0% found this document useful (0 votes)

15 views

FortiOS 7.2.1 CLI Reference

This document provides a summary of commands for configuring various firewall and security features in the FortiOS 7.2.1 CLI, organized by topic. It includes sections on commands for configurations like antivirus, application control, authentication, DLP, DNS filtering, email filtering, firewall policies and addresses, proxy policies, schedules, and more.

Uploaded by

menap42333

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

15 views

FortiOS 7.2.1 CLI Reference

Uploaded by

menap42333

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1852

CLI Reference

FortiOS 7.2.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

August 4, 2022
FortiOS 7.2.1 CLI Reference
01-721-791773-20220804
TABLE OF CONTENTS

Change Log 18
FortiOS CLI reference 19
Creation of the CLI reference 19
Availability of commands and options 19
Command tree 20
CLI configuration commands 21
alertemail 22
config alertemail setting 22
antivirus 29
config antivirus settings 29
config antivirus quarantine 30
config antivirus profile 35
application 66
config application name 66
config application custom 68
config application rule-settings 69
config application list 69
config application group 77
authentication 79
config authentication scheme 79
config authentication rule 81
config authentication setting 83
automation 87
config automation setting 87
certificate 88
config certificate ca 88
config certificate remote 89
config certificate local 90
config certificate crl 94
dlp 96
config dlp data-type 96
config dlp dictionary 97
config dlp sensor 98
config dlp filepattern 100
config dlp sensitivity 102
config dlp profile 103
dnsfilter 108
config dnsfilter domain-filter 108
config dnsfilter profile 109
emailfilter 114
config emailfilter bword 114
config emailfilter block-allow-list 116
config emailfilter mheader 118
config emailfilter dnsbl 119

FortiOS 7.2.1 CLI Reference 3

Fortinet Inc.
config emailfilter iptrust 120
config emailfilter profile 121
config emailfilter fortishield 128
config emailfilter options 129
endpoint-control 130
config endpoint-control fctems 130
extender 135
config extender sys-info 135
config extender staging-status 135
config extender extender-info 136
config extender session-info 136
config extender lanextension-vdom-status 136
config extender datachannel-info 136
config extender fexwan 137
config extender modem-status 137
config extender lte-carrier-list 137
config extender lte-carrier-by-mcc-mnc 137
extension-controller 139
config extension-controller dataplan 139
config extension-controller extender-profile 141
config extension-controller extender 153
config extension-controller fortigate-profile 156
config extension-controller fortigate 157
file-filter 159
config file-filter profile 159
firewall 162
config firewall address 164
config firewall multicast-address 169
config firewall address6-template 170
config firewall address6 172
config firewall multicast-address6 175
config firewall addrgrp 176
config firewall addrgrp6 178
config firewall wildcard-fqdn custom 179
config firewall wildcard-fqdn group 180
config firewall traffic-class 180
config firewall service category 181
config firewall service custom 181
config firewall service group 185
config firewall city 186
config firewall region 187
config firewall country 187
config firewall internet-service 188
config firewall internet-service-name 189
config firewall internet-service-group 190
config firewall internet-service-extension 191
config firewall internet-service-reputation 194
config firewall internet-service-custom 194
config firewall internet-service-addition 196

FortiOS 7.2.1 CLI Reference 4

Fortinet Inc.
config firewall internet-service-append 197
config firewall internet-service-custom-group 198
config firewall internet-service-sld 198
config firewall internet-service-ipbl-vendor 199
config firewall internet-service-ipbl-reason 199
config firewall internet-service-owner 200
config firewall internet-service-list 200
config firewall internet-service-definition 200
config firewall internet-service-botnet 201
config firewall network-service-dynamic 202
config firewall vendor-mac 202
config firewall vendor-mac-summary 203
config firewall shaper traffic-shaper 203
config firewall shaper per-ip-shaper 205
config firewall shaper traffic 207
config firewall shaper per-ip 207
config firewall proxy-address 207
config firewall proxy-addrgrp 211
config firewall schedule onetime 212
config firewall schedule recurring 213
config firewall schedule group 214
config firewall ippool 214
config firewall ippool6 217
config firewall ldb-monitor 218
config firewall vip 220
config firewall vip6 250
config firewall vipgrp 279
config firewall vipgrp6 280
config firewall ssh local-key 280
config firewall ssh local-ca 281
config firewall ssh setting 282
config firewall ssh host-key 283
config firewall decrypted-traffic-mirror 285
config firewall access-proxy-virtual-host 285
config firewall access-proxy-ssh-client-cert 286
config firewall access-proxy 288
config firewall access-proxy6 309
config firewall ipmacbinding setting 330
config firewall ipmacbinding table 331
config firewall profile-protocol-options 332
config firewall ssl-ssh-profile 356
config firewall profile-group 384
config firewall ssl-server 385
config firewall identity-based-route 388
config firewall auth-portal 389
config firewall security-policy 389
config firewall policy 398
config firewall shaping-policy 418
config firewall shaping-profile 423

FortiOS 7.2.1 CLI Reference 5

Fortinet Inc.
config firewall local-in-policy 425
config firewall local-in-policy6 427
config firewall ttl-policy 429
config firewall proxy-policy 430
config firewall dnstranslation 438
config firewall multicast-policy 438
config firewall multicast-policy6 440
config firewall interface-policy 442
config firewall interface-policy6 445
config firewall DoS-policy 448
config firewall DoS-policy6 450
config firewall sniffer 453
config firewall acl 458
config firewall acl6 459
config firewall central-snat-map 460
config firewall ssl setting 462
config firewall ip-translation 464
config firewall ipv6-eh-filter 465
config firewall global 466
config firewall iprope list 467
config firewall iprope appctrl list 467
config firewall iprope appctrl status 467
config firewall proute 468
config firewall proute6 468
ftp-proxy 469
config ftp-proxy explicit 469
hardware 471
config hardware status 471
config hardware cpu 471
config hardware memory 471
config hardware nic 471
icap 473
config icap server 473
config icap server-group 474
config icap profile 475
ips 482
config ips sensor 482
config ips view-map 487
config ips decoder 488
config ips rule 488
config ips rule-settings 490
config ips custom 491
config ips global 492
config ips settings 496
config ips session 497
ipsec 498
config ipsec tunnel 498
log 499

FortiOS 7.2.1 CLI Reference 6

Fortinet Inc.
config log threat-weight 500
config log custom-field 510
config log syslogd setting 511
config log syslogd override-setting 514
config log syslogd filter 518
config log syslogd override-filter 521
config log syslogd2 setting 524
config log syslogd2 override-setting 528
config log syslogd2 filter 531
config log syslogd2 override-filter 534
config log syslogd3 setting 537
config log syslogd3 override-setting 541
config log syslogd3 filter 544
config log syslogd3 override-filter 547
config log syslogd4 setting 550
config log syslogd4 override-setting 554
config log syslogd4 filter 557
config log syslogd4 override-filter 560
config log webtrends setting 563
config log webtrends filter 563
config log memory global-setting 566
config log memory setting 567
config log memory filter 568
config log disk setting 570
config log disk filter 576
config log eventfilter 578
config log fortiguard setting 581
config log fortiguard override-setting 584
config log fortiguard filter 586
config log fortiguard override-filter 588
config log tacacs+accounting setting 591
config log tacacs+accounting filter 592
config log tacacs+accounting2 setting 593
config log tacacs+accounting2 filter 593
config log tacacs+accounting3 setting 594
config log tacacs+accounting3 filter 595
config log null-device setting 596
config log null-device filter 596
config log setting 599
config log gui-display 603
config log fortianalyzer setting 604
config log fortianalyzer override-setting 608
config log fortianalyzer filter 612
config log fortianalyzer override-filter 615
config log fortianalyzer2 setting 618
config log fortianalyzer2 override-setting 622
config log fortianalyzer2 filter 626
config log fortianalyzer2 override-filter 629
config log fortianalyzer3 setting 632

FortiOS 7.2.1 CLI Reference 7

Fortinet Inc.
config log fortianalyzer3 override-setting 636
config log fortianalyzer3 filter 640
config log fortianalyzer3 override-filter 643
config log fortianalyzer-cloud setting 646
config log fortianalyzer-cloud override-setting 650
config log fortianalyzer-cloud filter 650
config log fortianalyzer-cloud override-filter 653
mgmt-data 657
config mgmt-data status 657
router 658
config router access-list 658
config router access-list6 659
config router aspath-list 660
config router prefix-list 661
config router prefix-list6 662
config router key-chain 663
config router community-list 664
config router route-map 665
config router rip 671
config router ripng 677
config router static 682
config router policy 684
config router policy6 687
config router static6 689
config router ospf 691
config router ospf6 707
config router bgp 721
config router isis 768
config router multicast-flow 781
config router multicast 782
config router multicast6 790
config router info 792
config router info6 792
config router auth-path 792
config router setting 793
config router bfd 793
config router bfd6 794
sctp-filter 797
config sctp-filter profile 797
ssh-filter 799
config ssh-filter profile 799
switch-controller 802
config switch-controller traffic-policy 803
config switch-controller fortilink-settings 804
config switch-controller switch-interface-tag 805
config switch-controller 802-1X-settings 806
config switch-controller security-policy 802-1X 807
config switch-controller security-policy local-access 809
config switch-controller location 810

FortiOS 7.2.1 CLI Reference 8

Fortinet Inc.
config switch-controller lldp-settings 814
config switch-controller lldp-profile 815
config switch-controller qos dot1p-map 819
config switch-controller qos ip-dscp-map 822
config switch-controller qos queue-policy 824
config switch-controller qos qos-policy 826
config switch-controller storm-control-policy 827
config switch-controller auto-config policy 828
config switch-controller auto-config default 829
config switch-controller auto-config custom 830
config switch-controller initial-config template 830
config switch-controller initial-config vlans 831
config switch-controller switch-profile 832
config switch-controller custom-command 833
config switch-controller virtual-port-pool 834
config switch-controller ptp settings 834
config switch-controller ptp policy 835
config switch-controller vlan-policy 835
config switch-controller dynamic-port-policy 836
config switch-controller managed-switch 838
config switch-controller switch-group 872
config switch-controller stp-settings 873
config switch-controller stp-instance 874
config switch-controller storm-control 874
config switch-controller global 875
config switch-controller system 879
config switch-controller switch-log 881
config switch-controller igmp-snooping 881
config switch-controller sflow 882
config switch-controller quarantine 882
config switch-controller network-monitor-settings 883
config switch-controller flow-tracking 884
config switch-controller snmp-sysinfo 887
config switch-controller snmp-trap-threshold 887
config switch-controller snmp-community 888
config switch-controller snmp-user 891
config switch-controller traffic-sniffer 892
config switch-controller remote-log 894
config switch-controller mac-policy 896
system 898
config system vdom 901
config system global 902
config system accprofile 949
config system npu 960
config system vdom-link 965
config system switch-interface 966
config system object-tagging 967
config system lte-modem 969
config system interface 970

FortiOS 7.2.1 CLI Reference 9

Fortinet Inc.
config system physical-switch 1018
config system virtual-switch 1019
config system stp 1021
config system password-policy 1022
config system password-policy-guest-admin 1024
config system sms-server 1026
config system custom-language 1026
config system admin 1027
config system api-user 1033
config system sso-admin 1035
config system sso-forticloud-admin 1035
config system settings 1036
config system sit-tunnel 1058
config system fsso-polling 1059
config system ha 1060
config system ha-monitor 1071
config system storage 1071
config system dedicated-mgmt 1073
config system arp-table 1073
config system ipv6-neighbor-cache 1074
config system dns 1074
config system ddns 1077
config system sflow 1080
config system vdom-sflow 1081
config system netflow 1082
config system vdom-netflow 1083
config system vdom-dns 1084
config system replacemsg-image 1086
config system replacemsg mail 1087
config system replacemsg http 1088
config system replacemsg webproxy 1088
config system replacemsg ftp 1089
config system replacemsg fortiguard-wf 1090
config system replacemsg spam 1091
config system replacemsg alertmail 1091
config system replacemsg admin 1092
config system replacemsg auth 1093
config system replacemsg sslvpn 1094
config system replacemsg nac-quar 1095
config system replacemsg traffic-quota 1095
config system replacemsg utm 1096
config system replacemsg icap 1097
config system replacemsg automation 1098
config system replacemsg-group 1099
config system snmp sysinfo 1110
config system snmp mib-view 1111
config system snmp community 1111
config system snmp user 1119
config system autoupdate schedule 1125

FortiOS 7.2.1 CLI Reference 10

Fortinet Inc.
config system autoupdate tunneling 1126
config system session-ttl 1127
config system dhcp server 1128
config system dhcp6 server 1141
config system modem 1144
config system 3g-modem custom 1151
config system status 1151
config system performance status 1152
config system performance top 1152
config system performance firewall packet-distribution 1152
config system performance firewall statistics 1152
config system session 1152
config system session6 1153
config system cmdb 1153
config system fortiguard-service 1153
config system fortianalyzer-connectivity 1153
config system checksum status 1153
config system mgmt-csum 1153
config system ha-nonsync-csum 1154
config system fortiguard-log-service 1154
config system central-mgmt 1154
config system alias 1154
config system auto-script 1154
config system info admin status 1155
config system info admin ssh 1156
config system management-tunnel 1156
config system central-management 1157
config system zone 1161
config system geoip-country 1162
config system sdn-connector 1163
config system ipv6-tunnel 1170
config system external-resource 1171
config system ips-urlfilter-dns 1172
config system ips-urlfilter-dns6 1173
config system network-visibility 1174
config system sdwan 1175
config system gre-tunnel 1196
config system ipsec-aggregate 1199
config system ipip-tunnel 1199
config system mobile-tunnel 1200
config system pppoe-interface 1202
config system vxlan 1204
config system geneve 1206
config system virtual-wire-pair 1207
config system dns-database 1207
config system dns-server 1210
config system resource-limits 1211
config system vdom-property 1213
config system speed-test-server 1215

FortiOS 7.2.1 CLI Reference 11

Fortinet Inc.
config system lldp network-policy 1216
config system speed-test-schedule 1223
config system standalone-cluster 1225
config system fortiguard 1228
config system ips 1237
config system arp 1238
config system email-server 1238
config system alarm 1240
config system mac-address-table 1243
config system session-helper 1244
config system proxy-arp 1245
config system fips-cc 1245
config system tos-based-priority 1246
config system dscp-based-priority 1247
config system probe-response 1248
config system link-monitor 1249
config system auto-install 1254
config system console 1255
config system ntp 1256
config system ptp 1259
config system wccp 1260
config system dns64 1264
config system vdom-radius-server 1265
config system startup-error-log 1265
config system source-ip status 1265
config system auto-update status 1265
config system auto-update versions 1266
config system session-info list 1266
config system session-info expectation 1266
config system session-info full-stat 1266
config system session-info statistics 1266
config system session-info ttl 1266
config system session-helper-info list 1267
config system ip-conflict status 1267
config system ftm-push 1267
config system geoip-override 1268
config system fortisandbox 1269
config system fortindr 1271
config system vdom-exception 1272
config system csf 1273
config system automation-trigger 1277
config system automation-action 1282
config system automation-destination 1287
config system automation-stitch 1287
config system nd-proxy 1289
config system saml 1289
config system federated-upgrade 1292
config system vne-tunnel 1295
config system ike 1297

FortiOS 7.2.1 CLI Reference 12

Fortinet Inc.
config system acme 1310
config system ipam 1311
test 1314
config test smtp 1315
config test pop3 1316
config test imap 1316
config test nntp 1316
config test harelay 1317
config test hasync 1317
config test hatalk 1317
config test sessionsync 1318
config test forticldd 1318
config test miglogd 1318
config test syslogd 1319
config test fgtlogd 1319
config test urlfilter 1319
config test wf_monitor 1320
config test ovrd 1320
config test iotd 1320
config test ipsmonitor 1321
config test ipsengine 1321
config test ipldbd 1321
config test ddnscd 1322
config test snmpd 1322
config test acd 1322
config test dnsproxy 1323
config test sflowd 1323
config test init 1323
config test l2tpcd 1324
config test dhcprelay 1324
config test pptpcd 1324
config test wccpd 1325
config test wad 1325
config test radiusd 1325
config test fsd 1326
config test ipsufd 1326
config test lted 1326
config test forticron 1327
config test uploadd 1327
config test quarantined 1327
config test dhcp6c 1328
config test dsd 1328
config test ipmc_sensord 1329
config test lnkmtd 1329
config test dhcp6r 1329
config test updated 1330
config test awsd 1330
config test netxd 1330
config test fnbamd 1331

FortiOS 7.2.1 CLI Reference 13

Fortinet Inc.
config test mrd 1331
config test zebos_launcher 1331
config test radius-das 1332
config test wiredapd 1332
config test csfd 1332
config test fsvrd 1333
config test radvd 1333
config test fcnacd 1333
config test sdncd 1334
config test azd 1334
config test gcpd 1334
config test ocid 1335
config test kubed 1335
config test autod 1335
config test bfd 1336
config test openstackd 1336
config test fas 1336
config test sepmd 1337
config test ipamd 1337
config test sdnd 1337
config test acsd 1338
config test ibmd 1338
config test vned 1338
config test sfupgraded 1339
config test fds_notify 1339
config test ipamsd 1339
config test eap_supp 1340
user 1341
config user certificate 1341
config user radius 1342
config user tacacs+ 1354
config user exchange 1356
config user ldap 1358
config user krb-keytab 1365
config user domain-controller 1365
config user pop3 1368
config user saml 1369
config user fsso 1373
config user adgrp 1377
config user fsso-polling 1377
config user fortitoken 1379
config user password-policy 1380
config user local 1381
config user setting 1384
config user peer 1388
config user peergrp 1390
config user quarantine 1390
config user group 1392
config user security-exempt-list 1396

FortiOS 7.2.1 CLI Reference 14

Fortinet Inc.
config user nac-policy 1397
videofilter 1400
config videofilter youtube-key 1400
config videofilter youtube-channel-filter 1400
config videofilter profile 1402
voip 1404
config voip profile 1404
vpn 1429
config vpn certificate ca 1430
config vpn certificate remote 1431
config vpn certificate local 1432
config vpn certificate crl 1435
config vpn certificate ocsp-server 1437
config vpn certificate setting 1437
config vpn ssl web realm 1443
config vpn ssl web host-check-software 1444
config vpn ssl web portal 1445
config vpn ssl web user-group-bookmark 1463
config vpn ssl web user-bookmark 1469
config vpn ssl settings 1475
config vpn ssl client 1488
config vpn ssl monitor 1490
config vpn ipsec phase1 1490
config vpn ipsec phase2 1510
config vpn ipsec manualkey 1519
config vpn ipsec concentrator 1520
config vpn ipsec fec 1521
config vpn ipsec phase1-interface 1522
config vpn ipsec phase2-interface 1547
config vpn ipsec manualkey-interface 1556
config vpn ipsec forticlient 1558
config vpn ipsec stats crypto 1559
config vpn ipsec stats tunnel 1559
config vpn ipsec tunnel details 1559
config vpn ipsec tunnel summary 1559
config vpn ipsec tunnel name 1560
config vpn pptp 1560
config vpn l2tp 1561
config vpn ocvpn 1562
config vpn ike gateway 1566
config vpn status l2tp 1566
config vpn status pptp 1566
config vpn status ssl list 1567
waf 1568
config waf main-class 1568
config waf sub-class 1568
config waf signature 1569
config waf profile 1569
web-proxy 1594

FortiOS 7.2.1 CLI Reference 15

Fortinet Inc.
config web-proxy profile 1594
config web-proxy global 1598
config web-proxy explicit 1601
config web-proxy forward-server 1606
config web-proxy forward-server-group 1607
config web-proxy debug-url 1608
config web-proxy wisp 1609
config web-proxy url-match 1610
webfilter 1612
config webfilter ftgd-local-cat 1612
config webfilter content 1613
config webfilter content-header 1614
config webfilter urlfilter 1615
config webfilter ips-urlfilter-setting 1618
config webfilter ips-urlfilter-setting6 1619
config webfilter ips-urlfilter-cache-setting 1619
config webfilter profile 1620
config webfilter fortiguard 1636
config webfilter categories 1638
config webfilter override 1638
config webfilter ftgd-local-rating 1640
config webfilter search-engine 1640
config webfilter ftgd-statistics 1641
config webfilter status 1642
config webfilter override-usr 1642
wireless-controller 1643
config wireless-controller inter-controller 1644
config wireless-controller global 1646
config wireless-controller hotspot20 anqp-venue-name 1649
config wireless-controller hotspot20 anqp-venue-url 1650
config wireless-controller hotspot20 anqp-network-auth-type 1650
config wireless-controller hotspot20 anqp-roaming-consortium 1651
config wireless-controller hotspot20 anqp-nai-realm 1651
config wireless-controller hotspot20 anqp-3gpp-cellular 1654
config wireless-controller hotspot20 anqp-ip-address-type 1655
config wireless-controller hotspot20 h2qp-operator-name 1656
config wireless-controller hotspot20 h2qp-wan-metric 1657
config wireless-controller hotspot20 h2qp-conn-capability 1658
config wireless-controller hotspot20 icon 1661
config wireless-controller hotspot20 h2qp-osu-provider 1662
config wireless-controller hotspot20 qos-map 1663
config wireless-controller hotspot20 h2qp-advice-of-charge 1664
config wireless-controller hotspot20 h2qp-osu-provider-nai 1665
config wireless-controller hotspot20 h2qp-terms-and-conditions 1666
config wireless-controller hotspot20 hs-profile 1666
config wireless-controller vap 1674
config wireless-controller timers 1703
config wireless-controller setting 1705
config wireless-controller log 1714

FortiOS 7.2.1 CLI Reference 16

Fortinet Inc.
config wireless-controller apcfg-profile 1719
config wireless-controller bonjour-profile 1721
config wireless-controller arrp-profile 1722
config wireless-controller region 1725
config wireless-controller vap-group 1726
config wireless-controller wids-profile 1726
config wireless-controller ble-profile 1734
config wireless-controller syslog-profile 1735
config wireless-controller wtp-profile 1737
config wireless-controller wtp 1809
config wireless-controller wtp-group 1831
config wireless-controller qos-profile 1834
config wireless-controller wag-profile 1838
config wireless-controller utm-profile 1839
config wireless-controller snmp 1840
config wireless-controller mpsk-profile 1844
config wireless-controller nac-profile 1845
config wireless-controller ssid-policy 1846
config wireless-controller access-control-list 1846
config wireless-controller scan 1848
config wireless-controller ap-status 1849
config wireless-controller wlchanlistlic 1849
config wireless-controller status 1849
config wireless-controller wtp-status 1850
config wireless-controller client-info 1850
config wireless-controller vap-status 1850
config wireless-controller rf-analysis 1851
config wireless-controller spectral-info 1851

FortiOS 7.2.1 CLI Reference 17

Fortinet Inc.
Change Log

Date Change Description

2022-08-04 First automated release of the FortiOS 7.2.1 CLI Reference.

FortiOS 7.2.1 CLI Reference 18

Fortinet Inc.
FortiOS CLI reference

This document describes FortiOS 7.2.1 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI). For information on using the CLI, see the FortiOS 7.2.1 Administration Guide, which
contains information such as:
l Connecting to the CLI
l CLI basics
l Command syntax
l Subcommands
l Permissions

Creation of the CLI reference

The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.2.1 and reformatting the
resultant CLI output. The following reference models were used to create this CLI reference:
l FGT_140E_POE: a POE model with 40 x GE RJ45 (including 24 x RJ45 GE POE/POE+ ports, 14 x switch ports, 1 x
MGMT port, 1x HA port, 2 x WAN ports), 2 x GE SFP DMZ slots.
l FWF_61F: a WiFi/desktop model with 10x GE RJ45 ports (including 7x Internal Ports, 2x WAN Ports, 1x DMZ Port),
Wireless (802.11 a/b/g/n/ac-W2), 128GB SSD onboard storage.
l FGT_601E: a mid-range model with 2x 240GB SSD storage, NP6 and CP9 acceleration, 2x 10GE SFP+ slots, 8x
GE SFP slots and 10x GE RJ45 ports.
l FGT_2201E: a high-end model with 2x 1TB SSD storage, NP6 and CP9 acceleration, dual AC power supplies, 4x
40GE QSFP+ slots, 20x 10GE SFP+ slots and 14x GE RJ45 ports.
l FGT_VM64: a Virtual Machine model running on VMware ESXi.
If you have comments on this content, its format, or requests for commands that are not included, contact us at
[email protected].

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if
you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands
and options that are available.
Commands and options may not be available for the following reasons:

FortiGate model

All commands are not available on all FortiGate models. For example, a hardware switch can be configured only on
models which have the corresponding hardware switch chipset.

FortiOS 7.2.1 CLI Reference 19

Fortinet Inc.
FortiOS CLI reference

Hardware configuration

For example, settings like mediatype would only be available on units with SFPs.

FortiOS Carrier, FortiGate 5K/6K/7K, FortiGate with LTE, etc.

Commands for extended functionality are not available on all FortiGate models. The CLI Reference may not include all
commands.

Command tree

Enter tree to display the entire FortiOS CLI command tree. To capture the full output, connect to your device using a
terminal emulation program, such as PuTTY, and capture the output to a log file.
l To view all available commands, enter tree.
l To view a specific configuration branch of a tree, enter tree <branch>, for example: tree system.
l To view all available diagnose commands, enter tree diagnose.
l To view all available execute commands, enter tree execute.

FortiOS 7.2.1 CLI Reference 20

Fortinet Inc.
CLI configuration commands

Use configuration commands to configure and manage a FortiGate unit from the command line interface (CLI).
The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.2.1 and reformatting the
resultant CLI output. The following reference models were used to create this CLI reference:
l FGT_140E_POE: a POE model with 40 x GE RJ45 (including 24 x RJ45 GE POE/POE+ ports, 14 x switch ports, 1 x
MGMT port, 1x HA port, 2 x WAN ports), 2 x GE SFP DMZ slots.
l FWF_61F: a WiFi/desktop model with 10x GE RJ45 ports (including 7x Internal Ports, 2x WAN Ports, 1x DMZ Port),
Wireless (802.11 a/b/g/n/ac-W2), 128GB SSD onboard storage.
l FGT_601E: a mid-range model with 2x 240GB SSD storage, NP6 and CP9 acceleration, 2x 10GE SFP+ slots, 8x
GE SFP slots and 10x GE RJ45 ports.
l FGT_2201E: a high-end model with 2x 1TB SSD storage, NP6 and CP9 acceleration, dual AC power supplies, 4x
40GE QSFP+ slots, 20x 10GE SFP+ slots and 14x GE RJ45 ports.
l FGT_VM64: a Virtual Machine model running on VMware ESXi.

The command branches are in alphabetical order. The commands beneath each branch are
not in alphabetical order.

If you have comments on this content, its format, or requests for commands that are not included, contact us at
[email protected].

FortiOS 7.2.1 CLI Reference 21

Fortinet Inc.
alertemail

This section includes syntax for the following commands:

l config alertemail setting on page 22

config alertemail setting

Configure alert email settings.

config alertemail setting
Description: Configure alert email settings.
set username {string}
set mailto1 {string}
set mailto2 {string}
set mailto3 {string}
set filter-mode [category|threshold]
set email-interval {integer}
set IPS-logs [enable|disable]
set firewall-authentication-failure-logs [enable|disable]
set HA-logs [enable|disable]
set IPsec-errors-logs [enable|disable]
set FDS-update-logs [enable|disable]
set PPP-errors-logs [enable|disable]
set sslvpn-authentication-errors-logs [enable|disable]
set antivirus-logs [enable|disable]
set webfilter-logs [enable|disable]
set configuration-changes-logs [enable|disable]
set violation-traffic-logs [enable|disable]
set admin-login-logs [enable|disable]
set FDS-license-expiring-warning [enable|disable]
set log-disk-usage-warning [enable|disable]
set fortiguard-log-quota-warning [enable|disable]
set amc-interface-bypass-mode [enable|disable]
set FIPS-CC-errors [enable|disable]
set FSSO-disconnect-logs [enable|disable]
set ssh-logs [enable|disable]
set FDS-license-expiring-days {integer}
set local-disk-usage {integer}
set emergency-interval {integer}
set alert-interval {integer}
set critical-interval {integer}
set error-interval {integer}
set warning-interval {integer}
set notification-interval {integer}
set information-interval {integer}
set debug-interval {integer}
set severity [emergency|alert|...]
end

FortiOS 7.2.1 CLI Reference 22

Fortinet Inc.
config alertemail setting

Parameter Description Type Size Default

username Name that appears in the From: field of alert emails string Not
(max. 63 characters). Specified

mailto1 Email address to send alert email to (usually a string Not

system administrator) (max. 63 characters). Specified

mailto2 Optional second email address to send alert email to string Not
(max. 63 characters). Specified

mailto3 Optional third email address to send alert email to string Not
(max. 63 characters). Specified

filter-mode How to filter log messages that are sent to alert option - category
emails.

Option Description

category Filter based on category.

threshold Filter based on severity.

email-interval Interval between sending alert emails . integer Minimum 5

value: 1
Maximum
value:
99999

IPS-logs Enable/disable IPS logs in alert email. option - disable

Option Description

enable Enable IPS logs in alert email.

disable Disable IPS logs in alert email.

firewall- Enable/disable firewall authentication failure logs in option - disable

authentication- alert email.
failure-logs

Option Description

enable Enable firewall authentication failure logs in alert email.

disable Disable firewall authentication failure logs in alert email.

HA-logs Enable/disable HA logs in alert email. option - disable

Option Description

enable Enable HA logs in alert email.

disable Disable HA logs in alert email.

FortiOS 7.2.1 CLI Reference 23

Fortinet Inc.
Parameter Description Type Size Default

IPsec-errors-logs Enable/disable IPsec error logs in alert email. option - disable

Option Description

enable Enable IPsec error logs in alert email.

disable Disable IPsec error logs in alert email.

FDS-update-logs Enable/disable FortiGuard update logs in alert email. option - disable

Option Description

enable Enable FortiGuard update logs in alert email.

disable Disable FortiGuard update logs in alert email.

PPP-errors-logs Enable/disable PPP error logs in alert email. option - disable

Option Description

enable Enable PPP error logs in alert email.

disable Disable PPP error logs in alert email.

sslvpn- Enable/disable SSL-VPN authentication error logs in option - disable

authentication- alert email.
errors-logs

Option Description

enable Enable SSL-VPN authentication error logs in alert email.

disable Disable SSL-VPN authentication error logs in alert email.

antivirus-logs Enable/disable antivirus logs in alert email. option - disable

Option Description

enable Enable antivirus logs in alert email.

disable Disable antivirus logs in alert email.

webfilter-logs Enable/disable web filter logs in alert email. option - disable

Option Description

enable Enable web filter logs in alert email.

disable Disable web filter logs in alert email.

enable Enable FortiCloud log quota warnings in alert email.

disable Disable FortiCloud log quota warnings in alert email.

amc-interface- Enable/disable Fortinet Advanced Mezzanine Card option - disable

bypass-mode (AMC) interface bypass mode logs in alert email.

FortiOS 7.2.1 CLI Reference 25

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode
logs in alert email.

disable Disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode
logs in alert email.

FIPS-CC-errors Enable/disable FIPS and Common Criteria error logs option - disable
in alert email.

Option Description

enable Enable FIPS and Common Criteria error logs in alert email.

disable Disable FIPS and Common Criteria error logs in alert email.

FSSO- Enable/disable logging of FSSO collector agent option - disable

disconnect-logs disconnect.

Option Description

enable Enable logging of FSSO collector agent disconnect.

disable Disable logging of FSSO collector agent disconnect.

ssh-logs Enable/disable SSH logs in alert email. option - disable

Option Description

enable Enable SSH logs in alert email.

disable Disable SSH logs in alert email.

FDS-license- Number of days to send alert email prior to integer Minimum 15

debug-interval Debug alert interval in minutes. integer Minimum 60

value: 1
Maximum
value:
99999

severity Lowest severity level to log. option - alert

Option Description

emergency Emergency level.

alert Alert level.

FortiOS 7.2.1 CLI Reference 27

Fortinet Inc.
Parameter Description Type Size Default

Option Description

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

FortiOS 7.2.1 CLI Reference 28

Fortinet Inc.
antivirus

This section includes syntax for the following commands:

l config antivirus profile on page 35
l config antivirus quarantine on page 30
l config antivirus settings on page 29

config antivirus settings

Configure AntiVirus settings.

config antivirus settings
Description: Configure AntiVirus settings.
set machine-learning-detection [enable|monitor|...]
set use-extreme-db [enable|disable]
set grayware [enable|disable]
set override-timeout {integer}
set cache-infected-result [enable|disable]
end

config antivirus settings

Parameter Description Type Size Default

machine- Use machine learning based malware detection. option - enable

learning-
detection

Option Description

enable Enable machine learning based malware detection.

monitor Enable machine learning based malware detection for monitoring only.

disable Disable machine learning based malware detection.

use-extreme- Enable/disable the use of Extreme AVDB. option - disable

Option Description

enable Enable extreme AVDB.

disable Disable extreme AVDB.

grayware Enable/disable grayware detection when an AntiVirus option - disable

profile is applied to traffic.

FortiOS 7.2.1 CLI Reference 29

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable grayware detection.

disable Disable grayware detection.

override- Override the large file scan timeout value in seconds . integer Minimum 0
timeout Zero is the default value and is used to disable this value: 30
command. When disabled, the daemon adjusts the Maximum
large file scan timeout based on the file size. value: 3600

cache- Enable/disable cache of infected scan results . option - enable

infected-result

Option Description

enable Enable cache of infected scan results.

disable Disable cache of infected scan results.

config antivirus quarantine

Configure quarantine options.

config antivirus quarantine
Description: Configure quarantine options.
set agelimit {integer}
set maxfilesize {integer}
set quarantine-quota {integer}
set drop-infected {option1}, {option2}, ...
set store-infected {option1}, {option2}, ...
set drop-blocked {option1}, {option2}, ...
set store-blocked {option1}, {option2}, ...
set drop-machine-learning {option1}, {option2}, ...
set store-machine-learning {option1}, {option2}, ...
set lowspace [drop-new|ovrw-old]
set destination [NULL|disk|...]
end

config antivirus quarantine

Parameter Description Type Size Default

agelimit Age limit for quarantined files . integer Minimum 0

value: 0
Maximum
value: 479

FortiOS 7.2.1 CLI Reference 30

Fortinet Inc.
Parameter Description Type Size Default

maxfilesize Maximum file size to quarantine . integer Minimum 0

value: 0
Maximum
value: 500

quarantine- The amount of disk space to reserve for quarantining integer Minimum 0
quota files . value: 0
Maximum
value:
4294967295

drop-infected Do not quarantine infected files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

store-infected Quarantine infected files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh

FortiOS 7.2.1 CLI Reference 31

Fortinet Inc.
Parameter Description Type Size Default

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

drop-blocked Do not quarantine dropped files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

ftps FTPS.

mapi MAPI.

FortiOS 7.2.1 CLI Reference 32

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cifs CIFS.

ssh SSH.

store-blocked Quarantine blocked files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s ftps
mapi cifs
ssh

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

drop- Do not quarantine files detected by machine learning option -

machine- found in sessions using the selected protocols.
learning Dropped files are deleted instead of being
quarantined.

Option Description

imap IMAP.

smtp SMTP.

FortiOS 7.2.1 CLI Reference 33

Fortinet Inc.
Parameter Description Type Size Default

Option Description

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

store- Quarantine files detected by machine learning found in option - imap smtp
machine- sessions using the selected protocols. pop3 http
learning ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh

Option Description

imap IMAP.

smtp SMTP.

pop3 POP3.

http HTTP.

ftp FTP.

nntp NNTP.

imaps IMAPS.

smtps SMTPS.

pop3s POP3S.

FortiOS 7.2.1 CLI Reference 34

Fortinet Inc.
Parameter Description Type Size Default

Option Description

https HTTPS.

ftps FTPS.

mapi MAPI.

cifs CIFS.

ssh SSH.

lowspace Select the method for handling additional files when option - ovrw-old
running low on disk space.

Option Description

drop-new Drop (delete) the most recently quarantined files.

ovrw-old Overwrite the oldest quarantined files. That is, the files that are closest to
being deleted from the quarantine.

destination Choose whether to quarantine files to the FortiGate option - NULL **

disk or to FortiAnalyzer or to delete them instead of
quarantining them.

Option Description

NULL Files that would be quarantined are deleted.

disk Quarantine files to the FortiGate hard disk.

FortiAnalyzer FortiAnalyzer

** Values may differ between models.

config antivirus profile

Configure AntiVirus profiles.

config antivirus profile
Description: Configure AntiVirus profiles.
edit <name>
set comment {var-string}
set replacemsg-group {string}
set feature-set [flow|proxy]
set fortisandbox-mode [inline|analytics-suspicious|...]
set fortisandbox-max-upload {integer}
set analytics-ignore-filetype {integer}
set analytics-accept-filetype {integer}
set analytics-db [disable|enable]
set mobile-malware-db [disable|enable]
config http
Description: Configure HTTP AntiVirus options.

FortiOS 7.2.1 CLI Reference 35

Fortinet Inc.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set unknown-content-encoding [block|inspect|...]
set content-disarm [disable|enable]
end
config ftp
Description: Configure FTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
config imap
Description: Configure IMAP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
config pop3
Description: Configure POP3 AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
config smtp
Description: Configure SMTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]

FortiOS 7.2.1 CLI Reference 36

Fortinet Inc.
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
set content-disarm [disable|enable]
end
config mapi
Description: Configure MAPI AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
set executables [default|virus]
end
config nntp
Description: Configure NNTP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
config cifs
Description: Configure CIFS AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
config ssh
Description: Configure SFTP and SCP AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set fortisandbox [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]

FortiOS 7.2.1 CLI Reference 37

Fortinet Inc.
end
config nac-quar
Description: Configure AntiVirus quarantine settings.
set infected [none|quar-src-ip]
set expiry {user}
set log [enable|disable]
end
config content-disarm
Description: AV Content Disarm and Reconstruction settings.
set original-file-destination [fortisandbox|quarantine|...]
set error-action [block|log-only|...]
set office-macro [disable|enable]
set office-hylink [disable|enable]
set office-linked [disable|enable]
set office-embed [disable|enable]
set office-dde [disable|enable]
set office-action [disable|enable]
set pdf-javacode [disable|enable]
set pdf-embedfile [disable|enable]
set pdf-hyperlink [disable|enable]
set pdf-act-gotor [disable|enable]
set pdf-act-launch [disable|enable]
set pdf-act-sound [disable|enable]
set pdf-act-movie [disable|enable]
set pdf-act-java [disable|enable]
set pdf-act-form [disable|enable]
set cover-page [disable|enable]
set detect-only [disable|enable]
end
set outbreak-prevention-archive-scan [disable|enable]
set external-blocklist-enable-all [disable|enable]
set external-blocklist <name1>, <name2>, ...
set ems-threat-feed [disable|enable]
set fortindr-error-action [log-only|block|...]
set fortindr-timeout-action [log-only|block|...]
set fortisandbox-error-action [log-only|block|...]
set fortisandbox-timeout-action [log-only|block|...]
set av-virus-log [enable|disable]
set av-block-log [enable|disable]
set extended-log [enable|disable]
set scan-mode [default|legacy]
next
end

config antivirus profile

Parameter Description Type Size Default

comment Comment. var-string Not Specified

replacemsg- Replacement message group customized for this string Not Specified
group profile.

feature-set Flow/proxy feature set. option - flow

FortiOS 7.2.1 CLI Reference 38

Fortinet Inc.
Parameter Description Type Size Default

Option Description

flow Flow feature set.

proxy Proxy feature set.

fortisandbox- FortiSandbox scan modes. option - analytics-

mode everything

Option Description

inline FortiSandbox inline scan.

analytics- FortiSandbox post-transfer scan: submit supported files if heuristics or other

suspicious methods determine they are suspicious.

analytics- FortiSandbox post-transfer scan: submit supported files and known infected
everything files.

fortisandbox- Maximum size of files that can be uploaded to integer Minimum 10

max-upload FortiSandbox. value: 1
Maximum
value: 383 **

analytics- Do not submit files matching this DLP file-pattern to integer Minimum 0
ignore-filetype FortiSandbox (post-transfer scan only). value: 0
Maximum
value:
4294967295

analytics- Only submit files matching this DLP file-pattern to integer Minimum 0
accept-filetype FortiSandbox (post-transfer scan only). value: 0
Maximum
value:
4294967295

analytics-db Enable/disable using the FortiSandbox signature option - disable

database to supplement the AV signature
databases.

Option Description

disable Use only the standard AV signature databases.

enable Also use the FortiSandbox signature database.

disable Use configured external blocklists.

enable Enable all external blocklists.

external- One or more external malware block lists. string Maximum

blocklist External blocklist. length: 79
<name>

ems-threat- Enable/disable use of EMS threat feed when option - disable

feed performing AntiVirus scan. Analyzes files including
the content of archives.

Option Description

disable Disable use of EMS threat feed when performing AntiVirus scan.

enable Enable use of EMS threat feed when performing AntiVirus scan.

fortindr-error- Action to take if FortiNDR encounters an error. option - log-only

action

Option Description

log-only Log FortiNDR error, but allow the file.

block Block the file on FortiNDR error.

ignore Do nothing on FortiNDR error.

fortindr- Action to take if FortiNDR encounters a scan option - log-only

timeout-action timeout.

FortiOS 7.2.1 CLI Reference 41

Fortinet Inc.
Parameter Description Type Size Default

scan-mode Configure scan mode . option - default

Option Description

default On the fly decompression and scanning of certain archive files.

legacy Scan archive files only after the entire file is received.

** Values may differ between models.

config http

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

FortiOS 7.2.1 CLI Reference 43

Fortinet Inc.
Parameter Description Type Size Default

Option Description

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

unknown- Configure the action the FortiGate unit will take on option - block
content- unknown content-encoding.
encoding

Option Description

block Block HTTP session when unknown content-encoding is detected.

inspect Inspect HTTP traffic as plain-text with AV scan when unknown content-
encoding is detected.

bypass Bypass AV scan when unknown content-encoding is detected.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config ftp

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

FortiOS 7.2.1 CLI Reference 44

Fortinet Inc.
Parameter Description Type Size Default

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

block Block the FortiSandbox detected infections.

monitor Log the FortiSandbox detected infections.

quarantine Enable/disable quarantine for infected files. option - disable

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

FortiOS 7.2.1 CLI Reference 45

Fortinet Inc.
Parameter Description Type Size Default

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config imap

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

FortiOS 7.2.1 CLI Reference 46

Fortinet Inc.
Parameter Description Type Size Default

Option Description

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

block Block the FortiSandbox detected infections.

monitor Log the FortiSandbox detected infections.

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config pop3

fortindr Enable scanning of files by FortiNDR. option - disable

Option Description

disable Disable.

block Block the FortiNDR detected infections.

monitor Log the FortiNDR detected infections.

FortiOS 7.2.1 CLI Reference 49

Fortinet Inc.
Parameter Description Type Size Default

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

FortiOS 7.2.1 CLI Reference 50

Fortinet Inc.
Parameter Description Type Size Default

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

Option Description

disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.

enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.

config smtp

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

Option Description

disable Disable.

block Block the virus infected files.

monitor Log the virus infected files.

outbreak- Enable virus outbreak prevention service. option - disable

prevention

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.

FortiOS 7.2.1 CLI Reference 51

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable.

block Block the matched files.

monitor Log the matched files.

fortindr Enable scanning of files by FortiNDR. option - disable

Option Description

disable Disable.

block Block the FortiNDR detected infections.

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

FortiOS 7.2.1 CLI Reference 52

Fortinet Inc.
Parameter Description Type Size Default

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.

block Block the FortiSandbox detected infections.

monitor Log the FortiSandbox detected infections.

quarantine Enable/disable quarantine for infected files. option - disable

FortiOS 7.2.1 CLI Reference 54

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.

FortiOS 7.2.1 CLI Reference 55

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Perform standard AntiVirus scanning of Windows executable files.

virus Treat Windows executables as viruses.

config nntp

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

FortiOS 7.2.1 CLI Reference 57

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config cifs

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

FortiOS 7.2.1 CLI Reference 59

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config ssh

Parameter Description Type Size Default

av-scan Enable AntiVirus scan service. option - disable

disable Disable quarantine for infected files.

enable Enable quarantine for infected files.

archive-block Select the archive types to block. option -

Option Description

encrypted Block encrypted archives.

corrupted Block corrupted archives.

partiallycorrupted Block partially corrupted archives.

multipart Block multipart archives.

nested Block nested archives that exceed uncompressed nest limit.

mailbomb Block mail bomb archives.

timeout Block scan timeout.

unhandled Block archives that FortiOS cannot open.

archive-log Select the archive types to log. option -

Option Description

encrypted Log encrypted archives.

corrupted Log corrupted archives.

partiallycorrupted Log partially corrupted archives.

multipart Log multipart archives.

nested Log nested archives that exceed uncompressed nest limit.

mailbomb Log mail bomb archives.

timeout Log scan timeout.

unhandled Log archives that FortiOS cannot open.

emulator Enable/disable the virus emulator. option - enable

FortiOS 7.2.1 CLI Reference 61

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable the virus emulator.

disable Disable the virus emulator.

config nac-quar

Parameter Description Type Size Default

infected Enable/Disable quarantining infected hosts to the option - none

banned user list.

Option Description

none Do not quarantine infected hosts.

quar-src-ip Quarantine all traffic from the infected hosts source IP.

expiry Duration of quarantine. user Not 5m

Specified

log Enable/disable AntiVirus quarantine logging. option - disable

Option Description

enable Enable AntiVirus quarantine logging.

disable Disable AntiVirus quarantine logging.

config content-disarm

Parameter Description Type Size Default

original-file- Destination to send original file if active content is option - discard

destination removed.

Option Description

fortisandbox Send original file to configured FortiSandbox.

quarantine Send original file to quarantine.

discard Original file will be discarded after content disarm.

error-action Action to be taken if CDR engine encounters an option - log-only

unrecoverable error.

FortiOS 7.2.1 CLI Reference 62

Fortinet Inc.
Parameter Description Type Size Default

Fortinet Inc.
Parameter Description Type Size Default

office-action Enable/disable stripping of PowerPoint action events in option - enable

enable Enable this Content Disarm and Reconstruction feature.

cover-page Enable/disable inserting a cover page into the disarmed option - enable
document.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

detect-only Enable/disable only detect disarmable files, do not alter option - disable
content.

Option Description

disable Disable this Content Disarm and Reconstruction feature.

enable Enable this Content Disarm and Reconstruction feature.

FortiOS 7.2.1 CLI Reference 65

Fortinet Inc.
application

This section includes syntax for the following commands:

l config application list on page 69
l config application custom on page 68
l config application name on page 66
l config application group on page 77
l config application rule-settings on page 69

config application name

Configure application signatures.

config application name
Description: Configure application signatures.
edit <name>
set id {integer}
set category {integer}
set popularity {integer}
set risk {integer}
set weight {integer}
set protocol {user}
set technology {user}
set behavior {user}
set vendor {user}
config parameters
Description: Application parameters.
edit <name>
set default value {string}
next
end
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
next
end

FortiOS 7.2.1 CLI Reference 66

Fortinet Inc.
config application name

Parameter Description Type Size Default

behavior Application behavior. user Not Specified

vendor Application vendor. user Not Specified

config parameters

Parameter Description Type Size Default

default value Parameter default value. string Not

Specified

FortiOS 7.2.1 CLI Reference 67

Fortinet Inc.
config metadata

Parameter Description Type Size Default

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config application custom

Configure custom application signatures.

config application custom
Description: Configure custom application signatures.
edit <tag>
set id {integer}
set comment {string}
set signature {var-string}
set category {integer}
set protocol {user}
set technology {user}
set behavior {user}
set vendor {user}
next
end

config application custom

Parameter Description Type Size Default

id Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295

comment Comment. string Not Specified

signature The text that makes up the actual custom application var-string Not Specified
signature.

FortiOS 7.2.1 CLI Reference 68

Fortinet Inc.
Parameter Description Type Size Default

category Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295

protocol Custom application signature protocol. user Not Specified

technology Custom application signature technology. user Not Specified

behavior Custom application signature behavior. user Not Specified

vendor Custom application signature vendor. user Not Specified

config application rule-settings

Configure application rule settings.

config application rule-settings
Description: Configure application rule settings.
edit <id>
next
end

config application list

Configure application control lists.

config application list
Description: Configure application control lists.
edit <name>
set comment {var-string}
set replacemsg-group {string}
set extended-log [enable|disable]
set other-application-action [pass|block]
set app-replacemsg [disable|enable]
set other-application-log [disable|enable]
set enforce-default-app-port [disable|enable]
set force-inclusion-ssl-di-sigs [disable|enable]
set unknown-application-action [pass|block]
set unknown-application-log [disable|enable]
set p2p-block-list {option1}, {option2}, ...
set deep-app-inspection [disable|enable]
set options {option1}, {option2}, ...
config entries
Description: Application list entries.
edit <id>
set risk <level1>, <level2>, ...
set category <id1>, <id2>, ...
set application <id1>, <id2>, ...
set protocols {user}
set vendor {user}
set technology {user}

FortiOS 7.2.1 CLI Reference 69

Fortinet Inc.
set behavior {user}
set popularity {option1}, {option2}, ...
set exclusion <id1>, <id2>, ...
config parameters
Description: Application parameters.
edit <id>
config members
Description: Parameter tuple members.
edit <id>
set name {string}
set value {string}
next
end
next
end
set action [pass|block|...]
set log [disable|enable]
set log-packet [disable|enable]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
set session-ttl {integer}
set shaper {string}
set shaper-reverse {string}
set per-ip-shaper {string}
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
next
end
set control-default-network-services [disable|enable]
config default-network-services
Description: Default network service entries.
edit <id>
set port {integer}
set services {option1}, {option2}, ...
set violation-action [pass|monitor|...]
next
end
next
end

config application list

Parameter Description Type Size Default

comment Comments. var-string Not

Specified

replacemsg- Replacement message group. string Not

disable Disable default application port enforcement.

enable Enable default application port enforcement.

edonkey Edonkey.

bittorrent Bit torrent.

deep-app- Enable/disable deep application inspection. option - enable

control- Enable/disable enforcement of protocols over selected option - disable

default- ports.
network-
services

Option Description

disable Disable protocol enforcement over selected ports.

enable Enable protocol enforcement over selected ports.

config entries

Parameter Description Type Size Default

risk <level> Risk, or impact, of allowing traffic from this integer Minimum
application to occur (1 - 5; Low, Elevated, Medium, value: 0
High, and Critical). Maximum
Risk, or impact, of allowing traffic from this value:
application to occur (1 - 5; Low, Elevated, Medium, 4294967295
High, and Critical).

category Category ID list. integer Minimum

<id> Application category ID. value: 0
Maximum
value:
4294967295

application ID of allowed applications. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

protocols Application protocol filter. user Not Specified all

vendor Application vendor filter. user Not Specified all

technology Application technology filter. user Not Specified all

behavior Application behavior filter. user Not Specified all

FortiOS 7.2.1 CLI Reference 73

Fortinet Inc.
Parameter Description Type Size Default

popularity Application popularity filter . option - 12345

Option Description

1 Popularity level 1.

2 Popularity level 2.

3 Popularity level 3.

4 Popularity level 4.

5 Popularity level 5.

exclusion ID of excluded applications. integer Minimum

<id> Excluded application IDs. value: 0
Maximum
value:
4294967295

action Pass or block traffic, or reset connection for traffic option - block
from this application.

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

reset Reset sessions for matching traffic.

log Enable/disable logging for this application list. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535

FortiOS 7.2.1 CLI Reference 74

Fortinet Inc.
Parameter Description Type Size Default

rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535

rate-mode Rate limit mode. option - continuous

Option Description

periodical Allow configured number of packets every rate-duration.

continuous Block packets once the rate is reached.

rate-track Track the packet protocol field. option - none

Option Description

none none

src-ip Source IP.

dest-ip Destination IP.

dhcp-client-mac DHCP client.

dns-domain DNS domain.

session-ttl Session TTL . integer Minimum 0

value: 0
Maximum
value:
4294967295

shaper Traffic shaper. string Not Specified

shaper- Reverse traffic shaper. string Not Specified

reverse

per-ip-shaper Per-IP traffic shaper. string Not Specified

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine. . Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

FortiOS 7.2.1 CLI Reference 75

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

config members

Parameter Description Type Size Default

name Parameter name. string Not

Specified

value Parameter value. string Not

Specified

config default-network-services

Parameter Description Type Size Default

port Port number. integer Minimum 0

value: 0
Maximum
value:
65535

services Network protocols. option -

Option Description

http HTTP.

ssh SSH.

telnet TELNET.

ftp FTP.

dns DNS.

smtp SMTP.

pop3 POP3.

imap IMAP.

snmp SNMP.

nntp NNTP.

https HTTPS.

FortiOS 7.2.1 CLI Reference 76

Fortinet Inc.
Parameter Description Type Size Default

violation- Action for protocols not in the allowlist for selected port. option - block
action

Option Description

pass Allow protocols not in the allowlist for selected port.

monitor Monitor protocols not in the allowlist for selected port.

block Block protocols not in the allowlist for selected port.

config application group

Configure firewall application groups.

config application group
Description: Configure firewall application groups.
edit <name>
set comment {var-string}
set type [application|filter]
set application <id1>, <id2>, ...
set category <id1>, <id2>, ...
set risk <level1>, <level2>, ...
set protocols {user}
set vendor {user}
set technology {user}
set behavior {user}
set popularity {option1}, {option2}, ...
next
end

config application group

Parameter Description Type Size Default

comment Comments. var-string Not Specified

type Application group type. option - application

Option Description

application Application ID.

filter Application filter.

application Application ID list. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 77

Fortinet Inc.
Parameter Description Type Size Default

category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295

protocols Application protocol filter. user Not Specified all

vendor Application vendor filter. user Not Specified all

technology Application technology filter. user Not Specified all

behavior Application behavior filter. user Not Specified all

popularity Application popularity filter . option - 12345

Option Description

1 Popularity level 1.

2 Popularity level 2.

3 Popularity level 3.

4 Popularity level 4.

5 Popularity level 5.

FortiOS 7.2.1 CLI Reference 78

Fortinet Inc.
authentication

This section includes syntax for the following commands:

l config authentication scheme on page 79
l config authentication rule on page 81
l config authentication setting on page 83

config authentication scheme

Configure Authentication Schemes.

config authentication scheme
Description: Configure Authentication Schemes.
edit <name>
set method {option1}, {option2}, ...
set negotiate-ntlm [enable|disable]
set kerberos-keytab {string}
set domain-controller {string}
set saml-server {string}
set saml-timeout {integer}
set fsso-agent-for-ntlm {string}
set require-tfa [enable|disable]
set fsso-guest [enable|disable]
set user-cert [enable|disable]
set user-database <name1>, <name2>, ...
set ssh-ca {string}
next
end

config authentication scheme

Parameter Description Type Size Default

method Authentication methods . option -

Option Description

ntlm NTLM authentication.

basic Basic HTTP authentication.

digest Digest HTTP authentication.

form Form-based HTTP authentication.

negotiate Negotiate authentication.

fsso Fortinet Single Sign-On (FSSO) authentication.

