: 127
by space.

name Address name. string Not

Specified

obj-id Object ID for NSX. var-string Not

Specified

sdn SDN. string Not

Specified

start-ip First IP address (inclusive) in the range for the ipv6- Not ::
address (format: address Specified
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

template IPv6 address template. string Not

Specified

type Type of IPv6 address object. option - ipprefix

Option Description

ipprefix Uses the IP prefix to define a range of IPv6 addresses.

iprange Range of IPv6 addresses between two specified addresses (inclusive).

fqdn Fully qualified domain name.

geography IPv6 addresses from a specified country.

dynamic Dynamic address object for SDN.

template Template.

mac Range of MAC addresses.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

FortiOS 7.0.9 CLI Reference 229

Fortinet Inc.
config list

Parameter Description Type Size Default

ip IP. string Not

Specified

config subnet-segment

Parameter Description Type Size Default

name Name. string Not

Specified

type Subnet segment type. option - any

Option Description

any Wildcard.

specific Specific subnet segment address.

value Subnet segment value. string Not

Specified

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

Specified

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall addrgrp

Configure IPv4 address groups.

config firewall addrgrp
Description: Configure IPv4 address groups.
edit <name>
set allow-routing [enable|disable]
set category [default|ztna-ems-tag|...]
set color {integer}
set comment {var-string}
set exclude [enable|disable]
set exclude-member <name1>, <name2>, ...
set fabric-object [enable|disable]

FortiOS 7.0.9 CLI Reference 230

Fortinet Inc.
set member <name1>, <name2>, ...
set name {string}
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end
set type [default|folder]
set uuid {uuid}
next
end

config firewall addrgrp

Parameter Description Type Size Default

allow-routing Enable/disable use of this group in the static route option - disable
configuration.

Option Description

enable Enable use of this group in the static route configuration.

disable Disable use of this group in the static route configuration.

category Address group category. option - default

Option Description

default Default address group category (cannot be used as ztna-ems-tag/ztna-geo-

tag in policy).

ztna-ems-tag Members must be ztna-ems-tag group or ems-tag address, can be used as

ztna-ems-tag in policy.

ztna-geo-tag Members must be ztna-geo-tag group or geographic address, can be used as

ztna-geo-tag in policy.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

exclude Enable/disable address exclusion. option - disable

FortiOS 7.0.9 CLI Reference 231

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable address exclusion.

disable Disable address exclusion.

exclude- Address exclusion member. string Maximum

member Address name. length: 79
<name>

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Address objects contained within the group. string Maximum

<name> Address name. length: 79

name Address group name. string Not

Specified

type Address group type. option - default

Option Description

default Default address group type (address may belong to multiple groups).

folder Address folder group (members may not belong to any other group).

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

Specified

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall addrgrp6

Configure IPv6 address groups.

FortiOS 7.0.9 CLI Reference 232

Fortinet Inc.
config firewall addrgrp6
Description: Configure IPv6 address groups.
edit <name>
set color {integer}
set comment {var-string}
set fabric-object [enable|disable]
set member <name1>, <name2>, ...
set name {string}
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end
set uuid {uuid}
next
end

config firewall addrgrp6

Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Address objects contained within the group. string Maximum

<name> Address6/addrgrp6 name. length: 79

name IPv6 address group name. string Not

Specified

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config firewall central-snat-map

Configure IPv4 and IPv6 central SNAT policies.

config firewall central-snat-map
Description: Configure IPv4 and IPv6 central SNAT policies.
edit <policyid>
set comments {var-string}
set dst-addr <name1>, <name2>, ...

FortiOS 7.0.9 CLI Reference 234

Fortinet Inc.
set dst-addr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set nat [disable|enable]
set nat-ippool <name1>, <name2>, ...
set nat-ippool6 <name1>, <name2>, ...
set nat-port {user}
set nat46 [enable|disable]
set nat64 [enable|disable]
set orig-addr <name1>, <name2>, ...
set orig-addr6 <name1>, <name2>, ...
set orig-port {user}
set policyid {integer}
set protocol {integer}
set srcintf <name1>, <name2>, ...
set status [enable|disable]
set type [ipv4|ipv6]
set uuid {uuid}
next
end

config firewall central-snat-map

Parameter Description Type Size Default

comments Comment. var-string Not Specified

enable Enable NAT64.

disable Disable NAT64.

orig-addr IPv4 Original address. string Maximum

<name> Address name. length: 79

orig-addr6 IPv6 Original address. string Maximum

<name> Address name. length: 79

orig-port Original TCP port (1 to 65535, 0 means any user Not Specified
port).

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

protocol Integer value for the protocol type. integer Minimum 0

value: 0
Maximum
value: 255

srcintf Source interface name from available interfaces. string Maximum

<name> Interface name. length: 79

Specified

config firewall country

Define country table.

config firewall country
Description: Define country table.
edit <id>
set id {integer}
set name {string}
set region <id1>, <id2>, ...
next
end

FortiOS 7.0.9 CLI Reference 237

Fortinet Inc.
config firewall country

Parameter Description Type Size Default

id Country ID. integer Minimum 0

value: 0
Maximum
value:
65535

name Country name. string Not

Specified

region <id> Region ID list. integer Minimum

Region ID. value: 0
Maximum
value:
65535

config firewall decrypted-traffic-mirror

Configure decrypted traffic mirror.

config firewall decrypted-traffic-mirror
Description: Configure decrypted traffic mirror.
edit <name>
set dstmac {mac-address}
set interface <name1>, <name2>, ...
set name {string}
set traffic-source [client|server|...]
set traffic-type {option1}, {option2}, ...
next
end

config firewall decrypted-traffic-mirror

Parameter Description Type Size Default

dstmac Set destination MAC address for mirrored traffic. mac- Not ff:ff:ff:ff:ff:ff
address Specified

interface Decrypted traffic mirror interface. string Maximum

<name> Decrypted traffic mirror interface. length: 79

name Name. string Not

Specified

traffic-source Source of decrypted traffic to be mirrored. option - client

FortiOS 7.0.9 CLI Reference 238

Fortinet Inc.
Parameter Description Type Size Default

Option Description

client Mirror client side decrypted traffic.

server Mirror server side decrypted traffic.

both Mirror both client and server side decrypted traffic.

traffic-type Types of decrypted traffic to be mirrored. option - ssl

Option Description

ssl Mirror decrypted SSL traffic.

ssh Mirror decrypted SSH traffic.

config firewall dnstranslation

Configure DNS translation.

config firewall dnstranslation
Description: Configure DNS translation.
edit <id>
set dst {ipv4-address}
set id {integer}
set netmask {ipv4-netmask}
set src {ipv4-address}
next
end

config firewall dnstranslation

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 239

Fortinet Inc.
Parameter Description Type Size Default

netmask If src and dst are subnets rather than single IP ipv4- Not Specified 255.255.255.255
addresses, enter the netmask for both src and netmask
dst.

config firewall identity-based-route

Configure identity based routing.

config firewall identity-based-route
Description: Configure identity based routing.
edit <name>
set comments {string}
set name {string}
config rule
Description: Rule.
edit <id>
set id {integer}
set gateway {ipv4-address}
set device {string}
set groups <name1>, <name2>, ...
next
end
next
end

config firewall identity-based-route

Parameter Description Type Size Default

comments Comments. string Not

Specified

name Name. string Not

Specified

FortiOS 7.0.9 CLI Reference 240

Fortinet Inc.
config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

gateway IPv4 address of the gateway (Format: xxx.xxx.xxx.xxx ipv4- Not Specified 0.0.0.0
, Default: 0.0.0.0). address

device Outgoing interface for the rule. string Not Specified

groups Select one or more group(s) from available groups string Maximum
<name> that are allowed to use this route. Separate group length: 79
names with a space.
Group name.

config firewall interface-policy

Configure IPv4 interface policies.

config firewall interface-policy
Description: Configure IPv4 interface policies.
edit <policyid>
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set comments {var-string}
set dlp-sensor {string}
set dlp-sensor-status [enable|disable]
set dsri [enable|disable]
set dstaddr <name1>, <name2>, ...
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set interface {string}
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set logtraffic [all|utm|...]
set policyid {integer}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set status [enable|disable]
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 241

Fortinet Inc.
config firewall interface-policy

Parameter Description Type Size Default

application- Application list name. string Not Specified

list

application- Enable/disable application control. option - disable

list-status

enable Enable DSRI.

disable Disable DSRI.

dstaddr Address object to limit traffic monitoring to network string Maximum

<name> traffic sent to the specified address or range. length: 79
Address name.

emailfilter- Email filter profile. string Not Specified

profile

emailfilter- Enable/disable email filter. option - disable

profile-status

FortiOS 7.0.9 CLI Reference 242

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Email filter.

disable Disable Email filter.

interface Monitored interface name from available interfaces. string Not Specified

ips-sensor IPS sensor name. string Not Specified

ips-sensor- Enable/disable IPS. option - disable

status

Option Description

enable Enable IPS.

disable Disable IPS.

logtraffic Logging type to be used in this policy (Options: all | option - utm
utm | disable, Default: utm).

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service Service object from available options. string Maximum

<name> Service name. length: 79

srcaddr Address object to limit traffic monitoring to network string Maximum

<name> traffic sent from the specified address or range. length: 79
Address name.

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

webfilter- Web filter profile. string Not Specified

profile

FortiOS 7.0.9 CLI Reference 243

Fortinet Inc.
Parameter Description Type Size Default

webfilter- Enable/disable web filtering. option - disable

profile-status

Option Description

enable Enable web filtering.

disable Disable web filtering.

config firewall interface-policy6

Configure IPv6 interface policies.

config firewall interface-policy6
Description: Configure IPv6 interface policies.
edit <policyid>
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set comments {var-string}
set dlp-sensor {string}
set dlp-sensor-status [enable|disable]
set dsri [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set interface {string}
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set logtraffic [all|utm|...]
set policyid {integer}
set service6 <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set status [enable|disable]
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

config firewall interface-policy6

Parameter Description Type Size Default

application- Application list name. string Not Specified

list

application- Enable/disable application control. option - disable

list-status

FortiOS 7.0.9 CLI Reference 244

Fortinet Inc.
Parameter Description Type Size Default

enable Enable DSRI.

disable Disable DSRI.

dstaddr6 IPv6 address object to limit traffic monitoring to string Maximum

<name> network traffic sent to the specified address or range. length: 79
Address name.

emailfilter- Email filter profile. string Not Specified

profile

emailfilter- Enable/disable email filter. option - disable

profile-status

Option Description

enable Enable Email filter.

disable Disable Email filter.

FortiOS 7.0.9 CLI Reference 245

Fortinet Inc.
Parameter Description Type Size Default

interface Monitored interface name from available interfaces. string Not Specified

ips-sensor IPS sensor name. string Not Specified

ips-sensor- Enable/disable IPS. option - disable

status

Option Description

enable Enable IPS.

disable Disable IPS.

logtraffic Logging type to be used in this policy (Options: all | option - utm
utm | disable, Default: utm).

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

service6 Service name. string Maximum

<name> Address name. length: 79

srcaddr6 IPv6 address object to limit traffic monitoring to string Maximum

<name> network traffic sent from the specified address or length: 79
range.
Address name.

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

webfilter- Web filter profile. string Not Specified

profile

webfilter- Enable/disable web filtering. option - disable

profile-status

FortiOS 7.0.9 CLI Reference 246

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable web filtering.

disable Disable web filtering.

config firewall internet-service-addition

Configure Internet Services Addition.

config firewall internet-service-addition
Description: Configure Internet Services Addition.
edit <id>
set comment {var-string}
config entry
Description: Entries added to the Internet Service addition database.
edit <id>
set id {integer}
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set id {integer}
set start-port {integer}
set end-port {integer}
next
end
next
end
set id {integer}
next
end

config firewall internet-service-addition

Parameter Description Type Size Default

comment Comment. var-string Not Specified

id Internet Service ID in the Internet Service database. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 247

Fortinet Inc.
config entry

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config firewall internet-service-append

Configure additional port mappings for Internet Services.

config firewall internet-service-append
Description: Configure additional port mappings for Internet Services.
set append-port {integer}
set match-port {integer}
end

FortiOS 7.0.9 CLI Reference 248

Fortinet Inc.
config firewall internet-service-append

Parameter Description Type Size Default

append-port Appending TCP/UDP/SCTP destination port (1 to integer Minimum 0

65535). value: 1
Maximum
value:
65535

match-port Matching TCP/UDP/SCTP destination port (0 to 65535, integer Minimum 0

0 means any port). value: 0
Maximum
value:
65535

config firewall internet-service-botnet

Show Internet Service botnet.

config firewall internet-service-botnet
Description: Show Internet Service botnet.
edit <id>
set id {integer}
set name {string}
next
end

config firewall internet-service-botnet

Parameter Description Type Size Default

id Internet Service Botnet ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service Botnet name. string Not Specified

config firewall internet-service-custom-group

Configure custom Internet Service group.

config firewall internet-service-custom-group
Description: Configure custom Internet Service group.
edit <name>
set comment {var-string}
set member <name1>, <name2>, ...
set name {string}

FortiOS 7.0.9 CLI Reference 249

Fortinet Inc.
next
end

config firewall internet-service-custom-group

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

member Custom Internet Service group members. string Maximum

<name> Group member name. length: 79

name Custom Internet Service group name. string Not

Specified

config firewall internet-service-custom

Configure custom Internet Services.

config firewall internet-service-custom
Description: Configure custom Internet Services.
edit <name>
set comment {var-string}
config entry
Description: Entries added to the Internet Service database and custom database.
edit <id>
set id {integer}
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set id {integer}
set start-port {integer}
set end-port {integer}
next
end
set dst <name1>, <name2>, ...
next
end
set name {string}
set reputation {integer}
next
end

config firewall internet-service-custom

Parameter Description Type Size Default

comment Comment. var-string Not Specified

name Internet Service name. string Not Specified

FortiOS 7.0.9 CLI Reference 250

Fortinet Inc.
Parameter Description Type Size Default

reputation Reputation level of the custom Internet Service. integer Minimum 3

value: 0
Maximum
value:
4294967295

config entry

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config firewall internet-service-definition

Configure Internet Service definition.

FortiOS 7.0.9 CLI Reference 251

Fortinet Inc.
config firewall internet-service-definition
Description: Configure Internet Service definition.
edit <id>
config entry
Description: Protocol and port information in an Internet Service entry.
edit <seq-num>
set seq-num {integer}
set category-id {integer}
set name {string}
set protocol {integer}
config port-range
Description: Port ranges in the definition entry.
edit <id>
set id {integer}
set start-port {integer}
set end-port {integer}
next
end
next
end
set id {integer}
next
end

config firewall internet-service-definition

Parameter Description Type Size Default

id Internet Service application list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config entry

Parameter Description Type Size Default

seq-num Entry sequence number. integer Minimum 7 **

value: 0
Maximum
value:
4294967295

category-id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service name. string Not Specified

FortiOS 7.0.9 CLI Reference 252

Fortinet Inc.
Parameter Description Type Size Default

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

** Values may differ between models.

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Starting TCP/UDP/SCTP destination port (1 to integer Minimum 1

65535). value: 1
Maximum
value: 65535

end-port Ending TCP/UDP/SCTP destination port (1 to 65535). integer Minimum 65535

value: 1
Maximum
value: 65535

config firewall internet-service-extension

Configure Internet Services Extension.

config firewall internet-service-extension
Description: Configure Internet Services Extension.
edit <id>
set comment {var-string}
config disable-entry
Description: Disable entries in the Internet Service database.
edit <id>
set id {integer}
set protocol {integer}
config port-range
Description: Port ranges in the disable entry.
edit <id>
set id {integer}
set start-port {integer}
set end-port {integer}
next
end
config ip-range
Description: IP ranges in the disable entry.

FortiOS 7.0.9 CLI Reference 253

Fortinet Inc.
edit <id>
set id {integer}
set start-ip {ipv4-address-any}
set end-ip {ipv4-address-any}
next
end
next
end
config entry
Description: Entries added to the Internet Service extension database.
edit <id>
set id {integer}
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set id {integer}
set start-port {integer}
set end-port {integer}
next
end
set dst <name1>, <name2>, ...
next
end
set id {integer}
next
end

config firewall internet-service-extension

Parameter Description Type Size Default

comment Comment. var-string Not Specified

id Internet Service ID in the Internet Service database. integer Minimum 0

value: 0
Maximum
value:
4294967295

config disable-entry

Parameter Description Type Size Default

id Disable entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 254

Fortinet Inc.
Parameter Description Type Size Default

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config ip-range

Parameter Description Type Size Default

id Disable entry range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-ip Start IP address. ipv4- Not Specified 0.0.0.0

address-
any

end-ip End IP address. ipv4- Not Specified 0.0.0.0

address-
any

FortiOS 7.0.9 CLI Reference 255

Fortinet Inc.
config entry

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255

dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.

config port-range

Parameter Description Type Size Default

id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value: 65535

config firewall internet-service-group

Configure group of Internet Service.

config firewall internet-service-group
Description: Configure group of Internet Service.
edit <name>
set comment {var-string}
set direction [source|destination|...]
set member <name1>, <name2>, ...
set name {string}
next
end

FortiOS 7.0.9 CLI Reference 256

Fortinet Inc.
config firewall internet-service-group

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

direction How this service may be used (source, destination or option - both
both).

Option Description

source As source when applied.

destination As destination when applied.

both Both directions when applied.

member Internet Service group member. string Maximum

<name> Internet Service name. length: 79

name Internet Service group name. string Not

Specified

config firewall internet-service-ipbl-reason

IP block list reason.

config firewall internet-service-ipbl-reason
Description: IP block list reason.
edit <id>
set id {integer}
set name {string}
next
end

config firewall internet-service-ipbl-reason

Parameter Description Type Size Default

id IP block list reason ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name IP block list reason name. string Not Specified

config firewall internet-service-ipbl-vendor

IP block list vendor.

FortiOS 7.0.9 CLI Reference 257

Fortinet Inc.
config firewall internet-service-ipbl-vendor
Description: IP block list vendor.
edit <id>
set id {integer}
set name {string}
next
end

config firewall internet-service-ipbl-vendor

Parameter Description Type Size Default

id IP block list vendor ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name IP block list vendor name. string Not Specified

config firewall internet-service-list

Internet Service list.

config firewall internet-service-list
Description: Internet Service list.
edit <id>
set id {integer}
set name {string}
next
end

config firewall internet-service-list

Parameter Description Type Size Default

id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service category name. string Not Specified

config firewall internet-service-name

Define internet service names.

config firewall internet-service-name
Description: Define internet service names.

FortiOS 7.0.9 CLI Reference 258

Fortinet Inc.
edit <name>
set city-id {integer}
set country-id {integer}
set internet-service-id {integer}
set name {string}
set region-id {integer}
set type [default|location]
next
end

config firewall internet-service-name

Parameter Description Type Size Default

city-id City ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

country-id Country or Area ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

internet- Internet Service ID. integer Minimum 0

service-id value: 0
Maximum
value:
4294967295

name Internet Service name. string Not Specified

region-id Region ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Internet Service name type. option - default

Option Description

default Automatically generated Internet Service.

location Geography location based Internet Service.

config firewall internet-service-owner

Internet Service owner.

FortiOS 7.0.9 CLI Reference 259

Fortinet Inc.
config firewall internet-service-owner
Description: Internet Service owner.
edit <id>
set id {integer}
set name {string}
next
end

config firewall internet-service-owner

Parameter Description Type Size Default

id Internet Service owner ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service owner name. string Not Specified

config firewall internet-service-reputation

Show Internet Service reputation.

config firewall internet-service-reputation
Description: Show Internet Service reputation.
edit <id>
set description {string}
set id {integer}
next
end

config firewall internet-service-reputation

Parameter Description Type Size Default

description Description. string Not Specified

id Internet Service Reputation ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config firewall internet-service-sld

Internet Service Second Level Domain.

config firewall internet-service-sld
Description: Internet Service Second Level Domain.

FortiOS 7.0.9 CLI Reference 260

Fortinet Inc.
edit <id>
set id {integer}
set name {string}
next
end

config firewall internet-service-sld

Parameter Description Type Size Default

id Second Level Domain ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Second Level Domain name. string Not Specified

config firewall internet-service

Show Internet Service application.

config firewall internet-service
Description: Show Internet Service application.
edit <id>
set database [isdb|irdb]
set direction [src|dst|...]
set extra-ip-range-number {integer}
set icon-id {integer}
set id {integer}
set ip-number {integer}
set ip-range-number {integer}
set name {string}
set obsolete {integer}
set singularity {integer}
next
end

config firewall internet-service

Parameter Description Type Size Default

database Database name this Internet Service belongs to. option - isdb

Option Description

isdb Internet Service Database.

irdb Internet RRR Database.

FortiOS 7.0.9 CLI Reference 261

Fortinet Inc.
Parameter Description Type Size Default

direction How this service may be used in a firewall policy option - both
(source, destination or both).

Option Description

src As source in the firewall policy.

dst As destination in the firewall policy.

both Both directions in the firewall policy.

extra-ip- Extra number of IP ranges. integer Minimum 0

range-number value: 0
Maximum
value:
4294967295

icon-id Icon ID of Internet Service. integer Minimum 0

value: 0
Maximum
value:
4294967295

id Internet Service ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip-number Total number of IP addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip-range- Number of IP ranges. integer Minimum 0

number value: 0
Maximum
value:
4294967295

name Internet Service name. string Not Specified

obsolete Indicates whether the Internet Service can be used. integer Minimum 0
value: 0
Maximum
value: 255

singularity Singular level of the Internet Service. integer Minimum 0

value: 0
Maximum
value: 65535

FortiOS 7.0.9 CLI Reference 262

Fortinet Inc.
config firewall ip-translation

Configure firewall IP-translation.

config firewall ip-translation
Description: Configure firewall IP-translation.
edit <transid>
set endip {ipv4-address-any}
set map-startip {ipv4-address-any}
set startip {ipv4-address-any}
set transid {integer}
set type {option}
next
end

config firewall ip-translation

Parameter Description Type Size Default

endip Final IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any

map-startip Address to be used as the starting point for translation ipv4- Not Specified 0.0.0.0
in the range. address-
any

startip First IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any

transid IP translation ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type IP translation type (option: SCTP). option - SCTP

Option Description

SCTP SCTP

config firewall ipmacbinding setting

Configure IP to MAC binding settings.

config firewall ipmacbinding setting
Description: Configure IP to MAC binding settings.
set bindthroughfw [enable|disable]
set bindtofw [enable|disable]

FortiOS 7.0.9 CLI Reference 263

Fortinet Inc.
set undefinedhost [allow|block]
end

config firewall ipmacbinding setting

block Block packets from MAC addresses not in the IP/MAC list.

config firewall ipmacbinding table

Configure IP to MAC address pairs in the IP/MAC binding table.

config firewall ipmacbinding table
Description: Configure IP to MAC address pairs in the IP/MAC binding table.
edit <seq-num>
set ip {ipv4-address}
set mac {mac-address}
set name {string}
set seq-num {integer}
set status [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 264

Fortinet Inc.
config firewall ipmacbinding table

Parameter Description Type Size Default

ip IPv4 address portion of the pair (format: ipv4- Not Specified 0.0.0.0
xxx.xxx.xxx.xxx). address

mac MAC address portion of the pair (format = mac- Not Specified 00:00:00:00:00:00
xx:xx:xx:xx:xx:xx in hexadecimal). address

name Name of the pair. string Not Specified noname

seq-num Entry number. integer Minimum 0

value: 0
Maximum
value:
4294967295

status Enable/disable this IP-mac binding pair. option - disable

Option Description

enable Enable this IP-mac binding pair.

disable Disable this IP-mac binding pair.

config firewall ippool

Configure IPv4 IP pools.

config firewall ippool
Description: Configure IPv4 IP pools.
edit <name>
set add-nat64-route [disable|enable]
set arp-intf {string}
set arp-reply [disable|enable]
set associated-interface {string}
set block-size {integer}
set cgn-block-size {integer}
set cgn-client-endip {var-string}
set cgn-client-ipv6shift {integer}
set cgn-client-startip {var-string}
set cgn-fixedalloc [disable|enable]
set cgn-overload [disable|enable]
set cgn-port-end {integer}
set cgn-port-start {integer}
set cgn-spa [disable|enable]
set comments {var-string}
set endip {ipv4-address-any}
set endport {integer}
set name {string}
set nat64 [disable|enable]
set num-blocks-per-user {integer}
set pba-timeout {integer}

FortiOS 7.0.9 CLI Reference 265

Fortinet Inc.
set permit-any-host [disable|enable]
set port-per-user {integer}
set source-endip {ipv4-address-any}
set source-startip {ipv4-address-any}
set startip {ipv4-address-any}
set startport {integer}
set subnet-broadcast-in-ippool [disable|enable]
set type [overload|one-to-one|...]
set utilization-alarm-clear {integer}
set utilization-alarm-raise {integer}
next
end

config firewall ippool

Parameter Description Type Size Default

add-nat64- Enable/disable adding NAT64 route. option - enable

route

Option Description

disable Disable adding NAT64 route.

enable Enable adding NAT64 route.

arp-intf Select an interface from available options that will reply string Not
to ARP requests. (If blank, any is selected). Specified

arp-reply Enable/disable replying to ARP requests when an IP option - enable

Pool is added to a policy.

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

associated- Associated interface name. string Not

interface Specified

block-size Number of addresses in a block. integer Minimum 128

value: 64
Maximum
value: 4096

cgn-block- Number of ports in a block. integer Minimum 128

size * value: 64
Maximum
value: 4096

cgn-client- Final client IPv4 address (inclusive) (format var-string Not

endip * xxx.xxx.xxx.xxx, Default: 0.0.0.0). Specified

FortiOS 7.0.9 CLI Reference 266

Fortinet Inc.
Parameter Description Type Size Default

cgn-client- IPv6 shift for fixed-allocation. integer Minimum 0

ipv6shift * value: 0
Maximum
value: 127

cgn-client- First client IPv4 address (inclusive) (format var-string Not

startip * xxx.xxx.xxx.xxx, Default: 0.0.0.0). Specified

cgn-fixedalloc Enable/disable fixed-allocation mode. option - disable

Option Description

disable Disable fixed-allocation mode.

enable Enable fixed-allocation mode.

cgn-overload Enable/disable overload mode. option - disable

Option Description

disable Disable overload mode.

enable Enable overload mode.

cgn-port-end * Ending public port can be allocated. integer Minimum 65530

value: 1024
Maximum
value:
65535

cgn-port-start Starting public port can be allocated. integer Minimum 5117

* value: 1024
Maximum
value:
65535

cgn-spa * Enable/disable single port allocation mode. option - disable

Option Description

disable Disable SPA mode.

enable Enable SPA mode.

comments Comment. var-string Not

Specified

endip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

FortiOS 7.0.9 CLI Reference 267

Fortinet Inc.
Parameter Description Type Size Default

endport Final port number (inclusive) in the range for the integer Minimum 65533
address pool (Default: 65533). value: 5117
Maximum
value:
65533

name IP pool name. string Not

Specified

nat64 Enable/disable NAT64. option - disable

Option Description

disable Disable DNAT64.

enable Enable DNAT64.

num-blocks- Number of addresses blocks that can be used by a user. integer Minimum 8
per-user value: 1
Maximum
value: 128

pba-timeout Port block allocation timeout (seconds). integer Minimum 30

value: 3
Maximum
value: 300

permit-any- Enable/disable full cone NAT. option - disable

host

Option Description

disable Disable full cone NAT.

enable Enable full cone NAT.

port-per-user Number of port for each user. integer Minimum 0

value: 32
Maximum
value:
60416

source-endip Final IPv4 address (inclusive) in the range of the source ipv4- Not 0.0.0.0
addresses to be translated (format xxx.xxx.xxx.xxx, address- Specified
Default: 0.0.0.0). any

source-startip First IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any

FortiOS 7.0.9 CLI Reference 268

Fortinet Inc.
Parameter Description Type Size Default

startip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

startport First port number (inclusive) in the range for the address integer Minimum 5117
pool (Default: 5117). value: 5117
Maximum
value:
65533

subnet- Enable/disable inclusion of the subnetwork address and option - enable

broadcast-in- broadcast IP address in the NAT64 IP pool.
ippool

Option Description

disable Do not include the subnetwork address and broadcast IP address in the
NAT64 IP pool.

enable Include the subnetwork address and broadcast IP address in the NAT64 IP
pool.

type IP pool type (overload, one-to-one, fixed port range, or option - overload
port block allocation).

Option Description

overload IP addresses in the IP pool can be shared by clients.

one-to-one One to one mapping.

fixed-port-range Fixed port range.

port-block- Port block allocation.

allocation

utilization- Pool utilization alarm clear threshold. integer Minimum 80

alarm-clear * value: 40
Maximum
value: 100

utilization- Pool utilization alarm raise threshold. integer Minimum 100

alarm-raise * value: 50
Maximum
value: 100

* This parameter may not exist in some models.

config firewall ippool6

Configure IPv6 IP pools.

FortiOS 7.0.9 CLI Reference 269

Fortinet Inc.
config firewall ippool6
Description: Configure IPv6 IP pools.
edit <name>
set add-nat46-route [disable|enable]
set comments {var-string}
set endip {ipv6-address}
set name {string}
set nat46 [disable|enable]
set startip {ipv6-address}
next
end

config firewall ippool6

Parameter Description Type Size Default

add-nat46-route Enable/disable adding NAT46 route. option - enable

Option Description

disable Disable adding NAT46 route.

enable Enable adding NAT46 route.

comments Comment. var-string Not

Specified

endip Final IPv6 address. ipv6- Not ::

address Specified

name IPv6 IP pool name. string Not

Specified

nat46 Enable/disable NAT46. option - disable

Option Description

disable Disable NAT46.

enable Enable NAT46.

startip First IPv6 address. ipv6- Not ::

address Specified

config firewall iprope appctrl list

List application control policies.

config firewall iprope appctrl list
Description: List application control policies.
end

FortiOS 7.0.9 CLI Reference 270

Fortinet Inc.
config firewall iprope appctrl status

Application control policy status.

config firewall iprope appctrl status
Description: Application control policy status.
end

config firewall iprope list

List.
config firewall iprope list
Description: List.
set <group_number> {string}
end

config firewall iprope list

Parameter Description Type Size Default

<group_number> Number, hexadecimal. string Not

Specified

config firewall ipv6-eh-filter

Configure IPv6 extension header filter.

config firewall ipv6-eh-filter
Description: Configure IPv6 extension header filter.
set auth [enable|disable]
set dest-opt [enable|disable]
set fragment [enable|disable]
set hdopt-type {integer}
set hop-opt [enable|disable]
set no-next [enable|disable]
set routing [enable|disable]
set routing-type {integer}
end

config firewall ipv6-eh-filter

Parameter Description Type Size Default

enable Block packets with the Fragment header.

disable Allow packets with the Fragment header.

hdopt-type Block specific Hop-by-Hop and/or Destination Option integer Minimum

types (max. 7 types, each between 0 and 255). value: 0
Maximum
value: 255

hop-opt Enable/disable blocking packets with the Hop-by-Hop option - disable

Options header.

Option Description

enable Enable blocking packets with the Hop-by-Hop Options header.

disable Disable blocking packets with the Hop-by-Hop Options header.

no-next Enable/disable blocking packets with the No Next option - disable

header.

Option Description

enable Block packets with the No Next header.

disable Allow packets with the No Next header.

routing Enable/disable blocking packets with Routing headers. option - enable

Option Description

enable Block packets with Routing headers.