FortiOS 7.2.1 CLI Reference 79

Fortinet Inc.
Parameter Description Type Size Default

Option Description

rsso RADIUS Single Sign-On (RSSO) authentication.

ssh-publickey Public key based SSH authentication.

cert Client certificate authentication.

saml SAML authentication.

negotiate- Enable/disable negotiate authentication for NTLM . option - enable

ntlm

Option Description

enable Enable negotiate authentication for NTLM.

disable Disable negotiate authentication for NTLM.

kerberos- Kerberos keytab setting. string Not

keytab Specified

domain- Domain controller setting. string Not

controller Specified

saml-server SAML configuration. string Not

Specified

saml-timeout SAML authentication timeout in seconds. integer Minimum 120

value: 30
Maximum
value: 1200

fsso-agent- FSSO agent to use for NTLM authentication. string Not

for-ntlm Specified

require-tfa Enable/disable two-factor authentication . option - disable

ssh-ca SSH CA name. string Not

Specified

config authentication rule

Configure Authentication Rules.

config authentication rule
Description: Configure Authentication Rules.
edit <name>
set status [enable|disable]
set protocol [http|ftp|...]
set srcintf <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set ip-based [enable|disable]
set active-auth-method {string}
set sso-auth-method {string}
set web-auth-cookie [enable|disable]
set transaction-based [enable|disable]
set web-portal [enable|disable]
set comments {var-string}
next
end

config authentication rule

Parameter Description Type Size Default

status Enable/disable this authentication rule. option - enable

Option Description

enable Enable this authentication rule.

disable Disable this authentication rule.

protocol Authentication is required for the selected protocol . option - http

FortiOS 7.2.1 CLI Reference 81

Fortinet Inc.
Parameter Description Type Size Default

Option Description

http HTTP traffic is matched and authentication is required.

ftp FTP traffic is matched and authentication is required.

socks SOCKS traffic is matched and authentication is required.

ssh SSH traffic is matched and authentication is required.

srcintf Incoming (ingress) interface. string Maximum

<name> Interface name. length: 79

srcaddr Authentication is required for the selected IPv4 source string Maximum
<name> address. length: 79
Address name.

dstaddr Select an IPv4 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

srcaddr6 Authentication is required for the selected IPv6 source string Maximum
<name> address. length: 79
Address name.

dstaddr6 Select an IPv6 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

ip-based Enable/disable IP-based authentication. When enabled, option - enable

previously authenticated users from the same IP
address will be exempted.

Option Description

enable Enable IP-based authentication.

disable Disable IP-based authentication.

active-auth- Select an active authentication method. string Not

method Specified

sso-auth- Select a single-sign on (SSO) authentication method. string Not

method Specified

web-auth- Enable/disable Web authentication cookies . option - disable

Option Description

enable Enable Web authentication cookie.

disable Disable Web authentication cookie.

FortiOS 7.2.1 CLI Reference 82

Fortinet Inc.
Parameter Description Type Size Default

transaction- Enable/disable transaction based authentication . option - disable

based

Option Description

enable Enable transaction based authentication.

disable Disable transaction based authentication.

web-portal Enable/disable web portal for proxy transparent policy . option - enable

Option Description

enable Enable web-portal.

disable Disable web-portal.

comments Comment. var-string Not

Specified

config authentication setting

Configure authentication setting.

config authentication setting
Description: Configure authentication setting.
set active-auth-scheme {string}
set sso-auth-scheme {string}
set update-time {user}
set persistent-cookie [enable|disable]
set ip-auth-cookie [enable|disable]
set cookie-max-age {integer}
set cookie-refresh-div {integer}
set captive-portal-type [fqdn|ip]
set captive-portal-ip {ipv4-address-any}
set captive-portal-ip6 {ipv6-address}
set captive-portal {string}
set captive-portal6 {string}
set cert-auth [enable|disable]
set cert-captive-portal {string}
set cert-captive-portal-ip {ipv4-address-any}
set cert-captive-portal-port {integer}
set captive-portal-port {integer}
set auth-https [enable|disable]
set captive-portal-ssl-port {integer}
set user-cert-ca <name1>, <name2>, ...
set dev-range <name1>, <name2>, ...
end

FortiOS 7.2.1 CLI Reference 83

Fortinet Inc.
config authentication setting

Parameter Description Type Size Default

active-auth- Active authentication method (scheme name). string Not

scheme Specified

sso-auth- Single-Sign-On authentication method (scheme name). string Not

scheme Specified

update-time Time of the last update. user Not

Specified

persistent- Enable/disable persistent cookie on web portal option - enable

cookie authentication .

Option Description

enable Enable persistent cookie.

disable Disable persistent cookie.

ip-auth-cookie Enable/disable persistent cookie on IP based web portal option - disable

authentication .

Option Description

enable Enable persistent cookie for IP-based authentication.

disable Disable persistent cookie for IP-based authentication.

cookie-max- Persistent web portal cookie maximum age in minutes . integer Minimum 480
age value: 30
Maximum
value:
10080

cookie- Refresh rate divider of persistent web portal cookie . integer Minimum 2
refresh-div Refresh value = cookie-max-age/cookie-refresh-div. value: 2
Maximum
value: 4

captive- Captive portal type. option - fqdn

portal-type

Option Description

fqdn Use FQDN for captive portal.

ip Use an IP address for captive portal.

captive- Captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any

FortiOS 7.2.1 CLI Reference 84

Fortinet Inc.
Parameter Description Type Size Default

captive- Captive portal IPv6 address. ipv6- Not ::

portal-ip6 address Specified

captive-portal Captive portal host name. string Not

Specified

captive- IPv6 captive portal host name. string Not

portal6 Specified

cert-auth Enable/disable redirecting certificate authentication to option - disable

HTTPS portal.

Option Description

enable Enable setting.

disable Disable setting.

cert-captive- Certificate captive portal host name. string Not

portal Specified

cert-captive- Certificate captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any

cert-captive- Certificate captive portal port number . integer Minimum 7832

portal-port value: 1
Maximum
value:
65535

captive- Captive portal port number . integer Minimum 7830

portal-port value: 1
Maximum
value:
65535

auth-https Enable/disable redirecting HTTP user authentication to option - enable

HTTPS.

Option Description

enable Enable setting.

disable Disable setting.

captive- Captive portal SSL port number . integer Minimum 7831

portal-ssl-port value: 1
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 85

Fortinet Inc.
Parameter Description Type Size Default

user-cert-ca CA certificate used for client certificate verification. string Maximum

<name> CA certificate list. length: 79

dev-range Address range for the IP based device query. string Maximum
<name> Address name. length: 79

FortiOS 7.2.1 CLI Reference 86

Fortinet Inc.
automation

This section includes syntax for the following commands:

l config automation setting on page 87

config automation setting

Automation setting configuration.

config automation setting
Description: Automation setting configuration.
set max-concurrent-stitches {integer}
end

config automation setting

Parameter Description Type Size Default

max- Maximum number of automation stitches that are integer Minimum 256 **
concurrent- allowed to run concurrently. value: 32
stitches Maximum
value: 512
**

** Values may differ between models.

FortiOS 7.2.1 CLI Reference 87

Fortinet Inc.
certificate

This section includes syntax for the following commands:

l config certificate crl on page 94
l config certificate local on page 90
l config certificate remote on page 89
l config certificate ca on page 88

config certificate ca

CA certificate.
config certificate ca
Description: CA certificate.
edit <name>
set ca {user}
set range [global|vdom]
set source [factory|user|...]
set ssl-inspection-trusted [enable|disable]
set scep-url {string}
set auto-update-days {integer}
set auto-update-days-warning {integer}
set source-ip {ipv4-address}
set ca-identifier {string}
set obsolete [disable|enable]
next
end

disable Untrusted CA for SSL inspection.

scep-url URL of the SCEP server. string Not Specified

auto-update- Number of days to wait before requesting an updated integer Minimum 0

days CA certificate . value: 0
Maximum
value:
4294967295

auto-update- Number of days before an expiry-warning message is integer Minimum 0

days-warning generated . value: 0
Maximum
value:
4294967295

source-ip Source IP address for communications to the SCEP ipv4- Not Specified 0.0.0.0
server. address

ca-identifier CA identifier of the SCEP server. string Not Specified

obsolete Enable/disable this CA as obsoleted. option - disable

Option Description

disable Alive.

enable Obsolete.

config certificate remote

Remote certificate as a PEM file.

config certificate remote
Description: Remote certificate as a PEM file.
edit <name>
set remote {user}
set range [global|vdom]

FortiOS 7.2.1 CLI Reference 89

Fortinet Inc.
set source [factory|user|...]
next
end

config certificate remote

Parameter Description Type Size Default

remote Remote certificate. user Not

Specified

range Either the global or VDOM IP address range for the option - global
remote certificate.

Option Description

global Global range.

vdom VDOM IP address range.

source Remote certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

config certificate local

Local keys and certificates.

config certificate local
Description: Local keys and certificates.
edit <name>
set password {password}
set comments {string}
set private-key {user}
set certificate {user}
set csr {user}
set state {user}
set scep-url {string}
set range [global|vdom]
set source [factory|user|...]
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set scep-password {password}
set ca-identifier {string}
set name-encoding [printable|utf8]
set source-ip {ipv4-address}
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set enroll-protocol [none|scep|...]

FortiOS 7.2.1 CLI Reference 90

Fortinet Inc.
set private-key-retain [enable|disable]
set cmp-server {string}
set cmp-path {string}
set cmp-server-cert {string}
set cmp-regeneration-method [keyupate|renewal]
set acme-ca-url {string}
set acme-domain {string}
set acme-email {string}
set acme-rsa-key-size {integer}
set acme-renew-window {integer}
next
end

config certificate local

Parameter Description Type Size Default

password Password as a PEM file. password Not Specified

comments Comment. string Not Specified

private-key PEM format key encrypted user Not Specified

with a password.

certificate PEM format certificate. user Not Specified

csr Certificate Signing Request. user Not Specified

state Certificate Signing Request user Not Specified

State.

scep-url SCEP server URL. string Not Specified

range Either a global or VDOM IP option - global

address range for the
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

FortiOS 7.2.1 CLI Reference 91

Fortinet Inc.
Parameter Description Type Size Default

auto- Number of days to wait integer Minimum 0

regenerate- before expiry of an updated value: 0
days local certificate is requested Maximum
(0 = disabled). value:
4294967295

auto- Number of days to wait integer Minimum 0

regenerate- before an expiry warning value: 0
days-warning message is generated (0 = Maximum
disabled). value:
4294967295

scep-password SCEP server challenge password Not Specified

password for auto-
regeneration.

ca-identifier CA identifier of the CA string Not Specified

server for signing via SCEP.

name-encoding Name encoding method for option - printable

auto-regeneration.

Option Description

printable Printable encoding (default).

utf8 UTF-8 encoding.

source-ip Source IP address for ipv4- Not Specified 0.0.0.0

communications to the address
SCEP server.

ike-localid Local ID the FortiGate uses string Not Specified

for authentication as a VPN
client.

ike-localid-type IKE local ID type. option - asn1dn

cmp-path Path location inside CMP string Not Specified

server.

cmp-server-cert CMP server certificate. string Not Specified

cmp- CMP auto-regeneration option - keyupate

regeneration- method.
method

Option Description

keyupate Key Update.

renewal Renewal.

acme-ca-url The URL for the ACME CA string Not Specified https://acme-
server . v02.api.letsencrypt.org/directory

acme-domain A valid domain that resolves string Not Specified

to this FortiGate unit.

acme-email Contact email address that string Not Specified

is required by some CAs like
LetsEncrypt.

acme-rsa-key- Length of the RSA private integer Minimum 2048

size key of the generated cert value: 2048
(Minimum 2048 bits). Maximum
value: 4096

acme-renew- Beginning of the renewal integer Minimum 30

window window . value: 1
Maximum
value: 100 **

FortiOS 7.2.1 CLI Reference 93

Fortinet Inc.
** Values may differ between models.

config certificate crl

Certificate Revocation List as a PEM file.

config certificate crl
Description: Certificate Revocation List as a PEM file.
edit <name>
set crl {user}
set range [global|vdom]
set source [factory|user|...]
set update-vdom {string}
set ldap-server {string}
set ldap-username {string}
set ldap-password {password}
set http-url {string}
set scep-url {string}
set scep-cert {string}
set update-interval {integer}
set source-ip {ipv4-address}
next
end

config certificate crl

Parameter Description Type Size Default

crl Certificate Revocation List as a PEM file. user Not Specified

range Either global or VDOM IP address range for the option - global
certificate.

Option Description

global Global range.

vdom VDOM IP address range.

source Certificate source type. option - user

Option Description

factory Factory installed certificate.

user User generated certificate.

bundle Bundle file certificate.

update-vdom VDOM for CRL update. string Not Specified root

ldap-server LDAP server name for CRL auto-update. string Not Specified

ldap- LDAP server user name. string Not Specified

username

FortiOS 7.2.1 CLI Reference 94

Fortinet Inc.
Parameter Description Type Size Default

ldap- LDAP server user password. password Not Specified

password

http-url HTTP server URL for CRL auto-update. string Not Specified

scep-url SCEP server URL for CRL auto-update. string Not Specified

scep-cert Local certificate for SCEP communication for CRL string Not Specified Fortinet_
auto-update. CA_SSL

update- Time in seconds before the FortiGate checks for an integer Minimum 0
interval updated CRL. Set to 0 to update only when it expires. value: 0
Maximum
value:
4294967295

source-ip Source IP address for communications to a HTTP or ipv4- Not Specified 0.0.0.0
SCEP CA server. address

FortiOS 7.2.1 CLI Reference 95

Fortinet Inc.
dlp

This section includes syntax for the following commands:

l config dlp profile on page 103
l config dlp data-type on page 96
l config dlp sensor on page 98
l config dlp sensitivity on page 102
l config dlp filepattern on page 100
l config dlp dictionary on page 97

config dlp data-type

Configure predefined data type used by DLP blocking.

config dlp data-type
Description: Configure predefined data type used by DLP blocking.
edit <name>
set pattern {string}
set verify {string}
set look-back {integer}
set look-ahead {integer}
set transform {string}
set verify-transformed-pattern [enable|disable]
set comment {var-string}
next
end

config dlp data-type

Parameter Description Type Size Default

pattern Regular expression pattern string without look around. string Not
Specified

verify Regular expression pattern string used to verify the string Not
data type. Specified

look-back Number of characters required to save for verification . integer Minimum 1

value: 1
Maximum
value: 255

look-ahead Number of characters to obtain in advance for integer Minimum 1

verification . value: 1
Maximum
value: 255

FortiOS 7.2.1 CLI Reference 96

Fortinet Inc.
Parameter Description Type Size Default

transform Template to transform user input to a pattern using string Not

capture group from 'pattern'. Specified

verify- Enable/disable verification for transformed pattern. option - disable

transformed-
pattern

Option Description

enable Enable verification for transformed pattern.

disable Disable verification for transformed pattern.

comment Optional comments. var-string Not

Specified

config dlp dictionary

Configure dictionaries used by DLP blocking.

config dlp dictionary
Description: Configure dictionaries used by DLP blocking.
edit <name>
set uuid {uuid}
set match-type [match-all|match-any]
set comment {var-string}
config entries
Description: DLP dictionary entries.
edit <id>
set type {string}
set pattern {string}
set ignore-case [enable|disable]
set repeat [enable|disable]
set status [enable|disable]
set comment {var-string}
next
end
next
end

config dlp dictionary

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

match-type Logical relation between entries . option - match-any

FortiOS 7.2.1 CLI Reference 97

Fortinet Inc.
Parameter Description Type Size Default

Option Description

match-all Match all entries.

match-any Match any entries.

comment Optional comments. var-string Not

Specified

config entries

Parameter Description Type Size Default

type Pattern type to match. string Not

Specified

pattern Pattern to match. string Not

Specified

ignore-case Enable/disable ignore case. option - disable

Option Description

enable Enable ignore case.

disable Disable ignore case.

repeat Enable/disable repeat match. option - disable

Option Description

enable Enable repeat match.

disable Disable repeat match.

status Enable/disable this pattern. option - enable

Option Description

enable Enable this pattern.

disable Disable this pattern.

comment Optional comments. var-string Not

Specified

config dlp sensor

Configure sensors used by DLP blocking.

config dlp sensor
Description: Configure sensors used by DLP blocking.
edit <name>

FortiOS 7.2.1 CLI Reference 98

Fortinet Inc.
set match-type [match-all|match-any|...]
set eval {string}
set comment {var-string}
config entries
Description: DLP sensor entries.
edit <id>
set dictionary {string}
set count {integer}
set status [enable|disable]
next
end
next
end

config dlp sensor

Parameter Description Type Size Default

match-type Logical relation between entries . option - match-any

Option Description

match-all Match all entries.

match-any Match any entries.

match-eval Match an expression evaluation.

eval Expression to evaluate. string Not

Specified

comment Optional comments. var-string Not

Specified

config entries

Parameter Description Type Size Default

dictionary Select a DLP dictionary. string Not

Specified

count Count of dictionary matches to trigger sensor entry integer Minimum 1

match . value: 1
Maximum
value: 255

status Enable/disable this entry. option - enable

Option Description

enable Enable this entry.

disable Disable this entry.

FortiOS 7.2.1 CLI Reference 99

Fortinet Inc.
config dlp filepattern

Configure file patterns used by DLP blocking.

config dlp filepattern
Description: Configure file patterns used by DLP blocking.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: Configure file patterns used by DLP blocking.
edit <pattern>
set filter-type [pattern|type]
set file-type [7z|arj|...]
next
end
next
end

config dlp filepattern

Parameter Description Type Size Default

name Name of table containing the file pattern list. string Not
Specified

comment Optional comments. var-string Not

Specified

config entries

Parameter Description Type Size Default

filter-type Filter by file name pattern or by file type. option - pattern

Option Description

pattern Filter by file name pattern.

type Filter by file type.

file-type Select a file type. option - unknown

Option Description

7z Match 7-zip files.

arj Match arj compressed files.

cab Match Windows cab files.

lzh Match lzh compressed files.

FortiOS 7.2.1 CLI Reference 100

Fortinet Inc.
Parameter Description Type Size Default

Option Description

rar Match rar archives.

tar Match tar files.

zip Match zip files.

bzip Match bzip files.

gzip Match gzip files.

bzip2 Match bzip2 files.

xz Match xz files.

bat Match Windows batch files.

uue Match uue files.

mime Match mime files.

base64 Match base64 files.

binhex Match binhex files.

elf Match elf files.

exe Match Windows executable files.

hta Match hta files.

html Match html files.

jad Match jad files.

class Match class files.

cod Match cod files.

javascript Match javascript files.

msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.

msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.

fsg Match fsg files.

upx Match upx files.

petite Match petite files.

aspack Match aspack files.

sis Match sis files.

hlp Match Windows help files.

activemime Match activemime files.

FortiOS 7.2.1 CLI Reference 101

Fortinet Inc.
Parameter Description Type Size Default

Option Description

jpeg Match jpeg files.

gif Match gif files.

tiff Match tiff files.

png Match png files.

bmp Match bmp files.

unknown Match unknown files.

mpeg Match mpeg files.

mov Match mov files.

mp3 Match mp3 files.

wma Match wma files.

wav Match wav files.

pdf Match Acrobat PDF files.

avi Match avi files.

rm Match rm files.

torrent Match torrent files.

hibun Match special-file-23-support files.

msi Match Windows Installer msi files.

mach-o Match Mach object files.

dmg Match Apple disk image files.

.net Match .NET files.

xar Match xar archive files.

chm Match Windows compiled HTML help files.

iso Match ISO archive files.

crx Match Chrome extension files.

flac Match flac files.

config dlp sensitivity

Create self-explanatory DLP sensitivity levels to be used when setting sensitivity under config fp-doc-source.
config dlp sensitivity
Description: Create self-explanatory DLP sensitivity levels to be used when setting
sensitivity under config fp-doc-source.

FortiOS 7.2.1 CLI Reference 102

Fortinet Inc.
edit <name>
next
end

config dlp profile

Configure DLP profiles.

config dlp profile
Description: Configure DLP profiles.
edit <name>
set comment {var-string}
set feature-set [flow|proxy]
set replacemsg-group {string}
config rule
Description: Set up DLP rules for this profile.
edit <id>
set name {string}
set severity [info|low|...]
set type [file|message]
set proto {option1}, {option2}, ...
set filter-by [sensor|mip|...]
set file-size {integer}
set sensitivity <name1>, <name2>, ...
set file-type {integer}
set sensor <name1>, <name2>, ...
set label {string}
set archive [disable|enable]
set action [allow|log-only|...]
set expiry {user}
next
end
set dlp-log [enable|disable]
set extended-log [enable|disable]
set nac-quar-log [enable|disable]
set full-archive-proto {option1}, {option2}, ...
set summary-proto {option1}, {option2}, ...
next
end

config dlp profile

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

feature-set Flow/proxy feature set. option - flow

Option Description

flow Flow feature set.

FortiOS 7.2.1 CLI Reference 103

Fortinet Inc.
Parameter Description Type Size Default

Option Description

proxy Proxy feature set.

replacemsg- Replacement message group used by this DLP profile. string Not
group Specified

dlp-log Enable/disable DLP logging. option - enable

Option Description

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

FortiOS 7.2.1 CLI Reference 104

Fortinet Inc.
Parameter Description Type Size Default

Option Description

cifs CIFS.

summary- Protocols to always log summary. option -

proto

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

config rule

Parameter Description Type Size Default

name Filter name. string Not Specified

severity Select the severity or threat level that matches this option - medium
filter.

Option Description

info Informational.

low Low.

medium Medium.

high High.

critical Critical.

type Select whether to check the content of messages (an option - file
email message) or files (downloaded files or email
attachments).

FortiOS 7.2.1 CLI Reference 105

Fortinet Inc.
Parameter Description Type Size Default

Option Description

file Check the contents of downloaded or attached files.

message Check the contents of email messages, web pages, etc.

proto Check messages or files over one or more of these option -

protocols.

Option Description

smtp SMTP.

pop3 POP3.

imap IMAP.

http-get HTTP GET.

http-post HTTP POST.

ftp FTP.

nntp NNTP.

mapi MAPI.

ssh SFTP and SCP.

cifs CIFS.

filter-by Select the type of content to match. option - none

Option Description

sensor Use DLP sensors to match content.

mip Use MIP label dictionary to match content.

encrypted Look for encrypted files.

none No content scan.

file-size Match files this size or larger . integer Minimum 0

value: 0
Maximum
value:
4294967295

sensitivity Select a DLP file pattern sensitivity to match. string Maximum

<name> Select a DLP sensitivity. length: 35

FortiOS 7.2.1 CLI Reference 106

Fortinet Inc.
Parameter Description Type Size Default

file-type Select the number of a DLP file pattern table to integer Minimum 0
match. value: 0
Maximum
value:
4294967295

sensor Select DLP sensors. string Maximum

<name> Address name. length: 35

label MIP label dictionary. string Not Specified

archive Enable/disable DLP archiving. option - disable

Option Description

disable No DLP archiving.

enable Enable full DLP archiving.

action Action to take with content that this DLP profile option - allow
matches.

Option Description

allow Allow the content to pass through the FortiGate and do not create a log
message.

log-only Allow the content to pass through the FortiGate, but write a log message.

block Block the content and write a log message.

quarantine-ip Quarantine all traffic from the IP address and write a log message.

expiry Quarantine duration in days, hours, minutes (format = user Not Specified 5m
dddhhmm).

FortiOS 7.2.1 CLI Reference 107

Fortinet Inc.
dnsfilter

This section includes syntax for the following commands:

l config dnsfilter profile on page 109
l config dnsfilter domain-filter on page 108

config dnsfilter domain-filter

Configure DNS domain filters.

config dnsfilter domain-filter
Description: Configure DNS domain filters.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: DNS domain filter entries.
edit <id>
set domain {string}
set type [simple|regex|...]
set action [block|allow|...]
set status [enable|disable]
next
end
next
end

config dnsfilter domain-filter

Parameter Description Type Size Default

name Name of table. string Not

Specified

comment Optional comments. var-string Not

Specified

config entries

Parameter Description Type Size Default

domain Domain entries to be filtered. string Not

Specified

type DNS domain filter type. option - simple

FortiOS 7.2.1 CLI Reference 108

Fortinet Inc.
Parameter Description Type Size Default

Option Description

simple Simple domain string.

regex Regular expression domain string.

wildcard Wildcard domain string.

action Action to take for domain filter matches. option - block

Option Description

block Block DNS requests matching the domain filter.

allow Allow DNS requests matching the domain filter without logging.

monitor Allow DNS requests matching the domain filter with logging.

status Enable/disable this domain filter. option - enable

Option Description

enable Enable this domain filter.

disable Disable this domain filter.

config dnsfilter profile

Configure DNS domain filter profile.

config dnsfilter profile
Description: Configure DNS domain filter profile.
edit <name>
set comment {var-string}
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
config ftgd-dns
Description: FortiGuard DNS Filter settings.
set options {option1}, {option2}, ...
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set category {integer}
set action [block|monitor]
set log [enable|disable]
next
end
end
set log-all-domain [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set sdns-domain-log [enable|disable]
set block-action [block|redirect|...]

FortiOS 7.2.1 CLI Reference 109

Fortinet Inc.
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set block-botnet [disable|enable]
set safe-search [disable|enable]
set youtube-restrict [strict|moderate]
set external-ip-blocklist <name1>, <name2>, ...
config dns-translation
Description: DNS translation settings.
edit <id>
set addr-type [ipv4|ipv6]
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
set status [enable|disable]
set src6 {ipv6-address}
set dst6 {ipv6-address}
set prefix {integer}
next
end
next
end

config dnsfilter profile

Parameter Description Type Size Default

enable Enable domain filtering and botnet domain logging.

disable Disable domain filtering and botnet domain logging.

FortiOS 7.2.1 CLI Reference 110

Fortinet Inc.
Parameter Description Type Size Default

block-action Action to take for blocked domains. option - redirect

Option Description

block Return NXDOMAIN for blocked domains.

redirect Redirect blocked domains to SDNS portal.

block-sevrfail Return SERVFAIL for blocked domains.

redirect-portal IPv4 address of the SDNS redirect portal. ipv4- Not 0.0.0.0
address Specified

redirect- IPv6 address of the SDNS redirect portal. ipv6- Not ::

portal6 address Specified

block-botnet Enable/disable blocking botnet C&C DNS lookups. option - disable

Option Description

disable Disable blocking botnet C&C DNS lookups.

enable Enable blocking botnet C&C DNS lookups.

safe-search Enable/disable Google, Bing, YouTube, Qwant, option - disable

DuckDuckGo safe search.

Option Description

disable Disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

enable Enable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

youtube- Set safe search for YouTube restriction level. option - strict
restrict

Option Description

strict Enable strict safe seach for YouTube.

moderate Enable moderate safe search for YouTube.

external-ip- One or more external IP block lists. string Maximum

blocklist External domain block list name. length: 79
<name>

FortiOS 7.2.1 CLI Reference 111

Fortinet Inc.
config domain-filter

Parameter Description Type Size Default

domain-filter- DNS domain filter table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

config ftgd-dns

Parameter Description Type Size Default

options FortiGuard DNS filter options. option -

Option Description

error-allow Allow all domains when FortiGuard DNS servers fail.

ftgd-disable Disable FortiGuard DNS domain rating.

config filters

Parameter Description Type Size Default

category Category number. integer Minimum 0

value: 0
Maximum
value: 255

action Action to take for DNS requests matching the category. option - monitor

Option Description

block Block DNS requests matching the category.

monitor Allow DNS requests matching the category and log the result.

log Enable/disable DNS filter logging for this DNS profile. option - enable

Option Description

enable Enable DNS filter logging.

disable Disable DNS filter logging.

FortiOS 7.2.1 CLI Reference 112

Fortinet Inc.
config dns-translation

Parameter Description Type Size Default

addr-type DNS translation type (IPv4 or IPv6). option - ipv4

Option Description

ipv4 IPv4 address type.

ipv6 IPv6 address type.

src IPv4 address or subnet on the internal network to ipv4- Not 0.0.0.0
compare with the resolved address in DNS query address Specified
replies. If the resolved address matches, the
resolved address is substituted with dst.

dst IPv4 address or subnet on the external network ipv4- Not 0.0.0.0
to substitute for the resolved address in DNS address Specified
query replies. Can be single IP address or
subnet on the external network, but number of
addresses must equal number of mapped IP
addresses in src.

netmask If src and dst are subnets rather than single IP ipv4- Not 255.255.255.255
addresses, enter the netmask for both src and netmask Specified
dst.

status Enable/disable this DNS translation entry. option - enable

Option Description

enable Enable this DNS translation.

disable Disable this DNS translation.

src6 IPv6 address or subnet on the internal network to ipv6- Not ::

compare with the resolved address in DNS query address Specified
replies. If the resolved address matches, the
resolved address is substituted with dst6.

dst6 IPv6 address or subnet on the external network ipv6- Not ::

to substitute for the resolved address in DNS address Specified
query replies. Can be single IP address or
subnet on the external network, but number of
addresses must equal number of mapped IP
addresses in src6.

prefix If src6 and dst6 are subnets rather than single IP integer Minimum 128
addresses, enter the prefix for both src6 and dst6 value: 1
. Maximum
value: 128

FortiOS 7.2.1 CLI Reference 113

Fortinet Inc.
emailfilter

This section includes syntax for the following commands:

l config emailfilter block-allow-list on page 116
l config emailfilter fortishield on page 128
l config emailfilter dnsbl on page 119
l config emailfilter bword on page 114
l config emailfilter options on page 129
l config emailfilter iptrust on page 120
l config emailfilter mheader on page 118
l config emailfilter profile on page 121

config emailfilter bword

Configure AntiSpam banned word list.

config emailfilter bword
Description: Configure AntiSpam banned word list.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: Spam filter banned word.
edit <id>
set status [enable|disable]
set pattern {string}
set pattern-type [wildcard|regexp]
set action [spam|clear]
set where [subject|body|...]
set language [western|simch|...]
set score {integer}
next
end
next
end

config emailfilter bword

Parameter Description Type Size Default

name Name of table. string Not

Specified

comment Optional comments. var-string Not

Specified

FortiOS 7.2.1 CLI Reference 114

Fortinet Inc.
config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

subject Banned word in email subject.

body Banned word in email body.

all Banned word in both subject and body.

language Language for the banned word. option - western

Option Description

western Western.

simch Simplified Chinese.

trach Traditional Chinese.

japanese Japanese.

korean Korean.

french French.

FortiOS 7.2.1 CLI Reference 115

Fortinet Inc.
Parameter Description Type Size Default

Option Description

thai Thai.

spanish Spanish.

score Score value. integer Minimum 10

value: 1
Maximum
value:
99999

config emailfilter block-allow-list

Configure anti-spam block/allow list.

config emailfilter block-allow-list
Description: Configure anti-spam block/allow list.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: Anti-spam block/allow entries.
edit <id>
set status [enable|disable]
set type [ip|email-to|...]
set action [reject|spam|...]
set addr-type [ipv4|ipv6]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
set pattern-type [wildcard|regexp]
set pattern {string}
next
end
next
end

config emailfilter block-allow-list

Parameter Description Type Size Default

name Name of table. string Not

Specified

comment Optional comments. var-string Not

Specified

FortiOS 7.2.1 CLI Reference 116

Fortinet Inc.
config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not ::/128

network Specified

pattern-type Wildcard pattern or regular expression. option - wildcard

Option Description

wildcard Wildcard pattern.

regexp Perl regular expression.

pattern Pattern to match. string Not

Specified

FortiOS 7.2.1 CLI Reference 117

Fortinet Inc.
config emailfilter mheader

Configure AntiSpam MIME header.

config emailfilter mheader
Description: Configure AntiSpam MIME header.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: Spam filter mime header content.
edit <id>
set status [enable|disable]
set fieldname {string}
set fieldbody {string}
set pattern-type [wildcard|regexp]
set action [spam|clear]
next
end
next
end

config emailfilter mheader

Parameter Description Type Size Default

name Name of table. string Not

Specified

comment Optional comments. var-string Not

Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

fieldname Pattern for header field name. string Not

Specified

fieldbody Pattern for the header field body. string Not

Specified

pattern-type Wildcard pattern or regular expression. option - wildcard

FortiOS 7.2.1 CLI Reference 118

Fortinet Inc.
Parameter Description Type Size Default

Option Description

wildcard Wildcard pattern.

regexp Perl regular expression.

action Mark spam or good. option - spam

Option Description

spam Mark as spam email.

clear Mark as good email.

config emailfilter dnsbl

Configure AntiSpam DNSBL/ORBL.

config emailfilter dnsbl
Description: Configure AntiSpam DNSBL/ORBL.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: Spam filter DNSBL and ORBL server.
edit <id>
set status [enable|disable]
set server {string}
set action [reject|spam]
next
end
next
end

config emailfilter dnsbl

Parameter Description Type Size Default

name Name of table. string Not

Specified

comment Optional comments. var-string Not

Specified

config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

FortiOS 7.2.1 CLI Reference 119

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable status.

disable Disable status.

server DNSBL or ORBL server name. string Not

Specified

action Reject connection or mark as spam email. option - spam

Option Description

reject Reject the connection.

spam Mark as spam email.

config emailfilter iptrust

Configure AntiSpam IP trust.

config emailfilter iptrust
Description: Configure AntiSpam IP trust.
edit <id>
set name {string}
set comment {var-string}
config entries
Description: Spam filter trusted IP addresses.
edit <id>
set status [enable|disable]
set addr-type [ipv4|ipv6]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
next
end
next
end

config emailfilter iptrust

Parameter Description Type Size Default

name Name of table. string Not

Specified

comment Optional comments. var-string Not

Specified

FortiOS 7.2.1 CLI Reference 120

Fortinet Inc.
config entries

Parameter Description Type Size Default

status Enable/disable status. option - enable

Option Description

enable Enable status.

disable Disable status.

addr-type Type of address. option - ipv4

Option Description

ipv4 IPv4 Address type.

ipv6 IPv6 Address type.

ip4-subnet IPv4 network address or network address/subnet mask ipv4- Not 0.0.0.0
bits. classnet Specified 0.0.0.0

ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not ::/128

network Specified

config emailfilter profile

Configure Email Filter profiles.

config emailfilter profile
Description: Configure Email Filter profiles.
edit <name>
set comment {var-string}
set feature-set [flow|proxy]
set replacemsg-group {string}
set spam-log [disable|enable]
set spam-log-fortiguard-response [disable|enable]
set spam-filtering [enable|disable]
set external [enable|disable]
set options {option1}, {option2}, ...
config imap
Description: IMAP.
set log-all [disable|enable]
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
config pop3
Description: POP3.
set log-all [disable|enable]
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
config smtp

FortiOS 7.2.1 CLI Reference 121

Fortinet Inc.
Description: SMTP.
set log-all [disable|enable]
set action [pass|tag|...]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
set hdrip [disable|enable]
set local-override [disable|enable]
end
config mapi
Description: MAPI.
set log-all [disable|enable]
set action [pass|discard]
end
config msn-hotmail
Description: MSN Hotmail.
set log-all [disable|enable]
end
config yahoo-mail
Description: Yahoo! Mail.
set log-all [disable|enable]
end
config gmail
Description: Gmail.
set log-all [disable|enable]
end
config other-webmails
Description: Other supported webmails.
set log-all [disable|enable]
end
set spam-bword-threshold {integer}
set spam-bword-table {integer}
set spam-bal-table {integer}
set spam-mheader-table {integer}
set spam-rbl-table {integer}
set spam-iptrust-table {integer}
next
end

config emailfilter profile

Parameter Description Type Size Default

comment Comment. var-string Not Specified

feature-set Flow/proxy feature set. option - flow

Option Description

flow Flow feature set.

proxy Proxy feature set.

replacemsg- Replacement message group. string Not Specified

group

FortiOS 7.2.1 CLI Reference 122

Fortinet Inc.
Parameter Description Type Size Default

spam-log Enable/disable spam logging for email filtering. option - enable

Option Description

disable Disable spam logging for email filtering.

bannedword Content block.

spambal Block/allow list.

spamfsip Email IP address FortiGuard AntiSpam block list check.

spamfssubmit Add FortiGuard AntiSpam spam submission text.

spamfschksum Email checksum FortiGuard AntiSpam check.

spamfsurl Email content URL FortiGuard AntiSpam check.

spamhelodns Email helo/ehlo domain DNS check.

spamraddrdns Email return address DNS check.

FortiOS 7.2.1 CLI Reference 123

Fortinet Inc.
Parameter Description Type Size Default

Option Description

spamrbl Email DNSBL & ORBL check.

spamhdrcheck Email mime header check.

spamfsphish Email content phishing URL FortiGuard AntiSpam check.

spam-bword- Spam banned word threshold. integer Minimum 10

threshold value: 0
Maximum
value:
2147483647

spam-bword- Anti-spam banned word table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

spam-bal-table Anti-spam block/allow list table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

spam- Anti-spam MIME header table ID. integer Minimum 0

mheader-table value: 0
Maximum
value:
4294967295

spam-rbl-table Anti-spam DNSBL table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

spam-iptrust- Anti-spam IP trust table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295

config imap

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

FortiOS 7.2.1 CLI Reference 124

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - tag

Option Description

pass Allow spam email to pass through.

tag Tag spam email with configured text in subject or header.

tag-type Tag subject or header for spam email. option - subject

spaminfo

Option Description

subject Prepend text to spam email subject.

header Append a user defined mime header to spam email.

spaminfo Append spam info to spam email header.

tag-msg Subject text or header added to spam email. string Not Spam
Specified

config pop3

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - tag

Option Description

pass Allow spam email to pass through.

tag Tag spam email with configured text in subject or header.

tag-type Tag subject or header for spam email. option - subject

spaminfo

FortiOS 7.2.1 CLI Reference 125

Fortinet Inc.
Parameter Description Type Size Default

Option Description

subject Prepend text to spam email subject.

header Append a user defined mime header to spam email.

spaminfo Append spam info to spam email header.

tag-msg Subject text or header added to spam email. string Not Spam
Specified

config smtp

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

hdrip Enable/disable SMTP email header IP checks for option - disable

spamfsip, spamrbl, and spambal filters.

FortiOS 7.2.1 CLI Reference 126

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.

enable Enable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.

local-override Enable/disable local filter to override SMTP remote option - disable

check result.

Option Description

disable Disable local filter to override SMTP remote check result.

enable Enable local filter to override SMTP remote check result.

config mapi

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

action Action for spam email. option - pass

Option Description

pass Allow spam email to pass through.

discard Discard (block) spam email.

config msn-hotmail

Parameter Description Type Size Default

log-all Enable/disable logging of all email traffic. option - disable

Option Description

disable Disable logging of all email traffic.

disable Disable logging of all email traffic.

enable Enable logging of all email traffic.

config emailfilter fortishield

Configure FortiGuard - AntiSpam.

config emailfilter fortishield
Description: Configure FortiGuard - AntiSpam.
set spam-submit-srv {string}
set spam-submit-force [enable|disable]
set spam-submit-txt2htm [enable|disable]
end

FortiOS 7.2.1 CLI Reference 128

Fortinet Inc.
config emailfilter fortishield

Parameter Description Type Size Default

spam-submit- Hostname of the spam submission server. string Not www.nospammer.net

srv Specified

spam-submit- Enable/disable force insertion of a new mime option - enable

force entity for the submission text.

Option Description

enable Enable setting.

disable Disable setting.

spam-submit- Enable/disable conversion of text email to option - enable

txt2htm HTML email.

Option Description

enable Enable setting.

disable Disable setting.

config emailfilter options

Configure AntiSpam options.

config emailfilter options
Description: Configure AntiSpam options.
set dns-timeout {integer}
end

config emailfilter options

Parameter Description Type Size Default

dns-timeout DNS query time out . integer Minimum 7

value: 1
Maximum
value: 30

FortiOS 7.2.1 CLI Reference 129

Fortinet Inc.
endpoint-control

This section includes syntax for the following commands:

l config endpoint-control fctems on page 130

config endpoint-control fctems

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems
Description: Configure FortiClient Enterprise Management Server (EMS) entries.
edit <ems-id>
set status [enable|disable]
set name {string}
set dirty-reason [none|mismatched-ems-sn]
set fortinetone-cloud-authentication [enable|disable]
set server {string}
set https-port {integer}
set serial-number {string}
set tenant-id {string}
set source-ip {ipv4-address-any}
set pull-sysinfo [enable|disable]
set pull-vulnerabilities [enable|disable]
set pull-avatars [enable|disable]
set pull-tags [enable|disable]
set pull-malware-hash [enable|disable]
set cloud-server-type [production|alpha|...]
set capabilities {option1}, {option2}, ...
set call-timeout {integer}
set out-of-sync-threshold {integer}
set websocket-override [disable|enable]
set preserve-ssl-session [enable|disable]
set interface-select-method [auto|sdwan|...]
set interface {string}
next
end

config endpoint-control fctems

Parameter Description Type Size Default

status Enable or disable this EMS configuration. option - disable

Option Description

enable Enable EMS configuration and operation.

disable Disable EMS configuration and operation.

FortiOS 7.2.1 CLI Reference 130

Fortinet Inc.
Parameter Description Type Size Default

address- Specified
any

pull-sysinfo Enable/disable pulling SysInfo from EMS. option - enable

Option Description

enable Enable pulling FortiClient user SysInfo from EMS.

disable Disable pulling FortiClient user SysInfo from EMS.

pull- Enable/disable pulling vulnerabilities from EMS. option - enable

vulnerabilities

FortiOS 7.2.1 CLI Reference 131

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable pulling client vulnerabilities from EMS.

disable Disable pulling client vulnerabilities from EMS.

pull-avatars Enable/disable pulling avatars from EMS. option - enable

Option Description

fabric-auth Allow this FortiGate unit to load the authentication page provided by EMS to
authenticate itself with EMS.

silent-approval Allow silent approval of non-root or FortiGate HA clusters on EMS in the

Security Fabric.

FortiOS 7.2.1 CLI Reference 132

Fortinet Inc.
Parameter Description Type Size Default

Option Description

websocket Enable/disable websockets for this FortiGate unit. Override behavior using
websocket-override.

websocket- Allow this FortiGate unit to request malware hash notifications over
malware websocket.

push-ca-certs Enable/disable syncing deep inspection certificates with EMS.

common-tags- Can recieve tag information from New Common Tags API from EMS.
api

tenant-id Allow this FortiGate to retrieve Tenant-ID from EMS.

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

FortiOS 7.2.1 CLI Reference 134

Fortinet Inc.
extender

This section includes syntax for the following commands:

l config extender extender-info on page 136
l config extender lte-carrier-list on page 137
l config extender lanextension-vdom-status on page 136
l config extender fexwan on page 137
l config extender session-info on page 136
l config extender datachannel-info on page 136
l config extender modem-status on page 137
l config extender lte-carrier-by-mcc-mnc on page 137
l config extender sys-info on page 135
l config extender staging-status on page 135

config extender sys-info

Display detailed FortiExtender system information.

config extender sys-info
Description: Display detailed FortiExtender system information.
set <sn> {string}
end

config extender sys-info

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Maximum

length: 1

config extender staging-status

Display detailed FortiExtender staging image status.

config extender staging-status
Description: Display detailed FortiExtender staging image status.
set <sn> {string}
end

FortiOS 7.2.1 CLI Reference 135

Fortinet Inc.
config extender staging-status

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Maximum

length: 1

config extender extender-info

Display FortiExtender struct information.

config extender extender-info
Description: Display FortiExtender struct information.
set <sn> {string}
end

config extender extender-info

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Maximum

length: 1

config extender session-info

Display FortiExtender session information.

config extender session-info
Description: Display FortiExtender session information.
end

config extender lanextension-vdom-status

Display FortiExtender session information.

config extender lanextension-vdom-status
Description: Display FortiExtender session information.
end

config extender datachannel-info

Display extender kernel data channel information.

config extender datachannel-info
Description: Display extender kernel data channel information.
end

FortiOS 7.2.1 CLI Reference 136

Fortinet Inc.
config extender fexwan

Display extender wan-extesion interface status.

config extender fexwan
Description: Display extender wan-extesion interface status.
end

config extender modem-status

Display detailed FortiExtender modem status.

config extender modem-status
Description: Display detailed FortiExtender modem status.
set <sn> {string}
end

config extender modem-status

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Maximum

length: 1

config extender lte-carrier-list

Display FortiExtender modem carrier list.

config extender lte-carrier-list
Description: Display FortiExtender modem carrier list.
set <sn> {string}
end

config extender lte-carrier-list

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Maximum

length: 1

config extender lte-carrier-by-mcc-mnc

Display FortiExtender modem carrier based on MCC and MNC.

config extender lte-carrier-by-mcc-mnc
Description: Display FortiExtender modem carrier based on MCC and MNC.
set <sn> {string}
end

FortiOS 7.2.1 CLI Reference 137

Fortinet Inc.
config extender lte-carrier-by-mcc-mnc

Parameter Description Type Size Default

<sn> FortiExtender serial number. string Maximum

length: 1

FortiOS 7.2.1 CLI Reference 138

Fortinet Inc.
extension-controller

This section includes syntax for the following commands:

l config extension-controller extender on page 153
l config extension-controller extender-profile on page 141
l config extension-controller dataplan on page 139
l config extension-controller fortigate on page 157
l config extension-controller fortigate-profile on page 156

config extension-controller dataplan

FortiExtender dataplan configuration.

config extension-controller dataplan
Description: FortiExtender dataplan configuration.
edit <name>
set modem-id [modem1|modem2|...]
set type [carrier|slot|...]
set slot [sim1|sim2]
set iccid {string}
set carrier {string}
set apn {string}
set auth-type [none|pap|...]
set username {string}
set password {password}
set pdn [ipv4-only|ipv6-only|...]
set signal-threshold {integer}
set signal-period {integer}
set capacity {integer}
set monthly-fee {integer}
set billing-date {integer}
set overage [disable|enable]
set preferred-subnet {integer}
set private-network [disable|enable]
next
end

config extension-controller dataplan

Parameter Description Type Size Default

modem-id Dataplan's modem specifics, if any. option - all

generic Compatible with any SIM. Assigned if no other dataplan matches the chosen
SIM.

slot SIM slot configuration. option -

Option Description

sim1 Sim slot one.

sim2 Sim slot two.

iccid ICCID configuration. string Not Specified

carrier Carrier configuration. string Not Specified

apn APN configuration. string Not Specified

auth-type Authentication type. option - none

Option Description

none No authentication.

pap PAP.

chap CHAP.

username Username. string Not Specified

password Password. password Not Specified

pdn PDN type. option - ipv4-only

Option Description

ipv4-only IPv4 only PDN activation.

ipv6-only IPv6 only PDN activation.

ipv4-ipv6 Both IPv4 and IPv6 PDN activations.

FortiOS 7.2.1 CLI Reference 140

Fortinet Inc.
Parameter Description Type Size Default

signal- Signal threshold. Specify the range between 50 - 100, integer Minimum 100
threshold where 50/100 means -50/-100 dBm. value: 50
Maximum
value: 100

signal-period Signal period (600 to 18000 seconds). integer Minimum 3600

value: 600
Maximum
value: 18000

capacity Capacity in MB . integer Minimum 0

value: 0
Maximum
value:
102400000

monthly-fee Monthly fee of dataplan . integer Minimum 0

value: 0
Maximum
value:
1000000

billing-date Billing day of the month . integer Minimum 1

value: 1
Maximum
value: 31

overage Enable/disable dataplan overage detection. option - disable

Option Description

disable Disable dataplan overage detection.

enable Enable dataplan overage detection.

preferred- Preferred subnet mask . integer Minimum 0

subnet value: 0
Maximum
value: 32

private- Enable/disable dataplan private network support. option - disable

network

Option Description

disable Disable dataplan private network support.

enable Enable dataplan private network support.

config extension-controller extender-profile

FortiExtender extender profile configuration.

FortiOS 7.2.1 CLI Reference 141

Fortinet Inc.
config extension-controller extender-profile
Description: FortiExtender extender profile configuration.
edit <name>
set id {integer}
set model [FX201E|FX211E|...]
set extension [wan-extension|lan-extension]
set allowaccess {option1}, {option2}, ...
set login-password-change [yes|default|...]
set login-password {password}
set enforce-bandwidth [enable|disable]
set bandwidth-limit {integer}
config cellular
Description: FortiExtender cellular configuration.
set dataplan <name1>, <name2>, ...
config controller-report
Description: FortiExtender controller report configuration.
set status [disable|enable]
set interval {integer}
set signal-threshold {integer}
end
config sms-notification
Description: FortiExtender cellular SMS notification configuration.
set status [disable|enable]
config alert
Description: SMS alert list.
set system-reboot {string}
set data-exhausted {string}
set session-disconnect {string}
set low-signal-strength {string}
set os-image-fallback {string}
set mode-switch {string}
set fgt-backup-mode-switch {string}
end
config receiver
Description: SMS notification receiver list.
edit <name>
set status [disable|enable]
set phone-number {string}
set alert {option1}, {option2}, ...
next
end
end
config modem1
Description: Configuration options for modem 1.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim2-pin [disable|enable]
set sim1-pin-code {password}
set sim2-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]

FortiOS 7.2.1 CLI Reference 142

Fortinet Inc.
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
config modem2
Description: Configuration options for modem 2.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim2-pin [disable|enable]
set sim1-pin-code {password}
set sim2-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
end
config lan-extension
Description: FortiExtender lan extension configuration.
set link-loadbalance [activebackup|loadbalance]
set ipsec-tunnel {string}
set backhaul-interface {string}
set backhaul-ip {string}
config backhaul
Description: LAN extension backhaul tunnel configuration.
edit <name>
set port [wan|lte1|...]
set role [primary|secondary]
set weight {integer}
next
end
end
next
end

FortiOS 7.2.1 CLI Reference 143

Fortinet Inc.
config extension-controller extender-profile

Parameter Description Type Size Default

id ID. integer Minimum 32

value: 0
Maximum
value:
102400000

model Model. option - FX201E

Option Description

FX201E FEX-201E model.

FX211E FEX-211E model.

FX200F FEX-200F model.

FXA11F FEX-101F-AM model.

FXE11F FEX-101F-EA model.

FXA21F FEX-201F-AM model.

FXE21F FEX-201F-EA model.

FXA22F FEX-202F-AM model.

FXE22F FEX-202F-EA model.

FX212F FEX-212F model.

FX311F FEX-311F model.

FX312F FEX-312F model.

FX511F FEX-511F model.

FVG21F FEV-211F model.

FVA21F FEV-211F-AM model.

FVG22F FEV-212F model.

FVA22F FEV-212F-AM model.

FX04DA FX40D-AMEU model.

extension Extension option. option - wan-

extension

Option Description

wan-extension WAN extension.

lan-extension LAN extension.

FortiOS 7.2.1 CLI Reference 144

Fortinet Inc.
Parameter Description Type Size Default

allowaccess Control management access to the managed option -

extender. Separate entries with a space.

Option Description

ping PING access.

telnet TELNET access.

http HTTP access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

login- Change or reset the administrator password of a option - no

password- managed extender .
change

Option Description

yes Change the managed extender's administrator password. Use the login-
password option to set the password.

default Keep the managed extender's administrator password set to the factory
default.

no Do not change the managed extender's administrator password.

enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.

Option Description

enable Enable to enforce bandwidth limit on LAN extension interface.

disable Disable to enforce bandwidth limit on LAN extension interface.

bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000

FortiOS 7.2.1 CLI Reference 145

Fortinet Inc.
config cellular

Parameter Description Type Size Default

dataplan Dataplan names. string Maximum

<name> Dataplan name. length: 79

config controller-report

Parameter Description Type Size Default

status FortiExtender controller report status. option - disable

Option Description

disable Controller is configured to not provide service to this FortiExtender.

enable Controller is configured to provide service to this FortiExtender.

interval Controller report interval. integer Minimum 300

value: 0
Maximum
value:
4294967295

signal- Controller report signal threshold. integer Minimum 10

threshold value: 10
Maximum
value: 50

config sms-notification

Parameter Description Type Size Default

status FortiExtender SMS notification status. option - disable

Option Description

disable SMS notification is configured to not provide service to this FortiExtender.

enable SMS notification is configured to provide service to this FortiExtender.

config alert

Parameter Description Type Size Default

system- Display string when system rebooted. string Not system will
reboot Specified reboot

data- Display string when data exhausted. string Not data plan is
exhausted Specified exhausted

FortiOS 7.2.1 CLI Reference 146

Fortinet Inc.
Parameter Description Type Size Default

session- Display string when session disconnected. string Not LTE data
disconnect Specified session is
disconnected

low-signal- Display string when signal strength is low. string Not LTE signal
strength Specified strength is too
low

os-image- Display string when falling back to a previous OS string Not system start to
fallback image. Specified fallback OS
image

mode-switch Display string when mode is switched. string Not system

Specified networking
mode switched

fgt-backup- Display string when FortiGate backup mode string Not FortiGate
mode-switch switched. Specified backup work
mode switched

config receiver

Parameter Description Type Size Default

os-image- System networking mode switched.

fallback

fgt-backup- FortiGate backup work mode switched.

mode-switch

config modem1

Parameter Description Type Size Default

redundant- FortiExtender mode. option - disable

mode

Option Description

disable Disable interface redundancy.

enable Enable interface redundancy.

redundant-intf Redundant interface. string Not Specified

conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

default-sim Default SIM selection. option - sim1

Option Description

sim1 Use SIM #1 by default.

sim2 Use SIM #2 by default.

carrier Assign default SIM based on carrier.

cost Assign default SIM based on cost.

gps FortiExtender GPS enable/disable. option - enable

Option Description

disable Disable GPS.

enable Enable GPS.

sim1-pin SIM #1 PIN status. option - disable

FortiOS 7.2.1 CLI Reference 148

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable SIM #1 PIN.

enable Enable SIM #1 PIN.

sim2-pin SIM #2 PIN status. option - disable

Option Description

disable Disable SIM #2 PIN.

enable Enable SIM #2 PIN.

sim1-pin-code SIM #1 PIN password. password Not Specified

sim2-pin-code SIM #2 PIN password. password Not Specified

preferred- Preferred carrier. string Not Specified

carrier

config auto-switch

Parameter Description Type Size Default

disconnect Auto switch by disconnect. option - disable

Option Description

disable Disable switching of SIM card based on cellular disconnections.

enable Enable switching of SIM card based on cellular disconnections.

disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000

signal Automatically switch based on signal strength. option - disable

Option Description

disable Disable switching of SIM card based on cellular signal quality.

enable Enable switching of SIM card based on cellular signal quality.

dataplan Automatically switch based on data usage. option - disable

FortiOS 7.2.1 CLI Reference 149

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable switching of SIM card based on cellular data usage.

enable Enable switching of SIM card based on cellular data usage.

switch-back Auto switch with switch back multi-options. option -

Option Description

time Switch back based on specific time in UTC (HH:MM).

timer Switch back based on an interval.

switch-back- Automatically switch over to preferred SIM/carrier at a string Not Specified 00:01
time specified time in UTC (HH:MM).

switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time . value: 3600
Maximum
value:
2147483647

config modem2

Parameter Description Type Size Default

redundant- FortiExtender mode. option - disable

mode

Option Description

disable Disable interface redundancy.

enable Enable interface redundancy.

redundant-intf Redundant interface. string Not Specified

conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

default-sim Default SIM selection. option - sim1

Option Description

sim1 Use SIM #1 by default.

disable Disable SIM #2 PIN.

enable Enable SIM #2 PIN.

sim1-pin-code SIM #1 PIN password. password Not Specified

sim2-pin-code SIM #2 PIN password. password Not Specified

preferred- Preferred carrier. string Not Specified

carrier

config auto-switch

Parameter Description Type Size Default

disconnect Auto switch by disconnect. option - disable

disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000

FortiOS 7.2.1 CLI Reference 151

Fortinet Inc.
Parameter Description Type Size Default

signal Automatically switch based on signal strength. option - disable

dataplan Automatically switch based on data usage. option - disable

switch-back Auto switch with switch back multi-options. option -

switch-back- Automatically switch over to preferred SIM/carrier at a string Not Specified 00:01
time specified time in UTC (HH:MM).

switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time . value: 3600
Maximum
value:
2147483647

config lan-extension

Parameter Description Type Size Default

link- LAN extension link load balance strategy. option - activebackup

loadbalance

Option Description

activebackup FortiExtender LAN extension active-backup.

loadbalance FortiExtender LAN extension load-balance.

ipsec-tunnel IPsec tunnel name. string Not

Specified

backhaul- IPsec phase1 interface. string Not

interface Specified

backhaul-ip IPsec phase1 IPv4/FQDN. Used to specify the string Not

external IP/FQDN when the FortiGate unit is behind Specified
a NAT device.

config backhaul

Parameter Description Type Size Default

port FortiExtender uplink port. option - wan

Option Description

wan FortiExtender WAN port.

lte1 FortiExtender LTE1 port.

lte2 FortiExtender LTE2 port.