FortiOS 7.0.9 CLI Reference 272

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Allow packets with Routing headers.

routing-type Block specific Routing header types. integer Minimum 0

value: 0
Maximum
value: 255

config firewall ldb-monitor

Configure server load balancing health monitors.

config firewall ldb-monitor
Description: Configure server load balancing health monitors.
edit <name>
set dns-match-ip {ipv4-address}
set dns-protocol [udp|tcp]
set dns-request-domain {string}
set http-get {string}
set http-match {string}
set http-max-redirects {integer}
set interval {integer}
set name {string}
set port {integer}
set retry {integer}
set src-ip {ipv4-address}
set timeout {integer}
set type [ping|tcp|...]
next
end

config firewall ldb-monitor

Parameter Description Type Size Default

dns-match-ip Response IP expected from DNS server. ipv4- Not 0.0.0.0

address Specified

dns-protocol Select the protocol used by the DNS health check option - udp
monitor to check the health of the server (UDP | TCP).

Option Description

udp UDP.

tcp TCP.

FortiOS 7.0.9 CLI Reference 273

Fortinet Inc.
Parameter Description Type Size Default

dns-request- Fully qualified domain name to resolve for the DNS string Not
domain probe. Specified

http-get URL used to send a GET request to check the health of string Not
an HTTP server. Specified

http-match String to match the value expected in response to an string Not

HTTP-GET request. Specified

http-max- The maximum number of HTTP redirects to be allowed. integer Minimum 0

redirects value: 0
Maximum
value: 5

interval Time between health checks. integer Minimum 10

value: 5
Maximum
value:
65535

name Monitor name. string Not

Specified

port Service port used to perform the health check. If 0, integer Minimum 0
health check monitor inherits port configured for the value: 0
server. Maximum
value:
65535

retry Number health check attempts before the server is integer Minimum 3
considered down. value: 1
Maximum
value: 255

src-ip Source IP for ldb-monitor. ipv4- Not 0.0.0.0

address Specified

timeout Time to wait to receive response to a health check from integer Minimum 2
a server. Reaching the timeout means the health check value: 1
failed. Maximum
value: 255

type Select the Monitor type used by the health check option -
monitor to check the health of the server (PING | TCP |
HTTP | HTTPS | DNS).

Option Description

ping PING health monitor.

tcp TCP-connect health monitor.

FortiOS 7.0.9 CLI Reference 274

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http HTTP-GET health monitor.

https HTTP-GET health monitor with SSL.

dns DNS health monitor.

config firewall local-in-policy

Configure user defined IPv4 local-in policies.

config firewall local-in-policy
Description: Configure user defined IPv4 local-in policies.
edit <policyid>
set action [accept|deny]
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set ha-mgmt-intf-only [enable|disable]
set intf {string}
set policyid {integer}
set schedule {string}
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set status [enable|disable]
set uuid {uuid}
next
end

config firewall local-in-policy

Parameter Description Type Size Default

action Action performed on traffic matching the policy. option - deny

Option Description

accept Allow traffic matching this policy.

deny Deny or block traffic matching this policy.

comments Comment. var-string Not Specified

dstaddr Destination address object from available string Maximum

<name> options. length: 79
Address name.

FortiOS 7.0.9 CLI Reference 275

Fortinet Inc.
Parameter Description Type Size Default

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

ha-mgmt-intf- Enable/disable dedicating the HA management option - disable

only interface only for local-in policy.

Option Description

enable Enable dedicating HA management interface only for local-in policy.

disable Disable dedicating HA management interface only for local-in policy.

intf Incoming interface name from available options. string Not Specified

policyid User defined local in policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

disable Disable this local-in policy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config firewall local-in-policy6

Configure user defined IPv6 local-in policies.

config firewall local-in-policy6
Description: Configure user defined IPv6 local-in policies.
edit <policyid>
set action [accept|deny]
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set intf {string}
set policyid {integer}
set schedule {string}
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set status [enable|disable]
set uuid {uuid}
next
end

config firewall local-in-policy6

Parameter Description Type Size Default

action Action performed on traffic matching the policy. option - deny

Option Description

accept Allow local-in traffic matching this policy.

deny Deny or block local-in traffic matching this policy.

comments Comment. var-string Not Specified

dstaddr Destination address object from available string Maximum

<name> options. length: 79
Address name.

FortiOS 7.0.9 CLI Reference 277

Fortinet Inc.
Parameter Description Type Size Default

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

intf Incoming interface name from available options. string Not Specified

policyid User defined local in policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

schedule Schedule object from available options. string Not Specified

service Service object from available options. Separate string Maximum

<name> names with a space. length: 79
Service name.

service- When enabled service specifies what the service option - disable
negate must NOT be.

Option Description

enable Enable negated service match.

disable Disable negated service match.

srcaddr Source address object from available options. string Maximum

<name> Address name. length: 79

srcaddr- When enabled srcaddr specifies what the source option - disable
negate address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

status Enable/disable this local-in policy. option - enable

Option Description

enable Enable this local-in policy.

disable Disable this local-in policy.

FortiOS 7.0.9 CLI Reference 278

Fortinet Inc.
Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config firewall multicast-address

Configure multicast addresses.

config firewall multicast-address
Description: Configure multicast addresses.
edit <name>
set associated-interface {string}
set color {integer}
set comment {var-string}
set end-ip {ipv4-address-any}
set name {string}
set start-ip {ipv4-address-any}
set subnet {ipv4-classnet-any}
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end
set type [multicastrange|broadcastmask]
next
end

config firewall multicast-address

Parameter Description Type Size Default

associated- Interface associated with the address object. When string Not
interface setting up a policy, only addresses associated with Specified
this interface are available.

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

end-ip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

FortiOS 7.0.9 CLI Reference 279

Fortinet Inc.
Parameter Description Type Size Default

name Multicast address name. string Not

Specified

start-ip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

subnet Broadcast address and subnet. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
any

type Type of address object: multicast IP address range option - multicastrange

or broadcast IP/mask to be treated as a multicast
address.

Option Description

multicastrange Multicast range.

broadcastmask Broadcast IP/mask.

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

Specified

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall multicast-address6

Configure IPv6 multicast address.

config firewall multicast-address6
Description: Configure IPv6 multicast address.
edit <name>
set color {integer}
set comment {var-string}
set ip6 {ipv6-network}
set name {string}
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...

FortiOS 7.0.9 CLI Reference 280

Fortinet Inc.
next
end
next
end

config firewall multicast-address6

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified

name IPv6 multicast address name. string Not

Specified

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

Specified

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall multicast-policy

Configure multicast NAT policies.

config firewall multicast-policy
Description: Configure multicast NAT policies.
edit <id>
set action [accept|deny]
set auto-asic-offload [enable|disable]
set comments {var-string}
set dnat {ipv4-address-any}
set dstaddr <name1>, <name2>, ...
set dstintf {string}
set end-port {integer}
set id {integer}
set logtraffic [enable|disable]

FortiOS 7.0.9 CLI Reference 281

Fortinet Inc.
set name {string}
set protocol {integer}
set snat [enable|disable]
set snat-ip {ipv4-address}
set srcaddr <name1>, <name2>, ...
set srcintf {string}
set start-port {integer}
set status [enable|disable]
set uuid {uuid}
next
end

config firewall multicast-policy

Parameter Description Type Size Default

action Accept or deny traffic matching the policy. option - accept

Option Description

accept Accept traffic matching the policy.

deny Deny or block traffic matching the policy.

auto-asic- Enable/disable offloading policy traffic for option - enable

offload * hardware acceleration.

Option Description

enable Enable hardware acceleration offloading.

disable Disable offloading for hardware acceleration.

comments Comment. var-string Not Specified

dnat IPv4 DNAT address used for multicast ipv4- Not Specified 0.0.0.0
destination addresses. address-
any

dstaddr Destination address objects. string Maximum

<name> Destination address objects. length: 79

dstintf Destination interface name. string Not Specified

end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range. value: 0
Maximum
value: 65535

id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

FortiOS 7.0.9 CLI Reference 282

Fortinet Inc.
Parameter Description Type Size Default

logtraffic Enable/disable logging traffic accepted by this option - disable

policy.

Option Description

enable Enable logging traffic accepted by this policy.

disable Disable logging traffic accepted by this policy.

name Policy name. string Not Specified

protocol Integer value for the protocol type as defined by integer Minimum 0
IANA. value: 0
Maximum
value: 255

snat Enable/disable substitution of the outgoing option - disable

interface IP address for the original source IP
address (called source NAT or SNAT).

Option Description

enable Enable source NAT.

disable Disable source NAT.

snat-ip IPv4 address to be used as the source address ipv4- Not Specified 0.0.0.0
for NATed traffic. address

srcaddr Source address objects. string Maximum

<name> Source address objects. length: 79

srcintf Source interface name. string Not Specified

start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

destination port in range. value: 0
Maximum
value: 65535

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 283

Fortinet Inc.
config firewall multicast-policy6

Configure IPv6 multicast NAT policies.

config firewall multicast-policy6
Description: Configure IPv6 multicast NAT policies.
edit <id>
set action [accept|deny]
set auto-asic-offload [enable|disable]
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstintf {string}
set end-port {integer}
set id {integer}
set logtraffic [enable|disable]
set name {string}
set protocol {integer}
set srcaddr <name1>, <name2>, ...
set srcintf {string}
set start-port {integer}
set status [enable|disable]
set uuid {uuid}
next
end

config firewall multicast-policy6

Parameter Description Type Size Default

action Accept or deny traffic matching the policy. option - accept

Option Description

accept Accept.

deny Deny.

auto-asic- Enable/disable offloading policy traffic for option - enable

offload * hardware acceleration.

Option Description

enable Enable offloading policy traffic for hardware acceleration.

disable Disable offloading policy traffic for hardware acceleration.

comments Comment. var-string Not Specified

dstaddr IPv6 destination address name. string Maximum

<name> Address name. length: 79

dstintf IPv6 destination interface name. string Not Specified

FortiOS 7.0.9 CLI Reference 284

Fortinet Inc.
Parameter Description Type Size Default

end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range. value: 0
Maximum
value: 65535

id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

logtraffic Enable/disable logging traffic accepted by this option - disable

policy.

Option Description

enable Enable logging traffic accepted by this policy.

disable Disable logging traffic accepted by this policy.

name Policy name. string Not Specified

protocol Integer value for the protocol type as defined by integer Minimum 0
IANA. value: 0
Maximum
value: 255

srcaddr IPv6 source address name. string Maximum

<name> Address name. length: 79

srcintf IPv6 source interface name. string Not Specified

start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

destination port in range. value: 0
Maximum
value: 65535

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 285

Fortinet Inc.
config firewall policy

Configure IPv4/IPv6 policies.

config firewall policy
Description: Configure IPv4/IPv6 policies.
edit <policyid>
set action [accept|deny|...]
set anti-replay [enable|disable]
set application-list {string}
set auth-cert {string}
set auth-path [enable|disable]
set auth-redirect-addr {string}
set auto-asic-offload [enable|disable]
set av-profile {string}
set block-notification [enable|disable]
set captive-portal-exempt [enable|disable]
set capture-packet [enable|disable]
set cifs-profile {string}
set comments {var-string}
set custom-log-fields <field-id1>, <field-id2>, ...
set decrypted-traffic-mirror {string}
set delay-tcp-npu-session [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set disclaimer [enable|disable]
set dlp-sensor {string}
set dnsfilter-profile {string}
set dsri [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set dynamic-shaping [enable|disable]
set email-collect [enable|disable]
set emailfilter-profile {string}
set fec [enable|disable]
set file-filter-profile {string}
set firewall-session-dirty [check-all|check-new]
set fixedport [enable|disable]
set fsso-agent-for-ntlm {string}
set fsso-groups <name1>, <name2>, ...
set geoip-anycast [enable|disable]
set geoip-match [physical-location|registered-location]
set groups <name1>, <name2>, ...
set http-policy-redirect [enable|disable]
set icap-profile {string}
set identity-based-route {string}
set inbound [enable|disable]
set inspection-mode [proxy|flow]
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...

FortiOS 7.0.9 CLI Reference 286

Fortinet Inc.
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set ippool [enable|disable]
set ips-sensor {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set name {string}
set nat [enable|disable]
set nat46 [enable|disable]
set nat64 [enable|disable]
set natinbound [enable|disable]
set natip {ipv4-classnet}
set natoutbound [enable|disable]
set np-acceleration [enable|disable]
set ntlm [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set ntlm-guest [enable|disable]
set outbound [enable|disable]
set passive-wan-health-measurement [enable|disable]
set per-ip-shaper {string}
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set policyid {integer}
set poolname <name1>, <name2>, ...
set poolname6 <name1>, <name2>, ...
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set radius-mac-auth-bypass [enable|disable]
set redirect-url {var-string}
set replacemsg-override-group {string}
set reputation-direction [source|destination]
set reputation-minimum {integer}
set rtp-addr <name1>, <name2>, ...
set rtp-nat [disable|enable]
set schedule {string}
set schedule-timeout [enable|disable]
set sctp-filter-profile {string}
set send-deny-packet [disable|enable]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set session-ttl {user}
set sgt <id1>, <id2>, ...
set sgt-check [enable|disable]
set src-vendor-mac <id1>, <id2>, ...
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...

FortiOS 7.0.9 CLI Reference 287

Fortinet Inc.
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssh-policy-redirect [enable|disable]
set ssl-ssh-profile {string}
set status [enable|disable]
set tcp-mss-receiver {integer}
set tcp-mss-sender {integer}
set tcp-session-without-syn [all|data-only|...]
set timeout-send-rst [enable|disable]
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set users <name1>, <name2>, ...
set utm-status [enable|disable]
set uuid {uuid}
set videofilter-profile {string}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set vlan-filter {user}
set voip-profile {string}
set vpntunnel {string}
set waf-profile {string}
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-peer {string}
set wanopt-profile {string}
set wccp [enable|disable]
set webcache [enable|disable]
set webcache-https [disable|enable]
set webfilter-profile {string}
set webproxy-forward-server {string}
set webproxy-profile {string}
set ztna-ems-tag <name1>, <name2>, ...
set ztna-geo-tag <name1>, <name2>, ...
set ztna-status [enable|disable]
next
end

config firewall policy

Parameter Description Type Size Default

action Policy action (accept/deny/ipsec). option - deny

Option Description

accept Allows session that match the firewall policy.

deny Blocks sessions that match the firewall policy.

ipsec Firewall policy becomes a policy-based IPsec VPN policy.

FortiOS 7.0.9 CLI Reference 288

Fortinet Inc.
Parameter Description Type Size Default

anti-replay Enable/disable anti-replay check. option - enable

Option Description

enable Enable anti-replay check.

disable Disable anti-replay check.

application-list Name of an existing Application list. string Not Specified

auth-cert HTTPS server certificate for policy string Not Specified

authentication.

auth-path Enable/disable authentication-based routing. option - disable

Option Description

enable Enable authentication-based routing.

disable Disable authentication-based routing.

auth-redirect- HTTP-to-HTTPS redirect address for firewall string Not Specified

addr authentication.

auto-asic- Enable/disable policy traffic ASIC offloading. option - enable

offload *

Option Description

enable Enable auto ASIC offloading.

disable Disable ASIC offloading.

av-profile Name of an existing Antivirus profile. string Not Specified

block- Enable/disable block notification. option - disable

notification

Option Description

enable Enable setting.

disable Disable setting.

captive-portal- Enable to exempt some users from the captive option - disable
exempt portal.

Option Description

enable Enable exemption of captive portal.

disable Disable exemption of captive portal.

capture-packet * Enable/disable capture packets. option - disable

FortiOS 7.0.9 CLI Reference 289

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable capture packets.

disable Disable capture packets.

cifs-profile Name of an existing CIFS profile. string Not Specified

comments Comment. var-string Not Specified

custom-log- Custom fields to append to log messages for string Maximum

fields <field- this policy. length: 35
id> Custom log field.

decrypted- Decrypted traffic mirror. string Not Specified

traffic-mirror

delay-tcp-npu- Enable TCP NPU session delay to guarantee option - disable

session packet order of 3-way handshake.

Option Description

enable Enable TCP NPU session delay in order to guarantee packet order of 3-way
handshake.

disable Disable TCP NPU session delay in order to guarantee packet order of 3-way
handshake.

diffserv-forward Enable to change packet's DiffServ values to option - disable

the specified diffservcode-forward value.

Option Description

enable Enable setting forward (original) traffic Diffserv.

disable Disable setting forward (original) traffic Diffserv.

diffserv-reverse Enable to change packet's reverse (reply) option - disable

DiffServ values to the specified diffservcode-
rev value.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Change packet's DiffServ to this value. user Not Specified

forward

diffservcode-rev Change packet's reverse (reply) DiffServ to user Not Specified

this value.

FortiOS 7.0.9 CLI Reference 290

Fortinet Inc.
Parameter Description Type Size Default

disclaimer Enable/disable user authentication disclaimer. option - disable

Option Description

enable Enable user authentication disclaimer.

disable Disable user authentication disclaimer.

dlp-sensor Name of an existing DLP sensor. string Not Specified

dnsfilter-profile Name of an existing DNS filter profile. string Not Specified

dsri Enable DSRI to ignore HTTP server option - disable

responses.

Option Description

enable Enable DSRI.

disable Disable DSRI.

dstaddr <name> Destination IPv4 address and address group string Maximum
names. length: 79
Address name.

dstaddr-negate When enabled dstaddr/dstaddr6 specifies option - disable

what the destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

dstaddr6 Destination IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

dstintf <name> Outgoing (egress) interface. string Maximum

Interface name. length: 79

dynamic- Enable/disable dynamic RADIUS defined option - disable

shaping traffic shaping.

Option Description

fixedport Enable to prevent source NAT from changing option - disable

a session's source port.

database.

geoip-match Match geography address based either on its option - physical-location

physical location or registered location.

Option Description

physical-location Match geography address to its physical location using the geography IP
database.

registered- Match geography address to its registered location using the geography IP
location database.

groups <name> Names of user groups that can authenticate string Maximum
with this policy. length: 79
Group name.

Fortinet Inc.
Parameter Description Type Size Default

internet-service Enable/disable use of Internet Services for this option - disable

policy. If enabled, destination address and
service are not used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet-service- Custom Internet Service name. string Maximum

custom <name> Custom Internet Service name. length: 79

internet-service- Custom Internet Service group name. string Maximum

custom-group Custom Internet Service group name. length: 79
<name>

internet-service- Internet Service group name. string Maximum

group <name> Internet Service group name. length: 79

internet-service- Internet Service name. string Maximum

name <name> Internet Service name. length: 79

internet-service- When enabled internet-service specifies what option - disable

negate the service must NOT be.

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet-service- Enable/disable use of Internet Services in option - disable

src source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of Internet Services source in policy.

disable Disable use of Internet Services source in policy.

internet-service- Custom Internet Service source name. string Maximum

src-custom Custom Internet Service name. length: 79
<name>

internet-service- Custom Internet Service source group name. string Maximum

src-custom- Custom Internet Service group name. length: 79
group <name>

internet-service- Internet Service source group name. string Maximum

src-group Internet Service group name. length: 79
<name>

FortiOS 7.0.9 CLI Reference 294

Fortinet Inc.
Parameter Description Type Size Default

internet-service- Internet Service source name. string Maximum

src-name Internet Service name. length: 79
<name>

enable Enable setting.

disable Disable setting.

ntlm-enabled- HTTP-User-Agent value of supported string Maximum

browsers browsers. length: 79
<user-agent- User agent string.
string>

ntlm-guest Enable/disable NTLM guest user access. option - disable

poolname IP Pool names. string Maximum

<name> IP pool name. length: 79

poolname6 IPv6 pool names. string Maximum

<name> IPv6 pool name. length: 79

profile-group Name of profile group. string Not Specified

profile-protocol- Name of an existing Protocol options profile. string Not Specified default
options

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

radius-mac- Enable MAC authentication bypass. The option - disable

auth-bypass bypassed MAC address must be received
from RADIUS server.

FortiOS 7.0.9 CLI Reference 298

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable MAC authentication bypass.

disable Disable MAC authentication bypass.

redirect-url URL users are directed to after seeing and var-string Not Specified
accepting the disclaimer or authenticating.

replacemsg- Override the default replacement message string Not Specified

override-group group for this policy.

reputation- Direction of the initial traffic for reputation to option - destination

direction take effect.

Option Description

source Check reputation for source address.

destination Check reputation for destination address.

reputation- Minimum Reputation to take action. integer Minimum 0

minimum value: 0
Maximum
value:
4294967295

rtp-addr Address names if this is an RTP NAT policy. string Maximum

<name> Address name. length: 79

rtp-nat Enable Real Time Protocol (RTP) NAT. option - disable

Option Description

disable Disable setting.

enable Enable setting.

schedule Schedule name. string Not Specified

schedule- Enable to force current sessions to end when option - disable

timeout the schedule object times out. Disable allows
them to end from inactivity.

Option Description

enable Enable schedule timeout.

disable Disable schedule timeout.

sctp-filter-profile Name of an existing SCTP filter profile. string Not Specified

FortiOS 7.0.9 CLI Reference 299

Fortinet Inc.
Parameter Description Type Size Default

send-deny- Enable to send a reply when a session is option - disable

packet denied or blocked by a firewall policy.

Option Description

disable Disable deny-packet sending.

enable Enable deny-packet sending.

service <name> Service and service group names. string Maximum

Service and service group names. length: 79

service-negate When enabled service specifies what the option - disable

service must NOT be.

Option Description

enable Enable negated service match.

disable Disable negated service match.

session-ttl TTL in seconds for sessions accepted by this user Not Specified
policy.

sgt <id> Security group tags. integer Minimum

Security group tag (1 - 65535). value: 1
Maximum
value: 65535

sgt-check Enable/disable security group tags (SGT) option - disable

check.

Option Description

enable Enable SGT check.

disable Disable SGT check.

src-vendor-mac Vendor MAC source ID. integer Minimum

<id> Vendor MAC ID. value: 0
Maximum
value:
4294967295

srcaddr <name> Source IPv4 address and address group string Maximum
names. length: 79
Address name.

srcaddr-negate When enabled srcaddr/srcaddr6 specifies option - disable

what the source address must NOT be.

FortiOS 7.0.9 CLI Reference 300

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable source address negate.

disable Disable source address negate.

srcaddr6 Source IPv6 address name and address group string Maximum
<name> names. length: 79
Address name.

srcintf <name> Incoming (ingress) interface. string Maximum

Interface name. length: 79

ssh-filter-profile Name of an existing SSH filter profile. string Not Specified

ssh-policy- Redirect SSH traffic to matching transparent option - disable

redirect proxy policy.

Option Description

enable Enable SSH policy redirect.

disable Disable SSH policy redirect.

ssl-ssh-profile Name of an existing SSL SSH profile. string Not Specified no-inspection

status Enable or disable this policy. option - enable

Option Description

enable Enable setting.

disable Disable setting.

tcp-mss- Receiver TCP maximum segment size (MSS). integer Minimum 0

receiver value: 0
Maximum
value: 65535

tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum 0

value: 0
Maximum
value: 65535

tcp-session- Enable/disable creation of TCP session option - disable

without-syn without SYN flag.

Option Description

all Enable TCP session without SYN.

data-only Enable TCP session data only.

FortiOS 7.0.9 CLI Reference 301

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable TCP session without SYN.

timeout-send-rst Enable/disable sending RST packets when option - disable

TCP sessions expire.

Option Description

enable Enable sending of RST packet upon TCP session expiration.

disable Disable sending of RST packet upon TCP session expiration.

tos ToS (Type of Service) value used for user Not Specified
comparison.

tos-mask Non-zero bit positions are used for comparison user Not Specified
while zero bit positions are ignored.

tos-negate Enable negated TOS match. option - disable

Option Description

enable Enable TOS match negate.

disable Disable TOS match negate.

traffic-shaper Traffic shaper. string Not Specified

traffic-shaper- Reverse traffic shaper. string Not Specified

reverse

users <name> Names of individual users that can string Maximum

authenticate with this policy. length: 79
Names of individual users that can
authenticate with this policy.

utm-status Enable to add one or more security profiles option - disable

(AV, IPS, etc.) to the firewall policy.

Option Description

enable Enable setting.

disable Disable setting.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

videofilter- Name of an existing VideoFilter profile. string Not Specified

profile

FortiOS 7.0.9 CLI Reference 302

Fortinet Inc.
Parameter Description Type Size Default

vlan-cos-fwd VLAN forward direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7

vlan-cos-rev VLAN reverse direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7

vlan-filter Set VLAN filters. user Not Specified

voip-profile Name of an existing VoIP profile. string Not Specified

vpntunnel Policy-based IPsec VPN: name of the IPsec string Not Specified
VPN Phase 1.

waf-profile Name of an existing Web application firewall string Not Specified

profile.

wanopt * Enable/disable WAN optimization. option - disable

Option Description

enable Enable setting.

disable Disable setting.

wanopt- WAN optimization auto-detection mode. option - active

detection *

Option Description

active Active WAN optimization peer auto-detection.

passive Passive WAN optimization peer auto-detection.

off Turn off WAN optimization peer auto-detection.

wanopt- WAN optimization passive mode options. This option - default

passive-opt * option decides what IP address will be used to
connect server.

Option Description

default Allow client side WAN opt peer to decide.

transparent Use address of client to connect to server.

non-transparent Use local FortiGate address to connect to server.

wanopt-peer * WAN optimization peer. string Not Specified

wanopt-profile * WAN optimization profile. string Not Specified

FortiOS 7.0.9 CLI Reference 303

Fortinet Inc.
Parameter Description Type Size Default

enable Enable web cache for HTTPS.

webfilter-profile Name of an existing Web filter profile. string Not Specified

webproxy- Webproxy forward server name. string Not Specified

forward-server

webproxy- Webproxy profile name. string Not Specified

profile

ztna-ems-tag Source ztna-ems-tag names. string Maximum

<name> Address name. length: 79

ztna-geo-tag Source ztna-geo-tag names. string Maximum

<name> Address name. length: 79

ztna-status Enable/disable zero trust access. option - disable

Option Description

enable Enable zero trust network access.

disable Disable zero trust network access.

* This parameter may not exist in some models.

config firewall profile-group

Configure profile groups.

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
Description: Configure protocol options.
edit <name>
config cifs
Description: Configure CIFS protocol options.
set ports {integer}
set status [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set server-credential-type [none|credential-replication|...]
set domain-controller {string}
config server-keytab
Description: Server keytab.
edit <principal>

FortiOS 7.0.9 CLI Reference 306

Fortinet Inc.
set principal {string}
set keytab {string}
next
end
end
set comment {var-string}
config dns
Description: Configure DNS protocol options.
set ports {integer}
set status [enable|disable]
end
config ftp
Description: Configure FTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
set explicit-ftp-tls [enable|disable]
end
config http
Description: Configure HTTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set range-block [disable|enable]
set strip-x-forwarded-for [disable|enable]
set post-lang {option1}, {option2}, ...
set streaming-content-bypass [enable|disable]
set switching-protocols [bypass|block]
set unknown-http-version [reject|tunnel|...]
set tunnel-non-http [enable|disable]
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set block-page-status-code {integer}
set retry-count {integer}
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}

FortiOS 7.0.9 CLI Reference 307

Fortinet Inc.
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
set address-ip-rating [enable|disable]
end
config imap
Description: Configure IMAP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set ssl-offloaded [no|yes]
end
config mail-signature
Description: Configure Mail signature.
set status [disable|enable]
set signature {string}
end
config mapi
Description: Configure MAPI protocol options.
set ports {integer}
set status [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
end
set name {string}
config nntp
Description: Configure NNTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
end
set oversize-log [disable|enable]
config pop3
Description: Configure POP3 protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}

FortiOS 7.0.9 CLI Reference 308

Fortinet Inc.
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set ssl-offloaded [no|yes]
end
set replacemsg-group {string}
set rpc-over-http [enable|disable]
config smtp
Description: Configure SMTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set server-busy [enable|disable]
set ssl-offloaded [no|yes]
end
config ssh
Description: Configure SFTP and SCP protocol options.
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
end
set switching-protocols-log [disable|enable]
next
end

config firewall profile-protocol-options

Parameter Description Type Size Default

comment Optional comments. var-string Not

Specified

name Name. string Not

Specified

oversize-log Enable/disable logging for antivirus oversize file option - disable

blocking.

FortiOS 7.0.9 CLI Reference 309

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging for antivirus oversize file blocking.

enable Enable logging for antivirus oversize file blocking.

replacemsg- Name of the replacement message group to be used. string Not

group Specified

rpc-over-http Enable/disable inspection of RPC over HTTP. option - disable

Option Description

enable Enable inspection of RPC over HTTP.

disable Disable inspection of RPC over HTTP.

switching- Enable/disable logging for HTTP/HTTPS switching option - disable

protocols-log protocols.

Option Description

disable Disable logging for HTTP/HTTPS switching protocols.

enable Enable logging for HTTP/HTTPS switching protocols.

config cifs

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

FortiOS 7.0.9 CLI Reference 310

Fortinet Inc.
Parameter Description Type Size Default

oversize-limit Maximum in-memory file size that can be scanned. integer Minimum 10
value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value:
65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

FortiOS 7.0.9 CLI Reference 311

Fortinet Inc.
Parameter Description Type Size Default

tcp-window-size Set TCP static window size. integer Minimum 262144

value:
65536
Maximum
value:
33554432

server-credential- CIFS server credential type. option - none

type

Option Description

none Credential derivation not set.

credential- Credential derived using Replication account on Domain Controller.

replication

credential- Credential derived using server keytab.

keytab

domain-controller Domain for which to decrypt CIFS traffic. string Not

Specified

** Values may differ between models.

config server-keytab

Parameter Description Type Size Default

principal Service principal. For example, string Not

host/[email protected]. Specified

keytab Base64 encoded keytab file containing credential of the string Not
server. Specified

config dns

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

FortiOS 7.0.9 CLI Reference 312

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

config ftp

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value: 65535

status Enable/disable the active status of scanning for option - enable

this protocol.

Option Description

enable Enable setting.

disable Disable setting.

inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

clientcomfort Prevent client timeout.

oversize Block oversized file.

splice Enable splice mode.

bypass-rest- Bypass REST command.

command

bypass-mode- Bypass MODE command.

command

FortiOS 7.0.9 CLI Reference 313

Fortinet Inc.
Parameter Description Type Size Default

comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data. value: 1
Maximum
value: 900

comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting. value: 1
Maximum
value: 65535

oversize-limit Maximum in-memory file size that can be integer Minimum 10

scanned. value: 1
Maximum
value: 1606 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

disable Disable setting.

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

FortiOS 7.0.9 CLI Reference 314

Fortinet Inc.
Parameter Description Type Size Default

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

explicit-ftp-tls Enable/disable FTP redirection for explicit FTPS. option - disable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config http

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value: 65535

status Enable/disable the active status of scanning for option - enable

this protocol.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

clientcomfort Prevent client timeout.

servercomfort Prevent server timeout.

oversize Block oversized file.

chunkedbypass Bypass chunked transfer encoded sites.

comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data. value: 1
Maximum
value: 900

comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting. value: 1
Maximum
value: 65535

range-block Enable/disable blocking of partial downloads. option - disable

to UTF-8 for banned words and DLP on HTTP
posts (maximum of 5 character sets).

Option Description

jisx0201 Japanese Industrial Standard 0201.

jisx0208 Japanese Industrial Standard 0208.

jisx0212 Japanese Industrial Standard 0212.

gb2312 Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex Wansung Korean standard 5601.

euc-jp Extended Unicode Japanese.

sjis Shift Japanese Industrial Standard.

iso2022-jp ISO 2022 Japanese.

iso2022-jp-1 ISO 2022-1 Japanese.

iso2022-jp-2 ISO 2022-2 Japanese.

euc-cn Extended Unicode Chinese.

ces-gbk Extended GB2312 (simplified Chinese).

hz Hanzi simplified Chinese.

ces-big5 Big-5 traditional Chinese.

euc-kr Extended Unicode Korean.

iso2022-jp-3 ISO 2022-3 Japanese.

iso8859-1 ISO 8859 Part 1 (Western European).

tis620 Thai Industrial Standard 620.