FortiOS 7.2.1 CLI Reference 152

Fortinet Inc.
Parameter Description Type Size Default

Option Description

port1 FortiExtender port1 port.

port2 FortiExtender port2 port.

port3 FortiExtender port3 port.

port4 FortiExtender port4 port.

port5 FortiExtender port5 port.

sfp FortiExtender SFP port.

role FortiExtender uplink port. option - primary

Option Description

primary FortiExtender LAN extension primary role.

secondary FortiExtender LAN extension secondary role.

weight WRR weight parameter. integer Minimum 1

value: 1
Maximum
value: 256

config extension-controller extender

Extender controller configuration.

config extension-controller extender
Description: Extender controller configuration.
edit <name>
set id {string}
set authorized [disable|enable]
set ext-name {string}
set description {string}
set vdom {integer}
set device-id {integer}
set extension-type [wan-extension|lan-extension]
set profile {string}
set override-allowaccess [enable|disable]
set allowaccess {option1}, {option2}, ...
set override-login-password-change [enable|disable]
set login-password-change [yes|default|...]
set login-password {password}
set override-enforce-bandwidth [enable|disable]
set enforce-bandwidth [enable|disable]
set bandwidth-limit {integer}
config wan-extension
Description: FortiExtender wan extension configuration.
set modem1-extension {string}
set modem2-extension {string}

FortiOS 7.2.1 CLI Reference 153

Fortinet Inc.
end
set firmware-provision-latest [disable|once]
next
end

config extension-controller extender

Parameter Description Type Size Default

id FortiExtender serial number. string Not Specified

authorized FortiExtender Administration (enable or disable). option - disable

Option Description

disable Controller is configured to not provide service to this FortiExtender.

enable Controller is configured to provide service to this FortiExtender.

ext-name FortiExtender name. string Not Specified

description Description. string Not Specified

vdom VDOM. integer Minimum 0

value: 0
Maximum
value:
4294967295

device-id Device ID. integer Minimum 1024

value: 0
Maximum
value:
4294967295

extension-type Extension type for this FortiExtender. option -

Option Description

wan-extension FortiExtender wan-extension.

lan-extension FortiExtender lan-extension.

profile FortiExtender profile configuration. string Not Specified

override- Enable to override the extender profile management option - disable

allowaccess access configuration.

Option Description

enable Override the extender profile management access configuration.

disable Use the extender profile management access configuration.

FortiOS 7.2.1 CLI Reference 154

Fortinet Inc.
Parameter Description Type Size Default

allowaccess Control management access to the managed option -

extender. Separate entries with a space.

Option Description

ping PING access.

telnet TELNET access.

http HTTP access.

https HTTPS access.

ssh SSH access.

snmp SNMP access.

override-login- Enable to override the extender profile login- option - disable

password- password (administrator password) setting.
change

Option Description

enable Override the WTP profile login-password (administrator password) setting.

disable Use the the WTP profile login-password (administrator password) setting.

login- Change or reset the administrator password of a option - no

password- managed extender .
change

Option Description

yes Change the managed extender's administrator password. Use the login-
password option to set the password.

default Keep the managed extender's administrator password set to the factory
default.

no Do not change the managed extender's administrator password.

override- Enable to override the extender profile enforce- option - disable

enforce- bandwidth setting.
bandwidth

Option Description

enable Enable override of FortiExtender profile bandwidth setting.

disable Disable override of FortiExtender profile bandwidth setting.

FortiOS 7.2.1 CLI Reference 155

Fortinet Inc.
Parameter Description Type Size Default

enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.

Option Description

enable Enable to enforce bandwidth limit on LAN extension interface.

disable Disable to enforce bandwidth limit on LAN extension interface.

bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000

firmware- Enable/disable one-time automatic provisioning of option - disable

provision- the latest firmware version.
latest

Option Description

disable Do not automatically provision the latest available firmware.

once Automatically attempt a one-time upgrade to the latest available firmware

version.

config wan-extension

Parameter Description Type Size Default

modem1- FortiExtender interface name. string Not

extension Specified

modem2- FortiExtender interface name. string Not

extension Specified

config extension-controller fortigate-profile

FortiGate connector profile configuration.

config extension-controller fortigate-profile
Description: FortiGate connector profile configuration.
edit <name>
set id {integer}
set extension {option}
config lan-extension
Description: FortiGate connector LAN extension configuration.
set ipsec-tunnel {string}
set backhaul-interface {string}
set backhaul-ip {string}
end
next

FortiOS 7.2.1 CLI Reference 156

Fortinet Inc.
end

config extension-controller fortigate-profile

Parameter Description Type Size Default

id ID. integer Minimum 32

value: 0
Maximum
value:
102400000

extension Extension option. option - lan-

extension

Option Description

lan-extension LAN extension.

config lan-extension

Parameter Description Type Size Default

ipsec-tunnel IPsec tunnel name. string Not

Specified

backhaul- IPsec phase1 interface. string Not

interface Specified

backhaul-ip IPsec phase1 IPv4/FQDN. Used to specify the external string Not
IP/FQDN when the FortiGate unit is behind a NAT Specified
device.

config extension-controller fortigate

FortiGate controller configuration.

config extension-controller fortigate
Description: FortiGate controller configuration.
edit <name>
set id {string}
set authorized [disable|enable]
set hostname {string}
set description {string}
set vdom {integer}
set device-id {integer}
set profile {string}
next
end

FortiOS 7.2.1 CLI Reference 157

Fortinet Inc.
config extension-controller fortigate

Parameter Description Type Size Default

id FortiGate serial number. string Not Specified

authorized Enable/disable FortiGate administration. option - disable

Option Description

disable Controller is configured to not provide service to this FortiGate.

enable Controller is configured to provide service to this FortiGate.

hostname FortiGate hostname. string Not Specified

description Description. string Not Specified

vdom VDOM. integer Minimum 0

value: 0
Maximum
value:
4294967295

device-id device-id integer Minimum 1024

value: 0
Maximum
value:
4294967295

profile FortiGate profile configuration. string Not Specified

FortiOS 7.2.1 CLI Reference 158

Fortinet Inc.
file-filter

This section includes syntax for the following commands:

l config file-filter profile on page 159

config file-filter profile

Configure file-filter profiles.

config file-filter profile
Description: Configure file-filter profiles.
edit <name>
set comment {var-string}
set feature-set [flow|proxy]
set replacemsg-group {string}
set log [disable|enable]
set extended-log [disable|enable]
set scan-archive-contents [disable|enable]
config rules
Description: File filter rules.
edit <name>
set comment {var-string}
set protocol {option1}, {option2}, ...
set action [log-only|block]
set direction [incoming|outgoing|...]
set password-protected [yes|any]
set file-type <name1>, <name2>, ...
next
end
next
end

config file-filter profile

Parameter Description Type Size Default

scan-archive- Enable/disable archive contents scan. option - enable

contents

Option Description

disable Disable scanning archive contents.

enable Enable scanning archive contents.

config rules

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

protocol Protocols to apply rule to. option - http ftp

smtp imap
pop3 mapi
cifs ssh

Option Description

http Filter on HTTP.

ftp Filter on FTP.

smtp Filter on SMTP.

imap Filter on IMAP.

pop3 Filter on POP3.

mapi Filter on MAPI. (Proxy mode only.)

cifs Filter on CIFS.

ssh Filter on SFTP and SCP. (Proxy mode only.)

FortiOS 7.2.1 CLI Reference 160

Fortinet Inc.
Parameter Description Type Size Default

action Action taken for matched file. option - log-only

Option Description

log-only Allow the content and write a log message.

block Block the content and write a log message.

direction Traffic direction (HTTP, FTP, SSH, CIFS only). option - any

Option Description

incoming Match files transmitted in the session's reply direction.

outgoing Match files transmitted in the session's originating direction.

any Match files transmitted in the session's originating and reply directions.

password- Match password-protected files. option - any

protected

Option Description

yes Match only password-protected files.

any Match any file.

file-type Select file type. string Maximum

<name> File type name. length: 39

FortiOS 7.2.1 CLI Reference 161

Fortinet Inc.
firewall

This section includes syntax for the following commands:

l config firewall address6-template on page 170
l config firewall internet-service-ipbl-reason on page 199
l config firewall multicast-address6 on page 175
l config firewall proxy-addrgrp on page 211
l config firewall internet-service-extension on page 191
l config firewall proute on page 468
l config firewall internet-service-ipbl-vendor on page 199
l config firewall proxy-address on page 207
l config firewall region on page 187
l config firewall traffic-class on page 180
l config firewall ldb-monitor on page 218
l config firewall local-in-policy6 on page 427
l config firewall interface-policy on page 442
l config firewall vip6 on page 250
l config firewall ipmacbinding setting on page 330
l config firewall internet-service-custom on page 194
l config firewall access-proxy6 on page 309
l config firewall shaper traffic-shaper on page 203
l config firewall network-service-dynamic on page 202
l config firewall city on page 186
l config firewall internet-service-custom-group on page 198
l config firewall policy on page 398
l config firewall schedule group on page 214
l config firewall dnstranslation on page 438
l config firewall ttl-policy on page 429
l config firewall schedule onetime on page 212
l config firewall wildcard-fqdn group on page 180
l config firewall interface-policy6 on page 445
l config firewall access-proxy-ssh-client-cert on page 286
l config firewall shaper per-ip-shaper on page 205
l config firewall vipgrp6 on page 280
l config firewall internet-service-addition on page 196
l config firewall ssh local-ca on page 281
l config firewall ipv6-eh-filter on page 465
l config firewall ssh host-key on page 283
l config firewall sniffer on page 453
l config firewall identity-based-route on page 388
l config firewall ippool6 on page 217
l config firewall acl on page 458

FortiOS 7.2.1 CLI Reference 162

Fortinet Inc.
l config firewall profile-group on page 384
l config firewall proute6 on page 468
l config firewall iprope appctrl list on page 467
l config firewall internet-service-reputation on page 194
l config firewall profile-protocol-options on page 332
l config firewall ipmacbinding table on page 331
l config firewall internet-service-append on page 197
l config firewall internet-service-botnet on page 201
l config firewall iprope list on page 467
l config firewall vendor-mac on page 202
l config firewall decrypted-traffic-mirror on page 285
l config firewall access-proxy-virtual-host on page 285
l config firewall internet-service-group on page 190
l config firewall internet-service-definition on page 200
l config firewall addrgrp6 on page 178
l config firewall ssh local-key on page 280
l config firewall shaper traffic on page 207
l config firewall shaping-profile on page 423
l config firewall auth-portal on page 389
l config firewall ip-translation on page 464
l config firewall internet-service-sld on page 198
l config firewall schedule recurring on page 213
l config firewall ssl-ssh-profile on page 356
l config firewall global on page 466
l config firewall central-snat-map on page 460
l config firewall service custom on page 181
l config firewall DoS-policy6 on page 450
l config firewall multicast-policy6 on page 440
l config firewall internet-service-name on page 189
l config firewall service group on page 185
l config firewall ssl-server on page 385
l config firewall ssh setting on page 282
l config firewall internet-service on page 188
l config firewall wildcard-fqdn custom on page 179
l config firewall service category on page 181
l config firewall internet-service-owner on page 200
l config firewall security-policy on page 389
l config firewall vendor-mac-summary on page 203
l config firewall multicast-policy on page 438
l config firewall addrgrp on page 176
l config firewall address on page 164
l config firewall local-in-policy on page 425
l config firewall multicast-address on page 169
l config firewall vip on page 220
l config firewall internet-service-list on page 200

FortiOS 7.2.1 CLI Reference 163

Fortinet Inc.
l config firewall shaper per-ip on page 207
l config firewall ippool on page 214
l config firewall vipgrp on page 279
l config firewall ssl setting on page 462
l config firewall acl6 on page 459
l config firewall iprope appctrl status on page 467
l config firewall shaping-policy on page 418
l config firewall proxy-policy on page 430
l config firewall DoS-policy on page 448
l config firewall access-proxy on page 288
l config firewall address6 on page 172
l config firewall country on page 187

config firewall address

Configure IPv4 addresses.

config firewall address
Description: Configure IPv4 addresses.
edit <name>
set uuid {uuid}
set subnet {ipv4-classnet-any}
set type [ipmask|iprange|...]
set sub-type [sdn|clearpass-spt|...]
set clearpass-spt [unknown|healthy|...]
set macaddr <macaddr1>, <macaddr2>, ...
set start-ip {ipv4-address-any}
set end-ip {ipv4-address-any}
set fqdn {string}
set country {string}
set wildcard-fqdn {string}
set cache-ttl {integer}
set wildcard {ipv4-classnet-any}
set sdn {string}
set fsso-group <name1>, <name2>, ...
set interface {string}
set tenant {string}
set organization {string}
set epg-name {string}
set subnet-name {string}
set sdn-tag {string}
set policy-group {string}
set obj-tag {string}
set obj-type [ip|mac]
set tag-detection-level {string}
set tag-type {string}
set comment {var-string}
set associated-interface {string}
set color {integer}
set filter {var-string}
set sdn-addr-type [private|public|...]
set node-ip-only [enable|disable]
set obj-id {var-string}

FortiOS 7.2.1 CLI Reference 164

Fortinet Inc.
config list
Description: IP address list.
edit <ip>
next
end
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set allow-routing [enable|disable]
set fabric-object [enable|disable]
next
end

config firewall address

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

subnet IP address and subnet mask of address. ipv4- Not 0.0.0.0 0.0.0.0
classnet- Specified
any

type Type of address. option - ipmask

Option Description

ipmask Standard IPv4 address with subnet mask.

iprange Range of IPv4 addresses between two specified addresses (inclusive).

fqdn Fully Qualified Domain Name address.

geography IP addresses from a specified country.

wildcard Standard IPv4 using a wildcard subnet mask.

dynamic Dynamic address object.

interface-subnet IP and subnet of interface.

mac Range of MAC addresses.

sub-type Sub-type of address. option - sdn

Option Description

sdn SDN address.

FortiOS 7.2.1 CLI Reference 165

Fortinet Inc.
Parameter Description Type Size Default

Option Description

clearpass-spt ClearPass SPT (System Posture Token) address.

fsso FSSO address.

ems-tag FortiClient EMS tag.

fortivoice-tag FortiVoice tag.

fortinac-tag FortiNAC tag.

swc-tag Switch Controller NAC policy tag.

clearpass-spt SPT (System Posture Token) value. option - unknown

Option Description

unknown UNKNOWN.

healthy HEALTHY.

quarantine QUARANTINE.

checkup CHECKUP.

transient TRANSIENT.

Specified

sdn-addr-type Type of addresses to collect. option - private

Option Description

private Collect private addresses only.

public Collect public addresses only.

all Collect both public and private addresses.

node-ip-only Enable/disable collection of node addresses only option - disable

in Kubernetes.

Option Description

enable Enable collection of node addresses only in Kubernetes.

disable Disable collection of node addresses only in Kubernetes.

obj-id Object ID for NSX. var-string Not

Specified

allow-routing Enable/disable use of this address in the static option - disable

route configuration.

Option Description

enable Enable use of this address in the static route configuration.

disable Disable use of this address in the static route configuration.

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

FortiOS 7.2.1 CLI Reference 168

Fortinet Inc.
config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall multicast-address

Configure multicast addresses.

config firewall multicast-address
Description: Configure multicast addresses.
edit <name>
set type [multicastrange|broadcastmask]
set subnet {ipv4-classnet-any}
set start-ip {ipv4-address-any}
set end-ip {ipv4-address-any}
set comment {var-string}
set associated-interface {string}
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
next
end

config firewall multicast-address

Parameter Description Type Size Default

type Type of address object: multicast IP address range option - multicastrange

or broadcast IP/mask to be treated as a multicast
address.

Option Description

multicastrange Multicast range.

broadcastmask Broadcast IP/mask.

subnet Broadcast address and subnet. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
any

FortiOS 7.2.1 CLI Reference 169

Fortinet Inc.
Parameter Description Type Size Default

start-ip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

end-ip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any

comment Comment. var-string Not

Specified

associated- Interface associated with the address object. When string Not
interface setting up a policy, only addresses associated with Specified
this interface are available.

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall address6-template

Configure IPv6 address templates.

config firewall address6-template
Description: Configure IPv6 address templates.
edit <name>
set ip6 {ipv6-network}
set subnet-segment-count {integer}
config subnet-segment
Description: IPv6 subnet segments.
edit <id>
set name {string}
set bits {integer}
set exclusive [enable|disable]
config values
Description: Subnet segment values.
edit <name>
set value {string}
next
end
next

FortiOS 7.2.1 CLI Reference 170

Fortinet Inc.
end
set fabric-object [enable|disable]
next
end

config firewall address6-template

Parameter Description Type Size Default

ip6 IPv6 address prefix. ipv6- Not ::/0

network Specified

subnet- Number of IPv6 subnet segments. integer Minimum 0

segment- value: 1
count Maximum
value: 6

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config subnet-segment

Parameter Description Type Size Default

name Subnet segment name. string Not

Specified

bits Number of bits. integer Minimum 0

value: 1
Maximum
value: 16

exclusive Enable/disable exclusive value. option - disable

Option Description

enable Enable exclusive value.

disable Disable exclusive value.

config values

Parameter Description Type Size Default

value Subnet segment value. string Not

Specified

FortiOS 7.2.1 CLI Reference 171

Fortinet Inc.
config firewall address6

Configure IPv6 firewall addresses.

config firewall address6
Description: Configure IPv6 firewall addresses.
edit <name>
set uuid {uuid}
set type [ipprefix|iprange|...]
set macaddr <macaddr1>, <macaddr2>, ...
set sdn {string}
set ip6 {ipv6-network}
set start-ip {ipv6-address}
set end-ip {ipv6-address}
set fqdn {string}
set country {string}
set cache-ttl {integer}
set color {integer}
set obj-id {var-string}
config list
Description: IP address list.
edit <ip>
next
end
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set comment {var-string}
set template {string}
config subnet-segment
Description: IPv6 subnet segments.
edit <name>
set type [any|specific]
set value {string}
next
end
set host-type [any|specific]
set host {ipv6-address}
set tenant {string}
set epg-name {string}
set sdn-tag {string}
set fabric-object [enable|disable]
next
end

FortiOS 7.2.1 CLI Reference 172

Fortinet Inc.
config firewall address6

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

type Type of IPv6 address object . option - ipprefix

Option Description

ipprefix Uses the IP prefix to define a range of IPv6 addresses.

iprange Range of IPv6 addresses between two specified addresses (inclusive).

fqdn Fully qualified domain name.

geography IPv6 addresses from a specified country.

dynamic Dynamic address object for SDN.

template Template.

mac Range of MAC addresses.

macaddr Multiple MAC address ranges. string Maximum

<macaddr> MAC address ranges <start>[-<end>] separated length: 127
by space.

sdn SDN. string Not

Specified

ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified

start-ip First IP address (inclusive) in the range for the ipv6- Not ::
address (format: address Specified
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

end-ip Final IP address (inclusive) in the range for the ipv6- Not ::
address (format: address Specified
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

fqdn Fully qualified domain name. string Not

Specified

country IPv6 addresses associated to a specific country. string Not

Specified

cache-ttl Minimal TTL of individual IPv6 addresses in FQDN integer Minimum 0

cache. value: 0
Maximum
value:
86400

FortiOS 7.2.1 CLI Reference 173

Fortinet Inc.
Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

obj-id Object ID for NSX. var-string Not

disable Object is local to this security fabric member.

config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

FortiOS 7.2.1 CLI Reference 174

Fortinet Inc.
config subnet-segment

Parameter Description Type Size Default

type Subnet segment type. option - any

Option Description

any Wildcard.

specific Specific subnet segment address.

value Subnet segment value. string Not

Specified

config firewall multicast-address6

Configure IPv6 multicast address.

config firewall multicast-address6
Description: Configure IPv6 multicast address.
edit <name>
set ip6 {ipv6-network}
set comment {var-string}
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
next
end

config firewall multicast-address6

Parameter Description Type Size Default

ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified

comment Comment. var-string Not

Specified

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

FortiOS 7.2.1 CLI Reference 175

Fortinet Inc.
config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall addrgrp

Configure IPv4 address groups.

config firewall addrgrp
Description: Configure IPv4 address groups.
edit <name>
set type [default|folder]
set category [default|ztna-ems-tag|...]
set uuid {uuid}
set member <name1>, <name2>, ...
set comment {var-string}
set exclude [enable|disable]
set exclude-member <name1>, <name2>, ...
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set allow-routing [enable|disable]
set fabric-object [enable|disable]
next
end

config firewall addrgrp

Parameter Description Type Size Default

type Address group type. option - default

Option Description

default Default address group type (address may belong to multiple groups).

folder Address folder group (members may not belong to any other group).

category Address group category. option - default

FortiOS 7.2.1 CLI Reference 176

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Default address group category (cannot be used as ztna-ems-tag/ztna-geo-

tag in policy).

ztna-ems-tag Members must be ztna-ems-tag group or ems-tag address, can be used as

ztna-ems-tag in policy.

ztna-geo-tag Members must be ztna-geo-tag group or geographic address, can be used as

ztna-geo-tag in policy.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall addrgrp6

Configure IPv6 address groups.

config firewall addrgrp6
Description: Configure IPv6 address groups.
edit <name>
set uuid {uuid}
set color {integer}
set comment {var-string}
set member <name1>, <name2>, ...
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set fabric-object [enable|disable]
next
end

config firewall addrgrp6

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

comment Comment. var-string Not

Specified

member Address objects contained within the group. string Maximum

<name> Address6/addrgrp6 name. length: 79

fabric-object Security Fabric global object setting. option - disable

FortiOS 7.2.1 CLI Reference 178

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall wildcard-fqdn custom

Config global/VDOM Wildcard FQDN address.

config firewall wildcard-fqdn custom
Description: Config global/VDOM Wildcard FQDN address.
edit <name>
set uuid {uuid}
set wildcard-fqdn {string}
set color {integer}
set comment {var-string}
next
end

config firewall wildcard-fqdn custom

Parameter Description Type Size Default

config firewall traffic-class
Description: Configure names for shaping classes.
edit <class-id>
set class-name {string}
next
end

config firewall traffic-class

Parameter Description Type Size Default

class-name Define the name for this class-id. string Not

Specified

FortiOS 7.2.1 CLI Reference 180

Fortinet Inc.
config firewall service category

Configure service categories.

config firewall service category
Description: Configure service categories.
edit <name>
set comment {var-string}
set fabric-object [enable|disable]
next
end

config firewall service category

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config firewall service custom

Configure custom services.

config firewall service custom
Description: Configure custom services.
edit <name>
set proxy [enable|disable]
set category {string}
set protocol [TCP/UDP/SCTP|ICMP|...]
set helper [auto|disable|...]
set iprange {user}
set fqdn {string}
set protocol-number {integer}
set icmptype {integer}
set icmpcode {integer}
set tcp-portrange {user}
set udp-portrange {user}
set sctp-portrange {user}
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-timewait-timer {integer}
set tcp-rst-timer {integer}
set udp-idle-timer {integer}
set session-ttl {user}
set check-reset-range [disable|strict|...]
set comment {var-string}

FortiOS 7.2.1 CLI Reference 181

Fortinet Inc.
set color {integer}
set visibility [enable|disable]
set app-service-type [disable|app-id|...]
set app-category <id1>, <id2>, ...
set application <id1>, <id2>, ...
set fabric-object [enable|disable]
next
end

config firewall service custom

Parameter Description Type Size Default

proxy Enable/disable web proxy service. option - disable

Option Description

enable Enable setting.

disable Disable setting.

category Service category. string Not Specified

protocol Protocol type based on IANA numbers. option - TCP/UDP/SCTP

Option Description

TCP/UDP/SCTP TCP, UDP and SCTP.

ICMP ICMP.

ICMP6 ICMP6.

IP IP.

HTTP HTTP - for web proxy.

FTP FTP - for web proxy.

CONNECT Connect - for web proxy.

SOCKS-TCP Socks TCP - for web proxy.

SOCKS-UDP Socks UDP - for web proxy.

ALL All - for web proxy.

helper Helper name. option - auto

Option Description

auto Automatically select helper based on protocol and port.

disable Disable helper.

ftp FTP.

FortiOS 7.2.1 CLI Reference 182

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tftp TFTP.

ras RAS.

h323 H323.

tns TNS.

mms MMS.

sip SIP.

pptp PPTP.

rtsp RTSP.

dns-udp DNS UDP.

dns-tcp DNS TCP.

pmap PMAP.

rsh RSH.

dcerpc DCERPC.

mgcp MGCP.

iprange Start and end of the IP range associated with user Not Specified
service.

fqdn Fully qualified domain name. string Not Specified

protocol- IP protocol number. integer Minimum 0

number value: 0
Maximum
value: 254

icmptype ICMP type. integer Minimum

value: 0
Maximum
value:
4294967295

icmpcode ICMP code. integer Minimum

value: 0
Maximum
value: 255

tcp-portrange Multiple TCP port ranges. user Not Specified

udp-portrange Multiple UDP port ranges. user Not Specified

FortiOS 7.2.1 CLI Reference 183

Fortinet Inc.
Parameter Description Type Size Default

sctp- Multiple SCTP port ranges. user Not Specified

portrange

tcp-halfclose- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered FIN packet . value: 0
Maximum
value: 86400

tcp-halfopen- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered open session packet . value: 0
Maximum
value: 86400

tcp-timewait- Set the length of the TCP TIME-WAIT state in integer Minimum 0
timer seconds . value: 0
Maximum
value: 300

tcp-rst-timer Set the length of the TCP CLOSE state in integer Minimum 0
seconds . value: 5
Maximum
value: 300

udp-idle-timer UDP half close timeout . integer Minimum 0

value: 0
Maximum
value: 86400

session-ttl Session TTL . user Not Specified

check-reset- Configure the type of ICMP error message option - default

range verification.

Option Description

disable Disable RST range check.

strict Check RST range strictly.

default Using system default setting.

comment Comment. var-string Not Specified

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

visibility Enable/disable the visibility of the service on option - enable

the GUI.

FortiOS 7.2.1 CLI Reference 184

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Show in service selection.

disable Hide from service selection.

app-service- Application service type. option - disable

type

Option Description

disable Disable application type.

app-id Application ID.

app-category Applicatin category.

app-category Application category ID. integer Minimum

<id> Application category id. value: 0
Maximum
value:
4294967295

application Application ID. integer Minimum

<id> Application id. value: 0
Maximum
value:
4294967295

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config firewall service group

Configure service groups.

config firewall service group
Description: Configure service groups.
edit <name>
set proxy [enable|disable]
set member <name1>, <name2>, ...
set comment {var-string}
set color {integer}
set fabric-object [enable|disable]
next
end

FortiOS 7.2.1 CLI Reference 185

Fortinet Inc.
config firewall service group

Parameter Description Type Size Default

proxy Enable/disable web proxy service group. option - disable

Option Description

enable Enable setting.

disable Disable setting.

member Service objects contained within the group. string Maximum

<name> Address name. length: 79

comment Comment. var-string Not

Specified

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config firewall city

Define city table.

config firewall city
Description: Define city table.
edit <id>
set name {string}
next
end

config firewall city

Parameter Description Type Size Default

name City name. string Not

Specified

FortiOS 7.2.1 CLI Reference 186

Fortinet Inc.
config firewall region

Define region table.

config firewall region
Description: Define region table.
edit <id>
set name {string}
set city <id1>, <id2>, ...
next
end

config firewall region

Parameter Description Type Size Default

name Region name. string Not

Specified

city <id> City ID list. integer Minimum

City ID. value: 0
Maximum
value:
65535

config firewall country

Define country table.

config firewall country
Description: Define country table.
edit <id>
set name {string}
set region <id1>, <id2>, ...
next
end

config firewall country

Parameter Description Type Size Default

name Country name. string Not

Specified

region <id> Region ID list. integer Minimum

Region ID. value: 0
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 187

Fortinet Inc.
config firewall internet-service

Show Internet Service application.

config firewall internet-service
Description: Show Internet Service application.
edit <id>
set name {string}
set icon-id {integer}
set direction [src|dst|...]
set database [isdb|irdb]
set ip-range-number {integer}
set extra-ip-range-number {integer}
set ip-number {integer}
set ip6-range-number {integer}
set extra-ip6-range-number {integer}
set singularity {integer}
set obsolete {integer}
next
end

config firewall internet-service

Parameter Description Type Size Default

name Internet Service name. string Not Specified

icon-id Icon ID of Internet Service. integer Minimum 0

value: 0
Maximum
value:
4294967295

direction How this service may be used in a firewall policy option - both
(source, destination or both).

Option Description

src As source in the firewall policy.

dst As destination in the firewall policy.

both Both directions in the firewall policy.

database Database name this Internet Service belongs to. option - isdb

Option Description

isdb Internet Service Database.

irdb Internet RRR Database.

FortiOS 7.2.1 CLI Reference 188

Fortinet Inc.
Parameter Description Type Size Default

ip-range- Number of IPv4 ranges. integer Minimum 0

number value: 0
Maximum
value:
4294967295

extra-ip- Extra number of IPv4 ranges. integer Minimum 0

range-number value: 0
Maximum
value:
4294967295

ip-number Total number of IPv4 addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295

ip6-range- Number of IPv6 ranges. integer Minimum 0

number value: 0
Maximum
value:
4294967295

extra-ip6- Extra number of IPv6 ranges. integer Minimum 0

range-number value: 0
Maximum
value:
4294967295

singularity Singular level of the Internet Service. integer Minimum 0

value: 0
Maximum
value: 65535

obsolete Indicates whether the Internet Service can be used. integer Minimum 0
value: 0
Maximum
value: 255

config firewall internet-service-name

Define internet service names.

config firewall internet-service-name
Description: Define internet service names.
edit <name>
set type [default|location]
set internet-service-id {integer}
set country-id {integer}
set region-id {integer}

FortiOS 7.2.1 CLI Reference 189

Fortinet Inc.
set city-id {integer}
next
end

config firewall internet-service-name

Parameter Description Type Size Default

type Internet Service name type. option - default

Option Description

default Automatically generated Internet Service.

location Geography location based Internet Service.

internet- Internet Service ID. integer Minimum 0

service-id value: 0
Maximum
value:
4294967295

country-id Country or Area ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

region-id Region ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

city-id City ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config firewall internet-service-group

Configure group of Internet Service.

config firewall internet-service-group
Description: Configure group of Internet Service.
edit <name>
set comment {var-string}
set direction [source|destination|...]
set member <name1>, <name2>, ...
next
end

FortiOS 7.2.1 CLI Reference 190

Fortinet Inc.
config firewall internet-service-group

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

direction How this service may be used (source, destination or option - both
both).

Option Description

source As source when applied.

destination As destination when applied.

both Both directions when applied.

member Internet Service group member. string Maximum

<name> Internet Service name. length: 79

config firewall internet-service-extension

Configure Internet Services Extension.

config firewall internet-service-extension
Description: Configure Internet Services Extension.
edit <id>
set comment {var-string}
config entry
Description: Entries added to the Internet Service extension database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
set dst <name1>, <name2>, ...
set dst6 <name1>, <name2>, ...
next
end
config disable-entry
Description: Disable entries in the Internet Service database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the disable entry.
edit <id>
set start-port {integer}
set end-port {integer}

FortiOS 7.2.1 CLI Reference 191

Fortinet Inc.
next
end
config ip-range
Description: IPv4 ranges in the disable entry.
edit <id>
set start-ip {ipv4-address-any}
set end-ip {ipv4-address-any}
next
end
config ip6-range
Description: IPv6 ranges in the disable entry.
edit <id>
set start-ip6 {ipv6-address}
set end-ip6 {ipv6-address}
next
end
next
end
next
end

config firewall internet-service-extension

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

config entry

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6) option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA . integer Minimum 0
value: 0
Maximum
value: 255

dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.

dst6 <name> Destination address6 or address6 group name. string Maximum

Select the destination address6 or address group object length: 79
from available options.

FortiOS 7.2.1 CLI Reference 192

Fortinet Inc.
config port-range

Parameter Description Type Size Default

start-port Starting TCP/UDP/SCTP destination port (0 to 65535). integer Minimum 1

value: 0
Maximum
value:
65535

end-port Ending TCP/UDP/SCTP destination port (0 to 65535). integer Minimum 65535

value: 0
Maximum
value:
65535

config disable-entry

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6) option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA . integer Minimum 0
value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

start-port Starting TCP/UDP/SCTP destination port (0 to 65535). integer Minimum 1

value: 0
Maximum
value:
65535

end-port Ending TCP/UDP/SCTP destination port (0 to 65535). integer Minimum 65535

value: 0
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 193

Fortinet Inc.
config ip-range

Parameter Description Type Size Default

start-ip Start IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any

end-ip End IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any

config ip6-range

Parameter Description Type Size Default

start-ip6 Start IPv6 address. ipv6- Not 75:6da3:3c50:be33:54aa:be33:3c50:be33 **

address Specified

end-ip6 End IPv6 address. ipv6- Not f7e2:1:78aa:be33:1850:be33:100:0 **

address Specified

** Values may differ between models.

config firewall internet-service-reputation

Show Internet Service reputation.

config firewall internet-service-reputation
Description: Show Internet Service reputation.
edit <id>
set description {string}
next
end

config firewall internet-service-reputation

Parameter Description Type Size Default

description Description. string Not

Specified

config firewall internet-service-custom

Configure custom Internet Services.

config firewall internet-service-custom
Description: Configure custom Internet Services.
edit <name>
set reputation {integer}
set comment {var-string}

FortiOS 7.2.1 CLI Reference 194

Fortinet Inc.
config entry
Description: Entries added to the Internet Service database and custom database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
set dst <name1>, <name2>, ...
set dst6 <name1>, <name2>, ...
next
end
next
end

config firewall internet-service-custom

Parameter Description Type Size Default

reputation Reputation level of the custom Internet Service. integer Minimum 3

value: 0
Maximum
value:
4294967295

comment Comment. var-string Not Specified

config entry

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6) option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA . integer Minimum 0
value: 0
Maximum
value: 255

dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.

FortiOS 7.2.1 CLI Reference 195

Fortinet Inc.
Parameter Description Type Size Default

dst6 <name> Destination address6 or address6 group name. string Maximum

Select the destination address6 or address group object length: 79
from available options.

config port-range

Parameter Description Type Size Default

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value:
65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value:
65535

config firewall internet-service-addition

Configure Internet Services Addition.

config firewall internet-service-addition
Description: Configure Internet Services Addition.
edit <id>
set comment {var-string}
config entry
Description: Entries added to the Internet Service addition database.
edit <id>
set addr-mode [ipv4|ipv6]
set protocol {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
next
end
next
end

FortiOS 7.2.1 CLI Reference 196

Fortinet Inc.
config firewall internet-service-addition

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

config entry

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6) option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

protocol Integer value for the protocol type as defined by IANA . integer Minimum 0
value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value:
65535

end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
port in range (0 to 65535). value: 0
Maximum
value:
65535

config firewall internet-service-append

Configure additional port mappings for Internet Services.

config firewall internet-service-append
Description: Configure additional port mappings for Internet Services.
set addr-mode [ipv4|ipv6|...]
set match-port {integer}
set append-port {integer}
end

FortiOS 7.2.1 CLI Reference 197

Fortinet Inc.
config firewall internet-service-append

Parameter Description Type Size Default

addr-mode Address mode (IPv4 or IPv6) option - ipv4

Option Description

ipv4 IPv4 mode.

ipv6 IPv6 mode.

both Both IPv4 and IPv6 mode.

match-port Matching TCP/UDP/SCTP destination port (0 to 65535, integer Minimum 0

0 means any port). value: 0
Maximum
value:
65535

append-port Appending TCP/UDP/SCTP destination port (1 to integer Minimum 0

65535). value: 1
Maximum
value:
65535

config firewall internet-service-custom-group

Configure custom Internet Service group.

config firewall internet-service-custom-group
Description: Configure custom Internet Service group.
edit <name>
set comment {var-string}
set member <name1>, <name2>, ...
next
end

config firewall internet-service-custom-group

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

member Custom Internet Service group members. string Maximum

<name> Group member name. length: 79

config firewall internet-service-sld

FortiOS 7.2.1 CLI Reference 199

Fortinet Inc.
config firewall internet-service-owner

Internet Service owner.

config firewall internet-service-owner
Description: Internet Service owner.
edit <id>
set name {string}
next
end

config firewall internet-service-owner

Parameter Description Type Size Default

name Internet Service owner name. string Not

Specified

config firewall internet-service-list

Internet Service list.

config firewall internet-service-list
Description: Internet Service list.
edit <id>
set name {string}
next
end

config firewall internet-service-list

Parameter Description Type Size Default

name Internet Service category name. string Not

Specified

config firewall internet-service-definition

Configure Internet Service definition.

config firewall internet-service-definition
Description: Configure Internet Service definition.
edit <id>
config entry
Description: Protocol and port information in an Internet Service entry.
edit <seq-num>
set category-id {integer}
set name {string}
set protocol {integer}
config port-range
Description: Port ranges in the definition entry.

FortiOS 7.2.1 CLI Reference 200

Fortinet Inc.
edit <id>
set start-port {integer}
set end-port {integer}
next
end
next
end
next
end

config entry

Parameter Description Type Size Default

category-id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

name Internet Service name. string Not Specified

protocol Integer value for the protocol type as defined by IANA integer Minimum 0
. value: 0
Maximum
value: 255

config port-range

Parameter Description Type Size Default

start-port Starting TCP/UDP/SCTP destination port (1 to 65535). integer Minimum 1

value: 1
Maximum
value:
65535

end-port Ending TCP/UDP/SCTP destination port (1 to 65535). integer Minimum 65535

value: 1
Maximum
value:
65535

config firewall internet-service-botnet

Show Internet Service botnet.

config firewall internet-service-botnet
Description: Show Internet Service botnet.
edit <id>
set name {string}
next
end

FortiOS 7.2.1 CLI Reference 201

Fortinet Inc.
config firewall internet-service-botnet

Parameter Description Type Size Default

name Internet Service Botnet name. string Not

Specified

config firewall network-service-dynamic

Parameter Description Type Size Default

sdn SDN connector name. string Not

Specified

comment Comment. var-string Not

Specified

filter Match criteria filter. var-string Not

Specified

config firewall vendor-mac

Show vendor and the MAC address they have.

config firewall vendor-mac
Description: Show vendor and the MAC address they have.
edit <id>
set name {string}
set mac-number {integer}
set obsolete {integer}
next
end

FortiOS 7.2.1 CLI Reference 202

Fortinet Inc.
config firewall vendor-mac

Parameter Description Type Size Default

name Vendor name. string Not Specified

mac-number Total number of MAC addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295

obsolete Indicates whether the Vendor ID can be used. integer Minimum 0

value: 0
Maximum
value: 255

config firewall vendor-mac-summary

Vendor MAC database summary.

config firewall vendor-mac-summary
Description: Vendor MAC database summary.
end

config firewall shaper traffic-shaper

Configure shared traffic shaper.

config firewall shaper traffic-shaper
Description: Configure shared traffic shaper.
edit <name>
set guaranteed-bandwidth {integer}
set maximum-bandwidth {integer}
set bandwidth-unit [kbps|mbps|...]
set priority [low|medium|...]
set per-policy [disable|enable]
set diffserv [enable|disable]
set diffservcode {user}
set dscp-marking-method [multi-stage|static]
set exceed-bandwidth {integer}
set exceed-dscp {user}
set maximum-dscp {user}
set overhead {integer}
set exceed-class-id {integer}
next
end

FortiOS 7.2.1 CLI Reference 203

Fortinet Inc.
config firewall shaper traffic-shaper

Parameter Description Type Size Default

guaranteed- Amount of bandwidth guaranteed for this shaper . integer Minimum 0

bandwidth Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000

enable Each referring policy has its own traffic shaper.

diffserv Enable/disable changing the DiffServ setting applied option - disable

to traffic accepted by this shaper.

FortiOS 7.2.1 CLI Reference 204

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting traffic DiffServ.

disable Disable setting traffic DiffServ.

diffservcode DiffServ setting to be applied to traffic accepted by user Not Specified

this shaper.

dscp-marking- Select DSCP marking method. option - static

method

Option Description

multi-stage Multistage marking.

static Static marking.

exceed- Exceed bandwidth used for DSCP multi-stage integer Minimum 0

bandwidth marking. Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000

exceed-dscp DSCP mark for traffic in guaranteed-bandwidth and user Not Specified
exceed-bandwidth.

maximum- DSCP mark for traffic in exceed-bandwidth and user Not Specified
dscp maximum-bandwidth.

overhead Per-packet size overhead used in rate computations. integer Minimum 0

value: 0
Maximum
value: 100

exceed-class- Class ID for traffic in guaranteed-bandwidth and integer Minimum 0

id maximum-bandwidth. value: 0
Maximum
value:
4294967295

config firewall shaper per-ip-shaper

Configure per-IP traffic shaper.

config firewall shaper per-ip-shaper
Description: Configure per-IP traffic shaper.
edit <name>
set max-bandwidth {integer}
set bandwidth-unit [kbps|mbps|...]
set max-concurrent-session {integer}
set max-concurrent-tcp-session {integer}
set max-concurrent-udp-session {integer}

FortiOS 7.2.1 CLI Reference 205

Fortinet Inc.
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
next
end

config firewall shaper per-ip-shaper

Parameter Description Type Size Default

max-bandwidth Upper bandwidth limit enforced by this shaper . 0 integer Minimum 0

means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000

bandwidth-unit Unit of measurement for maximum bandwidth for this option - kbps
shaper (Kbps, Mbps or Gbps).

Option Description

kbps Kilobits per second.

mbps Megabits per second.

gbps Gigabits per second.

max- Maximum number of concurrent sessions allowed by integer Minimum 0

concurrent- this shaper . 0 means no limit. value: 0
session Maximum
value:
2097000

max- Maximum number of concurrent TCP sessions allowed integer Minimum 0

concurrent-tcp- by this shaper . 0 means no limit. value: 0
session Maximum
value:
2097000

max- Maximum number of concurrent UDP sessions integer Minimum 0

concurrent- allowed by this shaper . 0 means no limit. value: 0
udp-session Maximum
value:
2097000

diffserv- Enable/disable changing the Forward (original) option - disable

forward DiffServ setting applied to traffic accepted by this
shaper.

FortiOS 7.2.1 CLI Reference 206

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting forward (original) traffic DiffServ.

disable Disable setting forward (original) traffic DiffServ.

diffserv- Enable/disable changing the Reverse (reply) DiffServ option - disable

reverse setting applied to traffic accepted by this shaper.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Forward (original) DiffServ setting to be applied to user Not

forward traffic accepted by this shaper. Specified

diffservcode- Reverse (reply) DiffServ setting to be applied to traffic user Not

rev accepted by this shaper. Specified

config firewall shaper traffic

Shared traffic shapers.

config firewall shaper traffic
Description: Shared traffic shapers.
end

config firewall shaper per-ip

Per-IP traffic shapers.

config firewall shaper per-ip
Description: Per-IP traffic shapers.
end

config firewall proxy-address

Configure web proxy address.

config firewall proxy-address
Description: Configure web proxy address.
edit <name>
set uuid {uuid}
set type [host-regex|url|...]
set host {string}
set host-regex {string}
set path {string}
set query {string}
set referrer [enable|disable]

FortiOS 7.2.1 CLI Reference 207

Fortinet Inc.
set category <id1>, <id2>, ...
set method {option1}, {option2}, ...
set ua {option1}, {option2}, ...
set header-name {string}
set header {string}
set case-sensitivity [disable|enable]
config header-group
Description: HTTP header group.
edit <id>
set header-name {string}
set header {string}
set case-sensitivity [disable|enable]
next
end
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set comment {var-string}
set application <name1>, <name2>, ...
next
end

config firewall proxy-address

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

type Proxy address type. option - url

Option Description

host-regex Host regular expression.

url HTTP URL.

category FortiGuard URL catgegory.

method HTTP request method.

ua HTTP request user agent.

header HTTP request header.

src-advanced HTTP advanced source criteria.

dst-advanced HTTP advanced destination criteria.

saas SaaS application.

FortiOS 7.2.1 CLI Reference 208

Fortinet Inc.
Parameter Description Type Size Default

host Address object for the host. string Not Specified

host-regex Host name as a regular expression. string Not Specified

path URL path as a regular expression. string Not Specified

query Match the query part of the URL as a regular string Not Specified
expression.

referrer Enable/disable use of referrer field in the HTTP option - disable

header to match the address.

ms Microsoft Internet Explorer or EDGE.

firefox Mozilla Firefox.

safari Apple Safari.

FortiOS 7.2.1 CLI Reference 209

Fortinet Inc.
Parameter Description Type Size Default

Option Description

other Other browsers.

header-name Name of HTTP header. string Not Specified

header HTTP header name as a regular expression. string Not Specified

case- Enable to make the pattern case sensitive. option - disable

sensitivity

Option Description

disable Case insensitive in pattern.

enable Case sensitive in pattern.

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

comment Optional comments. var-string Not Specified

application SaaS application. string Maximum

<name> SaaS applicaton name. length: 79

config header-group

Parameter Description Type Size Default

header-name HTTP header. string Not

Specified

header HTTP header regular expression. string Not

Specified

case-sensitivity Case sensitivity in pattern. option - disable

Option Description

disable Case insensitive in pattern.

enable Case sensitive in pattern.

config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

FortiOS 7.2.1 CLI Reference 210

Fortinet Inc.
Parameter Description Type Size Default

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall proxy-addrgrp

Configure web proxy address group.

config firewall proxy-addrgrp
Description: Configure web proxy address group.
edit <name>
set type [src|dst]
set uuid {uuid}
set member <name1>, <name2>, ...
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
set comment {var-string}
next
end

config firewall proxy-addrgrp

Parameter Description Type Size Default

type Source or destination address group type. option - src

Option Description

src Source group.

dst Destination group.

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

member Members of address group. string Maximum

<name> Address name. length: 79

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

comment Optional comments. var-string Not

Specified

FortiOS 7.2.1 CLI Reference 211

Fortinet Inc.
config tagging

Parameter Description Type Size Default

category Tag category. string Not

Specified

tags <name> Tags. string Maximum

Tag name. length: 79

config firewall schedule onetime

Onetime schedule configuration.

config firewall schedule onetime
Description: Onetime schedule configuration.
edit <name>
set start {user}
set end {user}
set color {integer}
set expiration-days {integer}
set fabric-object [enable|disable]
next
end

config firewall schedule onetime

Parameter Description Type Size Default

start Schedule start date and time, format hh:mm user Not
yyyy/mm/dd. Specified

end Schedule end date and time, format hh:mm user Not
yyyy/mm/dd. Specified

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

expiration- Write an event log message this many days before the integer Minimum 3
days schedule expires. value: 0
Maximum
value: 100

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

FortiOS 7.2.1 CLI Reference 212

Fortinet Inc.
config firewall schedule recurring

Recurring schedule configuration.

config firewall schedule recurring
Description: Recurring schedule configuration.
edit <name>
set start {user}
set end {user}
set day {option1}, {option2}, ...
set color {integer}
set fabric-object [enable|disable]
next
end

config firewall schedule recurring

Parameter Description Type Size Default

start Time of day to start the schedule, format hh:mm. user Not
Specified

end Time of day to end the schedule, format hh:mm. user Not
Specified

day One or more days of the week on which the schedule is option - none
valid. Separate the names of the days with a space.

Option Description

sunday Sunday.

monday Monday.

tuesday Tuesday.

wednesday Wednesday.

thursday Thursday.

friday Friday.

saturday Saturday.

none None.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

fabric-object Security Fabric global object setting. option - disable

FortiOS 7.2.1 CLI Reference 213

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config firewall schedule group

Schedule group configuration.

config firewall schedule group
Description: Schedule group configuration.
edit <name>
set member <name1>, <name2>, ...
set color {integer}
set fabric-object [enable|disable]
next
end

config firewall schedule group

Parameter Description Type Size Default

member Schedules added to the schedule group. string Maximum

<name> Schedule name. length: 79

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

fabric-object Security Fabric global object setting. option - disable

Option Description

enable Object is set as a security fabric-wide global object.

disable Object is local to this security fabric member.

config firewall ippool

Configure IPv4 IP pools.

config firewall ippool
Description: Configure IPv4 IP pools.
edit <name>
set type [overload|one-to-one|...]
set startip {ipv4-address-any}
set endip {ipv4-address-any}
set startport {integer}

FortiOS 7.2.1 CLI Reference 214

Fortinet Inc.
set endport {integer}
set source-startip {ipv4-address-any}
set source-endip {ipv4-address-any}
set block-size {integer}
set port-per-user {integer}
set num-blocks-per-user {integer}
set pba-timeout {integer}
set permit-any-host [disable|enable]
set arp-reply [disable|enable]
set arp-intf {string}
set associated-interface {string}
set comments {var-string}
set nat64 [disable|enable]
set add-nat64-route [disable|enable]
next
end

config firewall ippool

Parameter Description Type Size Default

type IP pool type (overload, one-to-one, fixed port range, or option - overload
port block allocation).

Option Description

overload IP addresses in the IP pool can be shared by clients.

one-to-one One to one mapping.

fixed-port-range Fixed port range.

port-block- Port block allocation.

allocation

startip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

endip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

startport First port number (inclusive) in the range for the address integer Minimum 5117
pool (Default: 5117). value: 5117
Maximum
value:
65533

endport Final port number (inclusive) in the range for the integer Minimum 65533
address pool (Default: 65533). value: 5117
Maximum
value:
65533

FortiOS 7.2.1 CLI Reference 215

Fortinet Inc.
Parameter Description Type Size Default

source-startip First IPv4 address . ipv4- Not 0.0.0.0

address- Specified
any

source-endip Final IPv4 address (inclusive) in the range of the source ipv4- Not 0.0.0.0
addresses to be translated (format xxx.xxx.xxx.xxx, address- Specified
Default: 0.0.0.0). any

block-size Number of addresses in a block . integer Minimum 128

value: 64
Maximum
value: 4096

port-per-user Number of port for each user . integer Minimum 0

value: 32
Maximum
value:
60416

num-blocks- Number of addresses blocks that can be used by a user integer Minimum 8
per-user . value: 1
Maximum
value: 128

pba-timeout Port block allocation timeout (seconds). integer Minimum 30

value: 3
Maximum
value:
86400

permit-any- Enable/disable full cone NAT. option - disable

host

Option Description

disable Disable full cone NAT.

enable Enable full cone NAT.

arp-reply Enable/disable replying to ARP requests when an IP option - enable

Pool is added to a policy .

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

arp-intf Select an interface from available options that will reply string Not
to ARP requests. (If blank, any is selected). Specified

FortiOS 7.2.1 CLI Reference 216

Fortinet Inc.
Parameter Description Type Size Default

associated- Associated interface name. string Not

interface Specified

comments Comment. var-string Not

Specified

nat64 Enable/disable NAT64. option - disable

Option Description

disable Disable DNAT64.

enable Enable DNAT64.

add-nat64- Enable/disable adding NAT64 route. option - enable

route

Option Description

disable Disable adding NAT64 route.

enable Enable adding NAT64 route.

config firewall ippool6

Configure IPv6 IP pools.

config firewall ippool6
Description: Configure IPv6 IP pools.
edit <name>
set startip {ipv6-address}
set endip {ipv6-address}
set comments {var-string}
set nat46 [disable|enable]
set add-nat46-route [disable|enable]
next
end

config firewall ippool6

Parameter Description Type Size Default

startip First IPv6 address . ipv6- Not ::

address Specified

endip Final IPv6 address . ipv6- Not ::

address Specified

comments Comment. var-string Not

Specified

FortiOS 7.2.1 CLI Reference 217

Fortinet Inc.
Parameter Description Type Size Default

nat46 Enable/disable NAT46. option - disable

Option Description

disable Disable NAT46.

enable Enable NAT46.

add-nat46-route Enable/disable adding NAT46 route. option - enable

Option Description

disable Disable adding NAT46 route.

enable Enable adding NAT46 route.

config firewall ldb-monitor

Configure server load balancing health monitors.

config firewall ldb-monitor
Description: Configure server load balancing health monitors.
edit <name>
set type [ping|tcp|...]
set interval {integer}
set timeout {integer}
set retry {integer}
set port {integer}
set src-ip {ipv4-address}
set http-get {string}
set http-match {string}
set http-max-redirects {integer}
set dns-protocol [udp|tcp]
set dns-request-domain {string}
set dns-match-ip {ipv4-address}
next
end

config firewall ldb-monitor

Parameter Description Type Size Default

type Select the Monitor type used by the health check option -
monitor to check the health of the server (PING | TCP |
HTTP | HTTPS | DNS).

Option Description

ping PING health monitor.

FortiOS 7.2.1 CLI Reference 218

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tcp TCP-connect health monitor.

http HTTP-GET health monitor.

https HTTP-GET health monitor with SSL.

dns DNS health monitor.

interval Time between health checks . integer Minimum 10

value: 5
Maximum
value:
65535

timeout Time to wait to receive response to a health check from integer Minimum 2
a server. Reaching the timeout means the health check value: 1
failed . Maximum
value: 255

retry Number health check attempts before the server is integer Minimum 3
considered down . value: 1
Maximum
value: 255

port Service port used to perform the health check. If 0, integer Minimum 0
health check monitor inherits port configured for the value: 0
server . Maximum
value:
65535

src-ip Source IP for ldb-monitor. ipv4- Not 0.0.0.0

address Specified

http-get URL used to send a GET request to check the health of string Not
an HTTP server. Specified

http-match String to match the value expected in response to an string Not

HTTP-GET request. Specified

http-max- The maximum number of HTTP redirects to be allowed . integer Minimum 0

redirects value: 0
Maximum
value: 5

dns-protocol Select the protocol used by the DNS health check option - udp
monitor to check the health of the server (UDP | TCP).

FortiOS 7.2.1 CLI Reference 219

Fortinet Inc.
Parameter Description Type Size Default

Option Description

udp UDP.

tcp TCP.

dns-request- Fully qualified domain name to resolve for the DNS string Not
domain probe. Specified

dns-match-ip Response IP expected from DNS server. ipv4- Not 0.0.0.0

address Specified

config firewall vip

Configure virtual IP for IPv4.

config firewall vip
Description: Configure virtual IP for IPv4.
edit <name>
set id {integer}
set uuid {uuid}
set comment {var-string}
set type [static-nat|load-balance|...]
set dns-mapping-ttl {integer}
set ldb-method [static|round-robin|...]
set src-filter <range1>, <range2>, ...
set service <name1>, <name2>, ...
set extip {user}
set extaddr <name1>, <name2>, ...
set nat44 [disable|enable]
set nat46 [disable|enable]
set add-nat46-route [disable|enable]
set mappedip <range1>, <range2>, ...
set mapped-addr {string}
set extintf {string}
set arp-reply [disable|enable]
set server-type [http|https|...]
set http-redirect [enable|disable]
set persistence [none|http-cookie|...]
set nat-source-vip [disable|enable]
set portforward [disable|enable]
set status [disable|enable]
set protocol [tcp|udp|...]
set extport {user}
set mappedport {user}
set gratuitous-arp-interval {integer}
set srcintf-filter <interface-name1>, <interface-name2>, ...
set portmapping-type [1-to-1|m-to-n]
config realservers
Description: Select the real servers that this server load balancing VIP will
distribute traffic to.
edit <id>
set type [ip|address]

FortiOS 7.2.1 CLI Reference 220

Fortinet Inc.
set address {string}
set ip {user}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set max-connections {integer}
set monitor <name1>, <name2>, ...
set client-ip {user}
next
end
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set http-multiplex [enable|disable]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set outlook-web-access [disable|enable]
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
set ssl-mode [half|full]
set ssl-certificate {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-pfs [require|deny|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-accept-ffdhe-groups [enable|disable]
set ssl-send-empty-frags [enable|disable]
set ssl-client-fallback [disable|enable]
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-type [disable|time|...]
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-max {integer}

FortiOS 7.2.1 CLI Reference 221

Fortinet Inc.
set ssl-client-rekey-count {integer}
set ssl-server-session-state-type [disable|time|...]
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-max {integer}
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-primary {string}
set ssl-hpkp-backup {string}
set ssl-hpkp-age {integer}
set ssl-hpkp-report-uri {var-string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set monitor <name1>, <name2>, ...
set max-embryonic-connections {integer}
set color {integer}
set ipv6-mappedip {user}
set ipv6-mappedport {user}
next
end

config firewall vip

Parameter Description Type Size Default

id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

comment Comment. var-string Not Specified

type Configure a static NAT, load balance, server option - static-nat

load balance, access proxy, DNS translation,
or FQDN VIP.

Option Description

static-nat Static NAT.

load-balance Load balance.

server-load- Server load balance.

balance

dns-translation DNS translation.

fqdn Fully qualified domain name.

FortiOS 7.2.1 CLI Reference 222

Fortinet Inc.
Parameter Description Type Size Default

Option Description

access-proxy Access proxy.

dns-mapping-ttl DNS mapping TTL . integer Minimum 0

value: 0
Maximum
value: 604800

ldb-method Method used to distribute sessions to real option - static

servers.

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

least-session Distribute to server with lowest session count.

least-rtt Distribute to server with lowest Round-Trip-Time.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

src-filter Source address filter. Each address must be string Maximum

<range> either an IP/subnet (x.x.x.x/n) or a range length: 79
(x.x.x.x-y.y.y.y). Separate addresses with
spaces.
Source-filter range.

service <name> Service name. string Maximum

Service name. length: 79

extip IP address or address range on the external user Not Specified

interface that you want to map to an address
or address range on the destination network.

extaddr <name> External FQDN address name. string Maximum

Address name. length: 79

nat44 Enable/disable NAT44. option - enable

Option Description

disable Disable NAT44.

enable Enable NAT44.

nat46 Enable/disable NAT46. option - disable

FortiOS 7.2.1 CLI Reference 223

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable NAT46.

enable Enable NAT46.

add-nat46-route Enable/disable adding NAT46 route. option - enable

Option Description

disable Disable adding NAT46 route.

enable Enable adding NAT46 route.

mappedip IP address or address range on the string Maximum

<range> destination network to which the external IP length: 79
address is mapped.
Mapped IP range.

mapped-addr Mapped FQDN address name. string Not Specified

extintf Interface connected to the source network string Not Specified

that receives the packets that will be
forwarded to the destination network.

arp-reply Enable to respond to ARP requests for this option - enable

virtual IP address. Enabled by default.

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).

Option Description

http HTTP.

https HTTPS.

imaps IMAPS.

pop3s POP3S.

smtps SMTPS.

ssl SSL.

tcp TCP.

FortiOS 7.2.1 CLI Reference 224

Fortinet Inc.
Parameter Description Type Size Default

Option Description

udp UDP.

ip IP.

http-redirect Enable/disable redirection of HTTP to option - disable

HTTPS.

Option Description

enable Enable redirection of HTTP to HTTPS.

disable Disable redirection of HTTP to HTTPS.

persistence Configure how to make sure that clients option - none

connect to the same server every time they
make a request that is part of the same
session.

Option Description

none None.

http-cookie HTTP cookie.

ssl-session-id SSL session ID.

nat-source-vip Enable/disable forcing the source NAT option - disable

mapped IP to the external IP for all traffic.

Option Description

disable Force only the source NAT mapped IP to the external IP for traffic
egressing the external interface of the VIP.

enable Force the source NAT mapped IP to the external IP for all traffic.

portforward Enable/disable port forwarding. option - disable

Option Description

disable Disable port forward.

enable Enable port forward.

status Enable/disable VIP. option - enable

Option Description

disable Disable the VIP.

enable Enable the VIP.

FortiOS 7.2.1 CLI Reference 225

Fortinet Inc.
Parameter Description Type Size Default

protocol Protocol to use when forwarding packets. option - tcp

Option Description

tcp TCP.

udp UDP.

sctp SCTP.

icmp ICMP.

extport Incoming port number range that you want to user Not Specified
map to a port number range on the
destination network.

mappedport Port number range on the destination user Not Specified

network to which the external port number
range is mapped.

gratuitous-arp- Enable to have the VIP send gratuitous integer Minimum 0

interval ARPs. 0=disabled. Set from 5 up to 8640000 value: 5
seconds to enable. Maximum
value:
8640000

srcintf-filter Interfaces to which the VIP applies. Separate string Maximum

<interface- the names with spaces. length: 79
name> Interface name.

portmapping- Port mapping type. option - 1-to-1

type

Option Description

1-to-1 One to one.

m-to-n Many to many.

http-cookie- Enable/disable use of HTTP cookie domain option - disable

domain-from- from host field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-
cooke-domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence string Not Specified

domain should apply to.

FortiOS 7.2.1 CLI Reference 226

Fortinet Inc.
Parameter Description Type Size Default

http-cookie-path Limit HTTP cookie persistence to the string Not Specified

specified path.

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

enable Enable HTTP session multiplexing.

disable Disable HTTP session multiplexing.

http-ip-header For HTTP multiplexing, enable to add the option - disable

original client IP address in the XForwarded-
For HTTP header.

Option Description

enable Enable adding HTTP header.

FortiOS 7.2.1 CLI Reference 227

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable adding HTTP header.

disable Do not add HTTP header indicating SSL offload for WebSphere server.

enable Add HTTP header indicating SSL offload for WebSphere server.

ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the
server (full).

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

ssl-certificate The name of the certificate to use for SSL string Not Specified
handshake.

FortiOS 7.2.1 CLI Reference 228

Fortinet Inc.
Parameter Description Type Size Default

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL
sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom Custom encryption. Use config ssl-cipher-suites to select the cipher suites
that are allowed.

ssl-server- Permitted encryption algorithms for the option - client

algorithm server side of SSL full mode sessions
according to encryption strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom Custom encryption. Use ssl-server-cipher-suites to select the cipher suites

that are allowed.

client Use the same encryption algorithms for both client and server sessions.

ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies
to both client and server sessions.

FortiOS 7.2.1 CLI Reference 229

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

FortiOS 7.2.1 CLI Reference 230

Fortinet Inc.
Parameter Description Type Size Default

ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

disable Disable.

enable Enable.

ssl-client- Allow, deny, or require secure renegotiation option - secure

renegotiation of client sessions to comply with RFC 5746.

FortiOS 7.2.1 CLI Reference 231

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow a SSL client to renegotiate.

deny Abort any client initiated SSL re-negotiation attempt.

secure Abort any client initiated SSL re-negotiation attempt that does not use RFC
5746 Secure Renegotiation.

ssl-client- How to expire SSL sessions for the segment option - both
session-state- of the SSL connection between the client and
type the FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

ssl-client- Number of minutes to keep client to integer Minimum 30

session-state- FortiGate SSL session state. value: 1
timeout Maximum
value: 14400

ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-client-rekey- Maximum length of data in MB before integer Minimum 0

count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576

ssl-server- How to expire SSL sessions for the segment option - both
session-state- of the SSL connection between the server
type and the FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

FortiOS 7.2.1 CLI Reference 232

Fortinet Inc.
Parameter Description Type Size Default

ssl-server- Number of minutes to keep FortiGate to integer Minimum 60

session-state- Server SSL session state. value: 1
timeout Maximum
value: 14400

ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-http-location- Enable to replace HTTP with HTTPS in the option - disable

conversion reply's Location HTTP header field.

Option Description

enable Enable HTTP location conversion.

disable Disable HTTP location conversion.

ssl-http-match- Enable/disable HTTP host matching for option - enable

host location conversion.

Option Description

enable Match HTTP host in response header.

disable Do not match HTTP host.

ssl-hpkp Enable/disable including HPKP header in option - disable

response.

Option Description

disable Do not add a HPKP header to each HTTP response.

enable Add a HPKP header to each a HTTP response.

report-only Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-primary Certificate to generate primary HPKP pin string Not Specified

from.

ssl-hpkp-backup Certificate to generate backup HPKP pin string Not Specified

from.

ssl-hpkp-age Number of seconds the client should honor integer Minimum 5184000
the HPKP setting. value: 60
Maximum
value:
157680000

ssl-hpkp-report- URL to report HPKP violations to. var-string Not Specified

uri

FortiOS 7.2.1 CLI Reference 233

Fortinet Inc.
Parameter Description Type Size Default

ssl-hpkp-include- Indicate that HPKP header applies to all option - disable

subdomains subdomains.

Option Description

disable HPKP header does not apply to subdomains.

enable HPKP header applies to subdomains.

ssl-hsts Enable/disable including HSTS header in option - disable

response.

Option Description

disable Do not add a HSTS header to each a HTTP response.

enable Add a HSTS header to each HTTP response.

ssl-hsts-age Number of seconds the client should honor integer Minimum 5184000
the HSTS setting. value: 60
Maximum
value:
157680000

ssl-hsts-include- Indicate that HSTS header applies to all option - disable

subdomains subdomains.

Option Description

disable HSTS header does not apply to subdomains.

enable HSTS header applies to subdomains.

monitor <name> Name of the health check monitor to use string Maximum
when polling to determine a virtual server's length: 79
connectivity status.
Health monitor name.

max-embryonic- Maximum number of incomplete integer Minimum 1000

connections connections. value: 0
Maximum
value: 100000

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

ipv6-mappedip Range of mapped IPv6 addresses. Specify user Not Specified

the start IPv6 address followed by a space
and the end IPv6 address.

FortiOS 7.2.1 CLI Reference 234

Fortinet Inc.
Parameter Description Type Size Default

ipv6-mappedport IPv6 port number range on the destination user Not Specified
network to which the external port number
range is mapped.

config realservers

Parameter Description Type Size Default

type Type of address. option - ip

Option Description

ip Standard IPv4 address.

address Dynamic address object.

address Dynamic address of the real server. string Not Specified

ip IP address of the real server. user Not Specified

port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

holddown- Time in seconds that the health check monitor integer Minimum 300
interval continues to monitor and unresponsive server that value: 30
should be active. Maximum
value: 65535

healthcheck Enable to check the responsiveness of the real option - vip

server before forwarding traffic.

FortiOS 7.2.1 CLI Reference 235

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable per server health check.

enable Enable per server health check.

vip Use health check defined in VIP.

http-host HTTP server domain name in HTTP header. string Not Specified

max- Max number of active connections that can be integer Minimum 0

connections directed to the real server. When reached, sessions value: 0
are sent to other real servers. Maximum
value:
2147483647

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
Health monitor name.

client-ip Only clients in this IP range can connect to this real user Not Specified
server.

config ssl-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.2.1 CLI Reference 236

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 237

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

FortiOS 7.2.1 CLI Reference 238

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

FortiOS 7.2.1 CLI Reference 239

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 240

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

FortiOS 7.2.1 CLI Reference 241

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

FortiOS 7.2.1 CLI Reference 242

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used with. option - ssl-3.0 tls-
1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config ssl-server-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.2.1 CLI Reference 243

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 244

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

FortiOS 7.2.1 CLI Reference 245

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

FortiOS 7.2.1 CLI Reference 246

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 247

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

FortiOS 7.2.1 CLI Reference 248

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

FortiOS 7.2.1 CLI Reference 249

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used with. option - ssl-3.0 tls-
1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config firewall vip6

Configure virtual IP for IPv6.

config firewall vip6
Description: Configure virtual IP for IPv6.
edit <name>
set id {integer}
set uuid {uuid}
set comment {var-string}
set type [static-nat|server-load-balance|...]
set src-filter <range1>, <range2>, ...
set extip {user}
set mappedip {user}
set nat-source-vip [disable|enable]
set arp-reply [disable|enable]
set portforward [disable|enable]
set protocol [tcp|udp|...]
set extport {user}
set mappedport {user}
set color {integer}
set ldb-method [static|round-robin|...]
set server-type [http|https|...]
set http-redirect [enable|disable]
set persistence [none|http-cookie|...]
set nat66 [disable|enable]
set nat64 [disable|enable]

FortiOS 7.2.1 CLI Reference 250

Fortinet Inc.
set add-nat64-route [disable|enable]
config realservers
Description: Select the real servers that this server load balancing VIP will
distribute traffic to.
edit <id>
set ip {user}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set max-connections {integer}
set monitor <name1>, <name2>, ...
set client-ip {user}
next
end
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set http-multiplex [enable|disable]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set outlook-web-access [disable|enable]
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
set ssl-mode [half|full]
set ssl-certificate {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-pfs [require|deny|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-accept-ffdhe-groups [enable|disable]
set ssl-send-empty-frags [enable|disable]
set ssl-client-fallback [disable|enable]

FortiOS 7.2.1 CLI Reference 251

Fortinet Inc.
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-type [disable|time|...]
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-max {integer}
set ssl-client-rekey-count {integer}
set ssl-server-session-state-type [disable|time|...]
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-max {integer}
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-primary {string}
set ssl-hpkp-backup {string}
set ssl-hpkp-age {integer}
set ssl-hpkp-report-uri {var-string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set monitor <name1>, <name2>, ...
set max-embryonic-connections {integer}
set embedded-ipv4-address [disable|enable]
set ipv4-mappedip {user}
set ipv4-mappedport {user}
next
end

config firewall vip6

Parameter Description Type Size Default

id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

comment Comment. var-string Not Specified

type Configure a static NAT server load balance option - static-nat

VIP or access proxy.

Option Description

static-nat Static NAT.

server-load- Server load balance.

balance

access-proxy Access proxy.

FortiOS 7.2.1 CLI Reference 252

Fortinet Inc.
Parameter Description Type Size Default

src-filter Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate string Maximum

<range> addresses with spaces. length: 79
Source-filter range.

extip IPv6 address or address range on the external user Not Specified
interface that you want to map to an address or
address range on the destination network.

mappedip Mapped IPv6 address range in the format user Not Specified
startIP-endIP.

nat-source-vip Enable to perform SNAT on traffic from option - disable

mappedip to the extip for all egress interfaces.

Option Description

disable Disable nat-source-vip.

enable Perform SNAT on traffic from mappedip to the extip for all egress interfaces.

arp-reply Enable to respond to ARP requests for this option - enable

virtual IP address. Enabled by default.

Option Description

disable Disable ARP reply.

enable Enable ARP reply.

portforward Enable port forwarding. option - disable

Option Description

disable Disable port forward.

enable Enable/disable port forwarding.

protocol Protocol to use when forwarding packets. option - tcp

Option Description

tcp TCP.

udp UDP.

sctp SCTP.

extport Incoming port number range that you want to user Not Specified
map to a port number range on the destination
network.

FortiOS 7.2.1 CLI Reference 253

Fortinet Inc.
Parameter Description Type Size Default

mappedport Port number range on the destination network user Not Specified
to which the external port number range is
mapped.

color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

ldb-method Method used to distribute sessions to real option - static

servers.

Option Description

static Distribute sessions based on source IP.

round-robin Distribute sessions based round robin order.

weighted Distribute sessions based on weight.

least-session Sends new sessions to the server with the lowest session count.

least-rtt Distribute new sessions to the server with lowest Round-Trip-Time.

first-alive Distribute sessions to the first server that is alive.

http-host Distribute sessions to servers based on host field in HTTP header.

server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).

Option Description

http HTTP.

https HTTPS.

imaps IMAPS.

pop3s POP3S.

smtps SMTPS.

ssl SSL.

tcp TCP.

udp UDP.

ip IP.

http-redirect Enable/disable redirection of HTTP to HTTPS. option - disable

FortiOS 7.2.1 CLI Reference 254

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable redirection of HTTP to HTTPS.

disable Disable redirection of HTTP to HTTPS.

persistence Configure how to make sure that clients option - none

connect to the same server every time they
make a request that is part of the same
session.

add-nat64- Enable/disable adding NAT64 route. option - enable

route

Option Description

disable Disable adding NAT64 route.

enable Enable adding NAT64 route.

http-cookie- Enable/disable use of HTTP cookie domain option - disable

domain-from- from host field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

FortiOS 7.2.1 CLI Reference 255

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should string Not Specified
domain apply to.

http-cookie- Limit HTTP cookie persistence to the specified string Not Specified
path path.

http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

enable Enable HTTP session multiplexing.

disable Disable HTTP session multiplexing.

FortiOS 7.2.1 CLI Reference 256

Fortinet Inc.
Parameter Description Type Size Default

http-ip-header For HTTP multiplexing, enable to add the option - disable

original client IP address in the XForwarded-
For HTTP header.

Option Description

enable Enable adding HTTP header.

disable Do not add HTTP header indicating SSL offload for WebSphere server.

enable Add HTTP header indicating SSL offload for WebSphere server.

ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the server
(full).

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

FortiOS 7.2.1 CLI Reference 257

Fortinet Inc.
Parameter Description Type Size Default

ssl-certificate The name of the certificate to use for SSL string Not Specified
handshake.

ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.

Option Description

high Use AES.

medium Use AES, 3DES, or RC4.

low Use AES, 3DES, RC4, or DES.

custom Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-server- Permitted encryption algorithms for the server option - client

algorithm side of SSL full mode sessions according to
encryption strength.

Option Description

high Use AES.

medium Use AES, 3DES, or RC4.

low Use AES, 3DES, RC4, or DES.

custom Use config ssl-server-cipher-suites to select the cipher suites that are
allowed.

client Use the same encryption algorithms for client and server sessions.

ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies to
both client and server sessions.

FortiOS 7.2.1 CLI Reference 258

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

client Use same value as client configuration.

FortiOS 7.2.1 CLI Reference 259

Fortinet Inc.
Parameter Description Type Size Default

ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

disable Disable.

enable Enable.

ssl-client- Allow, deny, or require secure renegotiation of option - secure

renegotiation client sessions to comply with RFC 5746.

FortiOS 7.2.1 CLI Reference 260

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow a SSL client to renegotiate.

deny Abort any SSL connection that attempts to renegotiate.

secure Reject any SSL connection that does not offer a RFC 5746 Secure
Renegotiation Indication.

ssl-client- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the client and the
type FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

ssl-client- Number of minutes to keep client to FortiGate integer Minimum 30

session-state- SSL session state. value: 1
timeout Maximum
value: 14400

ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-client- Maximum length of data in MB before integer Minimum 0

rekey-count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576

ssl-server- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the server and
type the FortiGate.

Option Description

disable Do not keep session states.

time Expire session states after this many minutes.

count Expire session states when this maximum is reached.

both Expire session states based on time or count, whichever occurs first.

FortiOS 7.2.1 CLI Reference 261

Fortinet Inc.
Parameter Description Type Size Default

ssl-server- Number of minutes to keep FortiGate to Server integer Minimum 60

session-state- SSL session state. value: 1
timeout Maximum
value: 14400

ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

session-state- session states to keep. value: 1
max Maximum
value: 10000

ssl-http- Enable to replace HTTP with HTTPS in the option - disable

location- reply's Location HTTP header field.
conversion

Option Description

enable Enable HTTP location conversion.

disable Disable HTTP location conversion.

ssl-http-match- Enable/disable HTTP host matching for option - enable

host location conversion.

Option Description

enable Match HTTP host in response header.

disable Do not match HTTP host.

ssl-hpkp Enable/disable including HPKP header in option - disable

response.

Option Description

disable Do not add a HPKP header to each HTTP response.

enable Add a HPKP header to each a HTTP response.

report-only Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp- Certificate to generate primary HPKP pin from. string Not Specified
primary

ssl-hpkp- Certificate to generate backup HPKP pin from. string Not Specified
backup

ssl-hpkp-age Number of minutes the web browser should integer Minimum 5184000
keep HPKP. value: 60
Maximum
value:
157680000

FortiOS 7.2.1 CLI Reference 262

Fortinet Inc.
Parameter Description Type Size Default

ssl-hpkp- URL to report HPKP violations to. var-string Not Specified

report-uri

ssl-hpkp- Indicate that HPKP header applies to all option - disable

include- subdomains.
subdomains

Option Description

disable HPKP header does not apply to subdomains.

enable HPKP header applies to subdomains.

ssl-hsts Enable/disable including HSTS header in option - disable

response.

Option Description

disable Do not add a HSTS header to each a HTTP response.

enable Add a HSTS header to each HTTP response.

ssl-hsts-age Number of seconds the client should honor the integer Minimum 5184000
HSTS setting. value: 60
Maximum
value:
157680000

ssl-hsts- Indicate that HSTS header applies to all option - disable

include- subdomains.
subdomains

Option Description

disable HSTS header does not apply to subdomains.

enable HSTS header applies to subdomains.

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's length: 79
connectivity status.
Health monitor name.

max- Maximum number of incomplete connections. integer Minimum 1000

embryonic- value: 0
connections Maximum
value: 100000

embedded- Enable/disable use of the lower 32 bits of the option - disable

ipv4-address external IPv6 address as mapped IPv4
address.

FortiOS 7.2.1 CLI Reference 263

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.

enable Enable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.

ipv4-mappedip Range of mapped IP addresses. Specify the user Not Specified

start IP address followed by a space and the
end IP address.

ipv4- IPv4 port number range on the destination user Not Specified
mappedport network to which the external port number
range is mapped.

config realservers

Parameter Description Type Size Default

ip IP address of the real server. user Not Specified

port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255

holddown- Time in seconds that the health check monitor integer Minimum 300
interval continues to monitor an unresponsive server that value: 30
should be active. Maximum
value: 65535

healthcheck Enable to check the responsiveness of the real option - vip

server before forwarding traffic.

FortiOS 7.2.1 CLI Reference 264

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable per server health check.

enable Enable per server health check.

vip Use health check defined in VIP.

http-host HTTP server domain name in HTTP header. string Not Specified

max- Max number of active connections that can directed integer Minimum 0
connections to the real server. When reached, sessions are sent value: 0
to other real servers. Maximum
value:
2147483647

monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
Health monitor name.

client-ip Only clients in this IP range can connect to this real user Not Specified
server.

config ssl-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.2.1 CLI Reference 265

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 266

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

FortiOS 7.2.1 CLI Reference 267

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

FortiOS 7.2.1 CLI Reference 268

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 269

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

FortiOS 7.2.1 CLI Reference 270

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

FortiOS 7.2.1 CLI Reference 271

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used with. option - ssl-3.0 tls-
1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config ssl-server-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

FortiOS 7.2.1 CLI Reference 272

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 273

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

FortiOS 7.2.1 CLI Reference 274

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

FortiOS 7.2.1 CLI Reference 275

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 276

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

FortiOS 7.2.1 CLI Reference 277

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

FortiOS 7.2.1 CLI Reference 278

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used with. option - ssl-3.0 tls-
1.0 tls-1.1
tls-1.2 tls-
1.3

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config firewall vipgrp

Configure IPv4 virtual IP groups.

config firewall vipgrp
Description: Configure IPv4 virtual IP groups.
edit <name>
set uuid {uuid}
set interface {string}
set color {integer}
set comments {var-string}
set member <name1>, <name2>, ...
next
end

config firewall vipgrp

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

interface Interface. string Not

Specified

FortiOS 7.2.1 CLI Reference 279

Fortinet Inc.
Parameter Description Type Size Default

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

comments Comment. var-string Not

Specified

member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
VIP name.

config firewall vipgrp6

Configure IPv6 virtual IP groups.

config firewall vipgrp6
Description: Configure IPv6 virtual IP groups.
edit <name>
set uuid {uuid}
set color {integer}
set comments {var-string}
set member <name1>, <name2>, ...
next
end

config firewall vipgrp6

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

color Integer value to determine the color of the icon in integer Minimum 0
the GUI . value: 0
Maximum
value: 32

comments Comment. var-string Not

Specified

member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
IPv6 VIP name.

config firewall ssh local-key

SSH proxy local keys.

FortiOS 7.2.1 CLI Reference 280

Fortinet Inc.
config firewall ssh local-key
Description: SSH proxy local keys.
edit <name>
set password {password}
set private-key {user}
set public-key {user}
set source [built-in|user]
next
end

config firewall ssh local-key

Parameter Description Type Size Default

password Password for SSH private key. password Not

Specified

private-key SSH proxy private key, encrypted with a password. user Not
Specified

public-key SSH proxy public key. user Not

Specified

source SSH proxy local key source type. option - user

Option Description

built-in Built-in SSH proxy local keys.

user User imported SSH proxy local keys.

config firewall ssh local-ca

SSH proxy local CA.

config firewall ssh local-ca
Description: SSH proxy local CA.
edit <name>
set password {password}
set private-key {user}
set public-key {user}
set source [built-in|user]
next
end

config firewall ssh local-ca

Parameter Description Type Size Default

password Password for SSH private key. password Not

Specified

FortiOS 7.2.1 CLI Reference 281

Fortinet Inc.
Parameter Description Type Size Default

private-key SSH proxy private key, encrypted with a password. user Not
Specified

public-key SSH proxy public key. user Not

Specified

source SSH proxy local CA source type. option - user

Option Description

built-in Built-in SSH proxy local keys.

user User imported SSH proxy local keys.

config firewall ssh setting

SSH proxy settings.

config firewall ssh setting
Description: SSH proxy settings.
set caname {string}
set untrusted-caname {string}
set hostkey-rsa2048 {string}
set hostkey-dsa1024 {string}
set hostkey-ecdsa256 {string}
set hostkey-ecdsa384 {string}
set hostkey-ecdsa521 {string}
set hostkey-ed25519 {string}
set host-trusted-checking [enable|disable]
end

config firewall ssh setting

Parameter Description Type Size Default

caname CA certificate used by SSH Inspection. string Not

Specified

untrusted- Untrusted CA certificate used by SSH Inspection. string Not

caname Specified

hostkey- RSA certificate used by SSH proxy. string Not

rsa2048 Specified

hostkey- DSA certificate used by SSH proxy. string Not

dsa1024 Specified

hostkey- ECDSA nid256 certificate used by SSH proxy. string Not

ecdsa256 Specified

FortiOS 7.2.1 CLI Reference 282

Fortinet Inc.
Parameter Description Type Size Default

hostkey- ECDSA nid384 certificate used by SSH proxy. string Not

ecdsa384 Specified

hostkey- ECDSA nid384 certificate used by SSH proxy. string Not

ecdsa521 Specified

hostkey- ED25519 hostkey used by SSH proxy. string Not

ed25519 Specified

host-trusted- Enable/disable host trusted checking. option - enable

checking

Option Description

enable Enable host key trusted checking.

disable Disable host key trusted checking.

config firewall ssh host-key

SSH proxy host public keys.

config firewall ssh host-key
Description: SSH proxy host public keys.
edit <name>
set status [trusted|revoked]
set type [RSA|DSA|...]
set nid [256|384|...]
set usage [transparent-proxy|access-proxy]
set ip {ipv4-address-any}
set port {integer}
set hostname {string}
set public-key {var-string}
next
end

config firewall ssh host-key

Parameter Description Type Size Default

status Set the trust status of the public key. option - trusted

Option Description

trusted The public key is trusted.

revoked The public key is revoked.

type Set the type of the public key. option - RSA

FortiOS 7.2.1 CLI Reference 283

Fortinet Inc.
Parameter Description Type Size Default

Option Description

RSA The type of the public key is RSA.

DSA The type of the public key is DSA.

ECDSA The type of the public key is ECDSA.

ED25519 The type of the public key is ED25519.

RSA-CA The type of the public key is from RSA CA.

DSA-CA The type of the public key is from DSA CA.

ECDSA-CA The type of the public key is from ECDSA CA.

ED25519-CA The type of the public key is from ED25519 CA.

nid Set the nid of the ECDSA key. option - 256

Option Description

256 The NID is ecdsa-sha2-nistp256.

384 The NID is ecdsa-sha2-nistp384.

521 The NID is ecdsa-sha2-nistp521.

usage Usage for this public key. option - transparent-

proxy

Option Description

transparent- Transparent proxy uses this public key to validate server.

proxy

access-proxy Access proxy uses this public key to validate server.

ip IP address of the SSH server. ipv4- Not Specified 0.0.0.0

address-
any

port Port of the SSH server. integer Minimum 22

value: 0
Maximum
value:
4294967295

hostname Hostname of the SSH server to match SSH string Not Specified
certificate principals.

public-key SSH public key. var-string Not Specified

FortiOS 7.2.1 CLI Reference 284

Fortinet Inc.
config firewall decrypted-traffic-mirror

Configure decrypted traffic mirror.

config firewall decrypted-traffic-mirror
Description: Configure decrypted traffic mirror.
edit <name>
set dstmac {mac-address}
set traffic-type {option1}, {option2}, ...
set traffic-source [client|server|...]
set interface <name1>, <name2>, ...
next
end

config firewall decrypted-traffic-mirror

Parameter Description Type Size Default

dstmac Set destination MAC address for mirrored traffic. mac- Not ff:ff:ff:ff:ff:ff
address Specified

traffic-type Types of decrypted traffic to be mirrored. option - ssl

Option Description

ssl Mirror decrypted SSL traffic.

ssh Mirror decrypted SSH traffic.

traffic-source Source of decrypted traffic to be mirrored. option - client

Option Description

client Mirror client side decrypted traffic.

server Mirror server side decrypted traffic.

both Mirror both client and server side decrypted traffic.

interface Decrypted traffic mirror interface. string Maximum

<name> Decrypted traffic mirror interface. length: 79

config firewall access-proxy-virtual-host

Configure Access Proxy virtual hosts.

config firewall access-proxy-virtual-host
Description: Configure Access Proxy virtual hosts.
edit <name>
set ssl-certificate {string}
set host {string}
set host-type [sub-string|wildcard]
set replacemsg-group {string}
next

FortiOS 7.2.1 CLI Reference 285

Fortinet Inc.
end

config firewall access-proxy-virtual-host

Parameter Description Type Size Default

ssl-certificate SSL certificate for this host. string Not

Specified

host The host name. string Not

Specified

host-type Type of host pattern. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

replacemsg- Access-proxy-virtual-host replacement message string Not

group override group. Specified

config firewall access-proxy-ssh-client-cert

Configure Access Proxy SSH client certificate.

config firewall access-proxy-ssh-client-cert
Description: Configure Access Proxy SSH client certificate.
edit <name>
set source-address [enable|disable]
set permit-x11-forwarding [enable|disable]
set permit-agent-forwarding [enable|disable]
set permit-port-forwarding [enable|disable]
set permit-pty [enable|disable]
set permit-user-rc [enable|disable]
config cert-extension
Description: Configure certificate extension for user certificate.
edit <name>
set critical [no|yes]
set type [fixed|user]
set data {string}
next
end
set auth-ca {string}
next
end

FortiOS 7.2.1 CLI Reference 286

enable Enable setting.

disable Disable setting.

permit-user-rc Enable/disable appending permit-user-rc certificate option - enable

extension.

FortiOS 7.2.1 CLI Reference 287

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

auth-ca Name of the SSH server public key authentication CA. string Not
Specified

config cert-extension

Parameter Description Type Size Default

critical Critical option. option - no

Option Description

disable Disable to detect unknown device by HTTP user-agent if no client certificate

provided.

enable Enable to detect unknown device by HTTP user-agent if no client certificate

provided.

auth-portal Enable/disable authentication portal. option - disable

Option Description

disable Disable authentication portal.

enable Enable authentication portal.

auth-virtual- Virtual host for authentication portal. string Not

host Specified

empty-cert- Action of an empty client certificate. option - block

action

Option Description

accept Accept the SSL handshake if the client certificate is empty.

block Block the SSL handshake if the client certificate is empty.

accept- Accept the SSL handshake only if the end-point is unmanageable.

unmanageable

log-blocked- Enable/disable logging of blocked traffic. option - disable

traffic

FortiOS 7.2.1 CLI Reference 291

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Log all traffic denied by this access proxy.

disable Do not log all traffic denied by this access proxy.

add-vhost- Enable/disable adding vhost/domain to dnsdb for ztna option - disable

domain-to- dox tunnel.
dnsdb

Option Description

enable add dns entry for all vhosts used by access proxy.

disable Do not add dns entry for all vhosts used by access proxy.

decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified

config api-gateway

Parameter Description Type Size Default

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP.

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

FortiOS 7.2.1 CLI Reference 292

Fortinet Inc.
Parameter Description Type Size Default

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

application SaaS application controlled by this Access Proxy. string Maximum

<name> SaaS application name. length: 79

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request that
is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from host option - disable
domain-from- field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Not Specified
domain to.

http-cookie- Limit HTTP cookie persistence to the specified path. string Not Specified
path

http-cookie- Generation of HTTP cookie to be accepted. Changing integer Minimum 0

generation invalidates all existing cookies. value: 0
Maximum
value:
4294967295

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

FortiOS 7.2.1 CLI Reference 294

Fortinet Inc.
Parameter Description Type Size Default

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

addr-type Type of address. option - ip

Option Description

ip Standard IPv4 address.

fqdn Non-wildcard FQDN address object.

FortiOS 7.2.1 CLI Reference 295

Fortinet Inc.
Parameter Description Type Size Default

address Address or address group of the real server. string Not

Specified

ip IPv6 address of the real server. ipv6- Not ::

address Specified

domain Wildcard domain name of the real server. string Not

Specified

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value:
65535

mappedport Port for communicating with the real server. user Not
Specified

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic is
sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

type TCP forwarding server type. option - tcp-

forwarding

Option Description

tcp-forwarding TCP forwarding.

ssh SSH.

weight Weight of the real server. If weighted load balancing is integer Minimum 1
enabled, the server with the highest weight gets more value: 1
connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Not

Specified

health-check Enable to check the responsiveness of the real server option - disable
before forwarding traffic.

FortiOS 7.2.1 CLI Reference 296

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

FortiOS 7.2.1 CLI Reference 297

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 298

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

FortiOS 7.2.1 CLI Reference 299

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

FortiOS 7.2.1 CLI Reference 300

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

FortiOS 7.2.1 CLI Reference 301

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

FortiOS 7.2.1 CLI Reference 302

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

FortiOS 7.2.1 CLI Reference 303

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used with. option - tls-1.0 tls-
1.1 tls-1.2
tls-1.3

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config api-gateway6

Parameter Description Type Size Default

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP.

FortiOS 7.2.1 CLI Reference 304

Fortinet Inc.
Parameter Description Type Size Default

Option Description

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Not Specified
authentication.

saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.

FortiOS 7.2.1 CLI Reference 306

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

FortiOS 7.2.1 CLI Reference 307

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

addr-type Type of address. option - ip

address Address or address group of the real server. string Not

health-check Enable to check the responsiveness of the real server option - disable
before forwarding traffic.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

ssh-client-cert Set access-proxy SSH client certificate profile. string Not

Specified

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

versions SSL/TLS versions that the cipher suite can be used with. option - tls-1.0 tls-
1.1 tls-1.2
tls-1.3

config firewall access-proxy6

Configure IPv6 access proxy.

config firewall access-proxy6
Description: Configure IPv6 access proxy.
edit <name>
set vip {string}
set client-cert [disable|enable]
set user-agent-detect [disable|enable]
set auth-portal [disable|enable]
set auth-virtual-host {string}
set empty-cert-action [accept|block|...]
set log-blocked-traffic [enable|disable]
set add-vhost-domain-to-dnsdb [enable|disable]
set decrypted-traffic-mirror {string}
config api-gateway
Description: Set IPv4 API Gateway.
edit <id>
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]

FortiOS 7.2.1 CLI Reference 309

Fortinet Inc.
config realservers
Description: Select the real servers that this Access Proxy will distribute
traffic to.
edit <id>
set addr-type [ip|fqdn]
set address {string}
set ip {ipv4-address-any}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set application <name1>, <name2>, ...
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
config api-gateway6
Description: Set IPv6 API Gateway.
edit <id>
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers

FortiOS 7.2.1 CLI Reference 310

Fortinet Inc.
Description: Select the real servers that this Access Proxy will distribute
traffic to.
edit <id>
set addr-type [ip|fqdn]
set address {string}
set ip {ipv6-address}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set application <name1>, <name2>, ...
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
next
end

config firewall access-proxy6

Parameter Description Type Size Default

vip Virtual IP name. string Not

Specified

FortiOS 7.2.1 CLI Reference 311

Fortinet Inc.
Parameter Description Type Size Default

client-cert Enable/disable to request client certificate. option - enable

Option Description

disable Disable client certificate request.

enable Enable client certificate request.

user-agent- Enable/disable to detect device type by HTTP user- option - enable

detect agent if no client certificate provided.

Option Description

disable Disable to detect unknown device by HTTP user-agent if no client certificate

provided.

enable Enable to detect unknown device by HTTP user-agent if no client certificate

provided.

domain-to- dox tunnel.
dnsdb

Option Description

enable add dns entry for all vhosts used by access proxy.

disable Do not add dns entry for all vhosts used by access proxy.

decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified

config api-gateway

Parameter Description Type Size Default

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP.

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

FortiOS 7.2.1 CLI Reference 313

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

application SaaS application controlled by this Access Proxy. string Maximum

<name> SaaS application name. length: 79

persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request that
is part of the same session.

Option Description

none None.

http-cookie HTTP cookie.

http-cookie- Enable/disable use of HTTP cookie domain from host option - disable
domain-from- field in HTTP.
host

Option Description

disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).

enable Enable use of HTTP cookie domain from host field in HTTP.

http-cookie- Domain that HTTP cookie persistence should apply string Not Specified
domain to.

http-cookie- Limit HTTP cookie persistence to the specified path. string Not Specified
path

http-cookie- Generation of HTTP cookie to be accepted. Changing integer Minimum 0

generation invalidates all existing cookies. value: 0
Maximum
value:
4294967295

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

FortiOS 7.2.1 CLI Reference 315

Fortinet Inc.
Parameter Description Type Size Default

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

addr-type Type of address. option - ip

Option Description

ip Standard IPv4 address.

fqdn Non-wildcard FQDN address object.

FortiOS 7.2.1 CLI Reference 316

Fortinet Inc.
Parameter Description Type Size Default

address Address or address group of the real server. string Not

Specified

ip IPv6 address of the real server. ipv6- Not ::

address Specified

domain Wildcard domain name of the real server. string Not

Specified

port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value:
65535

mappedport Port for communicating with the real server. user Not
Specified

status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic is
sent.

Option Description

active Server status active.

standby Server status standby.

disable Server status disable.

type TCP forwarding server type. option - tcp-

forwarding

Option Description

tcp-forwarding TCP forwarding.

ssh SSH.

weight Weight of the real server. If weighted load balancing is integer Minimum 1
enabled, the server with the highest weight gets more value: 1
connections. Maximum
value: 255

http-host HTTP server domain name in HTTP header. string Not

Specified

health-check Enable to check the responsiveness of the real server option - disable
before forwarding traffic.

FortiOS 7.2.1 CLI Reference 317

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

FortiOS 7.2.1 CLI Reference 318

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

TLS-AES-256- Cipher suite TLS-AES-256-GCM-SHA384.

GCM-SHA384

TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

FortiOS 7.2.1 CLI Reference 319

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

WITH-AES-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

WITH-AES-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

WITH-AES-256-
GCM-SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

RSA-WITH-AES-
256-CBC-SHA

FortiOS 7.2.1 CLI Reference 320

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

RSA-WITH-AES-
256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

RSA-WITH-AES-
256-GCM-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

ECDSA-WITH-
AES-256-CBC-
SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

ECDSA-WITH-
AES-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

ECDSA-WITH-
AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

AES-256-CBC-
SHA

FortiOS 7.2.1 CLI Reference 321

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

AES-256-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

AES-256-GCM-
SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

CAMELLIA-256-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

FortiOS 7.2.1 CLI Reference 322

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

WITH-
CAMELLIA-256-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

FortiOS 7.2.1 CLI Reference 323

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

WITH-ARIA-256-
CBC-SHA384

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

RSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

ECDSA-WITH-
ARIA-256-CBC-
SHA384

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA

TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA

FortiOS 7.2.1 CLI Reference 324

Fortinet Inc.
Parameter Description Type Size Default

Option Description

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA

TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA

TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA

versions SSL/TLS versions that the cipher suite can be used with. option - tls-1.0 tls-
1.1 tls-1.2
tls-1.3

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config api-gateway6

Parameter Description Type Size Default

url-map URL pattern to match. string Not Specified /

service Service. option - https

Option Description

http HTTP.

FortiOS 7.2.1 CLI Reference 325

Fortinet Inc.
Parameter Description Type Size Default

Option Description

https HTTPS.

tcp-forwarding TCP-FORWARDING.

samlsp SAML-SP.

web-portal VPN-SSL-WEB-PORTAL.

saas SAAS.

ldb-method Method used to distribute sessions to real servers. option - static

Option Description

static Distribute to server based on source IP.

round-robin Distribute to server based round robin order.

weighted Distribute to server based on weight.

first-alive Distribute to the first server that is alive.

http-host Distribute to server based on host field in HTTP header.

virtual-host Virtual host. string Not Specified

url-map-type Type of url-map. option - sub-string

Option Description

sub-string Match the pattern if a string contains the sub-string.

wildcard Match the pattern with wildcards.

regex Match the pattern with a regular expression.

https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Option Description

disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.

enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.

saml-server SAML service provider configuration for VIP string Not Specified
authentication.

saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.

FortiOS 7.2.1 CLI Reference 327

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Do not support redirection after successful SAML authentication.

enable Support redirection after successful SAML authentication.

ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

3072 3072-bit Diffie-Hellman prime.

4096 4096-bit Diffie-Hellman prime.

ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.

Option Description

high High encryption. Allow only AES and ChaCha.

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version

FortiOS 7.2.1 CLI Reference 328

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal

config realservers

Parameter Description Type Size Default

addr-type Type of address. option - ip

address Address or address group of the real server. string Not

health-check Enable to check the responsiveness of the real server option - disable
before forwarding traffic.

health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.

holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).

ssh-client-cert Set access-proxy SSH client certificate profile. string Not

Specified

ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation

ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79

config ssl-cipher-suites

Parameter Description Type Size Default

cipher Cipher suite name. option -

versions SSL/TLS versions that the cipher suite can be used with. option - tls-1.0 tls-
1.1 tls-1.2
tls-1.3

config firewall ipmacbinding setting

Configure IP to MAC binding settings.

config firewall ipmacbinding setting
Description: Configure IP to MAC binding settings.
set bindthroughfw [enable|disable]
set bindtofw [enable|disable]
set undefinedhost [allow|block]
end

config firewall ipmacbinding setting

Parameter Description Type Size Default

allow Allow packets from MAC addresses not in the IP/MAC list.

block Block packets from MAC addresses not in the IP/MAC list.

config firewall ipmacbinding table

Configure IP to MAC address pairs in the IP/MAC binding table.

config firewall ipmacbinding table
Description: Configure IP to MAC address pairs in the IP/MAC binding table.
edit <seq-num>
set ip {ipv4-address}
set mac {mac-address}
set name {string}
set status [enable|disable]
next
end

config firewall ipmacbinding table

Parameter Description Type Size Default

ip IPv4 address portion of the pair (format: ipv4- Not 0.0.0.0

xxx.xxx.xxx.xxx). address Specified

mac MAC address portion of the pair (format = mac- Not 00:00:00:00:00:00
xx:xx:xx:xx:xx:xx in hexadecimal). address Specified

FortiOS 7.2.1 CLI Reference 331

Fortinet Inc.
Parameter Description Type Size Default

name Name of the pair . string Not noname

Specified

status Enable/disable this IP-mac binding pair. option - disable

Option Description

enable Enable this IP-mac binding pair.

disable Disable this IP-mac binding pair.

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
Description: Configure protocol options.
edit <name>
set comment {var-string}
set replacemsg-group {string}
set oversize-log [disable|enable]
set switching-protocols-log [disable|enable]
config http
Description: Configure HTTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set range-block [disable|enable]
set strip-x-forwarded-for [disable|enable]
set post-lang {option1}, {option2}, ...
set streaming-content-bypass [enable|disable]
set switching-protocols [bypass|block]
set unknown-http-version [reject|tunnel|...]
set tunnel-non-http [enable|disable]
set h2c [enable|disable]
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set verify-dns-for-policy-matching [enable|disable]
set block-page-status-code {integer}
set retry-count {integer}
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
set address-ip-rating [enable|disable]

FortiOS 7.2.1 CLI Reference 332

Fortinet Inc.
end
config ftp
Description: Configure FTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
set explicit-ftp-tls [enable|disable]
end
config imap
Description: Configure IMAP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set ssl-offloaded [no|yes]
end
config mapi
Description: Configure MAPI protocol options.
set ports {integer}
set status [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
end
config pop3
Description: Configure POP3 protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set ssl-offloaded [no|yes]
end

FortiOS 7.2.1 CLI Reference 333

Fortinet Inc.
config smtp
Description: Configure SMTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set server-busy [enable|disable]
set ssl-offloaded [no|yes]
end
config nntp
Description: Configure NNTP protocol options.
set ports {integer}
set status [enable|disable]
set inspect-all [enable|disable]
set proxy-after-tcp-handshake [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
end
config ssh
Description: Configure SFTP and SCP protocol options.
set options {option1}, {option2}, ...
set comfort-interval {integer}
set comfort-amount {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set stream-based-uncompressed-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set ssl-offloaded [no|yes]
end
config dns
Description: Configure DNS protocol options.
set ports {integer}
set status [enable|disable]
end
config cifs
Description: Configure CIFS protocol options.
set ports {integer}
set status [enable|disable]
set options {option1}, {option2}, ...
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]

FortiOS 7.2.1 CLI Reference 334

Fortinet Inc.
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set server-credential-type [none|credential-replication|...]
set domain-controller {string}
config server-keytab
Description: Server keytab.
edit <principal>
set keytab {string}
next
end
end
config mail-signature
Description: Configure Mail signature.
set status [disable|enable]
set signature {string}
end
set rpc-over-http [enable|disable]
next
end

config firewall profile-protocol-options

Parameter Description Type Size Default

comment Optional comments. var-string Not

enable Enable inspection of RPC over HTTP.

disable Disable inspection of RPC over HTTP.

FortiOS 7.2.1 CLI Reference 335

Fortinet Inc.
config http

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value: 65535

status Enable/disable the active status of scanning for option - enable

options One or more options that can be applied to the option -

session.

Option Description

clientcomfort Prevent client timeout.

servercomfort Prevent server timeout.

oversize Block oversized file.

chunkedbypass Bypass chunked transfer encoded sites.

comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data . value: 1
Maximum
value: 900

FortiOS 7.2.1 CLI Reference 336

Fortinet Inc.
Parameter Description Type Size Default

comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting . value: 1
Maximum
value: 65535

range-block Enable/disable blocking of partial downloads. option - disable

Option Description

disable Disable range header blocking (allow partial file downloads)

enable Enable range header blocking (treat all partial file downloads as full file
download)

strip-x-forwarded- Enable/disable stripping of HTTP X-Forwarded- option - disable

for For header.

Option Description

disable Disable changing of HTTP X-Forwarded-For header.

enable Enable replacement of X-Forwarded-For value with 1.1.1.1.

post-lang ID codes for character sets to be used to convert option -

to UTF-8 for banned words and DLP on HTTP
posts (maximum of 5 character sets).

Option Description

jisx0201 Japanese Industrial Standard 0201.

jisx0208 Japanese Industrial Standard 0208.

jisx0212 Japanese Industrial Standard 0212.

gb2312 Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex Wansung Korean standard 5601.

euc-jp Extended Unicode Japanese.

sjis Shift Japanese Industrial Standard.

iso2022-jp ISO 2022 Japanese.

iso2022-jp-1 ISO 2022-1 Japanese.

iso2022-jp-2 ISO 2022-2 Japanese.

euc-cn Extended Unicode Chinese.

ces-gbk Extended GB2312 (simplified Chinese).

hz Hanzi simplified Chinese.

FortiOS 7.2.1 CLI Reference 337

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ces-big5 Big-5 traditional Chinese.

euc-kr Extended Unicode Korean.

iso2022-jp-3 ISO 2022-3 Japanese.

iso8859-1 ISO 8859 Part 1 (Western European).

tis620 Thai Industrial Standard 620.

cp874 Code Page 874 (Thai).

tunnel Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying
HTTP protocol optimization, byte-caching, or web caching. TCP protocol
optimization is applied.

best-effort Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session
uses a different HTTP version, it may not parse correctly and the
connection may be lost.

FortiOS 7.2.1 CLI Reference 338

Fortinet Inc.
Parameter Description Type Size Default

tunnel-non-http Configure how to process non-HTTP traffic when option - enable

a profile configured for HTTP traffic accepts a
non-HTTP session. Can occur if an application
sends non-HTTP traffic using an HTTP
destination port.

Option Description

enable Pass non-HTTP sessions through the tunnel without applying protocol
optimization, byte-caching, or web caching. TCP protocol optimization is
applied.

disable Drop or tear down non-HTTP sessions accepted by the profile.

h2c Enable/disable h2c HTTP connection upgrade. option - disable

Option Description

enable Allow h2c HTTP connection upgrades. h2c tunnels do not support content
scan.

disable Do not allow h2c HTTP connection upgrades.

oversize-limit Maximum in-memory file size that can be integer Minimum 10

scanned . value: 1
Maximum
value: 383 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned . value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions . value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 339

Fortinet Inc.
Parameter Description Type Size Default

verify-dns-for- Enable/disable verification of DNS for policy option - enable

policy-matching matching.

Option Description

enable Enable setting.

disable Disable setting.

block-page- Code number returned for blocked HTTP pages . integer Minimum 403
status-code value: 100
Maximum
value: 599

retry-count Number of attempts to retry HTTP connection . integer Minimum 0

value: 0
Maximum
value: 100

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

FortiOS 7.2.1 CLI Reference 340

Fortinet Inc.
Parameter Description Type Size Default

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

address-ip-rating Enable/disable IP based URL rating. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config ftp

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value: 65535

status Enable/disable the active status of scanning for option - enable

this protocol.

Option Description

enable Enable setting.

disable Disable setting.

inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

FortiOS 7.2.1 CLI Reference 341

Fortinet Inc.
Parameter Description Type Size Default

Option Description

clientcomfort Prevent client timeout.

oversize Block oversized file.

splice Enable splice mode.

bypass-rest- Bypass REST command.

command

bypass-mode- Bypass MODE command.

command

comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data . value: 1
Maximum
value: 900

comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting . value: 1
Maximum
value: 65535

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
. value: 1
Maximum
value: 383 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned . value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions . value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

FortiOS 7.2.1 CLI Reference 342

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable setting.

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

explicit-ftp-tls Enable/disable FTP redirection for explicit FTPS. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 343

Fortinet Inc.
** Values may differ between models.

config imap

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned . integer Minimum 10
value: 1
Maximum
value: 383
**

FortiOS 7.2.1 CLI Reference 344

Fortinet Inc.
Parameter Description Type Size Default

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned . value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config mapi

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

disable Disable setting.

** Values may differ between models.

config pop3

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

fragmail Pass fragmented email.

oversize Block oversized email.

oversize-limit Maximum in-memory file size that can be scanned . integer Minimum 10
value: 1
Maximum
value: 383
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned . value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

FortiOS 7.2.1 CLI Reference 347

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config smtp

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

splice Enable splice mode.

oversize-limit Maximum in-memory file size that can be scanned . integer Minimum 10
value: 1
Maximum
value: 383
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned . value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config nntp

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

FortiOS 7.2.1 CLI Reference 350

Fortinet Inc.
Parameter Description Type Size Default

Option Description

splice Enable splice mode.

oversize-limit Maximum in-memory file size that can be scanned . integer Minimum 10
value: 1
Maximum
value: 383
**

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383
**

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned . value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

Option Description

enable Enable setting.

disable Disable setting.

** Values may differ between models.

config ssh

Parameter Description Type Size Default

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

clientcomfort Prevent client timeout.

servercomfort Prevent server timeout.

comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data . value: 1
Maximum
value: 900

FortiOS 7.2.1 CLI Reference 351

Fortinet Inc.
Parameter Description Type Size Default

comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting . value: 1
Maximum
value: 65535

oversize-limit Maximum in-memory file size that can be scanned integer Minimum 10
. value: 1
Maximum
value: 383 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383 **

uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned . value: 2
Maximum
value: 100

stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions . value:
4294967295

scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.

Option Description

enable Enable setting.

disable Disable setting.

tcp-window-type TCP window type to use for this protocol. option - auto-tuning

Option Description

auto-tuning Allow system to auto-tune TCP window size (default).

system Use system default TCP window size for this protocol.

static Manually specify TCP window size.

dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.

FortiOS 7.2.1 CLI Reference 352

Fortinet Inc.
Parameter Description Type Size Default

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value: 65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value: 65536
Maximum
value:
33554432

ssl-offloaded SSL decryption and encryption performed by an option - no

external device.

Option Description

no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.

yes SSL decryption and encryption performed by an external device.

** Values may differ between models.

config dns

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 353

Fortinet Inc.
config cifs

Parameter Description Type Size Default

ports Ports to scan for content . integer Minimum

value: 1
Maximum
value:
65535

status Enable/disable the active status of scanning for this option - enable
protocol.

Option Description

enable Enable setting.

disable Disable setting.

options One or more options that can be applied to the option -

session.

Option Description

oversize Block oversized file.

oversize-limit Maximum in-memory file size that can be scanned . integer Minimum 10
value: 1
Maximum
value: 383 **

uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned . value: 1
Maximum
value: 383 **

uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned . value: 2
Maximum
value: 100

scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable

tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value:
65536
Maximum
value:
1048576

tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

tcp-window-size Set TCP static window size. integer Minimum 262144

value:
65536
Maximum
value:
33554432

server-credential- CIFS server credential type. option - none

type

Option Description

none Credential derivation not set.

credential- Credential derived using Replication account on Domain Controller.

replication

credential- Credential derived using server keytab.

keytab

domain-controller Domain for which to decrypt CIFS traffic. string Not

Specified

** Values may differ between models.

FortiOS 7.2.1 CLI Reference 355

Fortinet Inc.
config server-keytab

Parameter Description Type Size Default

keytab Base64 encoded keytab file containing credential of the string Not
server. Specified

config mail-signature

Parameter Description Type Size Default

status Enable/disable adding an email signature to SMTP option - disable

email messages as they pass through the FortiGate.

Option Description

disable Disable mail signature.

enable Enable mail signature.

signature Email signature to be added to outgoing email (if the string Not
signature contains spaces, enclose with quotation Specified
marks).

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
Description: Configure SSL/SSH protocol options.
edit <name>
set comment {var-string}
config ssl
Description: Configure SSL options.
set inspect-all [disable|certificate-inspection|...]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set cert-probe-failure [allow|block]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config https
Description: Configure HTTPS options.
set ports {integer}
set status [disable|certificate-inspection|...]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]

FortiOS 7.2.1 CLI Reference 356

Fortinet Inc.
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set cert-probe-failure [allow|block]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config ftps
Description: Configure FTPS options.
set ports {integer}
set status [disable|deep-inspection]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config imaps
Description: Configure IMAPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config pop3s
Description: Configure POP3S options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]

FortiOS 7.2.1 CLI Reference 357

Fortinet Inc.
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config smtps
Description: Configure SMTPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ssh
Description: Configure SSH options.
set ports {integer}
set status [disable|deep-inspection]
set inspect-all [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set unsupported-version [bypass|block]
set ssh-tun-policy-check [disable|enable]
set ssh-algorithm [compatible|high-encryption]
end
config dot
Description: Configure DNS over TLS options.
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set allowlist [enable|disable]
set block-blocklisted-certificates [disable|enable]
config ssl-exempt
Description: Servers to exempt from SSL inspection.
edit <id>
set type [fortiguard-category|address|...]
set fortiguard-category {integer}
set address {string}
set address6 {string}
set wildcard-fqdn {string}
set regex {string}
next
end

FortiOS 7.2.1 CLI Reference 358

Fortinet Inc.
set server-cert-mode [re-sign|replace]
set use-ssl-server [disable|enable]
set caname {string}
set untrusted-caname {string}
set server-cert <name1>, <name2>, ...
config ssl-server
Description: SSL server settings used for client certificate request.
edit <id>
set ip {ipv4-address-any}
set https-client-certificate [bypass|inspect|...]
set smtps-client-certificate [bypass|inspect|...]
set pop3s-client-certificate [bypass|inspect|...]
set imaps-client-certificate [bypass|inspect|...]
set ftps-client-certificate [bypass|inspect|...]
set ssl-other-client-certificate [bypass|inspect|...]
next
end
set ssl-exemption-ip-rating [enable|disable]
set ssl-exemption-log [disable|enable]
set ssl-anomaly-log [disable|enable]
set ssl-negotiation-log [disable|enable]
set ssl-server-cert-log [disable|enable]
set ssl-handshake-log [disable|enable]
set rpc-over-https [enable|disable]
set mapi-over-https [enable|disable]
set supported-alpn [http1-1|http2|...]
next
end

config firewall ssl-ssh-profile

Parameter Description Type Size Default

comment Optional comments. var-string Not

Specified

allowlist Enable/disable exempting servers by FortiGuard option - disable

allowlist.

Option Description

enable Enable setting.

disable Disable setting.

block- Enable/disable blocking SSL-based botnet option - enable

blocklisted- communication by FortiGuard certificate blocklist.
certificates

Option Description

disable Disable FortiGuard certificate blocklist.

enable Enable FortiGuard certificate blocklist.