FortiOS 7.0.9 CLI Reference 317

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cp874 Code Page 874 (Thai).

tunnel Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying
HTTP protocol optimization, byte-caching, or web caching. TCP protocol
optimization is applied.

best-effort Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session
uses a different HTTP version, it may not parse correctly and the
connection may be lost.

tunnel-non-http Configure how to process non-HTTP traffic when option - enable

a profile configured for HTTP traffic accepts a
non-HTTP session. Can occur if an application
sends non-HTTP traffic using an HTTP
destination port.

FortiOS 7.0.9 CLI Reference 318

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Pass non-HTTP sessions through the tunnel without applying protocol
optimization, byte-caching, or web caching. TCP protocol optimization is
applied.

disable Drop or tear down non-HTTP sessions accepted by the profile.

oversize-limit Maximum in-memory file size that can be integer Minimum 10

scanned. value: 1
Maximum
value: 1606 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

disable Disable setting.

block-page- Code number returned for blocked HTTP pages. integer Minimum 403
status-code value: 100
Maximum
value: 599

retry-count Number of attempts to retry HTTP connection. integer Minimum 0

value: 0
Maximum
value: 100

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

FortiOS 7.0.9 CLI Reference 319

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

address-ip-rating Enable/disable IP based URL rating. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 320

Fortinet Inc.
config imap

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned. integer Minimum 10
value: 1
Maximum
value: 1606
**

FortiOS 7.0.9 CLI Reference 321

Fortinet Inc.
Parameter Description Type Size Default

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config mail-signature

Parameter Description Type Size Default

status Enable/disable adding an email signature to SMTP option - disable

email messages as they pass through the FortiGate.

Option Description

disable Disable mail signature.

enable Enable mail signature.

signature Email signature to be added to outgoing email (if the string Not
signature contains spaces, enclose with quotation Specified
marks).

FortiOS 7.0.9 CLI Reference 322

Fortinet Inc.
config mapi

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned. integer Minimum 10
value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 323

Fortinet Inc.
config nntp

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

splice Enable splice mode.

oversize-limit Maximum in-memory file size that can be scanned. integer Minimum 10
value: 1
Maximum
value: 1606
**

FortiOS 7.0.9 CLI Reference 324

Fortinet Inc.
Parameter Description Type Size Default

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config pop3

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has option - disable
handshake been established (not before).

FortiOS 7.0.9 CLI Reference 325

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned. integer Minimum 10
value: 1
Maximum
value: 1606
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 326

Fortinet Inc.
config smtp

Parameter Description Type Size Default

ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config ssh

Parameter Description Type Size Default

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

FortiOS 7.0.9 CLI Reference 328

Fortinet Inc.
Parameter Description Type Size Default

Option Description

clientcomfort Prevent client timeout.

servercomfort Prevent server timeout.

comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data. value: 1
Maximum
value: 900

comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting. value: 1
Maximum
value: 65535

oversize-limit Maximum in-memory file size that can be integer Minimum 10

scanned. value: 1
Maximum
value: 1606 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config firewall proute

List policy routing.

config firewall proute
Description: List policy routing.
set <policy route id> {string}
end

FortiOS 7.0.9 CLI Reference 330

Fortinet Inc.
config firewall proute

Parameter Description Type Size Default

<policy route id> Number. string Not

Specified

config firewall proute6

List IPv6 policy routing.

config firewall proute6
Description: List IPv6 policy routing.
end

config firewall proxy-address

Configure web proxy address.

config firewall proxy-address
Description: Configure web proxy address.
edit <name>
set case-sensitivity [disable|enable]
set category <id1>, <id2>, ...
set color {integer}
set comment {var-string}
set header {string}
config header-group
Description: HTTP header group.
edit <id>
set id {integer}
set header-name {string}
set header {string}
set case-sensitivity [disable|enable]
next
end
set header-name {string}
set host {string}
set host-regex {string}
set method {option1}, {option2}, ...
set name {string}
set path {string}
set query {string}
set referrer [enable|disable]
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end

FortiOS 7.0.9 CLI Reference 331

Fortinet Inc.
set type [host-regex|url|...]
set ua {option1}, {option2}, ...
set uuid {uuid}
next
end

config firewall proxy-address

Parameter Description Type Size Default

case- Enable to make the pattern case sensitive. option - disable

sensitivity

Option Description

disable Case insensitive in pattern.

enable Case sensitive in pattern.

category FortiGuard category ID. integer Minimum

<id> FortiGuard category ID. value: 0
Maximum
value:
4294967295

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

comment Optional comments. var-string Not Specified

header HTTP header name as a regular expression. string Not Specified

header-name Name of HTTP header. string Not Specified

host Address object for the host. string Not Specified

host-regex Host name as a regular expression. string Not Specified

method HTTP request methods to be used. option -

Option Description

get GET method.

post POST method.

put PUT method.

head HEAD method.

connect CONNECT method.

trace TRACE method.

FortiOS 7.0.9 CLI Reference 332

Fortinet Inc.
Parameter Description Type Size Default

Option Description

options OPTIONS method.

delete DELETE method.

name Address name. string Not Specified

path URL path as a regular expression. string Not Specified

query Match the query part of the URL as a regular string Not Specified
expression.

referrer Enable/disable use of referrer field in the HTTP option - disable

header to match the address.

Option Description

enable Enable setting.

disable Disable setting.

type Proxy address type. option - url

Option Description

host-regex Host regular expression.

url HTTP URL.

category FortiGuard URL catgegory.

method HTTP request method.

ua HTTP request user agent.

header HTTP request header.

src-advanced HTTP advanced source criteria.

dst-advanced HTTP advanced destination criteria.

ua Names of browsers to be used as user agent. option -

Option Description

chrome Google Chrome.

ms Microsoft Internet Explorer or EDGE.

firefox Mozilla Firefox.

safari Apple Safari.

other Other browsers.

FortiOS 7.0.9 CLI Reference 333

Fortinet Inc.
Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

config header-group

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

header-name HTTP header. string Not Specified

header HTTP header regular expression. string Not Specified

case- Case sensitivity in pattern. option - disable

sensitivity

Option Description

disable Case insensitive in pattern.

enable Case sensitive in pattern.

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

member Members of address group. string Maximum

<name> Address name. length: 79

name Address group name. string Not

Specified

type Source or destination address group type. option - src

Option Description

src Source group.

dst Destination group.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config tagging

Parameter Description Type Size Default

name Tagging entry name. string Not

Specified

category Tag category. string Not

Specified

FortiOS 7.0.9 CLI Reference 335

Fortinet Inc.
Parameter Description Type Size Default

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy
Description: Configure proxy policies.
edit <policyid>
set access-proxy <name1>, <name2>, ...
set access-proxy6 <name1>, <name2>, ...
set action [accept|deny|...]
set application-list {string}
set av-profile {string}
set block-notification [enable|disable]
set comments {var-string}
set decrypted-traffic-mirror {string}
set device-ownership [enable|disable]
set disclaimer [disable|domain|...]
set dlp-sensor {string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set emailfilter-profile {string}
set file-filter-profile {string}
set groups <name1>, <name2>, ...
set http-tunnel-auth [enable|disable]
set icap-profile {string}
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set ips-sensor {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set name {string}
set policyid {integer}
set poolname <name1>, <name2>, ...
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set proxy [explicit-web|transparent-web|...]
set redirect-url {var-string}
set replacemsg-override-group {string}
set schedule {string}
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set session-ttl {integer}

FortiOS 7.0.9 CLI Reference 336

Fortinet Inc.
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssh-policy-redirect [enable|disable]
set ssl-ssh-profile {string}
set status [enable|disable]
set transparent [enable|disable]
set users <name1>, <name2>, ...
set utm-status [enable|disable]
set uuid {uuid}
set videofilter-profile {string}
set waf-profile {string}
set webcache [enable|disable]
set webcache-https [disable|enable]
set webfilter-profile {string}
set webproxy-forward-server {string}
set webproxy-profile {string}
set ztna-ems-tag <name1>, <name2>, ...
set ztna-tags-match-logic [or|and]
next
end

config firewall proxy-policy

Parameter Description Type Size Default

access-proxy IPv4 access proxy. string Maximum

<name> Access Proxy name. length: 79

access-proxy6 IPv6 access proxy. string Maximum

<name> Access proxy name. length: 79

action Accept or deny traffic matching the policy option - deny

parameters.

Option Description

accept Action accept.

deny Action deny.

redirect Action redirect.

application-list Name of an existing Application list. string Not Specified

av-profile Name of an existing Antivirus profile. string Not Specified

block- Enable/disable block notification. option - disable

notification

FortiOS 7.0.9 CLI Reference 337

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

comments Optional comments. var-string Not Specified

decrypted- Decrypted traffic mirror. string Not Specified

traffic-mirror

device- When enabled, the ownership enforcement will option - disable

ownership be done at policy level.

Option Description

enable Enable device ownership.

disable Disable device ownership.

disclaimer Web proxy disclaimer setting: by domain, option - disable

policy, or user.

Option Description

disable Disable disclaimer.

domain Display disclaimer for domain

policy Display disclaimer for policy

user Display disclaimer for current user

dlp-sensor Name of an existing DLP sensor. string Not Specified

dstaddr Destination address objects. string Maximum

<name> Address name. length: 79

dstaddr- When enabled, destination addresses match option - disable

negate against any address EXCEPT the specified
destination addresses.

Option Description

enable Enable source address negate.

disable Disable destination address negate.

dstaddr6 IPv6 destination address objects. string Maximum

<name> Address name. length: 79

dstintf <name> Destination interface names. string Maximum

Interface name. length: 79

FortiOS 7.0.9 CLI Reference 338

Fortinet Inc.
Parameter Description Type Size Default

emailfilter- Name of an existing email filter profile. string Not Specified

profile

file-filter-profile Name of an existing file-filter profile. string Not Specified

groups Names of group objects. string Maximum

<name> Group name. length: 79

http-tunnel- Enable/disable HTTP tunnel authentication. option - disable

auth

Option Description

enable Enable setting.

disable Disable setting.

icap-profile Name of an existing ICAP profile. string Not Specified

internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address and
service are not used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>

internet- When enabled, Internet Services match against option - disable

service-negate any internet service EXCEPT the selected
Internet Service.

value: 0
Maximum
value:
4294967295

poolname Name of IP pool object. string Maximum

<name> IP pool name. length: 79

profile-group Name of profile group. string Not Specified

profile- Name of an existing Protocol options profile. string Not Specified default
protocol-
options

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

proxy Type of explicit proxy. option -

FortiOS 7.0.9 CLI Reference 340

Fortinet Inc.
Parameter Description Type Size Default

Option Description

explicit-web Explicit Web Proxy

transparent-web Transparent Web Proxy

ftp Explicit FTP Proxy

ssh SSH Proxy

ssh-tunnel SSH Tunnel

access-proxy Access Proxy

wanopt WANopt Tunnel

redirect-url Redirect URL for further explicit web proxy var-string Not Specified
processing.

replacemsg- Authentication replacement message override string Not Specified

override-group group.

schedule Name of schedule object. string Not Specified

service Name of service objects. string Maximum

<name> Service name. length: 79

service-negate When enabled, services match against any option - disable

service EXCEPT the specified destination
services.

Option Description

enable Enable negated service match.

disable Disable negated service match.

session-ttl TTL in seconds for sessions accepted by this integer Minimum 0

policy. value: 300
Maximum
value:
2764800

srcaddr Source address objects. string Maximum

<name> Address name. length: 79

srcaddr- When enabled, source addresses match option - disable

negate against any address EXCEPT the specified
source addresses.

Option Description

enable Enable source address negate.

FortiOS 7.0.9 CLI Reference 341

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable destination address negate.

srcaddr6 IPv6 source address objects. string Maximum

<name> Address name. length: 79

srcintf <name> Source interface names. string Maximum

Interface name. length: 79

ssh-filter- Name of an existing SSH filter profile. string Not Specified

profile

ssh-policy- Redirect SSH traffic to matching transparent option - disable

redirect proxy policy.

Option Description

enable Enable SSH policy redirect.

disable Disable SSH policy redirect.

ssl-ssh-profile Name of an existing SSL SSH profile. string Not Specified no-inspection

status Enable/disable the active status of the policy. option - enable

Option Description

enable Enable setting.

disable Disable setting.

transparent Enable to use the IP address of the client to option - disable

connect to the server.

disable Disable web cache for HTTPS.

enable Enable web cache for HTTPS.

webfilter- Name of an existing Web filter profile. string Not Specified

profile

webproxy- Web proxy forward server name. string Not Specified

forward-server

webproxy- Name of web proxy profile. string Not Specified

profile

ztna-ems-tag ZTNA EMS Tag names. string Maximum

<name> EMS Tag name. length: 79

ztna-tags- ZTNA tag matching logic. option - or

match-logic

Option Description

or Match ZTNA tags using a logical OR operator.

and Match ZTNA tags using a logical AND operator.

* This parameter may not exist in some models.

config firewall region

Define region table.

FortiOS 7.0.9 CLI Reference 343

Fortinet Inc.
config firewall region
Description: Define region table.
edit <id>
set city <id1>, <id2>, ...
set id {integer}
set name {string}
next
end

config firewall region

Parameter Description Type Size Default

city <id> City ID list. integer Minimum

City ID. value: 0
Maximum
value:
65535

id Region ID. integer Minimum 0

value: 0
Maximum
value:
65535

name Region name. string Not

Specified

config firewall schedule group

Schedule group configuration.

config firewall schedule group
Description: Schedule group configuration.
edit <name>
set color {integer}
set fabric-object [enable|disable]
set member <name1>, <name2>, ...
set name {string}
next
end

config firewall schedule group

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

FortiOS 7.0.9 CLI Reference 344

Fortinet Inc.
Parameter Description Type Size Default

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Schedules added to the schedule group. string Maximum

<name> Schedule name. length: 79

name Schedule group name. string Not

Specified

config firewall schedule onetime

Onetime schedule configuration.

config firewall schedule onetime
Description: Onetime schedule configuration.
edit <name>
set color {integer}
set end {user}
set expiration-days {integer}
set fabric-object [enable|disable]
set name {string}
set start {user}
next
end

config firewall schedule onetime

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

end Schedule end date and time, format hh:mm user Not
yyyy/mm/dd. Specified

expiration- Write an event log message this many days before the integer Minimum 3
days schedule expires. value: 0
Maximum
value: 100

fabric-object Security Fabric global object setting. option - disable

FortiOS 7.0.9 CLI Reference 345

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

name Onetime schedule name. string Not

Specified

start Schedule start date and time, format hh:mm user Not
yyyy/mm/dd. Specified

config firewall schedule recurring

Recurring schedule configuration.

config firewall schedule recurring
Description: Recurring schedule configuration.
edit <name>
set color {integer}
set day {option1}, {option2}, ...
set end {user}
set fabric-object [enable|disable]
set name {string}
set start {user}
next
end

config firewall schedule recurring

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

day One or more days of the week on which the schedule is option - none
valid. Separate the names of the days with a space.

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

FortiOS 7.0.9 CLI Reference 346

Fortinet Inc.
Parameter Description Type Size Default

Option Description

thursday Thursday.

friday Friday.

saturday Saturday.

none None.

end Time of day to end the schedule, format hh:mm. user Not
Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

name Recurring schedule name. string Not

Specified

start Time of day to start the schedule, format hh:mm. user Not
Specified

config firewall security-policy

Configure NGFW IPv4/IPv6 application policies.

config firewall security-policy
Description: Configure NGFW IPv4/IPv6 application policies.
edit <policyid>
set action [accept|deny]
set app-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set application <id1>, <id2>, ...
set application-list {string}
set av-profile {string}
set cifs-profile {string}
set comments {var-string}
set dlp-sensor {string}
set dnsfilter-profile {string}
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set emailfilter-profile {string}
set enforce-default-app-port [enable|disable]
set file-filter-profile {string}
set fsso-groups <name1>, <name2>, ...
set groups <name1>, <name2>, ...

FortiOS 7.0.9 CLI Reference 347

Fortinet Inc.
set icap-profile {string}
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set ips-sensor {string}
set learning-mode [enable|disable]
set logtraffic [all|utm|...]
set name {string}
set nat46 [enable|disable]
set nat64 [enable|disable]
set policyid {integer}
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set schedule {string}
set sctp-filter-profile {string}
set send-deny-packet [disable|enable]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssl-ssh-profile {string}
set status [enable|disable]
set url-category <id1>, <id2>, ...
set users <name1>, <name2>, ...
set uuid {uuid}
set videofilter-profile {string}
set voip-profile {string}
set webfilter-profile {string}
next
end

config firewall security-policy

Parameter Description Type Size Default

action Policy action (accept/deny). option - deny

Option Description

accept Allows session that match the firewall policy.

deny Blocks sessions that match the firewall policy.

FortiOS 7.0.9 CLI Reference 348

Fortinet Inc.
Parameter Description Type Size Default

app-category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295

app-group Application group names. string Maximum

<name> Application group names. length: 79

application Application ID list. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

application- Name of an existing Application list. string Not Specified

list

av-profile Name of an existing Antivirus profile. string Not Specified

cifs-profile Name of an existing CIFS profile. string Not Specified

comments Comment. var-string Not Specified

dlp-sensor Name of an existing DLP sensor. string Not Specified

dnsfilter- Name of an existing DNS filter profile. string Not Specified

profile

dstaddr Destination IPv4 address name and address string Maximum

<name> group names. length: 79
Address name.

dstaddr- When enabled dstaddr/dstaddr6 specifies what option - disable

negate the destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

dstaddr6 Destination IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

dstintf Outgoing (egress) interface. string Maximum

<name> Interface name. length: 79

emailfilter- Name of an existing email filter profile. string Not Specified

profile

FortiOS 7.0.9 CLI Reference 349

Fortinet Inc.
Parameter Description Type Size Default

enforce- Enable/disable default application port option - enable

default-app- enforcement for allowed applications.
port

Option Description

enable Enable setting.

disable Disable setting.

file-filter- Name of an existing file-filter profile. string Not Specified

profile

fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511

groups Names of user groups that can authenticate with string Maximum
<name> this policy. length: 79
User group name.

icap-profile Name of an existing ICAP profile. string Not Specified

internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address and
service are not used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>

internet- When enabled internet-service specifies what option - disable

service- the service must NOT be.
negate

FortiOS 7.0.9 CLI Reference 350

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet- Enable/disable use of Internet Services in option - disable

service-src source for this policy. If enabled, source address
is not used.

Option Description

enable Enable use of Internet Services source in policy.

disable Disable use of Internet Services source in policy.

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group
<name>

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service-src specifies option - disable

service-src- what the service must NOT be.
negate

Option Description

enable Enable negated Internet Service source match.

disable Disable negated Internet Service source match.

ips-sensor Name of an existing IPS sensor. string Not Specified

learning- Enable to allow everything, but log all of the option - disable
mode meaningful data for security information
gathering. A learning report will be generated.

FortiOS 7.0.9 CLI Reference 351

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable learning mode.

disable Disable learning mode.

logtraffic Enable or disable logging. Log all sessions or option - utm

security profile sessions.

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

name Policy name. string Not Specified

nat46 Enable/disable NAT46. option - disable

Option Description

enable Enable NAT46.

disable Disable NAT46.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

policyid Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

profile-group Name of profile group. string Not Specified

profile- Name of an existing Protocol options profile. string Not Specified default
protocol-
options

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

FortiOS 7.0.9 CLI Reference 352

Fortinet Inc.
Parameter Description Type Size Default

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

schedule Schedule name. string Not Specified

sctp-filter- Name of an existing SCTP filter profile. string Not Specified

profile

send-deny- Enable to send a reply when a session is denied option - disable

packet or blocked by a firewall policy.

FortiOS 7.0.9 CLI Reference 354

Fortinet Inc.
config firewall service category

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

name Service category name. string Not

Specified

config firewall service custom

Configure custom services.

config firewall service custom
Description: Configure custom services.
edit <name>
set app-category <id1>, <id2>, ...
set app-service-type [disable|app-id|...]
set application <id1>, <id2>, ...
set category {string}
set check-reset-range [disable|strict|...]
set color {integer}
set comment {var-string}
set fabric-object [enable|disable]
set fqdn {string}
set helper [auto|disable|...]
set icmpcode {integer}
set icmptype {integer}
set iprange {user}
set name {string}
set protocol [TCP/UDP/SCTP|ICMP|...]
set protocol-number {integer}
set proxy [enable|disable]
set sctp-portrange {user}
set session-ttl {user}
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-portrange {user}
set tcp-rst-timer {integer}
set tcp-timewait-timer {integer}
set udp-idle-timer {integer}
set udp-portrange {user}
set visibility [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 355

Fortinet Inc.
config firewall service custom

Parameter Description Type Size Default

app-category Application category ID. integer Minimum

<id> Application category id. value: 0
Maximum
value:
4294967295

app-service- Application service type. option - disable

type

Option Description

disable Disable application type.

app-id Application ID.

app-category Applicatin category.

application Application ID. integer Minimum

<id> Application id. value: 0
Maximum
value:
4294967295

category Service category. string Not Specified

check-reset- Configure the type of ICMP error message option - default

range verification.

Option Description

disable Disable RST range check.

strict Check RST range strictly.

default Using system default setting.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

FortiOS 7.0.9 CLI Reference 356

Fortinet Inc.
Parameter Description Type Size Default

fqdn Fully qualified domain name. string Not Specified

helper Helper name. option - auto

Option Description

auto Automatically select helper based on protocol and port.

disable Disable helper.

ftp FTP.

tftp TFTP.

ras RAS.

h323 H323.

tns TNS.

mms MMS.

sip SIP.

pptp PPTP.

rtsp RTSP.

dns-udp DNS UDP.

dns-tcp DNS TCP.

pmap PMAP.

rsh RSH.

dcerpc DCERPC.

mgcp MGCP.

icmpcode ICMP code. integer Minimum

value: 0
Maximum
value: 255

icmptype ICMP type. integer Minimum

value: 0
Maximum
value:
4294967295

iprange Start and end of the IP range associated with user Not Specified
service.

name Custom service name. string Not Specified

protocol Protocol type based on IANA numbers. option - TCP/UDP/SCTP

FortiOS 7.0.9 CLI Reference 357

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TCP/UDP/SCTP TCP, UDP and SCTP.

ICMP ICMP.

ICMP6 ICMP6.

IP IP.

HTTP HTTP - for web proxy.

FTP FTP - for web proxy.

CONNECT Connect - for web proxy.

SOCKS-TCP Socks TCP - for web proxy.

SOCKS-UDP Socks UDP - for web proxy.

ALL All - for web proxy.

protocol- IP protocol number. integer Minimum 0

number value: 0
Maximum
value: 254

proxy Enable/disable web proxy service. option - disable

Option Description

enable Enable setting.

disable Disable setting.

sctp- Multiple SCTP port ranges. user Not Specified

portrange

session-ttl Session TTL. user Not Specified

tcp-halfclose- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered FIN packet. value: 0
Maximum
value: 86400

tcp-halfopen- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered open session packet. value: 0
Maximum
value: 86400

tcp-portrange Multiple TCP port ranges. user Not Specified

FortiOS 7.0.9 CLI Reference 358

Fortinet Inc.
Parameter Description Type Size Default

tcp-rst-timer Set the length of the TCP CLOSE state in integer Minimum 0
seconds. value: 5
Maximum
value: 300

tcp-timewait- Set the length of the TCP TIME-WAIT state in integer Minimum 0
timer seconds. value: 0
Maximum
value: 300

udp-idle-timer UDP half close timeout. integer Minimum 0

value: 0
Maximum
value: 86400

udp-portrange Multiple UDP port ranges. user Not Specified

visibility Enable/disable the visibility of the service on option - enable

the GUI.

Option Description

enable Show in service selection.

disable Hide from service selection.

config firewall service group

Configure service groups.

config firewall service group
Description: Configure service groups.
edit <name>
set color {integer}
set comment {var-string}
set fabric-object [enable|disable]
set member <name1>, <name2>, ...
set name {string}
set proxy [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 359

Fortinet Inc.
config firewall service group

Parameter Description Type Size Default

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

member Service objects contained within the group. string Maximum

<name> Address name. length: 79

name Address group name. string Not

Specified

proxy Enable/disable web proxy service group. option - disable

Option Description

enable Enable setting.

disable Disable setting.

config firewall shaper per-ip-shaper

Configure per-IP traffic shaper.

config firewall shaper per-ip-shaper
Description: Configure per-IP traffic shaper.
edit <name>
set bandwidth-unit [kbps|mbps|...]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set max-bandwidth {integer}
set max-concurrent-session {integer}
set max-concurrent-tcp-session {integer}
set max-concurrent-udp-session {integer}
set name {string}
next
end

FortiOS 7.0.9 CLI Reference 360

Fortinet Inc.
config firewall shaper per-ip-shaper

Parameter Description Type Size Default

bandwidth-unit Unit of measurement for maximum bandwidth for this option - kbps
shaper (Kbps, Mbps or Gbps).

Option Description

kbps Kilobits per second.

mbps Megabits per second.

gbps Gigabits per second.

diffserv- Enable/disable changing the Forward (original) option - disable

forward DiffServ setting applied to traffic accepted by this
shaper.

Option Description

enable Enable setting forward (original) traffic DiffServ.

disable Disable setting forward (original) traffic DiffServ.

diffserv- Enable/disable changing the Reverse (reply) DiffServ option - disable

reverse setting applied to traffic accepted by this shaper.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Forward (original) DiffServ setting to be applied to user Not

forward traffic accepted by this shaper. Specified

diffservcode- Reverse (reply) DiffServ setting to be applied to traffic user Not

rev accepted by this shaper. Specified

max-bandwidth Upper bandwidth limit enforced by this shaper. 0 integer Minimum 0

means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **

max- Maximum number of concurrent sessions allowed by integer Minimum 0

concurrent- this shaper. 0 means no limit. value: 0
session Maximum
value:
2097000

FortiOS 7.0.9 CLI Reference 361

Fortinet Inc.
Parameter Description Type Size Default

max- Maximum number of concurrent TCP sessions allowed integer Minimum 0

concurrent-tcp- by this shaper. 0 means no limit. value: 0
session Maximum
value:
2097000

max- Maximum number of concurrent UDP sessions integer Minimum 0

concurrent- allowed by this shaper. 0 means no limit. value: 0
udp-session Maximum
value:
2097000

name Traffic shaper name. string Not

Specified

** Values may differ between models.

config firewall shaper per-ip

Per-IP traffic shapers.

config firewall shaper per-ip
Description: Per-IP traffic shapers.
end

config firewall shaper traffic-shaper

Configure shared traffic shaper.

config firewall shaper traffic-shaper
Description: Configure shared traffic shaper.
edit <name>
set bandwidth-unit [kbps|mbps|...]
set diffserv [enable|disable]
set diffservcode {user}
set dscp-marking-method [multi-stage|static]
set exceed-bandwidth {integer}
set exceed-class-id {integer}
set exceed-dscp {user}
set guaranteed-bandwidth {integer}
set maximum-bandwidth {integer}
set maximum-dscp {user}
set name {string}
set overhead {integer}
set per-policy [disable|enable]
set priority [low|medium|...]
next
end

FortiOS 7.0.9 CLI Reference 362

Fortinet Inc.
config firewall shaper traffic-shaper

Parameter Description Type Size Default

bandwidth-unit Unit of measurement for guaranteed and maximum option - kbps

bandwidth for this shaper (Kbps, Mbps or Gbps).

Option Description

kbps Kilobits per second.

mbps Megabits per second.

gbps Gigabits per second.

diffserv Enable/disable changing the DiffServ setting applied option - disable

to traffic accepted by this shaper.

Option Description

enable Enable setting traffic DiffServ.

disable Disable setting traffic DiffServ.

diffservcode DiffServ setting to be applied to traffic accepted by user Not Specified

this shaper.

dscp-marking- Select DSCP marking method. option - static

method

Option Description

multi-stage Multistage marking.

static Static marking.

exceed- Exceed bandwidth used for DSCP multi-stage integer Minimum 0

bandwidth marking. Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000 **

exceed-class- Class ID for traffic in guaranteed-bandwidth and integer Minimum 0

id maximum-bandwidth. value: 0
Maximum
value:
4294967295

exceed-dscp DSCP mark for traffic in guaranteed-bandwidth and user Not Specified
exceed-bandwidth.

FortiOS 7.0.9 CLI Reference 363

Fortinet Inc.
Parameter Description Type Size Default

guaranteed- Amount of bandwidth guaranteed for this shaper. integer Minimum 0

bandwidth Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000 **

maximum- Upper bandwidth limit enforced by this shaper. 0 integer Minimum 0

bandwidth means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **

maximum- DSCP mark for traffic in exceed-bandwidth and user Not Specified
dscp maximum-bandwidth.

name Traffic shaper name. string Not Specified

overhead Per-packet size overhead used in rate computations. integer Minimum 0

value: 0
Maximum
value: 100

per-policy Enable/disable applying a separate shaper for each option - disable

policy. For example, if enabled the guaranteed
bandwidth is applied separately for each policy.

Option Description

disable All referring policies share one traffic shaper.

enable Each referring policy has its own traffic shaper.

priority Higher priority traffic is more likely to be forwarded option - high

without delays and without compromising the
guaranteed bandwidth.

Option Description

low Low priority.

medium Medium priority.

high High priority.

** Values may differ between models.

config firewall shaper traffic

Shared traffic shapers.

FortiOS 7.0.9 CLI Reference 364

Fortinet Inc.
config firewall shaper traffic
Description: Shared traffic shapers.
end

config firewall shaping-policy

Configure shaping policies.

config firewall shaping-policy
Description: Configure shaping policies.
edit <id>
set app-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set application <id1>, <id2>, ...
set class-id {integer}
set comment {var-string}
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set dstaddr <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set id {integer}
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set ip-version [4|6]
set name {string}
set per-ip-shaper {string}
set schedule {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set status [enable|disable]
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set url-category <id1>, <id2>, ...
set users <name1>, <name2>, ...
next
end

FortiOS 7.0.9 CLI Reference 365

Fortinet Inc.
config firewall shaping-policy

Parameter Description Type Size Default

app-category IDs of one or more application categories that this integer Minimum
<id> shaper applies application control traffic shaping to. value: 0
Category IDs. Maximum
value:
4294967295

app-group One or more application group names. string Maximum

<name> Application group name. length: 79

application IDs of one or more applications that this shaper integer Minimum
<id> applies application control traffic shaping to. value: 0
Application IDs. Maximum
value:
4294967295

class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

comment Comments. var-string Not Specified

diffserv- Enable to change packet's DiffServ values to the option - disable

forward specified diffservcode-forward value.

Option Description

enable Enable setting forward (original) traffic DiffServ.

disable Disable setting forward (original) traffic DiffServ.

diffserv- Enable to change packet's reverse (reply) DiffServ option - disable

reverse values to the specified diffservcode-rev value.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Change packet's DiffServ to this value. user Not Specified

forward

diffservcode- Change packet's reverse (reply) DiffServ to this user Not Specified
rev value.

dstaddr IPv4 destination address and address group names. string Maximum
<name> Address name. length: 79

FortiOS 7.0.9 CLI Reference 366

Fortinet Inc.
Parameter Description Type Size Default

dstaddr6 IPv6 destination address and address group names. string Maximum
<name> Address name. length: 79

dstintf <name> One or more outgoing (egress) interfaces. string Maximum

Interface name. length: 79

groups Apply this traffic shaping policy to user groups that string Maximum
<name> have authenticated with the FortiGate. length: 79
Group name.

id Shaping policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

internet-service Enable/disable use of Internet Services for this option - disable

policy. If enabled, destination address and service
are not used.