FortiOS 7.2.1 CLI Reference 359

Fortinet Inc.
Parameter Description Type Size Default

server-cert- Re-sign or replace the server's certificate. option - re-sign

mode

Option Description

re-sign Multiple clients connecting to multiple servers.

replace Protect an SSL server.

use-ssl-server Enable/disable the use of SSL server table for SSL option - disable
offloading.

Option Description

disable Don't use SSL server configuration.

enable Use SSL server configuration.

caname CA certificate used by SSL Inspection. string Not Fortinet_

Specified CA_SSL

untrusted- Untrusted CA certificate used by SSL Inspection. string Not Fortinet_

caname Specified CA_
Untrusted

server-cert Certificate used by SSL Inspection to replace server string Maximum

<name> certificate. length: 35
Certificate list.

ssl- Enable/disable IP based URL rating. option - enable

exemption-ip-
rating

Option Description

enable Enable IP based URL rating.

disable Disable IP based URL rating.

ssl- Enable/disable logging SSL exemptions. option - disable

exemption-log

Option Description

disable Disable logging SSL exemptions.

enable Enable logging SSL exemptions.

ssl-anomaly- Enable/disable logging of SSL anomalies. option - enable

log

https

Option Description

enable Enable inspection of MAPI over HTTPS.

disable Disable inspection of MAPI over HTTPS.

FortiOS 7.2.1 CLI Reference 361

Fortinet Inc.
Parameter Description Type Size Default

supported- Configure ALPN option. option - all

alpn

Option Description

http1-1 Enable ALPN of HTTP1.1.

http2 Enable ALPN of HTTP2.

all Enable ALPN of HTTP1.1 and HTTP2.

none Do not use ALPN.

config ssl

Parameter Description Type Size Default

inspect-all Level of SSL inspection. option - disable

Option Description

disable Disable.

certificate- Inspect SSL handshake only.

inspection

deep-inspection Full SSL inspection.

client-certificate Action based on received client certificate. option - bypass

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

FortiOS 7.2.1 CLI Reference 362

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

FortiOS 7.2.1 CLI Reference 363

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

cert-probe- Action based on certificate probe failure. option - block

failure

Option Description

allow Bypass the session when unable to retrieve server's certificate for
inspection.

block Block the session when unable to retrieve server's certificate for inspection.

min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

FortiOS 7.2.1 CLI Reference 364

Fortinet Inc.
Parameter Description Type Size Default

Option Description

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config https

Parameter Description Type Size Default

ports Ports to use for scanning . integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

certificate- Inspect SSL handshake only.

inspection

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - bypass

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

FortiOS 7.2.1 CLI Reference 365

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

cert-probe- Action based on certificate probe failure. option - block

failure

Option Description

allow Bypass the session when unable to retrieve server's certificate for
inspection.

block Block the session when unable to retrieve server's certificate for inspection.

FortiOS 7.2.1 CLI Reference 367

Fortinet Inc.
Parameter Description Type Size Default

min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

config ftps

Parameter Description Type Size Default

ports Ports to use for scanning . integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

block Block the session.

ignore Re-sign the server certificate as trusted.

untrusted- Action based on server certificate is not issued by a option - allow

server-cert trusted CA.

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation timeout. option - allow

timeout

FortiOS 7.2.1 CLI Reference 369

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version

Option Description

ssl-3.0 SSL 3.0.

tls-1.0 TLS 1.0.

tls-1.1 TLS 1.1.

tls-1.2 TLS 1.2.

tls-1.3 TLS 1.3.

FortiOS 7.2.1 CLI Reference 370

Fortinet Inc.
config imaps

Parameter Description Type Size Default

ports Ports to use for scanning . integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

cert-validation- Action based on certificate validation failure. option - block

failure

FortiOS 7.2.1 CLI Reference 372

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

config pop3s

Parameter Description Type Size Default

ports Ports to use for scanning . integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

FortiOS 7.2.1 CLI Reference 373

Fortinet Inc.
Parameter Description Type Size Default

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.

Option Description

allow Bypass the session when the version is not supported.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

timeout

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

cert-validation- Action based on certificate validation failure. option - block

failure

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.2.1 CLI Reference 375

Fortinet Inc.
config smtps

Parameter Description Type Size Default

ports Ports to use for scanning . integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - deep-

inspection

Option Description

disable Disable.

deep-inspection Full SSL inspection.

proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).

Option Description

enable Enable setting.

disable Disable setting.

client-certificate Action based on received client certificate. option - inspect

Option Description

bypass Bypass the session.

inspect Inspect the session.

block Block the session.

cert-validation- Action based on certificate validation failure. option - block

failure

FortiOS 7.2.1 CLI Reference 377

Fortinet Inc.
Parameter Description Type Size Default

Option Description

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

config ssh

Parameter Description Type Size Default

ports Ports to use for scanning . integer Minimum

value: 1
Maximum
value:
65535

status Configure protocol inspection status. option - disable

Option Description

disable Disable.

block Block the session when the version is not supported.

unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.

Option Description

allow Bypass the session when the cipher is not supported.

block Block the session when the cipher is not supported.

unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.

Option Description

allow Bypass the session when the negotiation is not supported.

block Block the session when the negotiation is not supported.

expired-server- Action based on server certificate is expired. option - block

cert

Option Description

allow Allow the server certificate.

block Block the session.

allow Allow the server certificate.

block Block the session.

ignore Re-sign the server certificate as trusted.

sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.

Option Description

enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.

strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.

disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

FortiOS 7.2.1 CLI Reference 381

Fortinet Inc.
config ssl-exempt

Parameter Description Type Size Default

type Type of address object (IPv4 or IPv6) or FortiGuard option - fortiguard-

category. category

Option Description

fortiguard- FortiGuard category.

address Firewall IPv4 address.

address6 Firewall IPv6 address.

wildcard-fqdn Fully Qualified Domain Name with wildcard characters.

regex Regular expression FQDN.

fortiguard- FortiGuard category ID. integer Minimum 0

category value: 0
Maximum
value: 255

address IPv4 address object. string Not

Specified

address6 IPv6 address object. string Not

Specified

wildcard-fqdn Exempt servers by wildcard FQDN. string Not

Specified

regex Exempt servers by regular expression. string Not

Specified

config ssl-server

Parameter Description Type Size Default

ip IPv4 address of the SSL server. ipv4- Not 0.0.0.0

address- Specified
any

https-client- Action based on received client certificate during the option - bypass
certificate HTTPS handshake.

Option Description

bypass Bypass the session.

inspect Inspect the session.

bypass Bypass the session.

ssh-filter- Name of an existing SSH filter profile. string Not

profile Specified

config firewall ssl-server

Configure SSL servers.

config firewall ssl-server
Description: Configure SSL servers.
edit <name>
set ip {ipv4-address-any}
set port {integer}
set ssl-mode [half|full]
set add-header-x-forwarded-proto [enable|disable]
set mapped-port {integer}
set ssl-cert {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
set ssl-client-renegotiation [allow|deny|...]
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-send-empty-frags [enable|disable]
set url-rewrite [enable|disable]
next
end

FortiOS 7.2.1 CLI Reference 385

Fortinet Inc.
config firewall ssl-server

Parameter Description Type Size Default

ip IPv4 address of the SSL server. ipv4- Not 0.0.0.0

address- Specified
any

port Server service port . integer Minimum 443

value: 1
Maximum
value:
65535

ssl-mode SSL/TLS mode for encryption and decryption of traffic. option - full

Option Description

half Client to FortiGate SSL.

full Client to FortiGate and FortiGate to Server SSL.

add-header-x- Enable/disable adding an X-Forwarded-Proto header option - enable

forwarded- to forwarded requests.
proto

Option Description

enable Add X-Forwarded-Proto header.

disable Do not add X-Forwarded-Proto header.

mapped-port Mapped server service port . integer Minimum 80

value: 1
Maximum
value:
65535

ssl-cert Name of certificate for SSL connections to this server . string Not Fortinet_
Specified CA_SSL

ssl-dh-bits Bit-size of Diffie-Hellman . option - 2048

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.

FortiOS 7.2.1 CLI Reference 386

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high High encryption. Allow only AES and ChaCha

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-client- Allow or block client renegotiation by server. option - allow

renegotiation

Option Description

allow Allow a SSL client to renegotiate.

deny Abort any SSL connection that attempts to renegotiate.

secure Reject any SSL connection that does not offer a RFC 5746 Secure
Renegotiation Indication.

ssl-min-version Lowest SSL/TLS version to negotiate. option - tls-1.1

enable Enable setting.

disable Disable setting.

config firewall identity-based-route

Configure identity based routing.

config firewall identity-based-route
Description: Configure identity based routing.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set gateway {ipv4-address}
set device {string}
set groups <name1>, <name2>, ...
next
end
next
end

config firewall identity-based-route

Parameter Description Type Size Default

comments Comments. string Not

Specified

config rule

Parameter Description Type Size Default

gateway IPv4 address of the gateway (Format: xxx.xxx.xxx.xxx , ipv4- Not 0.0.0.0
Default: 0.0.0.0). address Specified

device Outgoing interface for the rule. string Not

Specified

groups Select one or more group(s) from available groups that string Maximum
<name> are allowed to use this route. Separate group names length: 79
with a space.
Group name.

FortiOS 7.2.1 CLI Reference 388

Fortinet Inc.
config firewall auth-portal

Configure firewall authentication portals.

config firewall auth-portal
Description: Configure firewall authentication portals.
set groups <name1>, <name2>, ...
set portal-addr {string}
set portal-addr6 {string}
set identity-based-route {string}
end

config firewall auth-portal

Parameter Description Type Size Default

groups Firewall user groups permitted to authenticate through string Maximum

<name> this portal. Separate group names with spaces. length: 79
Group name.

portal-addr Address (or FQDN) of the authentication portal. string Not

Specified

portal-addr6 IPv6 address (or FQDN) of authentication portal. string Not

Specified

identity- Name of the identity-based route that applies to this string Not
based-route portal. Specified

config firewall security-policy

Configure NGFW IPv4/IPv6 application policies.

config firewall security-policy
Description: Configure NGFW IPv4/IPv6 application policies.
edit <policyid>
set uuid {uuid}
set name {string}
set comments {var-string}
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-group <name1>, <name2>, ...
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-src [enable|disable]

FortiOS 7.2.1 CLI Reference 389

Fortinet Inc.
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service6 [enable|disable]
set internet-service6-name <name1>, <name2>, ...
set internet-service6-negate [enable|disable]
set internet-service6-group <name1>, <name2>, ...
set internet-service6-custom <name1>, <name2>, ...
set internet-service6-custom-group <name1>, <name2>, ...
set internet-service6-src [enable|disable]
set internet-service6-src-name <name1>, <name2>, ...
set internet-service6-src-negate [enable|disable]
set internet-service6-src-group <name1>, <name2>, ...
set internet-service6-src-custom <name1>, <name2>, ...
set internet-service6-src-custom-group <name1>, <name2>, ...
set enforce-default-app-port [enable|disable]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set action [accept|deny]
set send-deny-packet [disable|enable]
set schedule {string}
set status [enable|disable]
set logtraffic [all|utm|...]
set learning-mode [enable|disable]
set nat46 [enable|disable]
set nat64 [enable|disable]
set profile-type [single|group]
set profile-group {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set av-profile {string}
set webfilter-profile {string}
set dnsfilter-profile {string}
set emailfilter-profile {string}
set dlp-profile {string}
set file-filter-profile {string}
set ips-sensor {string}
set application-list {string}
set voip-profile {string}
set sctp-filter-profile {string}
set icap-profile {string}
set cifs-profile {string}
set videofilter-profile {string}
set ssh-filter-profile {string}
set application <id1>, <id2>, ...
set app-category <id1>, <id2>, ...
set url-category {user}
set app-group <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set users <name1>, <name2>, ...
set fsso-groups <name1>, <name2>, ...
next
end

FortiOS 7.2.1 CLI Reference 390

Fortinet Inc.
config firewall security-policy

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

name Policy name. string Not Specified

comments Comment. var-string Not Specified

srcintf Incoming (ingress) interface. string Maximum

<name> Interface name. length: 79

dstintf Outgoing (egress) interface. string Maximum

<name> Interface name. length: 79

srcaddr Source IPv4 address name and address group string Maximum
<name> names. length: 79
Address name.

srcaddr- When enabled srcaddr specifies what the option - disable

negate source address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

dstaddr Destination IPv4 address name and address string Maximum

<name> group names. length: 79
Address name.

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

srcaddr6 Source IPv6 address name and address group string Maximum
<name> names. length: 79
Address name.

dstaddr6 Destination IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

FortiOS 7.2.1 CLI Reference 391

Fortinet Inc.
Parameter Description Type Size Default

internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address, service
and default application port enforcement are not
used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>

internet- When enabled internet-service specifies what option - disable

service- the service must NOT be.
negate

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Enable/disable use of Internet Services in option - disable

service-src source for this policy. If enabled, source address
is not used.

Option Description

enable Enable use of Internet Services source in policy.

disable Disable use of Internet Services source in policy.

FortiOS 7.2.1 CLI Reference 392

Fortinet Inc.
Parameter Description Type Size Default

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service-src specifies option - disable

service-src- what the service must NOT be.
negate

Option Description

enable Enable negated Internet Service source match.

disable Disable negated Internet Service source match.

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group
<name>

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

internet- Enable/disable use of IPv6 Internet Services for option - disable

service6 this policy. If enabled, destination address,
service and default application port enforcement
are not used.

Option Description

enable Enable use of IPv6 Internet Services in policy.

disable Disable use of IPv6 Internet Services in policy.

internet- IPv6 Internet Service name. string Maximum

service6- IPv6 Internet Service name. length: 79
name
<name>

internet- When enabled internet-service6 specifies what option - disable

service6- the service must NOT be.
negate

FortiOS 7.2.1 CLI Reference 393

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable negated IPv6 Internet Service match.

disable Disable negated IPv6 Internet Service match.

internet- Internet Service group name. string Maximum

service6- Internet Service group name. length: 79
group
<name>

internet- Custom IPv6 Internet Service name. string Maximum

service6- Custom IPv6 Internet Service name. length: 79
custom
<name>

internet- Custom IPv6 Internet Service group name. string Maximum

service6- Custom IPv6 Internet Service group name. length: 79
custom-group
<name>

internet- Enable/disable use of IPv6 Internet Services in option - disable

service6-src source for this policy. If enabled, source address
is not used.

Option Description

enable Enable use of IPv6 Internet Services source in policy.

disable Disable use of IPv6 Internet Services source in policy.

internet- IPv6 Internet Service source name. string Maximum

service6-src- Internet Service name. length: 79
name
<name>

internet- When enabled internet-service6-src specifies option - disable

service6-src- what the service must NOT be.
negate

Option Description

enable Enable negated IPv6 Internet Service source match.

disable Disable negated IPv6 Internet Service source match.

internet- Internet Service6 source group name. string Maximum

service6-src- Internet Service group name. length: 79
group
<name>

FortiOS 7.2.1 CLI Reference 394

Fortinet Inc.
Parameter Description Type Size Default

internet- Custom IPv6 Internet Service source name. string Maximum

service6-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service6 source group name. string Maximum

service6-src- Custom Internet Service6 group name. length: 79
custom-group
<name>

enforce- Enable/disable default application port option - enable

default-app- enforcement for allowed applications.
port

Option Description

enable Enable setting.

disable Disable setting.

service Service and service group names. string Maximum

<name> Service name. length: 79

service- When enabled service specifies what the option - disable

negate service must NOT be.

Option Description

enable Enable negated service match.

disable Disable negated service match.

action Policy action (accept/deny). option - deny

Option Description

accept Allows session that match the firewall policy.

deny Blocks sessions that match the firewall policy.

send-deny- Enable to send a reply when a session is denied option - disable

packet or blocked by a firewall policy.

Option Description

disable Disable deny-packet sending.

enable Enable deny-packet sending.

disable Disable NAT46.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

profile-group Name of profile group. string Not Specified

FortiOS 7.2.1 CLI Reference 396

Fortinet Inc.
Parameter Description Type Size Default

profile- Name of an existing Protocol options profile. string Not Specified default
protocol-
options

ssl-ssh-profile Name of an existing SSL SSH profile. string Not Specified no-inspection

av-profile Name of an existing Antivirus profile. string Not Specified

webfilter- Name of an existing Web filter profile. string Not Specified

profile

dnsfilter- Name of an existing DNS filter profile. string Not Specified

profile

emailfilter- Name of an existing email filter profile. string Not Specified

profile

dlp-profile Name of an existing DLP profile. string Not Specified

file-filter- Name of an existing file-filter profile. string Not Specified

profile

ips-sensor Name of an existing IPS sensor. string Not Specified

application- Name of an existing Application list. string Not Specified

list

voip-profile Name of an existing VoIP profile. string Not Specified

sctp-filter- Name of an existing SCTP filter profile. string Not Specified

profile

icap-profile Name of an existing ICAP profile. string Not Specified

cifs-profile Name of an existing CIFS profile. string Not Specified

videofilter- Name of an existing VideoFilter profile. string Not Specified

profile

ssh-filter- Name of an existing SSH filter profile. string Not Specified

profile

application Application ID list. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295

app-category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295

url-category URL categories or groups. user Not Specified

FortiOS 7.2.1 CLI Reference 397

Fortinet Inc.
Parameter Description Type Size Default

app-group Application group names. string Maximum

<name> Application group names. length: 79

groups Names of user groups that can authenticate with string Maximum
<name> this policy. length: 79
User group name.

users <name> Names of individual users that can authenticate string Maximum
with this policy. length: 79
User name.

fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511

config firewall policy

Configure IPv4/IPv6 policies.

config firewall policy
Description: Configure IPv4/IPv6 policies.
edit <policyid>
set status [enable|disable]
set name {string}
set uuid {uuid}
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set action [accept|deny|...]
set nat64 [enable|disable]
set nat46 [enable|disable]
set ztna-status [enable|disable]
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set ztna-ems-tag <name1>, <name2>, ...
set ztna-geo-tag <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-name <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-custom <name1>, <name2>, ...
set network-service-dynamic <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-src [enable|disable]
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-custom <name1>, <name2>, ...
set network-service-src-dynamic <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set reputation-minimum {integer}
set reputation-direction [source|destination]
set src-vendor-mac <id1>, <id2>, ...
set internet-service6 [enable|disable]
set internet-service6-name <name1>, <name2>, ...

FortiOS 7.2.1 CLI Reference 398

Fortinet Inc.
set internet-service6-group <name1>, <name2>, ...
set internet-service6-custom <name1>, <name2>, ...
set internet-service6-custom-group <name1>, <name2>, ...
set internet-service6-src [enable|disable]
set internet-service6-src-name <name1>, <name2>, ...
set internet-service6-src-group <name1>, <name2>, ...
set internet-service6-src-custom <name1>, <name2>, ...
set internet-service6-src-custom-group <name1>, <name2>, ...
set reputation-minimum6 {integer}
set reputation-direction6 [source|destination]
set rtp-nat [disable|enable]
set rtp-addr <name1>, <name2>, ...
set send-deny-packet [disable|enable]
set firewall-session-dirty [check-all|check-new]
set schedule {string}
set schedule-timeout [enable|disable]
set policy-expiry [enable|disable]
set policy-expiry-date {datetime}
set service <name1>, <name2>, ...
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set anti-replay [enable|disable]
set tcp-session-without-syn [all|data-only|...]
set geoip-anycast [enable|disable]
set geoip-match [physical-location|registered-location]
set dynamic-shaping [enable|disable]
set passive-wan-health-measurement [enable|disable]
set utm-status [enable|disable]
set inspection-mode [proxy|flow]
set http-policy-redirect [enable|disable]
set ssh-policy-redirect [enable|disable]
set webproxy-profile {string}
set profile-type [single|group]
set profile-group {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set av-profile {string}
set webfilter-profile {string}
set dnsfilter-profile {string}
set emailfilter-profile {string}
set dlp-profile {string}
set file-filter-profile {string}
set ips-sensor {string}
set application-list {string}
set voip-profile {string}
set sctp-filter-profile {string}
set icap-profile {string}
set cifs-profile {string}
set videofilter-profile {string}
set waf-profile {string}
set ssh-filter-profile {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set auto-asic-offload [enable|disable]
set np-acceleration [enable|disable]
set webproxy-forward-server {string}

FortiOS 7.2.1 CLI Reference 399

Fortinet Inc.
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set per-ip-shaper {string}
set nat [enable|disable]
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set fixedport [enable|disable]
set ippool [enable|disable]
set poolname <name1>, <name2>, ...
set poolname6 <name1>, <name2>, ...
set session-ttl {user}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set inbound [enable|disable]
set outbound [enable|disable]
set natinbound [enable|disable]
set natoutbound [enable|disable]
set fec [enable|disable]
set wccp [enable|disable]
set ntlm [enable|disable]
set ntlm-guest [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set fsso-agent-for-ntlm {string}
set groups <name1>, <name2>, ...
set users <name1>, <name2>, ...
set fsso-groups <name1>, <name2>, ...
set auth-path [enable|disable]
set disclaimer [enable|disable]
set email-collect [enable|disable]
set vpntunnel {string}
set natip {ipv4-classnet}
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set diffserv-copy [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set tcp-mss-sender {integer}
set tcp-mss-receiver {integer}
set comments {var-string}
set auth-cert {string}
set auth-redirect-addr {string}
set redirect-url {var-string}
set identity-based-route {string}
set block-notification [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set replacemsg-override-group {string}
set srcaddr-negate [enable|disable]
set srcaddr6-negate [enable|disable]
set dstaddr-negate [enable|disable]
set dstaddr6-negate [enable|disable]
set service-negate [enable|disable]
set internet-service-negate [enable|disable]
set internet-service-src-negate [enable|disable]
set internet-service6-negate [enable|disable]
set internet-service6-src-negate [enable|disable]

FortiOS 7.2.1 CLI Reference 400

Fortinet Inc.
set timeout-send-rst [enable|disable]
set captive-portal-exempt [enable|disable]
set decrypted-traffic-mirror {string}
set dsri [enable|disable]
set radius-mac-auth-bypass [enable|disable]
set delay-tcp-npu-session [enable|disable]
set vlan-filter {user}
set sgt-check [enable|disable]
set sgt <id1>, <id2>, ...
next
end

config firewall policy

Parameter Description Type Size Default

status Enable or disable this policy. option - enable

Option Description

enable Enable setting.

disable Disable setting.

name Policy name. string Not Specified

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

srcintf <name> Incoming (ingress) interface. string Maximum

Interface name. length: 79

dstintf <name> Outgoing (egress) interface. string Maximum

Interface name. length: 79

action Policy action (accept/deny/ipsec). option - deny

Option Description

accept Allows session that match the firewall policy.

deny Blocks sessions that match the firewall policy.

ipsec Firewall policy becomes a policy-based IPsec VPN policy.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

nat46 Enable/disable NAT46. option - disable

FortiOS 7.2.1 CLI Reference 401

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable NAT46.

disable Disable NAT46.

ztna-status Enable/disable zero trust access. option - disable

Option Description

enable Enable zero trust network access.

disable Disable zero trust network access.

srcaddr <name> Source IPv4 address and address group string Maximum
names. length: 79
Address name.

dstaddr <name> Destination IPv4 address and address group string Maximum
names. length: 79
Address name.

srcaddr6 Source IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

dstaddr6 Destination IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.

ztna-ems-tag Source ztna-ems-tag names. string Maximum

<name> Address name. length: 79

ztna-geo-tag Source ztna-geo-tag names. string Maximum

<name> Address name. length: 79

internet-service Enable/disable use of Internet Services for option - disable

this policy. If enabled, destination address
and service are not used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet-service- Internet Service name. string Maximum

name <name> Internet Service name. length: 79

internet-service- Internet Service group name. string Maximum

group <name> Internet Service group name. length: 79

FortiOS 7.2.1 CLI Reference 402

Fortinet Inc.
Parameter Description Type Size Default

internet-service- Custom Internet Service name. string Maximum

custom <name> Custom Internet Service name. length: 79

network- Dynamic Network Service name. string Maximum

service-dynamic Dynamic Network Service name. length: 79
<name>

internet-service- Custom Internet Service group name. string Maximum

custom-group Custom Internet Service group name. length: 79
<name>

internet-service- Enable/disable use of Internet Services in option - disable

src source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of Internet Services source in policy.

disable Disable use of Internet Services source in policy.

internet-service- Internet Service source name. string Maximum

src-name Internet Service name. length: 79
<name>

internet-service- Internet Service source group name. string Maximum

src-group Internet Service group name. length: 79
<name>

internet-service- Custom Internet Service source name. string Maximum

src-custom Custom Internet Service name. length: 79
<name>

network- Dynamic Network Service source name. string Maximum

service-src- Dynamic Network Service name. length: 79
dynamic
<name>

internet-service- Custom Internet Service source group name. string Maximum

src-custom- Custom Internet Service group name. length: 79
group <name>

reputation- Minimum Reputation to take action. integer Minimum 0

minimum value: 0
Maximum
value:
4294967295

reputation- Direction of the initial traffic for reputation to option - destination

direction take effect.

FortiOS 7.2.1 CLI Reference 403

Fortinet Inc.
Parameter Description Type Size Default

Option Description

source Check reputation for source address.

destination Check reputation for destination address.

src-vendor-mac Vendor MAC source ID. integer Minimum

<id> Vendor MAC ID. value: 0
Maximum
value:
4294967295

internet- Enable/disable use of IPv6 Internet Services option - disable

service6 for this policy. If enabled, destination address
and service are not used.

Option Description

enable Enable use of IPv6 Internet Services in policy.

disable Disable use of IPv6 Internet Services in policy.

internet- IPv6 Internet Service name. string Maximum

service6-name IPv6 Internet Service name. length: 79
<name>

internet- Internet Service group name. string Maximum

service6-group Internet Service group name. length: 79
<name>

internet- Custom IPv6 Internet Service name. string Maximum

service6- Custom Internet Service name. length: 79
custom <name>

internet- Custom Internet Service6 group name. string Maximum

service6- Custom Internet Service6 group name. length: 79
custom-group
<name>

internet- Enable/disable use of IPv6 Internet Services option - disable

service6-src in source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of IPv6 Internet Services source in policy.

disable Disable use of IPv6 Internet Services source in policy.

internet- IPv6 Internet Service source name. string Maximum

service6-src- Internet Service name. length: 79
name <name>

FortiOS 7.2.1 CLI Reference 404

Fortinet Inc.
Parameter Description Type Size Default

internet- Internet Service6 source group name. string Maximum

service6-src- Internet Service group name. length: 79
group <name>

internet- Custom IPv6 Internet Service source name. string Maximum

service6-src- Custom Internet Service name. length: 79
custom <name>

internet- Custom Internet Service6 source group string Maximum

service6-src- name. length: 79
custom-group Custom Internet Service6 group name.
<name>

reputation- IPv6 Minimum Reputation to take action. integer Minimum 0

minimum6 value: 0
Maximum
value:
4294967295

reputation- Direction of the initial traffic for IPv6 option - destination

direction6 reputation to take effect.

Option Description

source Check reputation for IPv6 source address.

destination Check reputation for IPv6 destination address.

rtp-nat Enable Real Time Protocol (RTP) NAT. option - disable

Option Description

disable Disable setting.

enable Enable setting.

rtp-addr Address names if this is an RTP NAT policy. string Maximum

<name> Address name. length: 79

send-deny- Enable to send a reply when a session is option - disable

packet denied or blocked by a firewall policy.

Option Description

disable Disable deny-packet sending.

enable Enable deny-packet sending.

firewall-session- How to handle sessions if the configuration of option - check-all

dirty this firewall policy changes.

FortiOS 7.2.1 CLI Reference 405

Fortinet Inc.
Parameter Description Type Size Default

Option Description

check-all Flush all current sessions accepted by this policy. These sessions must be
started and re-matched with policies.

check-new Continue to allow sessions already accepted by this policy.

schedule Schedule name. string Not Specified

schedule- Enable to force current sessions to end when option - disable

timeout the schedule object times out. Disable allows
them to end from inactivity.

Option Description

enable Enable schedule timeout.

disable Disable schedule timeout.

policy-expiry Enable/disable policy expiry. option - disable

Option Description

enable Enable policy expiry.

disable Disable polcy expiry.

policy-expiry- Policy expiry date (YYYY-MM-DD datetime Not Specified 0000-00-00

date HH:MM:SS). 00:00:00

service <name> Service and service group names. string Maximum

Service and service group names. length: 79

tos ToS (Type of Service) value used for user Not Specified
comparison.

tos-mask Non-zero bit positions are used for user Not Specified
comparison while zero bit positions are
ignored.

tos-negate Enable negated TOS match. option - disable

Option Description

enable Enable TOS match negate.

disable Disable TOS match negate.

anti-replay Enable/disable anti-replay check. option - enable

FortiOS 7.2.1 CLI Reference 406

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable anti-replay check.

disable Disable anti-replay check.

tcp-session- Enable/disable creation of TCP session option - disable

without-syn without SYN flag.

Option Description

all Enable TCP session without SYN.

data-only Enable TCP session data only.

disable Disable TCP session without SYN.

geoip-anycast Enable/disable recognition of anycast IP option - disable

addresses using the geography IP database.

Option Description

enable Enable recognition of anycast IP addresses using the geography IP

database.

disable Disable recognition of anycast IP addresses using the geography IP

database.

geoip-match Match geography address based either on its option - physical-location

physical location or registered location.

Option Description

physical-location Match geography address to its physical location using the geography IP
database.

registered- Match geography address to its registered location using the geography IP
location database.

dynamic- Enable/disable dynamic RADIUS defined option - disable

shaping traffic shaping.

Option Description

enable Enable dynamic RADIUS defined traffic shaping.

disable Disable dynamic RADIUS defined traffic shaping.

passive-wan- Enable/disable passive WAN health option - disable

health- measurement. When enabled, auto-asic-
measurement offload is disabled.

webproxy- Webproxy profile name. string Not Specified

profile

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

Option Description

single Do not allow security profile groups.

group Allow security profile groups.

FortiOS 7.2.1 CLI Reference 408

Fortinet Inc.
Parameter Description Type Size Default

profile-group Name of profile group. string Not Specified

profile-protocol- Name of an existing Protocol options profile. string Not Specified default
options

ssl-ssh-profile Name of an existing SSL SSH profile. string Not Specified no-inspection

av-profile Name of an existing Antivirus profile. string Not Specified

webfilter-profile Name of an existing Web filter profile. string Not Specified

dnsfilter-profile Name of an existing DNS filter profile. string Not Specified

emailfilter- Name of an existing email filter profile. string Not Specified

profile

dlp-profile Name of an existing DLP profile. string Not Specified

file-filter-profile Name of an existing file-filter profile. string Not Specified

ips-sensor Name of an existing IPS sensor. string Not Specified

application-list Name of an existing Application list. string Not Specified

voip-profile Name of an existing VoIP profile. string Not Specified

sctp-filter-profile Name of an existing SCTP filter profile. string Not Specified

icap-profile Name of an existing ICAP profile. string Not Specified

cifs-profile Name of an existing CIFS profile. string Not Specified

videofilter- Name of an existing VideoFilter profile. string Not Specified

profile

waf-profile Name of an existing Web application firewall string Not Specified

profile.

np-acceleration Enable/disable UTM Network Processor option - enable

* acceleration.

Option Description

enable Enable UTM Network Processor acceleration.

disable Disable UTM Network Processor acceleration.

webproxy- Webproxy forward server name. string Not Specified

forward-server

traffic-shaper Traffic shaper. string Not Specified

traffic-shaper- Reverse traffic shaper. string Not Specified

reverse

per-ip-shaper Per-IP traffic shaper. string Not Specified

nat Enable/disable source NAT. option - disable

Option Description

enable Enable setting.

disable Disable setting.

permit-any-host Accept UDP packets from any host. option - disable

Option Description

enable Enable setting.

disable Disable setting.

permit-stun-host Accept UDP packets from any Session option - disable

Traversal Utilities for NAT (STUN) host.

Option Description

enable Enable setting.

disable Disable setting.

fixedport Enable to prevent source NAT from changing option - disable

a session's source port.

FortiOS 7.2.1 CLI Reference 410

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

ippool Enable to use IP Pools for source NAT. option - disable

Option Description

enable Enable setting.

disable Disable setting.

poolname IP Pool names. string Maximum

<name> IP pool name. length: 79

poolname6 IPv6 pool names. string Maximum

<name> IPv6 pool name. length: 79

session-ttl TTL in seconds for sessions accepted by this user Not Specified
policy .

vlan-cos-fwd VLAN forward direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7

vlan-cos-rev VLAN reverse direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7

inbound Policy-based IPsec VPN: only traffic from the option - disable
remote network can initiate a VPN.

Option Description

enable Enable setting.

disable Disable setting.

outbound Policy-based IPsec VPN: only traffic from the option - enable
internal network can initiate a VPN.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable WCCP setting.

disable Disable WCCP setting.

ntlm Enable/disable NTLM authentication. option - disable

Option Description

enable Enable setting.

disable Disable setting.

ntlm-guest Enable/disable NTLM guest user access. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 412

Fortinet Inc.
Parameter Description Type Size Default

ntlm-enabled- HTTP-User-Agent value of supported string Maximum

browsers browsers. length: 79
<user-agent- User agent string.
string>

fsso-agent-for- FSSO agent to use for NTLM authentication. string Not Specified
ntlm

groups <name> Names of user groups that can authenticate string Maximum
with this policy. length: 79
Group name.

users <name> Names of individual users that can string Maximum

authenticate with this policy. length: 79
Names of individual users that can
authenticate with this policy.

fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511

auth-path Enable/disable authentication-based routing. option - disable

Option Description

enable Enable authentication-based routing.

disable Disable authentication-based routing.

disclaimer Enable/disable user authentication option - disable

disclaimer.

Option Description

enable Enable user authentication disclaimer.

disable Disable user authentication disclaimer.

email-collect Enable/disable email collection. option - disable

Option Description

enable Enable email collection.

disable Disable email collection.

vpntunnel Policy-based IPsec VPN: name of the IPsec string Not Specified
VPN Phase 1.

natip Policy-based IPsec VPN: source NAT IP ipv4- Not Specified 0.0.0.0 0.0.0.0
address for outgoing traffic. classnet

FortiOS 7.2.1 CLI Reference 413

Fortinet Inc.
Parameter Description Type Size Default

match-vip Enable to match packets that have had their option - disable
destination addresses changed by a VIP.

Option Description

enable Match DNATed packet.

disable Do not match DNATed packet.

match-vip-only Enable/disable matching of only those option - disable

packets that have had their destination
addresses changed by a VIP.

Option Description

enable Enable matching of only those packets that have had their destination
addresses changed by a VIP.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Change packet's DiffServ to this value. user Not Specified

forward

FortiOS 7.2.1 CLI Reference 414

Fortinet Inc.
Parameter Description Type Size Default

diffservcode-rev Change packet's reverse (reply) DiffServ to user Not Specified

this value.

tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum 0

value: 0
Maximum
value: 65535

tcp-mss- Receiver TCP maximum segment size integer Minimum 0

receiver (MSS). value: 0
Maximum
value: 65535

comments Comment. var-string Not Specified

auth-cert HTTPS server certificate for policy string Not Specified

authentication.

auth-redirect- HTTP-to-HTTPS redirect address for firewall string Not Specified

addr authentication.

redirect-url URL users are directed to after seeing and var-string Not Specified
accepting the disclaimer or authenticating.

identity-based- Name of identity-based routing rule. string Not Specified

route

block- Enable/disable block notification. option - disable

notification

Option Description

enable Enable setting.

disable Disable setting.

custom-log- Custom fields to append to log messages for string Maximum

fields <field- this policy. length: 35
id> Custom log field.

replacemsg- Override the default replacement message string Not Specified

override-group group for this policy.

srcaddr-negate When enabled srcaddr specifies what the option - disable

source address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

enable Enable negated Internet Service source match.

disable Disable negated Internet Service source match.

vlan-filter Set VLAN filters. user Not Specified

sgt-check Enable/disable security group tags (SGT) option - disable

check.

Option Description

enable Enable SGT check.

disable Disable SGT check.

sgt <id> Security group tags. integer Minimum

Security group tag (1 - 65535). value: 1
Maximum
value: 65535

* This parameter may not exist in some models.

config firewall shaping-policy

Configure shaping policies.

config firewall shaping-policy
Description: Configure shaping policies.
edit <id>
set uuid {uuid}
set name {string}
set comment {var-string}
set status [enable|disable]
set ip-version [4|6]
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-name <name1>, <name2>, ...

FortiOS 7.2.1 CLI Reference 418

Fortinet Inc.
set internet-service-group <name1>, <name2>, ...
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-src [enable|disable]
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set service <name1>, <name2>, ...
set schedule {string}
set users <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set application <id1>, <id2>, ...
set app-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set url-category <id1>, <id2>, ...
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set per-ip-shaper {string}
set class-id {integer}
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
next
end

config firewall shaping-policy

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000

name Shaping policy name. string Not Specified

comment Comments. var-string Not Specified

status Enable/disable this traffic shaping policy. option - enable

Option Description

enable Enable traffic shaping policy.

disable Disable traffic shaping policy.

ip-version Apply this traffic shaping policy to IPv4 or IPv6 option - 4

traffic.

FortiOS 7.2.1 CLI Reference 419

Fortinet Inc.
Parameter Description Type Size Default

Option Description

4 Use IPv4 addressing for Configuration Method.

6 Use IPv6 addressing for Configuration Method.

srcaddr IPv4 source address and address group string Maximum

<name> names. length: 79
Address name.

dstaddr IPv4 destination address and address group string Maximum

<name> names. length: 79
Address name.

srcaddr6 IPv6 source address and address group string Maximum

<name> names. length: 79
Address name.

dstaddr6 IPv6 destination address and address group string Maximum

<name> names. length: 79
Address name.

internet-service Enable/disable use of Internet Services for this option - disable

policy. If enabled, destination address and
service are not used.

Option Description

enable Enable use of Internet Service in shaping-policy.

disable Disable use of Internet Service in shaping-policy.

internet- Internet Service ID. string Maximum

service-name Internet Service name. length: 79
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Custom Internet Service name. string Maximum

service-custom Custom Internet Service name. length: 79
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

FortiOS 7.2.1 CLI Reference 420

Fortinet Inc.
Parameter Description Type Size Default

internet- Enable/disable use of Internet Services in option - disable

service-src source for this policy. If enabled, source
address is not used.

Option Description

enable Enable use of Internet Service source in shaping-policy.

disable Disable use of Internet Service source in shaping-policy.

internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name <name>

internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group <name>

internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>

service Service and service group names. string Maximum

<name> Service name. length: 79

schedule Schedule name. string Not Specified

users <name> Apply this traffic shaping policy to individual string Maximum
users that have authenticated with the length: 79
FortiGate.
User name.

groups Apply this traffic shaping policy to user groups string Maximum
<name> that have authenticated with the FortiGate. length: 79
Group name.

application IDs of one or more applications that this shaper integer Minimum
<id> applies application control traffic shaping to. value: 0
Application IDs. Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 421

Fortinet Inc.
Parameter Description Type Size Default

app-category IDs of one or more application categories that integer Minimum

<id> this shaper applies application control traffic value: 0
shaping to. Maximum
Category IDs. value:
4294967295

app-group One or more application group names. string Maximum

<name> Application group name. length: 79

url-category IDs of one or more FortiGuard Web Filtering integer Minimum

<id> categories that this shaper applies traffic value: 0
shaping to. Maximum
URL category ID. value:
4294967295

srcintf <name> One or more incoming (ingress) interfaces. string Maximum

Interface name. length: 79

dstintf <name> One or more outgoing (egress) interfaces. string Maximum

Interface name. length: 79

tos ToS (Type of Service) value used for user Not Specified
comparison.

tos-mask Non-zero bit positions are used for comparison user Not Specified
while zero bit positions are ignored.

tos-negate Enable negated TOS match. option - disable

Option Description

enable Enable TOS match negate.

disable Disable TOS match negate.

traffic-shaper Traffic shaper to apply to traffic forwarded by string Not Specified

the firewall policy.

traffic-shaper- Traffic shaper to apply to response traffic string Not Specified

reverse received by the firewall policy.

per-ip-shaper Per-IP traffic shaper to apply with this policy. string Not Specified

class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

diffserv- Enable to change packet's DiffServ values to option - disable

forward the specified diffservcode-forward value.

FortiOS 7.2.1 CLI Reference 422

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting forward (original) traffic DiffServ.

disable Disable setting forward (original) traffic DiffServ.

diffserv- Enable to change packet's reverse (reply) option - disable

reverse DiffServ values to the specified diffservcode-
rev value.

Option Description

enable Enable setting reverse (reply) traffic DiffServ.

disable Disable setting reverse (reply) traffic DiffServ.

diffservcode- Change packet's DiffServ to this value. user Not Specified

forward

diffservcode- Change packet's reverse (reply) DiffServ to this user Not Specified
rev value.

config firewall shaping-profile

Configure shaping profiles.

config firewall shaping-profile
Description: Configure shaping profiles.
edit <profile-name>
set comment {var-string}
set type [policing|queuing]
set default-class-id {integer}
config shaping-entries
Description: Define shaping entries of this shaping profile.
edit <id>
set class-id {integer}
set priority [top|critical|...]
set guaranteed-bandwidth-percentage {integer}
set maximum-bandwidth-percentage {integer}
set limit {integer}
set burst-in-msec {integer}
set cburst-in-msec {integer}
set red-probability {integer}
set min {integer}
set max {integer}
next
end
next
end

FortiOS 7.2.1 CLI Reference 423

Fortinet Inc.
config firewall shaping-profile

Parameter Description Type Size Default

comment Comment. var-string Not Specified

type Select shaping profile type: policing / queuing. option - policing

Option Description

policing Enable policing mode.

queuing Enable queuing mode.

default-class- Default class ID to handle unclassified packets integer Minimum 0

id (including all local traffic). value: 0
Maximum
value:
4294967295

config shaping-entries

Parameter Description Type Size Default

class-id Class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

priority Priority. option - high

Option Description

top Top priority.

critical Critical priority.

high High priority.

medium Medium priority.

low Low priority.

guaranteed- Guaranteed bandwidth in percentage. integer Minimum 0

bandwidth- value: 0
percentage Maximum
value: 100

maximum- Maximum bandwidth in percentage. integer Minimum 1

bandwidth- value: 1
percentage Maximum
value: 100

FortiOS 7.2.1 CLI Reference 424

Fortinet Inc.
Parameter Description Type Size Default

limit Hard limit on the real queue size in packets. integer Minimum 1000
value: 5
Maximum
value: 10000

burst-in-msec Number of bytes that can be burst at maximum- integer Minimum 0

bandwidth speed. Formula: burst = maximum- value: 0
bandwidth*burst-in-msec. Maximum
value: 2000

cburst-in- Number of bytes that can be burst as fast as the integer Minimum 0
msec interface can transmit. Formula: cburst = maximum- value: 0
bandwidth*cburst-in-msec. Maximum
value: 2000

red-probability Maximum probability (in percentage) for RED integer Minimum 0

marking. value: 0
Maximum
value: 20

min Average queue size in packets at which RED drop integer Minimum 83
becomes a possibility. value: 3
Maximum
value: 3000

max Average queue size in packets at which RED drop integer Minimum 250
probability is maximal. value: 3
Maximum
value: 3000

config firewall local-in-policy

Configure user defined IPv4 local-in policies.

config firewall local-in-policy
Description: Configure user defined IPv4 local-in policies.
edit <policyid>
set uuid {uuid}
set ha-mgmt-intf-only [enable|disable]
set intf {string}
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set action [accept|deny]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set schedule {string}
set status [enable|disable]
set comments {var-string}
next
end

FortiOS 7.2.1 CLI Reference 425

Fortinet Inc.
config firewall local-in-policy

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

ha-mgmt-intf- Enable/disable dedicating the HA management option - disable

only interface only for local-in policy.

Option Description

enable Enable dedicating HA management interface only for local-in policy.

disable Disable dedicating HA management interface only for local-in policy.

intf Incoming interface name from available options. string Not

Specified

srcaddr Source address object from available options. string Maximum

<name> Address name. length: 79

srcaddr- When enabled srcaddr specifies what the source option - disable
negate address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

dstaddr Destination address object from available options. string Maximum

<name> Address name. length: 79

dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.

Option Description

enable Enable destination address negate.

disable Disable destination address negate.

action Action performed on traffic matching the policy . option - deny

Option Description

accept Allow traffic matching this policy.

deny Deny or block traffic matching this policy.

service Service object from available options. string Maximum

<name> Service name. length: 79

FortiOS 7.2.1 CLI Reference 426

Fortinet Inc.
Parameter Description Type Size Default

service- When enabled service specifies what the service option - disable
negate must NOT be.

Option Description

enable Enable negated service match.

disable Disable negated service match.

schedule Schedule object from available options. string Not

Specified

status Enable/disable this local-in policy. option - enable

Option Description

enable Enable this local-in policy.

disable Disable this local-in policy.

comments Comment. var-string Not

Specified

config firewall local-in-policy6

Configure user defined IPv6 local-in policies.

config firewall local-in-policy6
Description: Configure user defined IPv6 local-in policies.
edit <policyid>
set uuid {uuid}
set intf {string}
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set action [accept|deny]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set schedule {string}
set status [enable|disable]
set comments {var-string}
next
end

FortiOS 7.2.1 CLI Reference 427

Fortinet Inc.
config firewall local-in-policy6

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

intf Incoming interface name from available options. string Not

Specified

srcaddr Source address object from available options. string Maximum

<name> Address name. length: 79

srcaddr- When enabled srcaddr specifies what the source option - disable
negate address must NOT be.

Option Description

enable Enable source address negate.

disable Disable source address negate.

dstaddr Destination address object from available options. string Maximum

<name> Address name. length: 79

FortiOS 7.2.1 CLI Reference 428

Fortinet Inc.
Parameter Description Type Size Default

schedule Schedule object from available options. string Not

Specified

status Enable/disable this local-in policy. option - enable

Option Description

enable Enable this local-in policy.

disable Disable this local-in policy.

comments Comment. var-string Not

Specified

config firewall ttl-policy

Configure TTL policies.

config firewall ttl-policy
Description: Configure TTL policies.
edit <id>
set status [enable|disable]
set action [accept|deny]
set srcintf {string}
set srcaddr <name1>, <name2>, ...
set service <name1>, <name2>, ...
set schedule {string}
set ttl {user}
next
end

config firewall ttl-policy

Parameter Description Type Size Default

status Enable/disable this TTL policy. option - enable

Option Description

enable Enable this TTL policy.

disable Disable this TTL policy.

action Action to be performed on traffic matching this policy . option - deny

Option Description

accept Allow traffic matching this policy.

deny Deny or block traffic matching this policy.

FortiOS 7.2.1 CLI Reference 429

Fortinet Inc.
Parameter Description Type Size Default

srcintf Source interface name from available interfaces. string Not

Specified

srcaddr Source address object(s) from available options. string Maximum

<name> Separate multiple names with a space. length: 79
Address name.

service Service object(s) from available options. Separate string Maximum

<name> multiple names with a space. length: 79
Service name.

schedule Schedule object from available options. string Not

Specified

ttl Value/range to match against the packet's Time to Live user Not
value . Specified

config firewall proxy-policy

Configure proxy policies.

config firewall proxy-policy
Description: Configure proxy policies.
edit <policyid>
set uuid {uuid}
set name {string}
set proxy [explicit-web|transparent-web|...]
set access-proxy <name1>, <name2>, ...
set access-proxy6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set poolname <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set ztna-ems-tag <name1>, <name2>, ...
set ztna-tags-match-logic [or|and]
set device-ownership [enable|disable]
set internet-service [enable|disable]
set internet-service-negate [enable|disable]
set internet-service-name <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set service <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set dstaddr-negate [enable|disable]
set service-negate [enable|disable]
set action [accept|deny|...]
set status [enable|disable]
set schedule {string}
set logtraffic [all|utm|...]
set session-ttl {integer}
set srcaddr6 <name1>, <name2>, ...

FortiOS 7.2.1 CLI Reference 430

Fortinet Inc.
set dstaddr6 <name1>, <name2>, ...
set groups <name1>, <name2>, ...
set users <name1>, <name2>, ...
set http-tunnel-auth [enable|disable]
set ssh-policy-redirect [enable|disable]
set webproxy-forward-server {string}
set webproxy-profile {string}
set transparent [enable|disable]
set disclaimer [disable|domain|...]
set utm-status [enable|disable]
set profile-type [single|group]
set profile-group {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set av-profile {string}
set webfilter-profile {string}
set emailfilter-profile {string}
set dlp-profile {string}
set file-filter-profile {string}
set ips-sensor {string}
set application-list {string}
set icap-profile {string}
set videofilter-profile {string}
set waf-profile {string}
set ssh-filter-profile {string}
set replacemsg-override-group {string}
set logtraffic-start [enable|disable]
set comments {var-string}
set block-notification [enable|disable]
set redirect-url {var-string}
set decrypted-traffic-mirror {string}
next
end

config firewall proxy-policy

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

name Policy name. string Not

Specified

proxy Type of explicit proxy. option -

Option Description

explicit-web Explicit Web Proxy

transparent-web Transparent Web Proxy

ftp Explicit FTP Proxy

FortiOS 7.2.1 CLI Reference 431

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH Proxy

ssh-tunnel SSH Tunnel

access-proxy Access Proxy

access-proxy IPv4 access proxy. string Maximum

<name> Access Proxy name. length: 79

access-proxy6 IPv6 access proxy. string Maximum

<name> Access proxy name. length: 79

srcintf <name> Source interface names. string Maximum

Interface name. length: 79

dstintf <name> Destination interface names. string Maximum

Interface name. length: 79

srcaddr Source address objects. string Maximum

<name> Address name. length: 79

poolname Name of IP pool object. string Maximum

<name> IP pool name. length: 79

dstaddr Destination address objects. string Maximum

<name> Address name. length: 79

ztna-ems-tag ZTNA EMS Tag names. string Maximum

<name> EMS Tag name. length: 79

ztna-tags- ZTNA tag matching logic. option - or

match-logic

Option Description

or Match ZTNA tags using a logical OR operator.

and Match ZTNA tags using a logical AND operator.

device- When enabled, the ownership enforcement will be option - disable

ownership done at policy level.

Option Description

enable Enable device ownership.

disable Disable device ownership.

FortiOS 7.2.1 CLI Reference 432

Fortinet Inc.
Parameter Description Type Size Default

internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address and service
are not used.

Option Description

enable Enable use of Internet Services in policy.

disable Disable use of Internet Services in policy.

internet- When enabled, Internet Services match against option - disable

service-negate any internet service EXCEPT the selected Internet
Service.

Option Description

enable Enable negated Internet Service match.

disable Disable negated Internet Service match.

internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>

internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>

internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>

internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>

service Name of service objects. string Maximum

<name> Service name. length: 79

srcaddr- When enabled, source addresses match against option - disable

negate any address EXCEPT the specified source
addresses.

Option Description

enable Enable source address negate.

disable Disable destination address negate.

accept Action accept.

deny Action deny.

redirect Action redirect.

status Enable/disable the active status of the policy. option - enable

Option Description

enable Enable setting.

disable Disable setting.

schedule Name of schedule object. string Not

Specified

logtraffic Enable/disable logging traffic through the policy. option - utm

Option Description

all Log all sessions.

utm UTM event and matched application traffic log.

disable Disable traffic and application log.

FortiOS 7.2.1 CLI Reference 434

Fortinet Inc.
Parameter Description Type Size Default

session-ttl TTL in seconds for sessions accepted by this integer Minimum 0

policy . value: 300
Maximum
value:
2764800

srcaddr6 IPv6 source address objects. string Maximum

<name> Address name. length: 79

dstaddr6 IPv6 destination address objects. string Maximum

<name> Address name. length: 79

groups Names of group objects. string Maximum

<name> Group name. length: 79

users <name> Names of user objects. string Maximum

Group name. length: 79

http-tunnel- Enable/disable HTTP tunnel authentication. option - disable

auth

Option Description

enable Enable setting.

disable Disable setting.

ssh-policy- Redirect SSH traffic to matching transparent proxy option - disable

redirect policy.

Option Description

enable Enable SSH policy redirect.

disable Disable SSH policy redirect.

webproxy- Web proxy forward server name. string Not

forward-server Specified

webproxy- Name of web proxy profile. string Not

profile Specified

transparent Enable to use the IP address of the client to option - disable

connect to the server.

Option Description

enable Enable use of IP address of client to connect to server.

disable Disable use of IP address of client to connect to server.

FortiOS 7.2.1 CLI Reference 435

Fortinet Inc.
Parameter Description Type Size Default

disclaimer Web proxy disclaimer setting: by domain, policy, option - disable

or user.

Option Description

disable Disable disclaimer.

domain Display disclaimer for domain

policy Display disclaimer for policy

user Display disclaimer for current user

utm-status Enable the use of UTM profiles/sensors/lists. option - disable

Option Description

enable Enable setting.

disable Disable setting.

profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.

override-group group. Specified

logtraffic-start Enable/disable policy log traffic start. option - disable

Option Description

enable Enable setting.

disable Disable setting.

comments Optional comments. var-string Not

Specified

block- Enable/disable block notification. option - disable

notification

Option Description

enable Enable setting.

disable Disable setting.

redirect-url Redirect URL for further explicit web proxy var-string Not
processing. Specified

decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified

FortiOS 7.2.1 CLI Reference 437

Fortinet Inc.
config firewall dnstranslation

Configure DNS translation.

config firewall dnstranslation
Description: Configure DNS translation.
edit <id>
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
next
end

config firewall dnstranslation

Parameter Description Type Size Default

netmask If src and dst are subnets rather than single IP ipv4- Not 255.255.255.255
addresses, enter the netmask for both src and netmask Specified
dst.

config firewall multicast-policy

Configure multicast NAT policies.

config firewall multicast-policy
Description: Configure multicast NAT policies.
edit <id>
set uuid {uuid}
set name {string}
set comments {var-string}
set status [enable|disable]
set logtraffic [enable|disable]
set srcintf {string}
set dstintf {string}
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set snat [enable|disable]
set snat-ip {ipv4-address}
set dnat {ipv4-address-any}
set action [accept|deny]

FortiOS 7.2.1 CLI Reference 438

Fortinet Inc.
set protocol {integer}
set start-port {integer}
set end-port {integer}
set auto-asic-offload [enable|disable]
set traffic-shaper {string}
next
end

config firewall multicast-policy

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

name Policy name. string Not

Specified

comments Comment. var-string Not

Specified

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

logtraffic Enable/disable logging traffic accepted by this option - disable

policy.

Option Description

enable Enable logging traffic accepted by this policy.

disable Disable logging traffic accepted by this policy.

srcintf Source interface name. string Not

Specified

dstintf Destination interface name. string Not

Specified

srcaddr Source address objects. string Maximum

<name> Source address objects. length: 79

dstaddr Destination address objects. string Maximum

<name> Destination address objects. length: 79

snat Enable/disable substitution of the outgoing option - disable

interface IP address for the original source IP
address (called source NAT or SNAT).

FortiOS 7.2.1 CLI Reference 439

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable source NAT.

disable Disable source NAT.

snat-ip IPv4 address to be used as the source address for ipv4- Not 0.0.0.0
NATed traffic. address Specified

dnat IPv4 DNAT address used for multicast destination ipv4- Not 0.0.0.0
addresses. address- Specified
any

action Accept or deny traffic matching the policy. option - accept

Option Description

accept Accept traffic matching the policy.

deny Deny or block traffic matching the policy.

protocol Integer value for the protocol type as defined by integer Minimum 0
IANA . value: 0
Maximum
value: 255

start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

destination port in range . value: 0
Maximum
value:
65535

end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range . value: 0
Maximum
value:
65535

auto-asic- Enable/disable offloading policy traffic for option - enable

offload hardware acceleration.

Option Description

enable Enable hardware acceleration offloading.

disable Disable offloading for hardware acceleration.

traffic-shaper Traffic shaper to apply to traffic forwarded by the string Not

multicast policy. Specified

config firewall multicast-policy6

Configure IPv6 multicast NAT policies.

FortiOS 7.2.1 CLI Reference 440

Fortinet Inc.
config firewall multicast-policy6
Description: Configure IPv6 multicast NAT policies.
edit <id>
set uuid {uuid}
set status [enable|disable]
set name {string}
set logtraffic [enable|disable]
set srcintf {string}
set dstintf {string}
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set action [accept|deny]
set protocol {integer}
set start-port {integer}
set end-port {integer}
set auto-asic-offload [enable|disable]
set comments {var-string}
next
end

config firewall multicast-policy6

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

name Policy name. string Not

Specified

logtraffic Enable/disable logging traffic accepted by this option - disable

policy.

Option Description

enable Enable logging traffic accepted by this policy.

disable Disable logging traffic accepted by this policy.

srcintf IPv6 source interface name. string Not

Specified

dstintf IPv6 destination interface name. string Not

Specified

FortiOS 7.2.1 CLI Reference 441

Fortinet Inc.
Parameter Description Type Size Default

srcaddr IPv6 source address name. string Maximum

<name> Address name. length: 79

dstaddr IPv6 destination address name. string Maximum

<name> Address name. length: 79

action Accept or deny traffic matching the policy. option - accept

Option Description

accept Accept.

deny Deny.

protocol Integer value for the protocol type as defined by integer Minimum 0
IANA . value: 0
Maximum
value: 255

start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

destination port in range . value: 0
Maximum
value:
65535

end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range . value: 0
Maximum
value:
65535

auto-asic- Enable/disable offloading policy traffic for option - enable

offload hardware acceleration.

Option Description

enable Enable offloading policy traffic for hardware acceleration.

disable Disable offloading policy traffic for hardware acceleration.

comments Comment. var-string Not

Specified

config firewall interface-policy

Configure IPv4 interface policies.

config firewall interface-policy
Description: Configure IPv4 interface policies.
edit <policyid>
set status [enable|disable]
set comments {var-string}
set logtraffic [all|utm|...]

FortiOS 7.2.1 CLI Reference 442

Fortinet Inc.
set interface {string}
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set service <name1>, <name2>, ...
set application-list-status [enable|disable]
set application-list {string}
set ips-sensor-status [enable|disable]
set ips-sensor {string}
set dsri [enable|disable]
set av-profile-status [enable|disable]
set av-profile {string}
set webfilter-profile-status [enable|disable]
set webfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set emailfilter-profile {string}
set dlp-profile-status [enable|disable]
set dlp-profile {string}
next
end

config firewall interface-policy

Parameter Description Type Size Default

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

comments Comments. var-string Not

Specified

logtraffic Logging type to be used in this policy (Options: all | utm | option - utm
disable, Default: utm).

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

interface Monitored interface name from available interfaces. string Not

Specified

srcaddr Address object to limit traffic monitoring to network string Maximum

<name> traffic sent from the specified address or range. length: 79
Address name.

dstaddr Address object to limit traffic monitoring to network string Maximum

<name> traffic sent to the specified address or range. length: 79

FortiOS 7.2.1 CLI Reference 443

Fortinet Inc.
Parameter Description Type Size Default

Address name.

status

Option Description

enable Enable antivirus

disable Disable antivirus

enable Enable setting.

disable Disable setting.

dlp-profile DLP profile name. string Not

Specified

config firewall interface-policy6

Configure IPv6 interface policies.

config firewall interface-policy6
Description: Configure IPv6 interface policies.
edit <policyid>
set status [enable|disable]
set comments {var-string}
set logtraffic [all|utm|...]
set interface {string}
set srcaddr6 <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set service6 <name1>, <name2>, ...
set application-list-status [enable|disable]
set application-list {string}
set ips-sensor-status [enable|disable]
set ips-sensor {string}
set dsri [enable|disable]
set av-profile-status [enable|disable]
set av-profile {string}

FortiOS 7.2.1 CLI Reference 445

Fortinet Inc.
set webfilter-profile-status [enable|disable]
set webfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set emailfilter-profile {string}
set dlp-profile-status [enable|disable]
set dlp-profile {string}
next
end

config firewall interface-policy6

Parameter Description Type Size Default

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

comments Comments. var-string Not

Specified

logtraffic Logging type to be used in this policy (Options: all | utm | option - utm
disable, Default: utm).

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

interface Monitored interface name from available interfaces. string Not

Specified

srcaddr6 IPv6 address object to limit traffic monitoring to network string Maximum
<name> traffic sent from the specified address or range. length: 79
Address name.

dstaddr6 IPv6 address object to limit traffic monitoring to network string Maximum
<name> traffic sent to the specified address or range. length: 79
Address name.

service6 Service name. string Maximum

<name> Address name. length: 79

application- Enable/disable application control. option - disable

list-status

FortiOS 7.2.1 CLI Reference 446

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable application control

disable Disable application control

application- Application list name. string Not

list Specified

ips-sensor- Enable/disable IPS. option - disable

status

Option Description

enable Enable IPS.

disable Disable IPS.

ips-sensor IPS sensor name. string Not

Specified

dsri Enable/disable DSRI. option - disable

Option Description

enable Enable DSRI.

disable Disable DSRI.

av-profile- Enable/disable antivirus. option - disable

status

Option Description

enable Enable antivirus

disable Disable antivirus

av-profile Antivirus profile. string Not

Specified

webfilter- Enable/disable web filtering. option - disable

profile-status

Option Description

enable Enable web filtering.

disable Disable web filtering.

webfilter- Web filter profile. string Not

profile Specified

FortiOS 7.2.1 CLI Reference 447

Fortinet Inc.
Parameter Description Type Size Default

emailfilter- Enable/disable email filter. option - disable

profile-status

Option Description

enable Enable Email filter.

disable Disable Email filter.

emailfilter- Email filter profile. string Not

profile Specified

dlp-profile- Enable/disable DLP. option - disable

status

Option Description

enable Enable setting.

disable Disable setting.

dlp-profile DLP profile name. string Not

Specified

config firewall DoS-policy

Configure IPv4 DoS policies.

config firewall DoS-policy
Description: Configure IPv4 DoS policies.
edit <policyid>
set status [enable|disable]
set name {string}
set comments {var-string}
set interface {string}
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set service <name1>, <name2>, ...
config anomaly
Description: Anomaly name.
edit <name>
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
next
end

FortiOS 7.2.1 CLI Reference 448

Fortinet Inc.
config firewall DoS-policy

Parameter Description Type Size Default

status Enable/disable this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

config anomaly

Parameter Description Type Size Default

status Enable/disable this anomaly. option - disable

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine. . Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

<name> Address name. length: 79

dstaddr Destination address name from available addresses. string Maximum

<name> Address name. length: 79

service Service object from available options. string Maximum

<name> Service name. length: 79

config anomaly

Parameter Description Type Size Default

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine. . Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647

threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 452

Fortinet Inc.
config firewall sniffer

Configure sniffer.
config firewall sniffer
Description: Configure sniffer.
edit <id>
set status [enable|disable]
set logtraffic [all|utm|...]
set ipv6 [enable|disable]
set non-ip [enable|disable]
set interface {string}
set host {string}
set port {string}
set protocol {string}
set vlan {string}
set application-list-status [enable|disable]
set application-list {string}
set ips-sensor-status [enable|disable]
set ips-sensor {string}
set dsri [enable|disable]
set av-profile-status [enable|disable]
set av-profile {string}
set webfilter-profile-status [enable|disable]
set webfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set emailfilter-profile {string}
set dlp-profile-status [enable|disable]
set dlp-profile {string}
set ip-threatfeed-status [enable|disable]
set ip-threatfeed <name1>, <name2>, ...
set file-filter-profile-status [enable|disable]
set file-filter-profile {string}
set ips-dos-status [enable|disable]
config anomaly
Description: Configuration method to edit Denial of Service (DoS) anomaly settings.
edit <name>
set status [disable|enable]
set log [enable|disable]
set action [pass|block]
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
set threshold {integer}
set threshold(default) {integer}
next
end
next
end

FortiOS 7.2.1 CLI Reference 453

Fortinet Inc.
config firewall sniffer

Parameter Description Type Size Default

status Enable/disable the active status of the sniffer. option - enable

Option Description

enable Enable sniffer status.

disable Disable sniffer status.

logtraffic Either log all sessions, only sessions that have a option - utm
security profile applied, or disable all logging for this
policy.

Option Description

all Log all sessions accepted or denied by this policy.

utm Log traffic that has a security profile applied to it.

disable Disable all logging for this policy.

ipv6 Enable/disable sniffing IPv6 packets. option - disable

Option Description

enable Enable sniffer for IPv6 packets.

disable Disable sniffer for IPv6 packets.

non-ip Enable/disable sniffing non-IP packets. option - disable

Option Description

enable Enable sniffer for non-IP packets.

enable Enable setting.

disable Disable setting.

ips-sensor Name of an existing IPS sensor. string Not

Specified

dsri Enable/disable DSRI. option - disable

Option Description

enable Enable DSRI.

disable Disable DSRI.

av-profile- Enable/disable antivirus profile. option - disable

status

Option Description

enable Enable setting.

disable Disable setting.

av-profile Name of an existing antivirus profile. string Not

Specified

webfilter- Enable/disable web filter profile. option - disable

profile-status

Option Description

enable Enable setting.

disable Disable setting.

Option Description

pass Allow traffic but record a log message if logging is enabled.

block Block traffic if this anomaly is found.

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine. . Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

Option Description

disable Disable quarantine logging.

FortiOS 7.2.1 CLI Reference 457

Fortinet Inc.
Parameter Description Type Size Default

Option Description

This command is available for reference model(s) FortiGate 140E-POE, FortiGate 601E,
FortiGate 2201E. It is not available for FortiWiFi 61F, FortiGate VM64.

Configure IPv6 access control list.

config firewall acl6
Description: Configure IPv6 access control list.
edit <policyid>
set status [enable|disable]
set name {string}
set comments {var-string}
set interface {string}
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set service <name1>, <name2>, ...
next
end

config firewall acl6

Parameter Description Type Size Default

status Enable/disable access control list status. option - enable

FortiOS 7.2.1 CLI Reference 459

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable access control list status.

disable Disable access control list status.

config firewall central-snat-map

Configure IPv4 and IPv6 central SNAT policies.

config firewall central-snat-map
Description: Configure IPv4 and IPv6 central SNAT policies.
edit <policyid>
set uuid {uuid}
set status [enable|disable]
set type [ipv4|ipv6]
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set orig-addr <name1>, <name2>, ...
set orig-addr6 <name1>, <name2>, ...
set dst-addr <name1>, <name2>, ...
set dst-addr6 <name1>, <name2>, ...
set protocol {integer}
set orig-port {user}
set nat [disable|enable]
set nat46 [enable|disable]
set nat64 [enable|disable]
set nat-ippool <name1>, <name2>, ...
set nat-ippool6 <name1>, <name2>, ...
set nat-port {user}
set comments {var-string}
next
end

FortiOS 7.2.1 CLI Reference 460

Fortinet Inc.
config firewall central-snat-map

Parameter Description Type Size Default

uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000

status Enable/disable the active status of this policy. option - enable

Option Description

enable Enable this policy.

disable Disable this policy.

type IPv4/IPv6 source NAT. option - ipv4

Option Description

ipv4 Perform IPv4 source NAT.

ipv6 Perform IPv6 source NAT.

srcintf Source interface name from available interfaces. string Maximum

<name> Interface name. length: 79

dstintf Destination interface name from available string Maximum

<name> interfaces. length: 79
Interface name.

orig-addr IPv4 Original address. string Maximum

<name> Address name. length: 79

orig-addr6 IPv6 Original address. string Maximum

<name> Address name. length: 79

dst-addr IPv4 Destination address. string Maximum

<name> Address name. length: 79

dst-addr6 IPv6 Destination address. string Maximum

<name> Address name. length: 79

protocol Integer value for the protocol type . integer Minimum 0

value: 0
Maximum
value: 255

orig-port Original TCP port (1 to 65535, 0 means any port). user Not
Specified

nat Enable/disable source NAT. option - enable

FortiOS 7.2.1 CLI Reference 461

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable source NAT.

enable Enable source NAT.

nat46 Enable/disable NAT46. option - disable

Option Description

enable Enable NAT46.

disable Disable NAT46.

nat64 Enable/disable NAT64. option - disable

Option Description

enable Enable NAT64.

disable Disable NAT64.

nat-ippool Name of the IP pools to be used to translate string Maximum

<name> addresses from available IP Pools. length: 79
IP pool name.

nat-ippool6 IPv6 pools to be used for source NAT. string Maximum

<name> IPv6 pool name. length: 79

nat-port Translated port or port range (1 to 65535, 0 means user Not

any port). Specified

comments Comment. var-string Not

Specified

config firewall ssl setting

SSL proxy settings.

config firewall ssl setting
Description: SSL proxy settings.
set proxy-connect-timeout {integer}
set ssl-dh-bits [768|1024|...]
set ssl-send-empty-frags [enable|disable]
set no-matching-cipher-action [bypass|drop]
set cert-cache-capacity {integer}
set cert-cache-timeout {integer}
set session-cache-capacity {integer}
set session-cache-timeout {integer}
set kxp-queue-threshold {integer}
set ssl-queue-threshold {integer}
set abbreviate-handshake [enable|disable]
end

FortiOS 7.2.1 CLI Reference 462

Fortinet Inc.
config firewall ssl setting

Parameter Description Type Size Default

proxy- Time limit to make an internal connection to the integer Minimum 30

connect- appropriate proxy process . value: 1
timeout Maximum
value: 60

ssl-dh-bits Bit-size of Diffie-Hellman . option - 2048

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

ssl-send- Enable/disable sending empty fragments to avoid attack option - enable

empty-frags on CBC IV (for SSL 3.0 and TLS 1.0 only).

Option Description

enable Send empty fragments.

disable Do not send empty fragments.

no-matching- Bypass or drop the connection when no matching cipher option - bypass
cipher-action is found.

Option Description

bypass Bypass connection.

drop Drop connection.

cert-cache- Maximum capacity of the host certificate cache . integer Minimum 200
capacity value: 0
Maximum
value: 500

cert-cache- Time limit to keep certificate cache . integer Minimum 10

timeout value: 1
Maximum
value: 120

session- Capacity of the SSL session cache . integer Minimum 500

cache- value: 0
capacity Maximum
value: 1000

FortiOS 7.2.1 CLI Reference 463

Fortinet Inc.
Parameter Description Type Size Default

session- Time limit to keep SSL session state . integer Minimum 20

cache-timeout value: 1
Maximum
value: 60

kxp-queue- Maximum length of the CP KXP queue. When the integer Minimum 16
threshold * queue becomes full, the proxy switches cipher functions value: 0
to the main CPU . Maximum
value: 512

ssl-queue- Maximum length of the CP SSL queue. When the queue integer Minimum 32
threshold * becomes full, the proxy switches cipher functions to the value: 0
main CPU . Maximum
value: 512

abbreviate- Enable/disable use of SSL abbreviated handshake. option - enable

handshake

Option Description

enable Enable use of SSL abbreviated handshake.

disable Disable use of SSL abbreviated handshake.

* This parameter may not exist in some models.

config firewall ip-translation

Configure firewall IP-translation.

config firewall ip-translation
Description: Configure firewall IP-translation.
edit <transid>
set type {option}
set startip {ipv4-address-any}
set endip {ipv4-address-any}
set map-startip {ipv4-address-any}
next
end

config firewall ip-translation

Parameter Description Type Size Default

type IP translation type (option: SCTP). option - SCTP

Option Description

SCTP SCTP

FortiOS 7.2.1 CLI Reference 464

Fortinet Inc.
Parameter Description Type Size Default

startip First IPv4 address . ipv4- Not 0.0.0.0

address- Specified
any

endip Final IPv4 address . ipv4- Not 0.0.0.0

address- Specified
any

map-startip Address to be used as the starting point for translation in ipv4- Not 0.0.0.0
the range . address- Specified
any

config firewall ipv6-eh-filter

Configure IPv6 extension header filter.

config firewall ipv6-eh-filter
Description: Configure IPv6 extension header filter.
set hop-opt [enable|disable]
set dest-opt [enable|disable]
set hdopt-type {integer}
set routing [enable|disable]
set routing-type {integer}
set fragment [enable|disable]
set auth [enable|disable]
set no-next [enable|disable]
end

config firewall ipv6-eh-filter

Parameter Description Type Size Default

hop-opt Enable/disable blocking packets with the Hop-by-Hop option - disable

Options header .

Option Description

enable Enable blocking packets with the Hop-by-Hop Options header.

disable Disable blocking packets with the Hop-by-Hop Options header.

dest-opt Enable/disable blocking packets with Destination option - disable

Options headers .

Option Description

enable Enable blocking packets with Destination Options headers.

disable Disable blocking packets with Destination Options headers.

FortiOS 7.2.1 CLI Reference 465

Fortinet Inc.
Parameter Description Type Size Default

hdopt-type Block specific Hop-by-Hop and/or Destination Option integer Minimum

types (max. 7 types, each between 0 and 255). value: 0
Maximum
value: 255

routing Enable/disable blocking packets with Routing headers . option - enable

Option Description

enable Block packets with Routing headers.

disable Allow packets with Routing headers.

enable Block packets with the No Next header.

disable Allow packets with the No Next header.

config firewall global

Global firewall settings.

config firewall global
Description: Global firewall settings.
set banned-ip-persistency [disabled|permanent-only|...]
end

FortiOS 7.2.1 CLI Reference 466

Fortinet Inc.
config firewall global

Parameter Description Type Size Default

banned-ip- Persistency of banned IPs across power cycling. option - disabled

persistency

Option Description

disabled No entries are kept across power cycling.

permanent-only Only permanent IP bans are kept across power cycling.

all All IP bans are kept across power cycling.

config firewall iprope list

List.
config firewall iprope list
Description: List.
set <group_number> {string}
end

config firewall iprope list

Parameter Description Type Size Default

<group_ Number, hexadecimal. string Maximum

number> length: 1

config firewall iprope appctrl list

List application control policies.

config firewall iprope appctrl list
Description: List application control policies.
end

config firewall iprope appctrl status

Application control policy status.

config firewall iprope appctrl status
Description: Application control policy status.
end

FortiOS 7.2.1 CLI Reference 467

Fortinet Inc.
config firewall proute

List policy routing.

config firewall proute
Description: List policy routing.
set <policy route id> {string}
end

config firewall proute

Parameter Description Type Size Default

<policy route id> Number. string Maximum

length: 1

config firewall proute6

List IPv6 policy routing.

config firewall proute6
Description: List IPv6 policy routing.
end

FortiOS 7.2.1 CLI Reference 468

Fortinet Inc.
ftp-proxy

This section includes syntax for the following commands:

l config ftp-proxy explicit on page 469

config ftp-proxy explicit

Configure explicit FTP proxy settings.

config ftp-proxy explicit
Description: Configure explicit FTP proxy settings.
set status [enable|disable]
set incoming-port {user}
set incoming-ip {ipv4-address-any}
set outgoing-ip {ipv4-address-any}
set sec-default-action [accept|deny]
set ssl [enable|disable]
set ssl-cert {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
end

config ftp-proxy explicit

Parameter Description Type Size Default

status Enable/disable the explicit FTP proxy. option - disable

Option Description

enable Enable the explicit FTP proxy.

disable Disable the explicit FTP proxy.

incoming-port Accept incoming FTP requests on one or more ports. user Not
Specified

incoming-ip Accept incoming FTP requests from this IP address. An ipv4- Not 0.0.0.0
interface must have this IP address. address- Specified
any

outgoing-ip Outgoing FTP requests will leave from this IP address. ipv4- Not
An interface must have this IP address. address- Specified
any

sec-default- Accept or deny explicit FTP proxy sessions when no option - deny
action FTP proxy firewall policy exists.

FortiOS 7.2.1 CLI Reference 469

Fortinet Inc.
Parameter Description Type Size Default

Option Description

accept Accept requests. All explicit FTP proxy traffic is accepted whether there is an
explicit FTP proxy policy or not

deny Deny requests unless there is a matching explicit FTP proxy policy.

ssl Enable/disable the explicit FTPS proxy. option - disable

Option Description

enable Enable the explicit FTPS proxy.

disable Disable the explicit FTPS proxy.

ssl-cert Name of certificate for SSL connections to this server . string Not Fortinet_
Specified CA_SSL

ssl-dh-bits Bit-size of Diffie-Hellman . option - 2048

Option Description

768 768-bit Diffie-Hellman prime.

1024 1024-bit Diffie-Hellman prime.

1536 1536-bit Diffie-Hellman prime.

2048 2048-bit Diffie-Hellman prime.

ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.

Option Description

high High encryption. Allow only AES and ChaCha

medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

FortiOS 7.2.1 CLI Reference 470

Fortinet Inc.
hardware

This section includes syntax for the following commands:

l config hardware memory on page 471
l config hardware cpu on page 471
l config hardware status on page 471
l config hardware nic on page 471

config hardware status

Hardware status.
config hardware status
Description: Hardware status.
end

config hardware cpu

Display detailed information for all installed CPU(s).

config hardware cpu
Description: Display detailed information for all installed CPU(s).
end

config hardware memory

Display system memory information.

config hardware memory
Description: Display system memory information.
end

config hardware nic

Display NIC information.

config hardware nic
Description: Display NIC information.
set <nic> {string}
end

FortiOS 7.2.1 CLI Reference 471

Fortinet Inc.
config hardware nic

Parameter Description Type Size Default

<nic> NIC name. string Maximum

length: 1

FortiOS 7.2.1 CLI Reference 472

Fortinet Inc.
icap

This section includes syntax for the following commands:

l config icap server-group on page 474
l config icap server on page 473
l config icap profile on page 475

config icap server

Configure ICAP servers.

config icap server
Description: Configure ICAP servers.
edit <name>
set addr-type [ip4|ip6|...]
set ip-address {ipv4-address-any}
set ip6-address {ipv6-address}
set fqdn {string}
set port {integer}
set max-connections {integer}
set secure [disable|enable]
set ssl-cert {string}
set healthcheck [disable|enable]
set healthcheck-service {string}
next
end

config icap server

Parameter Description Type Size Default

addr-type Address type of the remote ICAP server: IPv4, IPv6 option - ip4
or FQDN.

Option Description

ip4 Use an IPv4 address for the remote ICAP server.

ip6 Use an IPv6 address for the remote ICAP server.

fqdn Use the FQDN for the forwarding proxy server.

ip-address IPv4 address of the ICAP server. ipv4- Not Specified 0.0.0.0
address-
any

FortiOS 7.2.1 CLI Reference 473

Fortinet Inc.
Parameter Description Type Size Default

ip6-address IPv6 address of the ICAP server. ipv6- Not Specified ::

address

fqdn ICAP remote server Fully Qualified Domain Name string Not Specified
(FQDN).

port ICAP server port. integer Minimum 1344

value: 1
Maximum
value: 65535

max- Maximum number of concurrent connections to integer Minimum 100

connections ICAP server . Must not be less than wad-worker- value: 0
count. Maximum
value:
4294967295

secure Enable/disable secure connection to ICAP server. option - disable

Option Description

disable Disable connection to secure ICAP server.

enable Enable connection to secure ICAP server.

ssl-cert CA certificate name. string Not Specified

healthcheck Enable/disable ICAP remote server health checking. option - disable

Attempts to connect to the remote ICAP server to
verify that the server is operating normally.

Option Description

disable Disable health checking.

enable Enable health checking.

healthcheck- ICAP Service name to use for health checks. string Not Specified
service

config icap server-group

Configure an ICAP server group consisting of multiple forward servers. Supports failover and load balancing.
config icap server-group
Description: Configure an ICAP server group consisting of multiple forward servers.
Supports failover and load balancing.
edit <name>
set ldb-method [weighted|least-session|...]
config server-list
Description: Add ICAP servers to a list to form a server group. Optionally assign
weights to each server.
edit <name>
set weight {integer}

FortiOS 7.2.1 CLI Reference 474

Fortinet Inc.
next
end
next
end

config icap server-group

Parameter Description Type Size Default

ldb-method Load balance method. option - weighted

Option Description

weighted Load balance traffic to forward servers based on assigned weights.

least-session Send new sessions to the server with lowest session count.

active-passive Send new sessions to active server with high weight.

config server-list

Parameter Description Type Size Default

weight Optionally assign a weight of the ICAP server for integer Minimum 10
weighted load balancing value: 1
Maximum
value: 100

config icap profile

Configure ICAP profiles.

config icap profile
Description: Configure ICAP profiles.
edit <name>
set replacemsg-group {string}
set request [disable|enable]
set response [disable|enable]
set file-transfer {option1}, {option2}, ...
set streaming-content-bypass [disable|enable]
set 204-size-limit {integer}
set 204-response [disable|enable]
set preview [disable|enable]
set preview-data-length {integer}
set request-server {string}
set response-server {string}
set file-transfer-server {string}
set request-failure [error|bypass]
set response-failure [error|bypass]
set file-transfer-failure [error|bypass]
set request-path {string}
set response-path {string}
set file-transfer-path {string}

FortiOS 7.2.1 CLI Reference 475

Fortinet Inc.
set methods {option1}, {option2}, ...
set response-req-hdr [disable|enable]
set respmod-default-action [forward|bypass]
set icap-block-log [disable|enable]
set chunk-encap [disable|enable]
set extension-feature {option1}, {option2}, ...
set scan-progress-interval {integer}
set timeout {integer}
config icap-headers
Description: Configure ICAP forwarded request headers.
edit <id>
set name {string}
set content {string}
set base64-encoding [disable|enable]
next
end
config respmod-forward-rules
Description: ICAP response mode forward rules.
edit <name>
set host {string}
config header-group
Description: HTTP header group.
edit <id>
set header-name {string}
set header {string}
set case-sensitivity [disable|enable]
next
end
set action [forward|bypass]
set http-resp-status-code <code1>, <code2>, ...
next
end
next
end

config icap profile

Parameter Description Type Size Default

replacemsg- Replacement message group. string Not

group Specified

request Enable/disable whether an HTTP request is passed to option - disable

an ICAP server.

Option Description

disable Disable HTTP request passing to ICAP server.

enable Enable HTTP request passing to ICAP server.

disable Disable bypassing of ICAP server for streaming content.

enable Enable bypassing of ICAP server for streaming content.

204-size-limit 204 response size limit to be saved by ICAP client in integer Minimum 1
megabytes . value: 1
Maximum
value: 10

204-response Enable/disable allowance of 204 response from ICAP option - disable

server.

Option Description

disable Disable allowance of 204 response from ICAP server.

enable Enable allowance of 204 response from ICAP server.

preview Enable/disable preview of data to ICAP server. option - disable

Option Description

disable Disable preview of data to ICAP server.

enable Enable preview of data to ICAP server.

preview-data- Preview data length to be sent to ICAP server. integer Minimum 0

length value: 0
Maximum
value: 4096

FortiOS 7.2.1 CLI Reference 477

Fortinet Inc.
Parameter Description Type Size Default

request-server ICAP server to use for an HTTP request. string Not

Specified

response- ICAP server to use for an HTTP response. string Not

server Specified

file-transfer- ICAP server to use for a file transfer. string Not

server Specified

request-failure Action to take if the ICAP server cannot be contacted option - error
when processing an HTTP request.

Option Description

error Error.

bypass Bypass.

response- Action to take if the ICAP server cannot be contacted option - error
failure when processing an HTTP response.

Option Description

error Error.

bypass Bypass.

file-transfer- Action to take if the ICAP server cannot be contacted option - error
failure when processing a file transfer.

Option Description

error Error.

bypass Bypass.

request-path Path component of the ICAP URI that identifies the string Not
HTTP request processing service. Specified

response-path Path component of the ICAP URI that identifies the string Not
HTTP response processing service. Specified

file-transfer- Path component of the ICAP URI that identifies the file string Not
path transfer processing service. Specified

methods The allowed HTTP methods that will be sent to ICAP option - delete get
server for further processing. head
options
post put
trace
connect
other

FortiOS 7.2.1 CLI Reference 478

Fortinet Inc.
Parameter Description Type Size Default

Option Description

delete Forward HTTP request or response with DELETE method to ICAP server for
further processing.

get Forward HTTP request or response with GET method to ICAP server for
further processing.

head Forward HTTP request or response with HEAD method to ICAP server for
further processing.

options Forward HTTP request or response with OPTIONS method to ICAP server for
further processing.

post Forward HTTP request or response with POST method to ICAP server for
further processing.

put Forward HTTP request or response with PUT method to ICAP server for
further processing.

trace Forward HTTP request or response with TRACE method to ICAP server for
further processing.

connect Forward HTTP request or response with CONNECT method to ICAP server
for further processing.

other Forward HTTP request or response with All other methods to ICAP server for
further processing.

response-req- Enable/disable addition of req-hdr for ICAP response option - enable

hdr modification (respmod) processing.

Option Description

disable Do not add req-hdr for response modification (respmod) processing.

enable Add req-hdr for response modification (respmod) processing.

respmod- Default action to ICAP response modification (respmod) option - forward

default-action processing.

Option Description

forward Forward response to ICAP server unless a rule specifies not to.

bypass Don't forward request to ICAP server unless a rule specifies to forward the
request.

icap-block-log Enable/disable UTM log when infection found . option - disable

FortiOS 7.2.1 CLI Reference 479

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable UTM log when infection found.

enable Enable UTM log when infection found.

chunk-encap Enable/disable chunked encapsulation . option - disable

Option Description

disable Do not encapsulate chunked data.

enable Encapsulate chunked data into a new chunk.

extension- Enable/disable ICAP extension features. option -

feature

Option Description

scan-progress Support X-Scan-Progress-Interval ICAP header.

scan- Scan progress interval value. integer Minimum 10

progress- value: 5
interval Maximum
value: 30

timeout Time (in seconds) that ICAP client waits for the integer Minimum 30
response from ICAP server. value: 30
Maximum
value: 3600

config icap-headers

Parameter Description Type Size Default

name HTTP forwarded header name. string Not

forward Forward request to ICAP server when this rule is matched.

bypass Don't forward request to ICAP server when this rule is matched.

http-resp- HTTP response status code. integer Minimum 0 **

status-code HTTP response status code. value: 100
<code> Maximum
value: 599

** Values may differ between models.

config header-group

Parameter Description Type Size Default

header-name HTTP header. string Not

Specified

header HTTP header regular expression. string Not

Specified

case- Enable/disable case sensitivity when matching header. option - disable

sensitivity

Option Description

disable Ignore case when matching header.

enable Do not ignore case when matching header.

FortiOS 7.2.1 CLI Reference 481

Fortinet Inc.
ips

This section includes syntax for the following commands:

l config ips decoder on page 488
l config ips rule-settings on page 490
l config ips view-map on page 487
l config ips sensor on page 482
l config ips global on page 492
l config ips rule on page 488
l config ips custom on page 491
l config ips session on page 497
l config ips settings on page 496

config ips sensor

Configure IPS sensor.

config ips sensor
Description: Configure IPS sensor.
edit <name>
set comment {var-string}
set replacemsg-group {string}
set block-malicious-url [disable|enable]
set scan-botnet-connections [disable|block|...]
set extended-log [enable|disable]
config entries
Description: IPS sensor filter.
edit <id>
set rule <id1>, <id2>, ...
set location {user}
set severity {user}
set protocol {user}
set os {user}
set application {user}
set default-action [all|pass|...]
set default-status [all|enable|...]
set cve <cve-entry1>, <cve-entry2>, ...
set vuln-type <id1>, <id2>, ...
set last-modified {user}
set status [disable|enable|...]
set log [disable|enable]
set log-packet [disable|enable]
set log-attack-context [disable|enable]
set action [pass|block|...]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
config exempt-ip

FortiOS 7.2.1 CLI Reference 482

Fortinet Inc.
Description: Traffic from selected source or destination IP addresses is
exempt from this signature.
edit <id>
set src-ip {ipv4-classnet}
set dst-ip {ipv4-classnet}
next
end
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
next
end
next
end

config ips sensor

Parameter Description Type Size Default

comment Comment. var-string Not

Specified

replacemsg- Replacement message group. string Not

group Specified

FortiOS 7.2.1 CLI Reference 483

Fortinet Inc.
config entries

Parameter Description Type Size Default

rule <id> Identifies the predefined or custom IPS signatures integer Minimum
to add to the sensor. value: 0
Rule IPS. Maximum
value:
4294967295

location Protect client or server traffic. user Not Specified all

severity Relative severity of the signature, from info to user Not Specified all
critical. Log messages generated by the signature
include the severity.

protocol Protocols to be examined. Use all for every protocol user Not Specified all
and other for unlisted protocols.

os Operating systems to be protected. Use all for every user Not Specified all
operating system and other for unlisted operating
systems.

application Operating systems to be protected. Use all for every user Not Specified all
application and other for unlisted application.

default-action Signature default action filter. option - all

Option Description

all Selects signatures with any default action.

pass Selects signatures with default action 'pass'.

block Selects signatures with default action 'block'.

default-status Signature default status filter. option - all

Option Description

all Selects signatures with any default status.

enable Selects signatures enabled by default.

disable Selects signatures disabled by default.

cve <cve- List of CVE IDs of the signatures to add to the string Maximum
entry> sensor. length: 19
CVE IDs or CVE wildcards.

vuln-type List of signature vulnerability types to filter by. integer Minimum

<id> Vulnerability type ID. value: 0
Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 484

Fortinet Inc.
Parameter Description Type Size Default

last-modified Filter by signature last modified date. Formats: user Not Specified
before <date>, after <date>, between <start-date>
<end-date>.

status Status of the signatures included in filter. Only those option - default
filters with a status to enable are used.

Option Description

disable Disable status of selected rules.

disable Disable logging of detailed attack context.

enable Enable logging of detailed attack context.

action Action taken with traffic in which signatures are option - default
detected.

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

FortiOS 7.2.1 CLI Reference 485

Fortinet Inc.
Parameter Description Type Size Default

Option Description

reset Reset sessions for matching traffic.

default Pass or drop matching traffic, depending on the default action of the signature.

rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535

rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535

rate-mode Rate limit mode. option - continuous

Option Description

periodical Allow configured number of packets every rate-duration.

continuous Block packets once the rate is reached.

rate-track Track the packet protocol field. option - none

Option Description

none none

src-ip Source IP.

dest-ip Destination IP.

dhcp-client-mac DHCP client.

dns-domain DNS domain.

quarantine Quarantine method. option - none

Option Description

none Quarantine is disabled.

attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.

quarantine- Duration of quarantine. . Requires quarantine set to user Not Specified 5m

expiry attacker.

quarantine- Enable/disable quarantine logging. option - enable

log

FortiOS 7.2.1 CLI Reference 486

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable quarantine logging.

enable Enable quarantine logging.

config exempt-ip

Parameter Description Type Size Default

src-ip Source IP address and netmask (applies to packet ipv4- Not 0.0.0.0
matching the signature). classnet Specified 0.0.0.0

dst-ip Destination IP address and netmask (applies to packet ipv4- Not 0.0.0.0
matching the signature). classnet Specified 0.0.0.0

config ips view-map

Configure IPS view-map.

config ips view-map
Description: Configure IPS view-map.
edit <id>
set vdom-id {integer}
set policy-id {integer}
set id-policy-id {integer}
set which [firewall|interface|...]
next
end

config ips view-map

Parameter Description Type Size Default

vdom-id VDOM ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

policy-id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 487

Fortinet Inc.
Parameter Description Type Size Default

id-policy-id ID-based policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

which Policy. option - firewall

Option Description

firewall Firewall policy.

interface Interface policy.

interface6 Interface policy6.

sniffer Sniffer policy.

sniffer6 Sniffer policy6.

explicit explicit proxy policy.

config ips decoder

Configure IPS decoder.

config ips decoder
Description: Configure IPS decoder.
edit <name>
config parameter
Description: IPS group parameters.
edit <name>
set value {string}
next
end
next
end

config parameter

Parameter Description Type Size Default

value Parameter value. string Not

Specified

config ips rule

Configure IPS rules.

config ips rule
Description: Configure IPS rules.
edit <name>

FortiOS 7.2.1 CLI Reference 488

Fortinet Inc.
set log [disable|enable]
set log-packet [disable|enable]
set action [pass|block]
set group {string}
set severity {user}
set location {user}
set os {user}
set application {user}
set service {user}
set rule-id {integer}
set rev {integer}
set date {integer}
config metadata
Description: Meta data.
edit <id>
set metaid {integer}
set valueid {integer}
next
end
next
end

config ips rule

Parameter Description Type Size Default

log Enable/disable logging. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

action Action. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

group Group. string Not Specified

severity Severity. user Not Specified

location Vulnerable location. user Not Specified

FortiOS 7.2.1 CLI Reference 489

Fortinet Inc.
Parameter Description Type Size Default

os Vulnerable operation systems. user Not Specified

application Vulnerable applications. user Not Specified

service Vulnerable service. user Not Specified

rule-id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

rev Revision. integer Minimum 0

value: 0
Maximum
value:
4294967295

date Date. integer Minimum 0

value: 0
Maximum
value:
4294967295

config metadata

Parameter Description Type Size Default

metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

config ips rule-settings

Configure IPS rule setting.

config ips rule-settings
Description: Configure IPS rule setting.
edit <id>
next
end

FortiOS 7.2.1 CLI Reference 490

Fortinet Inc.
config ips custom

Configure IPS custom signature.

config ips custom
Description: Configure IPS custom signature.
edit <tag>
set signature {var-string}
set rule-id {integer}
set severity {user}
set location {user}
set os {user}
set application {user}
set protocol {user}
set status [disable|enable]
set log [disable|enable]
set log-packet [disable|enable]
set action [pass|block]
set comment {string}
next
end

config ips custom

Parameter Description Type Size Default

signature Custom signature enclosed in single quotes. var-string Not Specified

rule-id Signature ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

severity Relative severity of the signature, from info to critical. user Not Specified
Log messages generated by the signature include the
severity.

location Protect client or server traffic. user Not Specified

os Operating system(s) that the signature protects. user Not Specified

Blank for all operating systems.

application Applications to be protected. Blank for all user Not Specified

applications.

protocol Protocol(s) that the signature scans. Blank for all user Not Specified
protocols.

status Enable/disable this signature. option - enable

FortiOS 7.2.1 CLI Reference 491

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable status.

enable Enable status.

log Enable/disable logging. option - enable

Option Description

disable Disable logging.

enable Enable logging.

log-packet Enable/disable packet logging. option - disable

Option Description

disable Disable packet logging.

enable Enable packet logging.

action Default action (pass or block) for this signature. option - pass

Option Description

pass Pass or allow matching traffic.

block Block or drop matching traffic.

comment Comment. string Not Specified

config ips global

Configure IPS global parameter.

config ips global
Description: Configure IPS global parameter.
set fail-open [enable|disable]
set database [regular|extended]
set traffic-submit [enable|disable]
set anomaly-mode [periodical|continuous]
set session-limit-mode [accurate|heuristic]
set socket-size {integer}
set engine-count {integer}
set sync-session-ttl [enable|disable]
set np-accel-mode [none|basic]
set cp-accel-mode [none|basic|...]
set deep-app-insp-timeout {integer}
set deep-app-insp-db-limit {integer}
set exclude-signatures [none|industrial]
set packet-log-queue-depth {integer}
set ngfw-max-scan-range {integer}
config tls-active-probe

FortiOS 7.2.1 CLI Reference 492

periodical After an anomaly is detected, allow the number of packets per second
according to the anomaly configuration.

continuous Block packets once an anomaly is detected. Overrides individual anomaly

settings.

FortiOS 7.2.1 CLI Reference 493

Fortinet Inc.
Parameter Description Type Size Default

session-limit- Method of counting concurrent sessions used by option - heuristic

mode session limit anomalies. Choose between greater
accuracy (accurate) or improved performance
(heuristics).

Option Description

accurate Accurately count concurrent sessions, demands more resources.

heuristic Use heuristics to estimate the number of concurrent sessions. Acceptable in

most cases.

socket-size IPS socket buffer size. Max and default value integer Minimum 64 **
depend on available memory. Can be changed to value: 0
tune performance. Maximum
value: 128 **

advanced Offload more types of pattern matching resulting in higher throughput than
basic mode. Requires two CP8s or one CP9.

FortiOS 7.2.1 CLI Reference 494

Fortinet Inc.
Parameter Description Type Size Default

deep-app- Timeout for Deep application inspection . integer Minimum 0

insp-timeout value: 0
Maximum
value:
2147483647

deep-app- Limit on number of entries in deep application integer Minimum 0

insp-db-limit inspection database . value: 0
Maximum
value:
2147483647

exclude- Excluded signatures. option - industrial

signatures

Option Description

none No signatures excluded.

industrial Exclude industrial signatures.

packet-log- Packet/pcap log queue depth per IPS engine. integer Minimum 128
queue-depth value: 128
Maximum
value: 4096

ngfw-max- NGFW policy-mode app detection threshold. integer Minimum 4096

scan-range value: 0
Maximum
value:
4294967295

* This parameter may not exist in some models.

** Values may differ between models.

config tls-active-probe

Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

FortiOS 7.2.1 CLI Reference 495

Fortinet Inc.
Parameter Description Type Size Default

interface Specify outgoing interface to reach server. string Not

Specified

vdom Virtual domain name for TLS active probe. string Not
Specified

source-ip Source IP address used for TLS active probe. ipv4- Not 0.0.0.0
address Specified

source-ip6 Source IPv6 address used for TLS active probe. ipv6- Not ::
address Specified

config ips settings

Configure IPS VDOM parameter.

config ips settings
Description: Configure IPS VDOM parameter.
set packet-log-history {integer}
set packet-log-post-attack {integer}
set packet-log-memory {integer}
set ips-packet-quota {integer}
end

config ips settings

Parameter Description Type Size Default

packet-log- Number of packets to capture before and including integer Minimum 1

history the one in which the IPS signature is detected . value: 1
Maximum
value: 255

packet-log- Number of packets to log after the IPS signature is integer Minimum 0
post-attack detected . value: 0
Maximum
value: 255

packet-log- Maximum memory can be used by packet log . integer Minimum 256
memory value: 64
Maximum
value: 8192

ips-packet- Maximum amount of disk space in MB for logged integer Minimum 0

quota packets when logging to disk. Range depends on disk value: 0
size. Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 496

Fortinet Inc.
config ips session

Session status.
config ips session
Description: Session status.
end

FortiOS 7.2.1 CLI Reference 497

Fortinet Inc.
ipsec

This section includes syntax for the following commands:

l config ipsec tunnel on page 498

config ipsec tunnel

IPsec tunnel.
config ipsec tunnel
Description: IPsec tunnel.
end

FortiOS 7.2.1 CLI Reference 498

Fortinet Inc.
log

This section includes syntax for the following commands:

l config log syslogd4 override-setting on page 554
l config log syslogd setting on page 511
l config log fortianalyzer2 filter on page 626
l config log tacacs+accounting3 setting on page 594
l config log memory setting on page 567
l config log tacacs+accounting2 setting on page 593
l config log syslogd4 filter on page 557
l config log syslogd3 override-setting on page 541
l config log syslogd2 override-setting on page 528
l config log fortianalyzer2 setting on page 618
l config log fortianalyzer3 filter on page 640
l config log syslogd3 filter on page 544
l config log fortianalyzer-cloud setting on page 646
l config log syslogd2 filter on page 531
l config log tacacs+accounting2 filter on page 593
l config log tacacs+accounting filter on page 592
l config log fortianalyzer3 override-setting on page 636
l config log fortianalyzer-cloud filter on page 650
l config log fortianalyzer3 setting on page 632
l config log fortianalyzer3 override-filter on page 643
l config log syslogd filter on page 518
l config log memory global-setting on page 566
l config log fortianalyzer2 override-setting on page 622
l config log setting on page 599
l config log syslogd override-filter on page 521
l config log fortianalyzer filter on page 612
l config log fortiguard filter on page 586
l config log syslogd override-setting on page 514
l config log threat-weight on page 500
l config log syslogd4 setting on page 550
l config log fortiguard setting on page 581
l config log fortiguard override-filter on page 588
l config log fortianalyzer-cloud override-filter on page 653
l config log eventfilter on page 578
l config log fortianalyzer setting on page 604
l config log syslogd2 override-filter on page 534
l config log webtrends setting on page 563
l config log syslogd3 setting on page 537
l config log tacacs+accounting3 filter on page 595

FortiOS 7.2.1 CLI Reference 499

Fortinet Inc.
l config log webtrends filter on page 563
l config log fortianalyzer2 override-filter on page 629
l config log null-device filter on page 596
l config log fortianalyzer override-setting on page 608
l config log disk filter on page 576
l config log null-device setting on page 596
l config log fortiguard override-setting on page 584
l config log gui-display on page 603
l config log fortianalyzer override-filter on page 615
l config log custom-field on page 510
l config log fortianalyzer-cloud override-setting on page 650
l config log syslogd2 setting on page 524
l config log tacacs+accounting setting on page 591
l config log disk setting on page 570
l config log syslogd4 override-filter on page 560
l config log syslogd3 override-filter on page 547
l config log memory filter on page 568

config log threat-weight

Configure threat weight settings.

config log threat-weight
Description: Configure threat weight settings.
set status [enable|disable]
config level
Description: Score mapping for threat weight levels.
set low {integer}
set medium {integer}
set high {integer}
set critical {integer}
end
set blocked-connection [disable|low|...]
set failed-connection [disable|low|...]
set url-block-detected [disable|low|...]
set botnet-connection-detected [disable|low|...]
config malware
Description: Anti-virus malware threat weight settings.
set virus-infected [disable|low|...]
set fortindr [disable|low|...]
set fortisandbox [disable|low|...]
set file-blocked [disable|low|...]
set command-blocked [disable|low|...]
set oversized [disable|low|...]
set virus-scan-error [disable|low|...]
set switch-proto [disable|low|...]
set mimefragmented [disable|low|...]
set virus-file-type-executable [disable|low|...]
set virus-outbreak-prevention [disable|low|...]
set content-disarm [disable|low|...]
set malware-list [disable|low|...]
set ems-threat-feed [disable|low|...]

FortiOS 7.2.1 CLI Reference 500

Fortinet Inc.
set fsa-malicious [disable|low|...]
set fsa-high-risk [disable|low|...]
set fsa-medium-risk [disable|low|...]
end
config ips
Description: IPS threat weight settings.
set info-severity [disable|low|...]
set low-severity [disable|low|...]
set medium-severity [disable|low|...]
set high-severity [disable|low|...]
set critical-severity [disable|low|...]
end
config web
Description: Web filtering threat weight settings.
edit <id>
set category {integer}
set level [disable|low|...]
next
end
config geolocation
Description: Geolocation-based threat weight settings.
edit <id>
set country {string}
set level [disable|low|...]
next
end
config application
Description: Application-control threat weight settings.
edit <id>
set category {integer}
set level [disable|low|...]
next
end
end

config log threat-weight

Parameter Description Type Size Default

status Enable/disable the threat weight feature. option - enable

Option Description

enable Enable the threat weight feature.

disable Disable the threat weight feature.

blocked- Threat weight score for blocked connections. option - high

connection

Option Description

disable Disable threat weight scoring for blocked connections.

FortiOS 7.2.1 CLI Reference 501

Fortinet Inc.
Parameter Description Type Size Default

Option Description

low Use the low level score for blocked connections.

medium Use the medium level score for blocked connections.

high Use the high level score for blocked connections.

critical Use the critical level score for blocked connections.

failed- Threat weight score for failed connections. option - low

connection

Option Description

disable Disable threat weight scoring for failed connections.

low Use the low level score for failed connections.

medium Use the medium level score for failed connections.

high Use the high level score for failed connections.

critical Use the critical level score for failed connections.

url-block- Threat weight score for URL blocking. option - high

detected

Option Description

disable Disable threat weight scoring for URL blocking.

low Use the low level score for URL blocking.

medium Use the medium level score for URL blocking.

high Use the high level score for URL blocking.

critical Use the critical level score for URL blocking.

botnet- Threat weight score for detected botnet connections. option - critical
connection-
detected

Option Description

disable Disable threat weight scoring for detected botnet connections.

low Use the low level score for detected botnet connections.

medium Use the medium level score for detected botnet connections.

high Use the high level score for detected botnet connections.

critical Use the critical level score for detected botnet connections.

FortiOS 7.2.1 CLI Reference 502

Fortinet Inc.
config level

Parameter Description Type Size Default

low Low level score value . integer Minimum 5

value: 1
Maximum
value: 100

medium Medium level score value . integer Minimum 10

value: 1
Maximum
value: 100

high High level score value . integer Minimum 30

value: 1
Maximum
value: 100

critical Critical level score value . integer Minimum 50

value: 1
Maximum
value: 100

config malware

Parameter Description Type Size Default

virus-infected Threat weight score for virus (infected) detected. option - critical

Option Description

disable Disable threat weight scoring for virus (infected) detected.

low Use the low level score for virus (infected) detected.

medium Use the medium level score for virus (infected) detected.

high Use the high level score for virus (infected) detected.

critical Use the critical level score for virus (infected) detected.

fortindr Threat weight score for FortiNDR-detected virus. option - critical

Option Description

disable Disable threat weight scoring for virus detected by FortiNDR.

low Use the low level score for virus detected by FortiNDR.

medium Use the medium level score for virus detected by FortiNDR.

high Use the high level score for virus detected by FortiNDR.

critical Use the critical level score for virus detected by FortiNDR.

FortiOS 7.2.1 CLI Reference 503

critical Use the critical level score for oversized file detected.

virus-scan-error Threat weight score for virus (scan error) detected. option - high

FortiOS 7.2.1 CLI Reference 504

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for virus (scan error) detected.

low Use the low level score for virus (scan error) detected.

medium Use the medium level score for virus (scan error) detected.

high Use the high level score for virus (scan error) detected.

critical Use the critical level score for virus (scan error) detected.

switch-proto Threat weight score for switch proto detected. option - disable

Option Description

disable Disable threat weight scoring for switch proto detected.

low Use the low level score for switch proto detected.

medium Use the medium level score for switch proto detected.

high Use the high level score for switch proto detected.

critical Use the critical level score for switch proto detected.

mimefragmented Threat weight score for mimefragmented detected. option - disable

Option Description

disable Disable threat weight scoring for mimefragmented detected.

low Use the low level score for mimefragmented detected.

medium Use the medium level score for mimefragmented detected.

high Use the high level score for mimefragmented detected.

critical Use the critical level score for mimefragmented detected.

virus-file-type- Threat weight score for virus (file type executable) option - medium
executable detected.

Option Description

disable Disable threat weight scoring for virus (filetype executable) detected.

low Use the low level score for virus (filetype executable) detected.

medium Use the medium level score for virus (filetype executable) detected.

high Use the high level score for virus (filetype executable) detected.

critical Use the critical level score for virus (filetype executable) detected.

FortiOS 7.2.1 CLI Reference 505

Fortinet Inc.
Parameter Description Type Size Default

virus-outbreak- Threat weight score for virus (outbreak prevention) option - critical
prevention event.

Option Description

disable Disable threat weight scoring for virus (outbreak prevention) event.

low Use the low level score for virus (outbreak prevention) event.

medium Use the medium level score for virus (outbreak prevention) event.

high Use the high level score for virus (outbreak prevention) event.

critical Use the critical level score for virus (outbreak prevention) event.

content-disarm Threat weight score for virus (content disarm) option - medium
detected.

Option Description

disable Disable threat weight scoring for virus (content disarm) detected.

low Use the low level score for virus (content disarm) detected.

medium Use the medium level score for virus (content disarm) detected.

high Use the high level score for virus (content disarm) detected.

critical Use the critical level score for virus (content disarm) detected.

malware-list Threat weight score for virus (malware list) detected. option - medium

Option Description

disable Disable threat weight scoring for virus (malware list) detected.

low Use the low level score for virus (malware list) detected.

medium Use the medium level score for virus (malware list) detected.

high Use the high level score for virus (malware list) detected.

critical Use the critical level score for virus (malware list) detected.

ems-threat-feed Threat weight score for virus (EMS threat feed) option - medium
detected.

Option Description

disable Disable threat weight scoring for virus (EMS threat feed) detected.

low Use the low level score for virus (EMS threat feed) detected.

medium Use the medium level score for virus (EMS threat feed) detected.

FortiOS 7.2.1 CLI Reference 506

Fortinet Inc.
Parameter Description Type Size Default

Option Description

high Use the high level score for virus (EMS threat feed) detected.

critical Use the critical level score for virus (EMS threat feed) detected.

fsa-malicious Threat weight score for FortiSandbox malicious option - critical

malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox malicious malware

detected.

low Use the low level score for FortiSandbox malicious malware detected.

medium Use the medium level score for FortiSandbox malicious malware
detected.

high Use the high level score for FortiSandbox malicious malware detected.

critical Use the critical level score for FortiSandbox malicious malware detected.

fsa-high-risk Threat weight score for FortiSandbox high risk option - high
malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox high risk malware
detected.

low Use the low level score for FortiSandbox high risk malware detected.

medium Use the medium level score for FortiSandbox high risk malware detected.

high Use the high level score for FortiSandbox high risk malware detected.

critical Use the critical level score for FortiSandbox high risk malware detected.

fsa-medium-risk Threat weight score for FortiSandbox medium risk option - medium
malware detected.

Option Description

disable Disable threat weight scoring for FortiSandbox medium risk malware
detected.

low Use the low level score for FortiSandbox medium risk malware detected.

medium Use the medium level score for FortiSandbox medium risk malware
detected.

high Use the high level score for FortiSandbox medium risk malware detected.

FortiOS 7.2.1 CLI Reference 507

Fortinet Inc.
Parameter Description Type Size Default

Option Description

critical Use the critical level score for FortiSandbox medium risk malware
detected.

config ips

Parameter Description Type Size Default

info-severity Threat weight score for IPS info severity events. option - disable

Option Description

disable Disable threat weight scoring for IPS info severity events.

low Use the low level score for IPS info severity events.

medium Use the medium level score for IPS info severity events.

high Use the high level score for IPS info severity events.

critical Use the critical level score for IPS info severity events.

low-severity Threat weight score for IPS low severity events. option - low

Option Description

disable Disable threat weight scoring for IPS low severity events.

low Use the low level score for IPS low severity events.

medium Use the medium level score for IPS low severity events.

high Use the high level score for IPS low severity events.

critical Use the critical level score for IPS low severity events.

medium- Threat weight score for IPS medium severity events. option - medium
severity

Option Description

disable Disable threat weight scoring for IPS medium severity events.

low Use the low level score for IPS medium severity events.

medium Use the medium level score for IPS medium severity events.

high Use the high level score for IPS medium severity events.

critical Use the critical level score for IPS medium severity events.

high-severity Threat weight score for IPS high severity events. option - high

FortiOS 7.2.1 CLI Reference 508

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable threat weight scoring for IPS high severity events.

low Use the low level score for IPS high severity events.

medium Use the medium level score for IPS high severity events.

high Use the high level score for IPS high severity events.

critical Use the critical level score for IPS high severity events.

critical- Threat weight score for IPS critical severity events. option - critical
severity

Option Description

disable Disable threat weight scoring for IPS critical severity events.

low Use the low level score for IPS critical severity events.

medium Use the medium level score for IPS critical severity events.

high Use the high level score for IPS critical severity events.

critical Use the critical level score for IPS critical severity events.

config web

Parameter Description Type Size Default

category Threat weight score for web category filtering matches. integer Minimum 0
value: 0
Maximum
value: 255

level Threat weight score for web category filtering matches. option - low

Option Description

disable Disable threat weight scoring for web category filtering matches.

low Use the low level score for web category filtering matches.

medium Use the medium level score for web category filtering matches.

high Use the high level score for web category filtering matches.

critical Use the critical level score for web category filtering matches.