Option Description

enable Enable use of Internet Service in shaping-policy.

disable Disable use of Internet Service in shaping-policy.

internet- Custom Internet Service name. string Maximum

service-custom Custom Internet Service name. length: 79
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Internet Service ID. string Maximum

service-name Internet Service name. length: 79
<name>

internet- Enable/disable use of Internet Services in source for option - disable

service-src this policy. If enabled, source address is not used.

Option Description

enable Enable use of Internet Service source in shaping-policy.

disable Disable use of Internet Service source in shaping-policy.

FortiOS 7.0.9 CLI Reference 367

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group <name>

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name <name>

ip-version Apply this traffic shaping policy to IPv4 or IPv6 traffic. option - 4

Option Description

4 Use IPv4 addressing for Configuration Method.

6 Use IPv6 addressing for Configuration Method.

name Shaping policy name. string Not Specified

per-ip-shaper Per-IP traffic shaper to apply with this policy. string Not Specified

schedule Schedule name. string Not Specified

service Service and service group names. string Maximum

<name> Service name. length: 79

srcaddr IPv4 source address and address group names. string Maximum
<name> Address name. length: 79

srcaddr6 IPv6 source address and address group names. string Maximum
<name> Address name. length: 79

srcintf <name> One or more incoming (ingress) interfaces. string Maximum

Interface name. length: 79

status Enable/disable this traffic shaping policy. option - enable

Option Description

enable Enable traffic shaping policy.

disable Disable traffic shaping policy.

tos ToS (Type of Service) value used for comparison. user Not Specified

FortiOS 7.0.9 CLI Reference 368

Fortinet Inc.
Parameter Description Type Size Default

tos-mask Non-zero bit positions are used for comparison while user Not Specified
zero bit positions are ignored.

tos-negate Enable negated TOS match. option - disable

Option Description

enable Enable TOS match negate.

disable Disable TOS match negate.

traffic-shaper Traffic shaper to apply to traffic forwarded by the string Not Specified
firewall policy.

traffic-shaper- Traffic shaper to apply to response traffic received string Not Specified
reverse by the firewall policy.

url-category IDs of one or more FortiGuard Web Filtering integer Minimum

<id> categories that this shaper applies traffic shaping to. value: 0
URL category ID. Maximum
value:
4294967295

users <name> Apply this traffic shaping policy to individual users string Maximum
that have authenticated with the FortiGate. length: 79
User name.

config firewall shaping-profile

Configure shaping profiles.

config firewall shaping-profile
Description: Configure shaping profiles.
edit <profile-name>
set comment {var-string}
set default-class-id {integer}
set profile-name {string}
config shaping-entries
Description: Define shaping entries of this shaping profile.
edit <id>
set id {integer}
set class-id {integer}
set priority [top|critical|...]
set guaranteed-bandwidth-percentage {integer}
set maximum-bandwidth-percentage {integer}
set limit {integer}
set burst-in-msec {integer}
set cburst-in-msec {integer}
set red-probability {integer}
set min {integer}
set max {integer}
next

FortiOS 7.0.9 CLI Reference 369

Fortinet Inc.
end
set type [policing|queuing]
next
end

config firewall shaping-profile

Parameter Description Type Size Default

comment Comment. var-string Not Specified

default-class- Default class ID to handle unclassified packets integer Minimum 0

id (including all local traffic). value: 0
Maximum
value:
4294967295

profile-name Shaping profile name. string Not Specified

type Select shaping profile type: policing / queuing. option - policing

Option Description

policing Enable policing mode.

queuing Enable queuing mode.

config shaping-entries

Parameter Description Type Size Default

id ID number. integer Minimum 0

value: 0
Maximum
value:
4294967295

class-id Class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

priority Priority. option - high

Option Description

top Top priority.

critical Critical priority.

high High priority.

FortiOS 7.0.9 CLI Reference 370

Fortinet Inc.
Parameter Description Type Size Default

Option Description

medium Medium priority.

low Low priority.

guaranteed- Guaranteed bandwidth in percentage. integer Minimum 0

bandwidth- value: 0
percentage Maximum
value: 100

maximum- Maximum bandwidth in percentage. integer Minimum 1

bandwidth- value: 1
percentage Maximum
value: 100

limit Hard limit on the real queue size in packets. integer Minimum 1000
value: 5
Maximum
value: 10000

burst-in-msec Number of bytes that can be burst at maximum- integer Minimum 0

bandwidth speed. Formula: burst = maximum- value: 0
bandwidth*burst-in-msec. Maximum
value: 2000

cburst-in- Number of bytes that can be burst as fast as the integer Minimum 0
msec interface can transmit. Formula: cburst = maximum- value: 0
bandwidth*cburst-in-msec. Maximum
value: 2000

red-probability Maximum probability (in percentage) for RED integer Minimum 0

marking. value: 0
Maximum
value: 20

min Average queue size in packets at which RED drop integer Minimum 83
becomes a possibility. value: 3
Maximum
value: 3000

max Average queue size in packets at which RED drop integer Minimum 250
probability is maximal. value: 3
Maximum
value: 3000

config firewall sniffer

Configure sniffer.

FortiOS 7.0.9 CLI Reference 371

Fortinet Inc.
config firewall sniffer
Description: Configure sniffer.
edit <id>
config anomaly
Description: Configuration method to edit Denial of Service (DoS) anomaly
settings.
edit <name>
set name {string}
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set dlp-sensor {string}
set dlp-sensor-status [enable|disable]
set dsri [enable|disable]
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set file-filter-profile {string}
set file-filter-profile-status [enable|disable]
set host {string}
set id {integer}
set interface {string}
set ip-threatfeed <name1>, <name2>, ...
set ip-threatfeed-status [enable|disable]
set ips-dos-status [enable|disable]
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set ipv6 [enable|disable]
set logtraffic [all|utm|...]
set max-packet-count {integer}
set non-ip [enable|disable]
set port {string}
set protocol {string}
set status [enable|disable]
set vlan {string}
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

FortiOS 7.0.9 CLI Reference 372

enable Enable setting.

disable Disable setting.

dsri Enable/disable DSRI. option - disable

Option Description

enable Enable DSRI.

disable Disable DSRI.

emailfilter- Name of an existing email filter profile. string Not

profile Specified

emailfilter- Enable/disable emailfilter. option - disable

profile-status

FortiOS 7.0.9 CLI Reference 373

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

file-filter- Name of an existing file-filter profile. string Not

profile Specified

file-filter- Enable/disable file filter. option - disable

profile-status

Option Description

enable Enable setting.

disable Disable setting.

host Hosts to filter for in sniffer traffic. string Not

Specified

id Sniffer ID. integer Minimum 0

value: 0
Maximum
value: 9999

interface Interface name that traffic sniffing will take place on. string Not
Specified

ip-threatfeed Name of an existing IP threat feed. string Maximum

<name> Threat feed name. length: 79

ip-threatfeed- Enable/disable IP threat feed. option - disable

status

Option Description

enable Enable setting.

disable Disable setting.

ips-dos-status Enable/disable IPS DoS anomaly detection. option - disable

Option Description

enable Enable setting.

disable Disable setting.

ips-sensor Name of an existing IPS sensor. string Not

Specified

FortiOS 7.0.9 CLI Reference 374

Fortinet Inc.
Parameter Description Type Size Default

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

max-packet- Maximum packet count. integer Minimum 4000

count value: 1
Maximum
value:
1000000 **

non-ip Enable/disable sniffing non-IP packets. option - disable

Option Description

enable Enable sniffer for non-IP packets.

disable Disable sniffer for non-IP packets.

port Ports to sniff. string Not

Specified

protocol Integer value for the protocol type as defined by IANA. string Not
Specified

status Enable/disable the active status of the sniffer. option - enable

FortiOS 7.0.9 CLI Reference 375

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer status.

disable Disable sniffer status.

vlan List of VLANs to sniff. string Not

Specified

webfilter- Name of an existing web filter profile. string Not

profile Specified

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

config firewall ssh host-key

SSH proxy host public keys.

config firewall ssh host-key
Description: SSH proxy host public keys.
edit <name>
set hostname {string}
set ip {ipv4-address-any}
set name {string}
set nid [256|384|...]
set port {integer}
set public-key {var-string}
set status [trusted|revoked]
set type [RSA|DSA|...]
set usage [transparent-proxy|access-proxy]
next
end

FortiOS 7.0.9 CLI Reference 377

Fortinet Inc.
config firewall ssh host-key

Parameter Description Type Size Default

hostname Hostname of the SSH server to match SSH string Not Specified
certificate principals.

ip IP address of the SSH server. ipv4- Not Specified 0.0.0.0

address-
any

name SSH public key name. string Not Specified

nid Set the nid of the ECDSA key. option - 256

Option Description

256 The NID is ecdsa-sha2-nistp256.

384 The NID is ecdsa-sha2-nistp384.

521 The NID is ecdsa-sha2-nistp521.

port Port of the SSH server. integer Minimum 22

value: 0
Maximum
value:
4294967295

public-key SSH public key. var-string Not Specified

status Set the trust status of the public key. option - trusted

Option Description

trusted The public key is trusted.

revoked The public key is revoked.

type Set the type of the public key. option - RSA

Option Description

RSA The type of the public key is RSA.

DSA The type of the public key is DSA.

ECDSA The type of the public key is ECDSA.

ED25519 The type of the public key is ED25519.

RSA-CA The type of the public key is from RSA CA.

DSA-CA The type of the public key is from DSA CA.

ECDSA-CA The type of the public key is from ECDSA CA.

ED25519-CA The type of the public key is from ED25519 CA.

FortiOS 7.0.9 CLI Reference 378

Fortinet Inc.
Parameter Description Type Size Default

usage Usage for this public key. option - transparent-

proxy

Option Description

transparent- Transparent proxy uses this public key to validate server.

proxy

access-proxy Access proxy uses this public key to validate server.

config firewall ssh local-ca

SSH proxy local CA.

config firewall ssh local-ca
Description: SSH proxy local CA.
edit <name>
set name {string}
set password {password}
set private-key {user}
set public-key {user}
set source [built-in|user]
next
end

config firewall ssh local-ca

Parameter Description Type Size Default

name SSH proxy local CA name. string Not

Specified

password Password for SSH private key. password Not

Specified

private-key SSH proxy private key, encrypted with a password. user Not
Specified

public-key SSH proxy public key. user Not

Specified

source SSH proxy local CA source type. option - user

Option Description

built-in Built-in SSH proxy local keys.

user User imported SSH proxy local keys.

FortiOS 7.0.9 CLI Reference 379

Fortinet Inc.
config firewall ssh local-key

SSH proxy local keys.

config firewall ssh local-key
Description: SSH proxy local keys.
edit <name>
set name {string}
set password {password}
set private-key {user}
set public-key {user}
set source [built-in|user]
next
end

config firewall ssh local-key

FortiOS 7.0.9 CLI Reference 380

Fortinet Inc.
set untrusted-caname {string}
end

config firewall ssh setting

Parameter Description Type Size Default

caname CA certificate used by SSH Inspection. string Not

Specified

host-trusted- Enable/disable host trusted checking. option - enable

checking

Option Description

enable Enable host key trusted checking.

disable Disable host key trusted checking.

hostkey- DSA certificate used by SSH proxy. string Not

dsa1024 Specified

hostkey- ECDSA nid256 certificate used by SSH proxy. string Not

ecdsa256 Specified

hostkey- ECDSA nid384 certificate used by SSH proxy. string Not

ecdsa384 Specified

hostkey- ECDSA nid384 certificate used by SSH proxy. string Not

ecdsa521 Specified

hostkey- ED25519 hostkey used by SSH proxy. string Not

ed25519 Specified

hostkey- RSA certificate used by SSH proxy. string Not

rsa2048 Specified

untrusted- Untrusted CA certificate used by SSH Inspection. string Not

caname Specified

config firewall ssl-server

Configure SSL servers.

config firewall ssl-server
Description: Configure SSL servers.
edit <name>
set add-header-x-forwarded-proto [enable|disable]
set ip {ipv4-address-any}
set mapped-port {integer}
set name {string}
set port {integer}
set ssl-algorithm [high|medium|...]
set ssl-cert {string}

FortiOS 7.0.9 CLI Reference 381

config firewall ssl-server

Parameter Description Type Size Default

add-header-x- Enable/disable adding an X-Forwarded-Proto header option - enable

forwarded- to forwarded requests.
proto

Option Description

enable Add X-Forwarded-Proto header.

disable Do not add X-Forwarded-Proto header.

ip IPv4 address of the SSL server. ipv4- Not 0.0.0.0

address- Specified
any

mapped-port Mapped server service port. integer Minimum 80

value: 1
Maximum
value:
65535

name Server name. string Not

Specified

port Server service port. integer Minimum 443

value: 1
Maximum
value:
65535

ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.

Option Description

high High encryption. Allow only AES and ChaCha

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

FortiOS 7.0.9 CLI Reference 382

Fortinet Inc.
Parameter Description Type Size Default

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-min-version Lowest SSL/TLS version to negotiate. option - tls-1.1

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-mode SSL/TLS mode for encryption and decryption of traffic. option - full

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
Description: Configure SSL/SSH protocol options.
edit <name>
set allowlist [enable|disable]
set block-blocklisted-certificates [disable|enable]
set caname {string}
set comment {var-string}
config dot
Description: Configure DNS over TLS options.
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ftps
Description: Configure FTPS options.
set ports {integer}
set status [disable|deep-inspection]

FortiOS 7.0.9 CLI Reference 384

Fortinet Inc.
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config https
Description: Configure HTTPS options.
set ports {integer}
set status [disable|certificate-inspection|...]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set cert-probe-failure [allow|block]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config imaps
Description: Configure IMAPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set mapi-over-https [enable|disable]
set name {string}
config pop3s
Description: Configure POP3S options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]

FortiOS 7.0.9 CLI Reference 385

Fortinet Inc.
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set rpc-over-https [enable|disable]
set server-cert <name1>, <name2>, ...
set server-cert-mode [re-sign|replace]
config smtps
Description: Configure SMTPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ssh
Description: Configure SSH options.
set ports {integer}
set status [disable|deep-inspection]
set inspect-all [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set unsupported-version [bypass|block]
set ssh-tun-policy-check [disable|enable]
set ssh-algorithm [compatible|high-encryption]
end
config ssl
Description: Configure SSL options.
set inspect-all [disable|certificate-inspection|...]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set cert-probe-failure [allow|block]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
set ssl-anomaly-log [disable|enable]
config ssl-exempt
Description: Servers to exempt from SSL inspection.

FortiOS 7.0.9 CLI Reference 386

enable Enable FortiGuard certificate blocklist.

caname CA certificate used by SSL Inspection. string Not Fortinet_

Specified CA_SSL

comment Optional comments. var-string Not

Specified

mapi-over- Enable/disable inspection of MAPI over HTTPS. option - disable

https

Option Description

enable Enable inspection of MAPI over HTTPS.

disable Disable inspection of MAPI over HTTPS.

name Name. string Not

Specified

rpc-over-https Enable/disable inspection of RPC over HTTPS. option - disable

Option Description

enable Enable inspection of RPC over HTTPS.

disable Disable inspection of RPC over HTTPS.

server-cert Certificate used by SSL Inspection to replace server string Maximum

<name> certificate. length: 35
Certificate list.

server-cert- Re-sign or replace the server's certificate. option - re-sign

mode

Option Description

re-sign Multiple clients connecting to multiple servers.

replace Protect an SSL server.

ssl-anomaly- Enable/disable logging of SSL anomalies. option - enable

log

Option Description

disable Disable logging of SSL anomalies.

enable Enable logging of SSL anomalies.

disable Disable logging server certificate.

enable Enable logging server certificate.

supported- Configure ALPN option. option - all

alpn

FortiOS 7.0.9 CLI Reference 389

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http1-1 Enable ALPN of HTTP1.1.

http2 Enable ALPN of HTTP2.

all Enable ALPN of HTTP1.1 and HTTP2.

none Do not use ALPN.

untrusted- Untrusted CA certificate used by SSL Inspection. string Not Fortinet_

caname Specified CA_
Untrusted

use-ssl-server Enable/disable the use of SSL server table for SSL option - disable
offloading.

Option Description

disable Don't use SSL server configuration.

enable Use SSL server configuration.

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

FortiOS 7.0.9 CLI Reference 390

Fortinet Inc.
Parameter Description Type Size Default

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

revoked-server- Action based on server certificate is revoked. option - block

cert

Option Description

allow Allow the server certificate.

block Block the session.

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.0.9 CLI Reference 392

Fortinet Inc.
config ftps

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config https

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

certificate- Inspect SSL handshake only.

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

Option Description

allow Bypass the session when the negotiation is not supported.

block Block the session when the negotiation is not supported.

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

FortiOS 7.0.9 CLI Reference 396

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

FortiOS 7.0.9 CLI Reference 397

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

cert-probe- Action based on certificate probe failure. option - block

failure

Option Description

allow Bypass the session when unable to retrieve server's certificate for
inspection.

block Block the session when unable to retrieve server's certificate for inspection.

min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config imaps

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

FortiOS 7.0.9 CLI Reference 398

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

Option Description

allow Bypass the session when the negotiation is not supported.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

config pop3s

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

revoked-server- Action based on server certificate is revoked. option - block

cert

Option Description

allow Allow the server certificate.

block Block the session.

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.0.9 CLI Reference 403

Fortinet Inc.
config smtps

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

cert-validation- Action based on certificate validation failure. option - block

failure

FortiOS 7.0.9 CLI Reference 405

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

config ssh

Parameter Description Type Size Default

ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - disable

Option Description

disable Disable.

high-encryption Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

config ssl

Parameter Description Type Size Default

inspect-all Level of SSL inspection. option - disable

Option Description

disable Disable.

certificate- Inspect SSL handshake only.

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

timeout

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.0.9 CLI Reference 409

Fortinet Inc.
Parameter Description Type Size Default

cert-probe- Action based on certificate probe failure. option - block

failure

Option Description

allow Bypass the session when unable to retrieve server's certificate for
inspection.

block Block the session when unable to retrieve server's certificate for inspection.

min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config ssl-exempt

Parameter Description Type Size Default

id ID number. integer Minimum 0

value: 0
Maximum
value: 512

type Type of address object (IPv4 or IPv6) or FortiGuard option - fortiguard-

category. category

Option Description

fortiguard- FortiGuard category.

address Firewall IPv4 address.

address6 Firewall IPv6 address.

wildcard-fqdn Fully Qualified Domain Name with wildcard characters.

regex Regular expression FQDN.

config ssl-server

Parameter Description Type Size Default

id SSL server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IPv4 address of the SSL server. ipv4- Not Specified 0.0.0.0

address-
any

https-client- Action based on received client certificate during the option - bypass
certificate HTTPS handshake.

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

smtps-client- Action based on received client certificate during the option - bypass
certificate SMTPS handshake.

Option Description

bypass Bypass the session.

inspect Inspect the session.

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

ssl-other- Action based on received client certificate during an option - bypass

client- SSL protocol handshake.
certificate

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

config firewall ssl setting

SSL proxy settings.

config firewall ssl setting
Description: SSL proxy settings.
set abbreviate-handshake [enable|disable]
set cert-cache-capacity {integer}
set cert-cache-timeout {integer}

FortiOS 7.0.9 CLI Reference 412

Fortinet Inc.
set kxp-queue-threshold {integer}
set no-matching-cipher-action [bypass|drop]
set proxy-connect-timeout {integer}
set session-cache-capacity {integer}
set session-cache-timeout {integer}
set ssl-dh-bits [768|1024|...]
set ssl-queue-threshold {integer}
set ssl-send-empty-frags [enable|disable]
end

config firewall ssl setting

Parameter Description Type Size Default

abbreviate- Enable/disable use of SSL abbreviated handshake. option - enable

handshake

Option Description

enable Enable use of SSL abbreviated handshake.

disable Disable use of SSL abbreviated handshake.

cert-cache- Maximum capacity of the host certificate cache. integer Minimum 200
capacity value: 0
Maximum
value: 500

cert-cache- Time limit to keep certificate cache. integer Minimum 10

timeout value: 1
Maximum
value: 120

kxp-queue- Maximum length of the CP KXP queue. When the integer Minimum 16
threshold * queue becomes full, the proxy switches cipher functions value: 0
to the main CPU. Maximum
value: 512

no-matching- Bypass or drop the connection when no matching cipher option - bypass
cipher-action is found.

Option Description

bypass Bypass connection.

drop Drop connection.

proxy- Time limit to make an internal connection to the integer Minimum 30

connect- appropriate proxy process. value: 1
timeout Maximum
value: 60

FortiOS 7.0.9 CLI Reference 413

Fortinet Inc.
Parameter Description Type Size Default

session- Capacity of the SSL session cache. integer Minimum 500

cache- value: 0
capacity Maximum
value: 1000

session- Time limit to keep SSL session state. integer Minimum 20

cache-timeout value: 1
Maximum
value: 60

ssl-dh-bits Bit-size of Diffie-Hellman. option - 2048

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

ssl-queue- Maximum length of the CP SSL queue. When the queue integer Minimum 32
threshold * becomes full, the proxy switches cipher functions to the value: 0
main CPU. Maximum
value: 512

ssl-send- Enable/disable sending empty fragments to avoid attack option - enable

empty-frags on CBC IV (for SSL 3.0 and TLS 1.0 only).

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

* This parameter may not exist in some models.

config firewall traffic-class

Configure names for shaping classes.

config firewall traffic-class
Description: Configure names for shaping classes.
edit <class-id>
set class-id {integer}
set class-name {string}
next
end

FortiOS 7.0.9 CLI Reference 414

Fortinet Inc.
config firewall traffic-class

Parameter Description Type Size Default

class-id Class ID to be named. integer Minimum 0

value: 2
Maximum
value: 31

class-name Define the name for this class-id. string Not

Specified

config firewall ttl-policy

Configure TTL policies.

config firewall ttl-policy
Description: Configure TTL policies.
edit <id>
set action [accept|deny]
set id {integer}
set schedule {string}
set service <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set srcintf {string}
set status [enable|disable]
set ttl {user}
next
end

config firewall ttl-policy

Parameter Description Type Size Default

action Action to be performed on traffic matching this policy. option - deny

Option Description

accept Allow traffic matching this policy.

deny Deny or block traffic matching this policy.

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

schedule Schedule object from available options. string Not Specified

service Service object(s) from available options. Separate string Maximum

<name> multiple names with a space. length: 79

FortiOS 7.0.9 CLI Reference 415

Fortinet Inc.
Parameter Description Type Size Default

Service name.

srcaddr Source address object(s) from available options. string Maximum

<name> Separate multiple names with a space. length: 79
Address name.

srcintf Source interface name from available interfaces. string Not Specified

status Enable/disable this TTL policy. option - enable

Option Description

enable Enable this TTL policy.

disable Disable this TTL policy.

ttl Value/range to match against the packet's Time to user Not Specified
Live value.

config firewall vendor-mac-summary

Vendor MAC database summary.

config firewall vendor-mac-summary
Description: Vendor MAC database summary.
end

config firewall vendor-mac

Show vendor and the MAC address they have.

config firewall vendor-mac
Description: Show vendor and the MAC address they have.
edit <id>
set id {integer}
set mac-number {integer}
set name {string}
set obsolete {integer}
next
end

FortiOS 7.0.9 CLI Reference 416

Fortinet Inc.
config firewall vendor-mac

Parameter Description Type Size Default

id Vendor ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

mac-number Total number of MAC addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Vendor name. string Not Specified

obsolete Indicates whether the Vendor ID can be used. integer Minimum 0

value: 0
Maximum
value: 255

config firewall vip

Configure virtual IP for IPv4.

config firewall vip
Description: Configure virtual IP for IPv4.
edit <name>
set add-nat46-route [disable|enable]
set arp-reply [disable|enable]
set color {integer}
set comment {var-string}
set dns-mapping-ttl {integer}
set extaddr <name1>, <name2>, ...
set extintf {string}
set extip {user}
set extport {user}
set gratuitous-arp-interval {integer}
set http-cookie-age {integer}
set http-cookie-domain {string}
set http-cookie-domain-from-host [disable|enable]
set http-cookie-generation {integer}
set http-cookie-path {string}
set http-cookie-share [disable|same-ip]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set http-multiplex [enable|disable]
set http-redirect [enable|disable]
set https-cookie-secure [disable|enable]
set id {integer}
set ipv6-mappedip {user}

FortiOS 7.0.9 CLI Reference 417

Fortinet Inc.
set ipv6-mappedport {user}
set ldb-method [static|round-robin|...]
set mapped-addr {string}
set mappedip <range1>, <range2>, ...
set mappedport {user}
set max-embryonic-connections {integer}
set monitor <name1>, <name2>, ...
set name {string}
set nat-source-vip [disable|enable]
set nat44 [disable|enable]
set nat46 [disable|enable]
set outlook-web-access [disable|enable]
set persistence [none|http-cookie|...]
set portforward [disable|enable]
set portmapping-type [1-to-1|m-to-n]
set protocol [tcp|udp|...]
config realservers
Description: Select the real servers that this server load balancing VIP will
distribute traffic to.
edit <id>
set id {integer}
set type [ip|address]
set address {string}
set ip {user}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set max-connections {integer}
set monitor <name1>, <name2>, ...
set client-ip {user}
next
end
set server-type [http|https|...]
set service <name1>, <name2>, ...
set src-filter <range1>, <range2>, ...
set srcintf-filter <interface-name1>, <interface-name2>, ...
set ssl-accept-ffdhe-groups [enable|disable]
set ssl-algorithm [high|medium|...]
set ssl-certificate {string}
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-client-fallback [disable|enable]
set ssl-client-rekey-count {integer}
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-max {integer}
set ssl-client-session-state-timeout {integer}

FortiOS 7.0.9 CLI Reference 418

Fortinet Inc.
set ssl-client-session-state-type [disable|time|...]
set ssl-dh-bits [768|1024|...]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-age {integer}
set ssl-hpkp-backup {string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hpkp-primary {string}
set ssl-hpkp-report-uri {var-string}
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-mode [half|full]
set ssl-pfs [require|deny|...]
set ssl-send-empty-frags [enable|disable]
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-session-state-max {integer}
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-type [disable|time|...]
set status [disable|enable]
set type [static-nat|load-balance|...]
set uuid {uuid}
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
next
end

config firewall vip

Parameter Description Type Size Default

add-nat46-route Enable/disable adding NAT46 route. option - enable

Option Description

disable Disable adding NAT46 route.

enable Enable adding NAT46 route.

arp-reply Enable to respond to ARP requests for this option - enable

virtual IP address. Enabled by default.

FortiOS 7.0.9 CLI Reference 419

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not Specified

dns-mapping-ttl DNS mapping TTL. integer Minimum 0

value: 0
Maximum
value: 604800

extaddr <name> External FQDN address name. string Maximum

Address name. length: 79

extintf Interface connected to the source network string Not Specified

that receives the packets that will be
forwarded to the destination network.

extip IP address or address range on the external user Not Specified

interface that you want to map to an address
or address range on the destination network.

extport Incoming port number range that you want to user Not Specified
map to a port number range on the
destination network.

gratuitous-arp- Enable to have the VIP send gratuitous integer Minimum 0

interval ARPs. 0=disabled. Set from 5 up to 8640000 value: 5
seconds to enable. Maximum
value:
8640000

http-cookie-age Time in minutes that client web browsers integer Minimum 60

should keep a cookie. Default is 60 minutes. value: 0
0 = no time limit. Maximum
value: 525600

http-cookie- Domain that HTTP cookie persistence string Not Specified

disable Disable adding HTTP header.

http-ip-header- For HTTP multiplexing, enter a custom string Not Specified

name HTTPS header name. The original client IP
address is added to this header. If empty, X-
Forwarded-For is used.

http-multiplex Enable/disable HTTP multiplexing. option - disable

Option Description

enable Enable HTTP session multiplexing.

disable Disable HTTP session multiplexing.

http-redirect Enable/disable redirection of HTTP to option - disable

HTTPS.

FortiOS 7.0.9 CLI Reference 421

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable redirection of HTTP to HTTPS.

disable Disable redirection of HTTP to HTTPS.

https-cookie- Enable/disable verification that inserted option - disable

secure HTTPS cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535

ipv6-mappedip Range of mapped IPv6 addresses. Specify user Not Specified

the start IPv6 address followed by a space
and the end IPv6 address.

ipv6-mappedport IPv6 port number range on the destination user Not Specified
network to which the external port number
range is mapped.

ldb-method Method used to distribute sessions to real option - static

servers.

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

least-session Distribute to server with lowest session count.

least-rtt Distribute to server with lowest Round-Trip-Time.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

mapped-addr Mapped FQDN address name. string Not Specified

mappedip IP address or address range on the string Maximum

<range> destination network to which the external IP length: 79
address is mapped.

FortiOS 7.0.9 CLI Reference 422

Fortinet Inc.
Parameter Description Type Size Default

Mapped IP range.

mappedport Port number range on the destination user Not Specified

network to which the external port number
range is mapped.

max-embryonic- Maximum number of incomplete integer Minimum 1000

connections connections. value: 0
Maximum
value: 100000

monitor <name> Name of the health check monitor to use string Maximum
when polling to determine a virtual server's length: 79
connectivity status.
Health monitor name.

name Virtual IP name. string Not Specified

nat-source-vip Enable/disable forcing the source NAT option - disable

mapped IP to the external IP for all traffic.

Option Description

disable Force only the source NAT mapped IP to the external IP for traffic
egressing the external interface of the VIP.

enable Force the source NAT mapped IP to the external IP for all traffic.

nat44 Enable/disable NAT44. option - enable

Option Description

disable Disable NAT44.

enable Enable NAT44.

nat46 Enable/disable NAT46. option - disable

Option Description

disable Disable NAT46.

enable Enable NAT46.

outlook-web- Enable to add the Front-End-Https header option - disable

access for Microsoft Outlook Web Access.

Option Description

disable Disable Outlook Web Access support.

enable Enable Outlook Web Access support.

FortiOS 7.0.9 CLI Reference 423

Fortinet Inc.
Parameter Description Type Size Default

persistence Configure how to make sure that clients option - none

connect to the same server every time they
make a request that is part of the same
session.

Option Description

none None.

http-cookie HTTP cookie.

ssl-session-id SSL session ID.

portforward Enable/disable port forwarding. option - disable

Option Description

disable Disable port forward.

enable Enable port forward.

portmapping- Port mapping type. option - 1-to-1

type

Option Description

1-to-1 One to one.

ssl SSL.

tcp TCP.

udp UDP.

ip IP.

service <name> Service name. string Maximum

Service name. length: 79

src-filter Source address filter. Each address must be string Maximum

<range> either an IP/subnet (x.x.x.x/n) or a range length: 79
(x.x.x.x-y.y.y.y). Separate addresses with
spaces.
Source-filter range.

srcintf-filter Interfaces to which the VIP applies. Separate string Maximum

<interface- the names with spaces. length: 79
name> Interface name.

ssl-accept-ffdhe- Enable/disable FFDHE cipher suite for SSL option - enable

groups key exchange.

Option Description

enable Accept FFDHE groups.

disable Do not accept FFDHE groups.

ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom Custom encryption. Use config ssl-cipher-suites to select the cipher suites
that are allowed.

ssl-certificate The name of the certificate to use for SSL string Not Specified
handshake.