FortiOS 7.2.1 CLI Reference 509

Fortinet Inc.
config geolocation

Parameter Description Type Size Default

country Country code. string Not

Specified

level Threat weight score for Geolocation-based events. option - low

Option Description

disable Disable threat weight scoring for Geolocation-based events.

low Use the low level score for Geolocation-based events.

medium Use the medium level score for Geolocation-based events.

high Use the high level score for Geolocation-based events.

critical Use the critical level score for Geolocation-based events.

config application

Parameter Description Type Size Default

category Application category. integer Minimum 0

value: 0
Maximum
value:
65535

level Threat weight score for Application events. option - low

Option Description

disable Disable threat weight scoring for Application events.

low Use the low level score for Application events.

medium Use the medium level score for Application events.

high Use the high level score for Application events.

critical Use the critical level score for Application events.

config log custom-field

Configure custom log fields.

config log custom-field
Description: Configure custom log fields.
edit <id>
set name {string}
set value {string}
next
end

FortiOS 7.2.1 CLI Reference 510

Fortinet Inc.
config log custom-field

Parameter Description Type Size Default

name Field name (max: 15 characters). string Not

Specified

value Field value (max: 15 characters). string Not

Specified

config log syslogd setting

Global settings for remote syslog server.

config log syslogd setting
Description: Global settings for remote syslog server.
set status [enable|disable]
set server {string}
set mode [udp|legacy-reliable|...]
set port {integer}
set facility [kernel|user|...]
set source-ip {string}
set format [default|csv|...]
set priority [default|low]
set max-log-rate {integer}
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log syslogd setting

Parameter Description Type Size Default

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

FortiOS 7.2.1 CLI Reference 512

Fortinet Inc.
Parameter Description Type Size Default

Option Description

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

FortiOS 7.2.1 CLI Reference 513

Fortinet Inc.
Parameter Description Type Size Default

Option Description

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config custom-field-name

Parameter Description Type Size Default

name Field name. string Not

Specified

custom Field custom name. string Not

Specified

config log syslogd override-setting

Override settings for remote syslog server.

config log syslogd override-setting
Description: Override settings for remote syslog server.

FortiOS 7.2.1 CLI Reference 514

Fortinet Inc.
set status [enable|disable]
set server {string}
set mode [udp|legacy-reliable|...]
set port {integer}
set facility [kernel|user|...]
set source-ip {string}
set format [default|csv|...]
set priority [default|low]
set max-log-rate {integer}
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log syslogd override-setting

Parameter Description Type Size Default

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

server Address of remote syslog server. string Not

Specified

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 515

Fortinet Inc.
Parameter Description Type Size Default

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

source-ip Source IP address of syslog. string Not

Specified

format Log format. option - default

FortiOS 7.2.1 CLI Reference 516

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

certificate Certificate used to communicate with Syslog server. string Not

Specified

FortiOS 7.2.1 CLI Reference 517

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 519

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.2.1 CLI Reference 520

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd override-filter

Override filters for remote system server.

config log syslogd override-filter
Description: Override filters for remote system server.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log syslogd override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

FortiOS 7.2.1 CLI Reference 521

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

FortiOS 7.2.1 CLI Reference 523

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd2 setting

Global settings for remote syslog server.

config log syslogd2 setting
Description: Global settings for remote syslog server.
set status [enable|disable]
set server {string}
set mode [udp|legacy-reliable|...]
set port {integer}
set facility [kernel|user|...]
set source-ip {string}
set format [default|csv|...]
set priority [default|low]
set max-log-rate {integer}
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set interface-select-method [auto|sdwan|...]
set interface {string}
end

FortiOS 7.2.1 CLI Reference 524

Fortinet Inc.
config log syslogd2 setting

Parameter Description Type Size Default

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

server Address of remote syslog server. string Not

Specified

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.2.1 CLI Reference 525

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

source-ip Source IP address of syslog. string Not

Specified

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

FortiOS 7.2.1 CLI Reference 526

Fortinet Inc.
Parameter Description Type Size Default

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config custom-field-name

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

FortiOS 7.2.1 CLI Reference 529

Fortinet Inc.
Parameter Description Type Size Default

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

FortiOS 7.2.1 CLI Reference 530

Fortinet Inc.
Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 532

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.2.1 CLI Reference 533

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd2 override-filter

Override filters for remote system server.

config log syslogd2 override-filter
Description: Override filters for remote system server.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log syslogd2 override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

FortiOS 7.2.1 CLI Reference 534

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

FortiOS 7.2.1 CLI Reference 536

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd3 setting

Global settings for remote syslog server.

config log syslogd3 setting
Description: Global settings for remote syslog server.
set status [enable|disable]
set server {string}
set mode [udp|legacy-reliable|...]
set port {integer}
set facility [kernel|user|...]
set source-ip {string}
set format [default|csv|...]
set priority [default|low]
set max-log-rate {integer}
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set interface-select-method [auto|sdwan|...]
set interface {string}
end

FortiOS 7.2.1 CLI Reference 537

Fortinet Inc.
config log syslogd3 setting

Parameter Description Type Size Default

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

server Address of remote syslog server. string Not

Specified

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.2.1 CLI Reference 538

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

source-ip Source IP address of syslog. string Not

Specified

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

FortiOS 7.2.1 CLI Reference 539

Fortinet Inc.
Parameter Description Type Size Default

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config custom-field-name

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

FortiOS 7.2.1 CLI Reference 542

Fortinet Inc.
Parameter Description Type Size Default

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

FortiOS 7.2.1 CLI Reference 543

Fortinet Inc.
Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 545

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.2.1 CLI Reference 546

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd3 override-filter

Override filters for remote system server.

config log syslogd3 override-filter
Description: Override filters for remote system server.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log syslogd3 override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

FortiOS 7.2.1 CLI Reference 547

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

FortiOS 7.2.1 CLI Reference 549

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd4 setting

Global settings for remote syslog server.

config log syslogd4 setting
Description: Global settings for remote syslog server.
set status [enable|disable]
set server {string}
set mode [udp|legacy-reliable|...]
set port {integer}
set facility [kernel|user|...]
set source-ip {string}
set format [default|csv|...]
set priority [default|low]
set max-log-rate {integer}
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set certificate {string}
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set name {string}
set custom {string}
next
end
set interface-select-method [auto|sdwan|...]
set interface {string}
end

FortiOS 7.2.1 CLI Reference 550

Fortinet Inc.
config log syslogd4 setting

Parameter Description Type Size Default

status Enable/disable remote syslog logging. option - disable

Option Description

enable Log to remote syslog server.

disable Do not log to remote syslog server.

server Address of remote syslog server. string Not

Specified

mode Remote syslog logging over UDP/Reliable TCP. option - udp

Option Description

udp Enable syslogging over UDP.

legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).

reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).

port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535

facility Remote syslog facility. option - local7

Option Description

kernel Kernel messages.

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

FortiOS 7.2.1 CLI Reference 551

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

source-ip Source IP address of syslog. string Not

Specified

format Log format. option - default

Option Description

default Syslog format.

csv CSV (Comma Separated Values) format.

cef CEF (Common Event Format) format.

rfc5424 Syslog RFC5424 format.

priority Set log transmission priority. option - default

Option Description

default Set Syslog transmission priority to default.

low Set Syslog transmission priority to low.

max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

FortiOS 7.2.1 CLI Reference 552

Fortinet Inc.
Parameter Description Type Size Default

enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable

Option Description

high-medium SSL communication with high and medium encryption algorithms.

high SSL communication with high encryption algorithms.

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config custom-field-name

user Random user-level messages.

mail Mail system.

daemon System daemons.

auth Security/authorization messages.

syslog Messages generated internally by syslog.

lpr Line printer subsystem.

news Network news subsystem.

uucp Network news subsystem.

cron Clock daemon.

authpriv Security/authorization messages (private).

ftp FTP daemon.

ntp NTP daemon.

audit Log audit.

alert Log alert.

clock Clock daemon.

local0 Reserved for local use.

local1 Reserved for local use.

local2 Reserved for local use.

local3 Reserved for local use.

local4 Reserved for local use.

local5 Reserved for local use.

local6 Reserved for local use.

local7 Reserved for local use.

FortiOS 7.2.1 CLI Reference 555

Fortinet Inc.
Parameter Description Type Size Default

low SSL communication with low encryption algorithms.

disable Disable SSL communication.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

FortiOS 7.2.1 CLI Reference 556

Fortinet Inc.
Parameter Description Type Size Default

certificate Certificate used to communicate with Syslog server. string Not

Specified

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 558

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.2.1 CLI Reference 559

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log syslogd4 override-filter

Override filters for remote system server.

config log syslogd4 override-filter
Description: Override filters for remote system server.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log syslogd4 override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

FortiOS 7.2.1 CLI Reference 560

Fortinet Inc.
Parameter Description Type Size Default

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

FortiOS 7.2.1 CLI Reference 562

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log webtrends setting

Settings for WebTrends.

config log webtrends setting
Description: Settings for WebTrends.
set status [enable|disable]
set server {string}
end

config log webtrends setting

Parameter Description Type Size Default

status Enable/disable logging to WebTrends. option - disable

Option Description

enable Enable logging to WebTrends.

disable Disble logging to WebTrends.

server Address of the remote WebTrends server. string Not

Specified

config log webtrends filter

Filters for WebTrends.

config log webtrends filter
Description: Filters for WebTrends.
set severity [emergency|alert|...]

FortiOS 7.2.1 CLI Reference 563

Fortinet Inc.
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log webtrends filter

Parameter Description Type Size Default

severity Lowest severity level to log to WebTrends. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

FortiOS 7.2.1 CLI Reference 564

Fortinet Inc.
Parameter Description Type Size Default

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

FortiOS 7.2.1 CLI Reference 565

Fortinet Inc.
Parameter Description Type Size Default

Option Description

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log memory global-setting

Global settings for memory logging.

config log memory global-setting
Description: Global settings for memory logging.
set max-size {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set full-final-warning-threshold {integer}
end

FortiOS 7.2.1 CLI Reference 566

Fortinet Inc.
config log memory global-setting

Parameter Description Type Size Default

max-size Maximum amount of memory that can be used for integer Minimum 31870197 **
memory logging in bytes. value: 0
Maximum
value:
4294967295

full-first- Log full first warning threshold as a percent . integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

full-second- Log full second warning threshold as a percent . integer Minimum 90

warning- value: 2
threshold Maximum
value: 99

full-final- Log full final warning threshold as a percent . integer Minimum 95

warning- value: 3
threshold Maximum
value: 100

** Values may differ between models.

config log memory setting

Settings for memory buffer.

config log memory setting
Description: Settings for memory buffer.
set status [enable|disable]
end

config log memory setting

Parameter Description Type Size Default

status Enable/disable logging to the FortiGate's memory. option - enable **

Option Description

enable Enable logging to memory.

disable Disable logging to memory.

** Values may differ between models.

FortiOS 7.2.1 CLI Reference 567

Fortinet Inc.
config log memory filter

Filters for memory buffer.

config log memory filter
Description: Filters for memory buffer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log memory filter

Parameter Description Type Size Default

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

FortiOS 7.2.1 CLI Reference 568

Fortinet Inc.
Parameter Description Type Size Default

local-traffic Enable/disable local in or out traffic logging. option - disable **

Option Description

enable Enable local in or out traffic logging.

enable Enable VoIP logging.

disable Disable VoIP logging.

** Values may differ between models.

FortiOS 7.2.1 CLI Reference 569

Fortinet Inc.
config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log disk setting

Settings for local disk logging.

config log disk setting
Description: Settings for local disk logging.
set status [enable|disable]
set ips-archive [enable|disable]

FortiOS 7.2.1 CLI Reference 570

Fortinet Inc.
set max-log-file-size {integer}
set max-policy-packet-capture-size {integer}
set roll-schedule [daily|weekly]
set roll-day {option1}, {option2}, ...
set roll-time {user}
set diskfull [overwrite|nolog]
set log-quota {integer}
set dlp-archive-quota {integer}
set maximum-log-age {integer}
set upload [enable|disable]
set upload-destination {option}
set uploadip {ipv4-address}
set uploadport {integer}
set source-ip {ipv4-address}
set uploaduser {string}
set uploadpass {password}
set uploaddir {string}
set uploadtype {option1}, {option2}, ...
set uploadsched [disable|enable]
set uploadtime {user}
set upload-delete-files [enable|disable]
set upload-ssl-conn [default|high|...]
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set full-final-warning-threshold {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log disk setting

Parameter Description Type Size Default

status Enable/disable local disk logging. option - disable **

Option Description

enable Log to local disk.

disable Do not log to local disk.

ips-archive Enable/disable IPS packet archiving to the local option - enable

disk.

Option Description

enable Enable IPS packet archiving.

disable Disable IPS packet archiving.

max-log-file- Maximum log file size before rolling . integer Minimum 20

size value: 1
Maximum
value: 100

FortiOS 7.2.1 CLI Reference 571

Fortinet Inc.
Parameter Description Type Size Default

max-policy- Maximum size of policy sniffer in MB (0 means integer Minimum 100

packet- unlimited). value: 0
capture-size Maximum
value:
4294967295

roll-schedule Frequency to check log file for rolling. option - daily

Option Description

daily Check the log file once a day.

weekly Check the log file once a week.

roll-day Day of week on which to roll log file. option - sunday

Option Description

sunday Sunday

monday Monday

tuesday Tuesday

wednesday Wednesday

thursday Thursday

friday Friday

saturday Saturday

roll-time Time of day to roll the log file (hh:mm). user Not Specified

diskfull Action to take when disk is full. The system can option - overwrite
overwrite the oldest log messages or stop logging
when the disk is full .

Option Description

overwrite Overwrite the oldest logs when the log disk is full.

nolog Stop logging when the log disk is full.

log-quota Disk log quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 572

Fortinet Inc.
Parameter Description Type Size Default

dlp-archive- DLP archive quota (MB). integer Minimum 0

quota value: 0
Maximum
value:
4294967295

maximum-log- Delete log files older than (days). integer Minimum 7

age value: 0
Maximum
value: 3650

upload Enable/disable uploading log files when they are option - disable
rolled.

Option Description

enable Enable uploading log files when they are rolled.

disable Disable uploading log files when they are rolled.

upload- The type of server to upload log files to. Only FTP is option - ftp-server
destination currently supported.

Option Description

ftp-server Upload rolled log files to an FTP server.

uploadip IP address of the FTP server to upload log files to. ipv4- Not Specified 0.0.0.0
address

uploadport TCP port to use for communicating with the FTP integer Minimum 21
server . value: 0
Maximum
value: 65535

source-ip Source IP address to use for uploading disk log ipv4- Not Specified 0.0.0.0
files. address

uploaduser Username required to log into the FTP server to string Not Specified
upload disk log files.

uploadpass Password required to log into the FTP server to password Not Specified
upload disk log files.

uploaddir The remote directory on the FTP server to upload string Not Specified
log files to.

FortiOS 7.2.1 CLI Reference 573

Fortinet Inc.
Parameter Description Type Size Default

uploadtype Types of log files to upload. Separate multiple option - traffic event
entries with a space. virus
webfilter
IPS
emailfilter
dlp-archive
anomaly
voip dlp
app-ctrl waf
dns ssh ssl
**

Option Description

traffic Upload traffic log.

event Upload event log.

virus Upload anti-virus log.

webfilter Upload web filter log.

IPS Upload IPS log.

emailfilter Upload spam filter log.

dlp-archive Upload DLP archive.

anomaly Upload anomaly log.

voip Upload VoIP log.

dlp Upload DLP log.

app-ctrl Upload application control log.

waf Upload web application firewall log.

dns Upload DNS log.

ssh Upload SSH log.

ssl Upload SSL log.

file-filter Upload file-filter log.

icap Upload ICAP log.

uploadsched Set the schedule for uploading log files to the FTP option - disable
server .

Option Description

disable Upload when rolling.

enable Scheduled upload.

FortiOS 7.2.1 CLI Reference 574

Fortinet Inc.
Parameter Description Type Size Default

uploadtime Time of day at which log files are uploaded if user Not Specified
uploadsched is enabled (hh:mm or hh).

upload-delete- Delete log files after uploading . option - enable

files

Option Description

enable Delete log files after uploading.

disable Do not delete log files after uploading.

upload-ssl- Enable/disable encrypted FTPS communication to option - default

conn upload log files.

Option Description

default FTPS with high and medium encryption algorithms.

high FTPS with high encryption algorithms.

low FTPS with low encryption algorithms.

disable Disable FTPS communication.

full-first- Log full first warning threshold as a percent . integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

full-second- Log full second warning threshold as a percent . integer Minimum 90

warning- value: 2
threshold Maximum
value: 99

full-final- Log full final warning threshold as a percent . integer Minimum 95

warning- value: 3
threshold Maximum
value: 100

interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not Specified

** Values may differ between models.

FortiOS 7.2.1 CLI Reference 575

Fortinet Inc.
config log disk filter

Configure filters for local disk logging. Use these filters to determine the log messages to record according to severity
and type.
config log disk filter
Description: Configure filters for local disk logging. Use these filters to determine the
log messages to record according to severity and type.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log disk filter

Parameter Description Type Size Default

severity Log to disk every message above and including this option - information
severity level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

FortiOS 7.2.1 CLI Reference 576

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log eventfilter

Configure log event filters.

config log eventfilter
Description: Configure log event filters.
set event [enable|disable]
set system [enable|disable]

FortiOS 7.2.1 CLI Reference 578

config log eventfilter

Parameter Description Type Size Default

event Enable/disable event logging. option - enable

Option Description

enable Enable event logging.

disable Disable event logging.

system Enable/disable system event logging. option - enable

Option Description

enable Enable system event logging.

disable Disable system event logging.

vpn Enable/disable VPN event logging. option - enable

enable Enable WAN optimization event logging.

disable Disable WAN optimization event logging.

endpoint Enable/disable endpoint event logging. option - enable

Option Description

enable Enable endpoint event logging.

disable Disable endpoint event logging.

ha Enable/disable ha event logging. option - enable

Option Description

enable Enable ha event logging.

disable Disable ha event logging.

security-rating Enable/disable Security Rating result logging. option - enable

Option Description

enable Enable Security Fabric audit result logging.

disable Disable Security Fabric audit result logging.

fortiextender Enable/disable FortiExtender logging. option - enable

Option Description

enable Enable Forti-Extender logging.

disable Disable Forti-Extender logging.

FortiOS 7.2.1 CLI Reference 580

Fortinet Inc.
Parameter Description Type Size Default

connector Enable/disable SDN connector logging. option - enable

Option Description

enable Enable SDN connector logging.

disable Disable SDN connector logging.

sdwan Enable/disable SD-WAN logging. option - enable

Option Description

enable Enable SD-WAN logging.

disable Disable SD-WAN logging.

cifs Enable/disable CIFS logging. option - enable

FortiOS 7.2.1 CLI Reference 581

Fortinet Inc.
set access-config [enable|disable]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set source-ip {ipv4-address}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log fortiguard setting

Parameter Description Type Size Default

status Enable/disable logging to FortiCloud. option - disable

Option Description

enable Enable logging to FortiCloud.

disable Disable logging to FortiCloud.

upload-option Configure how log messages are sent to FortiCloud. option - 5-minute

Option Description

store-and-upload Log to the hard disk and then upload logs to FortiCloud.

realtime Log directly to FortiCloud in real time.

1-minute Log directly to FortiCloud at 1-minute intervals.

5-minute Log directly to FortiCloud at 5-minute intervals.

upload- Frequency of uploading log files to FortiCloud. option - daily

interval

Option Description

daily Upload log files to FortiCloud once a day.

weekly Upload log files to FortiCloud once a week.

monthly Upload log files to FortiCloud once a month.

upload-day Day of week to roll logs. user Not

Specified

upload-time Time of day to roll logs (hh:mm). user Not

Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiCloud log transmission priority to default.

FortiOS 7.2.1 CLI Reference 582

Fortinet Inc.
Parameter Description Type Size Default

Option Description

low Set FortiCloud log transmission priority to low.

max-log-rate FortiCloud maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

access-config Enable/disable FortiCloud access to configuration and option - enable

data.

Option Description

enable Enable FortiCloud access to configuration and data.

disable Disable FortiCloud access to configuration and data.

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiCloud.

Option Description

high-medium Encrypt logs using high and medium encryption.

high Encrypt logs using high encryption.

low Encrypt logs using low encryption.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

conn-timeout FortiGate Cloud connection timeout in seconds. integer Minimum 10

value: 1
Maximum
value: 3600

source-ip Source IP address used to connect FortiCloud. ipv4- Not 0.0.0.0

address Specified

FortiOS 7.2.1 CLI Reference 583

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortiguard override-setting

Override global FortiCloud logging settings for this VDOM.

config log fortiguard override-setting
Description: Override global FortiCloud logging settings for this VDOM.
set override [enable|disable]
set status [enable|disable]
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}
set upload-time {user}
set priority [default|low]
set max-log-rate {integer}
set access-config [enable|disable]
end

config log fortiguard override-setting

Parameter Description Type Size Default

override Overriding FortiCloud settings for this VDOM or use option - disable
global settings.

Option Description

enable Override FortiCloud logging settings.

disable Use global FortiCloud logging settings.

status Enable/disable logging to FortiCloud. option - disable

Option Description

enable Enable logging to FortiCloud.

disable Disable logging to FortiCloud.

FortiOS 7.2.1 CLI Reference 584

Fortinet Inc.
Parameter Description Type Size Default

upload-option Configure how log messages are sent to FortiCloud. option - 5-minute

Option Description

store-and-upload Log to the hard disk and then upload logs to FortiCloud.

realtime Log directly to FortiCloud in real time.

1-minute Log directly to FortiCloud at 1-minute intervals.

5-minute Log directly to FortiCloud at 5-minute intervals.

upload- Frequency of uploading log files to FortiCloud. option - daily

interval

Option Description

daily Upload log files to FortiCloud once a day.

weekly Upload log files to FortiCloud once a week.

monthly Upload log files to FortiCloud once a month.

upload-day Day of week to roll logs. user Not

Specified

upload-time Time of day to roll logs (hh:mm). user Not

Specified

priority Set log transmission priority. option - default

Option Description

default Set FortiCloud log transmission priority to default.

low Set FortiCloud log transmission priority to low.

max-log-rate FortiCloud maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

access-config Enable/disable FortiCloud access to configuration and option - enable

data.

Option Description

enable Enable FortiCloud access to configuration and data.

disable Disable FortiCloud access to configuration and data.

FortiOS 7.2.1 CLI Reference 585

Fortinet Inc.
config log fortiguard filter

Filters for FortiCloud.

config log fortiguard filter
Description: Filters for FortiCloud.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log fortiguard filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

FortiOS 7.2.1 CLI Reference 586

Fortinet Inc.
Parameter Description Type Size Default

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortiguard override-filter

Override filters for FortiCloud.

config log fortiguard override-filter
Description: Override filters for FortiCloud.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]

FortiOS 7.2.1 CLI Reference 588

Fortinet Inc.
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

config log fortiguard override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

FortiOS 7.2.1 CLI Reference 589

Fortinet Inc.
Parameter Description Type Size Default

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

FortiOS 7.2.1 CLI Reference 590

Fortinet Inc.
Parameter Description Type Size Default

Option Description

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log tacacs+accounting setting

Settings for TACACS+ accounting.

config log tacacs+accounting setting
Description: Settings for TACACS+ accounting.
set status [enable|disable]
set server {string}
set server-key {password}
end

FortiOS 7.2.1 CLI Reference 591

Fortinet Inc.
config log tacacs+accounting setting

Parameter Description Type Size Default

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

server Address of TACACS+ server. string Not

Specified

server-key Key to access the TACACS+ server. password Not

Specified

config log tacacs+accounting filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting filter
Description: Settings for TACACS+ accounting events filter.
set login-audit [enable|disable]
set config-change-audit [enable|disable]
set cli-cmd-audit [enable|disable]
end

config log tacacs+accounting filter

Parameter Description Type Size Default

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

FortiOS 7.2.1 CLI Reference 592

Fortinet Inc.
Parameter Description Type Size Default

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - enable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

config log tacacs+accounting2 setting

Settings for TACACS+ accounting.

config log tacacs+accounting2 setting
Description: Settings for TACACS+ accounting.
set status [enable|disable]
set server {string}
set server-key {password}
end

config log tacacs+accounting2 setting

Parameter Description Type Size Default

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

disable Disable TACACS+ accounting.

server Address of TACACS+ server. string Not

Specified

server-key Key to access the TACACS+ server. password Not

Specified

config log tacacs+accounting2 filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting2 filter
Description: Settings for TACACS+ accounting events filter.
set login-audit [enable|disable]
set config-change-audit [enable|disable]
set cli-cmd-audit [enable|disable]
end

FortiOS 7.2.1 CLI Reference 593

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

config log tacacs+accounting3 setting

Settings for TACACS+ accounting.

config log tacacs+accounting3 setting
Description: Settings for TACACS+ accounting.
set status [enable|disable]
set server {string}
set server-key {password}
end

config log tacacs+accounting3 setting

Parameter Description Type Size Default

status Enable/disable TACACS+ accounting. option - disable

Option Description

enable Enable TACACS+ accounting.

FortiOS 7.2.1 CLI Reference 594

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable TACACS+ accounting.

server Address of TACACS+ server. string Not

Specified

server-key Key to access the TACACS+ server. password Not

Specified

config log tacacs+accounting3 filter

Settings for TACACS+ accounting events filter.

config log tacacs+accounting3 filter
Description: Settings for TACACS+ accounting events filter.
set login-audit [enable|disable]
set config-change-audit [enable|disable]
set cli-cmd-audit [enable|disable]
end

config log tacacs+accounting3 filter

Parameter Description Type Size Default

login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.

Option Description

enable Enable TACACS+ accounting for login events audit.

disable Disable TACACS+ accounting for login events audit.

config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Option Description

enable Enable TACACS+ accounting for configuration change events audit.

disable Disable TACACS+ accounting for configuration change events audit.

cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - enable

commands audit.

Option Description

enable Enable TACACS+ accounting for CLI commands audit.

disable Disable TACACS+ accounting for CLI commands audit.

FortiOS 7.2.1 CLI Reference 595

Fortinet Inc.
config log null-device setting

Settings for null device logging.

config log null-device setting
Description: Settings for null device logging.
set status [enable|disable]
end

config log null-device setting

Parameter Description Type Size Default

status Enable/disable statistics collection for when no external option - disable

logging destination, such as FortiAnalyzer, is present
(data is not saved).

Option Description

enable Enable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).

disable Disable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).

config log null-device filter

Filters for null device logging.

config log null-device filter
Description: Filters for null device logging.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 596

Fortinet Inc.
config log null-device filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 597

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

FortiOS 7.2.1 CLI Reference 598

Fortinet Inc.
Parameter Description Type Size Default

Option Description

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log setting

Configure general log settings.

config log setting
Description: Configure general log settings.
set resolve-ip [enable|disable]
set resolve-port [enable|disable]
set log-user-in-upper [enable|disable]
set fwpolicy-implicit-log [enable|disable]
set fwpolicy6-implicit-log [enable|disable]
set log-invalid-packet [enable|disable]
set local-in-allow [enable|disable]
set local-in-deny-unicast [enable|disable]
set local-in-deny-broadcast [enable|disable]
set local-out [enable|disable]
set local-out-ioc-detection [enable|disable]
set daemon-log [enable|disable]
set neighbor-event [enable|disable]
set brief-traffic-format [enable|disable]
set user-anonymize [enable|disable]
set expolicy-implicit-log [enable|disable]
set log-policy-comment [enable|disable]
set faz-override [enable|disable]
set syslog-override [enable|disable]
set rest-api-set [enable|disable]
set rest-api-get [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set anonymization-hash {string}
end

FortiOS 7.2.1 CLI Reference 599

Fortinet Inc.
config log setting

Fortinet Inc.
Parameter Description Type Size Default

local-in-allow Enable/disable local-in-allow logging. option - disable

custom-log-fields Custom fields to append to all log messages. string Maximum

<field-id> Custom log field. length: 35

anonymization- User name anonymization hash salt. string Not

hash Specified

config log gui-display

Configure how log messages are displayed on the GUI.

config log gui-display
Description: Configure how log messages are displayed on the GUI.
set resolve-hosts [enable|disable]
set resolve-apps [enable|disable]
set fortiview-unscanned-apps [enable|disable]
end

config log gui-display

Parameter Description Type Size Default

enable Enable showing unscanned traffic.

disable Disable showing unscanned traffic.

config log fortianalyzer setting

Global FortiAnalyzer settings.

config log fortianalyzer setting
Description: Global FortiAnalyzer settings.
set status [enable|disable]
set ips-archive [enable|disable]
set server {string}
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}
set upload-time {user}
set reliable [enable|disable]
set priority [default|low]
set max-log-rate {integer}

FortiOS 7.2.1 CLI Reference 604

Fortinet Inc.
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log fortianalyzer setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

server The remote FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

hmac- OFTP login hash algorithm. option - sha256

algorithm

FortiOS 7.2.1 CLI Reference 605

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sha256 Use SHA256 as HMAC algorithm.

sha1 Step down to SHA1 as the HMAC algorithm.

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

FortiOS 7.2.1 CLI Reference 606

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

FortiOS 7.2.1 CLI Reference 607

Fortinet Inc.
Parameter Description Type Size Default

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortianalyzer override-setting

Override FortiAnalyzer settings.

config log fortianalyzer override-setting
Description: Override FortiAnalyzer settings.
set use-management-vdom [enable|disable]
set status [enable|disable]
set ips-archive [enable|disable]
set server {string}
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}
set upload-time {user}
set reliable [enable|disable]
set priority [default|low]
set max-log-rate {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

FortiOS 7.2.1 CLI Reference 608

Fortinet Inc.
config log fortianalyzer override-setting

Parameter Description Type Size Default

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

server The remote FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared-key Preshared-key used for auto-authorization on string Not

FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

FortiOS 7.2.1 CLI Reference 610

Fortinet Inc.
Parameter Description Type Size Default

monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.

Option Description

store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-interval Frequency to upload log files to FortiAnalyzer. option - daily

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

priority Set log transmission priority. option - default

FortiOS 7.2.1 CLI Reference 611

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortianalyzer filter

Filters for FortiAnalyzer.

config log fortianalyzer filter
Description: Filters for FortiAnalyzer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 612

Fortinet Inc.
config log fortianalyzer filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 613

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.2.1 CLI Reference 614

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer override-filter
Description: Override filters for FortiAnalyzer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 615

Fortinet Inc.
config log fortianalyzer override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 616

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.2.1 CLI Reference 617

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer2 setting

Global FortiAnalyzer settings.

config log fortianalyzer2 setting
Description: Global FortiAnalyzer settings.
set status [enable|disable]
set ips-archive [enable|disable]
set server {string}
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}

FortiOS 7.2.1 CLI Reference 618

Fortinet Inc.
set upload-time {user}
set reliable [enable|disable]
set priority [default|low]
set max-log-rate {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log fortianalyzer2 setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

server The remote FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

FortiOS 7.2.1 CLI Reference 619

Fortinet Inc.
Parameter Description Type Size Default

hmac- OFTP login hash algorithm. option - sha256

algorithm

Option Description

sha256 Use SHA256 as HMAC algorithm.

sha1 Step down to SHA1 as the HMAC algorithm.

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

FortiOS 7.2.1 CLI Reference 620

Fortinet Inc.
Parameter Description Type Size Default

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

FortiOS 7.2.1 CLI Reference 621

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortianalyzer2 override-setting

Override FortiAnalyzer settings.

config log fortianalyzer2 override-setting
Description: Override FortiAnalyzer settings.
set use-management-vdom [enable|disable]
set status [enable|disable]
set ips-archive [enable|disable]
set server {string}
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}
set upload-time {user}
set reliable [enable|disable]
set priority [default|low]
set max-log-rate {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

FortiOS 7.2.1 CLI Reference 622

Fortinet Inc.
config log fortianalyzer2 override-setting

Parameter Description Type Size Default

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

server The remote FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared-key Preshared-key used for auto-authorization on string Not

FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

FortiOS 7.2.1 CLI Reference 624

Fortinet Inc.
Parameter Description Type Size Default

monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.

Option Description

store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-interval Frequency to upload log files to FortiAnalyzer. option - daily

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

priority Set log transmission priority. option - default

FortiOS 7.2.1 CLI Reference 625

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortianalyzer2 filter

Filters for FortiAnalyzer.

config log fortianalyzer2 filter
Description: Filters for FortiAnalyzer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 626

Fortinet Inc.
config log fortianalyzer2 filter

Parameter Description Type Size Default

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 627

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.2.1 CLI Reference 628

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer2 override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer2 override-filter
Description: Override filters for FortiAnalyzer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 629

Fortinet Inc.
config log fortianalyzer2 override-filter

Parameter Description Type Size Default

severity Log every message above and including this severity option - information
level.

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 630

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.2.1 CLI Reference 631

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer3 setting

Global FortiAnalyzer settings.

config log fortianalyzer3 setting
Description: Global FortiAnalyzer settings.
set status [enable|disable]
set ips-archive [enable|disable]
set server {string}
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}

FortiOS 7.2.1 CLI Reference 632

Fortinet Inc.
set upload-time {user}
set reliable [enable|disable]
set priority [default|low]
set max-log-rate {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log fortianalyzer3 setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

server The remote FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

FortiOS 7.2.1 CLI Reference 633

Fortinet Inc.
Parameter Description Type Size Default

hmac- OFTP login hash algorithm. option - sha256

algorithm

Option Description

sha256 Use SHA256 as HMAC algorithm.

sha1 Step down to SHA1 as the HMAC algorithm.

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

FortiOS 7.2.1 CLI Reference 634

Fortinet Inc.
Parameter Description Type Size Default

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

priority Set log transmission priority. option - default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

FortiOS 7.2.1 CLI Reference 635

Fortinet Inc.
Parameter Description Type Size Default

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000

interface- Specify how to select outgoing interface to reach server. option - auto
select-method

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortianalyzer3 override-setting

Override FortiAnalyzer settings.

config log fortianalyzer3 override-setting
Description: Override FortiAnalyzer settings.
set use-management-vdom [enable|disable]
set status [enable|disable]
set ips-archive [enable|disable]
set server {string}
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}
set upload-time {user}
set reliable [enable|disable]
set priority [default|low]
set max-log-rate {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

FortiOS 7.2.1 CLI Reference 636

Fortinet Inc.
config log fortianalyzer3 override-setting

Parameter Description Type Size Default

use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom

Option Description

enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - enable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

server The remote FortiAnalyzer. string Not

Specified

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared-key Preshared-key used for auto-authorization on string Not

FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

FortiOS 7.2.1 CLI Reference 638

Fortinet Inc.
Parameter Description Type Size Default

monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.

Option Description

store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload-interval Frequency to upload log files to FortiAnalyzer. option - daily

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

reliable Enable/disable reliable logging to FortiAnalyzer. option - disable

Option Description

enable Enable reliable logging to FortiAnalyzer.

disable Disable reliable logging to FortiAnalyzer.

priority Set log transmission priority. option - default

FortiOS 7.2.1 CLI Reference 639

Fortinet Inc.
Parameter Description Type Size Default

Option Description

default Set FortiAnalyzer log transmission priority to default.

low Set FortiAnalyzer log transmission priority to low.

max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000

interface-select- Specify how to select outgoing interface to reach option - auto

method server.

Option Description

auto Set outgoing interface automatically.

sdwan Set outgoing interface by SD-WAN or policy routing rules.

specify Set outgoing interface manually.

interface Specify outgoing interface to reach server. string Not

Specified

config log fortianalyzer3 filter

Filters for FortiAnalyzer.

config log fortianalyzer3 filter
Description: Filters for FortiAnalyzer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 640

Fortinet Inc.
config log fortianalyzer3 filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 641

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.2.1 CLI Reference 642

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer3 override-filter

Override filters for FortiAnalyzer.

config log fortianalyzer3 override-filter
Description: Override filters for FortiAnalyzer.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
end

FortiOS 7.2.1 CLI Reference 643

Fortinet Inc.
config log fortianalyzer3 override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

FortiOS 7.2.1 CLI Reference 644

Fortinet Inc.
Parameter Description Type Size Default

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - enable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

FortiOS 7.2.1 CLI Reference 645

Fortinet Inc.
Parameter Description Type Size Default

Option Description

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer-cloud setting

Global FortiAnalyzer Cloud settings.

config log fortianalyzer-cloud setting
Description: Global FortiAnalyzer Cloud settings.
set status [enable|disable]
set ips-archive [enable|disable]
set certificate-verification [enable|disable]
set serial <name1>, <name2>, ...
set preshared-key {string}
set access-config [enable|disable]
set hmac-algorithm [sha256|sha1]
set enc-algorithm [high-medium|high|...]
set ssl-min-proto-version [default|SSLv3|...]
set conn-timeout {integer}
set monitor-keepalive-period {integer}
set monitor-failure-retry-period {integer}
set certificate {string}
set source-ip {string}
set upload-option [store-and-upload|realtime|...]
set upload-interval [daily|weekly|...]
set upload-day {user}
set upload-time {user}

FortiOS 7.2.1 CLI Reference 646

Fortinet Inc.
set priority [default|low]
set max-log-rate {integer}
set interface-select-method [auto|sdwan|...]
set interface {string}
end

config log fortianalyzer-cloud setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

ips-archive Enable/disable IPS packet archive logging. option - disable

Option Description

enable Enable IPS packet archive logging.

disable Disable IPS packet archive logging.

certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.

Option Description

enable Enable identity verification of FortiAnalyzer by use of certificate.

disable Disable identity verification of FortiAnalyzer by use of certificate.

serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79

preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified

access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Option Description

enable Enable FortiAnalyzer access to configuration and data.

disable Disable FortiAnalyzer access to configuration and data.

hmac- OFTP login hash algorithm. option - sha256

algorithm

FortiOS 7.2.1 CLI Reference 647

Fortinet Inc.
Parameter Description Type Size Default

Option Description

sha256 Use SHA256 as HMAC algorithm.

sha1 Step down to SHA1 as the HMAC algorithm.

enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.

Option Description

high-medium Encrypt logs using high and medium encryption algorithms.

high Encrypt logs using high encryption algorithms.

low Encrypt logs using all encryption algorithms.

ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections .

Option Description

default Follow system global setting.

SSLv3 SSLv3.

TLSv1 TLSv1.

TLSv1-1 TLSv1.1.

TLSv1-2 TLSv1.2.

TLSv1-3 TLSv1.3.

conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600

monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120

monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400

certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified

FortiOS 7.2.1 CLI Reference 648

Fortinet Inc.
Parameter Description Type Size Default

source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified

upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.

Option Description

store-and-upload Log to hard disk and then upload to FortiAnalyzer.

realtime Log directly to FortiAnalyzer in real time.

1-minute Log directly to FortiAnalyzer at least every 1 minute.

5-minute Log directly to FortiAnalyzer at least every 5 minutes.

upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval

Option Description

daily Upload log files to FortiAnalyzer once a day.

weekly Upload log files to FortiAnalyzer once a week.

monthly Upload log files to FortiAnalyzer once a month.

upload-day Day of week (month) to upload logs. user Not

Specified

upload-time Time to upload logs (hh:mm). user Not

Specified

priority Set log transmission priority. option - default

config log fortianalyzer-cloud override-setting

Override FortiAnalyzer Cloud settings.

config log fortianalyzer-cloud override-setting
Description: Override FortiAnalyzer Cloud settings.
set status [enable|disable]
end

config log fortianalyzer-cloud override-setting

Parameter Description Type Size Default

status Enable/disable logging to FortiAnalyzer. option - disable

Option Description

enable Enable logging to FortiAnalyzer.

disable Disable logging to FortiAnalyzer.

config log fortianalyzer-cloud filter

Filters for FortiAnalyzer Cloud.

config log fortianalyzer-cloud filter
Description: Filters for FortiAnalyzer Cloud.
set severity [emergency|alert|...]
set forward-traffic [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set ztna-traffic [enable|disable]
set anomaly [enable|disable]
set voip [enable|disable]
set dlp-archive [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set category [traffic|event|...]
set filter {string}

FortiOS 7.2.1 CLI Reference 650

Fortinet Inc.
set filter-type [include|exclude]
next
end
end

config log fortianalyzer-cloud filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.2.1 CLI Reference 651

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - disable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

FortiOS 7.2.1 CLI Reference 652

Fortinet Inc.
Parameter Description Type Size Default

Option Description

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

config log fortianalyzer-cloud override-filter

Override filters for FortiAnalyzer Cloud.

FortiOS 7.2.1 CLI Reference 653

Fortinet Inc.
set filter {string}
set filter-type [include|exclude]
next
end
end

config log fortianalyzer-cloud override-filter

Parameter Description Type Size Default

severity Lowest severity level to log. option - information

Option Description

emergency Emergency level.

alert Alert level.

critical Critical level.

error Error level.

warning Warning level.

notification Notification level.

information Information level.

debug Debug level.

forward-traffic Enable/disable forward traffic logging. option - enable

Option Description

enable Enable forward traffic logging.

disable Disable forward traffic logging.

local-traffic Enable/disable local in or out traffic logging. option - enable

Option Description

enable Enable local in or out traffic logging.

disable Disable local in or out traffic logging.

multicast- Enable/disable multicast traffic logging. option - enable

traffic

Option Description

enable Enable multicast traffic logging.

disable Disable multicast traffic logging.

sniffer-traffic Enable/disable sniffer traffic logging. option - enable

FortiOS 7.2.1 CLI Reference 654

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable sniffer traffic logging.

disable Disable sniffer traffic logging.

ztna-traffic Enable/disable ztna traffic logging. option - enable

Option Description

enable Enable ztna traffic logging.

disable Disable ztna traffic logging.

anomaly Enable/disable anomaly logging. option - enable

Option Description

enable Enable anomaly logging.

disable Disable anomaly logging.

voip Enable/disable VoIP logging. option - enable

Option Description

enable Enable VoIP logging.

disable Disable VoIP logging.

dlp-archive Enable/disable DLP archive logging. option - disable

Option Description

enable Enable DLP archive logging.

disable Disable DLP archive logging.

config free-style

Parameter Description Type Size Default

category Log category. option - traffic

Option Description

traffic Traffic log.

event Event log.

virus Antivirus log.

webfilter Web filter log.

FortiOS 7.2.1 CLI Reference 655

Fortinet Inc.
Parameter Description Type Size Default

Option Description

attack Attack log.

spam Antispam log.

anomaly Anomaly log.

voip VoIP log.

dlp DLP log.

app-ctrl Application control log.

waf Web application firewall log.

dns DNS detail log.

ssh SSH log.

ssl SSL log.

file-filter File filter log.

icap ICAP log.

filter Free style filter string. string Not

Specified

filter-type Include/exclude logs that match the filter. option - include

Option Description

include Include logs that match the filter.

exclude Exclude logs that match the filter.

FortiOS 7.2.1 CLI Reference 656

Fortinet Inc.
mgmt-data

This section includes syntax for the following commands:

l config mgmt-data status on page 657

config mgmt-data status

Status for mgmt-data.

config mgmt-data status
Description: Status for mgmt-data.
end

FortiOS 7.2.1 CLI Reference 657

Fortinet Inc.
router

This section includes syntax for the following commands:

l config router multicast6 on page 790
l config router multicast-flow on page 781
l config router community-list on page 664
l config router ripng on page 677
l config router ospf on page 691
l config router bgp on page 721
l config router auth-path on page 792
l config router info on page 792
l config router access-list on page 658
l config router static6 on page 689
l config router policy6 on page 687
l config router isis on page 768
l config router key-chain on page 663
l config router aspath-list on page 660
l config router access-list6 on page 659
l config router bfd6 on page 794
l config router rip on page 671
l config router ospf6 on page 707
l config router setting on page 793
l config router route-map on page 665
l config router prefix-list on page 661
l config router prefix-list6 on page 662
l config router policy on page 684
l config router info6 on page 792
l config router bfd on page 793
l config router multicast on page 782
l config router static on page 682

config router access-list

Configure access lists.

config router access-list
Description: Configure access lists.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set action [permit|deny]
set prefix {user}

FortiOS 7.2.1 CLI Reference 658

Fortinet Inc.
set wildcard {user}
set exact-match [enable|disable]
next
end
next
end

config router access-list

Parameter Description Type Size Default

comments Comment. string Not

Specified

config rule

Parameter Description Type Size Default

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Permit or allow this IP address and netmask prefix.

deny Deny this IP address and netmask prefix.

prefix IPv4 prefix to define regular filter criteria, such as "any" user Not
or subnets. Specified

wildcard Wildcard to define Cisco-style wildcard filter criteria. user Not

Specified

exact-match Enable/disable exact match. option - disable

Option Description

enable Enable exact match.

disable Disable exact match.

config router access-list6

Configure IPv6 access lists.

config router access-list6
Description: Configure IPv6 access lists.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set action [permit|deny]
set prefix6 {user}
set exact-match [enable|disable]

FortiOS 7.2.1 CLI Reference 659

Fortinet Inc.
set flags {integer}
next
end
next
end

config router access-list6

Parameter Description Type Size Default

comments Comment. string Not

Specified

config rule

Parameter Description Type Size Default

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Permit or allow this IP address and netmask prefix.

deny Deny this IP address and netmask prefix.

prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

exact-match Enable/disable exact prefix match. option - disable

Option Description

enable Enable exact match.

disable Disable exact match.

flags Flags. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router aspath-list

Configure Autonomous System (AS) path lists.

config router aspath-list
Description: Configure Autonomous System (AS) path lists.
edit <name>
config rule
Description: AS path list rule.
edit <id>
set action [deny|permit]

FortiOS 7.2.1 CLI Reference 660

Fortinet Inc.
set regexp {string}
next
end
next
end

config rule

Parameter Description Type Size Default

action Permit or deny route-based operations, based on the option -

route's AS_PATH attribute.

Option Description

deny Deny route-based operations.

permit Permit route-based operations.

regexp Regular-expression to match the Border Gateway string Not

Protocol (BGP) AS paths. Specified

config router prefix-list

Configure IPv4 prefix lists.

config router prefix-list
Description: Configure IPv4 prefix lists.
edit <name>
set comments {string}
config rule
Description: IPv4 prefix list rule.
edit <id>
set action [permit|deny]
set prefix {user}
set ge {integer}
set le {integer}
next
end
next
end

config router prefix-list

Parameter Description Type Size Default

comments Comment. string Not

Specified

FortiOS 7.2.1 CLI Reference 661

Fortinet Inc.
config rule

Parameter Description Type Size Default

action Permit or deny this IP address and netmask prefix. option - permit

Option Description

permit Allow or permit packets that match this rule.

deny Deny packets that match this rule.

prefix IPv4 prefix to define regular filter criteria, such as "any" user Not 0.0.0.0
or subnets. Specified 0.0.0.0

ge Minimum prefix length to be matched . integer Minimum

value: 0
Maximum
value: 32

le Maximum prefix length to be matched . integer Minimum

value: 0
Maximum
value: 32

config router prefix-list6

Configure IPv6 prefix lists.

config router prefix-list6
Description: Configure IPv6 prefix lists.
edit <name>
set comments {string}
config rule
Description: IPv6 prefix list rule.
edit <id>
set action [permit|deny]
set prefix6 {user}
set ge {integer}
set le {integer}
set flags {integer}
next
end
next
end

config router prefix-list6

Parameter Description Type Size Default

comments Comment. string Not

Specified

FortiOS 7.2.1 CLI Reference 662

Fortinet Inc.
config rule

Parameter Description Type Size Default

action Permit or deny packets that match this rule. option - permit

Option Description

permit Allow or permit packets that match this rule.

deny Deny packets that match this rule.

prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

ge Minimum prefix length to be matched . integer Minimum

value: 0
Maximum
value: 128

le Maximum prefix length to be matched . integer Minimum

value: 0
Maximum
value: 128

flags Flags. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router key-chain

Configure key-chain.
config router key-chain
Description: Configure key-chain.
edit <name>
config key
Description: Configuration method to edit key settings.
edit <id>
set accept-lifetime {user}
set send-lifetime {user}
set key-string {password}
set algorithm [md5|hmac-sha1|...]
next
end
next
end

FortiOS 7.2.1 CLI Reference 663

Fortinet Inc.
config key

Parameter Description Type Size Default

accept- Lifetime of received authentication key (format: user Not

lifetime hh:mm:ss day month year). Specified

send-lifetime Lifetime of sent authentication key (format: hh:mm:ss user Not

day month year). Specified

key-string Password for the key (maximum = 64 characters). password Not

Specified

algorithm Cryptographic algorithm. option - md5

Option Description

md5 MD5.

hmac-sha1 HMAC-SHA1.

hmac-sha256 HMAC-SHA256.

hmac-sha384 HMAC-SHA384.

hmac-sha512 HMAC-SHA512.

config router community-list

Configure community lists.

config router community-list
Description: Configure community lists.
edit <name>
set type [standard|expanded]
config rule
Description: Community list rule.
edit <id>
set action [deny|permit]
set regexp {string}
set match {string}
next
end
next
end

config router community-list

Parameter Description Type Size Default

type Community list type (standard or expanded). option - standard

FortiOS 7.2.1 CLI Reference 664

Fortinet Inc.
Parameter Description Type Size Default

Option Description

standard Standard community list type.

expanded Expanded community list type.

config rule

Parameter Description Type Size Default

action Permit or deny route-based operations, based on the option -

route's COMMUNITY attribute.

Option Description

deny Deny route-based operations.

permit Permit or allow route-based operations.

regexp Ordered list of COMMUNITY attributes as a regular string Not

expression. Specified

match Community specifications for matching a reserved string Not

community. Specified

config router route-map

Configure route maps.

config router route-map
Description: Configure route maps.
edit <name>
set comments {string}
config rule
Description: Rule.
edit <id>
set action [permit|deny]
set match-as-path {string}
set match-community {string}
set match-community-exact [enable|disable]
set match-origin [none|egp|...]
set match-interface {string}
set match-ip-address {string}
set match-ip6-address {string}
set match-ip-nexthop {string}
set match-ip6-nexthop {string}
set match-metric {integer}
set match-route-type [external-type1|external-type2|...]
set match-tag {integer}
set match-vrf {integer}
set set-aggregator-as {integer}
set set-aggregator-ip {ipv4-address-any}

FortiOS 7.2.1 CLI Reference 665

Fortinet Inc.
set set-aspath-action [prepend|replace]
set set-aspath <as1>, <as2>, ...
set set-atomic-aggregate [enable|disable]
set set-community-delete {string}
set set-community <community1>, <community2>, ...
set set-community-additive [enable|disable]
set set-dampening-reachability-half-life {integer}
set set-dampening-reuse {integer}
set set-dampening-suppress {integer}
set set-dampening-max-suppress {integer}
set set-dampening-unreachability-half-life {integer}
set set-extcommunity-rt <community1>, <community2>, ...
set set-extcommunity-soo <community1>, <community2>, ...
set set-ip-nexthop {ipv4-address}
set set-ip6-nexthop {ipv6-address}
set set-ip6-nexthop-local {ipv6-address}
set set-local-preference {integer}
set set-metric {integer}
set set-metric-type [external-type1|external-type2|...]
set set-originator-id {ipv4-address-any}
set set-origin [none|egp|...]
set set-tag {integer}
set set-weight {integer}
set set-route-tag {integer}
set set-priority {integer}
next
end
next
end

config router route-map

Parameter Description Type Size Default

comments Optional comments. string Not

Specified

config rule

Parameter Description Type Size Default

action Action. option - permit

Option Description

permit Permit.

deny Deny.

match-as-path Match BGP AS path list. string Not Specified

match- Match BGP community list. string Not Specified

community

FortiOS 7.2.1 CLI Reference 666

Fortinet Inc.
Parameter Description Type Size Default

match- Enable/disable exact matching of communities. option - disable

community-exact

Option Description

enable Enable exact matching of communities.

disable Disable exact matching of communities.

match-origin Match BGP origin code. option - none

Option Description

none None.

egp Remote EGP.

igp Local IGP.

incomplete Unknown heritage.

match-interface Match interface configuration. string Not Specified

match-ip-address Match IP address permitted by access-list or string Not Specified

prefix-list.

match-ip6- Match IPv6 address permitted by access-list6 or string Not Specified

address prefix-list6.

match-ip-nexthop Match next hop IP address passed by access-list string Not Specified
or prefix-list.

match-ip6- Match next hop IPv6 address passed by access- string Not Specified
nexthop list6 or prefix-list6.

match-metric Match metric for redistribute routes. integer Minimum

value: 0
Maximum
value:
4294967295

match-route-type Match route type. option -

Option Description

external-type1 External type 1.

external-type2 External type 2.

none No type specified.

FortiOS 7.2.1 CLI Reference 667

Fortinet Inc.
Parameter Description Type Size Default

match-tag Match tag. integer Minimum

value: 0
Maximum
value:
4294967295

match-vrf Match VRF ID. integer Minimum

value: 0
Maximum
value: 63

set-aggregator- BGP aggregator AS. integer Minimum 0

as value: 0
Maximum
value:
4294967295

set-aggregator-ip BGP aggregator IP. ipv4- Not Specified 0.0.0.0

address-
any

set-aspath-action Specify preferred action of set-aspath. option - prepend

Option Description

prepend Prepend.

replace Replace.

set-aspath <as> Prepend BGP AS path attribute. string Maximum

AS number (0 - 4294967295). Use quotes for length: 79
repeating numbers, For example, "1 1 2".

set-atomic- Enable/disable BGP atomic aggregate attribute. option - disable

aggregate

Option Description

enable Enable BGP atomic aggregate attribute.

disable Disable BGP atomic aggregate attribute.

set-community- Delete communities matching community list. string Not Specified

delete

set-community BGP community attribute. string Maximum

set-community- Enable/disable adding set-community to existing option - disable

additive community.

FortiOS 7.2.1 CLI Reference 668

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable adding set-community to existing community.

disable Disable adding set-community to existing community.

set-dampening- Reachability half-life time for the penalty . integer Minimum 0

reachability-half- value: 0
life Maximum
value: 45

set-dampening- Value to start reusing a route . integer Minimum 0

reuse value: 0
Maximum
value: 20000

set-dampening- Value to start suppressing a route . integer Minimum 0

suppress value: 0
Maximum
value: 20000

set-dampening- Maximum duration to suppress a route . integer Minimum 0

max-suppress value: 0
Maximum
value: 255

set-dampening- Unreachability Half-life time for the penalty . integer Minimum 0

unreachability- value: 0
half-life Maximum
value: 45

set- Route Target extended community. string Maximum

extcommunity-rt AA:NN. length: 79
<community>

set- Site-of-Origin extended community. string Maximum

extcommunity- Community (format = AA:NN). length: 79
soo
<community>

set-ip-nexthop IP address of next hop. ipv4- Not Specified

address

set-ip6-nexthop IPv6 global address of next hop. ipv6- Not Specified

address

set-ip6-nexthop- IPv6 local address of next hop. ipv6- Not Specified

local address

FortiOS 7.2.1 CLI Reference 669

Fortinet Inc.
Parameter Description Type Size Default

set-local- BGP local preference path attribute. integer Minimum

preference value: 0
Maximum
value:
4294967295

set-metric Metric value. integer Minimum

value: 0
Maximum
value:
4294967295

set-metric-type Metric type. option -

Option Description

external-type1 External type 1.

external-type2 External type 2.

none No type specified.

set-originator-id BGP originator ID attribute. ipv4- Not Specified

address-
any

set-origin BGP origin code. option - none

Option Description

none None.

egp Remote EGP.

igp Local IGP.

incomplete Unknown heritage.

set-tag Tag value. integer Minimum

value: 0
Maximum
value:
4294967295

set-weight BGP weight for routing table. integer Minimum

value: 0
Maximum
value:
4294967295

FortiOS 7.2.1 CLI Reference 670

Fortinet Inc.
Parameter Description Type Size Default

set-route-tag Route tag for routing table. integer Minimum

value: 0
Maximum
value:
4294967295

set-priority Priority for routing table. integer Minimum

value: 1
Maximum
value: 65535

config router rip

Configure RIP.
config router rip
Description: Configure RIP.
set default-information-originate [enable|disable]
set default-metric {integer}
set max-out-metric {integer}
config distance
Description: Distance.
edit <id>
set prefix {ipv4-classnet-any}
set distance {integer}
set access-list {string}
next
end
config distribute-list
Description: Distribute list.
edit <id>
set status [enable|disable]
set direction [in|out]
set listname {string}
set interface {string}
next
end
config neighbor
Description: Neighbor.
edit <id>
set ip {ipv4-address}
next
end
config network
Description: Network.
edit <id>
set prefix {ipv4-classnet}
next
end
config offset-list
Description: Offset list.
edit <id>
set status [enable|disable]

FortiOS 7.2.1 CLI Reference 671

Fortinet Inc.
set direction [in|out]
set access-list {string}
set offset {integer}
set interface {string}
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
next
end
set update-timer {integer}
set timeout-timer {integer}
set garbage-timer {integer}
set version [1|2]
config interface
Description: RIP interface configuration.
edit <name>
set auth-keychain {string}
set auth-mode [none|text|...]
set auth-string {password}
set receive-version {option1}, {option2}, ...
set send-version {option1}, {option2}, ...
set send-version2-broadcast [disable|enable]
set split-horizon-status [enable|disable]
set split-horizon [poisoned|regular]
set flags {integer}
next
end
end

config router rip

Parameter Description Type Size Default

default- Enable/disable generation of default route. option - disable

information-
originate

Option Description

enable Enable setting.

disable Disable setting.

default-metric Default metric. integer Minimum 1

value: 1
Maximum
value: 16

FortiOS 7.2.1 CLI Reference 672

Fortinet Inc.
Parameter Description Type Size Default

max-out- Maximum metric allowed to output(0 means 'not set'). integer Minimum 0
metric value: 0
Maximum
value: 15

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

update-timer Update timer in seconds. integer Minimum 30

value: 1
Maximum
value:
2147483647

timeout-timer Timeout timer in seconds. integer Minimum 180

value: 5
Maximum
value:
2147483647

garbage-timer Garbage timer in seconds. integer Minimum 120

value: 5
Maximum
value:
2147483647

version RIP version. option - 2

Option Description

1 Version 1.

2 Version 2.

config distance

Parameter Description Type Size Default

prefix Distance prefix. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
any

distance Distance . integer Minimum 0

value: 1
Maximum
value: 255

access-list Access list for route destination. string Not

Specified

FortiOS 7.2.1 CLI Reference 673

Fortinet Inc.
config distribute-list

Parameter Description Type Size Default

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

direction Distribute list direction. option - out

Option Description

in Filter incoming packets.

out Filter outgoing packets.

listname Distribute access/prefix list name. string Not

Specified

interface Distribute list interface name. string Not

Specified

config neighbor

Parameter Description Type Size Default

ip IP address. ipv4- Not 0.0.0.0

address Specified

config network

Parameter Description Type Size Default

prefix Network prefix. ipv4- Not 0.0.0.0

classnet Specified 0.0.0.0

config offset-list

Parameter Description Type Size Default

status Status. option - enable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 674

Fortinet Inc.
Parameter Description Type Size Default

direction Offset list direction. option - out

Option Description

in Filter incoming packets.

out Filter outgoing packets.

access-list Access list name. string Not

Specified

offset Offset. integer Minimum 0

value: 1
Maximum
value: 16

interface Interface name. string Not

Specified

config redistribute

Parameter Description Type Size Default

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 1
Maximum
value: 16

routemap Route map name. string Not

Specified

config interface

Parameter Description Type Size Default

auth-keychain Authentication key-chain name. string Not

Specified

auth-mode Authentication mode. option - none

FortiOS 7.2.1 CLI Reference 675

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none None.

text Text.

md5 MD5.

auth-string Authentication string/password. password Not

Specified

receive- Receive version. option -

version

Option Description

1 Version 1.

2 Version 2.

send-version Send version. option -

Option Description

1 Version 1.

2 Version 2.

Fortinet Inc.
Parameter Description Type Size Default

flags Flags. integer Minimum 8

value: 0
Maximum
value: 255

config router ripng

Configure RIPng.
config router ripng
Description: Configure RIPng.
set default-information-originate [enable|disable]
set default-metric {integer}
set max-out-metric {integer}
config distance
Description: Distance.
edit <id>
set distance {integer}
set prefix6 {ipv6-prefix}
set access-list6 {string}
next
end
config distribute-list
Description: Distribute list.
edit <id>
set status [enable|disable]
set direction [in|out]
set listname {string}
set interface {string}
next
end
config neighbor
Description: Neighbor.
edit <id>
set ip6 {ipv6-address}
set interface {string}
next
end
config network
Description: Network.
edit <id>
set prefix {ipv6-prefix}
next
end
config aggregate-address
Description: Aggregate address.
edit <id>
set prefix6 {ipv6-prefix}
next
end
config offset-list
Description: Offset list.
edit <id>

FortiOS 7.2.1 CLI Reference 677

Fortinet Inc.
set status [enable|disable]
set direction [in|out]
set access-list6 {string}
set offset {integer}
set interface {string}
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
next
end
set update-timer {integer}
set timeout-timer {integer}
set garbage-timer {integer}
config interface
Description: RIPng interface configuration.
edit <name>
set split-horizon-status [enable|disable]
set split-horizon [poisoned|regular]
set flags {integer}
next
end
end

config router ripng

Parameter Description Type Size Default

default- Enable/disable generation of default route. option - disable

information-
originate

Option Description

enable Enable setting.

disable Disable setting.

default-metric Default metric. integer Minimum 1

value: 1
Maximum
value: 16

max-out- Maximum metric allowed to output(0 means 'not set'). integer Minimum 0
metric value: 0
Maximum
value: 15

FortiOS 7.2.1 CLI Reference 678

Fortinet Inc.
Parameter Description Type Size Default

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

update-timer Update timer. integer Minimum 30

value: 5
Maximum
value:
2147483647

timeout-timer Timeout timer. integer Minimum 180

value: 5
Maximum
value:
2147483647

garbage-timer Garbage timer. integer Minimum 120

value: 5
Maximum
value:
2147483647

config distance

Parameter Description Type Size Default

distance Distance . integer Minimum 0

value: 1
Maximum
value: 255

prefix6 Distance prefix6. ipv6-prefix Not ::/0

Specified

access-list6 Access list for route destination. string Not

Specified

config distribute-list

Parameter Description Type Size Default

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

direction Distribute list direction. option - out

FortiOS 7.2.1 CLI Reference 679

Fortinet Inc.
Parameter Description Type Size Default

Option Description

in Filter incoming packets.

out Filter outgoing packets.

listname Distribute access/prefix list name. string Not

Specified

interface Distribute list interface name. string Not

Specified

config neighbor

Parameter Description Type Size Default

ip6 IPv6 link-local address. ipv6- Not ::

address Specified

interface Interface name. string Not

Specified

config network

Parameter Description Type Size Default

prefix Network IPv6 link-local prefix. ipv6-prefix Not ::/0

Specified

config aggregate-address

Parameter Description Type Size Default

prefix6 Aggregate address prefix. ipv6-prefix Not ::/0

Specified

config offset-list

Parameter Description Type Size Default

status Status. option - enable

Option Description

enable Enable setting.

disable Disable setting.

direction Offset list direction. option - out

FortiOS 7.2.1 CLI Reference 680

Fortinet Inc.
Parameter Description Type Size Default

Option Description

in Filter incoming packets.

out Filter outgoing packets.

access-list6 IPv6 access list name. string Not

Specified

offset Offset. integer Minimum 0

value: 1
Maximum
value: 16

interface Interface name. string Not

Specified

config redistribute

Parameter Description Type Size Default

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 1
Maximum
value: 16

routemap Route map name. string Not

Specified

config interface

Parameter Description Type Size Default

split-horizon- Enable/disable split horizon. option - enable

status

Option Description

enable Enable setting.

disable Disable setting.

split-horizon Enable/disable split horizon. option - poisoned

FortiOS 7.2.1 CLI Reference 681

Fortinet Inc.
Parameter Description Type Size Default

Option Description

poisoned Poisoned.

regular Regular.

flags Flags. integer Minimum 8

value: 0
Maximum
value: 255

config router static

Configure IPv4 static routing tables.

config router static
Description: Configure IPv4 static routing tables.
edit <seq-num>
set status [enable|disable]
set dst {ipv4-classnet}
set src {ipv4-classnet}
set gateway {ipv4-address}
set distance {integer}
set weight {integer}
set priority {integer}
set device {string}
set comment {var-string}
set blackhole [enable|disable]
set dynamic-gateway [enable|disable]
set sdwan-zone <name1>, <name2>, ...
set dstaddr {string}
set internet-service {integer}
set internet-service-custom {string}
set link-monitor-exempt [enable|disable]
set vrf {integer}
set bfd [enable|disable]
next
end

config router static

Parameter Description Type Size Default

status Enable/disable this static route. option - enable

Option Description

enable Enable static route.

disable Disable static route.

FortiOS 7.2.1 CLI Reference 682

Fortinet Inc.
Parameter Description Type Size Default

dst Destination IP and mask for this route. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0

src Source prefix for this route. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0

gateway Gateway IP for this route. ipv4- Not Specified 0.0.0.0

address

distance Administrative distance . integer Minimum 10

value: 1
Maximum
value: 255

weight Administrative weight . integer Minimum 0

value: 0
Maximum
value: 255

priority Administrative priority . integer Minimum 1

value: 1
Maximum
value: 65535

device Gateway out interface or tunnel. string Not Specified

comment Optional comments. var-string Not Specified

blackhole Enable/disable black hole. option - disable

Option Description

enable Enable black hole.

disable Disable black hole.

dynamic- Enable use of dynamic gateway retrieved from a option - disable

gateway DHCP or PPP server.

Option Description

enable Enable dynamic gateway.

disable Disable dynamic gateway.

sdwan-zone Choose SD-WAN Zone. string Maximum

<name> SD-WAN zone name. length: 79

dstaddr Name of firewall address or address group. string Not Specified

FortiOS 7.2.1 CLI Reference 683

Fortinet Inc.
Parameter Description Type Size Default

internet- Application ID in the Internet service database. integer Minimum 0

service value: 0
Maximum
value:
4294967295

internet- Application name in the Internet service custom string Not Specified
service- database.
custom

link-monitor- Enable/disable withdrawal of this static route when option - disable

exempt link monitor or health check is down.

Option Description

enable Keep this static route when link monitor or health check is down.

disable Withdraw this static route when link monitor or health check is down. (default)

vrf Virtual Routing Forwarding ID. integer Minimum 0

value: 0
Maximum
value: 63

bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).

Option Description

enable Enable Bidirectional Forwarding Detection (BFD).

disable Disable Bidirectional Forwarding Detection (BFD).

config router policy

Configure IPv4 routing policies.

config router policy
Description: Configure IPv4 routing policies.
edit <seq-num>
set input-device <name1>, <name2>, ...
set input-device-negate [enable|disable]
set src <subnet1>, <subnet2>, ...
set srcaddr <name1>, <name2>, ...
set src-negate [enable|disable]
set dst <subnet1>, <subnet2>, ...
set dstaddr <name1>, <name2>, ...
set dst-negate [enable|disable]
set action [deny|permit]
set protocol {integer}
set start-port {integer}
set end-port {integer}
set start-source-port {integer}

FortiOS 7.2.1 CLI Reference 684

Fortinet Inc.
set end-source-port {integer}
set gateway {ipv4-address}
set output-device {string}
set tos {user}
set tos-mask {user}
set status [enable|disable]
set comments {var-string}
set internet-service-id <id1>, <id2>, ...
set internet-service-custom <name1>, <name2>, ...
next
end

config router policy

Parameter Description Type Size Default

input-device Incoming interface name. string Maximum

<name> Interface name. length: 79

input-device- Enable/disable negation of input device match. option - disable

deny Do not search policy route table.

permit Use this policy route for forwarding.

protocol Protocol number . integer Minimum 0

value: 0
Maximum
value: 255

start-port Start destination port number . integer Minimum 0

value: 0
Maximum
value: 65535

end-port End destination port number . integer Minimum 65535

value: 0
Maximum
value: 65535

start-source- Start source port number . integer Minimum 0

port value: 0
Maximum
value: 65535

end-source- End source port number . integer Minimum 65535

port value: 0
Maximum
value: 65535

gateway IP address of the gateway. ipv4- Not Specified 0.0.0.0

address

output-device Outgoing interface name. string Not Specified

tos Type of service bit pattern. user Not Specified

tos-mask Type of service evaluated bits. user Not Specified

status Enable/disable this policy route. option - enable

Option Description

enable Enable this policy route.

disable Disable this policy route.

comments Optional comments. var-string Not Specified

FortiOS 7.2.1 CLI Reference 686

Fortinet Inc.
Parameter Description Type Size Default

internet- Destination Internet Service ID. integer Minimum

service-id Destination Internet Service ID. value: 0
<id> Maximum
value:
4294967295

internet- Custom Destination Internet Service name. string Maximum

service- Custom Destination Internet Service name. length: 79
custom
<name>

config router policy6

Configure IPv6 routing policies.

config router policy6
Description: Configure IPv6 routing policies.
edit <seq-num>
set input-device <name1>, <name2>, ...
set input-device-negate [enable|disable]
set src <addr61>, <addr62>, ...
set srcaddr <name1>, <name2>, ...
set src-negate [enable|disable]
set dst <addr61>, <addr62>, ...
set dstaddr <name1>, <name2>, ...
set dst-negate [enable|disable]
set action [deny|permit]
set protocol {integer}
set start-port {integer}
set end-port {integer}
set gateway {ipv6-address}
set output-device {string}
set tos {user}
set tos-mask {user}
set status [enable|disable]
set comments {var-string}
set internet-service-id <id1>, <id2>, ...
set internet-service-custom <name1>, <name2>, ...
next
end

config router policy6

Parameter Description Type Size Default

input-device Incoming interface name. string Maximum

<name> Interface name. length: 79

FortiOS 7.2.1 CLI Reference 687

Fortinet Inc.
Parameter Description Type Size Default

input-device- Enable/disable negation of input device match. option - disable

negate

address

output-device Outgoing interface name. string Not Specified

tos Type of service bit pattern. user Not Specified

tos-mask Type of service evaluated bits. user Not Specified

status Enable/disable this policy route. option - enable

Option Description

enable Enable this policy route.

disable Disable this policy route.

comments Optional comments. var-string Not Specified

internet- Destination Internet Service ID. integer Minimum

service-id Destination Internet Service ID. value: 0
<id> Maximum
value:
4294967295

internet- Custom Destination Internet Service name. string Maximum

service- Custom Destination Internet Service name. length: 79
custom
<name>

config router static6

Configure IPv6 static routing tables.

config router static6
Description: Configure IPv6 static routing tables.
edit <seq-num>
set status [enable|disable]
set dst {ipv6-network}
set gateway {ipv6-address}
set device {string}
set devindex {integer}
set distance {integer}
set weight {integer}

FortiOS 7.2.1 CLI Reference 689

Fortinet Inc.
set priority {integer}
set comment {var-string}
set blackhole [enable|disable]
set dynamic-gateway [enable|disable]
set sdwan-zone <name1>, <name2>, ...
set dstaddr {string}
set link-monitor-exempt [enable|disable]
set vrf {integer}
set bfd [enable|disable]
next
end

config router static6

Parameter Description Type Size Default

status Enable/disable this static route. option - enable

Option Description

enable Enable static route.

disable Disable static route.

dst Destination IPv6 prefix. ipv6- Not Specified ::/0

network

gateway IPv6 address of the gateway. ipv6- Not Specified ::

address

device Gateway out interface or tunnel. string Not Specified

devindex Device index . integer Minimum 0

value: 0
Maximum
value:
4294967295

distance Administrative distance . integer Minimum 10

value: 1
Maximum
value: 255

weight Administrative weight . integer Minimum 0

value: 0
Maximum
value: 255

priority Administrative priority . integer Minimum 1024

value: 1
Maximum
value: 65535

comment Optional comments. var-string Not Specified

FortiOS 7.2.1 CLI Reference 690

Fortinet Inc.
Parameter Description Type Size Default

blackhole Enable/disable black hole. option - disable

Option Description

enable Enable black hole.

disable Disable black hole.

dynamic- Enable use of dynamic gateway retrieved from Router option - disable
gateway Advertisement (RA).

Option Description

enable Enable dynamic gateway.

disable Disable dynamic gateway.

sdwan-zone Choose SD-WAN Zone. string Maximum

<name> SD-WAN zone name. length: 79

dstaddr Name of firewall address or address group. string Not Specified

link-monitor- Enable/disable withdrawal of this static route when option - disable

exempt link monitor or health check is down.

Option Description

enable Keep this static route when link monitor or health check is down.

disable Withdraw this static route when link monitor or health check is down. (default)

vrf Virtual Routing Forwarding ID. integer Minimum 0

value: 0
Maximum
value: 63

bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).

Option Description

enable Enable Bidirectional Forwarding Detection (BFD).

disable Disable Bidirectional Forwarding Detection (BFD).

config router ospf

Configure OSPF.
config router ospf
Description: Configure OSPF.
set abr-type [cisco|ibm|...]
set auto-cost-ref-bandwidth {integer}
set distance-external {integer}

FortiOS 7.2.1 CLI Reference 691

Fortinet Inc.
set distance-inter-area {integer}
set distance-intra-area {integer}
set database-overflow [enable|disable]
set database-overflow-max-lsas {integer}
set database-overflow-time-to-recover {integer}
set default-information-originate [enable|always|...]
set default-information-metric {integer}
set default-information-metric-type [1|2]
set default-information-route-map {string}
set default-metric {integer}
set distance {integer}
set rfc1583-compatible [enable|disable]
set router-id {ipv4-address-any}
set spf-timers {user}
set bfd [enable|disable]
set log-neighbour-changes [enable|disable]
set distribute-list-in {string}
set distribute-route-map-in {string}
set restart-mode [none|lls|...]
set restart-period {integer}
set restart-on-topology-change [enable|disable]
config area
Description: OSPF area configuration.
edit <id>
set shortcut [disable|enable|...]
set authentication [none|text|...]
set default-cost {integer}
set nssa-translator-role [candidate|never|...]
set stub-type [no-summary|summary]
set type [regular|nssa|...]
set nssa-default-information-originate [enable|always|...]
set nssa-default-information-originate-metric {integer}
set nssa-default-information-originate-metric-type [1|2]
set nssa-redistribution [enable|disable]
set comments {var-string}
config range
Description: OSPF area range configuration.
edit <id>
set prefix {ipv4-classnet-any}
set advertise [disable|enable]
set substitute {ipv4-classnet-any}
set substitute-status [enable|disable]
next
end
config virtual-link
Description: OSPF virtual link configuration.
edit <name>
set authentication [none|text|...]
set authentication-key {password}
set keychain {string}
set dead-interval {integer}
set hello-interval {integer}
set retransmit-interval {integer}
set transmit-delay {integer}
set peer {ipv4-address-any}
config md5-keys
Description: MD5 key.

FortiOS 7.2.1 CLI Reference 692

Fortinet Inc.
edit <id>
set key-string {password}
next
end
next
end
config filter-list
Description: OSPF area filter-list configuration.
edit <id>
set list {string}
set direction [in|out]
next
end
next
end
config ospf-interface
Description: OSPF interface configuration.
edit <name>
set comments {var-string}
set interface {string}
set ip {ipv4-address}
set authentication [none|text|...]
set authentication-key {password}
set keychain {string}
set prefix-length {integer}
set retransmit-interval {integer}
set transmit-delay {integer}
set cost {integer}
set priority {integer}
set dead-interval {integer}
set hello-interval {integer}
set hello-multiplier {integer}
set database-filter-out [enable|disable]
set mtu {integer}
set mtu-ignore [enable|disable]
set network-type [broadcast|non-broadcast|...]
set bfd [global|enable|...]
set status [disable|enable]
set resync-timeout {integer}
config md5-keys
Description: MD5 key.
edit <id>
set key-string {password}
next
end
next
end
config network
Description: OSPF network configuration.
edit <id>
set prefix {ipv4-classnet}
set area {ipv4-address-any}
set comments {var-string}
next
end
config neighbor

FortiOS 7.2.1 CLI Reference 693

Fortinet Inc.
Description: OSPF neighbor configuration are used when OSPF runs on non-broadcast
media.
edit <id>
set ip {ipv4-address}
set poll-interval {integer}
set cost {integer}
set priority {integer}
next
end
set passive-interface <name1>, <name2>, ...
config summary-address
Description: IP address summary configuration.
edit <id>
set prefix {ipv4-classnet}
set tag {integer}
set advertise [disable|enable]
next
end
config distribute-list
Description: Distribute list configuration.
edit <id>
set access-list {string}
set protocol [connected|static|...]
next
end
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
set metric-type [1|2]
set tag {integer}
next
end
end

config router ospf

Parameter Description Type Size Default

abr-type Area border router type. option - standard

Option Description

cisco Cisco.

ibm IBM.

shortcut Shortcut.

standard Standard.

FortiOS 7.2.1 CLI Reference 694

Fortinet Inc.
Parameter Description Type Size Default

auto-cost-ref- Reference bandwidth in terms of megabits per integer Minimum 1000

bandwidth second. value: 1
Maximum
value:
1000000

distance- Administrative external distance. integer Minimum 110

external value: 1
Maximum
value: 255

distance-inter- Administrative inter-area distance. integer Minimum 110

area value: 1
Maximum
value: 255

distance-intra- Administrative intra-area distance. integer Minimum 110

area value: 1
Maximum
value: 255

database- Enable/disable database overflow. option - disable

overflow

Option Description

enable Enable setting.

disable Disable setting.

database- Database overflow maximum LSAs. integer Minimum 10000

overflow-max- value: 0
lsas Maximum
value:
4294967295

database- Database overflow time to recover (sec). integer Minimum 300

overflow-time- value: 0
to-recover Maximum
value: 65535

default- Enable/disable generation of default route. option - disable

information-
originate

Option Description

enable Enable setting.

always Always advertise the default router.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 695

Fortinet Inc.
Parameter Description Type Size Default

default- Default information metric. integer Minimum 10

information- value: 1
metric Maximum
value:
16777214

default- Default information metric type. option - 2

information-
metric-type

Option Description

1 Type 1.

2 Type 2.

default- Default information route map. string Not Specified

information-
route-map

default-metric Default metric of redistribute routes. integer Minimum 10

value: 1
Maximum
value:
16777214

distribute-list- Filter incoming routes. string Not Specified

distribute- Filter incoming external routes by route-map. string Not Specified

route-map-in

restart-mode OSPF restart mode (graceful or LLS). option - none

Option Description

none Hitless restart disabled.

lls LLS mode.

graceful-restart Graceful Restart Mode.

restart-period Graceful restart period. integer Minimum 120

value: 1
Maximum
value: 3600

restart-on- Enable/disable continuing graceful restart upon option - disable

topology- topology change.
change

Option Description

enable Continue graceful restart upon topology change.

disable Exit graceful restart upon topology change.

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

config area

Parameter Description Type Size Default

shortcut Enable/disable shortcut option. option - disable

FortiOS 7.2.1 CLI Reference 697

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable shortcut option.

enable Enable shortcut option.

default Default shortcut option.

authentication Authentication type. option - none

Option Description

none None.

text Text.

message-digest Message digest.

default-cost Summary default cost of stub or NSSA area. integer Minimum 10

value: 0
Maximum
value:
4294967295

nssa-translator- NSSA translator role type. option - candidate

role

Option Description

candidate Candidate.

never Never.

always Always.

stub-type Stub summary setting. option - summary

Option Description

no-summary No summary.

summary Summary.

type Area type setting. option - regular

Option Description

regular Regular.

nssa NSSA.

stub Stub.

FortiOS 7.2.1 CLI Reference 698

Fortinet Inc.
Parameter Description Type Size Default

nssa-default- Redistribute, advertise, or do not originate Type-7 option - disable

information- default route into NSSA area.
originate

Option Description

enable Redistribute Type-7 default route from routing table.

always Advertise a self-originated Type-7 default route.

disable Do not advertise Type-7 default route.

nssa-default- OSPF default metric. integer Minimum 10

information- value: 0
originate-metric Maximum
value:
16777214

nssa-default- OSPF metric type for default routes. option - 2

information-
originate-metric-
type

Option Description

1 Type 1.

2 Type 2.

nssa- Enable/disable redistribute into NSSA area. option - enable

redistribution

Option Description

enable Enable redistribute into NSSA area.

disable Disable redistribute into NSSA area.

comments Comment. var-string Not Specified

config range

Parameter Description Type Size Default

prefix Prefix. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
any

advertise Enable/disable advertise status. option - enable

FortiOS 7.2.1 CLI Reference 699

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable advertise status.

enable Enable advertise status.

substitute Substitute prefix. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
any

substitute- Enable/disable substitute status. option - disable

status

Option Description

enable Enable substitute status.

disable Disable substitute status.

config virtual-link

Parameter Description Type Size Default

authentication Authentication type. option - none

Option Description

none None.

text Text.

message-digest Message digest.

authentication- Authentication key. password Not

key Specified

keychain Message-digest key-chain name. string Not

Specified

dead-interval Dead interval. integer Minimum 40

value: 1
Maximum
value:
65535

hello-interval Hello interval. integer Minimum 10

value: 1
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 700

Fortinet Inc.
Parameter Description Type Size Default

retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535

transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535

peer Peer IP. ipv4- Not 0.0.0.0

address- Specified
any

direction Direction. option - out

Option Description

in In.

value: 0
Maximum
value:
65535

hello-multiplier Number of hello packets within dead interval. integer Minimum 0

value: 3
Maximum
value: 10

database-filter- Enable/disable control of flooding out LSAs. option - disable

out

Option Description

enable Enable setting.

disable Disable setting.

mtu MTU for database description packets. integer Minimum 0

value: 576
Maximum
value:
65535

mtu-ignore Enable/disable ignore MTU. option - disable

Option Description

enable Enable setting.

disable Disable setting.

network-type Network type. option - broadcast

Option Description

broadcast Broadcast.

FortiOS 7.2.1 CLI Reference 703

Fortinet Inc.
Parameter Description Type Size Default

Option Description

non-broadcast Non-broadcast.

point-to-point Point-to-point.

point-to- Point-to-multipoint.
multipoint

point-to- Point-to-multipoint and non-broadcast.

multipoint-non-
broadcast

bfd Bidirectional Forwarding Detection (BFD). option - global

Option Description

global Follow global configuration.

enable Enable BFD on this interface.

disable Disable BFD on this interface.

status Enable/disable status. option - enable

Option Description

disable Disable status.

enable Enable status.

resync-timeout Graceful restart neighbor resynchronization timeout. integer Minimum 40

value: 1
Maximum
value: 3600

config md5-keys

Parameter Description Type Size Default

key-string Password for the key. password Not

Specified

config md5-keys

Parameter Description Type Size Default

key-string Password for the key. password Not

Specified

FortiOS 7.2.1 CLI Reference 704

Fortinet Inc.
config network

Parameter Description Type Size Default

prefix Prefix. ipv4- Not 0.0.0.0

classnet Specified 0.0.0.0

area Attach the network to area. ipv4- Not 0.0.0.0

address- Specified
any

comments Comment. var-string Not

Specified

config neighbor

Parameter Description Type Size Default

ip Interface IP address of the neighbor. ipv4- Not 0.0.0.0

address Specified

poll-interval Poll interval time in seconds. integer Minimum 10

value: 1
Maximum
value:
65535

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value:
65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

config summary-address

Parameter Description Type Size Default

prefix Prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0

tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

advertise Enable/disable advertise status. option - enable

FortiOS 7.2.1 CLI Reference 705

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable advertise status.

enable Enable advertise status.

config distribute-list

Parameter Description Type Size Default

access-list Access list name. string Not

Specified

protocol Protocol type. option - connected

Option Description

connected Connected type.

static Static type.

rip RIP type.

config redistribute

Parameter Description Type Size Default

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 0
Maximum
value:
16777214

routemap Route map name. string Not Specified

metric-type Metric type. option - 2

Option Description

1 Type 1.

2 Type 2.

FortiOS 7.2.1 CLI Reference 706

Fortinet Inc.
Parameter Description Type Size Default

tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router ospf6

Configure IPv6 OSPF.

config router ospf6
Description: Configure IPv6 OSPF.
set abr-type [cisco|ibm|...]
set auto-cost-ref-bandwidth {integer}
set default-information-originate [enable|always|...]
set log-neighbour-changes [enable|disable]
set default-information-metric {integer}
set default-information-metric-type [1|2]
set default-information-route-map {string}
set default-metric {integer}
set router-id {ipv4-address-any}
set spf-timers {user}
set bfd [enable|disable]
set restart-mode [none|graceful-restart]
set restart-period {integer}
set restart-on-topology-change [enable|disable]
config area
Description: OSPF6 area configuration.
edit <id>
set default-cost {integer}
set nssa-translator-role [candidate|never|...]
set stub-type [no-summary|summary]
set type [regular|nssa|...]
set nssa-default-information-originate [enable|disable]
set nssa-default-information-originate-metric {integer}
set nssa-default-information-originate-metric-type [1|2]
set nssa-redistribution [enable|disable]
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set auth-key {password}
set enc-key {password}
next
end
config range
Description: OSPF6 area range configuration.
edit <id>
set prefix6 {ipv6-network}
set advertise [disable|enable]

FortiOS 7.2.1 CLI Reference 707

Fortinet Inc.
next
end
config virtual-link
Description: OSPF6 virtual link configuration.
edit <name>
set dead-interval {integer}
set hello-interval {integer}
set retransmit-interval {integer}
set transmit-delay {integer}
set peer {ipv4-address-any}
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set auth-key {password}
set enc-key {password}
next
end
next
end
next
end
config ospf6-interface
Description: OSPF6 interface configuration.
edit <name>
set area-id {ipv4-address-any}
set interface {string}
set retransmit-interval {integer}
set transmit-delay {integer}
set cost {integer}
set priority {integer}
set dead-interval {integer}
set hello-interval {integer}
set status [disable|enable]
set network-type [broadcast|point-to-point|...]
set bfd [global|enable|...]
set mtu {integer}
set mtu-ignore [enable|disable]
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set auth-key {password}
set enc-key {password}
next
end
config neighbor
Description: OSPFv3 neighbors are used when OSPFv3 runs on non-broadcast media.
edit <ip6>
set poll-interval {integer}
set cost {integer}

FortiOS 7.2.1 CLI Reference 708

Fortinet Inc.
set priority {integer}
next
end
next
end
config redistribute
Description: Redistribute configuration.
edit <name>
set status [enable|disable]
set metric {integer}
set routemap {string}
set metric-type [1|2]
next
end
set passive-interface <name1>, <name2>, ...
config summary-address
Description: IPv6 address summary configuration.
edit <id>
set prefix6 {ipv6-network}
set advertise [disable|enable]
set tag {integer}
next
end
end

config router ospf6

Parameter Description Type Size Default

abr-type Area border router type. option - standard

Option Description

cisco Cisco.

ibm IBM.

standard Standard.

auto-cost-ref- Reference bandwidth in terms of megabits per second. integer Minimum 1000
bandwidth value: 1
Maximum
value:
1000000

default- Enable/disable generation of default route. option - disable

default- Default information metric type. option - 2

information-
metric-type

Option Description

1 Type 1.

2 Type 2.

default- Default information route map. string Not

information- Specified
route-map

default-metric Default metric of redistribute routes. integer Minimum 10

value: 1
Maximum
value:
16777214

router-id A.B.C.D, in IPv4 address format. ipv4- Not 0.0.0.0

address- Specified
any

spf-timers SPF calculation frequency. user Not

Specified

bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).

FortiOS 7.2.1 CLI Reference 710

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable Bidirectional Forwarding Detection (BFD).

disable Disable Bidirectional Forwarding Detection (BFD).

restart-mode OSPFv3 restart mode (graceful or none). option - none

Option Description

none Disable hitless restart.

graceful-restart Enable graceful restart mode.

restart-period Graceful restart period in seconds. integer Minimum 120

value: 1
Maximum
value: 3600

restart-on- Enable/disable continuing graceful restart upon option - disable

topology- topology change.
change

Option Description

enable Continue graceful restart upon topology change.

disable Exit graceful restart upon topology change.

passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>

config area

Parameter Description Type Size Default

default-cost Summary default cost of stub or NSSA area. integer Minimum 10

value: 0
Maximum
value:
16777215

nssa-translator- NSSA translator role type. option - candidate

role

Option Description

candidate Candidate.

never Never.

FortiOS 7.2.1 CLI Reference 711

Fortinet Inc.
Parameter Description Type Size Default

Option Description

always Always.

stub-type Stub summary setting. option - summary

Option Description

no-summary No summary.

summary Summary.

type Area type setting. option - regular

Option Description

regular Regular.

nssa NSSA.

stub Stub.

nssa-default- Enable/disable originate type 7 default into NSSA option - disable

information- area.
originate

Option Description

enable Enable originate type 7 default into NSSA area.

disable Disable originate type 7 default into NSSA area.

nssa-default- OSPFv3 default metric. integer Minimum 10

information- value: 0
originate-metric Maximum
value:
16777214

nssa-default- OSPFv3 metric type for default routes. option - 2

information-
originate-metric-
type

Option Description

1 Type 1.

2 Type 2.

nssa- Enable/disable redistribute into NSSA area. option - enable

redistribution

FortiOS 7.2.1 CLI Reference 712

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable redistribute into NSSA area.

disable Disable redistribute into NSSA area.

authentication Authentication mode. option - none

Option Description

none Disable authentication.

ah Authentication Header.

esp Encapsulating Security Payload.

key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000

ipsec-auth-alg Authentication algorithm. option - md5

Option Description

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

ipsec-enc-alg Encryption algorithm. option - null

Option Description

null No encryption.

des DES.

3des 3DES.

aes128 AES128.

aes192 AES192.

aes256 AES256.

Option Description

disable disable

enable enable

config virtual-link

Parameter Description Type Size Default

dead-interval Dead interval. integer Minimum 40

value: 1
Maximum
value:
65535

hello-interval Hello interval. integer Minimum 10

value: 1
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 714

Fortinet Inc.
Parameter Description Type Size Default

retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535

transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535

peer A.B.C.D, peer router ID. ipv4- Not 0.0.0.0

address- Specified
any

authentication Authentication mode. option - area

Option Description

none Disable authentication.

ah Authentication Header.

esp Encapsulating Security Payload.

area Use the routing area's authentication configuration.

key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000

ipsec-auth-alg Authentication algorithm. option - md5

Option Description

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

ipsec-enc-alg Encryption algorithm. option - null

FortiOS 7.2.1 CLI Reference 715

Fortinet Inc.
Parameter Description Type Size Default

Option Description

null No encryption.

des DES.

3des 3DES.

address- Specified
any

interface Configuration interface name. string Not

Specified

retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535

FortiOS 7.2.1 CLI Reference 716

Fortinet Inc.
Parameter Description Type Size Default

transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value:
65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

dead-interval Dead interval. integer Minimum 0

value: 1
Maximum
value:
65535

hello-interval Hello interval. integer Minimum 0

value: 1
Maximum
value:
65535

status Enable/disable OSPF6 routing on this interface. option - enable

Option Description

disable Disable OSPF6 routing.

enable Enable OSPF6 routing.

network-type Network type. option - broadcast

Option Description

broadcast broadcast

point-to-point point-to-point

non-broadcast non-broadcast

point-to- point-to-multipoint
multipoint

enable Ignore MTU field in DBD packets.

disable Do not ignore MTU field in DBD packets.

authentication Authentication mode. option - area

Option Description

none Disable authentication.

ah Authentication Header.

esp Encapsulating Security Payload.

area Use the routing area's authentication configuration.

key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000

ipsec-auth-alg Authentication algorithm. option - md5

FortiOS 7.2.1 CLI Reference 718

Fortinet Inc.
Parameter Description Type Size Default

Option Description

md5 MD5.

sha1 SHA1.

sha256 SHA256.

sha384 SHA384.

sha512 SHA512.

ipsec-enc-alg Encryption algorithm. option - null

Option Description

null No encryption.

des DES.

3des 3DES.

aes128 AES128.

aes192 AES192.

aes256 AES256.

config ipsec-keys

Parameter Description Type Size Default

auth-key Authentication key. password Not

Specified

enc-key Encryption key. password Not

Specified

config ipsec-keys

Parameter Description Type Size Default

auth-key Authentication key. password Not

Specified

enc-key Encryption key. password Not

Specified

FortiOS 7.2.1 CLI Reference 719

Fortinet Inc.
config neighbor

Parameter Description Type Size Default

poll-interval Poll interval time in seconds. integer Minimum 10

value: 1
Maximum
value:
65535

cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value:
65535

priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

config redistribute

Parameter Description Type Size Default

status Status. option - disable

Option Description

enable Enable setting.

disable Disable setting.

metric Redistribute metric setting. integer Minimum 0

value: 0
Maximum
value:
16777214

routemap Route map name. string Not

Specified

metric-type Metric type. option - 2

Option Description

1 Type 1.

2 Type 2.

FortiOS 7.2.1 CLI Reference 720

Fortinet Inc.
config summary-address

Parameter Description Type Size Default

prefix6 IPv6 prefix. ipv6- Not Specified ::/0

network

advertise Enable/disable advertise status. option - enable

Option Description

disable disable

enable enable

tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

config router bgp

Configure BGP.
config router bgp
Description: Configure BGP.
set as {user}
set router-id {ipv4-address-any}
set keepalive-timer {integer}
set holdtime-timer {integer}
set always-compare-med [enable|disable]
set bestpath-as-path-ignore [enable|disable]
set bestpath-cmp-confed-aspath [enable|disable]
set bestpath-cmp-routerid [enable|disable]
set bestpath-med-confed [enable|disable]
set bestpath-med-missing-as-worst [enable|disable]
set client-to-client-reflection [enable|disable]
set dampening [enable|disable]
set deterministic-med [enable|disable]
set ebgp-multipath [enable|disable]
set ibgp-multipath [enable|disable]
set enforce-first-as [enable|disable]
set fast-external-failover [enable|disable]
set log-neighbour-changes [enable|disable]
set network-import-check [enable|disable]
set ignore-optional-capability [enable|disable]
set additional-path [enable|disable]
set additional-path6 [enable|disable]
set additional-path-vpnv4 [enable|disable]
set multipath-recursive-distance [enable|disable]
set recursive-next-hop [enable|disable]
set recursive-inherit-priority [enable|disable]
set tag-resolve-mode [disable|preferred|...]
set cluster-id {ipv4-address-any}

FortiOS 7.2.1 CLI Reference 721

Fortinet Inc.
set confederation-identifier {integer}
set confederation-peers <peer1>, <peer2>, ...
set dampening-route-map {string}
set dampening-reachability-half-life {integer}
set dampening-reuse {integer}
set dampening-suppress {integer}
set dampening-max-suppress-time {integer}
set dampening-unreachability-half-life {integer}
set default-local-preference {integer}
set scan-time {integer}
set distance-external {integer}
set distance-internal {integer}
set distance-local {integer}
set synchronization [enable|disable]
set graceful-restart [enable|disable]
set graceful-restart-time {integer}
set graceful-stalepath-time {integer}
set graceful-update-delay {integer}
set graceful-end-on-timer [enable|disable]
set additional-path-select {integer}
set additional-path-select6 {integer}
set additional-path-select-vpnv4 {integer}
config aggregate-address
Description: BGP aggregate address table.
edit <id>
set prefix {ipv4-classnet-any}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
config aggregate-address6
Description: BGP IPv6 aggregate address table.
edit <id>
set prefix6 {ipv6-prefix}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
config neighbor
Description: BGP neighbor table.
edit <ip>
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set allowas-in-vpnv4 {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set attribute-unchanged-vpnv4 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set activate-vpnv4 [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]

FortiOS 7.2.1 CLI Reference 722

Fortinet Inc.
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-graceful-restart-vpnv4 [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set next-hop-self-vpnv4 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set remove-private-as-vpnv4 [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-reflector-client-vpnv4 [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set route-server-client-vpnv4 [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set soft-reconfiguration-vpnv4 [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set description {string}
set distribute-list-in {string}
set distribute-list-in6 {string}
set distribute-list-in-vpnv4 {string}
set distribute-list-out {string}
set distribute-list-out6 {string}
set distribute-list-out-vpnv4 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set interface {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-vpnv4 {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-threshold-vpnv4 {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set maximum-prefix-warning-only-vpnv4 [enable|disable]

FortiOS 7.2.1 CLI Reference 723

Fortinet Inc.
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-in-vpnv4 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set prefix-list-out-vpnv4 {string}
set remote-as {user}
set local-as {user}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-in-vpnv4 {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set route-map-out-vpnv4 {string}
set route-map-out-vpnv4-preferable {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set send-community-vpnv4 [standard|extended|...]
set keep-alive-timer {integer}
set holdtime-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set weight {integer}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set additional-path-vpnv4 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
set adv-additional-path-vpnv4 {integer}
set password {password}
config conditional-advertise
Description: Conditional advertisement.
edit <advertise-routemap>
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
config conditional-advertise6
Description: IPv6 conditional advertisement.
edit <advertise-routemap>
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
next
end
config neighbor-group
Description: BGP neighbor group table.
edit <name>

FortiOS 7.2.1 CLI Reference 724

Fortinet Inc.
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set allowas-in-vpnv4 {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set attribute-unchanged-vpnv4 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set activate-vpnv4 [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-graceful-restart-vpnv4 [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set next-hop-self-vpnv4 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set remove-private-as-vpnv4 [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-reflector-client-vpnv4 [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set route-server-client-vpnv4 [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set soft-reconfiguration-vpnv4 [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set description {string}
set distribute-list-in {string}
set distribute-list-in6 {string}
set distribute-list-in-vpnv4 {string}
set distribute-list-out {string}
set distribute-list-out6 {string}

FortiOS 7.2.1 CLI Reference 725

Fortinet Inc.
set distribute-list-out-vpnv4 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set interface {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-vpnv4 {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-threshold-vpnv4 {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set maximum-prefix-warning-only-vpnv4 [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-in-vpnv4 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set prefix-list-out-vpnv4 {string}
set remote-as {user}
set local-as {user}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-in-vpnv4 {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set route-map-out-vpnv4 {string}
set route-map-out-vpnv4-preferable {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set send-community-vpnv4 [standard|extended|...]
set keep-alive-timer {integer}
set holdtime-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set weight {integer}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set additional-path-vpnv4 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
set adv-additional-path-vpnv4 {integer}
next
end
config neighbor-range
Description: BGP neighbor range table.

FortiOS 7.2.1 CLI Reference 726

Fortinet Inc.
edit <id>
set prefix {ipv4-classnet}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config neighbor-range6
Description: BGP IPv6 neighbor range table.
edit <id>
set prefix6 {ipv6-network}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config network
Description: BGP network table.
edit <id>
set prefix {ipv4-classnet}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
config network6
Description: BGP IPv6 network table.
edit <id>
set prefix6 {ipv6-network}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
config redistribute
Description: BGP IPv4 redistribute table.
edit <name>
set status [enable|disable]
set route-map {string}
next
end
config redistribute6
Description: BGP IPv6 redistribute table.
edit <name>
set status [enable|disable]
set route-map {string}
next
end
config admin-distance
Description: Administrative distance modifications.
edit <id>
set neighbour-prefix {ipv4-classnet}
set route-list {string}
set distance {integer}
next
end
config vrf
Description: BGP VRF leaking table.
edit <vrf>

FortiOS 7.2.1 CLI Reference 727

Fortinet Inc.
set role [standalone|ce|...]
set rd {string}
set export-rt <route-target1>, <route-target2>, ...
set import-rt <route-target1>, <route-target2>, ...
set import-route-map {string}
config leak-target
Description: Target VRF table.
edit <vrf>
set route-map {string}
set interface {string}
next
end
next
end
config vrf6
Description: BGP IPv6 VRF leaking table.
edit <vrf>
config leak-target
Description: Target VRF table.
edit <vrf>
set route-map {string}
set interface {string}
next
end
next
end
end

config router bgp

Parameter Description Type Size Default

as Router AS number, asplain/asdot/asdot+ format, user Not Specified

0 to disable BGP.

router-id Router ID. ipv4- Not Specified

address-
any

keepalive-timer Frequency to send keep alive requests. integer Minimum 60

value: 0
Maximum
value: 65535

holdtime-timer Number of seconds to mark peer as dead. integer Minimum 180

FortiOS 7.2.1 CLI Reference 729

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

dampening Enable/disable route-flap dampening. option - disable

Option Description

enable Enable setting.

enable Enable setting.

disable Disable setting.

disable Disable tag-match mode.

preferred Use tag-match if a BGP route resolution with another route containing the
same tag is successful.

merge Merge tag-match with best-match if they are using different routes. The
result will exclude the next hops of tag-match whose interfaces have
appeared in best-match.

cluster-id Route reflector cluster ID. ipv4- Not Specified 0.0.0.0

address-
any

FortiOS 7.2.1 CLI Reference 732

Fortinet Inc.
Parameter Description Type Size Default

confederation- Confederation identifier. integer Minimum 0

identifier value: 1
Maximum
value:
4294967295

confederation- Confederation peers. string Maximum

peers <peer> Peer ID. length: 79

dampening-route- Criteria for dampening. string Not Specified

map

dampening- Reachability half-life time for penalty (min). integer Minimum 15

reachability-half- value: 1
life Maximum
value: 45

dampening-reuse Threshold to reuse routes. integer Minimum 750

value: 1
Maximum
value: 20000

dampening- Threshold to suppress routes. integer Minimum 2000

suppress value: 1
Maximum
value: 20000

dampening-max- Maximum minutes a route can be suppressed. integer Minimum 60

suppress-time value: 1
Maximum
value: 255

dampening- Unreachability half-life time for penalty (min). integer Minimum 15

unreachability- value: 1
half-life Maximum
value: 45

default-local- Default local preference. integer Minimum 100

preference value: 0
Maximum
value:
4294967295

scan-time Background scanner interval (sec), 0 to disable it. integer Minimum 60

value: 5
Maximum
value: 60

FortiOS 7.2.1 CLI Reference 733

Fortinet Inc.
Parameter Description Type Size Default

distance-external Distance for routes external to the AS. integer Minimum 20

value: 1
Maximum
value: 255

distance-internal Distance for routes internal to the AS. integer Minimum 200
value: 1
Maximum
value: 255

distance-local Distance for routes local to the AS. integer Minimum 200
value: 1
Maximum
value: 255

synchronization Enable/disable only advertise routes from iBGP if option - disable

routes present in an IGP.

Option Description

enable Enable setting.

disable Disable setting.

graceful-restart Enable/disable BGP graceful restart capabilities. option - disable

Option Description

enable Enable setting.

disable Disable setting.

graceful-restart- Time needed for neighbors to restart (sec). integer Minimum 120
time value: 1
Maximum
value: 3600

graceful- Time to hold stale paths of restarting neighbor integer Minimum 360
stalepath-time (sec). value: 1
Maximum
value: 3600

graceful-update- Route advertisement/selection delay after restart integer Minimum 120

delay (sec). value: 1
Maximum
value: 3600

graceful-end-on- Enable/disable to exit graceful restart on timer option - disable

timer only.

FortiOS 7.2.1 CLI Reference 734

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

additional-path- Number of additional paths to be selected for integer Minimum 2

select each IPv4 NLRI. value: 2
Maximum
value: 255

additional-path- Number of additional paths to be selected for integer Minimum 2

select6 each IPv6 NLRI. value: 2
Maximum
value: 255

additional-path- Number of additional paths to be selected for integer Minimum 2

select-vpnv4 each VPNv4 NLRI. value: 2
Maximum
value: 255

config aggregate-address

Parameter Description Type Size Default

prefix Aggregate prefix. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
any

as-set Enable/disable generate AS set path information. option - disable

Option Description

enable Enable setting.

disable Disable setting.

summary-only Enable/disable filter more specific routes from updates. option - disable

Option Description

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 735

Fortinet Inc.
config aggregate-address6

Parameter Description Type Size Default

prefix6 Aggregate IPv6 prefix. ipv6-prefix Not ::/0

Specified

as-set Enable/disable generate AS set path information. option - disable

Option Description

enable Enable setting.

disable Disable setting.

summary-only Enable/disable filter more specific routes from updates. option - disable

Option Description

enable Enable setting.

disable Disable setting.

config neighbor

Parameter Description Type Size Default

advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600

allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in IPv4 The maximum number of occurrence of integer Minimum 0

my AS number allowed. value: 1
Maximum
value: 10

FortiOS 7.2.1 CLI Reference 736

Fortinet Inc.
Parameter Description Type Size Default

allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 0

my AS number allowed. value: 1
Maximum
value: 10

allowas-in-vpnv4 The maximum number of occurrence of my integer Minimum 0

AS number allowed for VPNv4 route. value: 1
Maximum
value: 10

attribute- IPv4 List of attributes that should be option -

unchanged unchanged.

Option Description

as-path AS path.

med MED.

next-hop Next hop.

attribute- IPv6 List of attributes that should be option -

unchanged6 unchanged.

FortiOS 7.2.1 CLI Reference 737

Fortinet Inc.
Parameter Description Type Size Default

to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

capability-orf Accept/Send IPv4 ORF lists to/from this option - none

neighbor.

Option Description

none None.

receive Receive ORF lists.

send Send ORF list.

both Send and receive ORF lists.

capability-orf6 Accept/Send IPv6 ORF lists to/from this option - none

neighbor.

FortiOS 7.2.1 CLI Reference 738

Fortinet Inc.
Parameter Description Type Size Default

Option Description

none None.

receive Receive ORF lists.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

FortiOS 7.2.1 CLI Reference 742

Fortinet Inc.
Parameter Description Type Size Default

route-reflector- Enable/disable VPNv4 AS route reflector option - disable

client-vpnv4 client for this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

route-server-client Enable/disable IPv4 AS route server client. option - disable

Option Description

enable Enable setting.

disable Disable setting.

route-server- Enable/disable IPv6 AS route server client. option - disable

client6

Option Description

enable Enable setting.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

disable Disable setting.

default-originate- Route map to specify criteria to originate IPv4 string Not Specified
routemap default.

default-originate- Route map to specify criteria to originate IPv6 string Not Specified
routemap6 default.

description Description. string Not Specified

FortiOS 7.2.1 CLI Reference 744

Fortinet Inc.
Parameter Description Type Size Default

distribute-list-in Filter for IPv4 updates from this neighbor. string Not Specified

distribute-list-in6 Filter for IPv6 updates from this neighbor. string Not Specified

distribute-list-in- Filter for VPNv4 updates from this neighbor. string Not Specified
vpnv4

distribute-list-out Filter for IPv4 updates to this neighbor. string Not Specified

distribute-list-out6 Filter for IPv6 updates to this neighbor. string Not Specified

distribute-list-out- Filter for VPNv4 updates to this neighbor. string Not Specified
vpnv4

ebgp-multihop-ttl EBGP multihop TTL for this peer. integer Minimum 255
value: 1
Maximum
value: 255

filter-list-in BGP filter for IPv4 inbound routes. string Not Specified

filter-list-in6 BGP filter for IPv6 inbound routes. string Not Specified

filter-list-out BGP filter for IPv4 outbound routes. string Not Specified

filter-list-out6 BGP filter for IPv6 outbound routes. string Not Specified

interface Specify outgoing interface for peer string Not Specified

connection. For IPv6 peer, the interface
should have link-local address.

maximum-prefix Maximum number of IPv4 prefixes to accept integer Minimum 0

from this peer. value: 1
Maximum
value:
4294967295

maximum-prefix6 Maximum number of IPv6 prefixes to accept integer Minimum 0

from this peer. value: 1
Maximum
value:
4294967295

maximum-prefix- Maximum number of VPNv4 prefixes to integer Minimum 0

vpnv4 accept from this peer. value: 1
Maximum
value:
4294967295

maximum-prefix- Maximum IPv4 prefix threshold value . integer Minimum 75

threshold value: 1
Maximum
value: 100

FortiOS 7.2.1 CLI Reference 745

Fortinet Inc.
Parameter Description Type Size Default

maximum-prefix- Maximum IPv6 prefix threshold value . integer Minimum 75

threshold6 value: 1
Maximum
value: 100

maximum-prefix- Maximum VPNv4 prefix threshold value . integer Minimum 75

threshold-vpnv4 value: 1
Maximum
value: 100

maximum-prefix- Enable/disable IPv4 Only give warning option - disable

warning-only message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable IPv6 Only give warning option - disable

warning-only6 message when limit is exceeded.

Option Description

enable Enable setting.

disable Disable setting.

maximum-prefix- Enable/disable only giving warning message option - disable

warning-only- when limit is exceeded for VPNv4 routes.
vpnv4

Option Description

enable Enable setting.

disable Disable setting.

prefix-list-in IPv4 Inbound filter for updates from this string Not Specified
neighbor.

prefix-list-in6 IPv6 Inbound filter for updates from this string Not Specified
neighbor.

prefix-list-in-vpnv4 Inbound filter for VPNv4 updates from this string Not Specified
neighbor.

prefix-list-out IPv4 Outbound filter for updates to this string Not Specified
neighbor.

prefix-list-out6 IPv6 Outbound filter for updates to this string Not Specified
neighbor.

FortiOS 7.2.1 CLI Reference 746

Fortinet Inc.
Parameter Description Type Size Default

prefix-list-out- Outbound filter for VPNv4 updates to this string Not Specified
vpnv4 neighbor.

remote-as AS number of neighbor. user Not Specified

local-as Local AS number of neighbor. user Not Specified

local-as-no- Do not prepend local-as to incoming updates. option - disable

prepend

Option Description

enable Enable setting.

disable Disable setting.

local-as-replace- Replace real AS with local-as in outgoing option - disable

as updates.

Option Description

enable Enable setting.

disable Disable setting.

retain-stale-time Time to retain stale routes. integer Minimum 0

value: 0
Maximum
value: 65535

route-map-in IPv4 Inbound route map filter. string Not Specified

route-map-in6 IPv6 Inbound route map filter. string Not Specified

route-map-in- VPNv4 inbound route map filter. string Not Specified

vpnv4

route-map-out IPv4 outbound route map filter. string Not Specified

route-map-out- IPv4 outbound route map filter if the peer is string Not Specified
preferable preferred.

route-map-out6 IPv6 Outbound route map filter. string Not Specified

route-map-out6- IPv6 outbound route map filter if the peer is string Not Specified
preferable preferred.

route-map-out- VPNv4 outbound route map filter. string Not Specified

both Both.

disable Disable

keep-alive-timer Keep alive timer interval (sec). integer Minimum 4294967295

adv-additional- Number of IPv4 additional paths that can be integer Minimum 2

path advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of IPv6 additional paths that can be integer Minimum 2

path6 advertised to this neighbor. value: 2
Maximum
value: 255

adv-additional- Number of VPNv4 additional paths that can integer Minimum 2

path-vpnv4 be advertised to this neighbor. value: 2
Maximum
value: 255

password Password used in MD5 authentication. password Not Specified

config conditional-advertise

Parameter Description Type Size Default

condition- List of conditional route maps. string Maximum

routemap route map length: 79
<name>

condition-type Type of condition. option - exist

Option Description

exist True if condition route map is matched.

non-exist True if condition route map is not matched.

config conditional-advertise6

Parameter Description Type Size Default

condition- List of conditional route maps. string Maximum

routemap route map length: 79
<name>

condition-type Type of condition. option - exist

Option Description

exist True if condition route map is matched.

non-exist True if condition route map is not matched.

FortiOS 7.2.1 CLI Reference 750

Fortinet Inc.
config neighbor-group

Parameter Description Type Size Default

advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600

allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.

Option Description

enable Enable setting.

disable Disable setting.

allowas-in IPv4 The maximum number of occurrence of integer Minimum 0

my AS number allowed. value: 1
Maximum
value: 10

allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 0

my AS number allowed. value: 1
Maximum
value: 10

allowas-in-vpnv4 The maximum number of occurrence of my AS integer Minimum 0

number allowed for VPNv4 route. value: 1
Maximum
value: 10

attribute- IPv4 List of attributes that should be option -

unchanged unchanged.

Option Description

as-path AS path.

med MED.

next-hop Next hop.

attribute- IPv6 List of attributes that should be option -

unchanged6 unchanged.

FortiOS 7.2.1 CLI Reference 751

Fortinet Inc.
Parameter Description Type Size Default

both Send and receive ORF lists.

capability- Enable/disable advertise IPv4 graceful restart option - disable

graceful-restart capability to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

capability- Enable/disable advertise IPv6 graceful restart option - disable

graceful-restart6 capability to this neighbor.

Option Description

enable Enable setting.

disable Disable setting.

enable Enable setting.

FortiOS 7.2.1 CLI Reference 754

Fortinet Inc.
Parameter Description Type Size Default

Option Description

disable Disable setting.

link-down-failover Enable/disable failover upon link down. option - disable

remove-private- Enable/disable remove private AS number option - disable

as-vpnv4 from VPNv4 outbound updates.

client6

Option Description

enable Enable setting.

disable Disable setting.

route-server- Enable/disable VPNv4 AS route server client option - disable

client-vpnv4 for this neighbor.

FortiOS 7.2.1 CLI Reference 757

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

shutdown Enable/disable shutdown this neighbor. option - disable

FortiOS 7.2.1 CLI Reference 758

Fortinet Inc.
Parameter Description Type Size Default

Option Description

enable Enable setting.

disable Disable setting.

strict-capability- Enable/disable strict capability matching. option - disable

match