FortiOS 7.0.9 CLI Reference 425

Fortinet Inc.
Parameter Description Type Size Default

ssl-client-fallback Enable/disable support for preventing option - enable

Downgrade Attacks on client connections
(RFC 7507).

Option Description

disable Disable.

enable Enable.

ssl-client-rekey- Maximum length of data in MB before integer Minimum 0

count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576

ssl-client- Allow, deny, or require secure renegotiation option - secure

renegotiation of client sessions to comply with RFC 5746.

Option Description

allow Allow a SSL client to renegotiate.

deny Abort any client initiated SSL re-negotiation attempt.

secure Abort any client initiated SSL re-negotiation attempt that does not use RFC
5746 Secure Renegotiation.

ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-client- Number of minutes to keep client to integer Minimum 30

session-state- FortiGate SSL session state. value: 1
timeout Maximum
value: 14400

ssl-client- How to expire SSL sessions for the segment option - both
session-state- of the SSL connection between the client and
type the FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

FortiOS 7.0.9 CLI Reference 426

Fortinet Inc.
Parameter Description Type Size Default

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL
sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-hpkp Enable/disable including HPKP header in option - disable

response.

Option Description

disable Do not add a HPKP header to each HTTP response.

enable Add a HPKP header to each a HTTP response.

report-only Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-age Number of seconds the client should honor integer Minimum 5184000
the HPKP setting. value: 60
Maximum
value:
157680000

ssl-hpkp-backup Certificate to generate backup HPKP pin string Not Specified

from.

ssl-hpkp-include- Indicate that HPKP header applies to all option - disable

subdomains subdomains.

Option Description

disable HPKP header does not apply to subdomains.

enable HPKP header applies to subdomains.

ssl-hpkp-primary Certificate to generate primary HPKP pin string Not Specified

from.

ssl-hpkp-report- URL to report HPKP violations to. var-string Not Specified

uri

ssl-hsts Enable/disable including HSTS header in option - disable

response.

FortiOS 7.0.9 CLI Reference 427

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not add a HSTS header to each a HTTP response.

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.0.9 CLI Reference 428

Fortinet Inc.
Parameter Description Type Size Default

ssl-min-version Lowest SSL/TLS version acceptable from a option - tls-1.1

client.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the
server (full).

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies
to both client and server sessions.

Option Description

require Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow Allow use of any cipher suite so PFS may or may not be used depending on
the cipher suite selected.

ssl-send-empty- Enable/disable sending empty fragments to option - enable

frags avoid CBC IV attacks (SSL 3.0 & TLS 1.0
only). May need to be disabled for
compatibility with older systems.

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

ssl-server- Permitted encryption algorithms for the option - client

algorithm server side of SSL full mode sessions
according to encryption strength.

FortiOS 7.0.9 CLI Reference 429

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom Custom encryption. Use ssl-server-cipher-suites to select the cipher suites

that are allowed.

client Use the same encryption algorithms for both client and server sessions.

ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server-min- Lowest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

session-state- session states to keep. value: 1
max Maximum
value: 10000

FortiOS 7.0.9 CLI Reference 430

Fortinet Inc.
Parameter Description Type Size Default

balance

dns-translation DNS translation.

fqdn Fully qualified domain name.

access-proxy Access proxy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

weblogic-server Enable to add an HTTP header to indicate option - disable

SSL offloading for a WebLogic server.

FortiOS 7.0.9 CLI Reference 431

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not add HTTP header indicating SSL offload for WebLogic server.

enable Add HTTP header indicating SSL offload for WebLogic server.

websphere- Enable to add an HTTP header to indicate option - disable

server SSL offloading for a WebSphere server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebSphere server.

enable Add HTTP header indicating SSL offload for WebSphere server.

config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

type Type of address. option - ip

Option Description

ip Standard IPv4 address.

address Dynamic address object.

address Dynamic address of the real server. string Not Specified

ip IP address of the real server. user Not Specified

port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

FortiOS 7.0.9 CLI Reference 432

Fortinet Inc.
Parameter Description Type Size Default

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

holddown- Time in seconds that the health check monitor integer Minimum 300
interval continues to monitor and unresponsive server that value: 30
should be active. Maximum
value: 65535

healthcheck Enable to check the responsiveness of the real option - vip

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

vip Use health check defined in VIP.

http-host HTTP server domain name in HTTP header. string Not Specified

max- Max number of active connections that can be integer Minimum 0

connections directed to the real server. When reached, sessions value: 0
are sent to other real servers. Maximum
value:
2147483647

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
Health monitor name.

client-ip Only clients in this IP range can connect to this real user Not Specified
server.

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

FortiOS 7.0.9 CLI Reference 433

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

FortiOS 7.0.9 CLI Reference 434

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

FortiOS 7.0.9 CLI Reference 435

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

FortiOS 7.0.9 CLI Reference 436

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

FortiOS 7.0.9 CLI Reference 437

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

FortiOS 7.0.9 CLI Reference 438

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

FortiOS 7.0.9 CLI Reference 439

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.0.9 CLI Reference 440

Fortinet Inc.
config ssl-server-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.0.9 CLI Reference 441

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

FortiOS 7.0.9 CLI Reference 442

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

FortiOS 7.0.9 CLI Reference 443

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

FortiOS 7.0.9 CLI Reference 444

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

FortiOS 7.0.9 CLI Reference 445

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

FortiOS 7.0.9 CLI Reference 446

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config firewall vip6

Configure virtual IP for IPv6.

config firewall vip6
Description: Configure virtual IP for IPv6.
edit <name>
set add-nat64-route [disable|enable]
set color {integer}

FortiOS 7.0.9 CLI Reference 447

Fortinet Inc.
set comment {var-string}
set embedded-ipv4-address [disable|enable]
set extip {user}
set extport {user}
set http-cookie-age {integer}
set http-cookie-domain {string}
set http-cookie-domain-from-host [disable|enable]
set http-cookie-generation {integer}
set http-cookie-path {string}
set http-cookie-share [disable|same-ip]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set http-multiplex [enable|disable]
set http-redirect [enable|disable]
set https-cookie-secure [disable|enable]
set id {integer}
set ipv4-mappedip {user}
set ipv4-mappedport {user}
set ldb-method [static|round-robin|...]
set mappedip {user}
set mappedport {user}
set max-embryonic-connections {integer}
set monitor <name1>, <name2>, ...
set name {string}
set nat-source-vip [disable|enable]
set nat64 [disable|enable]
set nat66 [disable|enable]
set ndp-reply [disable|enable]
set outlook-web-access [disable|enable]
set persistence [none|http-cookie|...]
set portforward [disable|enable]
set protocol [tcp|udp|...]
config realservers
Description: Select the real servers that this server load balancing VIP will
distribute traffic to.
edit <id>
set id {integer}
set ip {user}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set max-connections {integer}
set monitor <name1>, <name2>, ...
set client-ip {user}
next
end
set server-type [http|https|...]
set src-filter <range1>, <range2>, ...
set ssl-accept-ffdhe-groups [enable|disable]
set ssl-algorithm [high|medium|...]
set ssl-certificate {string}
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by

FortiOS 7.0.9 CLI Reference 448

Fortinet Inc.
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-client-fallback [disable|enable]
set ssl-client-rekey-count {integer}
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-max {integer}
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-type [disable|time|...]
set ssl-dh-bits [768|1024|...]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-age {integer}
set ssl-hpkp-backup {string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hpkp-primary {string}
set ssl-hpkp-report-uri {var-string}
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-mode [half|full]
set ssl-pfs [require|deny|...]
set ssl-send-empty-frags [enable|disable]
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-session-state-max {integer}
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-type [disable|time|...]
set type [static-nat|server-load-balance|...]
set uuid {uuid}
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
next
end

FortiOS 7.0.9 CLI Reference 449

Fortinet Inc.
config firewall vip6

Parameter Description Type Size Default

add-nat64- Enable/disable adding NAT64 route. option - enable

route

Option Description

disable Disable adding NAT64 route.

enable Enable adding NAT64 route.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not Specified

embedded- Enable/disable use of the lower 32 bits of the option - disable

ipv4-address external IPv6 address as mapped IPv4
address.

Option Description

disable Disable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.

enable Enable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.

extip IPv6 address or address range on the external user Not Specified
interface that you want to map to an address or
address range on the destination network.

extport Incoming port number range that you want to user Not Specified
map to a port number range on the destination
network.

http-cookie-age Time in minutes that client web browsers integer Minimum 60

should keep a cookie. Default is 60 minutes. 0 value: 0
= no time limit. Maximum
value: 525600

http-cookie- Domain that HTTP cookie persistence should string Not Specified
domain apply to.

http-cookie- Enable/disable use of HTTP cookie domain option - disable

domain-from- from host field in HTTP.
host

FortiOS 7.0.9 CLI Reference 450

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295

http-cookie- Limit HTTP cookie persistence to the specified string Not Specified
path path.

http-cookie- Control sharing of cookies across virtual option - same-ip

share servers. Use of same-ip means a cookie from
one virtual server can be used by another.
Disable stops cookie sharing.

Option Description

disable Only allow HTTP cookie to match this virtual server.

same-ip Allow HTTP cookie to match any virtual server with same IP.

http-ip-header For HTTP multiplexing, enable to add the option - disable

original client IP address in the XForwarded-
For HTTP header.

Option Description

enable Enable adding HTTP header.

disable Disable adding HTTP header.

http-ip-header- For HTTP multiplexing, enter a custom HTTPS string Not Specified
name header name. The original client IP address is
added to this header. If empty, X-Forwarded-
For is used.

http-multiplex Enable/disable HTTP multiplexing. option - disable

Option Description

enable Enable HTTP session multiplexing.

disable Disable HTTP session multiplexing.

http-redirect Enable/disable redirection of HTTP to HTTPS. option - disable

FortiOS 7.0.9 CLI Reference 451

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable redirection of HTTP to HTTPS.

disable Disable redirection of HTTP to HTTPS.

https-cookie- Enable/disable verification that inserted option - disable

secure HTTPS cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535

ipv4-mappedip Range of mapped IP addresses. Specify the user Not Specified

start IP address followed by a space and the
end IP address.

ipv4- IPv4 port number range on the destination user Not Specified
mappedport network to which the external port number
range is mapped.

ldb-method Method used to distribute sessions to real option - static

servers.

Option Description

static Distribute sessions based on source IP.

round-robin Distribute sessions based round robin order.

weighted Distribute sessions based on weight.

least-session Sends new sessions to the server with the lowest session count.

least-rtt Distribute new sessions to the server with lowest Round-Trip-Time.

first-alive Distribute sessions to the first server that is alive.

http-host Distribute sessions to servers based on host field in HTTP header.

mappedip Mapped IPv6 address range in the format user Not Specified
startIP-endIP.

FortiOS 7.0.9 CLI Reference 452

Fortinet Inc.
Parameter Description Type Size Default

mappedport Port number range on the destination network user Not Specified
to which the external port number range is
mapped.

max- Maximum number of incomplete connections. integer Minimum 1000

embryonic- value: 0
connections Maximum
value: 100000

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's length: 79
connectivity status.
Health monitor name.

name Virtual ip6 name. string Not Specified

nat-source-vip Enable to perform SNAT on traffic from option - disable

mappedip to the extip for all egress interfaces.

Option Description

disable Disable nat-source-vip.

enable Perform SNAT on traffic from mappedip to the extip for all egress interfaces.

nat64 Enable/disable DNAT64. option - disable

Option Description

disable Disable DNAT64.

enable Enable DNAT64.

nat66 Enable/disable DNAT66. option - enable

Option Description

disable Disable DNAT66.

enable Enable DNAT66.

ndp-reply Enable/disable this FortiGate unit's ability to option - enable

respond to NDP requests for this virtual IP
address.

Option Description

disable Disable this FortiGate unit's ability to respond to NDP requests for this virtual
IP address.

enable Enable this FortiGate unit's ability to respond to NDP requests for this virtual
IP address.

FortiOS 7.0.9 CLI Reference 453

Fortinet Inc.
Parameter Description Type Size Default

protocol Protocol to use when forwarding packets. option - tcp

Option Description

tcp TCP.

udp UDP.

sctp SCTP.

server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).

Option Description

http HTTP.

https HTTPS.

imaps IMAPS.

pop3s POP3S.

FortiOS 7.0.9 CLI Reference 454

Fortinet Inc.
Parameter Description Type Size Default

Option Description

smtps SMTPS.

ssl SSL.

tcp TCP.

udp UDP.

ip IP.

src-filter Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate string Maximum

<range> addresses with spaces. length: 79
Source-filter range.

ssl-accept- Enable/disable FFDHE cipher suite for SSL option - enable

ffdhe-groups key exchange.

Option Description

enable Accept FFDHE groups.

disable Do not accept FFDHE groups.

ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.

Option Description

high Use AES.

medium Use AES, 3DES, or RC4.

low Use AES, 3DES, RC4, or DES.

custom Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-certificate The name of the certificate to use for SSL string Not Specified
handshake.

ssl-client- Enable/disable support for preventing option - enable

fallback Downgrade Attacks on client connections
(RFC 7507).

disable Do not add a HPKP header to each HTTP response.

enable Add a HPKP header to each a HTTP response.

report-only Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-age Number of minutes the web browser should integer Minimum 5184000
keep HPKP. value: 60
Maximum
value:
157680000

ssl-hpkp- Certificate to generate backup HPKP pin from. string Not Specified
backup

ssl-hpkp- Indicate that HPKP header applies to all option - disable

include- subdomains.
subdomains

Option Description

disable HPKP header does not apply to subdomains.

enable HPKP header applies to subdomains.

ssl-hpkp- Certificate to generate primary HPKP pin from. string Not Specified
primary

ssl-hpkp- URL to report HPKP violations to. var-string Not Specified

report-uri

ssl-hsts Enable/disable including HSTS header in option - disable

response.

Option Description

disable Do not add a HSTS header to each a HTTP response.

enable Add a HSTS header to each HTTP response.

FortiOS 7.0.9 CLI Reference 457

Fortinet Inc.
Parameter Description Type Size Default

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-min-version Lowest SSL/TLS version acceptable from a option - tls-1.1

client.

FortiOS 7.0.9 CLI Reference 458

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the server
(full).

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies to
both client and server sessions.

Option Description

require Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow Allow use of any cipher suite so PFS may or may not be used depending on
the cipher suite selected.

ssl-send- Enable/disable sending empty fragments to option - enable

empty-frags avoid CBC IV attacks (SSL 3.0 & TLS 1.0
only). May need to be disabled for compatibility
with older systems.

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

ssl-server- Permitted encryption algorithms for the server option - client

algorithm side of SSL full mode sessions according to
encryption strength.

FortiOS 7.0.9 CLI Reference 459

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high Use AES.

medium Use AES, 3DES, or RC4.

low Use AES, 3DES, RC4, or DES.

custom Use config ssl-server-cipher-suites to select the cipher suites that are
allowed.

client Use the same encryption algorithms for client and server sessions.

ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server-min- Lowest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

session-state- session states to keep. value: 1
max Maximum
value: 10000

FortiOS 7.0.9 CLI Reference 460

Fortinet Inc.
Parameter Description Type Size Default

ssl-server- Number of minutes to keep FortiGate to Server integer Minimum 60

session-state- SSL session state. value: 1
timeout Maximum
value: 14400

ssl-server- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the server and
type the FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

type Configure a static NAT server load balance option - static-nat

VIP or access proxy.

Option Description

static-nat Static NAT.

server-load- Server load balance.

balance

access-proxy Access proxy.

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

weblogic- Enable to add an HTTP header to indicate SSL option - disable

server offloading for a WebLogic server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebLogic server.

enable Add HTTP header indicating SSL offload for WebLogic server.

websphere- Enable to add an HTTP header to indicate SSL option - disable

server offloading for a WebSphere server.

Option Description

disable Do not add HTTP header indicating SSL offload for WebSphere server.

enable Add HTTP header indicating SSL offload for WebSphere server.

FortiOS 7.0.9 CLI Reference 461

Fortinet Inc.
config realservers

Parameter Description Type Size Default

id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip IP address of the real server. user Not Specified

port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

holddown- Time in seconds that the health check monitor integer Minimum 300
interval continues to monitor an unresponsive server that value: 30
should be active. Maximum
value: 65535

healthcheck Enable to check the responsiveness of the real option - vip

server before forwarding traffic.

Option Description

disable Disable per server health check.

enable Enable per server health check.

vip Use health check defined in VIP.

http-host HTTP server domain name in HTTP header. string Not Specified

FortiOS 7.0.9 CLI Reference 462

Fortinet Inc.
Parameter Description Type Size Default

max- Max number of active connections that can directed integer Minimum 0
connections to the real server. When reached, sessions are sent value: 0
to other real servers. Maximum
value:
2147483647

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
Health monitor name.

client-ip Only clients in this IP range can connect to this real user Not Specified
server.

config ssl-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.0.9 CLI Reference 463

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.0.9 CLI Reference 464

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

FortiOS 7.0.9 CLI Reference 465

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

FortiOS 7.0.9 CLI Reference 466

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

FortiOS 7.0.9 CLI Reference 467

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

FortiOS 7.0.9 CLI Reference 468

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

FortiOS 7.0.9 CLI Reference 469

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config ssl-server-cipher-suites

Parameter Description Type Size Default

priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

FortiOS 7.0.9 CLI Reference 470

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

FortiOS 7.0.9 CLI Reference 471

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

FortiOS 7.0.9 CLI Reference 472

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

FortiOS 7.0.9 CLI Reference 473

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

FortiOS 7.0.9 CLI Reference 474

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

FortiOS 7.0.9 CLI Reference 475

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

FortiOS 7.0.9 CLI Reference 476

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

config firewall vipgrp6

Configure IPv6 virtual IP groups.

config firewall vipgrp6
Description: Configure IPv6 virtual IP groups.
edit <name>
set color {integer}
set comments {var-string}
set member <name1>, <name2>, ...
set name {string}
set uuid {uuid}
next
end

config firewall vipgrp6

Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

FortiOS 7.0.9 CLI Reference 478

Fortinet Inc.
Parameter Description Type Size Default

comments Comment. var-string Not

Specified

member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
IPv6 VIP name.

name IPv6 VIP group name. string Not

Specified

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

config firewall wildcard-fqdn custom

config firewall wildcard-fqdn group

Parameter Description Type Size Default

color GUI icon color. integer Minimum 0

value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

member Address group members. string Maximum

<name> Address name. length: 79

name Address group name. string Not

Specified

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

FortiOS 7.0.9 CLI Reference 480

Fortinet Inc.
ftp-proxy

This section includes syntax for the following commands:

l config ftp-proxy explicit on page 481

config ftp-proxy explicit

Configure explicit FTP proxy settings.

config ftp-proxy explicit
Description: Configure explicit FTP proxy settings.
set incoming-ip {ipv4-address-any}
set incoming-port {user}
set outgoing-ip {ipv4-address-any}
set sec-default-action [accept|deny]
set ssl [enable|disable]
set ssl-algorithm [high|medium|...]
set ssl-cert {string}
set ssl-dh-bits [768|1024|...]
set status [enable|disable]
end

config ftp-proxy explicit

Parameter Description Type Size Default

incoming-ip Accept incoming FTP requests from this IP address. An ipv4- Not 0.0.0.0
interface must have this IP address. address- Specified
any

incoming-port Accept incoming FTP requests on one or more ports. user Not
Specified

outgoing-ip Outgoing FTP requests will leave from this IP address. ipv4- Not
An interface must have this IP address. address- Specified
any

sec-default- Accept or deny explicit FTP proxy sessions when no option - deny
action FTP proxy firewall policy exists.

Option Description

accept Accept requests. All explicit FTP proxy traffic is accepted whether there is an
explicit FTP proxy policy or not

deny Deny requests unless there is a matching explicit FTP proxy policy.

ssl Enable/disable the explicit FTPS proxy. option - disable

FortiOS 7.0.9 CLI Reference 481

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the explicit FTPS proxy.

disable Disable the explicit FTPS proxy.

ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.

Option Description

high High encryption. Allow only AES and ChaCha

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-cert Name of certificate for SSL connections to this server. string Not Fortinet_
Specified CA_SSL

ssl-dh-bits Bit-size of Diffie-Hellman. option - 2048

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

status Enable/disable the explicit FTP proxy. option - disable

Option Description

enable Enable the explicit FTP proxy.

disable Disable the explicit FTP proxy.

FortiOS 7.0.9 CLI Reference 482

Fortinet Inc.
hardware

This section includes syntax for the following commands:

l config hardware cpu on page 483
l config hardware memory on page 483
l config hardware nic on page 483
l config hardware npu np6 dce on page 484
l config hardware npu np6 ipsec-stats on page 485
l config hardware npu np6 port-list on page 486
l config hardware npu np6 session-stats on page 487
l config hardware npu np6 sse-stats on page 488
l config hardware npu np6 synproxy-stats on page 489
l config hardware status on page 489

config hardware cpu

Display detailed information for all installed CPU(s).

config hardware cpu
Description: Display detailed information for all installed CPU(s).
end

config hardware memory

Display system memory information.

config hardware memory
Description: Display system memory information.
end

config hardware nic

Display NIC information.

config hardware nic
Description: Display NIC information.
set <nic> {string}
end

FortiOS 7.0.9 CLI Reference 483

Fortinet Inc.
config hardware nic

Parameter Description Type Size Default

<nic> NIC name. string Not

Specified

config hardware npu np6 dce

This command is available for model(s): FortiGate 1000D, FortiGate 1100E, FortiGate 1101E,
FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 2200E,
FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E,
FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D,
FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 800D, FortiGate 900D.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 101E,
FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F,
FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2600F, FortiGate
2601F, FortiGate 3500F, FortiGate 3501F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate
4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 60E DSLJ, FortiGate
60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F,
FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate
80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 90E,
FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
2R-POE, FortiWiFi 81F 2R.

Show NP6 non-zero subengine drop counters.

config hardware npu np6 dce
Description: Show NP6 non-zero subengine drop counters.
set <dev_id> {string}
end

config hardware npu np6 dce

Parameter Description Type Size Default

<dev_id> NP6 ID string Not

Specified

FortiOS 7.0.9 CLI Reference 484

Fortinet Inc.
config hardware npu np6 ipsec-stats

Show NP6 IPsec offloading statistics.

config hardware npu np6 ipsec-stats
Description: Show NP6 IPsec offloading statistics.
end

FortiOS 7.0.9 CLI Reference 485

Fortinet Inc.
config hardware npu np6 port-list

Show NP6 port list.

config hardware npu np6 port-list
Description: Show NP6 port list.
end

FortiOS 7.0.9 CLI Reference 486

Fortinet Inc.
config hardware npu np6 session-stats

Show NP6 session offloading statistics counters.

config hardware npu np6 session-stats
Description: Show NP6 session offloading statistics counters.
set <dev_id> {string}
end

config hardware npu np6 session-stats

Parameter Description Type Size Default

<dev_id> NP6 ID string Not

Specified

FortiOS 7.0.9 CLI Reference 487

Fortinet Inc.
config hardware npu np6 sse-stats

Show NP6 hardware session statistics counters.

config hardware npu np6 sse-stats
Description: Show NP6 hardware session statistics counters.
set <dev_id> {string}
end

config hardware npu np6 sse-stats

Parameter Description Type Size Default

<dev_id> NP6 ID string Not

Specified

FortiOS 7.0.9 CLI Reference 488

Fortinet Inc.
config hardware npu np6 synproxy-stats

This command is available for model(s): FortiGate 1100E, FortiGate 1101E, FortiGate 1200D,
FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3960E,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 5001E1,
FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E.
It is not available for: FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F,
FortiGate 101E, FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F,
FortiGate 1801F, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate
2600F, FortiGate 2601F, FortiGate 3500F, FortiGate 3501F, FortiGate 40F 3G4G, FortiGate
40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 60E
DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass,
FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE,
FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F,
FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F
2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Show NP6 synproxy statistics.

config hardware npu np6 synproxy-stats
Description: Show NP6 synproxy statistics.
end

config hardware status

Hardware status.
config hardware status
Description: Hardware status.
end

FortiOS 7.0.9 CLI Reference 489

Fortinet Inc.
icap

This section includes syntax for the following commands:

l config icap profile on page 490
l config icap server on page 495

config icap profile

Configure ICAP profiles.

config icap profile
Description: Configure ICAP profiles.
edit <name>
set chunk-encap [disable|enable]
set extension-feature {option1}, {option2}, ...
set icap-block-log [disable|enable]
config icap-headers
Description: Configure ICAP forwarded request headers.
edit <id>
set id {integer}
set name {string}
set content {string}
set base64-encoding [disable|enable]
next
end
set methods {option1}, {option2}, ...
set name {string}
set preview [disable|enable]
set preview-data-length {integer}
set replacemsg-group {string}
set request [disable|enable]
set request-failure [error|bypass]
set request-path {string}
set request-server {string}
set respmod-default-action [forward|bypass]
config respmod-forward-rules
Description: ICAP response mode forward rules.
edit <name>
set name {string}
set host {string}
config header-group
Description: HTTP header group.
edit <id>
set id {integer}
set header-name {string}
set header {string}
set case-sensitivity [disable|enable]
next
end
set action [forward|bypass]

FortiOS 7.0.9 CLI Reference 490

Fortinet Inc.
set http-resp-status-code <code1>, <code2>, ...
next
end
set response [disable|enable]
set response-failure [error|bypass]
set response-path {string}
set response-req-hdr [disable|enable]
set response-server {string}
set scan-progress-interval {integer}
set streaming-content-bypass [disable|enable]
next
end

config icap profile

Parameter Description Type Size Default

chunk-encap Enable/disable chunked encapsulation. option - disable

Option Description

disable Do not encapsulate chunked data.

enable Encapsulate chunked data into a new chunk.

extension- Enable/disable ICAP extension features. option -

feature

Option Description

scan-progress Support X-Scan-Progress-Interval ICAP header.

icap-block-log Enable/disable UTM log when infection found. option - disable

Option Description

disable Disable UTM log when infection found.

enable Enable UTM log when infection found.

methods The allowed HTTP methods that will be sent to ICAP option - delete get
server for further processing. head
options
post put
trace other

Option Description

delete Forward HTTP request or response with DELETE method to ICAP server for
further processing.

get Forward HTTP request or response with GET method to ICAP server for
further processing.

FortiOS 7.0.9 CLI Reference 491

Fortinet Inc.
Parameter Description Type Size Default

Option Description

head Forward HTTP request or response with HEAD method to ICAP server for
further processing.

options Forward HTTP request or response with OPTIONS method to ICAP server for
further processing.

post Forward HTTP request or response with POST method to ICAP server for
further processing.

put Forward HTTP request or response with PUT method to ICAP server for
further processing.

trace Forward HTTP request or response with TRACE method to ICAP server for
further processing.

other Forward HTTP request or response with All other methods to ICAP server for
further processing.

name ICAP profile name. string Not

Specified

preview Enable/disable preview of data to ICAP server. option - disable

Option Description

disable Disable preview of data to ICAP server.

enable Enable preview of data to ICAP server.

preview-data- Preview data length to be sent to ICAP server. integer Minimum 0

length value: 0
Maximum
value: 4096

replacemsg- Replacement message group. string Not

group Specified

request Enable/disable whether an HTTP request is passed to option - disable

an ICAP server.

Option Description

disable Disable HTTP request passing to ICAP server.

enable Enable HTTP request passing to ICAP server.

request-failure Action to take if the ICAP server cannot be contacted option - error
when processing an HTTP request.

FortiOS 7.0.9 CLI Reference 492

Fortinet Inc.
Parameter Description Type Size Default

Option Description

error Error.

bypass Bypass.

request-path Path component of the ICAP URI that identifies the string Not
HTTP request processing service. Specified

request-server ICAP server to use for an HTTP request. string Not

Specified

respmod- Default action to ICAP response modification option - forward

default-action (respmod) processing.

Option Description

forward Forward response to icap server unless a rule specifies not to.

bypass Don't forward request to icap server unless a rule specifies to forward the
request.

response Enable/disable whether an HTTP response is passed to option - disable

an ICAP server.

Option Description

disable Disable HTTP response passing to ICAP server.

enable Enable HTTP response passing to ICAP server.

response- Action to take if the ICAP server cannot be contacted option - error
failure when processing an HTTP response.

Option Description

error Error.

bypass Bypass.

response-path Path component of the ICAP URI that identifies the string Not
HTTP response processing service. Specified

response-req- Enable/disable addition of req-hdr for ICAP response option - enable

hdr modification (respmod) processing.

Option Description

disable Do not add req-hdr for response modification (respmod) processing.

enable Add req-hdr for response modification (respmod) processing.

FortiOS 7.0.9 CLI Reference 493

Fortinet Inc.
Parameter Description Type Size Default

response- ICAP server to use for an HTTP response. string Not

server Specified

scan- Scan progress interval value. integer Minimum 10

progress- value: 5
interval Maximum
value: 30

streaming- Enable/disable bypassing of ICAP server for streaming option - disable

content- content.
bypass

Option Description

disable Disable bypassing of ICAP server for streaming content.

enable Enable bypassing of ICAP server for streaming content.

config icap-headers

Parameter Description Type Size Default

id HTTP forwarded header ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name HTTP forwarded header name. string Not Specified

content HTTP header content. string Not Specified

base64- Enable/disable use of base64 encoding of HTTP option - disable

encoding content.

Option Description

disable Disable use of base64 encoding of HTTP content.

enable Enable use of base64 encoding of HTTP content.

config respmod-forward-rules

Parameter Description Type Size Default

name Address name. string Not

Specified

host Address object for the host. string Not

Specified

FortiOS 7.0.9 CLI Reference 494

Fortinet Inc.
Parameter Description Type Size Default

action Action to be taken for ICAP server. option - forward

Option Description

forward Forward request to ICAP server when this rule is matched.

bypass Don't forward request to ICAP server when this rule is matched.

http-resp- HTTP response status code. integer Minimum 440275604 **

status-code HTTP response status code. value: 100
<code> Maximum
value: 599

** Values may differ between models.

config header-group

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

header-name HTTP header. string Not Specified

header HTTP header regular expression. string Not Specified

case- Enable/disable case sensitivity when matching option - disable

sensitivity header.

Option Description

disable Ignore case when matching header.

enable Do not ignore case when matching header.

config icap server

Configure ICAP servers.

config icap server
Description: Configure ICAP servers.
edit <name>
set ip-address {ipv4-address-any}
set ip-version [4|6]
set ip6-address {ipv6-address}
set max-connections {integer}
set name {string}
set port {integer}
set secure [enable|disable]

FortiOS 7.0.9 CLI Reference 495

Fortinet Inc.
set ssl-cert {string}
next
end

config icap server

Parameter Description Type Size Default

ip-address IPv4 address of the ICAP server. ipv4- Not 0.0.0.0

address- Specified
any

ip-version IP version. option - 4

Option Description

4 IPv4 ICAP address.

6 IPv6 ICAP address.

ip6-address IPv6 address of the ICAP server. ipv6- Not ::

address Specified

max- Maximum number of concurrent connections to ICAP integer Minimum 100

connections server. Must not be less than wad-worker-count. value: 1
Maximum
value:
65535

name Server name. string Not

Specified

port ICAP server port. integer Minimum 1344

value: 1
Maximum
value:
65535

secure Enable/disable secure connection to ICAP server. option - disable

Option Description

enable Enable secure connection to ICAP server.

disable Disable secure connection to ICAP server.

ssl-cert CA certificate name. string Not

Specified

FortiOS 7.0.9 CLI Reference 496

Fortinet Inc.
ips

This section includes syntax for the following commands:

l config ips custom on page 497
l config ips decoder on page 499
l config ips global on page 499
l config ips rule-settings on page 503
l config ips rule on page 503
l config ips sensor on page 506
l config ips session on page 510
l config ips settings on page 511
l config ips view-map on page 511

config ips custom

Configure IPS custom signature.

config ips custom
Description: Configure IPS custom signature.
edit <tag>
set action [pass|block]
set application {user}
set comment {string}
set location {user}
set log [disable|enable]
set log-packet [disable|enable]
set os {user}
set protocol {user}
set rule-id {integer}
set severity {user}
set signature {var-string}
set status [disable|enable]
set tag {string}
next
end

config ips custom

Parameter Description Type Size Default

action Default action (pass or block) for this signature. option - pass

Option Description

status Enable/disable this signature. option - enable

Option Description

disable Disable status.

enable Enable status.

tag Signature tag. string Not Specified

FortiOS 7.0.9 CLI Reference 498

Fortinet Inc.
config ips decoder

Configure IPS decoder.

config ips decoder
Description: Configure IPS decoder.
edit <name>
set name {string}
config parameter
Description: IPS group parameters.
edit <name>
set name {string}
set value {string}
next
end
next
end

config ips decoder

Parameter Description Type Size Default

name Decoder name. string Not

Specified

config parameter

Parameter Description Type Size Default

name Parameter name. string Not

Specified

value Parameter value. string Not

Specified

config ips global

Configure IPS global parameter.

config ips global
Description: Configure IPS global parameter.
set anomaly-mode [periodical|continuous]
set cp-accel-mode [none|basic|...]
set database [regular|extended]
set deep-app-insp-db-limit {integer}
set deep-app-insp-timeout {integer}
set engine-count {integer}
set exclude-signatures [none|industrial]
set fail-open [enable|disable]
set ips-reserve-cpu [disable|enable]
set ngfw-max-scan-range {integer}
set np-accel-mode [none|basic]

FortiOS 7.0.9 CLI Reference 499

Fortinet Inc.
set packet-log-queue-depth {integer}
set session-limit-mode [accurate|heuristic]
set socket-size {integer}
set sync-session-ttl [enable|disable]
config tls-active-probe
Description: TLS active probe configuration.
set interface-select-method [auto|sdwan|...]
set interface {string}
set vdom {string}
set source-ip {ipv4-address}
set source-ip6 {ipv6-address}
end
set traffic-submit [enable|disable]
end

config ips global

Parameter Description Type Size Default

anomaly- Global blocking mode for rate-based anomalies. option - continuous

mode

Option Description

periodical After an anomaly is detected, allow the number of packets per second
according to the anomaly configuration.

continuous Block packets once an anomaly is detected. Overrides individual anomaly

settings.

cp-accel- IPS Pattern matching acceleration/offloading to CPx option - advanced

mode * processors.

Option Description

none CPx acceleration/offloading disabled.

basic Offload basic pattern matching to CPx processors.

advanced Offload more types of pattern matching resulting in higher throughput than
basic mode. Requires two CP8s or one CP9.

database Regular or extended IPS database. Regular option - extended **

protects against the latest common and in-the-wild
attacks. Extended includes protection from legacy
attacks.

Option Description

regular IPS regular database package.

extended IPS extended database package.

FortiOS 7.0.9 CLI Reference 500

Fortinet Inc.
Parameter Description Type Size Default

deep-app- Limit on number of entries in deep application integer Minimum 0

insp-db-limit inspection database. value: 0
Maximum
value:
2147483647

deep-app- Timeout for Deep application inspection. integer Minimum 0

insp-timeout value: 0
Maximum
value:
2147483647

engine-count Number of IPS engines running. If set to the default integer Minimum 0
value of 0, FortiOS sets the number to optimize value: 0
performance depending on the number of CPU Maximum
cores. value: 255

exclude- Excluded signatures. option - industrial

disable Disable use of kernel session TTL for IPS sessions.

traffic-submit Enable/disable submitting attack data found by this option - disable

FortiGate to FortiGuard.

Option Description

enable Enable traffic submit.

disable Disable traffic submit.

* This parameter may not exist in some models.

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 502

Fortinet Inc.
config tls-active-probe

Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

vdom Virtual domain name for TLS active probe. string Not
Specified

source-ip Source IP address used for TLS active probe. ipv4- Not 0.0.0.0
address Specified

source-ip6 Source IPv6 address used for TLS active probe. ipv6- Not ::
address Specified

config ips rule-settings

Configure IPS rule setting.

config ips rule-settings
Description: Configure IPS rule setting.
edit <id>
set id {integer}
next
end

config ips rule-settings

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config ips rule

Configure IPS rules.

FortiOS 7.0.9 CLI Reference 503

Fortinet Inc.
config ips rule
Description: Configure IPS rules.
edit <name>
set action [pass|block]
set application {user}
set date {integer}
set group {string}
set location {user}
set log [disable|enable]
set log-packet [disable|enable]
config metadata
Description: Meta data.
edit <id>
set id {integer}
set metaid {integer}
set valueid {integer}
next
end
set name {string}
set os {user}
set rev {integer}
set rule-id {integer}
set service {user}
set severity {user}
set status [disable|enable]
next
end

config ips rule

Parameter Description Type Size Default

action Action. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

application Vulnerable applications. user Not Specified

date Date. integer Minimum 0

value: 0
Maximum
value:
4294967295

group Group. string Not Specified

location Vulnerable location. user Not Specified

log Enable/disable logging. option - enable

FortiOS 7.0.9 CLI Reference 504

Fortinet Inc.
Parameter Description Type Size Default

enable Enable status.

config metadata

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 505

Fortinet Inc.
Parameter Description Type Size Default

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config ips sensor

Configure IPS sensor.

config ips sensor
Description: Configure IPS sensor.
edit <name>
set block-malicious-url [disable|enable]
set comment {var-string}
config entries
Description: IPS sensor filter.
edit <id>
set id {integer}
set rule <id1>, <id2>, ...
set location {user}
set severity {user}
set protocol {user}
set os {user}
set application {user}
set cve <cve-entry1>, <cve-entry2>, ...
set status [disable|enable|...]
set log [disable|enable]
set log-packet [disable|enable]
set log-attack-context [disable|enable]
set action [pass|block|...]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
config exempt-ip
Description: Traffic from selected source or destination IP addresses is
exempt from this signature.
edit <id>
set id {integer}
set src-ip {ipv4-classnet}
set dst-ip {ipv4-classnet}
next
end
set quarantine [none|attacker]
set quarantine-expiry {user}

FortiOS 7.0.9 CLI Reference 506

Fortinet Inc.
set quarantine-log [disable|enable]
next
end
set extended-log [enable|disable]
set name {string}
set replacemsg-group {string}
set scan-botnet-connections [disable|block|...]
next
end

config ips sensor

Parameter Description Type Size Default

block- Enable/disable malicious URL blocking. option - disable

malicious-url

Option Description

disable Disable malicious URL blocking.

enable Enable malicious URL blocking.

comment Comment. var-string Not

Specified

extended-log Enable/disable extended logging. option - disable

Option Description

enable Enable setting.

disable Disable setting.

name Sensor name. string Not

Specified

replacemsg- Replacement message group. string Not

group Specified

scan-botnet- Block or monitor connections to Botnet servers, or option - disable

connections disable Botnet scanning.

Option Description

disable Do not scan connections to botnet servers.

block Block connections to botnet servers.

monitor Log connections to botnet servers.

FortiOS 7.0.9 CLI Reference 507

Fortinet Inc.
config entries

Parameter Description Type Size Default

id Rule ID in IPS database. integer Minimum 0

value: 0
Maximum
value:
4294967295

rule <id> Identifies the predefined or custom IPS signatures integer Minimum
to add to the sensor. value: 0
Rule IPS. Maximum
value:
4294967295

location Protect client or server traffic. user Not Specified all

severity Relative severity of the signature, from info to user Not Specified all
critical. Log messages generated by the signature
include the severity.

protocol Protocols to be examined. Use all for every protocol user Not Specified all
and other for unlisted protocols.

os Operating systems to be protected. Use all for every user Not Specified all
operating system and other for unlisted operating
systems.

application Operating systems to be protected. Use all for every user Not Specified all
application and other for unlisted application.

cve <cve- List of CVE IDs of the signatures to add to the string Maximum
entry> sensor. length: 19
CVE IDs or CVE wildcards.

status Status of the signatures included in filter. Only those option - default
filters with a status to enable are used.

Option Description

disable Disable status of selected rules.

enable Enable status of selected rules.

default Default.

log Enable/disable logging of signatures included in option - enable

filter.

Option Description

disable Disable logging of selected rules.

enable Enable logging of selected rules.

FortiOS 7.0.9 CLI Reference 508

Fortinet Inc.
Parameter Description Type Size Default

log-packet Enable/disable packet logging. Enable to save the option - disable

packet that triggers the filter. You can download the
packets in pcap format for diagnostic use.

Option Description

disable Disable packet logging of selected rules.

enable Enable packet logging of selected rules.

log-attack- Enable/disable logging of attack context: URL option - disable

context buffer, header buffer, body buffer, packet buffer.

Option Description

disable Disable logging of detailed attack context.

enable Enable logging of detailed attack context.

action Action taken with traffic in which signatures are option - default
detected.

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

default Pass or drop matching traffic, depending on the default action of the signature.

rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535

rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535

rate-mode Rate limit mode. option - continuous

Option Description

periodical Allow configured number of packets every rate-duration.

continuous Block packets once the rate is reached.

rate-track Track the packet protocol field. option - none

FortiOS 7.0.9 CLI Reference 509

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none none

src-ip Source IP.

dest-ip Destination IP.

dhcp-client-mac DHCP client.

dns-domain DNS domain.

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

config exempt-ip

Parameter Description Type Size Default

id Exempt IP ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

src-ip Source IP address and netmask (applies to packet ipv4- Not Specified 0.0.0.0
matching the signature). classnet 0.0.0.0

dst-ip Destination IP address and netmask (applies to ipv4- Not Specified 0.0.0.0
packet matching the signature). classnet 0.0.0.0

config ips session

Session status.

FortiOS 7.0.9 CLI Reference 510

Fortinet Inc.
config ips session
Description: Session status.
end

config ips settings

Configure IPS VDOM parameter.

config ips settings
Description: Configure IPS VDOM parameter.
set ips-packet-quota {integer}
set packet-log-history {integer}
set packet-log-memory {integer}
set packet-log-post-attack {integer}
end

config ips settings

Parameter Description Type Size Default

ips-packet- Maximum amount of disk space in MB for logged integer Minimum 0

quota packets when logging to disk. Range depends on disk value: 0
size. Maximum
value:
4294967295

packet-log- Number of packets to capture before and including integer Minimum 1

history the one in which the IPS signature is detected. value: 1
Maximum
value: 255

packet-log- Maximum memory can be used by packet log. integer Minimum 256
memory value: 64
Maximum
value: 8192

packet-log- Number of packets to log after the IPS signature is integer Minimum 0
post-attack detected. value: 0
Maximum
value: 255

config ips view-map

Configure IPS view-map.

config ips view-map
Description: Configure IPS view-map.
edit <id>
set id {integer}
set id-policy-id {integer}
set policy-id {integer}

FortiOS 7.0.9 CLI Reference 511

Fortinet Inc.
set vdom-id {integer}
set which [firewall|interface|...]
next
end

config ips view-map

Parameter Description Type Size Default

id View ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

id-policy-id ID-based policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

policy-id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

vdom-id VDOM ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

which Policy. option - firewall

Option Description

firewall Firewall policy.

interface Interface policy.

interface6 Interface policy6.

sniffer Sniffer policy.

sniffer6 Sniffer policy6.

explicit explicit proxy policy.

FortiOS 7.0.9 CLI Reference 512

Fortinet Inc.
ipsec

This section includes syntax for the following commands:

l config ipsec tunnel on page 513

config ipsec tunnel

IPsec tunnel.
config ipsec tunnel
Description: IPsec tunnel.
end

FortiOS 7.0.9 CLI Reference 513

Fortinet Inc.
log

This section includes syntax for the following commands:

l config log custom-field on page 515
l config log disk filter on page 516
l config log disk setting on page 519
l config log eventfilter on page 525
l config log fortianalyzer-cloud filter on page 527
l config log fortianalyzer-cloud override-filter on page 531
l config log fortianalyzer-cloud override-setting on page 534
l config log fortianalyzer-cloud setting on page 535
l config log fortianalyzer2 filter on page 538
l config log fortianalyzer2 override-filter on page 542
l config log fortianalyzer2 override-setting on page 545
l config log fortianalyzer2 setting on page 549
l config log fortianalyzer3 filter on page 553
l config log fortianalyzer3 override-filter on page 556
l config log fortianalyzer3 override-setting on page 560
l config log fortianalyzer3 setting on page 564
l config log fortianalyzer filter on page 568
l config log fortianalyzer override-filter on page 571
l config log fortianalyzer override-setting on page 574
l config log fortianalyzer setting on page 578
l config log fortiguard filter on page 582
l config log fortiguard override-filter on page 585
l config log fortiguard override-setting on page 589
l config log fortiguard setting on page 590
l config log gui-display on page 593
l config log memory filter on page 594
l config log memory global-setting on page 597
l config log memory setting on page 598
l config log null-device filter on page 598
l config log null-device setting on page 601
l config log setting on page 602
l config log syslogd2 filter on page 606
l config log syslogd2 override-filter on page 609
l config log syslogd2 override-setting on page 612
l config log syslogd2 setting on page 616
l config log syslogd3 filter on page 620
l config log syslogd3 override-filter on page 623

FortiOS 7.0.9 CLI Reference 514

Fortinet Inc.
l config log syslogd3 override-setting on page 626
l config log syslogd3 setting on page 630
l config log syslogd4 filter on page 634
l config log syslogd4 override-filter on page 637
l config log syslogd4 override-setting on page 640
l config log syslogd4 setting on page 644
l config log syslogd filter on page 648
l config log syslogd override-filter on page 651
l config log syslogd override-setting on page 654
l config log syslogd setting on page 658
l config log tacacs+accounting2 filter on page 662
l config log tacacs+accounting2 setting on page 663
l config log tacacs+accounting3 filter on page 663
l config log tacacs+accounting3 setting on page 664
l config log tacacs+accounting filter on page 665
l config log tacacs+accounting setting on page 666
l config log threat-weight on page 666
l config log webtrends filter on page 677
l config log webtrends setting on page 680

config log custom-field

Configure custom log fields.

config log custom-field
Description: Configure custom log fields.
edit <id>
set id {string}
set name {string}
set value {string}
next
end

config log custom-field

Parameter Description Type Size Default

id Field ID string. string Not

Specified

name Field name (max: 15 characters). string Not

Specified

value Field value (max: 15 characters). string Not

Specified

FortiOS 7.0.9 CLI Reference 515

Fortinet Inc.
config log disk filter

Configure filters for local disk logging. Use these filters to determine the log messages to record according to severity
and type.
config log disk filter
Description: Configure filters for local disk logging. Use these filters to determine
the log messages to record according to severity and type.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log disk filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log to disk every message above and including this option - information
severity level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.0.9 CLI Reference 517

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.0.9 CLI Reference 518

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log disk setting

Settings for local disk logging.

config log disk setting
Description: Settings for local disk logging.
set diskfull [overwrite|nolog]
set dlp-archive-quota {integer}
set full-final-warning-threshold {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set log-quota {integer}
set max-log-file-size {integer}
set max-policy-packet-capture-size {integer}
set maximum-log-age {integer}
set report-quota {integer}
set roll-day {option1}, {option2}, ...
set roll-schedule [daily|weekly]
set roll-time {user}
set source-ip {ipv4-address}
set status [enable|disable]
set upload [enable|disable]
set upload-delete-files [enable|disable]

FortiOS 7.0.9 CLI Reference 519

Fortinet Inc.
set upload-destination {option}
set upload-ssl-conn [default|high|...]
set uploaddir {string}
set uploadip {ipv4-address}
set uploadpass {password}
set uploadport {integer}
set uploadsched [disable|enable]
set uploadtime {user}
set uploadtype {option1}, {option2}, ...
set uploaduser {string}
end

config log disk setting

Parameter Description Type Size Default

diskfull Action to take when disk is full. The system can option - overwrite
overwrite the oldest log messages or stop logging
when the disk is full.

Option Description

overwrite Overwrite the oldest logs when the log disk is full.

nolog Stop logging when the log disk is full.

dlp-archive- DLP archive quota (MB). integer Minimum 0

quota value: 0
Maximum
value:
4294967295

full-final- Log full final warning threshold as a percent. integer Minimum 95

warning- value: 3
threshold Maximum
value: 100

full-first- Log full first warning threshold as a percent. integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

full-second- Log full second warning threshold as a percent. integer Minimum 90

warning- value: 2
threshold Maximum
value: 99

interface Specify outgoing interface to reach server. string Not Specified

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

FortiOS 7.0.9 CLI Reference 520

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archiving to the local option - enable

disk.

Option Description

enable Enable IPS packet archiving.

disable Disable IPS packet archiving.

log-quota Disk log quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295

max-log-file- Maximum log file size before rolling. integer Minimum 20

size value: 1
Maximum
value: 100

max-policy- Maximum size of policy sniffer in MB (0 means integer Minimum 100

packet- unlimited). value: 0
capture-size Maximum
value:
4294967295

maximum-log- Delete log files older than (days). integer Minimum 7

age value: 0
Maximum
value: 3650

report-quota * Report db quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295

roll-day Day of week on which to roll log file. option - sunday

Option Description

sunday Sunday

FortiOS 7.0.9 CLI Reference 521

Fortinet Inc.
Parameter Description Type Size Default

Option Description

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

roll-schedule Frequency to check log file for rolling. option - daily

Option Description

daily Check the log file once a day.

weekly Check the log file once a week.

roll-time Time of day to roll the log file (hh:mm). user Not Specified

source-ip Source IP address to use for uploading disk log ipv4- Not Specified 0.0.0.0
files. address

status Enable/disable local disk logging. option - disable **

default FTPS with high and medium encryption algorithms.

high FTPS with high encryption algorithms.

low FTPS with low encryption algorithms.

disable Disable FTPS communication.

uploaddir The remote directory on the FTP server to upload string Not Specified
log files to.

uploadip IP address of the FTP server to upload log files to. ipv4- Not Specified 0.0.0.0
address

uploadpass Password required to log into the FTP server to password Not Specified
upload disk log files.

uploadport TCP port to use for communicating with the FTP integer Minimum 21
server. value: 0
Maximum
value: 65535

uploadsched Set the schedule for uploading log files to the FTP option - disable
server.

Option Description

disable Upload when rolling.

enable Scheduled upload.

uploadtime Time of day at which log files are uploaded if user Not Specified
uploadsched is enabled (hh:mm or hh).

FortiOS 7.0.9 CLI Reference 523

Fortinet Inc.
Parameter Description Type Size Default

uploadtype Types of log files to upload. Separate multiple option - traffic event
entries with a space. virus
webfilter
IPS
emailfilter
dlp-archive
anomaly
voip dlp
app-ctrl waf
dns ssh ssl
**

Option Description

traffic Upload traffic log.

event Upload event log.

virus Upload anti-virus log.

webfilter Upload web filter log.

IPS Upload IPS log.

emailfilter Upload spam filter log.

dlp-archive Upload DLP archive.

anomaly Upload anomaly log.

voip Upload VoIP log.

dlp Upload DLP log.

app-ctrl Upload application control log.

waf Upload web application firewall log.

dns Upload DNS log.

ssh Upload SSH log.

ssl Upload SSL log.

file-filter Upload file-filter log.

icap Upload ICAP log.

uploaduser Username required to log into the FTP server to string Not Specified
upload disk log files.

* This parameter may not exist in some models.

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 524

Fortinet Inc.
config log eventfilter

Configure log event filters.

config log eventfilter

Parameter Description Type Size Default

cifs Enable/disable CIFS logging. option - enable

Option Description

enable Enable CIFS logging.

disable Disable CIFS logging.

connector Enable/disable SDN connector logging. option - enable

disable Disable WAN optimization event logging.

wireless- Enable/disable wireless event logging. option - enable

activity

Option Description

enable Enable wireless event logging.

disable Disable wireless event logging.

config log fortianalyzer-cloud filter

Filters for FortiAnalyzer Cloud.

FortiOS 7.0.9 CLI Reference 527

Fortinet Inc.
config log fortianalyzer-cloud filter
Description: Filters for FortiAnalyzer Cloud.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer-cloud filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - disable

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.0.9 CLI Reference 529

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.0.9 CLI Reference 530

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer-cloud override-filter

Override filters for FortiAnalyzer Cloud.

config log fortianalyzer-cloud override-filter
Description: Override filters for FortiAnalyzer Cloud.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

FortiOS 7.0.9 CLI Reference 531

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

FortiOS 7.0.9 CLI Reference 532

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 533

Fortinet Inc.
Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer-cloud override-setting

Override FortiAnalyzer Cloud settings.

config log fortianalyzer-cloud override-setting
Description: Override FortiAnalyzer Cloud settings.
set status [enable|disable]
end

FortiOS 7.0.9 CLI Reference 534

Fortinet Inc.
config log fortianalyzer-cloud override-setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

config log fortianalyzer-cloud setting

Global FortiAnalyzer Cloud settings.

config log fortianalyzer-cloud setting
Description: Global FortiAnalyzer Cloud settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm [sha256|sha1]
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set serial <name1>, <name2>, ...
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortianalyzer-cloud setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

FortiOS 7.0.9 CLI Reference 535

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

Specified

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

FortiOS 7.0.9 CLI Reference 537

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortianalyzer2 filter

Filters for FortiAnalyzer.

FortiOS 7.0.9 CLI Reference 538

Fortinet Inc.
config log fortianalyzer2 filter
Description: Filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer2 filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.0.9 CLI Reference 540

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.0.9 CLI Reference 541

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer2 override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer2 override-filter
Description: Override filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

FortiOS 7.0.9 CLI Reference 542

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log every message above and including this severity option - information
level.

FortiOS 7.0.9 CLI Reference 543

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 544

Fortinet Inc.
Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer2 override-setting

Override FortiAnalyzer settings.

config log fortianalyzer2 override-setting
Description: Override FortiAnalyzer settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]

FortiOS 7.0.9 CLI Reference 545

Fortinet Inc.
set hmac-algorithm [sha256|sha1]
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
set use-management-vdom [enable|disable]
end

config log fortianalyzer2 override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

FortiOS 7.0.9 CLI Reference 546

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. option - sha256

Option Description

sha256 Use SHA256 as HMAC algorithm.

sha1 Step down to SHA1 as the HMAC algorithm.

interface Specify outgoing interface to reach server. string Not

Specified

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000

monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

FortiOS 7.0.9 CLI Reference 547

Fortinet Inc.
Parameter Description Type Size Default

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared-key Preshared-key used for auto-authorization on string Not

FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

upload-time Time to upload logs (hh:mm). user Not

Specified

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

config log fortianalyzer2 setting

Global FortiAnalyzer settings.

config log fortianalyzer2 setting
Description: Global FortiAnalyzer settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]

FortiOS 7.0.9 CLI Reference 549

config log fortianalyzer2 setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

FortiOS 7.0.9 CLI Reference 551

Fortinet Inc.
Parameter Description Type Size Default

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

FortiOS 7.0.9 CLI Reference 552

Fortinet Inc.
Parameter Description Type Size Default

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortianalyzer3 filter

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 555

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer3 override-filter

Override filters for FortiAnalyzer.

FortiOS 7.0.9 CLI Reference 556

Fortinet Inc.
config log fortianalyzer3 override-filter
Description: Override filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer3 override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

dlp-archive Enable/disable DLP archive logging. option - enable

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.0.9 CLI Reference 558

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.0.9 CLI Reference 559

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer3 override-setting

Override FortiAnalyzer settings.

config log fortianalyzer3 override-setting
Description: Override FortiAnalyzer settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm [sha256|sha1]
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
set use-management-vdom [enable|disable]
end

FortiOS 7.0.9 CLI Reference 560

Fortinet Inc.
config log fortianalyzer3 override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

sha1 Step down to SHA1 as the HMAC algorithm.

interface Specify outgoing interface to reach server. string Not

Specified

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

FortiOS 7.0.9 CLI Reference 561

Fortinet Inc.
Parameter Description Type Size Default

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000

monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared-key Preshared-key used for auto-authorization on string Not

FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

FortiOS 7.0.9 CLI Reference 562

Fortinet Inc.
Parameter Description Type Size Default

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-interval Frequency to upload log files to FortiAnalyzer. option - daily

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.

Option Description

store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

FortiOS 7.0.9 CLI Reference 563

Fortinet Inc.
Parameter Description Type Size Default

Option Description

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

config log fortianalyzer3 setting

Global FortiAnalyzer settings.

config log fortianalyzer3 setting
Description: Global FortiAnalyzer settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm [sha256|sha1]
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]

FortiOS 7.0.9 CLI Reference 564

Fortinet Inc.
set upload-time {user}
end

config log fortianalyzer3 setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

Specified

FortiOS 7.0.9 CLI Reference 565

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

FortiOS 7.0.9 CLI Reference 566

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable logging to FortiAnalyzer. option - disable

config log fortianalyzer filter

Filters for FortiAnalyzer.

config log fortianalyzer filter
Description: Filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortianalyzer filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

FortiOS 7.0.9 CLI Reference 568

Fortinet Inc.
Parameter Description Type Size Default

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

FortiOS 7.0.9 CLI Reference 570

Fortinet Inc.
Parameter Description Type Size Default

Option Description

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer override-filter
Description: Override filters for FortiAnalyzer.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]

FortiOS 7.0.9 CLI Reference 571

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 573

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer override-setting

Override FortiAnalyzer settings.

FortiOS 7.0.9 CLI Reference 574

Fortinet Inc.
config log fortianalyzer override-setting
Description: Override FortiAnalyzer settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm [sha256|sha1]
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
set use-management-vdom [enable|disable]
end

config log fortianalyzer override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

FortiOS 7.0.9 CLI Reference 575

Fortinet Inc.
Parameter Description Type Size Default

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. option - sha256

Option Description

sha256 Use SHA256 as HMAC algorithm.

sha1 Step down to SHA1 as the HMAC algorithm.

interface Specify outgoing interface to reach server. string Not

Specified

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000

FortiOS 7.0.9 CLI Reference 576

Fortinet Inc.
Parameter Description Type Size Default

monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared-key Preshared-key used for auto-authorization on string Not

FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

FortiOS 7.0.9 CLI Reference 577

Fortinet Inc.
Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-interval Frequency to upload log files to FortiAnalyzer. option - daily

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.

Option Description

store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

config log fortianalyzer setting

Global FortiAnalyzer settings.

FortiOS 7.0.9 CLI Reference 578

Fortinet Inc.
config log fortianalyzer setting
Description: Global FortiAnalyzer settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm [sha256|sha1]
set interface {string}
set interface-select-method [auto|sdwan|...]
set ips-archive [enable|disable]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set reliable [enable|disable]
set serial <name1>, <name2>, ...
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortianalyzer setting

Parameter Description Type Size Default

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

FortiOS 7.0.9 CLI Reference 579

Fortinet Inc.
Parameter Description Type Size Default

specify Set outgoing interface manually.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

FortiOS 7.0.9 CLI Reference 580

Fortinet Inc.
Parameter Description Type Size Default

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

server The remote FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

FortiOS 7.0.9 CLI Reference 581

Fortinet Inc.
Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

upload-day Day of week (month) to upload logs. user Not

Specified

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-time Time to upload logs (hh:mm). user Not

Specified

config log fortiguard filter

Filters for FortiCloud.

config log fortiguard filter
Description: Filters for FortiCloud.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next

FortiOS 7.0.9 CLI Reference 582

config log fortiguard filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 584

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortiguard override-filter

Override filters for FortiCloud.

FortiOS 7.0.9 CLI Reference 585

Fortinet Inc.
config log fortiguard override-filter
Description: Override filters for FortiCloud.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log fortiguard override-filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

FortiOS 7.0.9 CLI Reference 588

Fortinet Inc.
Parameter Description Type Size Default

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortiguard override-setting

Override global FortiCloud logging settings for this VDOM.

config log fortiguard override-setting
Description: Override global FortiCloud logging settings for this VDOM.
set access-config [enable|disable]
set max-log-rate {integer}
set override [enable|disable]
set priority [default|low]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortiguard override-setting

Parameter Description Type Size Default

access-config Enable/disable FortiCloud access to configuration and option - enable

enable Enable logging to FortiCloud.

disable Disable logging to FortiCloud.

upload-day Day of week to roll logs. user Not

Specified

upload- Frequency of uploading log files to FortiCloud. option - daily

interval

Option Description

daily Upload log files to FortiCloud once a day.

weekly Upload log files to FortiCloud once a week.

monthly Upload log files to FortiCloud once a month.

upload-option Configure how log messages are sent to FortiCloud. option - 5-minute

Option Description

store-and-upload Log to the hard disk and then upload logs to FortiCloud.

realtime Log directly to FortiCloud in real time.

1-minute Log directly to FortiCloud at 1-minute intervals.

5-minute Log directly to FortiCloud at 5-minute intervals.

upload-time Time of day to roll logs (hh:mm). user Not

Specified

config log fortiguard setting

Configure logging to FortiCloud.

config log fortiguard setting
Description: Configure logging to FortiCloud.
set access-config [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]

FortiOS 7.0.9 CLI Reference 590

Fortinet Inc.
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set priority [default|low]
set source-ip {ipv4-address}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end

config log fortiguard setting

Parameter Description Type Size Default

access-config Enable/disable FortiCloud access to configuration and option - enable

data.

Option Description

enable Enable FortiCloud access to configuration and data.

disable Disable FortiCloud access to configuration and data.

conn-timeout FortiGate Cloud connection timeout in seconds. integer Minimum 10

value: 1
Maximum
value: 3600

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiCloud.

Option Description

high-medium Encrypt logs using high and medium encryption.

high Encrypt logs using high encryption.

low Encrypt logs using low encryption.

interface Specify outgoing interface to reach server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.0.9 CLI Reference 591

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate FortiCloud maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

priority Set log transmission priority. option - default

Option Description

default Set FortiCloud log transmission priority to default.

low Set FortiCloud log transmission priority to low.

source-ip Source IP address used to connect FortiCloud. ipv4- Not 0.0.0.0

address Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable logging to FortiCloud. option - disable

Option Description

enable Enable logging to FortiCloud.

disable Disable logging to FortiCloud.

upload-day Day of week to roll logs. user Not

Specified

upload- Frequency of uploading log files to FortiCloud. option - daily

interval

Option Description

daily Upload log files to FortiCloud once a day.

weekly Upload log files to FortiCloud once a week.

monthly Upload log files to FortiCloud once a month.

FortiOS 7.0.9 CLI Reference 592

Fortinet Inc.
Parameter Description Type Size Default

upload-option Configure how log messages are sent to FortiCloud. option - 5-minute

Option Description

store-and-upload Log to the hard disk and then upload logs to FortiCloud.

realtime Log directly to FortiCloud in real time.

1-minute Log directly to FortiCloud at 1-minute intervals.

5-minute Log directly to FortiCloud at 5-minute intervals.

upload-time Time of day to roll logs (hh:mm). user Not

Specified

config log gui-display

Configure how log messages are displayed on the GUI.

config log gui-display
Description: Configure how log messages are displayed on the GUI.
set fortiview-unscanned-apps [enable|disable]
set resolve-apps [enable|disable]
set resolve-hosts [enable|disable]
end

config log gui-display

Parameter Description Type Size Default

fortiview- Enable/disable showing unscanned traffic in FortiView option - disable

unscanned- application charts.
apps

Option Description

enable Enable showing unscanned traffic.

disable Disable showing unscanned traffic.

resolve-apps Resolve unknown applications on the GUI using option - enable

Fortinet's remote application database.

Option Description

enable Enable unknown applications on the GUI.

disable Disable unknown applications on the GUI.

resolve-hosts Enable/disable resolving IP addresses to hostname in option - enable

log messages on the GUI using reverse DNS lookup.

FortiOS 7.0.9 CLI Reference 593

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable resolving IP addresses to hostnames.

disable Disable resolving IP addresses to hostnames.

config log memory filter

Filters for memory buffer.

config log memory filter
Description: Filters for memory buffer.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log memory filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

FortiOS 7.0.9 CLI Reference 594

Fortinet Inc.
Parameter Description Type Size Default

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable **

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

FortiOS 7.0.9 CLI Reference 595

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

** Values may differ between models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

FortiOS 7.0.9 CLI Reference 596

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log memory global-setting

Global settings for memory logging.

config log memory global-setting
Description: Global settings for memory logging.
set full-final-warning-threshold {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set max-size {integer}
end

config log memory global-setting

Parameter Description Type Size Default

full-final- Log full final warning threshold as a percent. integer Minimum 95

warning- value: 3
threshold Maximum
value: 100

full-first- Log full first warning threshold as a percent. integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

FortiOS 7.0.9 CLI Reference 597

Fortinet Inc.
Parameter Description Type Size Default

full-second- Log full second warning threshold as a percent. integer Minimum 90

warning- value: 2
threshold Maximum
value: 99

max-size Maximum amount of memory that can be used for integer Minimum 168441200 **
memory logging in bytes. value: 0
Maximum
value:
4294967295

** Values may differ between models.

config log memory setting

Settings for memory buffer.

config log memory setting
Description: Settings for memory buffer.
set status [enable|disable]
end

config log memory setting

Parameter Description Type Size Default

status Enable/disable logging to the FortiGate's memory. option - enable **

Option Description

enable Enable logging to memory.

disable Disable logging to memory.

** Values may differ between models.

config log null-device filter

FortiOS 7.0.9 CLI Reference 599

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 600

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log null-device setting

Settings for null device logging.

FortiOS 7.0.9 CLI Reference 601

Fortinet Inc.
config log null-device setting
Description: Settings for null device logging.
set status [enable|disable]
end

config log null-device setting

Parameter Description Type Size Default

status Enable/disable statistics collection for when no external option - disable

logging destination, such as FortiAnalyzer, is present
(data is not saved).

Option Description

enable Enable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).

disable Disable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).

config log setting

Configure general log settings.

config log setting
Description: Configure general log settings.
set anonymization-hash {string}
set brief-traffic-format [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set daemon-log [enable|disable]
set expolicy-implicit-log [enable|disable]
set faz-override [enable|disable]
set fortiview-weekly-data [enable|disable]
set fwpolicy-implicit-log [enable|disable]
set fwpolicy6-implicit-log [enable|disable]
set local-in-allow [enable|disable]
set local-in-deny-broadcast [enable|disable]
set local-in-deny-unicast [enable|disable]
set local-out [enable|disable]
set log-invalid-packet [enable|disable]
set log-policy-comment [enable|disable]
set log-user-in-upper [enable|disable]
set neighbor-event [enable|disable]
set resolve-ip [enable|disable]
set resolve-port [enable|disable]
set rest-api-get [enable|disable]
set rest-api-set [enable|disable]
set syslog-override [enable|disable]
set user-anonymize [enable|disable]
end

FortiOS 7.0.9 CLI Reference 602

Fortinet Inc.
config log setting

Parameter Description Type Size Default

anonymization- User name anonymization hash salt. string Not

hash Specified

brief-traffic-format Enable/disable brief format traffic logging. option - disable

Option Description

enable Enable brief format traffic logging.

disable Disable brief format traffic logging.

custom-log-fields Custom fields to append to all log messages. string Maximum

<field-id> Custom log field. length: 35

daemon-log Enable/disable daemon logging. option - disable

Option Description

enable Enable daemon logging.

disable Disable daemon logging.

expolicy-implicit- Enable/disable explicit proxy firewall implicit policy option - disable

log logging.

Option Description

enable Enable explicit proxy firewall implicit policy logging.

disable Disable explicit proxy firewall implicit policy logging.

faz-override Enable/disable override FortiAnalyzer settings. option - disable

Option Description

enable Enable override FortiAnalyzer settings.

disable Disable override FortiAnalyzer settings.

fortiview-weekly- Enable/disable FortiView weekly data. option - disable

data *

Option Description

enable Enable FortiView weekly data.

disable Disable FortiView weekly data.

fwpolicy-implicit- Enable/disable implicit firewall policy logging. option - disable

log

Option Description

enable Enable logs with user-in-upper.

disable Disable logs with user-in-upper.

neighbor-event Enable/disable neighbor event logging. option - disable

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable GET REST API logging.

disable Disable GET REST API logging.

rest-api-set Enable/disable REST API POST/PUT/DELETE option - disable

request logging.

Option Description

enable Enable POST/PUT/DELETE REST API logging.

disable Disable POST/PUT/DELETE REST API logging.

syslog-override Enable/disable override Syslog settings. option - disable

Option Description

enable Enable override Syslog settings.

disable Disable override Syslog settings.

user-anonymize Enable/disable anonymizing user names in log option - disable

messages.

Option Description

enable Enable anonymizing user names in log messages.

disable Disable anonymizing user names in log messages.

* This parameter may not exist in some models.

config log syslogd2 filter

Filters for remote system server.

config log syslogd2 filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]

FortiOS 7.0.9 CLI Reference 606

config log syslogd2 filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

FortiOS 7.0.9 CLI Reference 607

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 608

Fortinet Inc.
Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd2 override-filter

FortiOS 7.0.9 CLI Reference 610

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 611

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd2 override-setting

Override settings for remote syslog server.

FortiOS 7.0.9 CLI Reference 612

Fortinet Inc.
config log syslogd2 override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd2 override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

FortiOS 7.0.9 CLI Reference 613

Fortinet Inc.
Parameter Description Type Size Default

Option Description

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

FortiOS 7.0.9 CLI Reference 614

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

FortiOS 7.0.9 CLI Reference 615

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name. string Not

Specified

custom Field custom name. string Not

Specified

config log syslogd2 setting

Global settings for remote syslog server.

config log syslogd2 setting
Description: Global settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]

FortiOS 7.0.9 CLI Reference 616

Fortinet Inc.
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd2 setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.0.9 CLI Reference 617

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.0.9 CLI Reference 618

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

FortiOS 7.0.9 CLI Reference 619

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name. string Not

Specified

custom Field custom name. string Not

Specified

config log syslogd3 filter

Filters for remote system server.

config log syslogd3 filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

FortiOS 7.0.9 CLI Reference 620

Fortinet Inc.
config log syslogd3 filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

FortiOS 7.0.9 CLI Reference 621

Fortinet Inc.
Parameter Description Type Size Default

Option Description

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

FortiOS 7.0.9 CLI Reference 622

Fortinet Inc.
Parameter Description Type Size Default

Option Description

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd3 override-filter

Override filters for remote system server.

config log syslogd3 override-filter
Description: Override filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}

FortiOS 7.0.9 CLI Reference 623

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 625

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd3 override-setting

Override settings for remote syslog server.

FortiOS 7.0.9 CLI Reference 626

Fortinet Inc.
config log syslogd3 override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd3 override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

FortiOS 7.0.9 CLI Reference 627

Fortinet Inc.
Parameter Description Type Size Default

Option Description

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

FortiOS 7.0.9 CLI Reference 628

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

FortiOS 7.0.9 CLI Reference 629

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.0.9 CLI Reference 631

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.0.9 CLI Reference 632

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

FortiOS 7.0.9 CLI Reference 633

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name. string Not

Specified

custom Field custom name. string Not

Specified

config log syslogd4 filter

Filters for remote system server.

config log syslogd4 filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

FortiOS 7.0.9 CLI Reference 634

Fortinet Inc.
config log syslogd4 filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

FortiOS 7.0.9 CLI Reference 635

Fortinet Inc.
Parameter Description Type Size Default

Option Description

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

FortiOS 7.0.9 CLI Reference 636

Fortinet Inc.
Parameter Description Type Size Default

Option Description

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd4 override-filter

Override filters for remote system server.

config log syslogd4 override-filter
Description: Override filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}

FortiOS 7.0.9 CLI Reference 637

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 639

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd4 override-setting

Override settings for remote syslog server.

FortiOS 7.0.9 CLI Reference 640

Fortinet Inc.
config log syslogd4 override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd4 override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

FortiOS 7.0.9 CLI Reference 641

Fortinet Inc.
Parameter Description Type Size Default

Option Description

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

FortiOS 7.0.9 CLI Reference 642

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

FortiOS 7.0.9 CLI Reference 643

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.0.9 CLI Reference 645

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.0.9 CLI Reference 646

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

FortiOS 7.0.9 CLI Reference 647

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name. string Not

Specified

custom Field custom name. string Not

Specified

config log syslogd filter

Filters for remote system server.

config log syslogd filter
Description: Filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

FortiOS 7.0.9 CLI Reference 648

Fortinet Inc.
config log syslogd filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

gtp * Enable/disable GTP messages logging. option - enable

Option Description

enable Enable GTP messages logging.

disable Disable GTP messages logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

FortiOS 7.0.9 CLI Reference 649

Fortinet Inc.
Parameter Description Type Size Default

Option Description

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

FortiOS 7.0.9 CLI Reference 650

Fortinet Inc.
Parameter Description Type Size Default

Option Description

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd override-filter

Override filters for remote system server.

config log syslogd override-filter
Description: Override filters for remote system server.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}

FortiOS 7.0.9 CLI Reference 651

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

FortiOS 7.0.9 CLI Reference 653

Fortinet Inc.
config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd override-setting

Override settings for remote syslog server.

FortiOS 7.0.9 CLI Reference 654

Fortinet Inc.
config log syslogd override-setting
Description: Override settings for remote syslog server.
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set enc-algorithm [high-medium|high|...]
set facility [kernel|user|...]
set format [default|csv|...]
set interface {string}
set interface-select-method [auto|sdwan|...]
set max-log-rate {integer}
set mode [udp|legacy-reliable|...]
set port {integer}
set priority [default|low]
set server {string}
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set status [enable|disable]
end

config log syslogd override-setting

Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

FortiOS 7.0.9 CLI Reference 655

Fortinet Inc.
Parameter Description Type Size Default

Option Description

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

FortiOS 7.0.9 CLI Reference 656

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

FortiOS 7.0.9 CLI Reference 657

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.0.9 CLI Reference 659

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

interface Specify outgoing interface to reach server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.0.9 CLI Reference 660

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

server Address of remote syslog server. string Not

Specified

source-ip Source IP address of syslog. string Not

Specified

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

status Enable/disable remote syslog logging. option - disable

FortiOS 7.0.9 CLI Reference 661

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

config custom-field-name

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

name Field name. string Not

Specified

custom Field custom name. string Not

Specified

config log tacacs+accounting2 filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting2 filter
Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end

config log tacacs+accounting2 filter

Parameter Description Type Size Default

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - enable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

FortiOS 7.0.9 CLI Reference 662

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config log tacacs+accounting2 setting

Settings for TACACS+ accounting.

config log tacacs+accounting2 setting
Description: Settings for TACACS+ accounting.
set server {string}
set server-key {password}
set status [enable|disable]
end

config log tacacs+accounting2 setting

Parameter Description Type Size Default

server Address of TACACS+ server. string Not

Specified

server-key Key to access the TACACS+ server. password Not

Specified

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

config log tacacs+accounting3 filter

Settings for TACACS+ accounting events filter.

FortiOS 7.0.9 CLI Reference 663

Fortinet Inc.
config log tacacs+accounting3 filter
Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end

config log tacacs+accounting3 filter

Parameter Description Type Size Default

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - enable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config log tacacs+accounting3 setting

Settings for TACACS+ accounting.

config log tacacs+accounting3 setting
Description: Settings for TACACS+ accounting.
set server {string}
set server-key {password}
set status [enable|disable]
end

FortiOS 7.0.9 CLI Reference 664

Fortinet Inc.
config log tacacs+accounting3 setting

Parameter Description Type Size Default

server Address of TACACS+ server. string Not

Specified

server-key Key to access the TACACS+ server. password Not

Specified

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

config log tacacs+accounting filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting filter
Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end

config log tacacs+accounting filter

Parameter Description Type Size Default

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - enable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

FortiOS 7.0.9 CLI Reference 665

Fortinet Inc.
Parameter Description Type Size Default

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config log tacacs+accounting setting

Settings for TACACS+ accounting.

config log tacacs+accounting setting
Description: Settings for TACACS+ accounting.
set server {string}
set server-key {password}
set status [enable|disable]
end

config log tacacs+accounting setting

Parameter Description Type Size Default

server Address of TACACS+ server. string Not

Specified

server-key Key to access the TACACS+ server. password Not

Specified

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

config log threat-weight

Configure threat weight settings.

config log threat-weight
Description: Configure threat weight settings.
config application
Description: Application-control threat weight settings.
edit <id>
set id {integer}
set category {integer}

FortiOS 7.0.9 CLI Reference 666

Fortinet Inc.
set level [disable|low|...]
next
end
set blocked-connection [disable|low|...]
set botnet-connection-detected [disable|low|...]
set failed-connection [disable|low|...]
config geolocation
Description: Geolocation-based threat weight settings.
edit <id>
set id {integer}
set country {string}
set level [disable|low|...]
next
end
config ips
Description: IPS threat weight settings.
set info-severity [disable|low|...]
set low-severity [disable|low|...]
set medium-severity [disable|low|...]
set high-severity [disable|low|...]
set critical-severity [disable|low|...]
end
config level
Description: Score mapping for threat weight levels.
set low {integer}
set medium {integer}
set high {integer}
set critical {integer}
end
config malware
Description: Anti-virus malware threat weight settings.
set virus-infected [disable|low|...]
set fortindr [disable|low|...]
set file-blocked [disable|low|...]
set command-blocked [disable|low|...]
set oversized [disable|low|...]
set virus-scan-error [disable|low|...]
set switch-proto [disable|low|...]
set mimefragmented [disable|low|...]
set virus-file-type-executable [disable|low|...]
set virus-outbreak-prevention [disable|low|...]
set content-disarm [disable|low|...]
set malware-list [disable|low|...]
set ems-threat-feed [disable|low|...]
set fsa-malicious [disable|low|...]
set fsa-high-risk [disable|low|...]
set fsa-medium-risk [disable|low|...]
end
set status [enable|disable]
set url-block-detected [disable|low|...]
config web
Description: Web filtering threat weight settings.
edit <id>
set id {integer}
set category {integer}
set level [disable|low|...]

FortiOS 7.0.9 CLI Reference 667

Fortinet Inc.
next
end
end

config log threat-weight

Parameter Description Type Size Default

blocked- Threat weight score for blocked connections. option - high

connection

Option Description

disable Disable threat weight scoring for blocked connections.

low Use the low level score for blocked connections.

medium Use the medium level score for blocked connections.

high Use the high level score for blocked connections.

critical Use the critical level score for blocked connections.

botnet- Threat weight score for detected botnet connections. option - critical
connection-
detected

Option Description

disable Disable threat weight scoring for detected botnet connections.

low Use the low level score for detected botnet connections.

medium Use the medium level score for detected botnet connections.

high Use the high level score for detected botnet connections.

critical Use the critical level score for detected botnet connections.

failed- Threat weight score for failed connections. option - low

connection

Option Description

disable Disable threat weight scoring for failed connections.

low Use the low level score for failed connections.

medium Use the medium level score for failed connections.

high Use the high level score for failed connections.

critical Use the critical level score for failed connections.

status Enable/disable the threat weight feature. option - enable

FortiOS 7.0.9 CLI Reference 668

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the threat weight feature.

disable Disable the threat weight feature.

url-block- Threat weight score for URL blocking. option - high

detected

Option Description

disable Disable threat weight scoring for URL blocking.

low Use the low level score for URL blocking.

medium Use the medium level score for URL blocking.

high Use the high level score for URL blocking.

critical Use the critical level score for URL blocking.

config application

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

category Application category. integer Minimum 0

value: 0
Maximum
value:
65535

level Threat weight score for Application events. option - low

Option Description

disable Disable threat weight scoring for Application events.

low Use the low level score for Application events.

medium Use the medium level score for Application events.

high Use the high level score for Application events.

critical Use the critical level score for Application events.

FortiOS 7.0.9 CLI Reference 669

Fortinet Inc.
config geolocation

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

country Country code. string Not

Specified

level Threat weight score for Geolocation-based events. option - low

Option Description

disable Disable threat weight scoring for Geolocation-based events.

low Use the low level score for Geolocation-based events.

medium Use the medium level score for Geolocation-based events.

high Use the high level score for Geolocation-based events.

critical Use the critical level score for Geolocation-based events.

config ips

Parameter Description Type Size Default

info-severity Threat weight score for IPS info severity events. option - disable

Option Description

disable Disable threat weight scoring for IPS info severity events.

low Use the low level score for IPS info severity events.

medium Use the medium level score for IPS info severity events.

high Use the high level score for IPS info severity events.

critical Use the critical level score for IPS info severity events.

low-severity Threat weight score for IPS low severity events. option - low

Option Description

disable Disable threat weight scoring for IPS low severity events.

low Use the low level score for IPS low severity events.

medium Use the medium level score for IPS low severity events.

high Use the high level score for IPS low severity events.

critical Use the critical level score for IPS low severity events.

FortiOS 7.0.9 CLI Reference 670

Fortinet Inc.
Parameter Description Type Size Default

medium- Threat weight score for IPS medium severity events. option - medium
severity

Option Description

disable Disable threat weight scoring for IPS medium severity events.

low Use the low level score for IPS medium severity events.

medium Use the medium level score for IPS medium severity events.

high Use the high level score for IPS medium severity events.

critical Use the critical level score for IPS medium severity events.

high-severity Threat weight score for IPS high severity events. option - high

Option Description

disable Disable threat weight scoring for IPS high severity events.

low Use the low level score for IPS high severity events.

medium Use the medium level score for IPS high severity events.

high Use the high level score for IPS high severity events.

critical Use the critical level score for IPS high severity events.

critical- Threat weight score for IPS critical severity events. option - critical
severity

Option Description

disable Disable threat weight scoring for IPS critical severity events.

low Use the low level score for IPS critical severity events.

medium Use the medium level score for IPS critical severity events.

high Use the high level score for IPS critical severity events.

critical Use the critical level score for IPS critical severity events.

config level

Parameter Description Type Size Default

low Low level score value. integer Minimum 5

value: 1
Maximum
value: 100

FortiOS 7.0.9 CLI Reference 671

Fortinet Inc.
Parameter Description Type Size Default

medium Medium level score value. integer Minimum 10

value: 1
Maximum
value: 100

high High level score value. integer Minimum 30

value: 1
Maximum
value: 100

critical Critical level score value. integer Minimum 50

value: 1
Maximum
value: 100

config malware

Parameter Description Type Size Default

virus-infected Threat weight score for virus (infected) detected. option - critical

Option Description

disable Disable threat weight scoring for virus (infected) detected.

low Use the low level score for virus (infected) detected.

medium Use the medium level score for virus (infected) detected.

high Use the high level score for virus (infected) detected.

critical Use the critical level score for virus (infected) detected.

fortindr Threat weight score for FortiNDR-detected virus. option - critical

Option Description

disable Disable threat weight scoring for virus detected by FortiNDR.

low Use the low level score for virus detected by FortiNDR.

medium Use the medium level score for virus detected by FortiNDR.

high Use the high level score for virus detected by FortiNDR.

critical Use the critical level score for virus detected by FortiNDR.

file-blocked Threat weight score for blocked file detected. option - low

Option Description

disable Disable threat weight scoring for blocked file detected.

low Use the low level score for blocked file detected.

FortiOS 7.0.9 CLI Reference 672

Fortinet Inc.
Parameter Description Type Size Default

Option Description

medium Use the medium level score for blocked file detected.

high Use the high level score for blocked file detected.

critical Use the critical level score for blocked file detected.

command-blocked Threat weight score for blocked command detected. option - disable

Option Description

disable Disable threat weight scoring for blocked command detected.

low Use the low level score for blocked command detected.

medium Use the medium level score for blocked command detected.

high Use the high level score for blocked command detected.

critical Use the critical level score for blocked command detected.

oversized Threat weight score for oversized file detected. option - disable

Option Description

disable Disable threat weight scoring for oversized file detected.

low Use the low level score for oversized file detected.

medium Use the medium level score for oversized file detected.

high Use the high level score for oversized file detected.

critical Use the critical level score for oversized file detected.

virus-scan-error Threat weight score for virus (scan error) detected. option - high

Option Description

disable Disable threat weight scoring for virus (scan error) detected.

low Use the low level score for virus (scan error) detected.

medium Use the medium level score for virus (scan error) detected.

high Use the high level score for virus (scan error) detected.

critical Use the critical level score for virus (scan error) detected.

switch-proto Threat weight score for switch proto detected. option - disable

Option Description

disable Disable threat weight scoring for switch proto detected.

FortiOS 7.0.9 CLI Reference 673

Fortinet Inc.
Parameter Description Type Size Default

Option Description

low Use the low level score for switch proto detected.

medium Use the medium level score for switch proto detected.

high Use the high level score for switch proto detected.

critical Use the critical level score for switch proto detected.

mimefragmented Threat weight score for mimefragmented detected. option - disable

Option Description

disable Disable threat weight scoring for mimefragmented detected.

low Use the low level score for mimefragmented detected.

medium Use the medium level score for mimefragmented detected.

high Use the high level score for mimefragmented detected.

critical Use the critical level score for mimefragmented detected.

virus-file-type- Threat weight score for virus (file type executable) option - medium
executable detected.

Option Description

disable Disable threat weight scoring for virus (filetype executable) detected.

low Use the low level score for virus (filetype executable) detected.

medium Use the medium level score for virus (filetype executable) detected.

high Use the high level score for virus (filetype executable) detected.

critical Use the critical level score for virus (filetype executable) detected.

virus-outbreak- Threat weight score for virus (outbreak prevention) option - critical
prevention event.

Option Description

disable Disable threat weight scoring for virus (outbreak prevention) event.

low Use the low level score for virus (outbreak prevention) event.

medium Use the medium level score for virus (outbreak prevention) event.

high Use the high level score for virus (outbreak prevention) event.

critical Use the critical level score for virus (outbreak prevention) event.

content-disarm Threat weight score for virus (content disarm) option - medium
detected.

FortiOS 7.0.9 CLI Reference 674

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for virus (content disarm) detected.

low Use the low level score for virus (content disarm) detected.

medium Use the medium level score for virus (content disarm) detected.

high Use the high level score for virus (content disarm) detected.

critical Use the critical level score for virus (content disarm) detected.

malware-list Threat weight score for virus (malware list) detected. option - medium

Option Description

disable Disable threat weight scoring for virus (malware list) detected.

low Use the low level score for virus (malware list) detected.

medium Use the medium level score for virus (malware list) detected.

high Use the high level score for virus (malware list) detected.

critical Use the critical level score for virus (malware list) detected.

ems-threat-feed Threat weight score for virus (EMS threat feed) option - medium
detected.

Option Description

disable Disable threat weight scoring for virus (EMS threat feed) detected.

low Use the low level score for virus (EMS threat feed) detected.

medium Use the medium level score for virus (EMS threat feed) detected.

high Use the high level score for virus (EMS threat feed) detected.

critical Use the critical level score for virus (EMS threat feed) detected.

fsa-malicious Threat weight score for FortiSandbox malicious option - critical

malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox malicious malware

detected.

low Use the low level score for FortiSandbox malicious malware detected.

medium Use the medium level score for FortiSandbox malicious malware
detected.

high Use the high level score for FortiSandbox malicious malware detected.

FortiOS 7.0.9 CLI Reference 675

Fortinet Inc.
Parameter Description Type Size Default

Option Description

critical Use the critical level score for FortiSandbox malicious malware detected.

fsa-high-risk Threat weight score for FortiSandbox high risk option - high
malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox high risk malware
detected.

low Use the low level score for FortiSandbox high risk malware detected.

medium Use the medium level score for FortiSandbox high risk malware detected.

high Use the high level score for FortiSandbox high risk malware detected.

critical Use the critical level score for FortiSandbox high risk malware detected.

fsa-medium-risk Threat weight score for FortiSandbox medium risk option - medium
malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox medium risk malware
detected.

low Use the low level score for FortiSandbox medium risk malware detected.

medium Use the medium level score for FortiSandbox medium risk malware
detected.

high Use the high level score for FortiSandbox medium risk malware detected.

critical Use the critical level score for FortiSandbox medium risk malware
detected.

config web

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value: 255

category Threat weight score for web category filtering matches. integer Minimum 0
value: 0
Maximum
value: 255

level Threat weight score for web category filtering matches. option - low

FortiOS 7.0.9 CLI Reference 676

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for web category filtering matches.

low Use the low level score for web category filtering matches.

medium Use the medium level score for web category filtering matches.

high Use the high level score for web category filtering matches.

critical Use the critical level score for web category filtering matches.

config log webtrends filter

Filters for WebTrends.

config log webtrends filter
Description: Filters for WebTrends.
set anomaly [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set severity [emergency|alert|...]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end

config log webtrends filter

Parameter Description Type Size Default

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

forward-traffic Enable/disable forward traffic logging. option - enable

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

severity Lowest severity level to log to WebTrends. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.0.9 CLI Reference 678

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

* This parameter may not exist in some models.

config free-style

Parameter Description Type Size Default

id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

FortiOS 7.0.9 CLI Reference 679

Fortinet Inc.
Parameter Description Type Size Default

Option Description

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log webtrends setting

Settings for WebTrends.

config log webtrends setting
Description: Settings for WebTrends.
set server {string}
set status [enable|disable]
end

config log webtrends setting

Parameter Description Type Size Default

server Address of the remote WebTrends server. string Not

Specified

status Enable/disable logging to WebTrends. option - disable

Option Description

enable Enable logging to WebTrends.

disable Disble logging to WebTrends.

FortiOS 7.0.9 CLI Reference 680

Fortinet Inc.
mgmt-data

This section includes syntax for the following commands:

l config mgmt-data status on page 681

config mgmt-data status

Status for mgmt-data.

config mgmt-data status
Description: Status for mgmt-data.
end

FortiOS 7.0.9 CLI Reference 681

Fortinet Inc.
monitoring

This section includes syntax for the following commands:

l config monitoring np6-ipsec-engine on page 682
l config monitoring npu-hpe on page 683

config monitoring np6-ipsec-engine

Configure NP6 IPsec engine status monitoring.

config monitoring np6-ipsec-engine
Description: Configure NP6 IPsec engine status monitoring.
set interval {integer}
set status [enable|disable]
set threshold {user}
end

FortiOS 7.0.9 CLI Reference 682

Fortinet Inc.
config monitoring np6-ipsec-engine

Parameter Description Type Size Default

interval IPsec engine status check interval. integer Minimum 1

value: 1
Maximum
value: 60

status Enable/disable NP6 IPsec engine status monitoring. option - disable

Option Description

enable Enable setting.

disable Disable setting.

threshold IPsec engine status check threshold. Example: Log is user Not
generated if IPsec engine 0 is busy each of every 15 Specified
consecutive interval checks.

config monitoring npu-hpe

This command is available for model(s): FortiGate 1000D, FortiGate 1100E, FortiGate 1101E,
FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F, FortiGate 1801F,
FortiGate 2000E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate
400E, FortiGate 401E, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 800D, FortiGate 900D.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 101E,
FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-
POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE,
FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

Configure npu-hpe status monitoring.

config monitoring npu-hpe
Description: Configure npu-hpe status monitoring.
set interval {integer}
set multipliers {user}

FortiOS 7.0.9 CLI Reference 683

Fortinet Inc.
set status [enable|disable]
end

config monitoring npu-hpe

Parameter Description Type Size Default

interval HPE status check interval. integer Minimum 1

value: 1
Maximum
value: 60

multipliers HPE type interval multipliers. An event log is generated user Not
after every (interval * multiplier)seconds as configured Specified
for any HPE type when drops occur for that HPE type.
An attack log is generated after every (4 * multiplier)
number of continuous event logs.

status Enable/disable HPE status monitoring. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.0.9 CLI Reference 684

Fortinet Inc.
nsxt

This section includes syntax for the following commands:

l config nsxt service-chain on page 685
l config nsxt setting on page 687

config nsxt service-chain

This command is available for model(s): FortiGate VM64.

Configure NSX-T service chain.

config nsxt service-chain
Description: Configure NSX-T service chain.
edit <id>
set id {integer}
set name {string}
config service-index
Description: Configure service index.
edit <id>
set id {integer}
set reverse-index {integer}
set name {string}
set vd {string}
next
end

FortiOS 7.0.9 CLI Reference 685

Fortinet Inc.
next
end

config nsxt service-chain

Parameter Description Type Size Default

id Chain ID. integer Minimum 0

value: 0
Maximum
value: 1023

name Chain name. string Not

Specified

config service-index

Parameter Description Type Size Default

id Service index. integer Minimum 0

value: 0
Maximum
value: 255

reverse-index Reverse service index. integer Minimum 1

value: 1
Maximum
value: 255

name Index name. string Not

Specified

vd VDOM name. string Not

Specified

FortiOS 7.0.9 CLI Reference 686

Fortinet Inc.
config nsxt setting

This command is available for model(s): FortiGate VM64.

Configure NSX-T setting.

config nsxt setting
Description: Configure NSX-T setting.
set liveness [enable|disable]
set service {string}
end

config nsxt setting

Parameter Description Type Size Default

liveness Enable/disable liveness detection packet forwarding. option - disable

Option Description

enable Enable liveness detection packet forwarding.

disable Disable liveness detection packet forwarding.

service Service name. string Not

Specified

FortiOS 7.0.9 CLI Reference 687

Fortinet Inc.
report

This section includes syntax for the following commands:

l config report layout on page 688
l config report setting on page 696
l config report sql status on page 698

config report layout

This command is available for model(s): FortiGate 1000D, FortiGate 101E, FortiGate 101F,
FortiGate 1101E, FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1801F,
FortiGate 2000E, FortiGate 201E, FortiGate 201F, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E,
FortiGate 3700D, FortiGate 3800D, FortiGate 401E, FortiGate 4201F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 501E, FortiGate 601E, FortiGate 61E, FortiGate 61F, FortiGate
800D, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate
900D, FortiGate 91E, FortiGate VM64, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-
POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 1100E,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F,
FortiGate 2200E, FortiGate 300E, FortiGate 3300E, FortiGate 3400E, FortiGate 3500F,
FortiGate 3600E, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4400F, FortiGate 5001E,
FortiGate 500E, FortiGate 600E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-
POE, FortiGate 60E, FortiGate 60F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 80F 2R.

Report layout configuration.

config report layout
Description: Report layout configuration.
edit <name>
config body-item
Description: Configure report body item.
edit <id>
set id {integer}
set description {string}
set type [text|image|...]
set style {string}
set top-n {integer}
config parameters
Description: Parameters.
edit <id>

FortiOS 7.0.9 CLI Reference 688

Fortinet Inc.
set id {integer}
set name {string}
set value {string}
next
end
set text-component [text|heading1|...]
set content {string}
set img-src {string}
set chart {string}
set chart-options {option1}, {option2}, ...
set misc-component [hline|page-break|...]
set title {string}
next
end
set cutoff-option [run-time|custom]
set cutoff-time {user}
set day [sunday|monday|...]
set description {string}
set email-recipients {string}
set email-send [enable|disable]
set format {option1}, {option2}, ...
set max-pdf-report {integer}
set name {string}
set options {option1}, {option2}, ...
config page
Description: Configure report page.
set paper [a4|letter]
set column-break-before {option1}, {option2}, ...
set page-break-before {option1}, {option2}, ...
set options {option1}, {option2}, ...
config header
Description: Configure report page header.
set style {string}
config header-item
Description: Configure report header item.
edit <id>
set id {integer}
set description {string}
set type [text|image]
set style {string}
set content {string}
set img-src {string}
next
end
end
config footer
Description: Configure report page footer.
set style {string}
config footer-item
Description: Configure report footer item.
edit <id>
set id {integer}
set description {string}
set type [text|image]
set style {string}
set content {string}

FortiOS 7.0.9 CLI Reference 689

Fortinet Inc.
set img-src {string}
next
end
end
end
set schedule-type [demand|daily|...]
set style-theme {string}
set subtitle {string}
set time {user}
set title {string}
next
end

config report layout

Parameter Description Type Size Default

cutoff-option Cutoff-option is either run-time or custom. option - run-time

Option Description

run-time Run time.

custom Custom.

cutoff-time Custom cutoff time to generate report (format = user Not

hh:mm). Specified

day Schedule days of week to generate report. option - sunday

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

description Description. string Not

Specified

email- Email recipients for generated reports. string Not

recipients Specified

email-send Enable/disable sending emails after reports are option - disable

generated.

FortiOS 7.0.9 CLI Reference 690

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sending emails after generating reports.

disable Disable sending emails after generating reports.

format Report format. option - pdf

Option Description

pdf PDF.

max-pdf- Maximum number of PDF reports to keep at one time integer Minimum 31
report (oldest report is overwritten). value: 1
Maximum
value: 365

name Report layout name. string Not

Specified

options Report layout options. option - include-table-

of-content
auto-
numbering-
heading view-
chart-as-
heading

Option Description

include-table-of- Include table of content in the report.

content

auto-numbering- Prepend heading with auto numbering.

heading

view-chart-as- Auto add heading for each chart.

heading

show-html- Show HTML navigation bar before each heading.

navbar-before-
heading

dummy-option Use this option if you need none of the above options.

schedule-type Report schedule type. option - daily

Option Description

demand Run on demand.

FortiOS 7.0.9 CLI Reference 691

Fortinet Inc.
Parameter Description Type Size Default

Option Description

daily Schedule daily.

weekly Schedule weekly.

style-theme Report style theme. string Not

type Report item type. option - text

Option Description

text Text.

image Image.

chart Chart.

misc Miscellaneous.

style Report item style. string Not Specified

top-n Value of top. integer Minimum 0

value: 0
Maximum
value:
4294967295

text- Report item text component. option - text

component

FortiOS 7.0.9 CLI Reference 692

Fortinet Inc.
Parameter Description Type Size Default

Option Description

text Normal text.

heading1 Heading 1.

heading2 Heading 2.

heading3 Heading 3.

content Report item text content. string Not Specified

img-src Report item image file name. string Not Specified

chart Report item chart name. string Not Specified

chart-options Report chart options. option - include-no-

data hide-
title show-
caption

Option Description

include-no-data Include chart with no data.

hide-title Hide chart title.

show-caption Show chart caption.

misc- Report item miscellaneous component. option - hline

component

Option Description

hline Horizontal line.

page-break Page break.

column-break Column break.

section-start Section start.

title Report section title. string Not Specified

config parameters

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 693

Fortinet Inc.
Parameter Description Type Size Default

name Field name that match field of parameters defined in string Not Specified
dataset.

value Value to replace corresponding field of parameters string Not Specified

defined in dataset.

config page

Parameter Description Type Size Default

paper Report page paper. option - a4

Option Description

a4 A4 paper.

letter Letter paper.

column- Report page auto column break before heading. option -

break-before

Option Description

heading1 Column break before heading 1.

heading2 Column break before heading 2.

heading3 Column break before heading 3.

page-break- Report page auto page break before heading. option -

before

Option Description

heading1 Page break before heading 1.

heading2 Page break before heading 2.

heading3 Page break before heading 3.

options Report page options. option -

Option Description

header-on-first- Show header on first page.

page

footer-on-first- Show footer on first page.

page

FortiOS 7.0.9 CLI Reference 694

Fortinet Inc.
config header

Parameter Description Type Size Default

style Report header style. string Not

Specified

config header-item

Parameter Description Type Size Default

id Report item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

description Description. string Not Specified

type Report item type. option - text

Option Description

text Text.

image Image.

style Report item style. string Not Specified

content Report item text content. string Not Specified

img-src Report item image file name. string Not Specified

config footer

Parameter Description Type Size Default

style Report footer style. string Not

Specified

config footer-item

Parameter Description Type Size Default

id Report item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

description Description. string Not Specified

type Report item type. option - text

FortiOS 7.0.9 CLI Reference 695

Fortinet Inc.
Parameter Description Type Size Default

Option Description

text Text.

image Image.

style Report item style. string Not Specified

content Report item text content. string Not Specified

img-src Report item image file name. string Not Specified

config report setting

This command is available for model(s): FortiGate 1000D, FortiGate 101E, FortiGate 101F,
FortiGate 1101E, FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1801F,
FortiGate 2000E, FortiGate 201E, FortiGate 201F, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E,
FortiGate 3700D, FortiGate 3800D, FortiGate 401E, FortiGate 4201F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 501E, FortiGate 601E, FortiGate 61E, FortiGate 61F, FortiGate
800D, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate
900D, FortiGate 91E, FortiGate VM64, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-
POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 1100E,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F,
FortiGate 2200E, FortiGate 300E, FortiGate 3300E, FortiGate 3400E, FortiGate 3500F,
FortiGate 3600E, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E,
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4400F, FortiGate 5001E,
FortiGate 500E, FortiGate 600E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-
POE, FortiGate 60E, FortiGate 60F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 80F 2R.

Report setting configuration.

config report setting
Description: Report setting configuration.
set fortiview [enable|disable]
set pdf-report [enable|disable]
set report-source {option1}, {option2}, ...
set top-n {integer}
set web-browsing-threshold {integer}
end

FortiOS 7.0.9 CLI Reference 696

Fortinet Inc.
config report setting

Parameter Description Type Size Default

fortiview Enable/disable historical FortiView. option - enable **

Option Description

enable Enable historical FortiView.

disable Disable historical FortiView.

pdf-report Enable/disable PDF report. option - enable **

Option Description

enable Enable PDF report.

disable Disable PDF report.

report-source Report log source. option - forward-

traffic

Option Description

forward-traffic Report includes forward traffic logs.

sniffer-traffic Report includes sniffer traffic logs.

local-deny-traffic Report includes local deny traffic logs.

top-n Number of items to populate. integer Minimum 1000

value: 1000
Maximum
value:
20000

web- Web browsing time calculation threshold. integer Minimum 3

browsing- value: 3
threshold Maximum
value: 15

** Values may differ between models.

FortiOS 7.0.9 CLI Reference 697

Fortinet Inc.
config report sql status

This command is available for model(s): FortiGate 1000D, FortiGate 101E, FortiGate 101F,
FortiGate 1101E, FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1801F,
FortiGate 2000E, FortiGate 201E, FortiGate 201F, FortiGate 2201E, FortiGate 2500E,
FortiGate 2601F, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3301E,
FortiGate 3401E, FortiGate 3501F, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D,
FortiGate 401E, FortiGate 4201F, FortiGate 4401F, FortiGate 5001E1, FortiGate 501E,
FortiGate 601E, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 81E, FortiGate 81F-
POE, FortiGate 81F, FortiGate 900D, FortiGate 91E, FortiGate VM64, FortiWiFi 61E,
FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 1100E,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F,
FortiGate 2200E, FortiGate 2600F, FortiGate 3000D, FortiGate 300E, FortiGate 3300E,
FortiGate 3400E, FortiGate 3500F, FortiGate 3600E, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate
4200F, FortiGate 4400F, FortiGate 5001E, FortiGate 500E, FortiGate 600E, FortiGate 60E
DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 80E-
POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate
81E-POE, FortiGate 90E, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 80F 2R.

Show report database status.

config report sql status
Description: Show report database status.
end

FortiOS 7.0.9 CLI Reference 698

Fortinet Inc.
router

This section includes syntax for the following commands:

l config router access-list on page 699
l config router access-list6 on page 701
l config router aspath-list on page 702
l config router auth-path on page 703
l config router bfd on page 703
l config router bfd6 on page 705
l config router bgp on page 706
l config router community-list on page 748
l config router info on page 749
l config router info6 on page 749
l config router isis on page 749
l config router key-chain on page 763
l config router multicast-flow on page 764
l config router multicast on page 765
l config router multicast6 on page 774
l config router ospf on page 776
l config router ospf6 on page 792
l config router policy on page 807
l config router policy6 on page 810
l config router prefix-list on page 812
l config router prefix-list6 on page 813
l config router rip on page 814
l config router ripng on page 821
l config router route-map on page 827
l config router setting on page 833
l config router static on page 833
l config router static6 on page 836

config router access-list

Configure access lists.

config router access-list
Description: Configure access lists.
edit <name>
set comments {string}
set name {string}
config rule

FortiOS 7.0.9 CLI Reference 699

Fortinet Inc.
Description: Rule.
edit <id>
set id {integer}
set action [permit|deny]
set prefix {user}
set wildcard {user}
set exact-match [enable|disable]
next
end
next
end

config router access-list

Parameter Description Type Size Default

comments Comment. string Not

Specified

name Name. string Not

Specified

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Permit or allow this IP address and netmask prefix.

deny Deny this IP address and netmask prefix.

prefix IPv4 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

wildcard Wildcard to define Cisco-style wildcard filter criteria. user Not Specified

exact-match Enable/disable exact match. option - disable

Option Description

enable Enable exact match.

disable Disable exact match.

FortiOS 7.0.9 CLI Reference 700

Fortinet Inc.
config router access-list6

Configure IPv6 access lists.

config router access-list6
Description: Configure IPv6 access lists.
edit <name>
set comments {string}
set name {string}
config rule
Description: Rule.
edit <id>
set id {integer}
set action [permit|deny]
set prefix6 {user}
set exact-match [enable|disable]
set flags {integer}
next
end
next
end

config router access-list6

Parameter Description Type Size Default

comments Comment. string Not

Specified

name Name. string Not

Specified

config rule

Parameter Description Type Size Default

id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Permit or allow this IP address and netmask prefix.

deny Deny this IP address and netmask prefix.

prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

FortiOS 7.0.9 CLI Reference 701

Fortinet Inc.
Parameter Description Type Size Default

exact-match Enable/disable exact prefix match. option - disable

Option Description

enable Enable exact match.

disable Disable exact match.

flags Flags. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router aspath-list

Configure Autonomous System (AS) path lists.

config router aspath-list
Description: Configure Autonomous System (AS) path lists.
edit <name>
set name {string}
config rule
Description: AS path list rule.
edit <id>
set id {integer}
set action [deny|permit]
set regexp {string}
next
end
next
end

config router aspath-list

Parameter Description Type Size Default

name AS path list name. string Not

Specified

config rule

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 702

Fortinet Inc.
Parameter Description Type Size Default

action Permit or deny route-based operations, based on the option -

route's AS_PATH attribute.

Option Description

deny Deny route-based operations.

permit Permit route-based operations.

regexp Regular-expression to match the Border Gateway string Not Specified

Protocol (BGP) AS paths.

config router auth-path

Configure authentication based routing.

config router auth-path
Description: Configure authentication based routing.
edit <name>
set device {string}
set gateway {ipv4-address}
set name {string}
next
end

config router auth-path

Parameter Description Type Size Default

device Outgoing interface. string Not

Specified

gateway Gateway IP address. ipv4- Not 0.0.0.0

address Specified

name Name of the entry. string Not

Specified

config router bfd

Configure BFD.
config router bfd
Description: Configure BFD.
config multihop-template
Description: BFD multi-hop template table.
edit <id>
set id {integer}
set src {ipv4-classnet}

FortiOS 7.0.9 CLI Reference 703

Fortinet Inc.
set dst {ipv4-classnet}
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set auth-mode [none|md5]
set md5-key {password}
next
end
config neighbor
Description: Neighbor.
edit <ip>
set ip {ipv4-address}
set interface {string}
next
end
end

config multihop-template

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

src Source prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

dst Destination prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

bfd-desired- BFD desired minimal transmit interval (milliseconds). integer Minimum 250
min-tx value: 100
Maximum
value: 30000

bfd-required- BFD required minimal receive interval (milliseconds). integer Minimum 250
min-rx value: 100
Maximum
value: 30000

bfd-detect- BFD detection multiplier. integer Minimum 3

mult value: 3
Maximum
value: 50

auth-mode Authentication mode. option - none

Option Description

none None.

md5 Meticulous MD5 mode.

FortiOS 7.0.9 CLI Reference 704

Fortinet Inc.
Parameter Description Type Size Default

md5-key MD5 key of key ID 1. password Not Specified

config neighbor

Parameter Description Type Size Default

ip IPv4 address of the BFD neighbor. ipv4- Not 0.0.0.0

address Specified

interface Interface name. string Not

Specified

config router bfd6

Configure IPv6 BFD.

config router bfd6
Description: Configure IPv6 BFD.
config multihop-template
Description: BFD IPv6 multi-hop template table.
edit <id>
set id {integer}
set src {ipv6-network}
set dst {ipv6-network}
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set auth-mode [none|md5]
set md5-key {password}
next
end
config neighbor
Description: Configure neighbor of IPv6 BFD.
edit <ip6-address>
set ip6-address {ipv6-address}
set interface {string}
next
end
end

config multihop-template

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 705

Fortinet Inc.
Parameter Description Type Size Default

src Source prefix. ipv6- Not Specified ::/0

network

dst Destination prefix. ipv6- Not Specified ::/0

network

bfd-desired- BFD desired minimal transmit interval (milliseconds). integer Minimum 250
min-tx value: 100
Maximum
value: 30000

bfd-required- BFD required minimal receive interval (milliseconds). integer Minimum 250
min-rx value: 100
Maximum
value: 30000

bfd-detect- BFD detection multiplier. integer Minimum 3

mult value: 3
Maximum
value: 50

auth-mode Authentication mode. option - none

Option Description

none None.

md5 Meticulous MD5 mode.

md5-key MD5 key of key ID 1. password Not Specified

config neighbor

Parameter Description Type Size Default

ip6-address IPv6 address of the BFD neighbor. ipv6- Not ::

address Specified

interface Interface to the BFD neighbor. string Not

Specified

config router bgp

Configure BGP.
config router bgp
Description: Configure BGP.
set additional-path [enable|disable]
set additional-path-select {integer}
set additional-path-select6 {integer}
set additional-path6 [enable|disable]
config admin-distance

FortiOS 7.0.9 CLI Reference 706

Fortinet Inc.
Description: Administrative distance modifications.
edit <id>
set id {integer}
set neighbour-prefix {ipv4-classnet}
set route-list {string}
set distance {integer}
next
end
config aggregate-address
Description: BGP aggregate address table.
edit <id>
set id {integer}
set prefix {ipv4-classnet-any}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
config aggregate-address6
Description: BGP IPv6 aggregate address table.
edit <id>
set id {integer}
set prefix6 {ipv6-prefix}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
set always-compare-med [enable|disable]
set as {integer}
set bestpath-as-path-ignore [enable|disable]
set bestpath-cmp-confed-aspath [enable|disable]
set bestpath-cmp-routerid [enable|disable]
set bestpath-med-confed [enable|disable]
set bestpath-med-missing-as-worst [enable|disable]
set client-to-client-reflection [enable|disable]
set cluster-id {ipv4-address-any}
set confederation-identifier {integer}
set confederation-peers <peer1>, <peer2>, ...
set dampening [enable|disable]
set dampening-max-suppress-time {integer}
set dampening-reachability-half-life {integer}
set dampening-reuse {integer}
set dampening-route-map {string}
set dampening-suppress {integer}
set dampening-unreachability-half-life {integer}
set default-local-preference {integer}
set deterministic-med [enable|disable]
set distance-external {integer}
set distance-internal {integer}
set distance-local {integer}
set ebgp-multipath [enable|disable]
set enforce-first-as [enable|disable]
set fast-external-failover [enable|disable]
set graceful-end-on-timer [enable|disable]
set graceful-restart [enable|disable]
set graceful-restart-time {integer}
set graceful-stalepath-time {integer}

FortiOS 7.0.9 CLI Reference 707

Fortinet Inc.
set graceful-update-delay {integer}
set holdtime-timer {integer}
set ibgp-multipath [enable|disable]
set ignore-optional-capability [enable|disable]
set keepalive-timer {integer}
set log-neighbour-changes [enable|disable]
set multipath-recursive-distance [enable|disable]
config neighbor
Description: BGP neighbor table.
edit <ip>
set ip {string}
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set description {string}
set distribute-list-in {string}
set distribute-list-in6 {string}

FortiOS 7.0.9 CLI Reference 708

Fortinet Inc.
set distribute-list-out {string}
set distribute-list-out6 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set interface {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set remote-as {integer}
set local-as {integer}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set keep-alive-timer {integer}
set holdtime-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set weight {integer}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
set password {password}
config conditional-advertise
Description: Conditional advertisement.
edit <advertise-routemap>
set advertise-routemap {string}
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
config conditional-advertise6
Description: IPv6 conditional advertisement.
edit <advertise-routemap>
set advertise-routemap {string}

FortiOS 7.0.9 CLI Reference 709

Fortinet Inc.
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
next
end
config neighbor-group
Description: BGP neighbor group table.
edit <name>
set name {string}
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set description {string}
set distribute-list-in {string}
set distribute-list-in6 {string}
set distribute-list-out {string}

FortiOS 7.0.9 CLI Reference 710

Fortinet Inc.
set distribute-list-out6 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set interface {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set remote-as {integer}
set local-as {integer}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set keep-alive-timer {integer}
set holdtime-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set weight {integer}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
next
end
config neighbor-range
Description: BGP neighbor range table.
edit <id>
set id {integer}
set prefix {ipv4-classnet}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config neighbor-range6
Description: BGP IPv6 neighbor range table.
edit <id>

FortiOS 7.0.9 CLI Reference 711

Fortinet Inc.
set id {integer}
set prefix6 {ipv6-network}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config network
Description: BGP network table.
edit <id>
set id {integer}
set prefix {ipv4-classnet}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
set network-import-check [enable|disable]
config network6
Description: BGP IPv6 network table.
edit <id>
set id {integer}
set prefix6 {ipv6-network}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
set recursive-next-hop [enable|disable]
config redistribute
Description: BGP IPv4 redistribute table.
edit <name>
set name {string}
set status [enable|disable]
set route-map {string}
next
end
config redistribute6
Description: BGP IPv6 redistribute table.
edit <name>
set name {string}
set status [enable|disable]
set route-map {string}
next
end
set router-id {ipv4-address-any}
set scan-time {integer}
set synchronization [enable|disable]
set tag-resolve-mode [disable|preferred|...]
config vrf-leak
Description: BGP VRF leaking table.
edit <vrf>
set vrf {string}
config target
Description: Target VRF table.
edit <vrf>
set vrf {string}

FortiOS 7.0.9 CLI Reference 712

Fortinet Inc.
set route-map {string}
set interface {string}
next
end
next
end
config vrf-leak6
Description: BGP IPv6 VRF leaking table.
edit <vrf>
set vrf {string}
config target
Description: Target VRF table.
edit <vrf>
set vrf {string}
set route-map {string}
set interface {string}
next
end
next
end
end

config router bgp

Parameter Description Type Size Default

additional-path Enable/disable selection of BGP IPv4 additional option - disable

paths.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

bestpath-med- Enable/disable treat missing MED as least option - disable

missing-as-worst preferred.

FortiOS 7.0.9 CLI Reference 714

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

client-to-client- Enable/disable client-to-client route reflection. option - enable

reflection

Option Description

enable Enable setting.

disable Disable setting.

cluster-id Route reflector cluster ID. ipv4- Not Specified 0.0.0.0

address-
any

confederation- Confederation identifier. integer Minimum 0

identifier value: 1
Maximum
value:
4294967295

confederation- Confederation peers. string Maximum

peers <peer> Peer ID. length: 79

dampening Enable/disable route-flap dampening. option - disable

Option Description

enable Enable setting.

disable Disable setting.

dampening-max- Maximum minutes a route can be suppressed. integer Minimum 60

suppress-time value: 1
Maximum
value: 255

dampening- Reachability half-life time for penalty (min). integer Minimum 15

reachability-half- value: 1
life Maximum
value: 45

dampening-reuse Threshold to reuse routes. integer Minimum 750

value: 1
Maximum
value: 20000

FortiOS 7.0.9 CLI Reference 715

Fortinet Inc.
Parameter Description Type Size Default

dampening-route- Criteria for dampening. string Not Specified

map

dampening- Threshold to suppress routes. integer Minimum 2000

suppress value: 1
Maximum
value: 20000

dampening- Unreachability half-life time for penalty (min). integer Minimum 15

unreachability- value: 1
half-life Maximum
value: 45

default-local- Default local preference. integer Minimum 100

preference value: 0
Maximum
value:
4294967295

deterministic-med Enable/disable enforce deterministic comparison option - disable

of MED.

Option Description

enable Enable setting.

disable Disable setting.

distance-external Distance for routes external to the AS. integer Minimum 20

value: 1
Maximum
value: 255

distance-internal Distance for routes internal to the AS. integer Minimum 200
value: 1
Maximum
value: 255

distance-local Distance for routes local to the AS. integer Minimum 200
value: 1
Maximum
value: 255

ebgp-multipath Enable/disable EBGP multi-path. option - disable

Option Description

enable Enable setting.

graceful-update- Route advertisement/selection delay after restart integer Minimum 120

delay (sec). value: 1
Maximum
value: 3600

holdtime-timer Number of seconds to mark peer as dead. integer Minimum 180

value: 3
Maximum
value: 65535

FortiOS 7.0.9 CLI Reference 717

Fortinet Inc.
Parameter Description Type Size Default

ibgp-multipath Enable/disable IBGP multi-path. option - disable

Option Description

enable Enable setting.

disable Disable setting.

ignore-optional- Do not send unknown optional capability option - enable

capability notification message.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

recursive-next- Enable/disable recursive resolution of next-hop option - disable

hop using BGP route.

FortiOS 7.0.9 CLI Reference 718

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

router-id Router ID. ipv4- Not Specified

address-
any

scan-time Background scanner interval (sec), 0 to disable it. integer Minimum 60

value: 5
Maximum
value: 60

synchronization Enable/disable only advertise routes from iBGP if option - disable

routes present in an IGP.

Option Description

enable Enable setting.

disable Disable setting.

tag-resolve-mode Configure tag-match mode. Resolves BGP routes option - disable

with other routes containing the same tag.

Option Description

disable Disable tag-match mode.

preferred Use tag-match if a BGP route resolution with another route containing the
same tag is successful.

merge Merge tag-match with best-match if they are using different routes. The
result will exclude the next hops of tag-match whose interfaces have
appeared in best-match.

config admin-distance

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

neighbour- Neighbor address prefix. ipv4- Not Specified 0.0.0.0

prefix classnet 0.0.0.0

route-list Access list of routes to apply new distance to. string Not Specified

FortiOS 7.0.9 CLI Reference 719

Fortinet Inc.
Parameter Description Type Size Default

distance Administrative distance to apply. integer Minimum 0

value: 1
Maximum
value: 255

config aggregate-address

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix Aggregate prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any

as-set Enable/disable generate AS set path information. option - disable

Option Description

enable Enable setting.

disable Disable setting.

summary-only Enable/disable filter more specific routes from option - disable

updates.

Option Description

enable Enable setting.

disable Disable setting.

config aggregate-address6

Parameter Description Type Size Default

id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

prefix6 Aggregate IPv6 prefix. ipv6-prefix Not Specified ::/0

as-set Enable/disable generate AS set path information. option - disable

FortiOS 7.0.9 CLI Reference 720

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

summary-only Enable/disable filter more specific routes from option - disable

updates.

Option Description

enable Enable setting.

disable Disable setting.

config neighbor

Parameter Description Type Size Default

ip IP/IPv6 address of neighbor. string Not Specified

advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600

allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in IPv4 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

FortiOS 7.0.9 CLI Reference 721

Fortinet Inc.
Parameter Description Type Size Default

allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

attribute- IPv4 List of attributes that should be option -

unchanged unchanged.

both Send and receive ORF lists.

capability- Enable/disable advertise IPv4 graceful option - disable

graceful-restart restart capability to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

capability- Enable/disable advertise IPv6 graceful option - disable

graceful-restart6 restart capability to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

link-down-failover Enable/disable failover upon link down. option - disable

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

route-server-client Enable/disable IPv4 AS route server client. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.0.9 CLI Reference 726

Fortinet Inc.
Parameter Description Type Size Default

route-server- Enable/disable IPv6 AS route server client. option - disable

client6

Option Description

enable Enable setting.

disable Disable setting.

shutdown Enable/disable shutdown this neighbor. option - disable

strict-capability- Enable/disable strict capability matching. option - disable

match

Option Description

enable Enable setting.

disable Disable setting.

default-originate- Route map to specify criteria to originate IPv4 string Not Specified
routemap default.

default-originate- Route map to specify criteria to originate IPv6 string Not Specified
routemap6 default.

description Description. string Not Specified

distribute-list-in Filter for IPv4 updates from this neighbor. string Not Specified

distribute-list-in6 Filter for IPv6 updates from this neighbor. string Not Specified

distribute-list-out Filter for IPv4 updates to this neighbor. string Not Specified

distribute-list-out6 Filter for IPv6 updates to this neighbor. string Not Specified

ebgp-multihop-ttl EBGP multihop TTL for this peer. integer Minimum 255
value: 1
Maximum
value: 255

filter-list-in BGP filter for IPv4 inbound routes. string Not Specified

filter-list-in6 BGP filter for IPv6 inbound routes. string Not Specified

filter-list-out BGP filter for IPv4 outbound routes. string Not Specified

filter-list-out6 BGP filter for IPv6 outbound routes. string Not Specified

interface Specify outgoing interface for peer string Not Specified

connection. For IPv6 peer, the interface
should have link-local address.

maximum-prefix Maximum number of IPv4 prefixes to accept integer Minimum 0

from this peer. value: 1
Maximum
value:
4294967295

maximum-prefix6 Maximum number of IPv6 prefixes to accept integer Minimum 0

from this peer. value: 1
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 728

Fortinet Inc.
Parameter Description Type Size Default

maximum-prefix- Maximum IPv4 prefix threshold value. integer Minimum 75

threshold value: 1
Maximum
value: 100

maximum-prefix- Maximum IPv6 prefix threshold value. integer Minimum 75

threshold6 value: 1
Maximum
value: 100

maximum-prefix- Enable/disable IPv4 Only give warning option - disable

warning-only message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable IPv6 Only give warning option - disable

warning-only6 message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

prefix-list-in IPv4 Inbound filter for updates from this string Not Specified
neighbor.

prefix-list-in6 IPv6 Inbound filter for updates from this string Not Specified
neighbor.

prefix-list-out IPv4 Outbound filter for updates to this string Not Specified
neighbor.

prefix-list-out6 IPv6 Outbound filter for updates to this string Not Specified
neighbor.

remote-as AS number of neighbor. integer Minimum 0

value: 1
Maximum
value:
4294967295

local-as Local AS number of neighbor. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.0.9 CLI Reference 729

Fortinet Inc.
Parameter Description Type Size Default

local-as-no- Do not prepend local-as to incoming updates. option - disable

prepend

Option Description

enable Enable setting.

disable Disable setting.

local-as-replace- Replace real AS with local-as in outgoing option - disable

as updates.

Option Description

enable Enable setting.

disable Disable setting.

retain-stale-time Time to retain stale routes. integer Minimum 0

value: 0
Maximum
value: 65535

route-map-in IPv4 Inbound route map filter. string Not Specified

route-map-in6 IPv6 Inbound route map filter. string Not Specified

route-map-out IPv4 outbound route map filter. string Not Specified

route-map-out- IPv4 outbound route map filter if the peer is string Not Specified
preferable preferred.

route-map-out6 IPv6 Outbound route map filter. string Not Specified

route-map-out6- IPv6 outbound route map filter if the peer is string Not Specified
preferable preferred.

send-community IPv4 Send community attribute to neighbor. option - both

Option Description

standard Standard.

extended Extended.

both Both.

disable Disable

send-community6 IPv6 Send community attribute to neighbor. option - both

Option Description

standard Standard.

FortiOS 7.0.9 CLI Reference 730

Fortinet Inc.
Parameter Description Type Size Default

Option Description

extended Extended.

both Both.

disable Disable

keep-alive-timer Keep alive timer interval (sec). integer Minimum 4294967295

value: 0
Maximum
value: 65535

holdtime-timer Interval (sec) before peer considered dead. integer Minimum 4294967295
value: 3
Maximum
value: 65535

connect-timer Interval (sec) for connect timer. integer Minimum 4294967295

value: 0
Maximum
value: 65535

unsuppress-map IPv4 Route map to selectively unsuppress string Not Specified

suppressed routes.

unsuppress-map6 IPv6 Route map to selectively unsuppress string Not Specified

suppressed routes.

update-source Interface to use as source IP/IPv6 address of string Not Specified

TCP connections.

weight Neighbor weight. integer Minimum 4294967295

value: 0
Maximum
value: 65535

restart-time Graceful restart delay time. integer Minimum 0

value: 0
Maximum
value: 3600

additional-path Enable/disable IPv4 additional-path option - disable

capability.

Option Description

send Enable sending additional paths.

receive Enable receiving additional paths.

both Enable sending and receiving additional paths.

FortiOS 7.0.9 CLI Reference 731

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable additional paths.

additional-path6 Enable/disable IPv6 additional-path option - disable

capability.

Option Description

send Enable sending additional paths.

receive Enable receiving additional paths.

both Enable sending and receiving additional paths.

disable Disable additional paths.

adv-additional- Number of IPv4 additional paths that can be integer Minimum 2

path advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of IPv6 additional paths that can be integer Minimum 2

path6 advertised to this neighbor. value: 2
Maximum
value: 255

password Password used in MD5 authentication. password Not Specified

config conditional-advertise

Parameter Description Type Size Default

advertise- Name of advertising route map. string Not

routemap Specified

condition- List of conditional route maps. string Maximum

routemap route map length: 79
<name>

condition-type Type of condition. option - exist

Option Description

exist True if condition route map is matched.

non-exist True if condition route map is not matched.

FortiOS 7.0.9 CLI Reference 732

Fortinet Inc.
config conditional-advertise6

Parameter Description Type Size Default

advertise- Name of advertising route map. string Not

routemap Specified

condition- List of conditional route maps. string Maximum

routemap route map length: 79
<name>

condition-type Type of condition. option - exist

Option Description

exist True if condition route map is matched.

non-exist True if condition route map is not matched.

config neighbor-group

Parameter Description Type Size Default

name Neighbor group name. string Not Specified

advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600

allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in IPv4 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

FortiOS 7.0.9 CLI Reference 733

Fortinet Inc.
Parameter Description Type Size Default

allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

attribute- IPv4 List of attributes that should be option -

unchanged unchanged.

both Send and receive ORF lists.

capability- Enable/disable advertise IPv4 graceful restart option - disable

graceful-restart capability to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

capability- Enable/disable advertise IPv6 graceful restart option - disable

graceful-restart6 capability to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

link-down-failover Enable/disable failover upon link down. option - disable

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

route-server-client Enable/disable IPv4 AS route server client. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.0.9 CLI Reference 738